diff --git a/0000-use-gnutls-for-des-cbc.patch b/0000-use-gnutls-for-des-cbc.patch new file mode 100644 index 0000000000000000000000000000000000000000..9180a646c9bfd508a9bbc47a910e1de71abe96fa --- /dev/null +++ b/0000-use-gnutls-for-des-cbc.patch @@ -0,0 +1,371 @@ +From 21073bff847fbc41d3dab0a649fa400d8188fa16 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Oct 2019 23:48:19 +0300 +Subject: [PATCH 1/2] smbdes: add des_crypt56_gnutls() using use DES-CBC with + zeroed IV + +Signed-off-by: Isaac Boukris +--- + libcli/auth/smbdes.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 47 insertions(+) + +diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c +index 6d9a6dc2ce8..37ede91ad22 100644 +--- a/libcli/auth/smbdes.c ++++ b/libcli/auth/smbdes.c +@@ -23,6 +23,9 @@ + #include "includes.h" + #include "libcli/auth/libcli_auth.h" + ++#include ++#include ++ + /* NOTES: + + This code makes no attempt to be fast! In fact, it is a very +@@ -273,6 +276,50 @@ static void str_to_key(const uint8_t *str,uint8_t *key) + } + } + ++static int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], ++ const uint8_t key_in[7], bool enc) ++{ ++ static uint8_t iv8[8]; ++ gnutls_datum_t iv = { iv8, 8 }; ++ gnutls_datum_t key; ++ gnutls_cipher_hd_t ctx; ++ uint8_t key2[8]; ++ uint8_t outb[8]; ++ int ret; ++ ++ memset(out, 0, 8); ++ ++ str_to_key(key_in, key2); ++ ++ key.data = key2; ++ key.size = 8; ++ ++ ret = gnutls_global_init(); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ memcpy(outb, in, 8); ++ if (enc) { ++ ret = gnutls_cipher_encrypt(ctx, outb, 8); ++ } else { ++ ret = gnutls_cipher_decrypt(ctx, outb, 8); ++ } ++ ++ if (ret == 0) { ++ memcpy(out, outb, 8); ++ } ++ ++ gnutls_cipher_deinit(ctx); ++ ++ return ret; ++} ++ + /* + basic des crypt using a 56 bit (7 byte) key + */ +-- +2.22.0 + + +From 6d6651213f391840e3004ec3b055f8f25be9b360 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 21 Oct 2019 20:03:04 +0300 +Subject: [PATCH 2/2] smbdes: use the new des_crypt56_gnutls() + +and remove builtin DES crypto. + +Signed-off-by: Isaac Boukris +--- + libcli/auth/smbdes.c | 258 +------------------------------------------ + 1 file changed, 1 insertion(+), 257 deletions(-) + +diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c +index 37ede91ad22..7de05b75303 100644 +--- a/libcli/auth/smbdes.c ++++ b/libcli/auth/smbdes.c +@@ -26,239 +26,6 @@ + #include + #include + +-/* NOTES: +- +- This code makes no attempt to be fast! In fact, it is a very +- slow implementation +- +- This code is NOT a complete DES implementation. It implements only +- the minimum necessary for SMB authentication, as used by all SMB +- products (including every copy of Microsoft Windows95 ever sold) +- +- In particular, it can only do a unchained forward DES pass. This +- means it is not possible to use this code for encryption/decryption +- of data, instead it is only useful as a "hash" algorithm. +- +- There is no entry point into this code that allows normal DES operation. +- +- I believe this means that this code does not come under ITAR +- regulations but this is NOT a legal opinion. If you are concerned +- about the applicability of ITAR regulations to this code then you +- should confirm it for yourself (and maybe let me know if you come +- up with a different answer to the one above) +-*/ +- +- +-static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9, +- 1, 58, 50, 42, 34, 26, 18, +- 10, 2, 59, 51, 43, 35, 27, +- 19, 11, 3, 60, 52, 44, 36, +- 63, 55, 47, 39, 31, 23, 15, +- 7, 62, 54, 46, 38, 30, 22, +- 14, 6, 61, 53, 45, 37, 29, +- 21, 13, 5, 28, 20, 12, 4}; +- +-static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5, +- 3, 28, 15, 6, 21, 10, +- 23, 19, 12, 4, 26, 8, +- 16, 7, 27, 20, 13, 2, +- 41, 52, 31, 37, 47, 55, +- 30, 40, 51, 45, 33, 48, +- 44, 49, 39, 56, 34, 53, +- 46, 42, 50, 36, 29, 32}; +- +-static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, +- 60, 52, 44, 36, 28, 20, 12, 4, +- 62, 54, 46, 38, 30, 22, 14, 6, +- 64, 56, 48, 40, 32, 24, 16, 8, +- 57, 49, 41, 33, 25, 17, 9, 1, +- 59, 51, 43, 35, 27, 19, 11, 3, +- 61, 53, 45, 37, 29, 21, 13, 5, +- 63, 55, 47, 39, 31, 23, 15, 7}; +- +-static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5, +- 4, 5, 6, 7, 8, 9, +- 8, 9, 10, 11, 12, 13, +- 12, 13, 14, 15, 16, 17, +- 16, 17, 18, 19, 20, 21, +- 20, 21, 22, 23, 24, 25, +- 24, 25, 26, 27, 28, 29, +- 28, 29, 30, 31, 32, 1}; +- +-static const uint8_t perm5[32] = { 16, 7, 20, 21, +- 29, 12, 28, 17, +- 1, 15, 23, 26, +- 5, 18, 31, 10, +- 2, 8, 24, 14, +- 32, 27, 3, 9, +- 19, 13, 30, 6, +- 22, 11, 4, 25}; +- +- +-static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, +- 39, 7, 47, 15, 55, 23, 63, 31, +- 38, 6, 46, 14, 54, 22, 62, 30, +- 37, 5, 45, 13, 53, 21, 61, 29, +- 36, 4, 44, 12, 52, 20, 60, 28, +- 35, 3, 43, 11, 51, 19, 59, 27, +- 34, 2, 42, 10, 50, 18, 58, 26, +- 33, 1, 41, 9, 49, 17, 57, 25}; +- +- +-static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; +- +-static const uint8_t sbox[8][4][16] = { +- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, +- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, +- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, +- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, +- +- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, +- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, +- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, +- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, +- +- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, +- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, +- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, +- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, +- +- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, +- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, +- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, +- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, +- +- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, +- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, +- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, +- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, +- +- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, +- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, +- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, +- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, +- +- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, +- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, +- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, +- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, +- +- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, +- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, +- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, +- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; +- +-static void permute(char *out, const char *in, const uint8_t *p, int n) +-{ +- int i; +- for (i=0;i -Date: Mon, 5 Aug 2019 13:39:53 -0700 -Subject: [PATCH 1/7] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code - from evil server returned names. - -Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 - -Signed-off-by: Jeremy Allison ---- - source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++ - source3/libsmb/proto.h | 3 ++ - 2 files changed, 78 insertions(+) - -diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c -index 5cb1fce4338..4f518339e2b 100644 ---- a/source3/libsmb/clilist.c -+++ b/source3/libsmb/clilist.c -@@ -24,6 +24,66 @@ - #include "trans2.h" - #include "../libcli/smb/smbXcli_base.h" - -+/**************************************************************************** -+ Check if a returned directory name is safe. -+****************************************************************************/ -+ -+static NTSTATUS is_bad_name(bool windows_names, const char *name) -+{ -+ const char *bad_name_p = NULL; -+ -+ bad_name_p = strchr(name, '/'); -+ if (bad_name_p != NULL) { -+ /* -+ * Windows and POSIX names can't have '/'. -+ * Server is attacking us. -+ */ -+ return NT_STATUS_INVALID_NETWORK_RESPONSE; -+ } -+ if (windows_names) { -+ bad_name_p = strchr(name, '\\'); -+ if (bad_name_p != NULL) { -+ /* -+ * Windows names can't have '\\'. -+ * Server is attacking us. -+ */ -+ return NT_STATUS_INVALID_NETWORK_RESPONSE; -+ } -+ } -+ return NT_STATUS_OK; -+} -+ -+/**************************************************************************** -+ Check if a returned directory name is safe. Disconnect if server is -+ sending bad names. -+****************************************************************************/ -+ -+NTSTATUS is_bad_finfo_name(const struct cli_state *cli, -+ const struct file_info *finfo) -+{ -+ NTSTATUS status = NT_STATUS_OK; -+ bool windows_names = true; -+ -+ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) { -+ windows_names = false; -+ } -+ if (finfo->name != NULL) { -+ status = is_bad_name(windows_names, finfo->name); -+ if (!NT_STATUS_IS_OK(status)) { -+ DBG_ERR("bad finfo->name\n"); -+ return status; -+ } -+ } -+ if (finfo->short_name != NULL) { -+ status = is_bad_name(windows_names, finfo->short_name); -+ if (!NT_STATUS_IS_OK(status)) { -+ DBG_ERR("bad finfo->short_name\n"); -+ return status; -+ } -+ } -+ return NT_STATUS_OK; -+} -+ - /**************************************************************************** - Calculate a safe next_entry_offset. - ****************************************************************************/ -@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - TALLOC_FREE(finfo); - return NT_STATUS_NO_MEMORY; - } -+ -+ status = is_bad_finfo_name(state->cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(state->cli->conn, status); -+ TALLOC_FREE(finfo); -+ return status; -+ } - } - *pfinfo = finfo; - return NT_STATUS_OK; -@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq) - ff_eos = true; - break; - } -+ -+ status = is_bad_finfo_name(state->cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(state->cli->conn, status); -+ tevent_req_nterror(req, status); -+ return; -+ } -+ - if (!state->first && (state->mask[0] != '\0') && - strcsequal(finfo->name, state->mask)) { - DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has " -diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h -index 2bd61b1d2c2..e708e911b97 100644 ---- a/source3/libsmb/proto.h -+++ b/source3/libsmb/proto.h -@@ -722,6 +722,9 @@ NTSTATUS cli_posix_whoami(struct cli_state *cli, - - /* The following definitions come from libsmb/clilist.c */ - -+NTSTATUS is_bad_finfo_name(const struct cli_state *cli, -+ const struct file_info *finfo); -+ - NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute, - NTSTATUS (*fn)(const char *, struct file_info *, - const char *, void *), void *state); --- -2.17.1 - diff --git a/0001-CVE-2019-14833.patch b/0001-CVE-2019-14833.patch deleted file mode 100644 index aa5910c134db7f3686bdf274a04a6bce814d4d2d..0000000000000000000000000000000000000000 --- a/0001-CVE-2019-14833.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e6de467a763b93152eef27726957a32879268fb7 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 19 Sep 2019 11:50:01 +1200 -Subject: [PATCH 3/7] CVE-2019-14833: Use utf8 characters in the unacceptable - password - -This shows that the "check password script" handling has a bug. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438 -Signed-off-by: Andrew Bartlett ---- - selftest/knownfail.d/unacceptable-passwords | 1 + - selftest/target/Samba4.pm | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/unacceptable-passwords - -diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords -new file mode 100644 -index 00000000000..75fa2fc32b8 ---- /dev/null -+++ b/selftest/knownfail.d/unacceptable-passwords -@@ -0,0 +1 @@ -+^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\) -\ No newline at end of file -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index b565d466477..d7c22ce4e23 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1986,7 +1986,7 @@ sub provision_chgdcpass($$) - my $extra_provision_options = undef; - # This environment disallows the use of this password - # (and also removes the default AD complexity checks) -- my $unacceptable_password = "widk3Dsle32jxdBdskldsk55klASKQ"; -+ my $unacceptable_password = "Pa脽脽word-widk3Dsle32jxdBdskldsk55klASKQ"; - push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ"); - my $ret = $self->provision($prefix, - "domain controller", --- -2.17.1 diff --git a/0001-CVE-2019-14847.patch b/0001-CVE-2019-14847.patch deleted file mode 100644 index ede833ea2b96d1994afb1925e8dfa32aa77a7c64..0000000000000000000000000000000000000000 --- a/0001-CVE-2019-14847.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ea39bdd6293041af668f1bfdfea39a725733bad3 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Fri, 3 May 2019 17:27:51 +1200 -Subject: [PATCH 5/7] CVE-2019-14847 dsdb/modules/dirsync: ensure attrs exist - (CID 1107212) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Gary Lockyer -(cherry picked from commit 23f72c4d712f8d1fec3d67a66d477709d5b0abe2) ---- - source4/dsdb/samdb/ldb_modules/dirsync.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c -index b5510eccd24..62a66fef8d4 100644 ---- a/source4/dsdb/samdb/ldb_modules/dirsync.c -+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c -@@ -343,6 +343,10 @@ skip: - - attr = dsdb_attribute_by_lDAPDisplayName(dsc->schema, - el->name); -+ if (attr == NULL) { -+ continue; -+ } -+ - keep = false; - - if (attr->linkID & 1) { --- -2.17.1 - diff --git a/0001-CVE-2019-3824.patch b/0001-CVE-2019-3824.patch deleted file mode 100644 index 8ef27fff86ab3a1c2e85ecb9c76d89a661f4367a..0000000000000000000000000000000000000000 --- a/0001-CVE-2019-3824.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 3674b0891afb016c83763520b87e9f190dcfe884 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Fri, 18 Jan 2019 16:37:24 +0100 -Subject: [PATCH] CVE-2019-3824 ldb: Out of bound read in ldb_wildcard_compare - -There is valgrind error in few tests tests/test-generic.sh - 91 echo "Test wildcard match" - 92 $VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif || exit 1 - 93 $VALGRIND ldbsearch '(cn=test*multi)' || exit 1 - 95 $VALGRIND ldbsearch '(cn=*test_multi)' || exit 1 - 97 $VALGRIND ldbsearch '(cn=test*multi*test*multi)' || exit 1 - -e.g. - ==3098== Memcheck, a memory error detector - ==3098== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. - ==3098== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info - ==3098== Command: ./bin/ldbsearch (cn=test*multi) - ==3098== - ==3098== Invalid read of size 1 - ==3098== at 0x483CEE7: memchr (vg_replace_strmem.c:890) - ==3098== by 0x49A9073: memmem (in /usr/lib64/libc-2.28.9000.so) - ==3098== by 0x485DFE9: ldb_wildcard_compare (ldb_match.c:313) - ==3098== by 0x485DFE9: ldb_match_substring (ldb_match.c:360) - ==3098== by 0x485DFE9: ldb_match_message (ldb_match.c:572) - ==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549) - ==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17) - ==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17) - ==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274) - ==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594) - ==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854) - ==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713) - ==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38) - ==3098== by 0x48FCEFD: tevent_common_loop_timer_delay (in /usr/lib64/libtevent.so.0.9.38) - ==3098== by 0x48FE14A: ??? (in /usr/lib64/libtevent.so.0.9.38) - ==3098== Address 0x4b4ab81 is 0 bytes after a block of size 129 alloc'd - ==3098== at 0x483880B: malloc (vg_replace_malloc.c:309) - ==3098== by 0x491048B: talloc_strndup (in /usr/lib64/libtalloc.so.2.1.15) - ==3098== by 0x48593CA: ldb_casefold_default (ldb_utf8.c:59) - ==3098== by 0x485F68D: ldb_handler_fold (attrib_handlers.c:64) - ==3098== by 0x485DB88: ldb_wildcard_compare (ldb_match.c:257) - ==3098== by 0x485DB88: ldb_match_substring (ldb_match.c:360) - ==3098== by 0x485DB88: ldb_match_message (ldb_match.c:572) - ==3098== by 0x558F8FA: search_func (ldb_kv_search.c:549) - ==3098== by 0x48C78CA: ??? (in /usr/lib64/libtdb.so.1.3.17) - ==3098== by 0x48C7A60: tdb_traverse_read (in /usr/lib64/libtdb.so.1.3.17) - ==3098== by 0x557B7C4: ltdb_traverse_fn (ldb_tdb.c:274) - ==3098== by 0x558FBFA: ldb_kv_search_full (ldb_kv_search.c:594) - ==3098== by 0x558FBFA: ldb_kv_search (ldb_kv_search.c:854) - ==3098== by 0x558E497: ldb_kv_callback (ldb_kv.c:1713) - ==3098== by 0x48FCD58: tevent_common_invoke_timer_handler (in /usr/lib64/libtevent.so.0.9.38) - ==3098== - # record 1 - dn: cn=test_multi_test_multi_test_multi,o=University of Michigan,c=TEST - cn: test_multi_test_multi_test_multi - description: test multi wildcards matching - objectclass: person - sn: multi_test - name: test_multi_test_multi_test_multi - distinguishedName: cn=test_multi_test_multi_test_multi,o=University of Michiga - n,c=TEST - - # returned 1 records - # 1 entries - # 0 referrals - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Lukas Slebodnik -Reviewed-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - lib/ldb/common/ldb_match.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c -index 25fe3f9c21b..8eeedfb12e0 100644 ---- a/lib/ldb/common/ldb_match.c -+++ b/lib/ldb/common/ldb_match.c -@@ -308,9 +308,10 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, - if (p == NULL) goto mismatch; - if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) { - uint8_t *g; -+ uint8_t *end = val.data + val.length; - do { /* greedy */ - g = memmem(p + cnk.length, -- val.length - (p - val.data), -+ end - (p + cnk.length), - (const uint8_t *)cnk.data, - cnk.length); - if (g) p = g; --- -2.24.0 diff --git a/0001-handle-removal-des-enctypes-from-krb5.patch b/0001-handle-removal-des-enctypes-from-krb5.patch new file mode 100644 index 0000000000000000000000000000000000000000..04753237200249188763a4f614f66f9ee777ee14 --- /dev/null +++ b/0001-handle-removal-des-enctypes-from-krb5.patch @@ -0,0 +1,314 @@ +From 3828e798da8e0b44356039dd927f0624d5d182f9 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 6 Nov 2019 12:12:55 +0200 +Subject: [PATCH] Remove DES support if MIT Kerberos version does not support + it + +--- + source3/libads/kerberos_keytab.c | 2 - + source3/passdb/machine_account_secrets.c | 36 ------------------ + source4/auth/kerberos/kerberos.h | 2 +- + .../dsdb/samdb/ldb_modules/password_hash.c | 12 ++++++ + source4/kdc/db-glue.c | 4 +- + source4/torture/rpc/remote_pac.c | 37 ------------------- + testprogs/blackbox/dbcheck-oldrelease.sh | 2 +- + testprogs/blackbox/functionalprep.sh | 2 +- + .../blackbox/test_export_keytab_heimdal.sh | 16 ++++---- + .../blackbox/upgradeprovision-oldrelease.sh | 2 +- + 10 files changed, 26 insertions(+), 89 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 97d5535041c..7d193e1a600 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[6] = { +- ENCTYPE_DES_CBC_CRC, +- ENCTYPE_DES_CBC_MD5, + #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + #endif +diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c +index dfc21f295a1..efba80f1474 100644 +--- a/source3/passdb/machine_account_secrets.c ++++ b/source3/passdb/machine_account_secrets.c +@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + krb5_keyblock key; + DATA_BLOB aes_256_b = data_blob_null; + DATA_BLOB aes_128_b = data_blob_null; +- DATA_BLOB des_md5_b = data_blob_null; + bool ok; + #endif /* HAVE_ADS */ + DATA_BLOB arc4_b = data_blob_null; +@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + return ENOMEM; + } + +- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, +- NULL, +- &salt, +- &cleartext_utf8, +- ENCTYPE_DES_CBC_MD5, +- &key); +- if (krb5_ret != 0) { +- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n", +- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys)); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return krb5_ret; +- } +- des_md5_b = data_blob_talloc(keys, +- KRB5_KEY_DATA(&key), +- KRB5_KEY_LENGTH(&key)); +- krb5_free_keyblock_contents(krb5_ctx, &key); +- if (des_md5_b.data == NULL) { +- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n"); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return ENOMEM; +- } +- + krb5_free_context(krb5_ctx); + no_kerberos: + +@@ -1227,15 +1200,6 @@ no_kerberos: + keys[idx].value = arc4_b; + idx += 1; + +-#ifdef HAVE_ADS +- if (des_md5_b.length != 0) { +- keys[idx].keytype = ENCTYPE_DES_CBC_MD5; +- keys[idx].iteration_count = 4096; +- keys[idx].value = des_md5_b; +- idx += 1; +- } +-#endif /* HAVE_ADS */ +- + p->salt_data = salt_data; + p->default_iteration_count = 4096; + p->num_keys = idx; +diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h +index 2ff9e3868af..1dd63acc838 100644 +--- a/source4/auth/kerberos/kerberos.h ++++ b/source4/auth/kerberos/kerberos.h +@@ -50,7 +50,7 @@ struct keytab_container { + #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") + #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") + +-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \ ++#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \ + ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256) + + #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 006e35c46d5..f16937c6cab 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -786,6 +786,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + * create ENCTYPE_DES_CBC_MD5 key out of + * the salt and the cleartext password + */ ++#ifdef SAMBA4_USES_HEIMDAL + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, +@@ -804,6 +805,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++#else ++ /* MIT has dropped support for DES enctypes, store a random key instead. */ ++ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8); ++ generate_secret_buffer(io->g.des_md5.data, 8); ++#endif + if (!io->g.des_md5.data) { + return ldb_oom(ldb); + } +@@ -812,6 +818,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + * create ENCTYPE_DES_CBC_CRC key out of + * the salt and the cleartext password + */ ++#ifdef SAMBA4_USES_HEIMDAL + krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, + NULL, + &salt, +@@ -830,6 +837,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++#else ++ /* MIT has dropped support for DES enctypes, store a random key instead. */ ++ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8); ++ generate_secret_buffer(io->g.des_crc.data, 8); ++#endif + if (!io->g.des_crc.data) { + return ldb_oom(ldb); + } +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index f62a633c6c7..023ae7b580d 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, + + /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ + if (userAccountControl & UF_USE_DES_KEY_ONLY) { +- supported_enctypes = ENC_CRC32|ENC_RSA_MD5; ++ supported_enctypes = 0; + } else { + /* Otherwise, add in the default enc types */ +- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++ supported_enctypes |= ENC_RC4_HMAC_MD5; + } + + /* Is this the krbtgt or a RODC krbtgt */ +diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c +index 7a5cda74b74..f12060e3c8f 100644 +--- a/source4/torture/rpc/remote_pac.c ++++ b/source4/torture/rpc/remote_pac.c +@@ -38,7 +38,6 @@ + + #define TEST_MACHINE_NAME_BDC "torturepacbdc" + #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" +-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" + #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc" + #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk" + +@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); + } + +-static bool test_PACVerify_workstation_des(struct torture_context *tctx, +- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) +-{ +- struct samr_SetUserInfo r; +- union samr_UserInfo user_info; +- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); +- struct smb_krb5_context *smb_krb5_context; +- krb5_error_code ret; +- +- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(), +- tctx->lp_ctx, &smb_krb5_context); +- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); +- +- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) { +- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); +- } +- +- /* Mark this workstation with DES-only */ +- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; +- r.in.user_handle = torture_join_samr_user_policy(join_ctx); +- r.in.level = 16; +- r.in.info = &user_info; +- +- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), +- "failed to set DES info account flags"); +- torture_assert_ntstatus_ok(tctx, r.out.result, +- "failed to set DES into account flags"); +- +- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, +- TEST_MACHINE_NAME_WKSTA_DES, +- NETLOGON_NEG_AUTH2_ADS_FLAGS); +-} +- + #ifdef SAMBA4_USES_HEIMDAL + static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, + uint16_t validation_level, +@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); + +- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", +- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); +- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); + #ifdef SAMBA4_USES_HEIMDAL + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); +diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh +index 3d0ee2c165a..41c55178d4e 100755 +--- a/testprogs/blackbox/dbcheck-oldrelease.sh ++++ b/testprogs/blackbox/dbcheck-oldrelease.sh +@@ -388,7 +388,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE = x"release-4-0-0" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh +index 80e82252d45..1d37611ef7a 100755 +--- a/testprogs/blackbox/functionalprep.sh ++++ b/testprogs/blackbox/functionalprep.sh +@@ -61,7 +61,7 @@ provision_2012r2() { + ldapcmp_ignore() { + # At some point we will need to ignore, but right now, it should be perfect + IGNORE_ATTRS=$1 +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes + } + + ldapcmp() { +diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh +index cfa245fd4de..6a2595cd684 100755 +--- a/testprogs/blackbox/test_export_keytab_heimdal.sh ++++ b/testprogs/blackbox/test_export_keytab_heimdal.sh +@@ -43,7 +43,7 @@ test_keytab() { + + echo "test: $testname" + +- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour") ++ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") + status=$? + if [ x$status != x0 ]; then + echo "failure: $testname" +@@ -64,22 +64,22 @@ unc="//$SERVER/tmp" + testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1` + + testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + + testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + + testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + + testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5 ++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 + + KRB5CCNAME="$PREFIX/tmpuserccache" + export KRB5CCNAME +diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh +index 76276168011..208baa54a02 100755 +--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh ++++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh +@@ -106,7 +106,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE != x"alpha13" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +-- +2.23.0 + diff --git a/0002-CVE-2019-10218.patch b/0002-CVE-2019-10218.patch deleted file mode 100644 index d610db78b33d8e4500decaf72ee553c82615e334..0000000000000000000000000000000000000000 --- a/0002-CVE-2019-10218.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 167f78aa97af6502cb2027dc9dad40399b0a9c4f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 6 Aug 2019 12:08:09 -0700 -Subject: [PATCH 2/7] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code - from evil server returned names. - -Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 - -Signed-off-by: Jeremy Allison ---- - source3/libsmb/cli_smb2_fnum.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c -index 1cfa50ffbac..3cdf68dc24b 100644 ---- a/source3/libsmb/cli_smb2_fnum.c -+++ b/source3/libsmb/cli_smb2_fnum.c -@@ -1017,6 +1017,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, - goto fail; - } - -+ /* Protect against server attack. */ -+ status = is_bad_finfo_name(cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(cli->conn, status); -+ goto fail; -+ } -+ - if (dir_check_ftype((uint32_t)finfo->mode, - (uint32_t)attribute)) { - /* --- -2.17.1 - diff --git a/0002-CVE-2019-14833.patch b/0002-CVE-2019-14833.patch deleted file mode 100644 index 3bb1997f7e0d6f83643c3dd279aeee5160e2dda9..0000000000000000000000000000000000000000 --- a/0002-CVE-2019-14833.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 70078d4ddf3b842eeadee058dadeef82ec4edf0b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= -Date: Tue, 6 Aug 2019 16:32:32 +0200 -Subject: [PATCH 4/7] CVE-2019-14833 dsdb: send full password to check password - script -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -utf8_len represents the number of characters (not bytes) of the -password. If the password includes multi-byte characters it is required -to write the total number of bytes to the check password script. -Otherwise the last bytes of the password string would be ignored. - -Therefore we rename utf8_len to be clear what it does and does -not represent. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12438 - -Signed-off-by: Bj枚rn Baumbach -Signed-off-by: Andrew Bartlett ---- - selftest/knownfail.d/unacceptable-passwords | 1 - - source4/dsdb/common/util.c | 33 +++++++++++++++++---- - 2 files changed, 27 insertions(+), 7 deletions(-) - delete mode 100644 selftest/knownfail.d/unacceptable-passwords - -diff --git a/selftest/knownfail.d/unacceptable-passwords b/selftest/knownfail.d/unacceptable-passwords -deleted file mode 100644 -index 75fa2fc32b8..00000000000 ---- a/selftest/knownfail.d/unacceptable-passwords -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.samba_tool.user_check_password_script.samba.tests.samba_tool.user_check_password_script.UserCheckPwdTestCase.test_checkpassword_unacceptable\(chgdcpass:local\) -\ No newline at end of file -diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c -index 18f700370a3..c7893bff43b 100644 ---- a/source4/dsdb/common/util.c -+++ b/source4/dsdb/common/util.c -@@ -2088,21 +2088,36 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, - const uint32_t pwdProperties, - const uint32_t minPwdLength) - { -- const char *utf8_pw = (const char *)utf8_blob->data; -- size_t utf8_len = strlen_m(utf8_pw); - char *password_script = NULL; -+ const char *utf8_pw = (const char *)utf8_blob->data; -+ -+ /* -+ * This looks strange because it is. -+ * -+ * The check for the number of characters in the password -+ * should clearly not be against the byte length, or else a -+ * single UTF8 character would count for more than one. -+ * -+ * We have chosen to use the number of 16-bit units that the -+ * password encodes to as the measure of length. This is not -+ * the same as the number of codepoints, if a password -+ * contains a character beyond the Basic Multilingual Plane -+ * (above 65535) it will count for more than one "character". -+ */ -+ -+ size_t password_characters_roughly = strlen_m(utf8_pw); - - /* checks if the "minPwdLength" property is satisfied */ -- if (minPwdLength > utf8_len) { -+ if (minPwdLength > password_characters_roughly) { - return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT; - } - -- /* checks the password complexity */ -+ /* We might not be asked to check the password complexity */ - if (!(pwdProperties & DOMAIN_PASSWORD_COMPLEX)) { - return SAMR_VALIDATION_STATUS_SUCCESS; - } - -- if (utf8_len == 0) { -+ if (password_characters_roughly == 0) { - return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH; - } - -@@ -2110,6 +2125,7 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, - if (password_script != NULL && *password_script != '\0') { - int check_ret = 0; - int error = 0; -+ ssize_t nwritten = 0; - struct tevent_context *event_ctx = NULL; - struct tevent_req *req = NULL; - struct samba_runcmd_state *run_cmd = NULL; -@@ -2134,7 +2150,12 @@ enum samr_ValidationStatus samdb_check_password(TALLOC_CTX *mem_ctx, - tevent_timeval_current_ofs(10, 0), - 100, 100, cmd, NULL); - run_cmd = tevent_req_data(req, struct samba_runcmd_state); -- if (write(run_cmd->fd_stdin, utf8_pw, utf8_len) != utf8_len) { -+ nwritten = write(run_cmd->fd_stdin, -+ utf8_blob->data, -+ utf8_blob->length); -+ if (nwritten != utf8_blob->length) { -+ close(run_cmd->fd_stdin); -+ run_cmd->fd_stdin = -1; - TALLOC_FREE(password_script); - TALLOC_FREE(event_ctx); - return SAMR_VALIDATION_STATUS_PASSWORD_FILTER_ERROR; --- -2.17.1 diff --git a/0002-CVE-2019-14847.patch b/0002-CVE-2019-14847.patch deleted file mode 100644 index 9de3f1d214c016ecb6ebe8dc15a31b5bc72a6445..0000000000000000000000000000000000000000 --- a/0002-CVE-2019-14847.patch +++ /dev/null @@ -1,72 +0,0 @@ -From bdb3e3f669bd991da819040e726e003e4e2b841d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 15 Oct 2019 16:28:46 +1300 -Subject: [PATCH 6/7] CVE-2019-14847 dsdb: Demonstrate the correct interaction - of ranged_results style attributes and dirsync - -Incremental results are provided by a flag on the dirsync control, not -by changing the attribute name. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040 - -Signed-off-by: Andrew Bartlett ---- - selftest/knownfail.d/dirsync | 1 + - source4/dsdb/tests/python/dirsync.py | 26 ++++++++++++++++++++++++++ - 2 files changed, 27 insertions(+) - create mode 100644 selftest/knownfail.d/dirsync - -diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync -new file mode 100644 -index 00000000000..bc49fe0d9bb ---- /dev/null -+++ b/selftest/knownfail.d/dirsync -@@ -0,0 +1 @@ -+^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\( -\ No newline at end of file -diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py -index 136f4d3bba6..b6f7022a50b 100755 ---- a/source4/dsdb/tests/python/dirsync.py -+++ b/source4/dsdb/tests/python/dirsync.py -@@ -28,6 +28,7 @@ from samba.tests.subunitrun import TestProgram, SubunitOptions - import samba.getopt as options - import base64 - -+import ldb - from ldb import LdbError, SCOPE_BASE - from ldb import Message, MessageElement, Dn - from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE -@@ -590,6 +591,31 @@ class SimpleDirsyncTests(DirsyncBaseTests): - - class ExtendedDirsyncTests(SimpleDirsyncTests): - -+ def test_dirsync_linkedattributes_range(self): -+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass) -+ res = self.ldb_admin.search(self.base_dn, -+ attrs=["member;range=1-1"], -+ expression="(name=Administrators)", -+ controls=["dirsync:1:0:0"]) -+ -+ self.assertTrue(len(res) > 0) -+ self.assertTrue(res[0].get("member;range=1-1") is None) -+ self.assertTrue(res[0].get("member") is not None) -+ self.assertTrue(len(res[0].get("member")) > 0) -+ -+ def test_dirsync_linkedattributes_range_user(self): -+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass) -+ try: -+ res = self.ldb_simple.search(self.base_dn, -+ attrs=["member;range=1-1"], -+ expression="(name=Administrators)", -+ controls=["dirsync:1:0:0"]) -+ except LdbError as e: -+ (num, _) = e.args -+ self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS) -+ else: -+ self.fail() -+ - def test_dirsync_linkedattributes(self): - flag_incr_linked = 2147483648 - self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass) --- -2.17.1 diff --git a/0002-CVE-2019-3824.patch b/0002-CVE-2019-3824.patch deleted file mode 100644 index 49f7c27ef80d54276e5c1a8c607ba5c7549f7064..0000000000000000000000000000000000000000 --- a/0002-CVE-2019-3824.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 745b99fc6b75db33cdb0a58df1a3f2a5063bc76e Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Mon, 4 Feb 2019 11:22:34 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap - in wildcard processing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - lib/ldb/common/ldb_match.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c -index 8eeedfb12e0..1920b661f75 100644 ---- a/lib/ldb/common/ldb_match.c -+++ b/lib/ldb/common/ldb_match.c -@@ -306,12 +306,33 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, - p = memmem((const void *)val.data,val.length, - (const void *)cnk.data, cnk.length); - if (p == NULL) goto mismatch; -+ -+ /* -+ * At this point we know cnk.length <= val.length as -+ * otherwise there could be no match -+ */ -+ - if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) { - uint8_t *g; - uint8_t *end = val.data + val.length; - do { /* greedy */ -- g = memmem(p + cnk.length, -- end - (p + cnk.length), -+ -+ /* -+ * haystack is a valid pointer in val -+ * because the memmem() can only -+ * succeed if the needle (cnk.length) -+ * is <= haystacklen -+ * -+ * p will be a pointer at least -+ * cnk.length from the end of haystack -+ */ -+ uint8_t *haystack -+ = p + cnk.length; -+ size_t haystacklen -+ = end - (haystack); -+ -+ g = memmem(haystack, -+ haystacklen, - (const uint8_t *)cnk.data, - cnk.length); - if (g) p = g; --- -2.24.0 diff --git a/0002-samba-tool-create-working-private-krb5.conf.patch b/0002-samba-tool-create-working-private-krb5.conf.patch new file mode 100644 index 0000000000000000000000000000000000000000..643d3676dac3cbf3336ce9bbe66bda96c5374763 --- /dev/null +++ b/0002-samba-tool-create-working-private-krb5.conf.patch @@ -0,0 +1,42 @@ +From 5a084994144704a6c146b94f8a22cf57ce08deab Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 7 Oct 2019 18:24:28 +0300 +Subject: [PATCH] samba-tool: create working private krb5.conf + +DNS update tool uses private krb5.conf which should have enough details +to authenticate with GSS-TSIG when running nsupdate. + +Unfortunately, the configuration we provide is not enough. We set +defaults to not lookup REALM via DNS but at the same time we don't +provide any realm definition. As result, MIT Kerberos cannot actually +find a working realm for Samba AD deployment because it cannot query DNS +for a realm discovery or pick it up from the configuration. + +Extend private krb5.conf with a realm definition that will allow MIT +Kerberos to look up KDC over DNS. + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +--- + source4/setup/krb5.conf | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf +index b1bf6cf907d..ad6f2818fb5 100644 +--- a/source4/setup/krb5.conf ++++ b/source4/setup/krb5.conf +@@ -2,3 +2,11 @@ + default_realm = ${REALM} + dns_lookup_realm = false + dns_lookup_kdc = true ++ ++[realms] ++${REALM} = { ++ default_domain = ${DNSDOMAIN} ++} ++ ++[domain_realm] ++ ${HOSTNAME} = ${REALM} +-- +2.21.0 + diff --git a/0003-CVE-2019-14847.patch b/0003-CVE-2019-14847.patch deleted file mode 100644 index d763d5b0493de639377f4df593069881db69f310..0000000000000000000000000000000000000000 --- a/0003-CVE-2019-14847.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 77b10b360f4ffb7ac90bc5fce0a80306515c1aca Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 15 Oct 2019 15:44:34 +1300 -Subject: [PATCH 7/7] CVE-2019-14847 dsdb: Correct behaviour of ranged_results - when combined with dirsync - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040 - -Signed-off-by: Andrew Bartlett ---- - selftest/knownfail.d/dirsync | 1 - - source4/dsdb/samdb/ldb_modules/dirsync.c | 11 ++++---- - .../dsdb/samdb/ldb_modules/ranged_results.c | 25 ++++++++++++++++--- - 3 files changed, 28 insertions(+), 9 deletions(-) - delete mode 100644 selftest/knownfail.d/dirsync - -diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync -deleted file mode 100644 -index bc49fe0d9bb..00000000000 ---- a/selftest/knownfail.d/dirsync -+++ /dev/null -@@ -1 +0,0 @@ --^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\( -\ No newline at end of file -diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c -index 62a66fef8d4..4ac5faad403 100644 ---- a/source4/dsdb/samdb/ldb_modules/dirsync.c -+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c -@@ -998,7 +998,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req - } - - /* -- * check if there's an extended dn control -+ * check if there's a dirsync control - */ - control = ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID); - if (control == NULL) { -@@ -1327,11 +1327,12 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req - - } - /* -- * Remove our control from the list of controls -+ * Mark dirsync control as uncritical (done) -+ * -+ * We need this so ranged_results knows how to behave with -+ * dirsync - */ -- if (!ldb_save_controls(control, req, NULL)) { -- return ldb_operr(ldb); -- } -+ control->critical = false; - dsc->schema = dsdb_get_schema(ldb, dsc); - /* - * At the begining we make the hypothesis that we will return a complete -diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c -index 13bf3a2d0a9..98438799997 100644 ---- a/source4/dsdb/samdb/ldb_modules/ranged_results.c -+++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c -@@ -35,14 +35,14 @@ - struct rr_context { - struct ldb_module *module; - struct ldb_request *req; -+ bool dirsync_in_use; - }; - - static struct rr_context *rr_init_context(struct ldb_module *module, - struct ldb_request *req) - { -- struct rr_context *ac; -- -- ac = talloc_zero(req, struct rr_context); -+ struct ldb_control *dirsync_control = NULL; -+ struct rr_context *ac = talloc_zero(req, struct rr_context); - if (ac == NULL) { - ldb_set_errstring(ldb_module_get_ctx(module), "Out of Memory"); - return NULL; -@@ -51,6 +51,16 @@ static struct rr_context *rr_init_context(struct ldb_module *module, - ac->module = module; - ac->req = req; - -+ /* -+ * check if there's a dirsync control (as there is an -+ * interaction between these modules) -+ */ -+ dirsync_control = ldb_request_get_control(req, -+ LDB_CONTROL_DIRSYNC_OID); -+ if (dirsync_control != NULL) { -+ ac->dirsync_in_use = true; -+ } -+ - return ac; - } - -@@ -82,6 +92,15 @@ static int rr_search_callback(struct ldb_request *req, struct ldb_reply *ares) - ares->response, ares->error); - } - -+ if (ac->dirsync_in_use) { -+ /* -+ * We return full attribute values when mixed with -+ * dirsync -+ */ -+ return ldb_module_send_entry(ac->req, -+ ares->message, -+ ares->controls); -+ } - /* LDB_REPLY_ENTRY */ - - temp_ctx = talloc_new(ac->req); --- -2.17.1 - diff --git a/0003-CVE-2019-3824.patch b/0003-CVE-2019-3824.patch deleted file mode 100644 index 2f3dbb5945274f8fc41177df4e14b75b86b69365..0000000000000000000000000000000000000000 --- a/0003-CVE-2019-3824.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 9427806f7298d71bd7edfbdda7506ec63f15dda1 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Mon, 4 Feb 2019 11:22:50 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: Improve code style and layout in wildcard - processing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - lib/ldb/common/ldb_match.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c -index 1920b661f75..ab0a89888f0 100644 ---- a/lib/ldb/common/ldb_match.c -+++ b/lib/ldb/common/ldb_match.c -@@ -333,9 +333,11 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, - - g = memmem(haystack, - haystacklen, -- (const uint8_t *)cnk.data, -- cnk.length); -- if (g) p = g; -+ (const uint8_t *)cnk.data, -+ cnk.length); -+ if (g) { -+ p = g; -+ } - } while(g); - } - val.length = val.length - (p - (uint8_t *)(val.data)) - cnk.length; --- -2.24.0 diff --git a/0004-CVE-2019-3824.patch b/0004-CVE-2019-3824.patch deleted file mode 100644 index 85c1cfd1151efa5ea0838750465f2d8c9695fdeb..0000000000000000000000000000000000000000 --- a/0004-CVE-2019-3824.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 8d34d172092f71baad0d777567e49aebfa07313d Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 19 Feb 2019 10:25:24 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero - -Initialise the created ldb_parse_tree with talloc_zero, this ensures -that it is correctly initialised if inadvertently passed to a function -expecting a different operation type. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - lib/ldb/common/ldb_parse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c -index 5fa5a74afa9..db420091311 100644 ---- a/lib/ldb/common/ldb_parse.c -+++ b/lib/ldb/common/ldb_parse.c -@@ -389,7 +389,7 @@ static struct ldb_parse_tree *ldb_parse_simple(TALLOC_CTX *mem_ctx, const char * - struct ldb_parse_tree *ret; - enum ldb_parse_op filtertype; - -- ret = talloc(mem_ctx, struct ldb_parse_tree); -+ ret = talloc_zero(mem_ctx, struct ldb_parse_tree); - if (!ret) { - errno = ENOMEM; - return NULL; --- -2.24.0 diff --git a/0005-CVE-2019-3824.patch b/0005-CVE-2019-3824.patch deleted file mode 100644 index bb41724d5be3c4f846a3702b94cd2894bba47741..0000000000000000000000000000000000000000 --- a/0005-CVE-2019-3824.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 34383981a0c40860f71a4451ff8fd752e1b67666 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 19 Feb 2019 10:26:25 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: wildcard_match check tree operation - -Check the operation type of the passed parse tree, and return -LDB_INAPPROPRIATE_MATCH if the operation is not LDB_OP_SUBSTRING. - -A query of "attribute=*" gets parsed as LDB_OP_PRESENT, checking the -operation and failing ldb_wildcard_match should help prevent confusion -writing tests. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - lib/ldb/common/ldb_match.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c -index ab0a89888f0..59f48b52b70 100644 ---- a/lib/ldb/common/ldb_match.c -+++ b/lib/ldb/common/ldb_match.c -@@ -244,6 +244,11 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, - uint8_t *save_p = NULL; - unsigned int c = 0; - -+ if (tree->operation != LDB_OP_SUBSTRING) { -+ *matched = false; -+ return LDB_ERR_INAPPROPRIATE_MATCHING; -+ } -+ - a = ldb_schema_attribute_by_name(ldb, tree->u.substring.attr); - if (!a) { - return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX; --- -2.24.0 diff --git a/0006-CVE-2019-3824.patch b/0006-CVE-2019-3824.patch deleted file mode 100644 index e6d651d026497ddbadff71db35d94776fc202e9e..0000000000000000000000000000000000000000 --- a/0006-CVE-2019-3824.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 42f0f57eb819ce6b68a8c5b3b53123b83ec917e3 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 19 Feb 2019 10:26:56 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: wildcard_match end of data check - -ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' -to the data, to make them safe to use the C string functions on. - -However testing for the trailing '\0' is not the correct way to test for -the end of a value, the length should be checked instead. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - lib/ldb/common/ldb_match.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c -index 59f48b52b70..829afa77e71 100644 ---- a/lib/ldb/common/ldb_match.c -+++ b/lib/ldb/common/ldb_match.c -@@ -353,7 +353,7 @@ static int ldb_wildcard_compare(struct ldb_context *ldb, - } - - /* last chunk may not have reached end of string */ -- if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto mismatch; -+ if ( (! tree->u.substring.end_with_wildcard) && (val.length != 0) ) goto mismatch; - talloc_free(save_p); - *matched = true; - return LDB_SUCCESS; --- -2.24.0 diff --git a/0007-CVE-2019-3824.patch b/0007-CVE-2019-3824.patch deleted file mode 100644 index 80ac0fe827c7425ca9a4a0965ff482a19cde41cf..0000000000000000000000000000000000000000 --- a/0007-CVE-2019-3824.patch +++ /dev/null @@ -1,270 +0,0 @@ -From 45b75db50f5c1a7c8c38af59a62fccee5401c845 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 19 Feb 2019 10:24:38 +1300 -Subject: [PATCH] CVE-2019-3824 ldb: Add tests for ldb_wildcard_match - -Add cmocka tests for ldb_wildcard_match. - -Running test_wildcard_match under valgrind reproduces - CVE-2019-3824 out of bounds read in wildcard compare (bug 13773) - - valgrind --suppressions=lib/ldb/tests/ldb_match_test.valgrind\ - bin/ldb_match_test - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - lib/ldb/tests/ldb_match_test.c | 191 ++++++++++++++++++++++++++ - lib/ldb/tests/ldb_match_test.valgrind | 16 +++ - lib/ldb/wscript | 8 +- - 3 files changed, 214 insertions(+), 1 deletion(-) - create mode 100644 lib/ldb/tests/ldb_match_test.c - create mode 100644 lib/ldb/tests/ldb_match_test.valgrind - -diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c -new file mode 100644 -index 00000000000..e09f50c86ba ---- /dev/null -+++ b/lib/ldb/tests/ldb_match_test.c -@@ -0,0 +1,191 @@ -+/* -+ * Tests exercising the ldb match operations. -+ * -+ * -+ * Copyright (C) Catalyst.NET Ltd 2017 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ * -+ */ -+ -+/* -+ * from cmocka.c: -+ * These headers or their equivalents should be included prior to -+ * including -+ * this header file. -+ * -+ * #include -+ * #include -+ * #include -+ * -+ * This allows test applications to use custom definitions of C standard -+ * library functions and types. -+ */ -+#include -+#include -+#include -+#include -+#include -+ -+#include "../common/ldb_match.c" -+ -+#include "../include/ldb.h" -+ -+struct ldbtest_ctx { -+ struct tevent_context *ev; -+ struct ldb_context *ldb; -+}; -+ -+static int ldb_test_canonicalise( -+ struct ldb_context *ldb, -+ void *mem_ctx, -+ const struct ldb_val *in, -+ struct ldb_val *out) -+{ -+ out->length = in->length; -+ out->data = in->data; -+ return 0; -+} -+ -+static int setup(void **state) -+{ -+ struct ldbtest_ctx *test_ctx; -+ struct ldb_schema_syntax *syntax = NULL; -+ int ret; -+ -+ test_ctx = talloc_zero(NULL, struct ldbtest_ctx); -+ assert_non_null(test_ctx); -+ -+ test_ctx->ev = tevent_context_init(test_ctx); -+ assert_non_null(test_ctx->ev); -+ -+ test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev); -+ assert_non_null(test_ctx->ldb); -+ -+ syntax = talloc_zero(test_ctx, struct ldb_schema_syntax); -+ assert_non_null(syntax); -+ syntax->canonicalise_fn = ldb_test_canonicalise; -+ -+ ret = ldb_schema_attribute_add_with_syntax( -+ test_ctx->ldb, "a", LDB_ATTR_FLAG_FIXED, syntax); -+ assert_int_equal(LDB_SUCCESS, ret); -+ -+ *state = test_ctx; -+ return 0; -+} -+ -+static int teardown(void **state) -+{ -+ talloc_free(*state); -+ return 0; -+} -+ -+ -+/* -+ * The wild card pattern "attribute=*" is parsed as an LDB_OP_PRESENT operation -+ * rather than a LDB_OP_???? -+ * -+ * This test serves to document that behaviour, and to confirm that -+ * ldb_wildcard_compare handles this case appropriately. -+ */ -+static void test_wildcard_match_star(void **state) -+{ -+ struct ldbtest_ctx *ctx = *state; -+ bool matched = false; -+ int ret; -+ -+ uint8_t value[] = "The value.......end"; -+ struct ldb_val val = { -+ .data = value, -+ .length = (sizeof(value)) -+ }; -+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "a=*"); -+ assert_non_null(tree); -+ -+ ret = ldb_wildcard_compare(ctx->ldb, tree, val, &matched); -+ assert_false(matched); -+ assert_int_equal(LDB_ERR_INAPPROPRIATE_MATCHING, ret); -+} -+ -+/* -+ * Test basic wild card matching -+ * -+ */ -+static void test_wildcard_match(void **state) -+{ -+ struct ldbtest_ctx *ctx = *state; -+ bool matched = false; -+ -+ uint8_t value[] = "The value.......end"; -+ struct ldb_val val = { -+ .data = value, -+ .length = (sizeof(value)) -+ }; -+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "objectClass=*end"); -+ assert_non_null(tree); -+ -+ ldb_wildcard_compare(ctx->ldb, tree, val, &matched); -+ assert_true(matched); -+} -+ -+ -+/* -+ * ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' -+ * to the data, to make them safe to use the C string functions on. -+ * -+ * However testing for the trailing '\0' is not the correct way to test for -+ * the end of a value, the length should be checked instead. -+ */ -+static void test_wildcard_match_end_condition(void **state) -+{ -+ struct ldbtest_ctx *ctx = *state; -+ bool matched = false; -+ -+ uint8_t value[] = "hellomynameisbobx"; -+ struct ldb_val val = { -+ .data = talloc_memdup(NULL, value, sizeof(value)), -+ .length = (sizeof(value) - 2) -+ }; -+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, "a=*hello*mynameis*bob"); -+ assert_non_null(tree); -+ -+ ldb_wildcard_compare(ctx->ldb, tree, val, &matched); -+ assert_true(matched); -+} -+ -+/* -+ * Note: to run under valgrind use: -+ * valgrind \ -+ * --suppressions=lib/ldb/tests/ldb_match_test.valgrind \ -+ * bin/ldb_match_test -+ */ -+int main(int argc, const char **argv) -+{ -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test_setup_teardown( -+ test_wildcard_match_star, -+ setup, -+ teardown), -+ cmocka_unit_test_setup_teardown( -+ test_wildcard_match, -+ setup, -+ teardown), -+ cmocka_unit_test_setup_teardown( -+ test_wildcard_match_end_condition, -+ setup, -+ teardown), -+ }; -+ -+ return cmocka_run_group_tests(tests, NULL, NULL); -+} -diff --git a/lib/ldb/tests/ldb_match_test.valgrind b/lib/ldb/tests/ldb_match_test.valgrind -new file mode 100644 -index 00000000000..660bd5a6b46 ---- /dev/null -+++ b/lib/ldb/tests/ldb_match_test.valgrind -@@ -0,0 +1,16 @@ -+{ -+ Memory allocated in set-up -+ Memcheck:Leak -+ match-leak-kinds: possible -+ fun:malloc -+ ... -+ fun:setup -+} -+{ -+ Memory allocated by ldb_init -+ Memcheck:Leak -+ match-leak-kinds: possible -+ fun:malloc -+ ... -+ fun:ldb_init -+} -diff --git a/lib/ldb/wscript b/lib/ldb/wscript -index 6e224e7b4b7..5355585f69c 100644 ---- a/lib/ldb/wscript -+++ b/lib/ldb/wscript -@@ -500,6 +500,11 @@ def build(bld): - deps='cmocka ldb', - install=False) - -+ bld.SAMBA_BINARY('ldb_match_test', -+ source='tests/ldb_match_test.c', -+ deps='cmocka ldb', -+ install=False) -+ - if bld.CONFIG_SET('HAVE_LMDB'): - bld.SAMBA_BINARY('ldb_mdb_mod_op_test', - source='tests/ldb_mod_op_test.c', -@@ -567,7 +572,8 @@ def test(ctx): - # we don't want to run ldb_lmdb_size_test (which proves we can - # fit > 4G of data into the DB), it would fill up the disk on - # many of our test instances -- 'ldb_mdb_kv_ops_test'] -+ 'ldb_mdb_kv_ops_test', -+ 'ldb_match_test'] - - for test_exe in test_exes: - cmd = os.path.join(Utils.g_module.blddir, test_exe) diff --git a/CVE-2018-14629.patch b/CVE-2018-14629.patch deleted file mode 100644 index 3594dd6c318b5f0ebc985a53a10952583b082e04..0000000000000000000000000000000000000000 --- a/CVE-2018-14629.patch +++ /dev/null @@ -1,92 +0,0 @@ -From bf596c14c2462b9a15ea738ef4f32b3abb8b63d1 Mon Sep 17 00:00:00 2001 -From: Aaron Haslett -Date: Tue, 23 Oct 2018 17:25:51 +1300 -Subject: [PATCH 01/17] CVE-2018-14629 dns: CNAME loop prevention using counter - -Count number of answers generated by internal DNS query routine and stop at -20 to match Microsoft's loop prevention mechanism. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 - -Signed-off-by: Aaron Haslett -Reviewed-by: Andrew Bartlett -Reviewed-by: Garming Sam ---- - python/samba/tests/dns.py | 22 ++++++++++++++++++++++ - selftest/knownfail.d/dns | 6 ++++++ - source4/dns_server/dns_query.c | 6 ++++++ - 3 files changed, 34 insertions(+) - -diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py -index 6771e3bb8c4..3e6306e2be8 100644 ---- a/python/samba/tests/dns.py -+++ b/python/samba/tests/dns.py -@@ -844,6 +844,28 @@ class TestComplexQueries(DNSTest): - self.assertEquals(response.answers[1].name, name2) - self.assertEquals(response.answers[1].rdata, name0) - -+ def test_cname_loop(self): -+ cname1 = "cnamelooptestrec." + self.get_dns_domain() -+ cname2 = "cnamelooptestrec2." + self.get_dns_domain() -+ cname3 = "cnamelooptestrec3." + self.get_dns_domain() -+ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME) -+ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME) -+ self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME) -+ -+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY) -+ questions = [] -+ -+ q = self.make_name_question(cname1, -+ dns.DNS_QTYPE_A, -+ dns.DNS_QCLASS_IN) -+ questions.append(q) -+ self.finish_name_packet(p, questions) -+ -+ (response, response_packet) =\ -+ self.dns_transaction_udp(p, host=self.server_ip) -+ -+ max_recursion_depth = 20 -+ self.assertEquals(len(response.answers), max_recursion_depth) - - class TestInvalidQueries(DNSTest): - def setUp(self): -diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns -index a5176654cc2..a248432aafa 100644 ---- a/selftest/knownfail.d/dns -+++ b/selftest/knownfail.d/dns -@@ -69,3 +69,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) - - # The SOA override should not pass against the RODC, it must not overstamp - samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) -+ -+# -+# rodc and vampire_dc require signed dns updates, so the test setup -+# fails, but the test does run on fl2003dc -+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\) -+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\) -diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c -index 923f7233eb9..65faeac3b6a 100644 ---- a/source4/dns_server/dns_query.c -+++ b/source4/dns_server/dns_query.c -@@ -40,6 +40,7 @@ - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_DNS -+#define MAX_Q_RECURSION_DEPTH 20 - - struct forwarder_string { - const char *forwarder; -@@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send( - state->answers = answers; - state->nsrecs = nsrecs; - -+ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) { -+ tevent_req_done(req); -+ return tevent_req_post(req, ev); -+ } -+ - resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && - ((question->question_type == DNS_QTYPE_A) || - (question->question_type == DNS_QTYPE_AAAA))); --- -2.17.1 diff --git a/CVE-2018-16841-1.patch b/CVE-2018-16841-1.patch deleted file mode 100644 index 950966015c9c438382b6a3b532443cb74bd699dc..0000000000000000000000000000000000000000 --- a/CVE-2018-16841-1.patch +++ /dev/null @@ -1,41 +0,0 @@ -From b38900c353ca92365f144734c99d156cc39611d4 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 23 Oct 2018 17:33:46 +1300 -Subject: [PATCH 3/5] CVE-2018-16841 heimdal: Fix segfault on PKINIT with - mis-matching principal - -In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free -mem_ctx. - -This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the -MIT KDC effort. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - source4/kdc/db-glue.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index 8ccc34cd665..519060a5641 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context, - * comparison */ - if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) { - talloc_free(mem_ctx); --#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */ -- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; --#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */ -+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */ - return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; -+#else /* Heimdal (where this is an enum) */ -+ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; - #endif - } - --- -2.11.0 - diff --git a/CVE-2018-16841-2.patch b/CVE-2018-16841-2.patch deleted file mode 100644 index a06be6074d9cb7f9c0f4c37e47a77b025ca3a92a..0000000000000000000000000000000000000000 --- a/CVE-2018-16841-2.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 58733073f6eb78e8b157ee55493e92ffa361b73c Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Wed, 24 Oct 2018 15:41:28 +1300 -Subject: [PATCH 4/5] CVE-2018-16841 selftest: Check for mismatching principal - in certficate compared with principal in AS-REQ - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh -index 0a13aa293e7..0912e0dbfe8 100755 ---- a/testprogs/blackbox/test_pkinit_heimdal.sh -+++ b/testprogs/blackbox/test_pkinit_heimdal.sh -@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque - testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` - test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` - -+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1` -+ -+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1` -+ - testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` - testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` - test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` - -+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1` -+ -+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1` -+ - testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` - testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` - test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` --- -2.11.0 - - diff --git a/CVE-2018-16851.patch b/CVE-2018-16851.patch deleted file mode 100644 index 2be7d22a0d411cadc60421984df5a819a9cc80f7..0000000000000000000000000000000000000000 --- a/CVE-2018-16851.patch +++ /dev/null @@ -1,43 +0,0 @@ -From f33f52c366f7cf140f470de44579dcb7eb832629 Mon Sep 17 00:00:00 2001 -From: Garming Sam -Date: Mon, 5 Nov 2018 16:18:18 +1300 -Subject: [PATCH 07/17] CVE-2018-16851 ldap_server: Check ret before - manipulating blob - -In the case of hitting the talloc ~256MB limit, this causes a crash in -the server. - -Note that you would actually need to load >256MB of data into the LDAP. -Although there is some generated/hidden data which would help you reach that -limit (descriptors and RMD blobs). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674 - -Signed-off-by: Garming Sam -Reviewed-by: Andrew Bartlett ---- - source4/ldap_server/ldap_server.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c -index b5251e3623e..bc2f54bc146 100644 ---- a/source4/ldap_server/ldap_server.c -+++ b/source4/ldap_server/ldap_server.c -@@ -690,13 +690,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call) - ret = data_blob_append(call, &blob, b.data, b.length); - data_blob_free(&b); - -- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); -- - if (!ret) { - ldapsrv_terminate_connection(conn, "data_blob_append failed"); - return; - } - -+ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); -+ - DLIST_REMOVE(call->replies, call->replies); - } - --- -2.17.1 diff --git a/CVE-2018-16852-1.patch b/CVE-2018-16852-1.patch deleted file mode 100644 index fc2e900260024d55b1fbff1abd49bc7c10fbaccd..0000000000000000000000000000000000000000 --- a/CVE-2018-16852-1.patch +++ /dev/null @@ -1,398 +0,0 @@ -From f40e1b3b42ce23b574a4c530545ff8170ddc7330 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 6 Nov 2018 12:10:07 +1300 -Subject: [PATCH 04/17] CVE-2018-16852 dcerpc dnsserver: Verification tests - -Tests to verify -Bug 13669 - (CVE-2018-16852) NULL - pointer de-reference in Samba AD DC DNS management - -The presence of the ZONE_MASTER_SERVERS property or the -ZONE_SCAVENGING_SERVERS property in a zone record causes the server to -follow a null pointer and terminate. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 - -Reviewed-by: Andrew Bartlett -Signed-off-by: Gary Lockyer ---- - selftest/knownfail.d/bug13669 | 4 + - .../tests/rpc_dns_server_dnsutils_test.c | 304 ++++++++++++++++++ - source4/rpc_server/wscript_build | 17 +- - source4/selftest/tests.py | 2 + - 4 files changed, 325 insertions(+), 2 deletions(-) - create mode 100644 selftest/knownfail.d/bug13669 - create mode 100644 source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c - -diff --git a/selftest/knownfail.d/bug13669 b/selftest/knownfail.d/bug13669 -new file mode 100644 -index 00000000000..74c8c130674 ---- /dev/null -+++ b/selftest/knownfail.d/bug13669 -@@ -0,0 +1,4 @@ -+^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_master_servers_empty -+^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_master_servers -+^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_scavenging_servers_empty -+^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_scavenging_servers -diff --git a/source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c b/source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c -new file mode 100644 -index 00000000000..89721135658 ---- /dev/null -+++ b/source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c -@@ -0,0 +1,304 @@ -+/* -+ * Unit tests for source4/rpc_server/dnsserver/dnsutils.c -+ * -+ * Copyright (C) Catalyst.NET Ltd 2018 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ * -+ */ -+ -+/* -+ * from cmocka.c: -+ * These headers or their equivalents should be included prior to -+ * including -+ * this header file. -+ * -+ * #include -+ * #include -+ * #include -+ * -+ * This allows test applications to use custom definitions of C standard -+ * library functions and types. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+ -+ -+#include "../dnsserver/dnsutils.c" -+ -+ -+/* -+ * Test setting of an empty ZONE_MASTER_SERVERS property -+ */ -+static void test_dnsserver_init_zoneinfo_master_servers_empty(void **state) -+{ -+ struct dnsserver_zone *zone = NULL; -+ struct dnsserver_serverinfo *serverinfo = NULL; -+ struct dnsserver_zoneinfo *zoneinfo = NULL; -+ struct dnsp_DnsProperty *property = NULL; -+ -+ TALLOC_CTX *ctx = talloc_new(NULL); -+ -+ /* -+ * Setup the zone data -+ */ -+ zone = talloc_zero(ctx, struct dnsserver_zone); -+ assert_non_null(zone); -+ zone->name = "test"; -+ -+ /* -+ * Set up an empty ZONE_MASTER_SERVERS property -+ */ -+ property = talloc_zero_array(ctx, struct dnsp_DnsProperty, 1); -+ assert_non_null(property); -+ property->id = DSPROPERTY_ZONE_MASTER_SERVERS; -+ property->data.master_servers.addrCount = 0; -+ property->data.master_servers.addr = NULL; -+ -+ zone->tmp_props = property; -+ zone->num_props = 1; -+ -+ -+ /* -+ * Setup the server info -+ */ -+ serverinfo = talloc_zero(ctx, struct dnsserver_serverinfo); -+ assert_non_null(serverinfo); -+ -+ /* -+ * call dnsserver_init_zoneinfo -+ */ -+ zoneinfo = dnsserver_init_zoneinfo(zone, serverinfo); -+ -+ /* -+ * Check results -+ */ -+ assert_non_null(zoneinfo); -+ assert_non_null(zoneinfo->aipLocalMasters); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrCount, 0); -+ assert_null(zoneinfo->aipLocalMasters->AddrArray); -+ -+ TALLOC_FREE(ctx); -+} -+ -+/* -+ * Test setting of a non empty ZONE_MASTER_SERVERS property -+ */ -+static void test_dnsserver_init_zoneinfo_master_servers(void **state) -+{ -+ struct dnsserver_zone *zone = NULL; -+ struct dnsserver_serverinfo *serverinfo = NULL; -+ struct dnsserver_zoneinfo *zoneinfo = NULL; -+ struct dnsp_DnsProperty *property = NULL; -+ -+ TALLOC_CTX *ctx = talloc_new(NULL); -+ -+ /* -+ * Setup the zone data -+ */ -+ zone = talloc_zero(ctx, struct dnsserver_zone); -+ assert_non_null(zone); -+ zone->name = "test"; -+ -+ /* -+ * Set up an empty ZONE_MASTER_SERVERS property -+ */ -+ property = talloc_zero_array(ctx, struct dnsp_DnsProperty, 1); -+ assert_non_null(property); -+ property->id = DSPROPERTY_ZONE_MASTER_SERVERS; -+ property->data.master_servers.addrCount = 4; -+ property->data.master_servers.addr = -+ talloc_zero_array(ctx, uint32_t, 4); -+ property->data.master_servers.addr[0] = 1000; -+ property->data.master_servers.addr[1] = 1001; -+ property->data.master_servers.addr[2] = 1002; -+ property->data.master_servers.addr[3] = 1003; -+ -+ zone->tmp_props = property; -+ zone->num_props = 1; -+ -+ -+ /* -+ * Setup the server info -+ */ -+ serverinfo = talloc_zero(ctx, struct dnsserver_serverinfo); -+ assert_non_null(serverinfo); -+ -+ /* -+ * call dnsserver_init_zoneinfo -+ */ -+ zoneinfo = dnsserver_init_zoneinfo(zone, serverinfo); -+ -+ /* -+ * Check results -+ */ -+ assert_non_null(zoneinfo); -+ assert_non_null(zoneinfo->aipLocalMasters); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrCount, 4); -+ assert_non_null(zoneinfo->aipLocalMasters->AddrArray); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[0], 1000); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[1], 1001); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[2], 1002); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[3], 1003); -+ -+ /* -+ * Ensure that we're working with a copy of the property data -+ * and not a reference. -+ * The pointers should be different, and we should be able to change -+ * the values in the property without affecting the zoneinfo data -+ */ -+ assert_true(zoneinfo->aipLocalMasters->AddrArray != -+ property->data.master_servers.addr); -+ property->data.master_servers.addr[0] = 0; -+ property->data.master_servers.addr[1] = 1; -+ property->data.master_servers.addr[2] = 2; -+ property->data.master_servers.addr[3] = 3; -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[0], 1000); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[1], 1001); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[2], 1002); -+ assert_int_equal(zoneinfo->aipLocalMasters->AddrArray[3], 1003); -+ -+ TALLOC_FREE(ctx); -+} -+ -+/* -+ * Test setting of an empty ZONE_SCAVENGING_SERVERS property -+ */ -+static void test_dnsserver_init_zoneinfo_scavenging_servers_empty(void **state) -+{ -+ struct dnsserver_zone *zone = NULL; -+ struct dnsserver_serverinfo *serverinfo = NULL; -+ struct dnsserver_zoneinfo *zoneinfo = NULL; -+ struct dnsp_DnsProperty *property = NULL; -+ -+ TALLOC_CTX *ctx = talloc_new(NULL); -+ -+ /* -+ * Setup the zone data -+ */ -+ zone = talloc_zero(ctx, struct dnsserver_zone); -+ assert_non_null(zone); -+ zone->name = "test"; -+ -+ property = talloc_zero_array(ctx, struct dnsp_DnsProperty, 1); -+ assert_non_null(property); -+ property->id = DSPROPERTY_ZONE_SCAVENGING_SERVERS; -+ property->data.servers.addrCount = 0; -+ property->data.servers.addr = NULL; -+ -+ zone->tmp_props = property; -+ zone->num_props = 1; -+ -+ -+ serverinfo = talloc_zero(ctx, struct dnsserver_serverinfo); -+ assert_non_null(serverinfo); -+ -+ zoneinfo = dnsserver_init_zoneinfo(zone, serverinfo); -+ -+ assert_non_null(zoneinfo); -+ assert_non_null(zoneinfo->aipScavengeServers); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrCount, 0); -+ assert_null(zoneinfo->aipScavengeServers->AddrArray); -+ -+ TALLOC_FREE(ctx); -+} -+ -+/* -+ * Test setting of a non empty ZONE_SCAVENGING_SERVERS property -+ */ -+static void test_dnsserver_init_zoneinfo_scavenging_servers(void **state) -+{ -+ struct dnsserver_zone *zone = NULL; -+ struct dnsserver_serverinfo *serverinfo = NULL; -+ struct dnsserver_zoneinfo *zoneinfo = NULL; -+ struct dnsp_DnsProperty *property = NULL; -+ -+ TALLOC_CTX *ctx = talloc_new(NULL); -+ -+ /* -+ * Setup the zone data -+ */ -+ zone = talloc_zero(ctx, struct dnsserver_zone); -+ assert_non_null(zone); -+ zone->name = "test"; -+ -+ property = talloc_zero_array(ctx, struct dnsp_DnsProperty, 1); -+ assert_non_null(property); -+ property->id = DSPROPERTY_ZONE_SCAVENGING_SERVERS; -+ property->data.servers.addrCount = 4; -+ property->data.servers.addr = talloc_zero_array(ctx, uint32_t, 4); -+ property->data.servers.addr[0] = 1000; -+ property->data.servers.addr[1] = 1001; -+ property->data.servers.addr[2] = 1002; -+ property->data.servers.addr[3] = 1003; -+ -+ zone->tmp_props = property; -+ zone->num_props = 1; -+ -+ -+ serverinfo = talloc_zero(ctx, struct dnsserver_serverinfo); -+ assert_non_null(serverinfo); -+ -+ zoneinfo = dnsserver_init_zoneinfo(zone, serverinfo); -+ -+ assert_non_null(zoneinfo); -+ assert_non_null(zoneinfo->aipScavengeServers); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrCount, 4); -+ assert_non_null(zoneinfo->aipScavengeServers->AddrArray); -+ assert_non_null(zoneinfo->aipScavengeServers->AddrArray); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[0], 1000); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[1], 1001); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[2], 1002); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[3], 1003); -+ -+ /* -+ * Ensure that we're working with a copy of the property data -+ * and not a reference. -+ * The pointers should be different, and we should be able to change -+ * the values in the property without affecting the zoneinfo data -+ */ -+ assert_true(zoneinfo->aipScavengeServers->AddrArray != -+ property->data.servers.addr); -+ property->data.servers.addr[0] = 0; -+ property->data.servers.addr[1] = 1; -+ property->data.servers.addr[2] = 2; -+ property->data.servers.addr[3] = 3; -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[0], 1000); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[1], 1001); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[2], 1002); -+ assert_int_equal(zoneinfo->aipScavengeServers->AddrArray[3], 1003); -+ -+ -+ TALLOC_FREE(ctx); -+} -+int main(int argc, const char **argv) -+{ -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test( -+ test_dnsserver_init_zoneinfo_master_servers_empty), -+ cmocka_unit_test( -+ test_dnsserver_init_zoneinfo_master_servers), -+ cmocka_unit_test( -+ test_dnsserver_init_zoneinfo_scavenging_servers_empty), -+ cmocka_unit_test( -+ test_dnsserver_init_zoneinfo_scavenging_servers), -+ }; -+ -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ return cmocka_run_group_tests(tests, NULL, NULL); -+} -diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build -index 8e05eb8a0c3..14b68c7ce0f 100644 ---- a/source4/rpc_server/wscript_build -+++ b/source4/rpc_server/wscript_build -@@ -3,7 +3,7 @@ - bld.SAMBA_SUBSYSTEM('DCERPC_SHARE', - source='common/share_info.c', - autoproto='common/share.h', -- deps='ldb', -+ deps='ldb share', - enabled=bld.CONFIG_SET('WITH_NTVFS_FILESERVER'), - ) - -@@ -163,7 +163,7 @@ bld.SAMBA_MODULE('dcerpc_dnsserver', - source='dnsserver/dcerpc_dnsserver.c dnsserver/dnsutils.c dnsserver/dnsdata.c dnsserver/dnsdb.c', - subsystem='dcerpc_server', - init_function='dcerpc_server_dnsserver_init', -- deps='DCERPC_COMMON dnsserver_common' -+ deps='DCERPC_COMMON dnsserver_common netif' - ) - - -@@ -176,3 +176,16 @@ bld.SAMBA_MODULE('service_dcerpc', - deps='dcerpc_server' - ) - -+if bld.CONFIG_GET('ENABLE_SELFTEST'): -+ bld.SAMBA_BINARY( -+ 'test_rpc_dns_server_dnsutils', -+ source='tests/rpc_dns_server_dnsutils_test.c', -+ deps=''' -+ dnsserver_common -+ DCERPC_COMMON -+ cmocka -+ talloc -+ ''', -+ install=False, -+ enabled=bld.AD_DC_BUILD_IS_ENABLED() -+ ) -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 9dec0adb05c..18b2c1162b0 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -1164,3 +1164,5 @@ plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_util", "none", - [os.path.join(bindir(), "test_audit_util")]) - plantestsuite("samba4.dsdb.samdb.ldb_modules.audit_log", "none", - [os.path.join(bindir(), "test_audit_log")]) -+plantestsuite("samba4.dcerpc.dnsserver.dnsutils", "none", -+ [os.path.join(bindir(), "test_rpc_dns_server_dnsutils")]) --- -2.17.1 - diff --git a/CVE-2018-16852-2.patch b/CVE-2018-16852-2.patch deleted file mode 100644 index a459a4b624710099c4c2250577c6ecc2a5b0fb7a..0000000000000000000000000000000000000000 --- a/CVE-2018-16852-2.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 05f867db81f118215445f2c49eda4b9c3451d14a Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 6 Nov 2018 12:16:30 +1300 -Subject: [PATCH 05/17] CVE-2018-16852 dcerpc dnsserver: Ensure properties are - handled correctly - -Fixes for -Bug 13669 - (CVE-2018-16852) NULL - pointer de-reference in Samba AD DC DNS management - -The presence of the ZONE_MASTER_SERVERS property or the -ZONE_SCAVENGING_SERVERS property in a zone record causes the server to -follow a null pointer and terminate. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/bug13669 | 4 -- - source4/rpc_server/dnsserver/dnsutils.c | 64 +++++++++++++++++++++---- - 2 files changed, 56 insertions(+), 12 deletions(-) - delete mode 100644 selftest/knownfail.d/bug13669 - -diff --git a/selftest/knownfail.d/bug13669 b/selftest/knownfail.d/bug13669 -deleted file mode 100644 -index 74c8c130674..00000000000 ---- a/selftest/knownfail.d/bug13669 -+++ /dev/null -@@ -1,4 +0,0 @@ --^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_master_servers_empty --^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_master_servers --^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_scavenging_servers_empty --^samba4.dcerpc.dnsserver.dnsutils.test_dnsserver_init_zoneinfo_scavenging_servers -diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c -index a1c749074af..e4055c99e74 100644 ---- a/source4/rpc_server/dnsserver/dnsutils.c -+++ b/source4/rpc_server/dnsserver/dnsutils.c -@@ -209,6 +209,46 @@ struct dnsserver_serverinfo *dnsserver_init_serverinfo(TALLOC_CTX *mem_ctx, - } - - -+/* -+ * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct. -+ * The new structure and it's data are allocated on the supplied talloc context -+ */ -+static struct IP4_ARRAY *copy_ip4_array( -+ TALLOC_CTX *ctx, -+ const char *name, -+ struct dnsp_ip4_array array) { -+ -+ struct IP4_ARRAY *ip4_array = NULL; -+ unsigned int i; -+ -+ ip4_array = talloc_zero(ctx, struct IP4_ARRAY); -+ if (ip4_array == NULL) { -+ DBG_ERR("Out of memory copying property [%s]\n", -+ name); -+ return NULL; -+ } -+ -+ ip4_array->AddrCount = array.addrCount; -+ if (ip4_array->AddrCount == 0) { -+ return ip4_array; -+ } -+ -+ ip4_array->AddrArray = talloc_array(ip4_array, uint32_t, -+ ip4_array->AddrCount); -+ if (ip4_array->AddrArray == NULL) { -+ TALLOC_FREE(ip4_array); -+ DBG_ERR("Out of memory copying property [%s] values\n", -+ name); -+ return NULL; -+ } -+ -+ for (i = 0; i < ip4_array->AddrCount; i++) { -+ ip4_array->AddrArray[i] = array.addr[i]; -+ } -+ -+ return ip4_array; -+} -+ - struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone, - struct dnsserver_serverinfo *serverinfo) - { -@@ -309,20 +349,28 @@ struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone, - prop->aging_enabled; - break; - case DSPROPERTY_ZONE_SCAVENGING_SERVERS: -- zoneinfo->aipScavengeServers->AddrCount = -- prop->servers.addrCount; -- zoneinfo->aipScavengeServers->AddrArray = -- prop->servers.addr; -+ zoneinfo->aipScavengeServers = -+ copy_ip4_array(zoneinfo, -+ "ZONE_SCAVENGING_SERVERS", -+ prop->servers); -+ if (zoneinfo->aipScavengeServers == NULL) { -+ TALLOC_FREE(zoneinfo); -+ return NULL; -+ } - break; - case DSPROPERTY_ZONE_AGING_ENABLED_TIME: - zoneinfo->dwAvailForScavengeTime = - prop->next_scavenging_cycle_hours; - break; - case DSPROPERTY_ZONE_MASTER_SERVERS: -- zoneinfo->aipLocalMasters->AddrCount = -- prop->master_servers.addrCount; -- zoneinfo->aipLocalMasters->AddrArray = -- prop->master_servers.addr; -+ zoneinfo->aipLocalMasters = -+ copy_ip4_array(zoneinfo, -+ "ZONE_MASTER_SERVERS", -+ prop->master_servers); -+ if (zoneinfo->aipLocalMasters == NULL) { -+ TALLOC_FREE(zoneinfo); -+ return NULL; -+ } - break; - case DSPROPERTY_ZONE_EMPTY: - case DSPROPERTY_ZONE_SECURE_TIME: --- -2.17.1 diff --git a/CVE-2018-16852-3.patch b/CVE-2018-16852-3.patch deleted file mode 100644 index b5c89afc4fc5ec07dd8a03f0198bb9678ec90f85..0000000000000000000000000000000000000000 --- a/CVE-2018-16852-3.patch +++ /dev/null @@ -1,328 +0,0 @@ -From c78ca8b9b48a19e71f4d6ddd2e300f282fb0b247 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Wed, 7 Nov 2018 15:08:04 +1300 -Subject: [PATCH 06/17] CVE-2018-16852 dcerpc dnsserver: refactor common - properties handling - -dnsserver_common.c and dnsutils.c both share similar code to process -zone properties. This patch extracts the common code and moves it to -dnsserver_common.c. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - source4/dns_server/dnsserver_common.c | 129 +++++++++++++++++------- - source4/dns_server/dnsserver_common.h | 3 + - source4/rpc_server/dnsserver/dnsutils.c | 107 ++------------------ - 3 files changed, 104 insertions(+), 135 deletions(-) - -diff --git a/source4/dns_server/dnsserver_common.c b/source4/dns_server/dnsserver_common.c -index bbbfe920f4e..cc24a6c1b52 100644 ---- a/source4/dns_server/dnsserver_common.c -+++ b/source4/dns_server/dnsserver_common.c -@@ -742,6 +742,94 @@ bool dns_name_is_static(struct dnsp_DnssrvRpcRecord *records, - return false; - } - -+/* -+ * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct. -+ * The new structure and it's data are allocated on the supplied talloc context -+ */ -+static struct IP4_ARRAY *copy_ip4_array(TALLOC_CTX *ctx, -+ const char *name, -+ struct dnsp_ip4_array array) -+{ -+ -+ struct IP4_ARRAY *ip4_array = NULL; -+ unsigned int i; -+ -+ ip4_array = talloc_zero(ctx, struct IP4_ARRAY); -+ if (ip4_array == NULL) { -+ DBG_ERR("Out of memory copying property [%s]\n", name); -+ return NULL; -+ } -+ -+ ip4_array->AddrCount = array.addrCount; -+ if (ip4_array->AddrCount == 0) { -+ return ip4_array; -+ } -+ -+ ip4_array->AddrArray = -+ talloc_array(ip4_array, uint32_t, ip4_array->AddrCount); -+ if (ip4_array->AddrArray == NULL) { -+ TALLOC_FREE(ip4_array); -+ DBG_ERR("Out of memory copying property [%s] values\n", name); -+ return NULL; -+ } -+ -+ for (i = 0; i < ip4_array->AddrCount; i++) { -+ ip4_array->AddrArray[i] = array.addr[i]; -+ } -+ -+ return ip4_array; -+} -+ -+bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, -+ struct dnsp_DnsProperty *prop) -+{ -+ switch (prop->id) { -+ case DSPROPERTY_ZONE_TYPE: -+ zoneinfo->dwZoneType = prop->data.zone_type; -+ break; -+ case DSPROPERTY_ZONE_ALLOW_UPDATE: -+ zoneinfo->fAllowUpdate = prop->data.allow_update_flag; -+ break; -+ case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: -+ zoneinfo->dwNoRefreshInterval = prop->data.norefresh_hours; -+ break; -+ case DSPROPERTY_ZONE_REFRESH_INTERVAL: -+ zoneinfo->dwRefreshInterval = prop->data.refresh_hours; -+ break; -+ case DSPROPERTY_ZONE_AGING_STATE: -+ zoneinfo->fAging = prop->data.aging_enabled; -+ break; -+ case DSPROPERTY_ZONE_SCAVENGING_SERVERS: -+ zoneinfo->aipScavengeServers = copy_ip4_array( -+ zoneinfo, "ZONE_SCAVENGING_SERVERS", prop->data.servers); -+ if (zoneinfo->aipScavengeServers == NULL) { -+ return false; -+ } -+ break; -+ case DSPROPERTY_ZONE_AGING_ENABLED_TIME: -+ zoneinfo->dwAvailForScavengeTime = -+ prop->data.next_scavenging_cycle_hours; -+ break; -+ case DSPROPERTY_ZONE_MASTER_SERVERS: -+ zoneinfo->aipLocalMasters = copy_ip4_array( -+ zoneinfo, "ZONE_MASTER_SERVERS", prop->data.master_servers); -+ if (zoneinfo->aipLocalMasters == NULL) { -+ return false; -+ } -+ break; -+ case DSPROPERTY_ZONE_EMPTY: -+ case DSPROPERTY_ZONE_SECURE_TIME: -+ case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: -+ case DSPROPERTY_ZONE_AUTO_NS_SERVERS: -+ case DSPROPERTY_ZONE_DCPROMO_CONVERT: -+ case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: -+ case DSPROPERTY_ZONE_MASTER_SERVERS_DA: -+ case DSPROPERTY_ZONE_NS_SERVERS_DA: -+ case DSPROPERTY_ZONE_NODE_DBFLAGS: -+ break; -+ } -+ return true; -+} - WERROR dns_get_zone_properties(struct ldb_context *samdb, - TALLOC_CTX *mem_ctx, - struct ldb_dn *zone_dn, -@@ -774,6 +862,7 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb, - } - - for (i = 0; i < element->num_values; i++) { -+ bool valid_property; - prop = talloc_zero(mem_ctx, struct dnsp_DnsProperty); - if (prop == NULL) { - return WERR_NOT_ENOUGH_MEMORY; -@@ -787,42 +876,10 @@ WERROR dns_get_zone_properties(struct ldb_context *samdb, - return DNS_ERR(SERVER_FAILURE); - } - -- switch (prop->id) { -- case DSPROPERTY_ZONE_AGING_STATE: -- zoneinfo->fAging = prop->data.aging_enabled; -- break; -- case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: -- zoneinfo->dwNoRefreshInterval = -- prop->data.norefresh_hours; -- break; -- case DSPROPERTY_ZONE_REFRESH_INTERVAL: -- zoneinfo->dwRefreshInterval = prop->data.refresh_hours; -- break; -- case DSPROPERTY_ZONE_ALLOW_UPDATE: -- zoneinfo->fAllowUpdate = prop->data.allow_update_flag; -- break; -- case DSPROPERTY_ZONE_AGING_ENABLED_TIME: -- zoneinfo->dwAvailForScavengeTime = -- prop->data.next_scavenging_cycle_hours; -- break; -- case DSPROPERTY_ZONE_SCAVENGING_SERVERS: -- zoneinfo->aipScavengeServers->AddrCount = -- prop->data.servers.addrCount; -- zoneinfo->aipScavengeServers->AddrArray = -- prop->data.servers.addr; -- break; -- case DSPROPERTY_ZONE_EMPTY: -- case DSPROPERTY_ZONE_TYPE: -- case DSPROPERTY_ZONE_SECURE_TIME: -- case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: -- case DSPROPERTY_ZONE_MASTER_SERVERS: -- case DSPROPERTY_ZONE_AUTO_NS_SERVERS: -- case DSPROPERTY_ZONE_DCPROMO_CONVERT: -- case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: -- case DSPROPERTY_ZONE_MASTER_SERVERS_DA: -- case DSPROPERTY_ZONE_NS_SERVERS_DA: -- case DSPROPERTY_ZONE_NODE_DBFLAGS: -- break; -+ valid_property = -+ dns_zoneinfo_load_zone_property(zoneinfo, prop); -+ if (!valid_property) { -+ return DNS_ERR(SERVER_FAILURE); - } - } - -diff --git a/source4/dns_server/dnsserver_common.h b/source4/dns_server/dnsserver_common.h -index 380f61b8dbc..60ecde4fa91 100644 ---- a/source4/dns_server/dnsserver_common.h -+++ b/source4/dns_server/dnsserver_common.h -@@ -87,4 +87,7 @@ NTSTATUS dns_common_zones(struct ldb_context *samdb, - TALLOC_CTX *mem_ctx, - struct ldb_dn *base_dn, - struct dns_server_zone **zones_ret); -+ -+bool dns_zoneinfo_load_zone_property(struct dnsserver_zoneinfo *zoneinfo, -+ struct dnsp_DnsProperty *prop); - #endif /* __DNSSERVER_COMMON_H__ */ -diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c -index e4055c99e74..bb52a1797a9 100644 ---- a/source4/rpc_server/dnsserver/dnsutils.c -+++ b/source4/rpc_server/dnsserver/dnsutils.c -@@ -25,6 +25,7 @@ - #include "dsdb/samdb/samdb.h" - #include "lib/socket/netif.h" - #include "lib/util/util_net.h" -+#include "dnsserver_common.h" - - static struct DNS_ADDR_ARRAY *fill_dns_addr_array(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, -@@ -208,47 +209,6 @@ struct dnsserver_serverinfo *dnsserver_init_serverinfo(TALLOC_CTX *mem_ctx, - return serverinfo; - } - -- --/* -- * Helper function to copy a dnsp_ip4_array struct to an IP4_ARRAY struct. -- * The new structure and it's data are allocated on the supplied talloc context -- */ --static struct IP4_ARRAY *copy_ip4_array( -- TALLOC_CTX *ctx, -- const char *name, -- struct dnsp_ip4_array array) { -- -- struct IP4_ARRAY *ip4_array = NULL; -- unsigned int i; -- -- ip4_array = talloc_zero(ctx, struct IP4_ARRAY); -- if (ip4_array == NULL) { -- DBG_ERR("Out of memory copying property [%s]\n", -- name); -- return NULL; -- } -- -- ip4_array->AddrCount = array.addrCount; -- if (ip4_array->AddrCount == 0) { -- return ip4_array; -- } -- -- ip4_array->AddrArray = talloc_array(ip4_array, uint32_t, -- ip4_array->AddrCount); -- if (ip4_array->AddrArray == NULL) { -- TALLOC_FREE(ip4_array); -- DBG_ERR("Out of memory copying property [%s] values\n", -- name); -- return NULL; -- } -- -- for (i = 0; i < ip4_array->AddrCount; i++) { -- ip4_array->AddrArray[i] = array.addr[i]; -- } -- -- return ip4_array; --} -- - struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone, - struct dnsserver_serverinfo *serverinfo) - { -@@ -257,8 +217,7 @@ struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone, - const char *revzone = "in-addr.arpa"; - const char *revzone6 = "ip6.arpa"; - int len1, len2; -- union dnsPropertyData *prop = NULL; -- int i=0; -+ unsigned int i = 0; - - zoneinfo = talloc_zero(zone, struct dnsserver_zoneinfo); - if (zoneinfo == NULL) { -@@ -326,62 +285,12 @@ struct dnsserver_zoneinfo *dnsserver_init_zoneinfo(struct dnsserver_zone *zone, - zoneinfo->dwLastXfrResult = 0; - - for(i=0; inum_props; i++){ -- prop=&(zone->tmp_props[i].data); -- switch (zone->tmp_props[i].id) { -- case DSPROPERTY_ZONE_TYPE: -- zoneinfo->dwZoneType = -- prop->zone_type; -- break; -- case DSPROPERTY_ZONE_ALLOW_UPDATE: -- zoneinfo->fAllowUpdate = -- prop->allow_update_flag; -- break; -- case DSPROPERTY_ZONE_NOREFRESH_INTERVAL: -- zoneinfo->dwNoRefreshInterval = -- prop->norefresh_hours; -- break; -- case DSPROPERTY_ZONE_REFRESH_INTERVAL: -- zoneinfo->dwRefreshInterval = -- prop->refresh_hours; -- break; -- case DSPROPERTY_ZONE_AGING_STATE: -- zoneinfo->fAging = -- prop->aging_enabled; -- break; -- case DSPROPERTY_ZONE_SCAVENGING_SERVERS: -- zoneinfo->aipScavengeServers = -- copy_ip4_array(zoneinfo, -- "ZONE_SCAVENGING_SERVERS", -- prop->servers); -- if (zoneinfo->aipScavengeServers == NULL) { -- TALLOC_FREE(zoneinfo); -- return NULL; -- } -- break; -- case DSPROPERTY_ZONE_AGING_ENABLED_TIME: -- zoneinfo->dwAvailForScavengeTime = -- prop->next_scavenging_cycle_hours; -- break; -- case DSPROPERTY_ZONE_MASTER_SERVERS: -- zoneinfo->aipLocalMasters = -- copy_ip4_array(zoneinfo, -- "ZONE_MASTER_SERVERS", -- prop->master_servers); -- if (zoneinfo->aipLocalMasters == NULL) { -- TALLOC_FREE(zoneinfo); -- return NULL; -- } -- break; -- case DSPROPERTY_ZONE_EMPTY: -- case DSPROPERTY_ZONE_SECURE_TIME: -- case DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME: -- case DSPROPERTY_ZONE_AUTO_NS_SERVERS: -- case DSPROPERTY_ZONE_DCPROMO_CONVERT: -- case DSPROPERTY_ZONE_SCAVENGING_SERVERS_DA: -- case DSPROPERTY_ZONE_MASTER_SERVERS_DA: -- case DSPROPERTY_ZONE_NS_SERVERS_DA: -- case DSPROPERTY_ZONE_NODE_DBFLAGS: -- break; -+ bool valid_property; -+ valid_property = dns_zoneinfo_load_zone_property( -+ zoneinfo, &zone->tmp_props[i]); -+ if (!valid_property) { -+ TALLOC_FREE(zoneinfo); -+ return NULL; - } - } - --- -2.17.1 - diff --git a/CVE-2018-16853-1.patch b/CVE-2018-16853-1.patch deleted file mode 100644 index b318fe1d6a8538b998693a6763e1483e96d31ab2..0000000000000000000000000000000000000000 --- a/CVE-2018-16853-1.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 403c007b2309fe7ff264240cd3d07eb8a94a63f9 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 18 Aug 2018 15:32:43 +0300 -Subject: [PATCH 1/5] CVE-2018-16853: Fix kinit test on system lacking - ldbsearch - -By fixing bindir variable name. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - testprogs/blackbox/test_kinit_mit.sh | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh -index dabf9915ed1..370542536e1 100755 ---- a/testprogs/blackbox/test_kinit_mit.sh -+++ b/testprogs/blackbox/test_kinit_mit.sh -@@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable" - machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache" - - ldbmodify="ldbmodify" --if [ -x "$samba4bindir/ldbmodify" ]; then -- ldbmodify="$samba4bindir/ldbmodify" -+if [ -x "$samba_bindir/ldbmodify" ]; then -+ ldbmodify="$samba_bindir/ldbmodify" - fi - - ldbsearch="ldbsearch" --if [ -x "$samba4bindir/ldbsearch" ]; then -- ldbsearch="$samba4bindir/ldbsearch" -+if [ -x "$samba_bindir/ldbsearch" ]; then -+ ldbsearch="$samba_bindir/ldbsearch" - fi - - . `dirname $0`/subunit.sh --- -2.19.1 - - -From fbae2d0135b4ab998e771db2a8052574d7e34ad9 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 18 Aug 2018 00:40:30 +0300 -Subject: [PATCH 2/5] CVE-2018-16853: The ticket in check_policy_as can - actually be a TGS - -This happens when we are called from S4U2Self flow, and in that case -kdcreq->client is NULL. Use the name from client entry instead. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index de5813bde2f..81ac73582e0 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, - char *netbios_name = NULL; - char *realm = NULL; - bool password_change = false; -+ krb5_const_principal client_princ; - DATA_BLOB int_data = { NULL, 0 }; - krb5_data d; - krb5_pa_data **e_data; -@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, - return KRB5_KDB_DBNOTINITED; - } - -- if (ks_is_kadmin(context, kdcreq->client)) { -+ /* Prefer canonicalised name from client entry */ -+ client_princ = client ? client->princ : kdcreq->client; -+ -+ if (client_princ == NULL || ks_is_kadmin(context, client_princ)) { - return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; - } - -@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, - goto done; - } - -- code = krb5_unparse_name(context, kdcreq->client, &client_name); -+ code = krb5_unparse_name(context, client_princ, &client_name); - if (code) { - goto done; - } --- -2.19.1 - - -From a49cb0d8b694d7cb579bf9b97208c7c1083be711 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 18 Aug 2018 16:01:59 +0300 -Subject: [PATCH 3/5] CVE-2018-16853: Add a test to verify s4u2self doesn't - crash - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - testprogs/blackbox/test_kinit_mit.sh | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh -index 370542536e1..f691b0f15d7 100755 ---- a/testprogs/blackbox/test_kinit_mit.sh -+++ b/testprogs/blackbox/test_kinit_mit.sh -@@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4" - samba_kinit=kinit - samba_kdestroy=kdestroy - samba_kpasswd=kpasswd -+samba_kvno=kvno - - samba_tool="$samba_bindir/samba-tool" - samba_texpect="$samba_bindir/texpect" -@@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || - - testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` - -+########################################################### -+### Test basic s4u2self request -+########################################################### -+ -+# Use previous acquired machine creds to request a ticket for self. -+# We expect it to fail for now. -+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM" -+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT -+# But we expect the KDC to be up and running still -+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1` -+ - ### Cleanup - - $samba_kdestroy --- -2.19.1 - - -From 3e5ed4ad4a7ee1a42d4db73da35932d0acabe959 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 28 Sep 2016 07:22:32 +0200 -Subject: [PATCH 4/5] CVE-2018-16853: Do not segfault if client is not set - -This can be triggered with FAST but we don't support this yet. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - source4/kdc/mit-kdb/kdb_samba_policies.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index 81ac73582e0..fc80329f221 100644 ---- a/source4/kdc/mit-kdb/kdb_samba_policies.c -+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -461,6 +461,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, - krb5_timestamp authtime, - krb5_error_code error_code) - { -+ /* -+ * FIXME: This segfaulted with a FAST test -+ * FIND_FAST: for , Unknown FAST armor type 0 -+ */ -+ if (client == NULL) { -+ return; -+ } -+ - samba_bad_password_count(client, error_code); - - /* TODO: perform proper audit logging for addresses */ -@@ -473,6 +481,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, - krb5_timestamp authtime, - krb5_error_code error_code) - { -+ /* -+ * FIXME: This segfaulted with a FAST test -+ * FIND_FAST: for , Unknown FAST armor type 0 -+ */ -+ if (client == NULL) { -+ return; -+ } -+ - samba_bad_password_count(client, error_code); - } - #endif --- -2.19.1 - - -From d67c462cd36ee525eb9122bd5d525d10eac7d06a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 7 Nov 2018 22:53:35 +0200 -Subject: [PATCH 5/5] CVE-2018-16853: fix crash in expired passowrd case - -When calling encode_krb5_padata_sequence() make sure to -pass a null terminated array as required. - -Fixes expired passowrd case in samba4.blackbox.kinit test. - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher ---- - source4/kdc/mit_samba.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 414e67c6a98..eacca0903ec 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -865,7 +865,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data - static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) - { - krb5_error_code ret = 0; -- krb5_pa_data pa, *ppa = NULL; -+ krb5_pa_data pa, *ppa[2]; - krb5_data *d = NULL; - - if (!e_data) -@@ -886,9 +886,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) - SIVAL(pa.contents, 4, 0); - SIVAL(pa.contents, 8, 1); - -- ppa = &pa; -+ ppa[0] = &pa; -+ ppa[1] = NULL; - -- ret = encode_krb5_padata_sequence(&ppa, &d); -+ ret = encode_krb5_padata_sequence(ppa, &d); - free(pa.contents); - if (ret) { - return; --- -2.19.1 - diff --git a/CVE-2018-16853-2.patch b/CVE-2018-16853-2.patch deleted file mode 100644 index cbe405b05bc81bc85f4ca0e10799219505e6cdb7..0000000000000000000000000000000000000000 --- a/CVE-2018-16853-2.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 4aabfecd290cd2769376abf7f170e832becc4112 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 6 Nov 2018 13:32:05 +1300 -Subject: [PATCH 08/17] CVE-2018-16853 build: The Samba AD DC, when build with - MIT Kerberos is experimental - -This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer ---- - wscript | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/wscript b/wscript -index 19fc6d12118..7c265e7befb 100644 ---- a/wscript -+++ b/wscript -@@ -56,6 +56,14 @@ def set_options(opt): - help='build Samba with system MIT Kerberos. ' + - 'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config', - action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False) -+ -+ opt.add_option('--with-experimental-mit-ad-dc', -+ help='Enable the experimental MIT Kerberos-backed AD DC. ' + -+ 'Note that security patches are not issued for this configuration', -+ action='store_true', -+ dest='with_experimental_mit_ad_dc', -+ default=False) -+ - opt.add_option('--with-system-mitkdc', - help=('Specify the path to the krb5kdc binary from MIT Kerberos'), - type="string", -@@ -210,7 +218,16 @@ def configure(conf): - conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) - - if Options.options.with_system_mitkrb5: -+ if not Options.options.with_experimental_mit_ad_dc and \ -+ not Options.options.without_ad_dc: -+ raise Utils.WafError('The MIT Kerberos build of Samba as an AD DC ' + -+ 'is experimental. Therefore ' -+ '--with-system-mitkrb5 requires either ' + -+ '--with-experimental-mit-ad-dc or ' + -+ '--without-ad-dc') -+ - conf.PROCESS_SEPARATE_RULE('system_mitkrb5') -+ - if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5): - conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) - --- -2.17.1 diff --git a/CVE-2018-16857-1.patch b/CVE-2018-16857-1.patch deleted file mode 100644 index 8b2ad3afb9b64345caa19ea7d389cfcd12438eb3..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-1.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 862d4909eccd18942e3de8e8b0dc6e1594ec27f1 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Sun, 2 Sep 2018 17:34:03 +1200 -Subject: [PATCH 09/17] CVE-2018-16857 selftest: Prepare to allow override of - lockout duration in password_lockout tests - -This will make it easier to avoid flapping tests. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer -(cherry picked from commit a740a6131c967f9640b19a6964fd5d6f85ce853a) - -Backported as a dependency for: -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 ---- - source4/dsdb/tests/python/password_lockout.py | 9 ++++----- - source4/dsdb/tests/python/password_lockout_base.py | 11 +++++++++-- - 2 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py -index ec6cf13fe66..e817e656a2a 100755 ---- a/source4/dsdb/tests/python/password_lockout.py -+++ b/source4/dsdb/tests/python/password_lockout.py -@@ -616,15 +616,14 @@ userPassword: thatsAcomplPASS2XYZ - initial_lastlogon_relation='greater') - - def use_pso_lockout_settings(self, creds): -+ - # create a PSO with the lockout settings the test cases normally expect -+ # -+ # Some test cases sleep() for self.account_lockout_duration - pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3, -- lockout_duration=3) -+ lockout_duration=self.account_lockout_duration) - self.addCleanup(self.ldb.delete, pso.dn) - -- # the test cases should sleep() for the PSO's lockoutDuration/obsvWindow -- self.account_lockout_duration = 3 -- self.lockout_observation_window = 3 -- - userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn) - pso.apply_to(userdn) - -diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py -index 4a320684702..9d82e088bb8 100644 ---- a/source4/dsdb/tests/python/password_lockout_base.py -+++ b/source4/dsdb/tests/python/password_lockout_base.py -@@ -323,8 +323,15 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - """) - - self.base_dn = self.ldb.domain_dn() -- self.account_lockout_duration = 3 -- self.lockout_observation_window = 3 -+ -+ # -+ # Some test cases sleep() for self.account_lockout_duration -+ # so allow it to be controlled via the subclass -+ # -+ if not hasattr(self, 'account_lockout_duration'): -+ self.account_lockout_duration = 3 -+ if not hasattr(self, 'lockout_observation_window'): -+ self.lockout_observation_window = 3 - self.update_lockout_settings(threshold=3, - duration=self.account_lockout_duration, - observation_window=self.lockout_observation_window) --- -2.17.1 - diff --git a/CVE-2018-16857-2.patch b/CVE-2018-16857-2.patch deleted file mode 100644 index 856562b0f56bf5371a0a876c45f51b0c67217fb4..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-2.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 31198d39a76474d55c3d391e04d76758ee115d8e Mon Sep 17 00:00:00 2001 -From: Joe Guo -Date: Mon, 30 Jul 2018 18:21:29 +1200 -Subject: [PATCH 10/17] CVE-2018-16857 PEP8: fix E305: expected 2 blank lines - after class or function definition, found 1 - -Signed-off-by: Joe Guo -Reviewed-by: Andrew Bartlett -Reviewed-by: Douglas Bagnall - -Partial backport of commit 115f2a71b88 (only password_lockout.py -change) as a dependency for: -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 ---- - source4/dsdb/tests/python/password_lockout.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py -index e817e656a2a..d8710866f39 100755 ---- a/source4/dsdb/tests/python/password_lockout.py -+++ b/source4/dsdb/tests/python/password_lockout.py -@@ -1400,6 +1400,7 @@ userPassword: """ + userpass + """ - self._test_samr_password_change(self.lockout1ntlm_creds, - other_creds=self.lockout2ntlm_creds) - -+ - host_url = "ldap://%s" % host - - TestProgram(module=__name__, opts=subunitopts) --- -2.17.1 diff --git a/CVE-2018-16857-3.patch b/CVE-2018-16857-3.patch deleted file mode 100644 index 8f95ee93a6d4e597a2399b2b07405000f414fda2..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-3.patch +++ /dev/null @@ -1,366 +0,0 @@ -From 4d0fd1a421ad4a3ca19ed954ee91fcc36413b017 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Sun, 2 Sep 2018 18:03:06 +1200 -Subject: [PATCH 11/17] CVE-2018-16857 selftest: Split up password_lockout into - tests with and without a call to sleep() - -This means we can have a long observation window for many of the tests and -so make them much more reliable. Many of these cause frustrating flapping -failures in our CI systems. - -Signed-off-by: Andrew Bartlett -Reviewed-by: Gary Lockyer - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Mon Sep 3 06:14:55 CEST 2018 on sn-devel-144 - -(cherry picked from commit 74357bf347348d3a8b7483c58e5250e98f7e8810) -Backported as a dependency for: -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 ---- - source4/dsdb/tests/python/password_lockout.py | 299 +++++++++--------- - 1 file changed, 157 insertions(+), 142 deletions(-) - -diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py -index d8710866f39..0022dee21ba 100755 ---- a/source4/dsdb/tests/python/password_lockout.py -+++ b/source4/dsdb/tests/python/password_lockout.py -@@ -88,6 +88,42 @@ class PasswordTests(password_lockout_base.BasePasswordTestCase): - self.lockout2ntlm_ldb = self._readd_user(self.lockout2ntlm_creds, - lockOutObservationWindow=self.lockout_observation_window) - -+ -+ def use_pso_lockout_settings(self, creds): -+ -+ # create a PSO with the lockout settings the test cases normally expect -+ # -+ # Some test cases sleep() for self.account_lockout_duration -+ pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3, -+ lockout_duration=self.account_lockout_duration) -+ self.addCleanup(self.ldb.delete, pso.dn) -+ -+ userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn) -+ pso.apply_to(userdn) -+ -+ # update the global lockout settings to be wildly different to what -+ # the test cases normally expect -+ self.update_lockout_settings(threshold=10, duration=600, -+ observation_window=600) -+ -+ def _reset_samr(self, res): -+ -+ # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute) -+ samr_user = self._open_samr_user(res) -+ acb_info = self.samr.QueryUserInfo(samr_user, 16) -+ acb_info.acct_flags &= ~samr.ACB_AUTOLOCK -+ self.samr.SetUserInfo(samr_user, 16, acb_info) -+ self.samr.Close(samr_user) -+ -+ -+class PasswordTestsWithoutSleep(PasswordTests): -+ def setUp(self): -+ # The tests in this class do not sleep, so we can have a -+ # longer window and not flap on slower hosts -+ self.account_lockout_duration = 30 -+ self.lockout_observation_window = 30 -+ super(PasswordTestsWithoutSleep, self).setUp() -+ - def _reset_ldap_lockoutTime(self, res): - self.ldb.modify_ldif(""" - dn: """ + str(res[0].dn) + """ -@@ -615,22 +651,130 @@ userPassword: thatsAcomplPASS2XYZ - "samr", - initial_lastlogon_relation='greater') - -- def use_pso_lockout_settings(self, creds): -+ def test_multiple_logon_krb5(self): -+ self._test_multiple_logon(self.lockout1krb5_creds) - -- # create a PSO with the lockout settings the test cases normally expect -- # -- # Some test cases sleep() for self.account_lockout_duration -- pso = PasswordSettings("lockout-PSO", self.ldb, lockout_attempts=3, -- lockout_duration=self.account_lockout_duration) -- self.addCleanup(self.ldb.delete, pso.dn) -+ def test_multiple_logon_ntlm(self): -+ self._test_multiple_logon(self.lockout1ntlm_creds) - -- userdn = "cn=%s,cn=users,%s" % (creds.get_username(), self.base_dn) -- pso.apply_to(userdn) -+ def _test_samr_password_change(self, creds, other_creds, lockout_threshold=3): -+ """Tests user lockout by using bad password in SAMR password_change""" - -- # update the global lockout settings to be wildly different to what -- # the test cases normally expect -- self.update_lockout_settings(threshold=10, duration=600, -- observation_window=600) -+ # create a connection for SAMR using another user's credentials -+ lp = self.get_loadparm() -+ net = Net(other_creds, lp, server=self.host) -+ -+ # work out the initial account values for this user -+ username = creds.get_username() -+ userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) -+ res = self._check_account(userdn, -+ badPwdCount=0, -+ badPasswordTime=("greater", 0), -+ badPwdCountOnly=True) -+ badPasswordTime = int(res[0]["badPasswordTime"][0]) -+ logonCount = int(res[0]["logonCount"][0]) -+ lastLogon = int(res[0]["lastLogon"][0]) -+ lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0]) -+ -+ # prove we can change the user password (using the correct password) -+ new_password = "thatsAcomplPASS2" -+ net.change_password(newpassword=new_password.encode('utf-8'), -+ username=username, -+ oldpassword=creds.get_password()) -+ creds.set_password(new_password) -+ -+ # try entering 'x' many bad passwords in a row to lock the user out -+ new_password = "thatsAcomplPASS3" -+ for i in range(lockout_threshold): -+ badPwdCount = i + 1 -+ try: -+ print("Trying bad password, attempt #%u" % badPwdCount) -+ net.change_password(newpassword=new_password.encode('utf-8'), -+ username=creds.get_username(), -+ oldpassword="bad-password") -+ self.fail("Invalid SAMR change_password accepted") -+ except NTSTATUSError as e: -+ enum = ctypes.c_uint32(e[0]).value -+ self.assertEquals(enum, ntstatus.NT_STATUS_WRONG_PASSWORD) -+ -+ # check the status of the account is updated after each bad attempt -+ account_flags = 0 -+ lockoutTime = None -+ if badPwdCount >= lockout_threshold: -+ account_flags = dsdb.UF_LOCKOUT -+ lockoutTime = ("greater", badPasswordTime) -+ -+ res = self._check_account(userdn, -+ badPwdCount=badPwdCount, -+ badPasswordTime=("greater", badPasswordTime), -+ logonCount=logonCount, -+ lastLogon=lastLogon, -+ lastLogonTimestamp=lastLogonTimestamp, -+ lockoutTime=lockoutTime, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -+ msDSUserAccountControlComputed=account_flags) -+ badPasswordTime = int(res[0]["badPasswordTime"][0]) -+ -+ # the user is now locked out -+ lockoutTime = int(res[0]["lockoutTime"][0]) -+ -+ # check the user remains locked out regardless of whether they use a -+ # good or a bad password now -+ for password in (creds.get_password(), "bad-password"): -+ try: -+ print("Trying password %s" % password) -+ net.change_password(newpassword=new_password.encode('utf-8'), -+ username=creds.get_username(), -+ oldpassword=password) -+ self.fail("Invalid SAMR change_password accepted") -+ except NTSTATUSError as e: -+ enum = ctypes.c_uint32(e[0]).value -+ self.assertEquals(enum, ntstatus.NT_STATUS_ACCOUNT_LOCKED_OUT) -+ -+ res = self._check_account(userdn, -+ badPwdCount=lockout_threshold, -+ badPasswordTime=badPasswordTime, -+ logonCount=logonCount, -+ lastLogon=lastLogon, -+ lastLogonTimestamp=lastLogonTimestamp, -+ lockoutTime=lockoutTime, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -+ msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) -+ -+ # reset the user account lockout -+ self._reset_samr(res) -+ -+ # check bad password counts are reset -+ res = self._check_account(userdn, -+ badPwdCount=0, -+ badPasswordTime=badPasswordTime, -+ logonCount=logonCount, -+ lockoutTime=0, -+ lastLogon=lastLogon, -+ lastLogonTimestamp=lastLogonTimestamp, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -+ msDSUserAccountControlComputed=0) -+ -+ # check we can change the user password successfully now -+ net.change_password(newpassword=new_password.encode('utf-8'), -+ username=username, -+ oldpassword=creds.get_password()) -+ creds.set_password(new_password) -+ -+ def test_samr_change_password(self): -+ self._test_samr_password_change(self.lockout1ntlm_creds, -+ other_creds=self.lockout2ntlm_creds) -+ -+ # same as above, but use a PSO to enforce the lockout -+ def test_pso_samr_change_password(self): -+ self.use_pso_lockout_settings(self.lockout1ntlm_creds) -+ self._test_samr_password_change(self.lockout1ntlm_creds, -+ other_creds=self.lockout2ntlm_creds) -+ -+ -+class PasswordTestsWithSleep(PasswordTests): -+ def setUp(self): -+ super(PasswordTestsWithSleep, self).setUp() - - def _test_unicodePwd_lockout_with_clear_change(self, creds, other_ldb, - initial_logoncount_relation=None): -@@ -1065,12 +1209,6 @@ unicodePwd:: """ + base64.b64encode(new_utf16).decode('utf8') + """ - self.use_pso_lockout_settings(self.lockout1ntlm_creds) - self._test_login_lockout(self.lockout1ntlm_creds) - -- def test_multiple_logon_krb5(self): -- self._test_multiple_logon(self.lockout1krb5_creds) -- -- def test_multiple_logon_ntlm(self): -- self._test_multiple_logon(self.lockout1ntlm_creds) -- - def _testing_add_user(self, creds, lockOutObservationWindow=0): - username = creds.get_username() - userpass = creds.get_password() -@@ -1251,15 +1389,6 @@ userPassword: """ + userpass + """ - msDSUserAccountControlComputed=0) - return ldb - -- def _reset_samr(self, res): -- -- # Now reset the lockout, by removing ACB_AUTOLOCK (which removes the lock, despite being a generated attribute) -- samr_user = self._open_samr_user(res) -- acb_info = self.samr.QueryUserInfo(samr_user, 16) -- acb_info.acct_flags &= ~samr.ACB_AUTOLOCK -- self.samr.SetUserInfo(samr_user, 16, acb_info) -- self.samr.Close(samr_user) -- - def test_lockout_observation_window(self): - lockout3krb5_creds = self.insta_creds(self.template_creds, - username="lockout3krb5", -@@ -1286,120 +1415,6 @@ userPassword: """ + userpass + """ - self._testing_add_user(lockout4ntlm_creds, - lockOutObservationWindow=self.lockout_observation_window) - -- def _test_samr_password_change(self, creds, other_creds, lockout_threshold=3): -- """Tests user lockout by using bad password in SAMR password_change""" -- -- # create a connection for SAMR using another user's credentials -- lp = self.get_loadparm() -- net = Net(other_creds, lp, server=self.host) -- -- # work out the initial account values for this user -- username = creds.get_username() -- userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) -- res = self._check_account(userdn, -- badPwdCount=0, -- badPasswordTime=("greater", 0), -- badPwdCountOnly=True) -- badPasswordTime = int(res[0]["badPasswordTime"][0]) -- logonCount = int(res[0]["logonCount"][0]) -- lastLogon = int(res[0]["lastLogon"][0]) -- lastLogonTimestamp = int(res[0]["lastLogonTimestamp"][0]) -- -- # prove we can change the user password (using the correct password) -- new_password = "thatsAcomplPASS2" -- net.change_password(newpassword=new_password.encode('utf-8'), -- username=username, -- oldpassword=creds.get_password()) -- creds.set_password(new_password) -- -- # try entering 'x' many bad passwords in a row to lock the user out -- new_password = "thatsAcomplPASS3" -- for i in range(lockout_threshold): -- badPwdCount = i + 1 -- try: -- print("Trying bad password, attempt #%u" % badPwdCount) -- net.change_password(newpassword=new_password.encode('utf-8'), -- username=creds.get_username(), -- oldpassword="bad-password") -- self.fail("Invalid SAMR change_password accepted") -- except NTSTATUSError as e: -- enum = ctypes.c_uint32(e[0]).value -- self.assertEquals(enum, ntstatus.NT_STATUS_WRONG_PASSWORD) -- -- # check the status of the account is updated after each bad attempt -- account_flags = 0 -- lockoutTime = None -- if badPwdCount >= lockout_threshold: -- account_flags = dsdb.UF_LOCKOUT -- lockoutTime = ("greater", badPasswordTime) -- -- res = self._check_account(userdn, -- badPwdCount=badPwdCount, -- badPasswordTime=("greater", badPasswordTime), -- logonCount=logonCount, -- lastLogon=lastLogon, -- lastLogonTimestamp=lastLogonTimestamp, -- lockoutTime=lockoutTime, -- userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -- msDSUserAccountControlComputed=account_flags) -- badPasswordTime = int(res[0]["badPasswordTime"][0]) -- -- # the user is now locked out -- lockoutTime = int(res[0]["lockoutTime"][0]) -- -- # check the user remains locked out regardless of whether they use a -- # good or a bad password now -- for password in (creds.get_password(), "bad-password"): -- try: -- print("Trying password %s" % password) -- net.change_password(newpassword=new_password.encode('utf-8'), -- username=creds.get_username(), -- oldpassword=password) -- self.fail("Invalid SAMR change_password accepted") -- except NTSTATUSError as e: -- enum = ctypes.c_uint32(e[0]).value -- self.assertEquals(enum, ntstatus.NT_STATUS_ACCOUNT_LOCKED_OUT) -- -- res = self._check_account(userdn, -- badPwdCount=lockout_threshold, -- badPasswordTime=badPasswordTime, -- logonCount=logonCount, -- lastLogon=lastLogon, -- lastLogonTimestamp=lastLogonTimestamp, -- lockoutTime=lockoutTime, -- userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -- msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) -- -- # reset the user account lockout -- self._reset_samr(res) -- -- # check bad password counts are reset -- res = self._check_account(userdn, -- badPwdCount=0, -- badPasswordTime=badPasswordTime, -- logonCount=logonCount, -- lockoutTime=0, -- lastLogon=lastLogon, -- lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl=dsdb.UF_NORMAL_ACCOUNT, -- msDSUserAccountControlComputed=0) -- -- # check we can change the user password successfully now -- net.change_password(newpassword=new_password.encode('utf-8'), -- username=username, -- oldpassword=creds.get_password()) -- creds.set_password(new_password) -- -- def test_samr_change_password(self): -- self._test_samr_password_change(self.lockout1ntlm_creds, -- other_creds=self.lockout2ntlm_creds) -- -- # same as above, but use a PSO to enforce the lockout -- def test_pso_samr_change_password(self): -- self.use_pso_lockout_settings(self.lockout1ntlm_creds) -- self._test_samr_password_change(self.lockout1ntlm_creds, -- other_creds=self.lockout2ntlm_creds) -- - - host_url = "ldap://%s" % host - --- -2.17.1 diff --git a/CVE-2018-16857-4.patch b/CVE-2018-16857-4.patch deleted file mode 100644 index 83f3b62c0018423615ba40d6eb8c380d19de0ca9..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-4.patch +++ /dev/null @@ -1,183 +0,0 @@ -From fe8e05a9ea8185325ff87ac73ef0106a85cd662a Mon Sep 17 00:00:00 2001 -From: Joe Guo -Date: Mon, 30 Jul 2018 18:15:34 +1200 -Subject: [PATCH 12/17] CVE-2018-16857 PEP8: fix E127: continuation line - over-indented for visual indent - -Signed-off-by: Joe Guo -Reviewed-by: Andrew Bartlett -Reviewed-by: Douglas Bagnall - -Partial backport of commit bbb9f57603d (only password_lockout_base.py -change) as a dependency for: -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 ---- - .../tests/python/password_lockout_base.py | 36 +++++++++---------- - 1 file changed, 18 insertions(+), 18 deletions(-) - -diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py -index 9d82e088bb8..1b408c75166 100644 ---- a/source4/dsdb/tests/python/password_lockout_base.py -+++ b/source4/dsdb/tests/python/password_lockout_base.py -@@ -390,7 +390,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=("greater", 0), - lastLogonTimestamp=("greater", 0), - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - logonCount = int(res[0]["logonCount"][0]) -@@ -421,7 +421,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg='lastlogontimestamp with wrong password') - badPasswordTime = int(res[0]["badPasswordTime"][0]) -@@ -440,7 +440,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=('greater', lastLogon), - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg='LLTimestamp is updated to lastlogon') - -@@ -461,7 +461,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -483,7 +483,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -508,7 +508,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=("greater", badPasswordTime), - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - lockoutTime = int(res[0]["lockoutTime"][0]) -@@ -530,7 +530,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # The wrong password -@@ -550,7 +550,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # The correct password, but we are locked out -@@ -570,7 +570,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # wait for the lockout to end -@@ -585,7 +585,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - # The correct password after letting the timeout expire -@@ -605,7 +605,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=0, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg="lastLogon is way off") - -@@ -629,7 +629,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -650,7 +650,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -664,7 +664,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - # The wrong password -@@ -684,7 +684,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -700,7 +700,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=("greater", lastLogon), - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - def _test_multiple_logon(self, creds): -@@ -734,7 +734,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=("greater", 0), - lastLogonTimestamp=("greater", 0), - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - logonCount = int(res[0]["logonCount"][0]) -@@ -774,5 +774,5 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=(lastlogon_relation, lastLogon), - lastLogonTimestamp=lastLogonTimestamp, - userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) --- -2.17.1 diff --git a/CVE-2018-16857-5.patch b/CVE-2018-16857-5.patch deleted file mode 100644 index bcdd6bd8cc530b51f6915552075f95ee62b75272..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-5.patch +++ /dev/null @@ -1,221 +0,0 @@ -From 9cb6b4e9131afac71a39a2f6a3c142723cb6ca19 Mon Sep 17 00:00:00 2001 -From: Joe Guo -Date: Mon, 30 Jul 2018 18:19:21 +1200 -Subject: [PATCH 13/17] CVE-2018-16857 PEP8: fix E251: unexpected spaces around - keyword / parameter equals - -Signed-off-by: Joe Guo -Reviewed-by: Andrew Bartlett -Reviewed-by: Douglas Bagnall - -Partial backport of commit 1ccc36b4010cd63 (only password_lockout_base.py -change) as a dependency for: -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 ---- - .../tests/python/password_lockout_base.py | 60 +++++++------------ - 1 file changed, 20 insertions(+), 40 deletions(-) - -diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py -index 1b408c75166..48a74018624 100644 ---- a/source4/dsdb/tests/python/password_lockout_base.py -+++ b/source4/dsdb/tests/python/password_lockout_base.py -@@ -93,8 +93,7 @@ class BasePasswordTestCase(PasswordTestCase): - logonCount=0, - lastLogon=0, - lastLogonTimestamp=("absent", None), -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - def _check_account(self, dn, -@@ -389,8 +388,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=(logoncount_relation, 0), - lastLogon=("greater", 0), - lastLogonTimestamp=("greater", 0), -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - logonCount = int(res[0]["logonCount"][0]) -@@ -420,8 +418,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=logonCount, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg='lastlogontimestamp with wrong password') - badPasswordTime = int(res[0]["badPasswordTime"][0]) -@@ -439,8 +436,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=(logoncount_relation, logonCount), - lastLogon=('greater', lastLogon), - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg='LLTimestamp is updated to lastlogon') - -@@ -460,8 +456,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=logonCount, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -482,8 +477,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=logonCount, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -507,8 +501,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=("greater", badPasswordTime), -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - lockoutTime = int(res[0]["lockoutTime"][0]) -@@ -529,8 +522,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # The wrong password -@@ -549,8 +541,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # The correct password, but we are locked out -@@ -569,8 +560,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=lockoutTime, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - - # wait for the lockout to end -@@ -584,8 +574,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=lockoutTime, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - # The correct password after letting the timeout expire -@@ -604,8 +593,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lastLogon=(lastlogon_relation, lastLogon), - lastLogonTimestamp=lastLogonTimestamp, - lockoutTime=0, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg="lastLogon is way off") - -@@ -628,8 +616,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=0, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -649,8 +636,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=0, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -663,8 +649,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=0, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - # The wrong password -@@ -683,8 +668,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=0, - lastLogon=lastLogon, - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - -@@ -699,8 +683,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - lockoutTime=0, - lastLogon=("greater", lastLogon), - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - - def _test_multiple_logon(self, creds): -@@ -733,8 +716,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=(logoncount_relation, 0), - lastLogon=("greater", 0), - lastLogonTimestamp=("greater", 0), -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) - badPasswordTime = int(res[0]["badPasswordTime"][0]) - logonCount = int(res[0]["logonCount"][0]) -@@ -754,8 +736,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=(logoncount_relation, logonCount), - lastLogon=(lastlogon_relation, lastLogon), - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0, - msg=("second logon, firstlogon was %s" % - firstLogon)) -@@ -773,6 +754,5 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - logonCount=(logoncount_relation, logonCount), - lastLogon=(lastlogon_relation, lastLogon), - lastLogonTimestamp=lastLogonTimestamp, -- userAccountControl= -- dsdb.UF_NORMAL_ACCOUNT, -+ userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=0) --- -2.17.1 diff --git a/CVE-2018-16857-6.patch b/CVE-2018-16857-6.patch deleted file mode 100644 index e74f4a265ac2f42053a8e1e590b985ba13d97cf1..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-6.patch +++ /dev/null @@ -1,104 +0,0 @@ -From ec9cc4ed5a05490297cde3fcaac50eeeaaca8469 Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Tue, 13 Nov 2018 11:49:56 +1300 -Subject: [PATCH 14/17] CVE-2018-16857 tests: Sanity-check password lockout - works with default values - -Sanity-check that when we use the default lockOutObservationWindow that -user lockout actually works. - -The easiest way to do this is to reuse the _test_login_lockout() -test-case, but stop at the point where we wait for the lockout duration -to expire (because we don't want the test to wait 30 mins). - -This highlights a problem currently where the default values don't work. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/password_lockout | 4 +++ - source4/dsdb/tests/python/password_lockout.py | 30 +++++++++++++++++++ - .../tests/python/password_lockout_base.py | 6 +++- - 3 files changed, 39 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/password_lockout - -diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout -new file mode 100644 -index 00000000000..305bcbdef25 ---- /dev/null -+++ b/selftest/knownfail.d/password_lockout -@@ -0,0 +1,4 @@ -+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\) -+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\) -+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\) -+samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\) -diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py -index 0022dee21ba..b09a732e179 100755 ---- a/source4/dsdb/tests/python/password_lockout.py -+++ b/source4/dsdb/tests/python/password_lockout.py -@@ -1415,6 +1415,36 @@ userPassword: """ + userpass + """ - self._testing_add_user(lockout4ntlm_creds, - lockOutObservationWindow=self.lockout_observation_window) - -+class PasswordTestsWithDefaults(PasswordTests): -+ def setUp(self): -+ # The tests in this class do not sleep, so we can use the default -+ # timeout windows here -+ self.account_lockout_duration = 30 * 60 -+ self.lockout_observation_window = 30 * 60 -+ super(PasswordTestsWithDefaults, self).setUp() -+ -+ # sanity-check that user lockout works with the default settings (we just -+ # check the user is locked out - we don't wait for the lockout to expire) -+ def test_login_lockout_krb5(self): -+ self._test_login_lockout(self.lockout1krb5_creds, -+ wait_lockout_duration=False) -+ -+ def test_login_lockout_ntlm(self): -+ self._test_login_lockout(self.lockout1ntlm_creds, -+ wait_lockout_duration=False) -+ -+ # Repeat the login lockout tests using PSOs -+ def test_pso_login_lockout_krb5(self): -+ """Check the PSO lockout settings get applied to the user correctly""" -+ self.use_pso_lockout_settings(self.lockout1krb5_creds) -+ self._test_login_lockout(self.lockout1krb5_creds, -+ wait_lockout_duration=False) -+ -+ def test_pso_login_lockout_ntlm(self): -+ """Check the PSO lockout settings get applied to the user correctly""" -+ self.use_pso_lockout_settings(self.lockout1ntlm_creds) -+ self._test_login_lockout(self.lockout1ntlm_creds, -+ wait_lockout_duration=False) - - host_url = "ldap://%s" % host - -diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py -index 48a74018624..e8ac46dcd97 100644 ---- a/source4/dsdb/tests/python/password_lockout_base.py -+++ b/source4/dsdb/tests/python/password_lockout_base.py -@@ -365,7 +365,7 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - def tearDown(self): - super(BasePasswordTestCase, self).tearDown() - -- def _test_login_lockout(self, creds): -+ def _test_login_lockout(self, creds, wait_lockout_duration=True): - username = creds.get_username() - userpass = creds.get_password() - userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) -@@ -563,6 +563,10 @@ lockoutThreshold: """ + str(lockoutThreshold) + """ - userAccountControl=dsdb.UF_NORMAL_ACCOUNT, - msDSUserAccountControlComputed=dsdb.UF_LOCKOUT) - -+ # if we're just checking the user gets locked out, we can stop here -+ if not wait_lockout_duration: -+ return -+ - # wait for the lockout to end - time.sleep(self.account_lockout_duration + 1) - print(self.account_lockout_duration + 1) --- -2.17.1 - diff --git a/CVE-2018-16857-7.patch b/CVE-2018-16857-7.patch deleted file mode 100644 index b153bba3e39d8fb4d04e1a351baa1e6471061cfd..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-7.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 4f86beeaf3408383385ee99a74520a805dd63c0f Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Tue, 13 Nov 2018 12:24:16 +1300 -Subject: [PATCH 15/17] CVE-2018-16857 dsdb/util: Correctly treat - lockOutObservationWindow as 64-bit int - -Commit 442a38c918ae1666b35 refactored some code into a new -get_lockout_observation_window() function. However, in moving the code, -an ldb_msg_find_attr_as_int64() inadvertently got converted to a -ldb_msg_find_attr_as_int(). - -ldb_msg_find_attr_as_int() will only work for values up to -2147483648 -(about 3.5 minutes in MS timestamp form). Unfortunately, the automated -tests used a low enough timeout that they still worked, however, -password lockout would not work with the Samba default settings. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/password_lockout | 2 -- - source4/dsdb/common/util.c | 10 +++++----- - 2 files changed, 5 insertions(+), 7 deletions(-) - -diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout -index 305bcbdef25..a4e37a84c21 100644 ---- a/selftest/knownfail.d/password_lockout -+++ b/selftest/knownfail.d/password_lockout -@@ -1,4 +1,2 @@ - samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\) - samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\) --samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_ntlm\(ad_dc_ntvfs\) --samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_login_lockout_krb5\(ad_dc_ntvfs\) -diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c -index 193fa2ae653..438a29e1773 100644 ---- a/source4/dsdb/common/util.c -+++ b/source4/dsdb/common/util.c -@@ -5400,12 +5400,12 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg, - struct ldb_message *pso_msg) - { - if (pso_msg != NULL) { -- return ldb_msg_find_attr_as_int(pso_msg, -- "msDS-LockoutObservationWindow", -- 0); -+ return ldb_msg_find_attr_as_int64(pso_msg, -+ "msDS-LockoutObservationWindow", -+ 0); - } else { -- return ldb_msg_find_attr_as_int(domain_msg, -- "lockOutObservationWindow", 0); -+ return ldb_msg_find_attr_as_int64(domain_msg, -+ "lockOutObservationWindow", 0); - } - } - --- -2.17.1 diff --git a/CVE-2018-16857-8.patch b/CVE-2018-16857-8.patch deleted file mode 100644 index 045c0d9dafd3b0dd9b8d6e81c891e7613af9a51d..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-8.patch +++ /dev/null @@ -1,47 +0,0 @@ -From d12b02c78842786969557b9be7c953e9594d90dd Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Tue, 13 Nov 2018 13:19:04 +1300 -Subject: [PATCH 16/17] CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow - for PSOs - -Fix a remaining place where we were trying to read the -msDS-LockoutObservationWindow as an int instead of an int64. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/password_lockout | 2 -- - source4/dsdb/common/util.c | 6 +++--- - 2 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/password_lockout - -diff --git a/selftest/knownfail.d/password_lockout b/selftest/knownfail.d/password_lockout -deleted file mode 100644 -index a4e37a84c21..00000000000 ---- a/selftest/knownfail.d/password_lockout -+++ /dev/null -@@ -1,2 +0,0 @@ --samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_krb5\(ad_dc_ntvfs\) --samba4.ldap.password_lockout.python\(ad_dc_ntvfs\).__main__.PasswordTestsWithDefaults.test_pso_login_lockout_ntlm\(ad_dc_ntvfs\) -diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c -index 438a29e1773..8d863f85a29 100644 ---- a/source4/dsdb/common/util.c -+++ b/source4/dsdb/common/util.c -@@ -5361,9 +5361,9 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb, - - if (res != NULL) { - lockOutObservationWindow = -- ldb_msg_find_attr_as_int(res->msgs[0], -- "msDS-LockoutObservationWindow", -- 0); -+ ldb_msg_find_attr_as_int64(res->msgs[0], -+ "msDS-LockoutObservationWindow", -+ 0); - talloc_free(res); - } else { - --- -2.17.1 - diff --git a/CVE-2018-16857-9.patch b/CVE-2018-16857-9.patch deleted file mode 100644 index 71df94a9526dfd0902ae456a42379d551ea129bf..0000000000000000000000000000000000000000 --- a/CVE-2018-16857-9.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 60b2cd50f4d0554cc5ca8c53b2d1fa89e56a6d06 Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Tue, 13 Nov 2018 13:22:41 +1300 -Subject: [PATCH 17/17] CVE-2018-16857 dsdb/util: Add better default - lockOutObservationWindow - -Clearly the lockOutObservationWindow value is important, and using a -default value of zero doesn't work very well. - -This patch adds a better default value (the domain default setting of 30 -minutes). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett ---- - source4/dsdb/common/util.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c -index 8d863f85a29..18f700370a3 100644 ---- a/source4/dsdb/common/util.c -+++ b/source4/dsdb/common/util.c -@@ -56,6 +56,9 @@ - */ - #include "dsdb/samdb/ldb_modules/util.h" - -+/* default is 30 minutes: -1e7 * 30 * 60 */ -+#define DEFAULT_OBSERVATION_WINDOW -18000000000 -+ - /* - search the sam for the specified attributes in a specific domain, filter on - objectSid being in domain_sid. -@@ -5363,7 +5366,7 @@ int samdb_result_effective_badPwdCount(struct ldb_context *sam_ldb, - lockOutObservationWindow = - ldb_msg_find_attr_as_int64(res->msgs[0], - "msDS-LockoutObservationWindow", -- 0); -+ DEFAULT_OBSERVATION_WINDOW); - talloc_free(res); - } else { - -@@ -5402,10 +5405,11 @@ static int64_t get_lockout_observation_window(struct ldb_message *domain_msg, - if (pso_msg != NULL) { - return ldb_msg_find_attr_as_int64(pso_msg, - "msDS-LockoutObservationWindow", -- 0); -+ DEFAULT_OBSERVATION_WINDOW); - } else { - return ldb_msg_find_attr_as_int64(domain_msg, -- "lockOutObservationWindow", 0); -+ "lockOutObservationWindow", -+ DEFAULT_OBSERVATION_WINDOW); - } - } - --- -2.17.1 diff --git a/CVE-2018-16860.patch b/CVE-2018-16860.patch deleted file mode 100644 index 5efdc9c4173d21d0d97face34f3060c0b5b69760..0000000000000000000000000000000000000000 --- a/CVE-2018-16860.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 43958af1d50f0185e21e6cd74110c455ee8996af Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 30 Jan 2019 23:49:07 +0200 -Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed - checksum - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andrew Bartlett -Signed-off-by: Andrew Bartlett - -Autobuild-User(master): Karolin Seeger -Autobuild-Date(master): Tue May 14 11:45:13 UTC 2019 on sn-devel-184 ---- - source4/heimdal/kdc/krb5tgs.c | 7 + - 1 files changed, 7 insertions(+), 0 deletions(-) - -diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c -index a888788bb6f..ff7d93138c0 100644 ---- a/source4/heimdal/kdc/krb5tgs.c -+++ b/source4/heimdal/kdc/krb5tgs.c -@@ -1925,6 +1925,13 @@ tgs_build_reply(krb5_context context, - goto out; - } - -+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) { -+ free_PA_S4U2Self(&self); -+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum"); -+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM; -+ goto out; -+ } -+ - ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack); - if (ret) - goto out; diff --git a/CVE-2019-10197-1.patch b/CVE-2019-10197-1.patch deleted file mode 100644 index e7d38f4d9c011a9b82fe01fa5d1c717cd27d548c..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-1.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 12 Jul 2019 12:10:35 -0700 -Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug - info into a new function. - -Will be called on elsewhere on successful impersonation. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -Reviewed-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 37 +++++++++++++++++++++++-------------- - 1 file changed, 23 insertions(+), 14 deletions(-) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index a4bcb747d37e..ce8e8d92131c 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn, - return(True); - } - -+static void print_impersonation_info(connection_struct *conn) -+{ -+ struct smb_filename *cwdfname = NULL; -+ -+ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) { -+ return; -+ } -+ -+ cwdfname = vfs_GetWd(talloc_tos(), conn); -+ if (cwdfname == NULL) { -+ return; -+ } -+ -+ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -+ (int)getuid(), -+ (int)geteuid(), -+ (int)getgid(), -+ (int)getegid(), -+ cwdfname->base_name); -+ TALLOC_FREE(cwdfname); -+} -+ - /**************************************************************************** - Become the user of a connection number without changing the security context - stack, but modify the current_user entries. -@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.done_chdir = true; - } - -- if (CHECK_DEBUGLVL(DBGLVL_INFO)) { -- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn); -- if (cwdfname == NULL) { -- return false; -- } -- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -- (int)getuid(), -- (int)geteuid(), -- (int)getgid(), -- (int)getegid(), -- cwdfname->base_name); -- TALLOC_FREE(cwdfname); -- } -- -+ print_impersonation_info(conn); - return true; - } - --- -2.17.1 - diff --git a/CVE-2019-10197-2.patch b/CVE-2019-10197-2.patch deleted file mode 100644 index e7ed51e97feff75d196e3cf6e58b92ff92eac3d0..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-2.patch +++ /dev/null @@ -1,36 +0,0 @@ -From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:01:29 +0200 -Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that - change_to_user_internal() always resets current_user.done_chdir - -We should not leave current_user.done_chdir as true if we didn't call -chdir_current_service() with success. - -This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when -chdir_current_service() worked once on one share but later failed on another -share. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - source3/smbd/uid.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index ce8e8d92131c..77a81f602988 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.conn = conn; - current_user.vuid = vuid; - current_user.need_chdir = conn->tcon_done; -+ current_user.done_chdir = false; - - if (current_user.need_chdir) { - ok = chdir_current_service(conn); --- -2.17.1 - diff --git a/CVE-2019-10197-3.patch b/CVE-2019-10197-3.patch deleted file mode 100644 index f142118e8aa5743071945e8d8e43a4e445f9e2b8..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-3.patch +++ /dev/null @@ -1,30 +0,0 @@ -From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 18 Jun 2019 14:04:08 +0200 -Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset - current_user.{need,done}_chdir in become_root() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 77a81f602988..50868ba8572a 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -624,6 +624,9 @@ void smbd_become_root(void) - } - push_conn_ctx(); - set_root_sec_ctx(); -+ -+ current_user.need_chdir = false; -+ current_user.done_chdir = false; - } - - /* Unbecome the root user */ --- -2.17.1 - diff --git a/CVE-2019-10197-4.patch b/CVE-2019-10197-4.patch deleted file mode 100644 index 3389e590afa8283a00bc374db726c92d2cb3ac31..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-4.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 30 Jul 2019 17:16:59 +0200 -Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own - independent subdirectory - -The next patch will otherwise break the fsrvp related tests. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/target/Samba3.pm | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 9d88253c9fe7..f7eb314138a0 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$) - my $widelinks_linkdir="$shrdir/widelinks_foo"; - push(@dirs,$widelinks_linkdir); - -+ my $fsrvp_shrdir="$shrdir/fsrvp"; -+ push(@dirs,$fsrvp_shrdir); -+ - my $shadow_tstdir="$shrdir/shadow"; - push(@dirs,$shadow_tstdir); - my $shadow_mntdir="$shadow_tstdir/mount"; -@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$) - guest ok = yes - - [fsrvp_share] -- path = $shrdir -+ path = $fsrvp_shrdir - comment = fake shapshots using rsync - vfs objects = shell_snap shadow_copy2 - shell_snap:check path command = $fake_snap_pl --check - shell_snap:create command = $fake_snap_pl --create - shell_snap:delete command = $fake_snap_pl --delete - # a relative path here fails, the snapshot dir is no longer found -- shadow:snapdir = $shrdir/.snapshots -+ shadow:snapdir = $fsrvp_shrdir/.snapshots - - [shadow1] - path = $shadow_shrdir --- -2.17.1 - diff --git a/CVE-2019-10197-5.patch b/CVE-2019-10197-5.patch deleted file mode 100644 index b5d9ec3d03abf23aa9d2ac14fd9a12f3930d83d1..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-5.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 16 Jul 2019 15:40:38 +0200 -Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test - for the no permission on share root problem - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/knownfail.d/CVE-2019-10197 | 1 + - selftest/target/Samba3.pm | 12 +++++++++ - source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++ - 3 files changed, 43 insertions(+) - create mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -new file mode 100644 -index 000000000000..f7056bbf3ad4 ---- /dev/null -+++ b/selftest/knownfail.d/CVE-2019-10197 -@@ -0,0 +1 @@ -+^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index f7eb314138a0..2f491441815f 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$) - my $ro_shrdir="$shrdir/root-tmp"; - push(@dirs,$ro_shrdir); - -+ my $noperm_shrdir="$shrdir/noperm-tmp"; -+ push(@dirs,$noperm_shrdir); -+ - my $msdfs_shrdir="$shrdir/msdfsshare"; - push(@dirs,$msdfs_shrdir); - -@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$) - chmod 0755, $piddir; - - -+ ## -+ ## Create a directory without permissions to enter -+ ## -+ chmod 0000, $noperm_shrdir; -+ - ## - ## create ro and msdfs share layout - ## -@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$) - [ro-tmp] - path = $ro_shrdir - guest ok = yes -+[noperm] -+ path = $noperm_shrdir -+ wide links = yes -+ guest ok = yes - [write-list-tmp] - path = $shrdir - read only = yes -diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh -index bf033ccd2fbf..0bae1d78fac9 100755 ---- a/source3/script/tests/test_smbclient_s3.sh -+++ b/source3/script/tests/test_smbclient_s3.sh -@@ -1329,6 +1329,32 @@ EOF - fi - } - -+# -+# Regression test for CVE-2019-10197 -+# we should always get ACCESS_DENIED -+# -+test_noperm_share_regression() -+{ -+ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1' -+ eval echo "$cmd" -+ out=`eval $cmd` -+ ret=$? -+ if [ $ret -eq 0 ] ; then -+ echo "$out" -+ echo "failed accessing no perm share should not work" -+ return 1 -+ fi -+ -+ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l` -+ if [ "$num" -ne "2" ] ; then -+ echo "$out" -+ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected" -+ return 1 -+ fi -+ -+ return 0 -+} -+ - # Test smbclient deltree command - test_deltree() - { -@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \ - test_local_symlinks || \ - failed=`expr $failed + 1` - -+testit "noperm share regression" \ -+ test_noperm_share_regression || \ -+ failed=`expr $failed + 1` -+ - testit "smbclient deltree command" \ - test_deltree || \ - failed=`expr $failed + 1` --- -2.17.1 - diff --git a/CVE-2019-10197-6.patch b/CVE-2019-10197-6.patch deleted file mode 100644 index 5e7baec5a6181858cf7274e5804f05a22c066b67..0000000000000000000000000000000000000000 --- a/CVE-2019-10197-6.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:02:15 +0200 -Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate() - out of change_to_user_internal() - -This makes sure we always call chdir_current_service() even -when we still impersonated the user. Which is important -in order to run the SMB* request within the correct working directory -and only if the user has permissions to enter that directory. - -It makes sure we always update conn->lastused_count -in chdir_current_service() for each request. - -Note that vfs_ChDir() (called from chdir_current_service()) -maintains its own cache and avoids calling SMB_VFS_CHDIR() -if possible. - -It means we still avoid syscalls if we get a multiple requests -for the same session/tcon tuple. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - selftest/knownfail.d/CVE-2019-10197 | 1 - - source3/smbd/uid.c | 21 +++++++++++++++++---- - 2 files changed, 17 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -deleted file mode 100644 -index f7056bbf3ad4..000000000000 ---- a/selftest/knownfail.d/CVE-2019-10197 -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 50868ba8572a..5c39baade5cf 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn) - stack, but modify the current_user entries. - ****************************************************************************/ - --static bool change_to_user_internal(connection_struct *conn, -- const struct auth_session_info *session_info, -- uint64_t vuid) -+static bool change_to_user_impersonate(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) - { - int snum; - gid_t gid; -@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn, - - if ((current_user.conn == conn) && - (current_user.vuid == vuid) && -- (current_user.need_chdir == conn->tcon_done) && - (current_user.ut.uid == session_info->unix_token->uid)) - { - DBG_INFO("Skipping user change - already user\n"); -@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn, - - current_user.conn = conn; - current_user.vuid = vuid; -+ return true; -+} -+ -+static bool change_to_user_internal(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) -+{ -+ bool ok; -+ -+ ok = change_to_user_impersonate(conn, session_info, vuid); -+ if (!ok) { -+ return false; -+ } -+ - current_user.need_chdir = conn->tcon_done; - current_user.done_chdir = false; - --- -2.17.1 - diff --git a/CVE-2019-12435-1.patch b/CVE-2019-12435-1.patch deleted file mode 100644 index 2af1538199b58e0b50f3d9d0b46455d139bd7295..0000000000000000000000000000000000000000 --- a/CVE-2019-12435-1.patch +++ /dev/null @@ -1,59 +0,0 @@ -diff -Nurp samba-4.9.1/python/samba/tests/dcerpc/dnsserver.py samba-4.9.1-bak/python/samba/tests/dcerpc/dnsserver.py ---- samba-4.9.1/python/samba/tests/dcerpc/dnsserver.py 2018-07-12 04:23:36.000000000 -0400 -+++ samba-4.9.1-bak/python/samba/tests/dcerpc/dnsserver.py 2019-07-29 11:47:02.701000000 -0400 -@@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver - from samba.tests import RpcInterfaceTestCase, env_get_var_value - from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord - from samba import sd_utils, descriptor -+from samba import WERRORError, werror - - class DnsserverTests(RpcInterfaceTestCase): - -@@ -707,6 +708,29 @@ class DnsserverTests(RpcInterfaceTestCas - 'ServerInfo') - self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid) - -+ # This test is to confirm that we do not support multizone operations, -+ # which are designated by a non-zero dwContext value (the 3rd argument -+ # to DnssrvOperation). -+ def test_operation_invalid(self): -+ non_zone = 'a-zone-that-does-not-exist' -+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM -+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() -+ name_and_param.pszNodeName = 'AllowUpdate' -+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE -+ try: -+ res = self.conn.DnssrvOperation(self.server, -+ non_zone, -+ 1, -+ 'ResetDwordProperty', -+ typeid, -+ name_and_param) -+ except WERRORError as e: -+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: -+ return -+ -+ # We should always encounter a DOES_NOT_EXIST error. -+ self.fail() -+ - def test_operation2(self): - client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN - rev_zone = '1.168.192.in-addr.arpa' -diff -Nurp samba-4.9.1/source4/rpc_server/dnsserver/dcerpc_dnsserver.c samba-4.9.1-bak/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ---- samba-4.9.1/source4/rpc_server/dnsserver/dcerpc_dnsserver.c 2018-07-12 04:23:36.000000000 -0400 -+++ samba-4.9.1-bak/source4/rpc_server/dnsserver/dcerpc_dnsserver.c 2019-07-29 11:51:52.408000000 -0400 -@@ -1955,7 +1955,13 @@ static WERROR dcesrv_DnssrvOperation(str - &r->in.pData); - } else { - z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); -- if (z == NULL && request_filter == 0) { -+ /* -+ * In the case that request_filter is not 0 and z is NULL, -+ * the request is for a multizone operation, which we do not -+ * yet support, so just error on NULL zone name. -+ */ -+ if (z == NULL) { -+ - return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; - } - diff --git a/CVE-2019-12435-2.patch b/CVE-2019-12435-2.patch deleted file mode 100644 index c6eb2a0a66548636ae8cdf2b060cd40e29e0e6f0..0000000000000000000000000000000000000000 --- a/CVE-2019-12435-2.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -Nurp samba-4.9.1/python/samba/tests/dcerpc/dnsserver.py samba-4.9.1-bak/python/samba/tests/dcerpc/dnsserver.py ---- samba-4.9.1/python/samba/tests/dcerpc/dnsserver.py 2019-07-29 11:56:23.948000000 -0400 -+++ samba-4.9.1-bak/python/samba/tests/dcerpc/dnsserver.py 2019-07-29 11:58:35.410000000 -0400 -@@ -731,6 +731,32 @@ class DnsserverTests(RpcInterfaceTestCas - # We should always encounter a DOES_NOT_EXIST error. - self.fail() - -+ # This test is to confirm that we do not support multizone operations, -+ # which are designated by a non-zero dwContext value (the 5th argument -+ # to DnssrvOperation2). -+ def test_operation2_invalid(self): -+ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN -+ non_zone = 'a-zone-that-does-not-exist' -+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM -+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() -+ name_and_param.pszNodeName = 'AllowUpdate' -+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE -+ try: -+ res = self.conn.DnssrvOperation2(client_version, -+ 0, -+ self.server, -+ non_zone, -+ 1, -+ 'ResetDwordProperty', -+ typeid, -+ name_and_param) -+ except WERRORError as e: -+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: -+ return -+ -+ # We should always encounter a DOES_NOT_EXIST error. -+ self.fail() -+ - def test_operation2(self): - client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN - rev_zone = '1.168.192.in-addr.arpa' -diff -Nurp samba-4.9.1/source4/rpc_server/dnsserver/dcerpc_dnsserver.c samba-4.9.1-bak/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ---- samba-4.9.1/source4/rpc_server/dnsserver/dcerpc_dnsserver.c 2019-07-29 11:56:23.950000000 -0400 -+++ samba-4.9.1-bak/source4/rpc_server/dnsserver/dcerpc_dnsserver.c 2019-07-29 12:00:03.852000000 -0400 -@@ -2168,7 +2168,12 @@ static WERROR dcesrv_DnssrvOperation2(st - &r->in.pData); - } else { - z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); -- if (z == NULL && request_filter == 0) { -+ /* -+ * In the case that request_filter is not 0 and z is NULL, -+ * the request is for a multizone operation, which we do not -+ * yet support, so just error on NULL zone name. -+ */ -+ if (z == NULL) { - return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; - } - diff --git a/CVE-2019-14861.patch b/CVE-2019-14861.patch deleted file mode 100644 index 1c3ce865af7d5ffc3edfcf9d35c130cbf5263744..0000000000000000000000000000000000000000 --- a/CVE-2019-14861.patch +++ /dev/null @@ -1,390 +0,0 @@ -From 9501741466ba2c0740ffc703c5d242d6b41510e8 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 29 Oct 2019 17:25:28 +1300 -Subject: [PATCH 1/9] CVE-2019-14861: s4-rpc/dnsserver: Confirm sort behaviour - in dcesrv_DnssrvEnumRecords - -The sort behaviour for child records is not correct in Samba so -we add a flapping entry. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 - -Signed-off-by: Andrew Bartlett ---- - python/samba/tests/dcerpc/dnsserver.py | 101 +++++++++++++++++++++++++ - selftest/flapping.d/dnsserver | 2 + - 2 files changed, 103 insertions(+) - create mode 100644 selftest/flapping.d/dnsserver - -diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py -index 7264a290ef2..14ce308e38f 100644 ---- a/python/samba/tests/dcerpc/dnsserver.py -+++ b/python/samba/tests/dcerpc/dnsserver.py -@@ -156,6 +156,107 @@ class DnsserverTests(RpcInterfaceTestCase): - None) - super(DnsserverTests, self).tearDown() - -+ def test_enum_is_sorted(self): -+ """ -+ Confirm the zone is sorted -+ """ -+ -+ record_str = "192.168.50.50" -+ record_type_str = "A" -+ self.add_record(self.custom_zone, "atestrecord-1", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-2", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-3", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-4", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-0", record_type_str, record_str) -+ -+ # This becomes an extra A on the zone itself by server-side magic -+ self.add_record(self.custom_zone, self.custom_zone, record_type_str, record_str) -+ -+ _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, -+ 0, -+ self.server, -+ self.custom_zone, -+ "@", -+ None, -+ self.record_type_int(record_type_str), -+ dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA, -+ None, -+ None) -+ -+ self.assertEqual(len(result.rec), 6) -+ self.assertEqual(result.rec[0].dnsNodeName.str, "") -+ self.assertEqual(result.rec[1].dnsNodeName.str, "atestrecord-0") -+ self.assertEqual(result.rec[2].dnsNodeName.str, "atestrecord-1") -+ self.assertEqual(result.rec[3].dnsNodeName.str, "atestrecord-2") -+ self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") -+ self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") -+ -+ def test_enum_is_sorted_children_prefix_first(self): -+ """ -+ Confirm the zone returns the selected prefix first but no more -+ as Samba is flappy for the full sort -+ """ -+ -+ record_str = "192.168.50.50" -+ record_type_str = "A" -+ self.add_record(self.custom_zone, "atestrecord-1.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-2.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-3.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-4.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-0.a.b", record_type_str, record_str) -+ -+ # Not expected to be returned -+ self.add_record(self.custom_zone, "atestrecord-0.b.b", record_type_str, record_str) -+ -+ _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, -+ 0, -+ self.server, -+ self.custom_zone, -+ "a.b", -+ None, -+ self.record_type_int(record_type_str), -+ dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA, -+ None, -+ None) -+ -+ self.assertEqual(len(result.rec), 6) -+ self.assertEqual(result.rec[0].dnsNodeName.str, "") -+ -+ def test_enum_is_sorted_children(self): -+ """ -+ Confirm the zone is sorted -+ """ -+ -+ record_str = "192.168.50.50" -+ record_type_str = "A" -+ self.add_record(self.custom_zone, "atestrecord-1.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-2.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-3.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-4.a.b", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-0.a.b", record_type_str, record_str) -+ -+ # Not expected to be returned -+ self.add_record(self.custom_zone, "atestrecord-0.b.b", record_type_str, record_str) -+ -+ _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, -+ 0, -+ self.server, -+ self.custom_zone, -+ "a.b", -+ None, -+ self.record_type_int(record_type_str), -+ dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA, -+ None, -+ None) -+ -+ self.assertEqual(len(result.rec), 6) -+ self.assertEqual(result.rec[0].dnsNodeName.str, "") -+ self.assertEqual(result.rec[1].dnsNodeName.str, "atestrecord-0") -+ self.assertEqual(result.rec[2].dnsNodeName.str, "atestrecord-1") -+ self.assertEqual(result.rec[3].dnsNodeName.str, "atestrecord-2") -+ self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") -+ self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") -+ - # This test fails against Samba (but passes against Windows), - # because Samba does not return the record when we enum records. - # Records can be given DNS_RANK_NONE when the zone they are in -diff --git a/selftest/flapping.d/dnsserver b/selftest/flapping.d/dnsserver -new file mode 100644 -index 00000000000..9b33e8522a3 ---- /dev/null -+++ b/selftest/flapping.d/dnsserver -@@ -0,0 +1,2 @@ -+# This is not stable in samba due to a bug -+^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_enum_is_sorted_children -\ No newline at end of file --- -2.17.1 - - -From 51fa9a6a805e4221120847ee9dcab6796021175a Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Mon, 21 Oct 2019 12:12:10 +1300 -Subject: [PATCH 2/9] CVE-2019-14861: s4-rpc_server: Remove special case for @ - in dns_build_tree() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 - -Signed-off-by: Andrew Bartlett ---- - source4/rpc_server/dnsserver/dnsdata.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c -index 59e29f029a6..f991f4042e3 100644 ---- a/source4/rpc_server/dnsserver/dnsdata.c -+++ b/source4/rpc_server/dnsserver/dnsdata.c -@@ -795,10 +795,11 @@ struct dns_tree *dns_build_tree(TALLOC_CTX *mem_ctx, const char *name, struct ld - for (i=0; icount; i++) { - ptr = ldb_msg_find_attr_as_string(res->msgs[i], "name", NULL); - -- if (strcmp(ptr, "@") == 0) { -- base->data = res->msgs[i]; -- continue; -- } else if (strcasecmp(ptr, name) == 0) { -+ /* -+ * This might be the sub-domain in the zone being -+ * requested, or @ for the root of the zone -+ */ -+ if (strcasecmp(ptr, name) == 0) { - base->data = res->msgs[i]; - continue; - } --- -2.17.1 - - -From 16405fecc403517574915a49de5f4abcaa964e21 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 29 Oct 2019 14:15:36 +1300 -Subject: [PATCH 3/9] CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in - ldb_qsort() via dcesrv_DnssrvEnumRecords) - -dns_name_compare() had logic to put @ and the top record in the tree being -enumerated first, but if a domain had both then this would break the -older qsort() implementation in ldb_qsort() and cause a read of memory -before the base pointer. - -By removing this special case (not required as the base pointer -is already seperatly located, no matter were it is in the -returned records) the crash is avoided. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 - -Signed-off-by: Andrew Bartlett ---- - .../rpc_server/dnsserver/dcerpc_dnsserver.c | 21 ++++++++++++------- - source4/rpc_server/dnsserver/dnsdata.c | 19 ++--------------- - source4/rpc_server/dnsserver/dnsserver.h | 4 ++-- - 3 files changed, 17 insertions(+), 27 deletions(-) - -diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -index 353754f9261..c0bf3425dae 100644 ---- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -@@ -1733,6 +1733,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - struct DNS_RPC_RECORDS_ARRAY *recs; - char **add_names = NULL; - char *rname; -+ const char *preference_name = NULL; - int add_count = 0; - int i, ret, len; - WERROR status; -@@ -1749,6 +1750,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - ret = ldb_search(dsstate->samdb, tmp_ctx, &res, z->zone_dn, - LDB_SCOPE_ONELEVEL, attrs, - "(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))"); -+ preference_name = "@"; - } else { - char *encoded_name - = ldb_binary_encode_string(tmp_ctx, name); -@@ -1756,6 +1758,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - LDB_SCOPE_ONELEVEL, attrs, - "(&(objectClass=dnsNode)(|(name=%s)(name=*.%s))(!(dNSTombstoned=TRUE)))", - encoded_name, encoded_name); -+ preference_name = name; - } - if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); -@@ -1769,16 +1772,18 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - recs = talloc_zero(mem_ctx, struct DNS_RPC_RECORDS_ARRAY); - W_ERROR_HAVE_NO_MEMORY_AND_FREE(recs, tmp_ctx); - -- /* Sort the names, so that the first record is the parent record */ -- ldb_qsort(res->msgs, res->count, sizeof(struct ldb_message *), name, -- (ldb_qsort_cmp_fn_t)dns_name_compare); -+ /* -+ * Sort the names, so that the records are in order by the child -+ * component below "name". -+ * -+ * A full tree sort is not required, so we pass in "name" so -+ * we know which level to sort, as only direct children are -+ * eventually returned -+ */ -+ LDB_TYPESAFE_QSORT(res->msgs, res->count, name, dns_name_compare); - - /* Build a tree of name components from dns name */ -- if (strcasecmp(name, z->name) == 0) { -- tree = dns_build_tree(tmp_ctx, "@", res); -- } else { -- tree = dns_build_tree(tmp_ctx, name, res); -- } -+ tree = dns_build_tree(tmp_ctx, preference_name, res); - W_ERROR_HAVE_NO_MEMORY_AND_FREE(tree, tmp_ctx); - - /* Find the parent record in the tree */ -diff --git a/source4/rpc_server/dnsserver/dnsdata.c b/source4/rpc_server/dnsserver/dnsdata.c -index f991f4042e3..acdb87752f8 100644 ---- a/source4/rpc_server/dnsserver/dnsdata.c -+++ b/source4/rpc_server/dnsserver/dnsdata.c -@@ -1052,8 +1052,8 @@ WERROR dns_fill_records_array(TALLOC_CTX *mem_ctx, - } - - --int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2, -- char *search_name) -+int dns_name_compare(struct ldb_message * const *m1, struct ldb_message * const *m2, -+ const char *search_name) - { - const char *name1, *name2; - const char *ptr1, *ptr2; -@@ -1064,21 +1064,6 @@ int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m - return 0; - } - -- /* '@' record and the search_name record gets preference */ -- if (name1[0] == '@') { -- return -1; -- } -- if (search_name && strcasecmp(name1, search_name) == 0) { -- return -1; -- } -- -- if (name2[0] == '@') { -- return 1; -- } -- if (search_name && strcasecmp(name2, search_name) == 0) { -- return 1; -- } -- - /* Compare the last components of names. - * If search_name is not NULL, compare the second last components of names */ - ptr1 = strrchr(name1, '.'); -diff --git a/source4/rpc_server/dnsserver/dnsserver.h b/source4/rpc_server/dnsserver/dnsserver.h -index 93f1d72f2ef..690ab87ed10 100644 ---- a/source4/rpc_server/dnsserver/dnsserver.h -+++ b/source4/rpc_server/dnsserver/dnsserver.h -@@ -188,8 +188,8 @@ struct DNS_ADDR_ARRAY *dns_addr_array_copy(TALLOC_CTX *mem_ctx, struct DNS_ADDR_ - int dns_split_name_components(TALLOC_CTX *mem_ctx, const char *name, char ***components); - char *dns_split_node_name(TALLOC_CTX *mem_ctx, const char *node_name, const char *zone_name); - --int dns_name_compare(const struct ldb_message **m1, const struct ldb_message **m2, -- char *search_name); -+int dns_name_compare(struct ldb_message * const *m1, struct ldb_message * const *m2, -+ const char *search_name); - bool dns_record_match(struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2); - - void dnsp_to_dns_copy(TALLOC_CTX *mem_ctx, struct dnsp_DnssrvRpcRecord *dnsp, --- -2.17.1 - - -From 90073f0abc495c4b5bd05322b71667c534ee9dd8 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Wed, 30 Oct 2019 11:50:57 +1300 -Subject: [PATCH 4/9] CVE-2019-14861: Test to demonstrate the bug - -This test does not fail every time, but when it does it casues a segfault which -takes out the rpc_server master process, as this hosts the dnsserver pipe. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138 - -Signed-off-by: Andrew Bartlett ---- - python/samba/tests/dcerpc/dnsserver.py | 47 ++++++++++++++++++++++++++ - 1 file changed, 47 insertions(+) - -diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py -index 14ce308e38f..a9b8a4ace91 100644 ---- a/python/samba/tests/dcerpc/dnsserver.py -+++ b/python/samba/tests/dcerpc/dnsserver.py -@@ -191,6 +191,53 @@ class DnsserverTests(RpcInterfaceTestCase): - self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") - self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") - -+ def test_enum_is_sorted_with_zone_dup(self): -+ """ -+ Confirm the zone is sorted -+ """ -+ -+ record_str = "192.168.50.50" -+ record_type_str = "A" -+ self.add_record(self.custom_zone, "atestrecord-1", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-2", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-3", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-4", record_type_str, record_str) -+ self.add_record(self.custom_zone, "atestrecord-0", record_type_str, record_str) -+ -+ # This triggers a bug in old Samba -+ self.add_record(self.custom_zone, self.custom_zone + "1", record_type_str, record_str) -+ -+ dn, record = self.get_record_from_db(self.custom_zone, self.custom_zone + "1") -+ -+ new_dn = ldb.Dn(self.samdb, str(dn)) -+ new_dn.set_component(0, "dc", self.custom_zone) -+ self.samdb.rename(dn, new_dn) -+ -+ _, result = self.conn.DnssrvEnumRecords2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, -+ 0, -+ self.server, -+ self.custom_zone, -+ "@", -+ None, -+ self.record_type_int(record_type_str), -+ dnsserver.DNS_RPC_VIEW_AUTHORITY_DATA, -+ None, -+ None) -+ -+ self.assertEqual(len(result.rec), 7) -+ self.assertEqual(result.rec[0].dnsNodeName.str, "") -+ self.assertEqual(result.rec[1].dnsNodeName.str, "atestrecord-0") -+ self.assertEqual(result.rec[2].dnsNodeName.str, "atestrecord-1") -+ self.assertEqual(result.rec[3].dnsNodeName.str, "atestrecord-2") -+ self.assertEqual(result.rec[4].dnsNodeName.str, "atestrecord-3") -+ self.assertEqual(result.rec[5].dnsNodeName.str, "atestrecord-4") -+ -+ # Windows doesn't reload the zone fast enough, but doesn't -+ # have the bug anyway, it will sort last on both names (where -+ # it should) -+ if result.rec[6].dnsNodeName.str != (self.custom_zone + "1"): -+ self.assertEqual(result.rec[6].dnsNodeName.str, self.custom_zone) -+ - def test_enum_is_sorted_children_prefix_first(self): - """ - Confirm the zone returns the selected prefix first but no more --- -2.17.1 diff --git a/CVE-2019-14870.patch b/CVE-2019-14870.patch deleted file mode 100644 index f05c4e4f3785ebf180d6fcdbc16c1e7b383483e2..0000000000000000000000000000000000000000 --- a/CVE-2019-14870.patch +++ /dev/null @@ -1,285 +0,0 @@ -From 5249cad8b435d162584f010f492568d6f4526662 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 30 Oct 2019 15:59:16 +0100 -Subject: [PATCH 7/9] CVE-2019-14870: heimdal: add S4U test for - delegation_not_allowed - -Signed-off-by: Isaac Boukris ---- - selftest/knownfail.d/heimdal_not_delegated | 1 + - source4/selftest/tests.py | 1 + - testprogs/blackbox/test_s4u_heimdal.sh | 73 ++++++++++++++++++++++ - 3 files changed, 75 insertions(+) - create mode 100644 selftest/knownfail.d/heimdal_not_delegated - create mode 100755 testprogs/blackbox/test_s4u_heimdal.sh - -diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated -new file mode 100644 -index 00000000000..bfc382a3fc2 ---- /dev/null -+++ b/selftest/knownfail.d/heimdal_not_delegated -@@ -0,0 +1 @@ -+^samba4.blackbox.krb5.s4u -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 9c3c77f1c56..2ec0bee923b 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -425,6 +425,7 @@ if have_heimdal_support: - plantestsuite("samba4.blackbox.kinit_trust(fl2003dc:local)", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) - plantestsuite("samba4.blackbox.export.keytab(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) - plantestsuite("samba4.blackbox.kpasswd(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) -+ plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) - else: - plantestsuite("samba4.blackbox.kinit(ad_dc_ntvfs:local)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) - plantestsuite("samba4.blackbox.kinit(fl2000dc:local)", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) -diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh -new file mode 100755 -index 00000000000..0e12c7ec096 ---- /dev/null -+++ b/testprogs/blackbox/test_s4u_heimdal.sh -@@ -0,0 +1,73 @@ -+#!/bin/sh -+ -+if [ $# -lt 5 ]; then -+cat < $PREFIX/tmppassfile -+testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` -+ -+testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` -+testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -+ -+testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` -+testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -+ -+rm -f $ocache -+testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1` -+ -+testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` -+testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -+ -+ -+rm -f $ocache $PREFIX/tmpccache tmppassfile -+exit $failed --- -2.17.1 - - -From d0d4954b9b4643678b6f465959dd69de0faafd07 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Mon, 28 Oct 2019 02:54:09 +0200 -Subject: [PATCH 8/9] CVE-2019-14870: heimdal: enforce delegation_not_allowed - in S4U2Self - -Signed-off-by: Isaac Boukris ---- - selftest/knownfail.d/heimdal_not_delegated | 1 - - source4/heimdal/kdc/krb5tgs.c | 58 ++++++++++++++-------- - 2 files changed, 36 insertions(+), 23 deletions(-) - delete mode 100644 selftest/knownfail.d/heimdal_not_delegated - -diff --git a/selftest/knownfail.d/heimdal_not_delegated b/selftest/knownfail.d/heimdal_not_delegated -deleted file mode 100644 -index bfc382a3fc2..00000000000 ---- a/selftest/knownfail.d/heimdal_not_delegated -+++ /dev/null -@@ -1 +0,0 @@ --^samba4.blackbox.krb5.s4u -diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c -index ff7d93138c0..ee3ac3d8f53 100644 ---- a/source4/heimdal/kdc/krb5tgs.c -+++ b/source4/heimdal/kdc/krb5tgs.c -@@ -1975,30 +1975,42 @@ server_lookup: - if (ret) - goto out; - -+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags, -+ NULL, &s4u2self_impersonated_clientdb, -+ &s4u2self_impersonated_client); -+ if (ret) { -+ const char *msg; -+ -+ /* -+ * If the client belongs to the same realm as our krbtgt, it -+ * should exist in the local database. -+ * -+ */ -+ -+ if (ret == HDB_ERR_NOENTRY) -+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; -+ msg = krb5_get_error_message(context, ret); -+ kdc_log(context, config, 1, -+ "S2U4Self principal to impersonate %s not found in database: %s", -+ tpn, msg); -+ krb5_free_error_message(context, msg); -+ goto out; -+ } -+ -+ /* Ignore pw_end attributes (as Windows does), -+ * since S4U2Self is not password authentication. */ -+ free(s4u2self_impersonated_client->entry.pw_end); -+ s4u2self_impersonated_client->entry.pw_end = NULL; -+ -+ ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn, -+ NULL, NULL, FALSE); -+ if (ret) -+ goto out; -+ - /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */ - if(rspac.data) { - krb5_pac p = NULL; - krb5_data_free(&rspac); -- ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags, -- NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client); -- if (ret) { -- const char *msg; -- -- /* -- * If the client belongs to the same realm as our krbtgt, it -- * should exist in the local database. -- * -- */ -- -- if (ret == HDB_ERR_NOENTRY) -- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; -- msg = krb5_get_error_message(context, ret); -- kdc_log(context, config, 1, -- "S2U4Self principal to impersonate %s not found in database: %s", -- tpn, msg); -- krb5_free_error_message(context, msg); -- goto out; -- } - ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, &p); - if (ret) { - kdc_log(context, config, 0, "PAC generation failed for -- %s", -@@ -2034,10 +2046,12 @@ server_lookup: - - /* - * If the service isn't trusted for authentication to -- * delegation, remove the forward flag. -+ * delegation or if the impersonate client is disallowed -+ * forwardable, remove the forwardable flag. - */ - -- if (client->entry.flags.trusted_for_delegation) { -+ if (client->entry.flags.trusted_for_delegation && -+ s4u2self_impersonated_client->entry.flags.forwardable) { - str = "[forwardable]"; - } else { - b->kdc_options.forwardable = 0; --- -2.17.1 - - -From 277ab21fcf31bf60458410994e188d9c236963a3 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 21 Nov 2019 11:12:48 +0100 -Subject: [PATCH 9/9] CVE-2019-14870: mit-kdc: enforce delegation_not_allowed - flag - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14187 - -Signed-off-by: Isaac Boukris ---- - source4/kdc/mit_samba.c | 5 +++++ - source4/kdc/sdb_to_kdb.c | 17 ++++++----------- - 2 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index eacca0903ec..06e680b60e2 100644 ---- a/source4/kdc/mit_samba.c -+++ b/source4/kdc/mit_samba.c -@@ -304,6 +304,11 @@ fetch_referral_principal: - - sdb_free_entry(&sentry); - -+ if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { -+ kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; -+ kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; -+ } -+ - done: - krb5_free_principal(ctx->context, referral_principal); - referral_principal = NULL; -diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c -index 74d882738f8..b7253ade122 100644 ---- a/source4/kdc/sdb_to_kdb.c -+++ b/source4/kdc/sdb_to_kdb.c -@@ -36,18 +36,13 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s, - if (s->initial) { - *k |= KRB5_KDB_DISALLOW_TGT_BASED; - } -- /* -- * Do not set any disallow rules for forwardable, proxiable, -- * renewable, postdate and server. -- * -- * The KDC will take care setting the flags based on the incoming -- * ticket. -- */ -- if (s->forwardable) { -- ; -+ /* The forwardable and proxiable flags are set according to client and -+ * server attributes. */ -+ if (!s->forwardable) { -+ *k |= KRB5_KDB_DISALLOW_FORWARDABLE; - } -- if (s->proxiable) { -- ; -+ if (!s->proxiable) { -+ *k |= KRB5_KDB_DISALLOW_PROXIABLE; - } - if (s->renewable) { - ; --- -2.17.1 - diff --git a/CVE-2019-3870-1.patch b/CVE-2019-3870-1.patch deleted file mode 100644 index bb5e0a62b6d9771735a20f98841ae280d2c7ed2d..0000000000000000000000000000000000000000 --- a/CVE-2019-3870-1.patch +++ /dev/null @@ -1,140 +0,0 @@ -From c25348e1f2a7fd0801e06918d67c469f1912f311 Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Fri, 15 Mar 2019 15:20:21 +1300 -Subject: [PATCH 1/5] CVE-2019-3870 tests: Extend smbd tests to check for umask - being overwritten - -The smbd changes the umask - if the code fails to restore the umask to -what it was, then this is very bad. Add an extra check to every -smbd-related test that the umask at the end of the test is the same as -what it was at the beginning (i.e. if the smbd code changed the umask -then it correctly restored the value afterwards). - -As the selftest sets the umask for all tests to zero, it makes it hard -to detect this problem, so the test setUp() needs to set it to something -else first. - -This extra checking is added to the setUp()/tearDown() so that it -applies to all test-cases. However, any failure that occur with this -approach will not be able to be known-failed. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett - -(This backport to Samba 4.9 by Andrew Bartlett was not a pure -cherry-pick due to merge conflicts) ---- - python/samba/tests/ntacls_backup.py | 4 ++-- - python/samba/tests/posixacl.py | 4 ++-- - python/samba/tests/smbd_base.py | 48 +++++++++++++++++++++++++++++++++++++ - selftest/knownfail.d/umask-leak | 3 +++ - 4 files changed, 55 insertions(+), 4 deletions(-) - create mode 100644 python/samba/tests/smbd_base.py - create mode 100644 selftest/knownfail.d/umask-leak - -diff --git a/python/samba/tests/ntacls_backup.py b/python/samba/tests/ntacls_backup.py -index 9ab264a27fd..763804fd63f 100644 ---- a/python/samba/tests/ntacls_backup.py -+++ b/python/samba/tests/ntacls_backup.py -@@ -27,10 +27,10 @@ from samba import ntacls - from samba.auth import system_session - from samba.param import LoadParm - from samba.dcerpc import security --from samba.tests import TestCaseInTempDir -+from samba.tests.smbd_base import SmbdBaseTests - - --class NtaclsBackupRestoreTests(TestCaseInTempDir): -+class NtaclsBackupRestoreTests(SmbdBaseTests): - """ - Tests for NTACLs backup and restore. - """ -diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py -index 8b48825fc6f..2005f4eef59 100644 ---- a/python/samba/tests/posixacl.py -+++ b/python/samba/tests/posixacl.py -@@ -20,7 +20,7 @@ - - from samba.ntacls import setntacl, getntacl, checkset_backend - from samba.dcerpc import security, smb_acl, idmap --from samba.tests import TestCaseInTempDir -+from samba.tests.smbd_base import SmbdBaseTests - from samba import provision - import os - from samba.samba3 import smbd, passdb -@@ -32,7 +32,7 @@ DOM_SID = "S-1-5-21-2212615479-2695158682-2101375467" - ACL = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)" - - --class PosixAclMappingTests(TestCaseInTempDir): -+class PosixAclMappingTests(SmbdBaseTests): - - def setUp(self): - super(PosixAclMappingTests, self).setUp() -diff --git a/python/samba/tests/smbd_base.py b/python/samba/tests/smbd_base.py -new file mode 100644 -index 00000000000..4e5c3641e2c ---- /dev/null -+++ b/python/samba/tests/smbd_base.py -@@ -0,0 +1,48 @@ -+# Unix SMB/CIFS implementation. Common code for smbd python bindings tests -+# Copyright (C) Catalyst.Net Ltd 2019 -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+# -+from samba.tests import TestCaseInTempDir -+import os -+ -+TEST_UMASK = 0o022 -+ -+class SmbdBaseTests(TestCaseInTempDir): -+ -+ def get_umask(self): -+ # we can only get the umask by setting it to something -+ curr_umask = os.umask(0) -+ # restore the old setting -+ os.umask(curr_umask) -+ return curr_umask -+ -+ def setUp(self): -+ super(SmbdBaseTests, self).setUp() -+ self.orig_umask = self.get_umask() -+ -+ # set an arbitrary umask - the underlying smbd code should override -+ # this, but it allows us to check if umask is left unset -+ os.umask(TEST_UMASK) -+ -+ def tearDown(self): -+ # the current umask should be what we set it to earlier - if it's not, -+ # it indicates the code has changed it and not restored it -+ self.assertEqual(self.get_umask(), TEST_UMASK, -+ "umask unexpectedly overridden by test") -+ -+ # restore the original umask value (before we interferred with it) -+ os.umask(self.orig_umask) -+ -+ super(SmbdBaseTests, self).tearDown() -diff --git a/selftest/knownfail.d/umask-leak b/selftest/knownfail.d/umask-leak -new file mode 100644 -index 00000000000..5580beb4b68 ---- /dev/null -+++ b/selftest/knownfail.d/umask-leak -@@ -0,0 +1,3 @@ -+^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_create_file -+^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_backup_online -+^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_backup_offline --- -2.11.0 diff --git a/CVE-2019-3870-2.patch b/CVE-2019-3870-2.patch deleted file mode 100644 index b36c0b7c2457c5b50b45743866dfd03e796061fd..0000000000000000000000000000000000000000 --- a/CVE-2019-3870-2.patch +++ /dev/null @@ -1,120 +0,0 @@ -From b9ccfe0452524d8fdd5751944662856425599af2 Mon Sep 17 00:00:00 2001 -From: Tim Beale -Date: Fri, 15 Mar 2019 13:52:50 +1300 -Subject: [PATCH 2/5] CVE-2019-3870 tests: Add test to check file-permissions - are correct after provision - -This provisions a new DC and checks there are no world-writable -files in the new DC's private directory. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 - -Signed-off-by: Tim Beale -Reviewed-by: Andrew Bartlett -Reviewed-by: Jeremy Allison ---- - selftest/knownfail.d/provision_fileperms | 1 + - source4/selftest/tests.py | 1 + - source4/setup/tests/provision_fileperms.sh | 71 ++++++++++++++++++++++++++++++ - 3 files changed, 73 insertions(+) - create mode 100644 selftest/knownfail.d/provision_fileperms - create mode 100755 source4/setup/tests/provision_fileperms.sh - -diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms -new file mode 100644 -index 00000000000..88b1585fd19 ---- /dev/null -+++ b/selftest/knownfail.d/provision_fileperms -@@ -0,0 +1 @@ -+samba4.blackbox.provision_fileperms.provision-fileperms\(none\) -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 18b2c1162b0..d6fb388dc33 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -904,6 +904,7 @@ plantestsuite_loadlist("samba4.deletetest.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [ - plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) - plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) - plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) -+plantestsuite("samba4.blackbox.provision_fileperms", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/provision_fileperms.sh"), '$PREFIX/provision']) - plantestsuite("samba4.blackbox.supported_features", "none", - ["PYTHON=%s" % python, - os.path.join(samba4srcdir, -diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh -new file mode 100755 -index 00000000000..0b3ef0321fb ---- /dev/null -+++ b/source4/setup/tests/provision_fileperms.sh -@@ -0,0 +1,71 @@ -+#!/bin/sh -+ -+if [ $# -lt 1 ]; then -+cat < $SMB_CONF -+ -+# provision a basic DC -+testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF -+ -+# check the file permissions in the 'private' directory really are private -+testit "provision-fileperms" check_private_file_perms $TARGET_DIR -+ -+rm -rf $TARGET_DIR -+ -+umask $ORIG_UMASK -+ -+exit $failed --- -2.11.0 diff --git a/CVE-2019-3870-3.patch b/CVE-2019-3870-3.patch deleted file mode 100644 index 3169e029a85c35ccfab74841ab433c81047425dc..0000000000000000000000000000000000000000 --- a/CVE-2019-3870-3.patch +++ /dev/null @@ -1,72 +0,0 @@ -From be504b486d78133fd28ad3d7adfe589a99338846 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 21 Mar 2019 17:21:58 +1300 -Subject: [PATCH 3/5] CVE-2019-3870 pysmbd: Include tests to show the outside - umask has no impact - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Jeremy Allison ---- - python/samba/tests/ntacls_backup.py | 13 +++++++++++++ - python/samba/tests/smbd_base.py | 2 +- - selftest/knownfail.d/pymkdir-umask | 1 + - 3 files changed, 15 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/pymkdir-umask - -diff --git a/python/samba/tests/ntacls_backup.py b/python/samba/tests/ntacls_backup.py -index 763804fd63f..b7defd35903 100644 ---- a/python/samba/tests/ntacls_backup.py -+++ b/python/samba/tests/ntacls_backup.py -@@ -112,6 +112,12 @@ class NtaclsBackupRestoreTests(SmbdBaseTests): - - dirpath = os.path.join(self.service_root, 'a-dir') - smbd.mkdir(dirpath, self.service) -+ mode = os.stat(dirpath).st_mode -+ -+ # This works in conjunction with the TEST_UMASK in smbd_base -+ # to ensure that permissions are not related to the umask -+ # but instead the smb.conf settings -+ self.assertEquals(mode & 0o777, 0o755) - self.assertTrue(os.path.isdir(dirpath)) - - def test_smbd_create_file(self): -@@ -123,6 +129,13 @@ class NtaclsBackupRestoreTests(SmbdBaseTests): - smbd.create_file(filepath, self.service) - self.assertTrue(os.path.isfile(filepath)) - -+ mode = os.stat(filepath).st_mode -+ -+ # This works in conjunction with the TEST_UMASK in smbd_base -+ # to ensure that permissions are not related to the umask -+ # but instead the smb.conf settings -+ self.assertEquals(mode & 0o777, 0o644) -+ - # As well as checking that unlink works, this removes the - # fake xattrs from the dev/inode based DB - smbd.unlink(filepath, self.service) -diff --git a/python/samba/tests/smbd_base.py b/python/samba/tests/smbd_base.py -index 4e5c3641e2c..b49bcc0828f 100644 ---- a/python/samba/tests/smbd_base.py -+++ b/python/samba/tests/smbd_base.py -@@ -17,7 +17,7 @@ - from samba.tests import TestCaseInTempDir - import os - --TEST_UMASK = 0o022 -+TEST_UMASK = 0o042 - - class SmbdBaseTests(TestCaseInTempDir): - -diff --git a/selftest/knownfail.d/pymkdir-umask b/selftest/knownfail.d/pymkdir-umask -new file mode 100644 -index 00000000000..5af01be44e3 ---- /dev/null -+++ b/selftest/knownfail.d/pymkdir-umask -@@ -0,0 +1 @@ -+^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_mkdir -\ No newline at end of file --- -2.11.0 - diff --git a/CVE-2019-3870-4.patch b/CVE-2019-3870-4.patch deleted file mode 100644 index 25d2995a5504949b83f9b2339de33c35b2758ab4..0000000000000000000000000000000000000000 --- a/CVE-2019-3870-4.patch +++ /dev/null @@ -1,169 +0,0 @@ -From c99f2ab22cc93b5194a3477c6a241600fa0f6758 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 14 Mar 2019 18:20:06 +1300 -Subject: [PATCH 4/5] CVE-2019-3870 pysmbd: Move umask manipuations as close as - possible to users - -Umask manipulation was added to pysmbd with e146fe5ef96c1522175a8e81db15d1e8879e5652 in 2012 -and init_files_struct was split out in 747c3f1fb379bb68cc7479501b85741493c05812 in 2018 for -Samba 4.9. (It was added to assist the smbd.create_file() routine used in the backup and -restore tools, which needed to write files with full metadata). - -This in turn avoids leaving init_files_struct() without resetting the umask to -the original, saved, value. - -Per umask(2) this is required before open() and mkdir() system calls (along -side other file-like things such as those for Unix domain socks and FIFOs etc). - -Therefore for safety and clarify the additional 'belt and braces' umask -manipuations elsewhere are removed. - -mkdir() will be protected by a umask() bracket, for correctness, in the next patch. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 - -Signed-off-by: Andrew Bartlett - -(This backport to Samba 4.9 by Andrew Bartlett is not a pure -cherry-pick due to merge conflicts) ---- - selftest/knownfail.d/provision_fileperms | 1 - - selftest/knownfail.d/umask-leak | 3 --- - source3/smbd/pysmbd.c | 34 ++++++++++---------------------- - 3 files changed, 10 insertions(+), 28 deletions(-) - delete mode 100644 selftest/knownfail.d/provision_fileperms - delete mode 100644 selftest/knownfail.d/umask-leak - -diff --git a/selftest/knownfail.d/provision_fileperms b/selftest/knownfail.d/provision_fileperms -deleted file mode 100644 -index 88b1585fd19..00000000000 ---- a/selftest/knownfail.d/provision_fileperms -+++ /dev/null -@@ -1 +0,0 @@ --samba4.blackbox.provision_fileperms.provision-fileperms\(none\) -diff --git a/selftest/knownfail.d/umask-leak b/selftest/knownfail.d/umask-leak -deleted file mode 100644 -index 5580beb4b68..00000000000 ---- a/selftest/knownfail.d/umask-leak -+++ /dev/null -@@ -1,3 +0,0 @@ --^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_create_file --^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_backup_online --^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_backup_offline -diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c -index 1431925efd0..179a1ee2943 100644 ---- a/source3/smbd/pysmbd.c -+++ b/source3/smbd/pysmbd.c -@@ -85,27 +85,19 @@ static int set_sys_acl_conn(const char *fname, - { - int ret; - struct smb_filename *smb_fname = NULL; -- mode_t saved_umask; - - TALLOC_CTX *frame = talloc_stackframe(); - -- /* we want total control over the permissions on created files, -- so set our umask to 0 */ -- saved_umask = umask(0); -- - smb_fname = synthetic_smb_fname_split(frame, - fname, - lp_posix_pathnames()); - if (smb_fname == NULL) { - TALLOC_FREE(frame); -- umask(saved_umask); - return -1; - } - - ret = SMB_VFS_SYS_ACL_SET_FILE( conn, smb_fname, acltype, theacl); - -- umask(saved_umask); -- - TALLOC_FREE(frame); - return ret; - } -@@ -132,22 +124,26 @@ static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx, - } - fsp->conn = conn; - -- /* we want total control over the permissions on created files, -- so set our umask to 0 */ -- saved_umask = umask(0); -- - smb_fname = synthetic_smb_fname_split(fsp, - fname, - lp_posix_pathnames()); - if (smb_fname == NULL) { -- umask(saved_umask); - return NT_STATUS_NO_MEMORY; - } - - fsp->fsp_name = smb_fname; -+ -+ /* -+ * we want total control over the permissions on created files, -+ * so set our umask to 0 (this matters if flags contains O_CREAT) -+ */ -+ saved_umask = umask(0); -+ - fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00644); -+ -+ umask(saved_umask); -+ - if (fsp->fh->fd == -1) { -- umask(saved_umask); - return NT_STATUS_INVALID_PARAMETER; - } - -@@ -157,7 +153,6 @@ static NTSTATUS init_files_struct(TALLOC_CTX *mem_ctx, - DEBUG(0,("Error doing fstat on open file %s (%s)\n", - smb_fname_str_dbg(smb_fname), - strerror(errno) )); -- umask(saved_umask); - return map_nt_error_from_unix(errno); - } - -@@ -444,7 +439,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) - char *fname, *service = NULL; - int uid, gid; - TALLOC_CTX *frame; -- mode_t saved_umask; - struct smb_filename *smb_fname = NULL; - - if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sii|z", -@@ -460,10 +454,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) - return NULL; - } - -- /* we want total control over the permissions on created files, -- so set our umask to 0 */ -- saved_umask = umask(0); -- - smb_fname = synthetic_smb_fname(talloc_tos(), - fname, - NULL, -@@ -471,7 +461,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) - lp_posix_pathnames() ? - SMB_FILENAME_POSIX_PATH : 0); - if (smb_fname == NULL) { -- umask(saved_umask); - TALLOC_FREE(frame); - errno = ENOMEM; - return PyErr_SetFromErrno(PyExc_OSError); -@@ -479,14 +468,11 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) - - ret = SMB_VFS_CHOWN(conn, smb_fname, uid, gid); - if (ret != 0) { -- umask(saved_umask); - TALLOC_FREE(frame); - errno = ret; - return PyErr_SetFromErrno(PyExc_OSError); - } - -- umask(saved_umask); -- - TALLOC_FREE(frame); - - Py_RETURN_NONE; --- -2.11.0 diff --git a/CVE-2019-3870-5.patch b/CVE-2019-3870-5.patch deleted file mode 100644 index d7fe40baf402fde52935ecae8cd49f6356ee405a..0000000000000000000000000000000000000000 --- a/CVE-2019-3870-5.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 61414430c6bd6c9c9bfa1512880ecc6adbdbf9b4 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Thu, 21 Mar 2019 17:24:14 +1300 -Subject: [PATCH 5/5] CVE-2019-3870 pysmbd: Ensure a zero umask is set for - smbd.mkdir() - -mkdir() is the other call that requires a umask of 0 in Samba. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Jeremy Allison ---- - selftest/knownfail.d/pymkdir-umask | 1 - - source3/smbd/pysmbd.c | 11 ++++++++++- - 2 files changed, 10 insertions(+), 2 deletions(-) - delete mode 100644 selftest/knownfail.d/pymkdir-umask - -diff --git a/selftest/knownfail.d/pymkdir-umask b/selftest/knownfail.d/pymkdir-umask -deleted file mode 100644 -index 5af01be44e3..00000000000 ---- a/selftest/knownfail.d/pymkdir-umask -+++ /dev/null -@@ -1 +0,0 @@ --^samba.tests.ntacls_backup.samba.tests.ntacls_backup.NtaclsBackupRestoreTests.test_smbd_mkdir -\ No newline at end of file -diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c -index 179a1ee2943..845ea25f936 100644 ---- a/source3/smbd/pysmbd.c -+++ b/source3/smbd/pysmbd.c -@@ -739,6 +739,8 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs) - TALLOC_CTX *frame = talloc_stackframe(); - struct connection_struct *conn = NULL; - struct smb_filename *smb_fname = NULL; -+ int ret; -+ mode_t saved_umask; - - if (!PyArg_ParseTupleAndKeywords(args, - kwargs, -@@ -769,8 +771,15 @@ static PyObject *py_smbd_mkdir(PyObject *self, PyObject *args, PyObject *kwargs) - return NULL; - } - -+ /* we want total control over the permissions on created files, -+ so set our umask to 0 */ -+ saved_umask = umask(0); -+ -+ ret = SMB_VFS_MKDIR(conn, smb_fname, 00755); - -- if (SMB_VFS_MKDIR(conn, smb_fname, 00755) == -1) { -+ umask(saved_umask); -+ -+ if (ret == -1) { - DBG_ERR("mkdir error=%d (%s)\n", errno, strerror(errno)); - TALLOC_FREE(frame); - return NULL; --- -2.11.0 - diff --git a/CVE-2019-3880.patch b/CVE-2019-3880.patch deleted file mode 100644 index eded5d9ddb308a6950de3924d9e04a4acea7d392..0000000000000000000000000000000000000000 --- a/CVE-2019-3880.patch +++ /dev/null @@ -1,151 +0,0 @@ -From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 21 Mar 2019 14:51:30 -0700 -Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of - SaveKey/RestoreKey. - -The were not using VFS backend calls and could only work -locally, and were unsafe against symlink races and other -security issues. - -If the incoming handle is valid, return WERR_BAD_PATHNAME. - -[MS-RRP] states "The format of the file name is implementation-specific" -so ensure we don't allow this. - -As reported by Michael Hanselmann. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andrew Bartlett ---- - source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++----------------------------- - 1 file changed, 4 insertions(+), 88 deletions(-) - -diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c -index d9ee8d0602d..816c6bb2a12 100644 ---- a/source3/rpc_server/winreg/srv_winreg_nt.c -+++ b/source3/rpc_server/winreg/srv_winreg_nt.c -@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p, - } - - /******************************************************************* -- ********************************************************************/ -- --static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) --{ -- char *p = NULL; -- int num_services = lp_numservices(); -- int snum = -1; -- const char *share_path = NULL; -- char *fname = *pp_fname; -- -- /* convert to a unix path, stripping the C:\ along the way */ -- -- if (!(p = valid_share_pathname(ctx, fname))) { -- return -1; -- } -- -- /* has to exist within a valid file share */ -- -- for (snum=0; snumin.handle ); -- char *fname = NULL; -- int snum = -1; - -- if ( !regkey ) -+ if ( !regkey ) { - return WERR_INVALID_HANDLE; -- -- if ( !r->in.filename || !r->in.filename->name ) -- return WERR_INVALID_PARAMETER; -- -- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); -- if (!fname) { -- return WERR_NOT_ENOUGH_MEMORY; - } -- -- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from " -- "\"%s\"\n", regkey->key->name, fname)); -- -- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1) -- return WERR_BAD_PATHNAME; -- -- /* user must posses SeRestorePrivilege for this this proceed */ -- -- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) { -- return WERR_ACCESS_DENIED; -- } -- -- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", -- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); -- -- return reg_restorekey(regkey, fname); -+ return WERR_BAD_PATHNAME; - } - - /******************************************************************* -@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p, - struct winreg_SaveKey *r) - { - struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); -- char *fname = NULL; -- int snum = -1; - -- if ( !regkey ) -+ if ( !regkey ) { - return WERR_INVALID_HANDLE; -- -- if ( !r->in.filename || !r->in.filename->name ) -- return WERR_INVALID_PARAMETER; -- -- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); -- if (!fname) { -- return WERR_NOT_ENOUGH_MEMORY; - } -- -- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n", -- regkey->key->name, fname)); -- -- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 ) -- return WERR_BAD_PATHNAME; -- -- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", -- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); -- -- return reg_savekey(regkey, fname); -+ return WERR_BAD_PATHNAME; - } - - /******************************************************************* --- -2.11.0 - diff --git a/README.dc b/README.dc deleted file mode 100644 index d67a5567fa19d66ef58e61713c8be1e9acdcd2cc..0000000000000000000000000000000000000000 --- a/README.dc +++ /dev/null @@ -1,12 +0,0 @@ -MIT Kerberos 5 Support -======================= - -Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of -choice. The Samba build in Fedora is using MIT Kerberos implementation in order -to allow system-wide interoperability between both desktop and server -applications running on the same machine. - -In this build the Active Directory support has been disabled. - -In case of further questions do not hesitate to send your inquiries to -samba-owner@fedoraproject.org diff --git a/samba-4.11.6.tar.asc b/samba-4.11.6.tar.asc new file mode 100644 index 0000000000000000000000000000000000000000..292cb0c8253e97ccbe0509b795af9f40c2fabbd1 --- /dev/null +++ b/samba-4.11.6.tar.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- + +iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXjALthUcc2FtYmEtYnVn +c0BzYW1iYS5vcmcACgkQbzORW2Vot+od+ACgpzREKkVcyLse9EwufX0vS/JMUYIA +n2xGjOlyTFJJUD9heWInjmYzy4W0 +=472O +-----END PGP SIGNATURE----- diff --git a/samba-4.9.1.tar.gz b/samba-4.11.6.tar.xz similarity index 49% rename from samba-4.9.1.tar.gz rename to samba-4.11.6.tar.xz index 63f32fea22a436186f01d377764511a81888b602..c8b29cb1ebfc2dc582b60640d98bdeb378b9f4af 100644 Binary files a/samba-4.9.1.tar.gz and b/samba-4.11.6.tar.xz differ diff --git a/samba-4.9.0rc5-stack-protector.patch b/samba-4.9.0rc5-stack-protector.patch deleted file mode 100644 index 51bc83ac21269c694add46a733244484e735423b..0000000000000000000000000000000000000000 --- a/samba-4.9.0rc5-stack-protector.patch +++ /dev/null @@ -1,117 +0,0 @@ -From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 3 Sep 2018 10:35:08 +0200 -Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support - -The -fstack-protector* flags are compiler only flags, don't pass them to -the linker. - -https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371) ---- - buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++------------- - 1 file changed, 19 insertions(+), 17 deletions(-) - -diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py -index c4391d0c4dc..bfd6f9710db 100644 ---- a/buildtools/wafsamba/samba_autoconf.py -+++ b/buildtools/wafsamba/samba_autoconf.py -@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None): - return - - # we need to build real code that can't be optimized away to test -- if conf.check(fragment=''' -- #include -- -- int main(void) -- { -- char t[100000]; -- while (fgets(t, sizeof(t), stdin)); -- return 0; -- } -- ''', -- execute=0, -- ccflags='-fstack-protector', -- ldflags='-fstack-protector', -- mandatory=False, -- msg='Checking if toolchain accepts -fstack-protector'): -- conf.ADD_CFLAGS('-fstack-protector') -- conf.ADD_LDFLAGS('-fstack-protector') -+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector'] -+ for stack_protect_flag in stack_protect_list: -+ flag_supported = conf.check(fragment=''' -+ #include -+ -+ int main(void) -+ { -+ char t[100000]; -+ while (fgets(t, sizeof(t), stdin)); -+ return 0; -+ } -+ ''', -+ execute=0, -+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag], -+ mandatory=False, -+ msg='Checking if compiler accepts %s' % (stack_protect_flag)) -+ if flag_supported: -+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag)) -+ break - - if Options.options.debug: - conf.ADD_CFLAGS('-g', testflags=True) --- -2.18.0 - - -From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 3 Sep 2018 10:49:52 +0200 -Subject: [PATCH 2/2] waf: Add -fstack-clash-protection - -https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0) ---- - buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py -index bfd6f9710db..f2b3ec8db8d 100644 ---- a/buildtools/wafsamba/samba_autoconf.py -+++ b/buildtools/wafsamba/samba_autoconf.py -@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None): - conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag)) - break - -+ flag_supported = conf.check(fragment=''' -+ #include -+ -+ int main(void) -+ { -+ char t[100000]; -+ while (fgets(t, sizeof(t), stdin)); -+ return 0; -+ } -+ ''', -+ execute=0, -+ ccflags=[ '-Werror', '-fstack-clash-protection'], -+ mandatory=False, -+ msg='Checking if compiler accepts -fstack-clash-protection') -+ if flag_supported: -+ conf.ADD_CFLAGS('-fstack-clash-protection') -+ - if Options.options.debug: - conf.ADD_CFLAGS('-g', testflags=True) - --- -2.18.0 - diff --git a/samba-4.9.1.tar.asc b/samba-4.9.1.tar.asc deleted file mode 100644 index 3a9597508b2985f300b5531c4e0e05a9f3371ed3..0000000000000000000000000000000000000000 --- a/samba-4.9.1.tar.asc +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq -Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg== -=2NTz ------END PGP SIGNATURE----- diff --git a/samba.log b/samba.logrotate similarity index 50% rename from samba.log rename to samba.logrotate index 6ccd04dd3252bb2315abc37bd75ec651065d3d44..40f85aa002720e90a4b7331ac0014fbcd381aaf9 100644 --- a/samba.log +++ b/samba.logrotate @@ -1,7 +1,10 @@ -/var/log/samba/* { +/var/log/samba/log.* { + compress + dateext + maxage 365 + rotate 99 notifempty olddir /var/log/samba/old missingok - sharedscripts copytruncate } diff --git a/samba.spec b/samba.spec index 191a4adab8b48a5aed25a8e069806fc92f12c000..e98babc303212ce068b04b75971ba23f40a9a7e8 100644 --- a/samba.spec +++ b/samba.spec @@ -1,10 +1,11 @@ %bcond_with testsuite %bcond_without clustering -%define talloc_version 2.1.14 -%define tdb_version 1.3.16 -%define tevent_version 0.9.37 -%define ldb_version 1.4.2 +%define talloc_version 2.2.0 +%define tdb_version 1.4.2 +%define tevent_version 0.10.0 +%define ldb_version 2.0.8 + %undefine _strict_symbol_defs_build @@ -13,6 +14,7 @@ %global with_profiling 1 %global with_vfs_cephfs 0 + %global with_vfs_glusterfs 0 %ifarch x86_64 %global with_vfs_glusterfs 1 @@ -23,15 +25,14 @@ %global with_intel_aes_accel 1 %endif -%global libwbc_alternatives_version 0.14 +%global libwbc_alternatives_version 0.15 %global libwbc_alternatives_suffix %nil %if 0%{?__isa_bits} == 64 %global libwbc_alternatives_suffix -64 %endif -%global with_mitkrb5 1 - %global with_dc 1 + %if %{with testsuite} %global with_dc 1 %endif @@ -39,113 +40,70 @@ %global required_mit_krb5 1.15.1 %global with_clustering_support 0 + %if %{with clustering} %global with_clustering_support 1 %endif -%{!?python2_sitearch: %define python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" %define samba_depver %{version}-%{release} Name: samba -Version: 4.9.1 -Release: 8 +Version: 4.11.6 +Release: 1 + Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ -URL: http://www.samba.org/ -Source0: https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.gz +URL: https://www.samba.org + +Source0: https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.xz Source1: https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.asc Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg -Source3: samba.log +Source3: samba.logrotate Source4: smb.conf.vendor Source5: smb.conf.example Source6: pam_winbind.conf Source7: samba.pamd -Source8: README.dc -Source9: README.downgrade - -Patch6000: samba-4.9.0rc5-stack-protector.patch -Patch6001: CVE-2018-14629.patch -Patch6002: CVE-2018-16851.patch -Patch6003: CVE-2018-16853-1.patch -Patch6004: CVE-2018-16853-2.patch -Patch6005: CVE-2019-3870-1.patch -Patch6006: CVE-2019-3870-2.patch -Patch6007: CVE-2019-3870-3.patch -Patch6008: CVE-2019-3870-4.patch -Patch6009: CVE-2019-3870-5.patch -Patch6010: CVE-2019-3880.patch -Patch6011: CVE-2018-16841-1.patch -Patch6012: CVE-2018-16841-2.patch -Patch6013: CVE-2019-12435-1.patch -Patch6014: CVE-2019-12435-2.patch -Patch6015: CVE-2018-16852-1.patch -Patch6016: CVE-2018-16852-2.patch -Patch6017: CVE-2018-16852-3.patch -Patch6018: CVE-2018-16857-1.patch -Patch6019: CVE-2018-16857-2.patch -Patch6020: CVE-2018-16857-3.patch -Patch6021: CVE-2018-16857-4.patch -Patch6022: CVE-2018-16857-5.patch -Patch6023: CVE-2018-16857-6.patch -Patch6024: CVE-2018-16857-7.patch -Patch6025: CVE-2018-16857-8.patch -Patch6026: CVE-2018-16857-9.patch -Patch6027: CVE-2019-10197-1.patch -Patch6028: CVE-2019-10197-2.patch -Patch6029: CVE-2019-10197-3.patch -Patch6030: CVE-2019-10197-4.patch -Patch6031: CVE-2019-10197-5.patch -Patch6032: CVE-2019-10197-6.patch -Patch6033: 0001-CVE-2019-14847.patch -Patch6034: 0002-CVE-2019-14847.patch -Patch6035: 0003-CVE-2019-14847.patch -Patch6036: 0001-CVE-2019-14833.patch -Patch6037: 0002-CVE-2019-14833.patch -Patch6038: 0001-CVE-2019-10218.patch -Patch6039: 0002-CVE-2019-10218.patch -Patch6040: 0001-CVE-2019-3824.patch -Patch6041: 0002-CVE-2019-3824.patch -Patch6042: 0003-CVE-2019-3824.patch -Patch6043: 0004-CVE-2019-3824.patch -Patch6044: 0005-CVE-2019-3824.patch -Patch6045: 0006-CVE-2019-3824.patch -Patch6046: 0007-CVE-2019-3824.patch -Patch6047: CVE-2019-14861.patch -Patch6048: CVE-2019-14870.patch -Patch6049: CVE-2018-16860.patch - -BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gpgme-devel -BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel -BuildRequires: libattr-devel libcap-devel libcmocka-devel libnsl2-devel libtirpc-devel libuuid-devel -BuildRequires: libxslt ncurses-devel openldap-devel pam-devel perl-generators perl(Test::More) -BuildRequires: perl(ExtUtils::MakeMaker) perl(Parse::Yapp) popt-devel python2-devel python3-devel -%if %{with_dc} -BuildRequires: python2-dns python2-iso8601 python3-iso8601 -%endif -BuildRequires: quota-devel readline-devel rpcgen rpcsvc-proto-devel sed xfsprogs-devel xz zlib-devel >= 1.2.3 -BuildRequires: pkgconfig(libsystemd) + +Source201: README.downgrade + +Patch100: 0000-use-gnutls-for-des-cbc.patch +Patch101: 0001-handle-removal-des-enctypes-from-krb5.patch +Patch102: 0002-samba-tool-create-working-private-krb5.conf.patch + +BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel +BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel +BuildRequires: libcap-devel libcmocka-devel libnsl2-devel libtirpc-devel libuuid-devel libxslt lmdb ncurses-devel openldap-devel +BuildRequires: pam-devel perl-interpreter perl-generators perl(Archive::Tar) perl(Test::More) popt-devel python3-devel quota-devel +BuildRequires: readline-devel rpcgen rpcsvc-proto-devel sed libtasn1-devel libtasn1-tools xfsprogs-devel xz zlib-devel >= 1.2.3 + + +BuildRequires: pkgconfig(libsystemd) + %if %{with_vfs_glusterfs} -BuildRequires: glusterfs-api-devel >= 3.4.0.16 glusterfs-devel >= 3.4.0.16 +BuildRequires: glusterfs-api-devel >= 3.4.0.16 glusterfs-devel >= 3.4.0.16 %endif + %if %{with_vfs_cephfs} -BuildRequires: libcephfs-devel +BuildRequires: libcephfs-devel %endif + %if %{with_dc} -BuildRequires: bind gnutls-devel >= 3.4.7 krb5-server >= %{required_mit_krb5} python2-crypto python3-crypto -%endif -BuildRequires: perl(Parse::Yapp) libtalloc-devel >= %{talloc_version} python2-talloc-devel >= %{talloc_version} -BuildRequires: python3-talloc-devel >= %{talloc_version} libtevent-devel >= %{tevent_version} -BuildRequires: python2-tevent >= %{tevent_version} python3-tevent >= %{tevent_version} -BuildRequires: libtdb-devel >= %{tdb_version} python2-tdb >= %{tdb_version} python3-tdb >= %{tdb_version} -BuildRequires: libldb-devel >= %{ldb_version} python2-ldb-devel >= %{ldb_version} -BuildRequires: python3-ldb-devel >= %{ldb_version} -%if %{with testsuite} -BuildRequires: ldb-tools tdb-tools python2-pygpgme python2-markdown python3-pygpgme python3-markdown +BuildRequires: python3-iso8601 bind krb5-server >= %{required_mit_krb5} +%endif + +BuildRequires: perl(ExtUtils::MakeMaker) perl(Parse::Yapp) libtalloc-devel >= %{talloc_version} python3-talloc-devel >= %{talloc_version} +BuildRequires: libtevent-devel >= %{tevent_version} python3-tevent >= %{tevent_version} + +BuildRequires: libtdb-devel >= %{tdb_version} python3-tdb >= %{tdb_version} +BuildRequires: libldb-devel >= %{ldb_version} python3-ldb-devel >= %{ldb_version} + +%if %{with testsuite} || %{with_dc} +BuildRequires: ldb-tools tdb-tools python3-gpg python3-markdown %endif + %if %{with_dc} -BuildRequires: krb5-server >= %{required_mit_krb5} bind +BuildRequires: krb5-server >= %{required_mit_krb5} bind %endif Requires: systemd shadow-utils pam %{name}-common = %{samba_depver} @@ -167,35 +125,45 @@ Samba is a suite of programs for Linux and Unix to interoperate with Windows. %package client Summary: Client package for %{name} -Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} Requires: chkconfig krb5-libs >= %{required_mit_krb5} -%if %with_libwbclient -Requires: libwbclient = %{samba_depver} -%endif %if %with_libsmbclient -Requires: libsmbclient = %{samba_depver} +Requires: libsmbclient = %{samba_depver} +%endif +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} %endif -Provides: samba4-client = %{samba_depver} %{name}-client-libs -Obsoletes: samba4-client < %{samba_depver} %{name}-client-libs + +Provides: samba4-client = %{samba_depver} %{name}-client-libs +Obsoletes: samba4-client < %{samba_depver} %{name}-client-libs %description client -This package includes some files about SMB/CIFS clients to complement -the SMB/CIFS filesystem. +This package includes some files about SMB/CIFS clients to complement the SMB/CIFS clients. %package common Summary: Common package for %{name} client and server -Requires: systemd -Requires: %{name}-client = %{samba_depver} +Requires: systemd +Recommends: logrotate + +%if ! %{with_dc} +Obsoletes: samba-dc < %{samba_depver} +Obsoletes: samba-dc-libs < %{samba_depver} +Obsoletes: samba-dc-bind-dlz < %{samba_depver} +%endif + +Requires: %{name}-client = %{samba_depver} %if %with_libwbclient -Requires: libwbclient = %{samba_depver} +Requires: libwbclient = %{samba_depver} %endif Provides: samba4-common = %{samba_depver} %{name}-common-libs Obsoletes: samba4-common < %{samba_depver} %{name}-common-libs + %description common This package contains some common basic files needed by %{name} client and server. + %package common-tools Summary: Tools package for %{name} Requires: %{name}-common = %{samba_depver} %{name}-client = %{samba_depver} %{name} = %{samba_depver} @@ -206,17 +174,16 @@ Requires: libwbclient = %{samba_depver} %description common-tools This package contains some tools for %{name} server and client. + %package dc Summary: Domain Controller package for %{name} -Requires: %{name} = %{samba_depver} %{name}-winbind = %{samba_depver} +Requires: %{name} = %{samba_depver} %{name}-winbind = %{samba_depver} Requires: %{name}-common = %{samba_depver} tdb-tools -%if %{with_dc} -Requires: python2 python2-%{name} = %{samba_depver} python2-%{name}-dc = %{samba_depver} -Requires: python2-crypto krb5-server >= %{required_mit_krb5} -# needs libldb and samba version are the same. Otherwise samba-tools -# will not work +Requires: lmdb ldb-tools + %requires_eq libldb -%endif + + Provides: samba4-dc = %{samba_depver} %{name}-dc-libs samba4-dc-libs = %{samba_depver} Obsoletes: samba4-dc < %{samba_depver} %{name}-dc-libs samba4-dc-libs < %{samba_depver} @@ -224,21 +191,28 @@ Obsoletes: samba4-dc < %{samba_depver} %{name}-dc-libs samba4-dc-libs < %{s The samba-dc package provides AD Domain Controller functionality, including some libraries. -%if %{with_dc} + +%package dc-provision +Summary: Samba AD files to provision a DC + +%description dc-provision +The samba-dc-provision package provides files to setup a domain controller + + %package dc-bind-dlz -Summary: Bind DLZ module for Samba AD -Requires: %{name}-common = %{samba_depver} %{name}-dc = %{samba_depver} bind +Summary: Bind DLZ module for Samba AD +Requires: %{name}-common = %{samba_depver} %{name}-dc = %{samba_depver} bind %description dc-bind-dlz This package contains the library files to manage name server related details of Samba AD. -%endif %package devel -Summary: Development package for %{name} -Requires: %{name} = %{samba_depver} %{name}-client = %{samba_depver} -Provides: samba4-devel = %{samba_depver} -Obsoletes: samba4-devel < %{samba_depver} +Summary: Developer tools for Samba libraries +Requires: %{name}-libs = %{samba_depver} %{name}-client-libs = %{samba_depver} + +Provides: samba4-devel = %{samba_depver} +Obsoletes: samba4-devel < %{samba_depver} %description devel This package contains some header files and library files for %{name}. @@ -248,44 +222,58 @@ This package contains some header files and library files for %{name}. Summary: The VFS module for Ceph distributed storage system Requires: %{name} = %{samba_depver} + %description vfs-cephfs This is the samba VFS module for Ceph distributed storage system integration. +#endif with_vfs_cephfs %endif +### GLUSTER %if %{with_vfs_glusterfs} %package vfs-glusterfs -Summary: The VFS module for GlusterFS +Summary: Samba VFS module for GlusterFS Requires: glusterfs-api >= 3.4.0.16 glusterfs >= 3.4.0.16 Requires: %{name} = %{samba_depver} %{name}-client = %{samba_depver} -Obsoletes: samba-glusterfs < %{samba_depver} -Provides: samba-glusterfs = %{samba_depver} + +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + +Obsoletes: samba-glusterfs < %{samba_depver} +Provides: samba-glusterfs = %{samba_depver} %description vfs-glusterfs -This is the samba VFS module for GlusterFS integration. +Samba VFS module for GlusterFS integration. %endif %package krb5-printing Summary: The samba CUPS backend package for printing with Kerberos -Requires: %{name}-client chkconfig +Requires: %{name}-client = %{samba_depver} %description krb5-printing This package will allow cups to access the Kerberos credentials cache of the user issuing the print job. + %if %with_libsmbclient %package -n libsmbclient -Summary: The SMB client library package for %{name} -Requires: %{name}-common = %{samba_depver} %{name}-client = %{samba_depver} +Summary: The SMB client library +Requires: %{name}-common = %{samba_depver} %{name}-client = %{samba_depver} + +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif %description -n libsmbclient This pacakge contains the SMB client library from the Samba suite. %package -n libsmbclient-devel Summary: Development package for the SMB client library -Requires: libsmbclient = %{samba_depver} +Requires: libsmbclient = %{samba_depver} %description -n libsmbclient-devel -This package contains some head files and libraries for libsmbclient package. +This package provides developer tools for the wbclient library. +#endif with_libsmbclient %endif %if %with_libwbclient @@ -304,48 +292,31 @@ Obsoletes: samba-winbind-devel < %{samba_depver} %description -n libwbclient-devel This package provides developer tools for the wbclient library. +#endif with_libwbclient %endif -%if %{with_dc} -%package -n python2-%{name} -Summary: Python libraries for %{name} -Requires: %{name} = %{samba_depver} %{name}-client = %{samba_depver} %{name}-common = %{samba_depver} -Requires: python2-tevent python2-tdb python2-ldb python2-talloc python2-dns -Provides: samba-python = %{samba_depver} samba4-python = %{samba_depver} -Obsoletes: samba-python < %{samba_depver} samba4-python < %{samba_depver} - -%description -n python2-%{name} -This package contains the Python libraries needed by programs to use SMB, RPC - and other Samba provided protocols in Python programs. - -%package -n python2-samba-test -Summary: Samba Python libraries -Requires: python2-%{name} = %{samba_depver} - -%description -n python2-samba-test -This package contains some python libraries for test package of %{name}. - -%package -n python2-samba-dc -Summary: Python libraries for Samba AD -Requires: python2-%{name} = %{samba_depver} - -%description -n python2-samba-dc -This package contains the Python libraries needed by programs -to manage Samba AD. -%endif - +### PYTHON3 %package -n python3-%{name} Summary: Python3 library package for %{name} Requires: %{name} = %{samba_depver} %{name}-client = %{samba_depver} %{name}-common = %{samba_depver} Requires: python3-talloc python3-tevent python3-tdb python3-ldb python3-dns +%if %with_libsmbclient +Requires: libsmbclient = %{samba_depver} +%endif +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif + %description -n python3-%{name} This package contains the Python 3 libraries needed by programs that use SMB, RPC and other Samba provided protocols in Python 3 programs. %package -n python3-samba-test Summary: Test package for python3 binding for %{name} -Requires: python3-%{name} = %{samba_depver} + +Requires: %{name}-client = %{samba_depver} +Requires: %{name} = %{samba_depver} %description -n python3-samba-test This package contains the Python libraries used by the test suite of Samba. @@ -363,7 +334,8 @@ to manage Samba AD. %package pidl Summary: Perl IDL compiler package for %{name} -Requires: perl(Parse::Yapp) perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: perl(Parse::Yapp) perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Requires: perl-interpreter BuildArch: noarch Provides: samba4-pidl = %{samba_depver} Obsoletes: samba4-pidl < %{samba_depver} @@ -385,6 +357,10 @@ Requires: libsmbclient = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} %endif + +Requires: python3-%{name} = %{samba_depver} +Requires: perl(Archive::Tar) + Provides: samba4-test = %{samba_depver} %{name}-test-libs %{name}-test-devel = %{samba_depver} Obsoletes: samba4-test < %{samba_depver} %{name}-test-libs %{name}-test-devel < %{samba_depver} @@ -392,13 +368,18 @@ Obsoletes: samba4-test < %{samba_depver} %{name}-test-libs %{name}-test-dev %{name}-test provides testing tools for both the server and client packages of Samba. + %package winbind Summary: The winbind package for %{name} Requires: %{name}-common = %{samba_depver} %{name}-common-tools = %{samba_depver} Requires: %{name}-client = %{samba_depver} %{name}-winbind-modules = %{samba_depver} +Requires: libwbclient = %{samba_depver} Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} +# Old NetworkManager expects the dispatcher scripts in a different place +Conflicts: NetworkManager < 1.20 + %description winbind This package provides the winbind NSS library, and some client tools. Winbind enables Linux to be a full member in Windows domains and to use @@ -424,6 +405,8 @@ Requires: libwbclient = %{samba_depver} %{name}-winbind = %{samba_depver} %else Requires: %{name} = %{samba_depver} %endif +Requires: samba-client = %{samba_depver} + Provides: samba4-winbind-krb5-locator = %{samba_depver} Obsoletes: samba4-winbind-krb5-locator < %{samba_depver} @@ -445,8 +428,8 @@ necessary to communicate to the Winbind Daemon %if %with_clustering_support %package -n ctdb Summary: A Clustered Database package based on Samba's Trivial Database (TDB) -Requires: %{name}-client = %{samba_depver} coreutils psmisc sed tdb-tools gawk -Requires: procps-ng net-tools ethtool iproute iptables util-linux systemd-units +Requires: %{name}-common = %{samba_depver} %{name}-client = %{samba_depver} coreutils psmisc +Requires: sed tdb-tools gawk procps-ng net-tools ethtool iproute iptables util-linux systemd-units %description -n ctdb This package is a cluster implementation of the TDB database used by Samba and other @@ -454,12 +437,16 @@ projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead. +### CTDB-TEST %package -n ctdb-tests Summary: The test package fors CTDB clustered database -Requires: %{name}-client = %{samba_depver} ctdb = %{samba_depver} -Recommends: nc -Provides: ctdb-devel = %{samba_depver} -Obsoletes: ctdb-devel < %{samba_depver} +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-client = %{samba_depver} +Requires: ctdb = %{samba_depver} +Recommends: nc + +Provides: ctdb-devel = %{samba_depver} +Obsoletes: ctdb-devel < %{samba_depver} %description -n ctdb-tests This package contains the test suite for CTDB clustered database. @@ -471,8 +458,9 @@ Summary: Help package for %{name} %description help This package contains some man help files for %{name}. + %prep -zcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - +xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n %{name}-%{version} -p1 %build @@ -512,10 +500,6 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" -pathfix.py -n -p -i %{__python2} buildtools/bin/waf -export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 - -export PYTHON=%{__python2} %configure \ --enable-fhs \ @@ -536,10 +520,8 @@ export PYTHON=%{__python2} %if (! %with_libsmbclient) || (! %with_libwbclient) --private-libraries=%{_samba_private_libraries} \ %endif -%if %with_mitkrb5 --with-system-mitkrb5 \ --with-experimental-mit-ad-dc \ -%endif %if ! %with_dc --without-ad-dc \ %endif @@ -564,50 +546,41 @@ export PYTHON=%{__python2} --systemd-smb-extra=%{_systemd_extra} \ --systemd-nmb-extra=%{_systemd_extra} \ --systemd-winbind-extra=%{_systemd_extra} \ - --systemd-samba-extra=%{_systemd_extra} \ - --extra-python=%{__python3} + --systemd-samba-extra=%{_systemd_extra} %make_build +pushd pidl +%__perl Makefile.PL PREFIX=%{_prefix} + +%make_build +popd + %install rm -rf %{buildroot} -export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 -export PYTHON=%{__python2} - %make_install -for i in %{buildroot}%{_bindir} %{buildroot}%{_sbindir} ; do - find $i \ - ! -name '*.pyc' -a \ - ! -name '*.pyo' -a \ - -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ - -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; -done - -filenames=$(echo " - tests/dcerpc/integer.py - tests/dcerpc/unix.py -") -for file in $filenames; do - filename="%{buildroot}/%{python3_sitearch}/samba/$file" - if python3 -c "with open('$filename') as f: compile(f.read(), '$file', 'exec')"; then - echo "python3 compilation of $file succeeded unexpectedly" - exit 1 - else - echo "python3 compilation of $file failed, removing" - rm "$filename" - fi -done - -install -dm755 %{buildroot}/usr/{sbin,bin} -install -dm755 %{buildroot}%{_libdir}/{security,pkgconfig} -install -dm755 %{buildroot}/%{_libdir}/samba/{ldb,wbclient} -install -dm755 %{buildroot}/var/lib/samba/{drivers,lock,private,scripts,sysvol,winbindd_privileged} -install -dm755 %{buildroot}/var/log/samba/old -install -dm755 %{buildroot}/var/spool/samba -install -dm755 %{buildroot}/var/run/{samba,winbindd} - +install -d -m 0755 %{buildroot}/usr/{sbin,bin} +install -d -m 0755 %{buildroot}%{_libdir}/security +install -d -m 0755 %{buildroot}/var/lib/samba +install -d -m 0755 %{buildroot}/var/lib/samba/drivers +install -d -m 0755 %{buildroot}/var/lib/samba/lock +install -d -m 0755 %{buildroot}/var/lib/samba/private +install -d -m 0755 %{buildroot}/var/lib/samba/scripts +install -d -m 0755 %{buildroot}/var/lib/samba/sysvol +install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged +install -d -m 0755 %{buildroot}/var/log/samba/old +install -d -m 0755 %{buildroot}/var/spool/samba +install -d -m 0755 %{buildroot}/run/samba +install -d -m 0755 %{buildroot}/run/winbindd +install -d -m 0755 %{buildroot}/%{_libdir}/samba +install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb +install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig + +# Move libwbclient.so* into private directory, it cannot be just libdir/samba +# because samba uses rpath with this directory. +install -d -m 0755 %{buildroot}/%{_libdir}/samba/wbclient mv %{buildroot}/%{_libdir}/libwbclient.so* %{buildroot}/%{_libdir}/samba/wbclient if [ ! -f %{buildroot}/%{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} ] then @@ -615,176 +588,160 @@ then exit -1 fi -pushd %{buildroot} -touch .%{_libexecdir}/samba/cups_backend_smb -install -dm755 .%{_sysconfdir}/logrotate.d -install -m644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/samba +touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb -install -m644 %{SOURCE4} .%{_sysconfdir}/samba/smb.conf -install -m644 %{SOURCE5} .%{_sysconfdir}/samba/smb.conf.example +# Install other stuff +install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/samba -install -dm755 .%{_sysconfdir}/security -install -m644 %{SOURCE6} .%{_sysconfdir}/security/pam_winbind.conf +install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf +install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/samba/smb.conf.example -install -dm755 .%{_sysconfdir}/pam.d -install -m644 %{SOURCE7} .%{_sysconfdir}/pam.d/samba +install -d -m 0755 %{buildroot}%{_sysconfdir}/security +install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf -echo 127.0.0.1 localhost > .%{_sysconfdir}/samba/lmhosts +install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d +install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/samba -install -dm755 .%{_sysconfdir}/openldap/schema -install -m644 %{_builddir}/%{name}-%{version}/examples/LDAP/samba.schema \ - %{buildroot}%{_sysconfdir}/openldap/schema/samba.schema +echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts -install -m744 %{_builddir}/%{name}-%{version}/packaging/printing/smbprint \ - %{buildroot}%{_bindir}/smbprint +# openLDAP database schema +install -d -m 0755 %{buildroot}%{_sysconfdir}/openldap/schema +install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/schema/samba.schema -install -dm755 %{buildroot}%{_tmpfilesdir} -install -m644 %{_builddir}/%{name}-%{version}/packaging/systemd/samba.conf.tmp \ - %{buildroot}%{_tmpfilesdir}/samba.conf -popd +install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint -echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf +install -d -m 0755 %{buildroot}%{_tmpfilesdir} +# Create /run/samba. +echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf %if %with_clustering_support -echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf +echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif -install -dm755 %{buildroot}%{_sysconfdir}/sysconfig -install -m644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba +install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig +install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %with_clustering_support cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb </dev/null || groupadd -r printadmin || : %post common -/sbin/ldconfig +%{?ldconfig} %tmpfiles_create %{_tmpfilesdir}/samba.conf if [ -d /var/cache/samba ]; then mv /var/cache/samba/netsamlogon_cache.tdb /var/lib/samba/ 2>/dev/null @@ -825,50 +781,54 @@ if [ $1 -eq 0 ] ; then %{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool fi -%if %with_dc +%if %{with_dc} + %post dc /sbin/ldconfig %systemd_post samba.service %preun dc +/sbin/ldconfig %systemd_preun samba.service %postun dc -/sbin/ldconfig %systemd_postun_with_restart samba.service +#endif with_dc %endif %post krb5-printing %{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \ - cups_backend_smb \ - %{_libexecdir}/samba/smbspool_krb5_wrapper 50 + cups_backend_smb \ + %{_libexecdir}/samba/smbspool_krb5_wrapper 50 %postun krb5-printing if [ $1 -eq 0 ] ; then - %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper + %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper fi %if %with_libsmbclient -%post -n libsmbclient -p /sbin/ldconfig - -%postun -n libsmbclient -p /sbin/ldconfig +%ldconfig_scriptlets -n libsmbclient %endif %if %with_libwbclient %posttrans -n libwbclient +# It has to be posttrans here to make sure all files of a previous version +# without alternatives support are removed %{_sbindir}/update-alternatives \ --install \ %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \ libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} \ 10 -/sbin/ldconfig +%{?ldconfig} %preun -n libwbclient -%{_sbindir}/update-alternatives \ - --remove \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +fi /sbin/ldconfig %posttrans -n libwbclient-devel @@ -879,17 +839,28 @@ fi 10 %preun -n libwbclient-devel -if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then - /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null -else - %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so +# alternatives checks if the file which should be removed is a link or not, but +# not if it points to the /etc/alternatives directory or to some other place. +# When downgrading to a version where alternatives is not used and +# libwbclient.so is a link and not a file it will be removed. The following +# check removes the alternatives files manually if that is the case. +if [ $1 -eq 0 ]; then + if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then + /bin/rm -f \ + /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \ + /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null + else + %{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so + fi fi +#endif with_libwbclient %endif -%post test -p /sbin/ldconfig - -%postun test -p /sbin/ldconfig +%ldconfig_scriptlets test %pre winbind /usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : @@ -901,8 +872,7 @@ fi %systemd_preun winbind.service %postun winbind -%systemd_postun_with_restart smb.service -%systemd_postun_with_restart nmb.service +%systemd_postun_with_restart winbind.service %postun winbind-krb5-locator if [ "$1" -ge "1" ]; then @@ -920,9 +890,7 @@ if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so fi -%post winbind-modules -p /sbin/ldconfig - -%postun winbind-modules -p /sbin/ldconfig +%ldconfig_scriptlets winbind-modules %if %with_clustering_support %post -n ctdb @@ -936,74 +904,81 @@ fi %systemd_postun_with_restart ctdb.service %endif + +### SAMBA %files %license COPYING -%doc README WHATSNEW.txt +%doc README.md WHATSNEW.txt %doc examples/autofs examples/LDAP examples/misc %doc examples/printer-accounting examples/printing %doc packaging/README.downgrade %{_libdir}/libdcerpc-samr.so.* -%{_libdir}/%{name}/libMESSAGING-samba4.so -%{_libdir}/%{name}/libMESSAGING-SEND-samba4.so -%{_libdir}/%{name}/libLIBWBCLIENT-OLD-samba4.so -%{_libdir}/%{name}/libauth4-samba4.so -%{_libdir}/%{name}/libauth-unix-token-samba4.so -%{_libdir}/%{name}/libcluster-samba4.so -%{_libdir}/%{name}/libdcerpc-samba4.so -%{_libdir}/%{name}/libnon-posix-acls-samba4.so -%{_libdir}/%{name}/libshares-samba4.so -%{_libdir}/%{name}/libsmbpasswdparser-samba4.so -%{_libdir}/%{name}/libxattr-tdb-samba4.so + +%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so +%{_libdir}/samba/libauth4-samba4.so +%{_libdir}/samba/libauth-unix-token-samba4.so +%{_libdir}/samba/libdcerpc-samba4.so +%{_libdir}/samba/libshares-samba4.so +%{_libdir}/samba/libsmbpasswdparser-samba4.so +%{_libdir}/samba/libxattr-tdb-samba4.so + + %{_bindir}/smbstatus -%{_sbindir}/smbd -%{_sbindir}/nmbd %{_sbindir}/eventlogadm +%{_sbindir}/nmbd +%{_sbindir}/smbd %if %{with_dc} -%{_libdir}/samba/vfs/dfs_samba4.so +# This is only used by vfs_dfs_samba4 %{_libdir}/samba/libdfs-server-ad-samba4.so %endif -%dir %{_libdir}/%{name}/auth -%dir %{_libdir}/%{name}/vfs -%{_libdir}/%{name}/auth/script.so -%{_libdir}/%{name}/auth/unix.so -%{_libdir}/%{name}/vfs/acl_tdb.so -%{_libdir}/%{name}/vfs/acl_xattr.so -%{_libdir}/%{name}/vfs/aio_fork.so -%{_libdir}/%{name}/vfs/aio_pthread.so -%{_libdir}/%{name}/vfs/audit.so -%{_libdir}/%{name}/vfs/btrfs.so -%{_libdir}/%{name}/vfs/cap.so -%{_libdir}/%{name}/vfs/catia.so -%{_libdir}/%{name}/vfs/commit.so -%{_libdir}/%{name}/vfs/crossrename.so -%{_libdir}/%{name}/vfs/default_quota.so -%{_libdir}/%{name}/vfs/dirsort.so -%{_libdir}/%{name}/vfs/expand_msdfs.so -%{_libdir}/%{name}/vfs/extd_audit.so -%{_libdir}/%{name}/vfs/fake_perms.so -%{_libdir}/%{name}/vfs/fileid.so -%{_libdir}/%{name}/vfs/fruit.so -%{_libdir}/%{name}/vfs/full_audit.so -%{_libdir}/%{name}/vfs/linux_xfs_sgid.so -%{_libdir}/%{name}/vfs/media_harmony.so -%{_libdir}/%{name}/vfs/netatalk.so -%{_libdir}/%{name}/vfs/offline.so -%{_libdir}/%{name}/vfs/preopen.so -%{_libdir}/%{name}/vfs/readahead.so -%{_libdir}/%{name}/vfs/readonly.so -%{_libdir}/%{name}/vfs/recycle.so -%{_libdir}/%{name}/vfs/shadow_copy.so -%{_libdir}/%{name}/vfs/shadow_copy2.so -%{_libdir}/%{name}/vfs/shell_snap.so -%{_libdir}/%{name}/vfs/snapper.so -%{_libdir}/%{name}/vfs/streams_depot.so -%{_libdir}/%{name}/vfs/streams_xattr.so -%{_libdir}/%{name}/vfs/syncops.so -%{_libdir}/%{name}/vfs/time_audit.so -%{_libdir}/%{name}/vfs/unityed_media.so -%{_libdir}/%{name}/vfs/virusfilter.so -%{_libdir}/%{name}/vfs/worm.so -%{_libdir}/%{name}/vfs/xattr_tdb.so +%dir %{_libdir}/samba/auth +%{_libdir}/samba/auth/script.so +%{_libdir}/samba/auth/unix.so +%dir %{_libdir}/samba/vfs +%{_libdir}/samba/vfs/acl_tdb.so +%{_libdir}/samba/vfs/acl_xattr.so +%{_libdir}/samba/vfs/aio_fork.so +%{_libdir}/samba/vfs/aio_pthread.so +%{_libdir}/samba/vfs/audit.so +%{_libdir}/samba/vfs/btrfs.so +%{_libdir}/samba/vfs/cap.so +%{_libdir}/samba/vfs/catia.so +%{_libdir}/samba/vfs/commit.so +%{_libdir}/samba/vfs/crossrename.so +%{_libdir}/samba/vfs/default_quota.so +%if %{with_dc} +%{_libdir}/samba/vfs/dfs_samba4.so +%endif +%{_libdir}/samba/vfs/dirsort.so +%{_libdir}/samba/vfs/expand_msdfs.so +%{_libdir}/samba/vfs/extd_audit.so +%{_libdir}/samba/vfs/fake_perms.so +%{_libdir}/samba/vfs/fileid.so +%{_libdir}/samba/vfs/fruit.so +%{_libdir}/samba/vfs/full_audit.so +%{_libdir}/samba/vfs/gpfs.so +%{_libdir}/samba/vfs/glusterfs_fuse.so +%{_libdir}/samba/vfs/linux_xfs_sgid.so +%{_libdir}/samba/vfs/media_harmony.so +%{_libdir}/samba/vfs/netatalk.so +%{_libdir}/samba/vfs/offline.so +%{_libdir}/samba/vfs/preopen.so +%{_libdir}/samba/vfs/readahead.so +%{_libdir}/samba/vfs/readonly.so +%{_libdir}/samba/vfs/recycle.so +%{_libdir}/samba/vfs/shadow_copy.so +%{_libdir}/samba/vfs/shadow_copy2.so +%{_libdir}/samba/vfs/shell_snap.so +%{_libdir}/samba/vfs/snapper.so +%{_libdir}/samba/vfs/streams_depot.so +%{_libdir}/samba/vfs/streams_xattr.so +%{_libdir}/samba/vfs/syncops.so +%{_libdir}/samba/vfs/time_audit.so +%{_libdir}/samba/vfs/unityed_media.so +%{_libdir}/samba/vfs/virusfilter.so +%{_libdir}/samba/vfs/worm.so +%{_libdir}/samba/vfs/xattr_tdb.so + %{_unitdir}/nmb.service %{_unitdir}/smb.service %attr(1777,root,root) %dir /var/spool/samba @@ -1017,11 +992,38 @@ fi %if ! %{with_vfs_cephfs} %exclude %{_mandir}/man8/vfs_ceph.8* +%exclude %{_mandir}/man8/vfs_ceph_snapshots.8* %endif %attr(775,root,printadmin) %dir /var/lib/samba/drivers %files client +%doc source3/client/README.smbspool +%{_bindir}/cifsdd +%{_bindir}/dbwrap_tool +%{_bindir}/dumpmscat +%{_bindir}/findsmb +%{_bindir}/mvxattr +%{_bindir}/nmblookup +%{_bindir}/oLschema2ldif +%{_bindir}/regdiff +%{_bindir}/regpatch +%{_bindir}/regshell +%{_bindir}/regtree +%{_bindir}/rpcclient +%{_bindir}/samba-regedit +%{_bindir}/sharesec +%{_bindir}/smbcacls +%{_bindir}/smbclient +%{_bindir}/smbcquotas +%{_bindir}/smbget +%{_bindir}/smbprint +%{_bindir}/smbspool +%{_bindir}/smbtar +%{_bindir}/smbtree +%dir %{_libexecdir}/samba +%ghost %{_libexecdir}/samba/cups_backend_smb + %{_libdir}/libdcerpc-binding.so.* %{_libdir}/libndr.so.* %{_libdir}/libndr-krb5pac.so.* @@ -1039,107 +1041,98 @@ fi %{_libdir}/libtevent-util.so.* %{_libdir}/libdcerpc.so.* -%{_bindir}/cifsdd -%{_bindir}/dbwrap_tool -%{_bindir}/findsmb -%{_bindir}/mvxattr -%{_bindir}/nmblookup -%{_bindir}/oLschema2ldif -%{_bindir}/reg* -%{_bindir}/rpcclient -%{_bindir}/samba-regedit -%{_bindir}/sharesec -%{_bindir}/smb* -%exclude %{_bindir}/smbcontrol -%exclude %{_bindir}/smbpasswd -%exclude %{_bindir}/smbstatus -%exclude %{_bindir}/smbtorture - -%dir %{_libexecdir}/samba -%ghost %{_libexecdir}/samba/cups_backend_smb - %dir %{_libdir}/samba -%{_libdir}/%{name}/libCHARSET3-samba4.so -%{_libdir}/%{name}/libaddns-samba4.so -%{_libdir}/%{name}/libads-samba4.so -%{_libdir}/%{name}/libasn1util-samba4.so -%{_libdir}/%{name}/libauth-samba4.so -%{_libdir}/%{name}/libauthkrb5-samba4.so -%{_libdir}/%{name}/libcli-cldap-samba4.so -%{_libdir}/%{name}/libcli-ldap-common-samba4.so -%{_libdir}/%{name}/libcli-ldap-samba4.so -%{_libdir}/%{name}/libcli-nbt-samba4.so -%{_libdir}/%{name}/libcli-smb-common-samba4.so -%{_libdir}/%{name}/libcli-spoolss-samba4.so -%{_libdir}/%{name}/libcliauth-samba4.so -%{_libdir}/%{name}/libcmdline-credentials-samba4.so -%{_libdir}/%{name}/libcommon-auth-samba4.so -%{_libdir}/%{name}/libctdb-event-client-samba4.so -%{_libdir}/%{name}/libdbwrap-samba4.so -%{_libdir}/%{name}/libdcerpc-samba-samba4.so -%{_libdir}/%{name}/libevents-samba4.so -%{_libdir}/%{name}/libflag-mapping-samba4.so -%{_libdir}/%{name}/libgenrand-samba4.so -%{_libdir}/%{name}/libgensec-samba4.so -%{_libdir}/%{name}/libgpext-samba4.so -%{_libdir}/%{name}/libgse-samba4.so -%{_libdir}/%{name}/libhttp-samba4.so -%{_libdir}/%{name}/libinterfaces-samba4.so -%{_libdir}/%{name}/libiov-buf-samba4.so -%{_libdir}/%{name}/libkrb5samba-samba4.so -%{_libdir}/%{name}/libldbsamba-samba4.so -%{_libdir}/%{name}/liblibcli-lsa3-samba4.so -%{_libdir}/%{name}/liblibcli-netlogon3-samba4.so -%{_libdir}/%{name}/liblibsmb-samba4.so -%{_libdir}/%{name}/libmessages-dgm-samba4.so -%{_libdir}/%{name}/libmessages-util-samba4.so -%{_libdir}/%{name}/libmsghdr-samba4.so -%{_libdir}/%{name}/libmsrpc3-samba4.so -%{_libdir}/%{name}/libndr-samba-samba4.so -%{_libdir}/%{name}/libndr-samba4.so -%{_libdir}/%{name}/libnet-keytab-samba4.so -%{_libdir}/%{name}/libnetif-samba4.so -%{_libdir}/%{name}/libnpa-tstream-samba4.so -%{_libdir}/%{name}/libposix-eadb-samba4.so -%{_libdir}/%{name}/libprinting-migrate-samba4.so -%{_libdir}/%{name}/libreplace-samba4.so -%{_libdir}/%{name}/libregistry-samba4.so -%{_libdir}/%{name}/libsamba-cluster-support-samba4.so -%{_libdir}/%{name}/libsamba-debug-samba4.so -%{_libdir}/%{name}/libsamba-modules-samba4.so -%{_libdir}/%{name}/libsamba-security-samba4.so -%{_libdir}/%{name}/libsamba-sockets-samba4.so -%{_libdir}/%{name}/libsamba3-util-samba4.so -%{_libdir}/%{name}/libsamdb-common-samba4.so -%{_libdir}/%{name}/libsecrets3-samba4.so -%{_libdir}/%{name}/libserver-id-db-samba4.so -%{_libdir}/%{name}/libserver-role-samba4.so -%{_libdir}/%{name}/libsmb-transport-samba4.so -%{_libdir}/%{name}/libsmbclient-raw-samba4.so -%{_libdir}/%{name}/libsmbd-base-samba4.so -%{_libdir}/%{name}/libsmbd-conn-samba4.so -%{_libdir}/%{name}/libsmbd-shim-samba4.so -%{_libdir}/%{name}/libsmbldaphelper-samba4.so -%{_libdir}/%{name}/libsys-rw-samba4.so -%{_libdir}/%{name}/libsocket-blocking-samba4.so -%{_libdir}/%{name}/libtalloc-report-samba4.so -%{_libdir}/%{name}/libtdb-wrap-samba4.so -%{_libdir}/%{name}/libtime-basic-samba4.so -%{_libdir}/%{name}/libtorture-samba4.so -%{_libdir}/%{name}/libtrusts-util-samba4.so -%{_libdir}/%{name}/libutil-cmdline-samba4.so -%{_libdir}/%{name}/libutil-reg-samba4.so -%{_libdir}/%{name}/libutil-setid-samba4.so -%{_libdir}/%{name}/libutil-tdb-samba4.so +%{_libdir}/samba/libCHARSET3-samba4.so +%{_libdir}/samba/libMESSAGING-SEND-samba4.so +%{_libdir}/samba/libMESSAGING-samba4.so +%{_libdir}/samba/libaddns-samba4.so +%{_libdir}/samba/libads-samba4.so +%{_libdir}/samba/libasn1util-samba4.so +%{_libdir}/samba/libauth-samba4.so +%{_libdir}/samba/libauthkrb5-samba4.so +%{_libdir}/samba/libcli-cldap-samba4.so +%{_libdir}/samba/libcli-ldap-common-samba4.so +%{_libdir}/samba/libcli-ldap-samba4.so +%{_libdir}/samba/libcli-nbt-samba4.so +%{_libdir}/samba/libcli-smb-common-samba4.so +%{_libdir}/samba/libcli-spoolss-samba4.so +%{_libdir}/samba/libcliauth-samba4.so +%{_libdir}/samba/libclidns-samba4.so +%{_libdir}/samba/libcluster-samba4.so +%{_libdir}/samba/libcmdline-contexts-samba4.so +%{_libdir}/samba/libcmdline-credentials-samba4.so +%{_libdir}/samba/libcommon-auth-samba4.so +%{_libdir}/samba/libctdb-event-client-samba4.so +%{_libdir}/samba/libdbwrap-samba4.so +%{_libdir}/samba/libdcerpc-samba-samba4.so +%{_libdir}/samba/libevents-samba4.so +%{_libdir}/samba/libflag-mapping-samba4.so +%{_libdir}/samba/libgenrand-samba4.so +%{_libdir}/samba/libgensec-samba4.so +%{_libdir}/samba/libgpext-samba4.so +%{_libdir}/samba/libgpo-samba4.so +%{_libdir}/samba/libgse-samba4.so +%{_libdir}/samba/libhttp-samba4.so +%{_libdir}/samba/libinterfaces-samba4.so +%{_libdir}/samba/libiov-buf-samba4.so +%{_libdir}/samba/libkrb5samba-samba4.so +%{_libdir}/samba/libldbsamba-samba4.so +%{_libdir}/samba/liblibcli-lsa3-samba4.so +%{_libdir}/samba/liblibcli-netlogon3-samba4.so +%{_libdir}/samba/liblibsmb-samba4.so +%{_libdir}/samba/libmessages-dgm-samba4.so +%{_libdir}/samba/libmessages-util-samba4.so +%{_libdir}/samba/libmscat-samba4.so +%{_libdir}/samba/libmsghdr-samba4.so +%{_libdir}/samba/libmsrpc3-samba4.so +%{_libdir}/samba/libndr-samba-samba4.so +%{_libdir}/samba/libndr-samba4.so +%{_libdir}/samba/libnet-keytab-samba4.so +%{_libdir}/samba/libnetif-samba4.so +%{_libdir}/samba/libnpa-tstream-samba4.so +%{_libdir}/samba/libposix-eadb-samba4.so +%{_libdir}/samba/libprinter-driver-samba4.so +%{_libdir}/samba/libprinting-migrate-samba4.so +%{_libdir}/samba/libreplace-samba4.so +%{_libdir}/samba/libregistry-samba4.so +%{_libdir}/samba/libsamba-cluster-support-samba4.so +%{_libdir}/samba/libsamba-debug-samba4.so +%{_libdir}/samba/libsamba-modules-samba4.so +%{_libdir}/samba/libsamba-security-samba4.so +%{_libdir}/samba/libsamba-sockets-samba4.so +%{_libdir}/samba/libsamba3-util-samba4.so +%{_libdir}/samba/libsamdb-common-samba4.so +%{_libdir}/samba/libsecrets3-samba4.so +%{_libdir}/samba/libserver-id-db-samba4.so +%{_libdir}/samba/libserver-role-samba4.so +%{_libdir}/samba/libsmb-transport-samba4.so +%{_libdir}/samba/libsmbclient-raw-samba4.so +%{_libdir}/samba/libsmbd-base-samba4.so +%{_libdir}/samba/libsmbd-conn-samba4.so +%{_libdir}/samba/libsmbd-shim-samba4.so +%{_libdir}/samba/libsmbldaphelper-samba4.so +%{_libdir}/samba/libsys-rw-samba4.so +%{_libdir}/samba/libsocket-blocking-samba4.so +%{_libdir}/samba/libtalloc-report-samba4.so +%{_libdir}/samba/libtdb-wrap-samba4.so +%{_libdir}/samba/libtime-basic-samba4.so +%{_libdir}/samba/libtorture-samba4.so +%{_libdir}/samba/libtrusts-util-samba4.so +%{_libdir}/samba/libutil-cmdline-samba4.so +%{_libdir}/samba/libutil-reg-samba4.so +%{_libdir}/samba/libutil-setid-samba4.so +%{_libdir}/samba/libutil-tdb-samba4.so %if ! %with_libwbclient %{_libdir}/samba/libwbclient.so.* %{_libdir}/samba/libwinbind-client-samba4.so +#endif ! with_libwbclient %endif %if ! %with_libsmbclient %{_libdir}/samba/libsmbclient.so.* %{_mandir}/man7/libsmbclient.7* +#endif ! with_libsmbclient %endif %files common @@ -1148,21 +1141,25 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba %attr(0700,root,root) %dir /var/log/samba/old -%ghost %dir /var/run/samba -%ghost %dir /var/run/winbindd +%ghost %dir /run/samba +%ghost %dir /run/winbindd %dir /var/lib/samba %attr(700,root,root) %dir /var/lib/samba/private %dir /var/lib/samba/lock %attr(755,root,root) %dir %{_sysconfdir}/samba %config(noreplace) %{_sysconfdir}/samba/smb.conf -%config(noreplace) %{_sysconfdir}/samba/lmhosts %{_sysconfdir}/samba/smb.conf.example +%config(noreplace) %{_sysconfdir}/samba/lmhosts %config(noreplace) %{_sysconfdir}/sysconfig/samba + +%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so %{_libdir}/samba/libpopt-samba3-samba4.so %if %{with_intel_aes_accel} %{_libdir}/samba/libaesni-intel-samba4.so %endif + %dir %{_libdir}/samba/ldb + %dir %{_libdir}/samba/pdb %{_libdir}/samba/pdb/ldapsam.so %{_libdir}/samba/pdb/smbpasswd.so @@ -1176,8 +1173,85 @@ fi %{_bindir}/smbpasswd %{_bindir}/testparm +%if %{with_dc} %files dc -%if %with_dc +%{_unitdir}/samba.service +%{_bindir}/samba-tool +%{_sbindir}/samba +%{_sbindir}/samba_dnsupdate +%{_sbindir}/samba_downgrade_db +%{_sbindir}/samba-gpupdate +%{_sbindir}/samba_kcc +%{_sbindir}/samba_spnupdate +%{_sbindir}/samba_upgradedns + +%{_libdir}/krb5/plugins/kdb/samba.so + +%{_libdir}/samba/auth/samba4.so +%{_libdir}/samba/libpac-samba4.so +%dir %{_libdir}/samba/gensec +%{_libdir}/samba/gensec/krb5.so +%{_libdir}/samba/ldb/acl.so +%{_libdir}/samba/ldb/aclread.so +%{_libdir}/samba/ldb/anr.so +%{_libdir}/samba/ldb/audit_log.so +%{_libdir}/samba/ldb/count_attrs.so +%{_libdir}/samba/ldb/descriptor.so +%{_libdir}/samba/ldb/dirsync.so +%{_libdir}/samba/ldb/dns_notify.so +%{_libdir}/samba/ldb/dsdb_notification.so +%{_libdir}/samba/ldb/encrypted_secrets.so +%{_libdir}/samba/ldb/extended_dn_in.so +%{_libdir}/samba/ldb/extended_dn_out.so +%{_libdir}/samba/ldb/extended_dn_store.so +%{_libdir}/samba/ldb/group_audit_log.so +%{_libdir}/samba/ldb/ildap.so +%{_libdir}/samba/ldb/instancetype.so +%{_libdir}/samba/ldb/lazy_commit.so +%{_libdir}/samba/ldb/ldbsamba_extensions.so +%{_libdir}/samba/ldb/linked_attributes.so +%{_libdir}/samba/ldb/local_password.so +%{_libdir}/samba/ldb/new_partition.so +%{_libdir}/samba/ldb/objectclass.so +%{_libdir}/samba/ldb/objectclass_attrs.so +%{_libdir}/samba/ldb/objectguid.so +%{_libdir}/samba/ldb/operational.so +%{_libdir}/samba/ldb/paged_results.so +%{_libdir}/samba/ldb/partition.so +%{_libdir}/samba/ldb/password_hash.so +%{_libdir}/samba/ldb/ranged_results.so +%{_libdir}/samba/ldb/repl_meta_data.so +%{_libdir}/samba/ldb/resolve_oids.so +%{_libdir}/samba/ldb/rootdse.so +%{_libdir}/samba/ldb/samba3sam.so +%{_libdir}/samba/ldb/samba3sid.so +%{_libdir}/samba/ldb/samba_dsdb.so +%{_libdir}/samba/ldb/samba_secrets.so +%{_libdir}/samba/ldb/samldb.so +%{_libdir}/samba/ldb/schema_data.so +%{_libdir}/samba/ldb/schema_load.so +%{_libdir}/samba/ldb/secrets_tdb_sync.so +%{_libdir}/samba/ldb/show_deleted.so +%{_libdir}/samba/ldb/simple_dn.so +%{_libdir}/samba/ldb/simple_ldap_map.so +%{_libdir}/samba/ldb/subtree_delete.so +%{_libdir}/samba/ldb/subtree_rename.so +%{_libdir}/samba/ldb/tombstone_reanimate.so +%{_libdir}/samba/ldb/unique_object_sids.so +%{_libdir}/samba/ldb/update_keytab.so +%{_libdir}/samba/ldb/vlv.so +%{_libdir}/samba/ldb/wins_ldb.so +%{_libdir}/samba/vfs/posix_eadb.so +%dir /var/lib/samba/sysvol +%{_mandir}/man8/samba.8* +%{_mandir}/man8/samba_downgrade_db.8* +%{_mandir}/man8/samba-gpupdate.8* +%{_mandir}/man8/samba-tool.8* + +%files dc-provision +%license source4/setup/ad-schema/licence.txt +%{_datadir}/samba/setup + %{_libdir}/samba/libdb-glue-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so @@ -1196,7 +1270,6 @@ fi %{_libdir}/samba/service/nbtd.so %{_libdir}/samba/service/ntp_signd.so %{_libdir}/samba/service/s3fs.so -%{_libdir}/samba/service/web.so %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so %{_libdir}/libdcerpc-server.so.* @@ -1204,86 +1277,16 @@ fi %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so -%else -%doc packaging/README.dc-libs -%endif -%if %with_dc -%{_unitdir}/samba.service -%{_bindir}/samba-tool -%{_sbindir}/samba* - -%{_libdir}/krb5/plugins/kdb/samba.so - -%{_libdir}/samba/auth/samba4.so -%{_libdir}/samba/libpac-samba4.so -%dir %{_libdir}/samba/gensec -%{_libdir}/%{name}/gensec/krb5.so -%{_libdir}/%{name}/ldb/acl.so -%{_libdir}/%{name}/ldb/aclread.so -%{_libdir}/%{name}/ldb/anr.so -%{_libdir}/%{name}/ldb/audit_log.so -%{_libdir}/%{name}/ldb/descriptor.so -%{_libdir}/%{name}/ldb/dirsync.so -%{_libdir}/%{name}/ldb/dns_notify.so -%{_libdir}/%{name}/ldb/dsdb_notification.so -%{_libdir}/%{name}/ldb/encrypted_secrets.so -%{_libdir}/%{name}/ldb/extended_dn_in.so -%{_libdir}/%{name}/ldb/extended_dn_out.so -%{_libdir}/%{name}/ldb/extended_dn_store.so -%{_libdir}/%{name}/ldb/group_audit_log.so -%{_libdir}/%{name}/ldb/ildap.so -%{_libdir}/%{name}/ldb/instancetype.so -%{_libdir}/%{name}/ldb/lazy_commit.so -%{_libdir}/%{name}/ldb/ldbsamba_extensions.so -%{_libdir}/%{name}/ldb/linked_attributes.so -%{_libdir}/%{name}/ldb/local_password.so -%{_libdir}/%{name}/ldb/new_partition.so -%{_libdir}/%{name}/ldb/objectclass.so -%{_libdir}/%{name}/ldb/objectclass_attrs.so -%{_libdir}/%{name}/ldb/objectguid.so -%{_libdir}/%{name}/ldb/operational.so -%{_libdir}/%{name}/ldb/partition.so -%{_libdir}/%{name}/ldb/password_hash.so -%{_libdir}/%{name}/ldb/ranged_results.so -%{_libdir}/%{name}/ldb/repl_meta_data.so -%{_libdir}/%{name}/ldb/resolve_oids.so -%{_libdir}/%{name}/ldb/rootdse.so -%{_libdir}/%{name}/ldb/samba3sam.so -%{_libdir}/%{name}/ldb/samba3sid.so -%{_libdir}/%{name}/ldb/samba_dsdb.so -%{_libdir}/%{name}/ldb/samba_secrets.so -%{_libdir}/%{name}/ldb/samldb.so -%{_libdir}/%{name}/ldb/schema_data.so -%{_libdir}/%{name}/ldb/schema_load.so -%{_libdir}/%{name}/ldb/secrets_tdb_sync.so -%{_libdir}/%{name}/ldb/show_deleted.so -%{_libdir}/%{name}/ldb/simple_dn.so -%{_libdir}/%{name}/ldb/simple_ldap_map.so -%{_libdir}/%{name}/ldb/subtree_delete.so -%{_libdir}/%{name}/ldb/subtree_rename.so -%{_libdir}/%{name}/ldb/tombstone_reanimate.so -%{_libdir}/%{name}/ldb/unique_object_sids.so -%{_libdir}/%{name}/ldb/update_keytab.so -%{_libdir}/%{name}/ldb/vlv.so -%{_libdir}/%{name}/ldb/wins_ldb.so -%{_libdir}/%{name}/vfs/posix_eadb.so -%dir /var/lib/samba/sysvol -%{_datadir}/samba/setup -%{_mandir}/man8/samba.8* -%{_mandir}/man8/samba-gpupdate.8* -%{_mandir}/man8/samba-tool.8* -%else # with_dc -%doc packaging/README.dc -%endif # with_dc -%if %with_dc %files dc-bind-dlz %attr(770,root,named) %dir /var/lib/samba/bind-dns %dir %{_libdir}/samba/bind9 -%{_libdir}/%{name}/bind9/dlz_bind9.so -%{_libdir}/%{name}/bind9/dlz_bind9_9.so -%{_libdir}/%{name}/bind9/dlz_bind9_10.so -%{_libdir}/%{name}/bind9/dlz_bind9_11.so +%{_libdir}/samba/bind9/dlz_bind9.so +%{_libdir}/samba/bind9/dlz_bind9_9.so +%{_libdir}/samba/bind9/dlz_bind9_10.so +%{_libdir}/samba/bind9/dlz_bind9_11.so +%{_libdir}/samba/bind9/dlz_bind9_12.so +#endif with_dc %endif %files devel @@ -1355,16 +1358,14 @@ fi %{_includedir}/samba-4.0/util/byteorder.h %{_includedir}/samba-4.0/util/data_blob.h %{_includedir}/samba-4.0/util/debug.h +%{_includedir}/samba-4.0/util/discard.h %{_includedir}/samba-4.0/util/fault.h %{_includedir}/samba-4.0/util/genrand.h %{_includedir}/samba-4.0/util/idtree.h %{_includedir}/samba-4.0/util/idtree_random.h -%{_includedir}/samba-4.0/util/memory.h -%{_includedir}/samba-4.0/util/safe_string.h %{_includedir}/samba-4.0/util/signal.h %{_includedir}/samba-4.0/util/string_wrappers.h %{_includedir}/samba-4.0/util/substitute.h -%{_includedir}/samba-4.0/util/talloc_stack.h %{_includedir}/samba-4.0/util/tevent_ntstatus.h %{_includedir}/samba-4.0/util/tevent_unix.h %{_includedir}/samba-4.0/util/tevent_werror.h @@ -1404,22 +1405,24 @@ fi %{_includedir}/samba-4.0/dcerpc_server.h %{_libdir}/libdcerpc-server.so %{_libdir}/pkgconfig/dcerpc_server.pc -%{_libdir}/libsamba-policy.so -%{_libdir}/pkgconfig/samba-policy.pc %endif %if ! %with_libsmbclient %{_includedir}/samba-4.0/libsmbclient.h +#endif ! with_libsmbclient %endif %if ! %with_libwbclient %{_includedir}/samba-4.0/wbclient.h +#endif ! with_libwbclient %endif %if %{with_vfs_cephfs} %files vfs-cephfs %{_libdir}/samba/vfs/ceph.so +%{_libdir}/samba/vfs/ceph_snapshots.so %{_mandir}/man8/vfs_ceph.8* +%{_mandir}/man8/vfs_ceph_snapshots.8* %endif %if %{with_vfs_glusterfs} @@ -1430,6 +1433,7 @@ fi %files krb5-printing %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper +%{_mandir}/man8/smbspool_krb5_wrapper.8* %if %with_libsmbclient %files -n libsmbclient @@ -1440,6 +1444,7 @@ fi %{_libdir}/libsmbclient.so %{_libdir}/pkgconfig/smbclient.pc %{_mandir}/man7/libsmbclient.7* +#endif with_libsmbclient %endif %if %with_libwbclient @@ -1451,561 +1456,273 @@ fi %{_includedir}/samba-4.0/wbclient.h %{_libdir}/samba/wbclient/libwbclient.so %{_libdir}/pkgconfig/wbclient.pc +#endif with_libwbclient %endif %files pidl +%doc pidl/README %attr(755,root,root) %{_bindir}/pidl %dir %{perl_vendorlib}/Parse -%{perl_vendorlib}/Parse/Pidl.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl.pm %dir %{perl_vendorlib}/Parse/Pidl -%{perl_vendorlib}/Parse/Pidl/CUtil.pm -%{perl_vendorlib}/Parse/Pidl/Samba4.pm -%{perl_vendorlib}/Parse/Pidl/Expr.pm -%{perl_vendorlib}/Parse/Pidl/ODL.pm -%{perl_vendorlib}/Parse/Pidl/Typelist.pm -%{perl_vendorlib}/Parse/Pidl/IDL.pm -%{perl_vendorlib}/Parse/Pidl/Compat.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/CUtil.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Expr.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/ODL.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Typelist.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/IDL.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Compat.pm %dir %{perl_vendorlib}/Parse/Pidl/Wireshark -%{perl_vendorlib}/Parse/Pidl/Wireshark/Conformance.pm -%{perl_vendorlib}/Parse/Pidl/Wireshark/NDR.pm -%{perl_vendorlib}/Parse/Pidl/Dump.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Wireshark/Conformance.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Wireshark/NDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Dump.pm %dir %{perl_vendorlib}/Parse/Pidl/Samba3 -%{perl_vendorlib}/Parse/Pidl/Samba3/ServerNDR.pm -%{perl_vendorlib}/Parse/Pidl/Samba3/ClientNDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba3/ServerNDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba3/ClientNDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba3/Template.pm %dir %{perl_vendorlib}/Parse/Pidl/Samba4 -%{perl_vendorlib}/Parse/Pidl/Samba4/Header.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/Header.pm %dir %{perl_vendorlib}/Parse/Pidl/Samba4/COM -%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Header.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Proxy.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Stub.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/Python.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/COM/Header.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/COM/Proxy.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/COM/Stub.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/Python.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm %dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR -%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm -%{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm -%{perl_vendorlib}/Parse/Pidl/NDR.pm -%{perl_vendorlib}/Parse/Pidl/Util.pm - -%if %{with_dc} -%files -n python2-%{name} -%{_libdir}/samba/libsamba-python-samba4.so -%{_libdir}/samba/libsamba-net-samba4.so -%{_libdir}/libsamba-policy.so.* - -%dir %{python2_sitearch}/samba -%{python2_sitearch}/%{name}/__init__.py* -%{python2_sitearch}/%{name}/_glue.so -%{python2_sitearch}/%{name}/_ldb.so -%{python2_sitearch}/%{name}/auth.so -%{python2_sitearch}/%{name}/colour.py* -%{python2_sitearch}/%{name}/common.py* -%{python2_sitearch}/%{name}/compat.py* -%{python2_sitearch}/%{name}/credentials.so -%{python2_sitearch}/%{name}/crypto.so -%{python2_sitearch}/%{name}/dbchecker.py* -%{python2_sitearch}/%{name}/descriptor.py* -%{python2_sitearch}/%{name}/drs_utils.py* -%{python2_sitearch}/%{name}/gensec.so -%{python2_sitearch}/%{name}/getopt.py* -%{python2_sitearch}/%{name}/graph.py* -%{python2_sitearch}/%{name}/hostconfig.py* -%{python2_sitearch}/%{name}/idmap.py* -%{python2_sitearch}/%{name}/join.py* -%{python2_sitearch}/%{name}/messaging.so -%{python2_sitearch}/%{name}/ms_display_specifiers.py* -%{python2_sitearch}/%{name}/ms_schema.py* -%{python2_sitearch}/%{name}/ndr.py* -%{python2_sitearch}/%{name}/net.so -%{python2_sitearch}/%{name}/netbios.so -%{python2_sitearch}/%{name}/ntacls.py* -%{python2_sitearch}/%{name}/ntstatus.so -%{python2_sitearch}/%{name}/param.so -%{python2_sitearch}/%{name}/policy.so -%{python2_sitearch}/%{name}/posix_eadb.so -%{python2_sitearch}/%{name}/registry.so -%{python2_sitearch}/%{name}/remove_dc.py* -%{python2_sitearch}/%{name}/sd_utils.py* -%{python2_sitearch}/%{name}/security.so -%{python2_sitearch}/%{name}/sites.py* -%{python2_sitearch}/%{name}/smb.so -%{python2_sitearch}/%{name}/subnets.py* -%{python2_sitearch}/%{name}/upgrade.py* -%{python2_sitearch}/%{name}/upgradehelpers.py* -%{python2_sitearch}/%{name}/werror.so -%{python2_sitearch}/%{name}/xattr.py* -%{python2_sitearch}/%{name}/xattr_native.so -%{python2_sitearch}/%{name}/xattr_tdb.so - -%dir %{python2_sitearch}/samba/dcerpc -%{python2_sitearch}/%{name}/dcerpc/__init__.py* -%{python2_sitearch}/%{name}/dcerpc/atsvc.so -%{python2_sitearch}/%{name}/dcerpc/auth.so -%{python2_sitearch}/%{name}/dcerpc/base.so -%{python2_sitearch}/%{name}/dcerpc/dcerpc.so -%{python2_sitearch}/%{name}/dcerpc/dfs.so -%{python2_sitearch}/%{name}/dcerpc/dns.so -%{python2_sitearch}/%{name}/dcerpc/dnsp.so -%{python2_sitearch}/%{name}/dcerpc/drsblobs.so -%{python2_sitearch}/%{name}/dcerpc/drsuapi.so -%{python2_sitearch}/%{name}/dcerpc/echo.so -%{python2_sitearch}/%{name}/dcerpc/epmapper.so -%{python2_sitearch}/%{name}/dcerpc/idmap.so -%{python2_sitearch}/%{name}/dcerpc/initshutdown.so -%{python2_sitearch}/%{name}/dcerpc/irpc.so -%{python2_sitearch}/%{name}/dcerpc/krb5pac.so -%{python2_sitearch}/%{name}/dcerpc/lsa.so -%{python2_sitearch}/%{name}/dcerpc/messaging.so -%{python2_sitearch}/%{name}/dcerpc/mgmt.so -%{python2_sitearch}/%{name}/dcerpc/misc.so -%{python2_sitearch}/%{name}/dcerpc/nbt.so -%{python2_sitearch}/%{name}/dcerpc/netlogon.so -%{python2_sitearch}/%{name}/dcerpc/ntlmssp.so -%{python2_sitearch}/%{name}/dcerpc/samr.so -%{python2_sitearch}/%{name}/dcerpc/security.so -%{python2_sitearch}/%{name}/dcerpc/server_id.so -%{python2_sitearch}/%{name}/dcerpc/smb_acl.so -%{python2_sitearch}/%{name}/dcerpc/srvsvc.so -%{python2_sitearch}/%{name}/dcerpc/svcctl.so -%{python2_sitearch}/%{name}/dcerpc/unixinfo.so -%{python2_sitearch}/%{name}/dcerpc/winbind.so -%{python2_sitearch}/%{name}/dcerpc/winreg.so -%{python2_sitearch}/%{name}/dcerpc/wkssvc.so -%{python2_sitearch}/%{name}/dcerpc/xattr.so - -%dir %{python2_sitearch}/samba/emulate -%{python2_sitearch}/%{name}/emulate/__init__.py* -%{python2_sitearch}/%{name}/emulate/traffic.py* -%{python2_sitearch}/%{name}/emulate/traffic_packets.py* - -%dir %{python2_sitearch}/samba/netcmd -%{python2_sitearch}/%{name}/netcmd/__init__.py* -%{python2_sitearch}/%{name}/netcmd/common.py* -%{python2_sitearch}/%{name}/netcmd/computer.py* -%{python2_sitearch}/%{name}/netcmd/dbcheck.py* -%{python2_sitearch}/%{name}/netcmd/delegation.py* -%{python2_sitearch}/%{name}/netcmd/dns.py* -%{python2_sitearch}/%{name}/netcmd/domain.py* -%{python2_sitearch}/%{name}/netcmd/domain_backup.py* -%{python2_sitearch}/%{name}/netcmd/drs.py* -%{python2_sitearch}/%{name}/netcmd/dsacl.py* -%{python2_sitearch}/%{name}/netcmd/forest.py* -%{python2_sitearch}/%{name}/netcmd/fsmo.py* -%{python2_sitearch}/%{name}/netcmd/gpo.py* -%{python2_sitearch}/%{name}/netcmd/group.py* -%{python2_sitearch}/%{name}/netcmd/ldapcmp.py* -%{python2_sitearch}/%{name}/netcmd/main.py* -%{python2_sitearch}/%{name}/netcmd/nettime.py* -%{python2_sitearch}/%{name}/netcmd/ntacl.py* -%{python2_sitearch}/%{name}/netcmd/ou.py* -%{python2_sitearch}/%{name}/netcmd/processes.py* -%{python2_sitearch}/%{name}/netcmd/pso.py* -%{python2_sitearch}/%{name}/netcmd/rodc.py* -%{python2_sitearch}/%{name}/netcmd/schema.py* -%{python2_sitearch}/%{name}/netcmd/sites.py* -%{python2_sitearch}/%{name}/netcmd/spn.py* -%{python2_sitearch}/%{name}/netcmd/testparm.py* -%{python2_sitearch}/%{name}/netcmd/user.py* -%{python2_sitearch}/%{name}/netcmd/visualize.py* - -%dir %{python2_sitearch}/samba/samba3 -%{python2_sitearch}/%{name}/samba3/__init__.py* -%{python2_sitearch}/%{name}/samba3/libsmb_samba_internal.so -%{python2_sitearch}/%{name}/samba3/param.so -%{python2_sitearch}/%{name}/samba3/passdb.so -%{python2_sitearch}/%{name}/samba3/smbd.so - -%dir %{python2_sitearch}/samba/subunit -%{python2_sitearch}/%{name}/subunit/__init__.py* -%{python2_sitearch}/%{name}/subunit/run.py* -%{python2_sitearch}/%{name}/tdb_util.py* - -%dir %{python2_sitearch}/samba/third_party -%{python2_sitearch}/samba/third_party/__init__.py* - -%if %{with_dc} -%files -n python2-%{name}-dc -%{python2_sitearch}/%{name}/domain_update.py* -%{python2_sitearch}/%{name}/dckeytab.so -%{python2_sitearch}/%{name}/dsdb.so -%{python2_sitearch}/%{name}/dsdb_dns.so -%{python2_sitearch}/%{name}/dnsserver.py* -%{python2_sitearch}/%{name}/forest_update.py* -%{python2_sitearch}/%{name}/gpclass.py* -%{python2_sitearch}/%{name}/gpo.so -%{python2_sitearch}/%{name}/gp_sec_ext.py* -%{python2_sitearch}/%{name}/mdb_util.py* -%{python2_sitearch}/%{name}/ms_forest_updates_markdown.py* -%{python2_sitearch}/%{name}/ms_schema_markdown.py* -%{python2_sitearch}/%{name}/samdb.py* -%{python2_sitearch}/%{name}/schema.py* - -%{python2_sitearch}/%{name}/dcerpc/dnsserver.so - -%dir %{python2_sitearch}/samba/kcc -%{python2_sitearch}/%{name}/kcc/__init__.py* -%{python2_sitearch}/%{name}/kcc/debug.py* -%{python2_sitearch}/%{name}/kcc/graph.py* -%{python2_sitearch}/%{name}/kcc/graph_utils.py* -%{python2_sitearch}/%{name}/kcc/kcc_utils.py* -%{python2_sitearch}/%{name}/kcc/ldif_import_export.py* - -%dir %{python2_sitearch}/samba/provision -%{python2_sitearch}/%{name}/provision/__init__.py* -%{python2_sitearch}/%{name}/provision/backend.py* -%{python2_sitearch}/%{name}/provision/common.py* -%{python2_sitearch}/%{name}/provision/kerberos.py* -%{python2_sitearch}/%{name}/provision/kerberos_implementation.py* -%{python2_sitearch}/%{name}/provision/sambadns.py* - -%dir %{python2_sitearch}/samba/web_server -%{python2_sitearch}/samba/web_server/__init__.py* -%endif - -%files -n python2-%{name}-test -%dir %{python2_sitearch}/samba/tests -%{python2_sitearch}/%{name}/tests/__init__.py* -%{python2_sitearch}/%{name}/tests/audit_log_base.py* -%{python2_sitearch}/%{name}/tests/audit_log_dsdb.py* -%{python2_sitearch}/%{name}/tests/audit_log_pass_change.py* -%{python2_sitearch}/%{name}/tests/auth.py* -%{python2_sitearch}/%{name}/tests/auth_log.py* -%{python2_sitearch}/%{name}/tests/auth_log_base.py* -%{python2_sitearch}/%{name}/tests/auth_log_ncalrpc.py* -%{python2_sitearch}/%{name}/tests/auth_log_netlogon.py* -%{python2_sitearch}/%{name}/tests/auth_log_netlogon_bad_creds.py* -%{python2_sitearch}/%{name}/tests/auth_log_pass_change.py* -%{python2_sitearch}/%{name}/tests/auth_log_samlogon.py* -%dir %{python2_sitearch}/samba/tests/blackbox -%{python2_sitearch}/%{name}/tests/blackbox/__init__.py* -%{python2_sitearch}/%{name}/tests/blackbox/check_output.py* -%{python2_sitearch}/%{name}/tests/blackbox/ndrdump.py* -%{python2_sitearch}/%{name}/tests/blackbox/samba_dnsupdate.py* -%{python2_sitearch}/%{name}/tests/blackbox/smbcontrol.py* -%{python2_sitearch}/%{name}/tests/blackbox/traffic_learner.py* -%{python2_sitearch}/%{name}/tests/blackbox/traffic_replay.py* -%{python2_sitearch}/%{name}/tests/blackbox/traffic_summary.py* -%{python2_sitearch}/%{name}/tests/common.py* -%{python2_sitearch}/%{name}/tests/core.py* -%{python2_sitearch}/%{name}/tests/credentials.py* -%dir %{python2_sitearch}/samba/tests/dcerpc -%{python2_sitearch}/%{name}/tests/dcerpc/__init__.py* -%{python2_sitearch}/%{name}/tests/dcerpc/array.py* -%{python2_sitearch}/%{name}/tests/dcerpc/bare.py* -%{python2_sitearch}/%{name}/tests/dcerpc/dnsserver.py* -%{python2_sitearch}/%{name}/tests/dcerpc/integer.py* -%{python2_sitearch}/%{name}/tests/dcerpc/misc.py* -%{python2_sitearch}/%{name}/tests/dcerpc/raw_protocol.py* -%{python2_sitearch}/%{name}/tests/dcerpc/raw_testcase.py* -%{python2_sitearch}/%{name}/tests/dcerpc/registry.py* -%{python2_sitearch}/%{name}/tests/dcerpc/rpc_talloc.py* -%{python2_sitearch}/%{name}/tests/dcerpc/rpcecho.py* -%{python2_sitearch}/%{name}/tests/dcerpc/sam.py* -%{python2_sitearch}/%{name}/tests/dcerpc/srvsvc.py* -%{python2_sitearch}/%{name}/tests/dcerpc/string.py* -%{python2_sitearch}/%{name}/tests/dcerpc/testrpc.py* -%{python2_sitearch}/%{name}/tests/dcerpc/unix.py* -%{python2_sitearch}/%{name}/tests/dckeytab.py* -%{python2_sitearch}/%{name}/tests/dns.py* -%{python2_sitearch}/%{name}/tests/dns_base.py* -%{python2_sitearch}/%{name}/tests/dns_forwarder.py* -%{python2_sitearch}/%{name}/tests/dns_invalid.py* -%dir %{python2_sitearch}/samba/tests/dns_forwarder_helpers -%{python2_sitearch}/%{name}/tests/dns_forwarder_helpers/server.py* -%{python2_sitearch}/%{name}/tests/dns_tkey.py* -%{python2_sitearch}/%{name}/tests/dns_wildcard.py* -%{python2_sitearch}/%{name}/tests/docs.py* -%{python2_sitearch}/%{name}/tests/domain_backup.py* -%{python2_sitearch}/%{name}/tests/dsdb.py* -%{python2_sitearch}/%{name}/tests/dsdb_lock.py* -%{python2_sitearch}/%{name}/tests/dsdb_schema_attributes.py* -%dir %{python2_sitearch}/samba/tests/emulate -%{python2_sitearch}/%{name}/tests/emulate/__init__.py* -%{python2_sitearch}/%{name}/tests/emulate/traffic.py* -%{python2_sitearch}/%{name}/tests/emulate/traffic_packet.py* -%{python2_sitearch}/%{name}/tests/encrypted_secrets.py* -%{python2_sitearch}/%{name}/tests/gensec.py* -%{python2_sitearch}/%{name}/tests/getdcname.py* -%{python2_sitearch}/%{name}/tests/get_opt.py* -%{python2_sitearch}/%{name}/tests/glue.py* -%{python2_sitearch}/%{name}/tests/gpo.py* -%{python2_sitearch}/%{name}/tests/graph.py* -%{python2_sitearch}/%{name}/tests/group_audit.py* -%{python2_sitearch}/%{name}/tests/hostconfig.py* -%{python2_sitearch}/%{name}/tests/join.py* -%dir %{python2_sitearch}/samba/tests/kcc -%{python2_sitearch}/%{name}/tests/kcc/__init__.py* -%{python2_sitearch}/%{name}/tests/kcc/graph.py* -%{python2_sitearch}/%{name}/tests/kcc/graph_utils.py* -%{python2_sitearch}/%{name}/tests/kcc/kcc_utils.py* -%{python2_sitearch}/%{name}/tests/kcc/ldif_import_export.py* -%{python2_sitearch}/%{name}/tests/krb5_credentials.py* -%{python2_sitearch}/%{name}/tests/libsmb_samba_internal.py* -%{python2_sitearch}/%{name}/tests/loadparm.py* -%{python2_sitearch}/%{name}/tests/lsa_string.py* -%{python2_sitearch}/%{name}/tests/messaging.py* -%{python2_sitearch}/%{name}/tests/net_join.py* -%{python2_sitearch}/%{name}/tests/net_join_no_spnego.py* -%{python2_sitearch}/%{name}/tests/netbios.py* -%{python2_sitearch}/%{name}/tests/netcmd.py* -%{python2_sitearch}/%{name}/tests/netlogonsvc.py* -%{python2_sitearch}/%{name}/tests/ntacls.py* -%{python2_sitearch}/%{name}/tests/ntacls_backup.py* -%{python2_sitearch}/%{name}/tests/ntlmdisabled.py* -%{python2_sitearch}/%{name}/tests/pam_winbind.py* -%{python2_sitearch}/%{name}/tests/pam_winbind_warn_pwd_expire.py* -%{python2_sitearch}/%{name}/tests/param.py* -%{python2_sitearch}/%{name}/tests/password_hash.py* -%{python2_sitearch}/%{name}/tests/password_hash_fl2003.py* -%{python2_sitearch}/%{name}/tests/password_hash_fl2008.py* -%{python2_sitearch}/%{name}/tests/password_hash_gpgme.py* -%{python2_sitearch}/%{name}/tests/password_hash_ldap.py* -%{python2_sitearch}/%{name}/tests/password_quality.py* -%{python2_sitearch}/%{name}/tests/password_test.py* -%{python2_sitearch}/%{name}/tests/policy.py* -%{python2_sitearch}/%{name}/tests/posixacl.py* -%{python2_sitearch}/%{name}/tests/provision.py* -%{python2_sitearch}/%{name}/tests/pso.py* -%{python2_sitearch}/%{name}/tests/py_credentials.py* -%{python2_sitearch}/%{name}/tests/registry.py* -%{python2_sitearch}/%{name}/tests/s3idmapdb.py* -%{python2_sitearch}/%{name}/tests/s3param.py* -%{python2_sitearch}/%{name}/tests/s3passdb.py* -%{python2_sitearch}/%{name}/tests/s3registry.py* -%{python2_sitearch}/%{name}/tests/s3windb.py* -%{python2_sitearch}/%{name}/tests/samba3sam.py* -%dir %{python2_sitearch}/samba/tests/samba_tool -%{python2_sitearch}/%{name}/tests/samba_tool/__init__.py* -%{python2_sitearch}/%{name}/tests/samba_tool/base.py* -%{python2_sitearch}/%{name}/tests/samba_tool/computer.py* -%{python2_sitearch}/%{name}/tests/samba_tool/demote.py* -%{python2_sitearch}/%{name}/tests/samba_tool/dnscmd.py* -%{python2_sitearch}/%{name}/tests/samba_tool/forest.py* -%{python2_sitearch}/%{name}/tests/samba_tool/fsmo.py* -%{python2_sitearch}/%{name}/tests/samba_tool/gpo.py* -%{python2_sitearch}/%{name}/tests/samba_tool/group.py* -%{python2_sitearch}/%{name}/tests/samba_tool/help.py* -%{python2_sitearch}/%{name}/tests/samba_tool/join.py* -%{python2_sitearch}/%{name}/tests/samba_tool/ntacl.py* -%{python2_sitearch}/%{name}/tests/samba_tool/ou.py* -%{python2_sitearch}/%{name}/tests/samba_tool/passwordsettings.py* -%{python2_sitearch}/%{name}/tests/samba_tool/processes.py* -%{python2_sitearch}/%{name}/tests/samba_tool/provision_password_check.py* -%{python2_sitearch}/%{name}/tests/samba_tool/rodc.py* -%{python2_sitearch}/%{name}/tests/samba_tool/schema.py* -%{python2_sitearch}/%{name}/tests/samba_tool/sites.py* -%{python2_sitearch}/%{name}/tests/samba_tool/timecmd.py* -%{python2_sitearch}/%{name}/tests/samba_tool/user.py* -%{python2_sitearch}/%{name}/tests/samba_tool/user_check_password_script.py* -%{python2_sitearch}/%{name}/tests/samba_tool/user_virtualCryptSHA.py* -%{python2_sitearch}/%{name}/tests/samba_tool/user_wdigest.py* -%{python2_sitearch}/%{name}/tests/samba_tool/visualize.py* -%{python2_sitearch}/%{name}/tests/samba_tool/visualize_drs.py* -%{python2_sitearch}/%{name}/tests/samdb.py* -%{python2_sitearch}/%{name}/tests/samdb_api.py* -%{python2_sitearch}/%{name}/tests/security.py* -%{python2_sitearch}/%{name}/tests/smb.py* -%{python2_sitearch}/%{name}/tests/source.py* -%{python2_sitearch}/%{name}/tests/strings.py* -%{python2_sitearch}/%{name}/tests/subunitrun.py* -%{python2_sitearch}/%{name}/tests/tdb_util.py* -%{python2_sitearch}/%{name}/tests/unicodenames.py* -%{python2_sitearch}/%{name}/tests/upgrade.py* -%{python2_sitearch}/%{name}/tests/upgradeprovision.py* -%{python2_sitearch}/%{name}/tests/upgradeprovisionneeddc.py* -%{python2_sitearch}/%{name}/tests/xattr.py* -%{python2_sitearch}/%{name}/tests/smbd_base.py* -%endif +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/NDR.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Util.pm +%attr(644,root,root) %{_mandir}/man1/pidl.1* +%attr(644,root,root) %{_mandir}/man3/Parse::Pidl::Dump.3pm* +%attr(644,root,root) %{_mandir}/man3/Parse::Pidl::NDR.3pm* +%attr(644,root,root) %{_mandir}/man3/Parse::Pidl::Util.3pm* +%attr(644,root,root) %{_mandir}/man3/Parse::Pidl::Wireshark::Conformance.3pm* +%attr(644,root,root) %{_mandir}/man3/Parse::Pidl::Wireshark::NDR.3pm* %files -n python3-%{name} %dir %{python3_sitearch}/samba/ %{python3_sitearch}/samba/__init__.py %dir %{python3_sitearch}/samba/__pycache__ -%{python3_sitearch}/%{name}/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/__pycache__/colour.*.pyc -%{python3_sitearch}/%{name}/__pycache__/common.*.pyc -%{python3_sitearch}/%{name}/__pycache__/compat.*.pyc -%{python3_sitearch}/%{name}/__pycache__/dbchecker.*.pyc -%{python3_sitearch}/%{name}/__pycache__/descriptor.*.pyc -%{python3_sitearch}/%{name}/__pycache__/drs_utils.*.pyc -%{python3_sitearch}/%{name}/__pycache__/getopt.*.pyc -%{python3_sitearch}/%{name}/__pycache__/gpclass.*.pyc -%{python3_sitearch}/%{name}/__pycache__/gp_sec_ext.*.pyc -%{python3_sitearch}/%{name}/__pycache__/graph.*.pyc -%{python3_sitearch}/%{name}/__pycache__/hostconfig.*.pyc -%{python3_sitearch}/%{name}/__pycache__/idmap.*.pyc -%{python3_sitearch}/%{name}/__pycache__/join.*.pyc -%{python3_sitearch}/%{name}/__pycache__/mdb_util.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ms_display_specifiers.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ms_schema.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ndr.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ntacls.*.pyc -%{python3_sitearch}/%{name}/__pycache__/sd_utils.*.pyc -%{python3_sitearch}/%{name}/__pycache__/sites.*.pyc -%{python3_sitearch}/%{name}/__pycache__/subnets.*.pyc -%{python3_sitearch}/%{name}/__pycache__/tdb_util.*.pyc -%{python3_sitearch}/%{name}/__pycache__/upgrade.*.pyc -%{python3_sitearch}/%{name}/__pycache__/upgradehelpers.*.pyc -%{python3_sitearch}/%{name}/__pycache__/xattr.*.pyc -%{python3_sitearch}/%{name}/_glue.*.so -%{python3_sitearch}/%{name}/_ldb.*.so -%{python3_sitearch}/%{name}/auth.*.so -%{python3_sitearch}/%{name}/dbchecker.py -%{python3_sitearch}/%{name}/colour.py -%{python3_sitearch}/%{name}/common.py -%{python3_sitearch}/%{name}/compat.py -%{python3_sitearch}/%{name}/credentials.*.so -%{python3_sitearch}/%{name}/crypto.*.so +%{python3_sitearch}/samba/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/__pycache__/colour.*.pyc +%{python3_sitearch}/samba/__pycache__/common.*.pyc +%{python3_sitearch}/samba/__pycache__/compat.*.pyc +%{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc +%{python3_sitearch}/samba/__pycache__/descriptor.*.pyc +%{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc +%{python3_sitearch}/samba/__pycache__/getopt.*.pyc +%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/graph.*.pyc +%{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/__pycache__/idmap.*.pyc +%{python3_sitearch}/samba/__pycache__/join.*.pyc +%{python3_sitearch}/samba/__pycache__/logger.*.pyc +%{python3_sitearch}/samba/__pycache__/mdb_util.*.pyc +%{python3_sitearch}/samba/__pycache__/ms_display_specifiers.*.pyc +%{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc +%{python3_sitearch}/samba/__pycache__/ndr.*.pyc +%{python3_sitearch}/samba/__pycache__/ntacls.*.pyc +%{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc +%{python3_sitearch}/samba/__pycache__/sites.*.pyc +%{python3_sitearch}/samba/__pycache__/subnets.*.pyc +%{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc +%{python3_sitearch}/samba/__pycache__/upgrade.*.pyc +%{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc +%{python3_sitearch}/samba/__pycache__/xattr.*.pyc +%{python3_sitearch}/samba/_glue.*.so +%{python3_sitearch}/samba/_ldb.*.so +%{python3_sitearch}/samba/auth.*.so +%{python3_sitearch}/samba/dbchecker.py +%{python3_sitearch}/samba/colour.py +%{python3_sitearch}/samba/common.py +%{python3_sitearch}/samba/compat.py +%{python3_sitearch}/samba/credentials.*.so +%{python3_sitearch}/samba/crypto.*.so %dir %{python3_sitearch}/samba/dcerpc %dir %{python3_sitearch}/samba/dcerpc/__pycache__ -%{python3_sitearch}/%{name}/dcerpc/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/dcerpc/__init__.py -%{python3_sitearch}/%{name}/dcerpc/atsvc.*.so -%{python3_sitearch}/%{name}/dcerpc/auth.*.so -%{python3_sitearch}/%{name}/dcerpc/base.*.so -%{python3_sitearch}/%{name}/dcerpc/dcerpc.*.so -%{python3_sitearch}/%{name}/dcerpc/dfs.*.so -%{python3_sitearch}/%{name}/dcerpc/dns.*.so -%{python3_sitearch}/%{name}/dcerpc/dnsp.*.so -%{python3_sitearch}/%{name}/dcerpc/drsblobs.*.so -%{python3_sitearch}/%{name}/dcerpc/drsuapi.*.so -%{python3_sitearch}/%{name}/dcerpc/echo.*.so -%{python3_sitearch}/%{name}/dcerpc/epmapper.*.so -%{python3_sitearch}/%{name}/dcerpc/idmap.*.so -%{python3_sitearch}/%{name}/dcerpc/initshutdown.*.so -%{python3_sitearch}/%{name}/dcerpc/irpc.*.so -%{python3_sitearch}/%{name}/dcerpc/krb5pac.*.so -%{python3_sitearch}/%{name}/dcerpc/lsa.*.so -%{python3_sitearch}/%{name}/dcerpc/messaging.*.so -%{python3_sitearch}/%{name}/dcerpc/mgmt.*.so -%{python3_sitearch}/%{name}/dcerpc/misc.*.so -%{python3_sitearch}/%{name}/dcerpc/nbt.*.so -%{python3_sitearch}/%{name}/dcerpc/netlogon.*.so -%{python3_sitearch}/%{name}/dcerpc/ntlmssp.*.so -%{python3_sitearch}/%{name}/dcerpc/samr.*.so -%{python3_sitearch}/%{name}/dcerpc/security.*.so -%{python3_sitearch}/%{name}/dcerpc/server_id.*.so -%{python3_sitearch}/%{name}/dcerpc/smb_acl.*.so -%{python3_sitearch}/%{name}/dcerpc/srvsvc.*.so -%{python3_sitearch}/%{name}/dcerpc/svcctl.*.so -%{python3_sitearch}/%{name}/dcerpc/unixinfo.*.so -%{python3_sitearch}/%{name}/dcerpc/winbind.*.so -%{python3_sitearch}/%{name}/dcerpc/winreg.*.so -%{python3_sitearch}/%{name}/dcerpc/wkssvc.*.so -%{python3_sitearch}/%{name}/dcerpc/xattr.*.so -%{python3_sitearch}/%{name}/descriptor.py -%{python3_sitearch}/%{name}/drs_utils.py -%{python3_sitearch}/%{name}/gensec.*.so -%{python3_sitearch}/%{name}/getopt.py -%{python3_sitearch}/%{name}/gpclass.py -%{python3_sitearch}/%{name}/gp_sec_ext.py -%{python3_sitearch}/%{name}/gpo.*.so -%{python3_sitearch}/%{name}/graph.py -%{python3_sitearch}/%{name}/hostconfig.py -%{python3_sitearch}/%{name}/idmap.py -%{python3_sitearch}/%{name}/join.py -%{python3_sitearch}/%{name}/messaging.*.so -%{python3_sitearch}/%{name}/ndr.py -%{python3_sitearch}/%{name}/net.*.so -%{python3_sitearch}/%{name}/ntstatus.*.so -%{python3_sitearch}/%{name}/posix_eadb.*.so +%{python3_sitearch}/samba/dcerpc/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/dcerpc/__init__.py +%{python3_sitearch}/samba/dcerpc/atsvc.*.so +%{python3_sitearch}/samba/dcerpc/auth.*.so +%{python3_sitearch}/samba/dcerpc/base.*.so +%{python3_sitearch}/samba/dcerpc/dcerpc.*.so +%{python3_sitearch}/samba/dcerpc/dfs.*.so +%{python3_sitearch}/samba/dcerpc/dns.*.so +%{python3_sitearch}/samba/dcerpc/dnsp.*.so +%{python3_sitearch}/samba/dcerpc/drsblobs.*.so +%{python3_sitearch}/samba/dcerpc/drsuapi.*.so +%{python3_sitearch}/samba/dcerpc/echo.*.so +%{python3_sitearch}/samba/dcerpc/epmapper.*.so +%{python3_sitearch}/samba/dcerpc/idmap.*.so +%{python3_sitearch}/samba/dcerpc/initshutdown.*.so +%{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/krb5pac.*.so +%{python3_sitearch}/samba/dcerpc/lsa.*.so +%{python3_sitearch}/samba/dcerpc/messaging.*.so +%{python3_sitearch}/samba/dcerpc/mgmt.*.so +%{python3_sitearch}/samba/dcerpc/misc.*.so +%{python3_sitearch}/samba/dcerpc/nbt.*.so +%{python3_sitearch}/samba/dcerpc/netlogon.*.so +%{python3_sitearch}/samba/dcerpc/ntlmssp.*.so +%{python3_sitearch}/samba/dcerpc/preg.*.so +%{python3_sitearch}/samba/dcerpc/samr.*.so +%{python3_sitearch}/samba/dcerpc/security.*.so +%{python3_sitearch}/samba/dcerpc/server_id.*.so +%{python3_sitearch}/samba/dcerpc/smb_acl.*.so +%{python3_sitearch}/samba/dcerpc/spoolss.*.so +%{python3_sitearch}/samba/dcerpc/srvsvc.*.so +%{python3_sitearch}/samba/dcerpc/svcctl.*.so +%{python3_sitearch}/samba/dcerpc/unixinfo.*.so +%{python3_sitearch}/samba/dcerpc/winbind.*.so +%{python3_sitearch}/samba/dcerpc/windows_event_ids.*.so +%{python3_sitearch}/samba/dcerpc/winreg.*.so +%{python3_sitearch}/samba/dcerpc/winspool.*.so +%{python3_sitearch}/samba/dcerpc/witness.*.so +%{python3_sitearch}/samba/dcerpc/wkssvc.*.so +%{python3_sitearch}/samba/dcerpc/xattr.*.so +%{python3_sitearch}/samba/descriptor.py +%{python3_sitearch}/samba/drs_utils.py +%{python3_sitearch}/samba/gensec.*.so +%{python3_sitearch}/samba/getopt.py +%{python3_sitearch}/samba/gpclass.py +%{python3_sitearch}/samba/gp_sec_ext.py +%{python3_sitearch}/samba/gpo.*.so +%{python3_sitearch}/samba/graph.py +%{python3_sitearch}/samba/hostconfig.py +%{python3_sitearch}/samba/idmap.py +%{python3_sitearch}/samba/join.py +%{python3_sitearch}/samba/messaging.*.so +%{python3_sitearch}/samba/ndr.py +%{python3_sitearch}/samba/net.*.so +%{python3_sitearch}/samba/ntstatus.*.so +%{python3_sitearch}/samba/posix_eadb.*.so %dir %{python3_sitearch}/samba/emulate %dir %{python3_sitearch}/samba/emulate/__pycache__ -%{python3_sitearch}/%{name}/emulate/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/emulate/__pycache__/traffic.*.pyc -%{python3_sitearch}/%{name}/emulate/__pycache__/traffic_packets.*.pyc -%{python3_sitearch}/%{name}/emulate/__init__.py -%{python3_sitearch}/%{name}/emulate/traffic.py -%{python3_sitearch}/%{name}/emulate/traffic_packets.py -%{python3_sitearch}/%{name}/mdb_util.py -%{python3_sitearch}/%{name}/ms_display_specifiers.py -%{python3_sitearch}/%{name}/ms_schema.py -%{python3_sitearch}/%{name}/netbios.*.so +%{python3_sitearch}/samba/emulate/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/emulate/__pycache__/traffic.*.pyc +%{python3_sitearch}/samba/emulate/__pycache__/traffic_packets.*.pyc +%{python3_sitearch}/samba/emulate/__init__.py +%{python3_sitearch}/samba/emulate/traffic.py +%{python3_sitearch}/samba/emulate/traffic_packets.py +%{python3_sitearch}/samba/gp_ext_loader.py +%dir %{python3_sitearch}/samba/gp_parse +%{python3_sitearch}/samba/gp_parse/__init__.py +%dir %{python3_sitearch}/samba/gp_parse/__pycache__ +%{python3_sitearch}/samba/gp_parse/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/gp_parse/__pycache__/gp_aas.*.pyc +%{python3_sitearch}/samba/gp_parse/__pycache__/gp_csv.*.pyc +%{python3_sitearch}/samba/gp_parse/__pycache__/gp_inf.*.pyc +%{python3_sitearch}/samba/gp_parse/__pycache__/gp_ini.*.pyc +%{python3_sitearch}/samba/gp_parse/__pycache__/gp_pol.*.pyc +%{python3_sitearch}/samba/gp_parse/gp_aas.py +%{python3_sitearch}/samba/gp_parse/gp_csv.py +%{python3_sitearch}/samba/gp_parse/gp_inf.py +%{python3_sitearch}/samba/gp_parse/gp_ini.py +%{python3_sitearch}/samba/gp_parse/gp_pol.py +%{python3_sitearch}/samba/logger.py +%{python3_sitearch}/samba/mdb_util.py +%{python3_sitearch}/samba/ms_display_specifiers.py +%{python3_sitearch}/samba/ms_schema.py +%{python3_sitearch}/samba/netbios.*.so %dir %{python3_sitearch}/samba/netcmd %{python3_sitearch}/samba/netcmd/__init__.py %dir %{python3_sitearch}/samba/netcmd/__pycache__ -%{python3_sitearch}/%{name}/netcmd/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/common.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/computer.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/dbcheck.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/delegation.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/dns.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/domain.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/domain_backup.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/drs.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/dsacl.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/forest.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/fsmo.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/gpo.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/group.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/ldapcmp.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/main.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/nettime.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/ntacl.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/ou.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/processes.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/pso.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/rodc.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/schema.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/sites.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/spn.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/testparm.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/user.*.pyc -%{python3_sitearch}/%{name}/netcmd/__pycache__/visualize.*.pyc -%{python3_sitearch}/%{name}/netcmd/common.py -%{python3_sitearch}/%{name}/netcmd/computer.py -%{python3_sitearch}/%{name}/netcmd/dbcheck.py -%{python3_sitearch}/%{name}/netcmd/delegation.py -%{python3_sitearch}/%{name}/netcmd/dns.py -%{python3_sitearch}/%{name}/netcmd/domain.py -%{python3_sitearch}/%{name}/netcmd/domain_backup.py -%{python3_sitearch}/%{name}/netcmd/drs.py -%{python3_sitearch}/%{name}/netcmd/dsacl.py -%{python3_sitearch}/%{name}/netcmd/forest.py -%{python3_sitearch}/%{name}/netcmd/fsmo.py -%{python3_sitearch}/%{name}/netcmd/gpo.py -%{python3_sitearch}/%{name}/netcmd/group.py -%{python3_sitearch}/%{name}/netcmd/ldapcmp.py -%{python3_sitearch}/%{name}/netcmd/main.py -%{python3_sitearch}/%{name}/netcmd/nettime.py -%{python3_sitearch}/%{name}/netcmd/ntacl.py -%{python3_sitearch}/%{name}/netcmd/ou.py -%{python3_sitearch}/%{name}/netcmd/processes.py -%{python3_sitearch}/%{name}/netcmd/pso.py -%{python3_sitearch}/%{name}/netcmd/rodc.py -%{python3_sitearch}/%{name}/netcmd/schema.py -%{python3_sitearch}/%{name}/netcmd/sites.py -%{python3_sitearch}/%{name}/netcmd/spn.py -%{python3_sitearch}/%{name}/netcmd/testparm.py -%{python3_sitearch}/%{name}/netcmd/user.py -%{python3_sitearch}/%{name}/netcmd/visualize.py -%{python3_sitearch}/%{name}/ntacls.py -%{python3_sitearch}/%{name}/param.*.so -%{python3_sitearch}/%{name}/policy.*.so -%{python3_sitearch}/%{name}/registry.*.so -%{python3_sitearch}/%{name}/security.*.so +%{python3_sitearch}/samba/netcmd/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/common.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/computer.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/contact.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/dbcheck.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/delegation.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/domain.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/domain_backup.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/drs.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/dsacl.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/forest.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/fsmo.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/group.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/ldapcmp.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/main.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/nettime.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/ntacl.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/ou.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/processes.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/pso.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/rodc.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/sites.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/spn.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/testparm.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/user.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/visualize.*.pyc +%{python3_sitearch}/samba/netcmd/common.py +%{python3_sitearch}/samba/netcmd/computer.py +%{python3_sitearch}/samba/netcmd/contact.py +%{python3_sitearch}/samba/netcmd/dbcheck.py +%{python3_sitearch}/samba/netcmd/delegation.py +%{python3_sitearch}/samba/netcmd/dns.py +%{python3_sitearch}/samba/netcmd/domain.py +%{python3_sitearch}/samba/netcmd/domain_backup.py +%{python3_sitearch}/samba/netcmd/drs.py +%{python3_sitearch}/samba/netcmd/dsacl.py +%{python3_sitearch}/samba/netcmd/forest.py +%{python3_sitearch}/samba/netcmd/fsmo.py +%{python3_sitearch}/samba/netcmd/gpo.py +%{python3_sitearch}/samba/netcmd/group.py +%{python3_sitearch}/samba/netcmd/ldapcmp.py +%{python3_sitearch}/samba/netcmd/main.py +%{python3_sitearch}/samba/netcmd/nettime.py +%{python3_sitearch}/samba/netcmd/ntacl.py +%{python3_sitearch}/samba/netcmd/ou.py +%{python3_sitearch}/samba/netcmd/processes.py +%{python3_sitearch}/samba/netcmd/pso.py +%{python3_sitearch}/samba/netcmd/rodc.py +%{python3_sitearch}/samba/netcmd/schema.py +%{python3_sitearch}/samba/netcmd/sites.py +%{python3_sitearch}/samba/netcmd/spn.py +%{python3_sitearch}/samba/netcmd/testparm.py +%{python3_sitearch}/samba/netcmd/user.py +%{python3_sitearch}/samba/netcmd/visualize.py +%{python3_sitearch}/samba/ntacls.py +%{python3_sitearch}/samba/param.*.so +%{python3_sitearch}/samba/policy.*.so +%{python3_sitearch}/samba/registry.*.so +%{python3_sitearch}/samba/security.*.so %dir %{python3_sitearch}/samba/samba3 %{python3_sitearch}/samba/samba3/__init__.py %dir %{python3_sitearch}/samba/samba3/__pycache__ -%{python3_sitearch}/%{name}/samba3/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/samba3/libsmb_samba_internal.*.so -%{python3_sitearch}/%{name}/samba3/param.*.so -%{python3_sitearch}/%{name}/samba3/passdb.*.so -%{python3_sitearch}/%{name}/samba3/smbd.*.so -%{python3_sitearch}/%{name}/sd_utils.py -%{python3_sitearch}/%{name}/sites.py -%{python3_sitearch}/%{name}/smb.*.so -%{python3_sitearch}/%{name}/subnets.py +%{python3_sitearch}/samba/samba3/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/samba3/libsmb_samba_internal.*.so +%{python3_sitearch}/samba/samba3/param.*.so +%{python3_sitearch}/samba/samba3/passdb.*.so +%{python3_sitearch}/samba/samba3/smbd.*.so +%{python3_sitearch}/samba/sd_utils.py +%{python3_sitearch}/samba/sites.py +%{python3_sitearch}/samba/subnets.py %dir %{python3_sitearch}/samba/subunit %{python3_sitearch}/samba/subunit/__init__.py %dir %{python3_sitearch}/samba/subunit/__pycache__ -%{python3_sitearch}/%{name}/subunit/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/subunit/__pycache__/run.*.pyc -%{python3_sitearch}/%{name}/subunit/run.py -%{python3_sitearch}/%{name}/tdb_util.py -%{python3_sitearch}/%{name}/upgrade.py -%{python3_sitearch}/%{name}/upgradehelpers.py +%{python3_sitearch}/samba/subunit/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/subunit/__pycache__/run.*.pyc +%{python3_sitearch}/samba/subunit/run.py +%{python3_sitearch}/samba/tdb_util.py +%dir %{python3_sitearch}/samba/third_party +%{python3_sitearch}/samba/third_party/__init__.py +%dir %{python3_sitearch}/samba/third_party/__pycache__ +%{python3_sitearch}/samba/third_party/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/upgrade.py +%{python3_sitearch}/samba/upgradehelpers.py +%{python3_sitearch}/samba/werror.*.so +%{python3_sitearch}/samba/xattr.py +%{python3_sitearch}/samba/xattr_native.*.so +%{python3_sitearch}/samba/xattr_tdb.*.so + %{_libdir}/libsamba-policy.*.so* %{_libdir}/pkgconfig/samba-policy.*.pc %{_libdir}/samba/libsamba-net.*-samba4.so @@ -2013,369 +1730,415 @@ fi %if %{with_dc} %files -n python3-%{name}-dc -%{python3_sitearch}/%{name}/samdb.py -%{python3_sitearch}/%{name}/schema.py -%{python3_sitearch}/%{name}/__pycache__/domain_update.*.pyc -%{python3_sitearch}/%{name}/__pycache__/dnsserver.*.pyc -%{python3_sitearch}/%{name}/__pycache__/forest_update.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ms_forest_updates_markdown.*.pyc -%{python3_sitearch}/%{name}/__pycache__/ms_schema_markdown.*.pyc -%{python3_sitearch}/%{name}/__pycache__/remove_dc.*.pyc -%{python3_sitearch}/%{name}/__pycache__/samdb.*.pyc -%{python3_sitearch}/%{name}/__pycache__/schema.*.pyc -%{python3_sitearch}/%{name}/dcerpc/dnsserver.*.so -%{python3_sitearch}/%{name}/dckeytab.*.so -%{python3_sitearch}/%{name}/dsdb.*.so -%{python3_sitearch}/%{name}/dsdb_dns.*.so -%{python3_sitearch}/%{name}/domain_update.py -%{python3_sitearch}/%{name}/forest_update.py -%{python3_sitearch}/%{name}/ms_forest_updates_markdown.py -%{python3_sitearch}/%{name}/ms_schema_markdown.py +%{python3_sitearch}/samba/samdb.py +%{python3_sitearch}/samba/schema.py + +%{python3_sitearch}/samba/__pycache__/domain_update.*.pyc +%{python3_sitearch}/samba/__pycache__/dnsserver.*.pyc +%{python3_sitearch}/samba/__pycache__/forest_update.*.pyc +%{python3_sitearch}/samba/__pycache__/ms_forest_updates_markdown.*.pyc +%{python3_sitearch}/samba/__pycache__/ms_schema_markdown.*.pyc +%{python3_sitearch}/samba/__pycache__/remove_dc.*.pyc +%{python3_sitearch}/samba/__pycache__/samdb.*.pyc +%{python3_sitearch}/samba/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/__pycache__/uptodateness.*.pyc + +%{python3_sitearch}/samba/dcerpc/dnsserver.*.so +%{python3_sitearch}/samba/dckeytab.*.so +%{python3_sitearch}/samba/dsdb.*.so +%{python3_sitearch}/samba/dsdb_dns.*.so +%{python3_sitearch}/samba/domain_update.py +%{python3_sitearch}/samba/forest_update.py +%{python3_sitearch}/samba/ms_forest_updates_markdown.py +%{python3_sitearch}/samba/ms_schema_markdown.py %dir %{python3_sitearch}/samba/kcc -%{python3_sitearch}/%{name}/kcc/__init__.py -%{python3_sitearch}/%{name}/kcc/debug.py -%{python3_sitearch}/%{name}/kcc/graph.py -%{python3_sitearch}/%{name}/kcc/graph_utils.py -%{python3_sitearch}/%{name}/kcc/kcc_utils.py -%{python3_sitearch}/%{name}/kcc/ldif_import_export.py -%{python3_sitearch}/%{name}/dnsserver.py +%{python3_sitearch}/samba/kcc/__init__.py +%{python3_sitearch}/samba/kcc/debug.py +%{python3_sitearch}/samba/kcc/graph.py +%{python3_sitearch}/samba/kcc/graph_utils.py +%{python3_sitearch}/samba/kcc/kcc_utils.py +%{python3_sitearch}/samba/kcc/ldif_import_export.py +%{python3_sitearch}/samba/dnsserver.py %dir %{python3_sitearch}/samba/kcc/__pycache__ -%{python3_sitearch}/%{name}/kcc/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/kcc/__pycache__/debug.*.pyc -%{python3_sitearch}/%{name}/kcc/__pycache__/graph.*.pyc -%{python3_sitearch}/%{name}/kcc/__pycache__/graph_utils.*.pyc -%{python3_sitearch}/%{name}/kcc/__pycache__/kcc_utils.*.pyc -%{python3_sitearch}/%{name}/kcc/__pycache__/ldif_import_export.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/debug.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/graph.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/graph_utils.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/kcc_utils.*.pyc +%{python3_sitearch}/samba/kcc/__pycache__/ldif_import_export.*.pyc %dir %{python3_sitearch}/samba/provision -%{python3_sitearch}/%{name}/provision/backend.py -%{python3_sitearch}/%{name}/provision/common.py -%{python3_sitearch}/%{name}/provision/kerberos.py -%{python3_sitearch}/%{name}/provision/kerberos_implementation.py -%{python3_sitearch}/%{name}/provision/sambadns.py +%{python3_sitearch}/samba/provision/backend.py +%{python3_sitearch}/samba/provision/common.py +%{python3_sitearch}/samba/provision/kerberos.py +%{python3_sitearch}/samba/provision/kerberos_implementation.py +%{python3_sitearch}/samba/provision/sambadns.py %dir %{python3_sitearch}/samba/provision/__pycache__ -%{python3_sitearch}/%{name}/provision/__init__.py -%{python3_sitearch}/%{name}/provision/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/provision/__pycache__/backend.*.pyc -%{python3_sitearch}/%{name}/provision/__pycache__/common.*.pyc -%{python3_sitearch}/%{name}/provision/__pycache__/kerberos.*.pyc -%{python3_sitearch}/%{name}/provision/__pycache__/kerberos_implementation.*.pyc -%{python3_sitearch}/%{name}/provision/__pycache__/sambadns.*.pyc +%{python3_sitearch}/samba/provision/__init__.py +%{python3_sitearch}/samba/provision/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/provision/__pycache__/backend.*.pyc +%{python3_sitearch}/samba/provision/__pycache__/common.*.pyc +%{python3_sitearch}/samba/provision/__pycache__/kerberos.*.pyc +%{python3_sitearch}/samba/provision/__pycache__/kerberos_implementation.*.pyc +%{python3_sitearch}/samba/provision/__pycache__/sambadns.*.pyc -%{python3_sitearch}/%{name}/remove_dc.py +%{python3_sitearch}/samba/remove_dc.py +%{python3_sitearch}/samba/uptodateness.py %endif %files -n python3-%{name}-test %dir %{python3_sitearch}/samba/tests %{python3_sitearch}/samba/tests/__init__.py %dir %{python3_sitearch}/samba/tests/__pycache__ -%{python3_sitearch}/%{name}/tests/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/audit_log_base.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/audit_log_dsdb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/audit_log_pass_change.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_base.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_pass_change.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_ncalrpc.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_netlogon.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_netlogon_bad_creds.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/auth_log_samlogon.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/common.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/core.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/credentials.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dckeytab.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns_base.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns_forwarder.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns_invalid.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns_tkey.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dns_wildcard.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dsdb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dsdb_lock.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/dsdb_schema_attributes.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/docs.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/domain_backup.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/encrypted_secrets.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/gensec.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/get_opt.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/getdcname.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/glue.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/gpo.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/graph.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/group_audit.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/hostconfig.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/join.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/krb5_credentials.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/libsmb_samba_internal.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/loadparm.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/lsa_string.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/messaging.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/netbios.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/netcmd.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/net_join_no_spnego.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/net_join.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/netlogonsvc.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/ntacls.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/ntacls_backup.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/ntlmdisabled.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/pam_winbind.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/param.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_hash.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_hash_fl2003.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_hash_fl2008.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_hash_gpgme.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_hash_ldap.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_quality.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/password_test.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/policy.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/posixacl.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/provision.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/pso.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/py_credentials.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/registry.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/s3idmapdb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/s3param.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/s3passdb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/s3registry.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/s3windb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/samba3sam.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/samdb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/samdb_api.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/security.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/smb.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/source.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/strings.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/subunitrun.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/tdb_util.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/unicodenames.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/upgrade.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/upgradeprovision.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/upgradeprovisionneeddc.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/xattr.*.pyc -%{python3_sitearch}/%{name}/tests/__pycache__/smbd_base.*.pyc -%{python3_sitearch}/%{name}/tests/audit_log_base.py -%{python3_sitearch}/%{name}/tests/audit_log_dsdb.py -%{python3_sitearch}/%{name}/tests/audit_log_pass_change.py -%{python3_sitearch}/%{name}/tests/auth.py -%{python3_sitearch}/%{name}/tests/auth_log.py -%{python3_sitearch}/%{name}/tests/auth_log_base.py -%{python3_sitearch}/%{name}/tests/auth_log_ncalrpc.py -%{python3_sitearch}/%{name}/tests/auth_log_netlogon_bad_creds.py -%{python3_sitearch}/%{name}/tests/auth_log_netlogon.py -%{python3_sitearch}/%{name}/tests/auth_log_pass_change.py -%{python3_sitearch}/%{name}/tests/auth_log_samlogon.py +%{python3_sitearch}/samba/tests/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/audit_log_base.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/audit_log_dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/audit_log_pass_change.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_base.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_pass_change.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_ncalrpc.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_netlogon.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_netlogon_bad_creds.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_samlogon.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/common.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/core.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/domain_backup.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/domain_backup_offline.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/encrypted_secrets.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gensec.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/get_opt.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/join.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/net_join.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/netlogonsvc.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntacls.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntacls_backup.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntlmdisabled.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntlm_auth.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_base.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/param.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_hash_fl2003.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_hash_fl2008.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_hash_gpgme.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_hash_ldap.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_quality.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/password_test.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/policy.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/posixacl.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/prefork_restart.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/process_limits.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/provision.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/pso.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/py_credentials.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/registry.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3idmapdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3param.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/security.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/source.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/upgrade.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/upgradeprovision.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/upgradeprovisionneeddc.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/usage.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/xattr.*.pyc +%{python3_sitearch}/samba/tests/audit_log_base.py +%{python3_sitearch}/samba/tests/audit_log_dsdb.py +%{python3_sitearch}/samba/tests/audit_log_pass_change.py +%{python3_sitearch}/samba/tests/auth.py +%{python3_sitearch}/samba/tests/auth_log.py +%{python3_sitearch}/samba/tests/auth_log_base.py +%{python3_sitearch}/samba/tests/auth_log_ncalrpc.py +%{python3_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py +%{python3_sitearch}/samba/tests/auth_log_netlogon.py +%{python3_sitearch}/samba/tests/auth_log_pass_change.py +%{python3_sitearch}/samba/tests/auth_log_samlogon.py +%{python3_sitearch}/samba/tests/auth_log_winbind.py %dir %{python3_sitearch}/samba/tests/blackbox %{python3_sitearch}/samba/tests/blackbox/__init__.py %dir %{python3_sitearch}/samba/tests/blackbox/__pycache__ -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/check_output.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/ndrdump.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/smbcontrol.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/traffic_learner.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/traffic_replay.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/__pycache__/traffic_summary.*.pyc -%{python3_sitearch}/%{name}/tests/blackbox/check_output.py -%{python3_sitearch}/%{name}/tests/blackbox/ndrdump.py -%{python3_sitearch}/%{name}/tests/blackbox/samba_dnsupdate.py -%{python3_sitearch}/%{name}/tests/blackbox/smbcontrol.py -%{python3_sitearch}/%{name}/tests/blackbox/traffic_learner.py -%{python3_sitearch}/%{name}/tests/blackbox/traffic_replay.py -%{python3_sitearch}/%{name}/tests/blackbox/traffic_summary.py -%{python3_sitearch}/%{name}/tests/common.py -%{python3_sitearch}/%{name}/tests/core.py -%{python3_sitearch}/%{name}/tests/credentials.py +%{python3_sitearch}/samba/tests/blackbox/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol_process.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_learner.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_replay.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_summary.*.pyc +%{python3_sitearch}/samba/tests/blackbox/bug13653.py +%{python3_sitearch}/samba/tests/blackbox/check_output.py +%{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py +%{python3_sitearch}/samba/tests/blackbox/ndrdump.py +%{python3_sitearch}/samba/tests/blackbox/netads_json.py +%{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py +%{python3_sitearch}/samba/tests/blackbox/smbcontrol.py +%{python3_sitearch}/samba/tests/blackbox/smbcontrol_process.py +%{python3_sitearch}/samba/tests/blackbox/traffic_learner.py +%{python3_sitearch}/samba/tests/blackbox/traffic_replay.py +%{python3_sitearch}/samba/tests/blackbox/traffic_summary.py +%{python3_sitearch}/samba/tests/common.py +%{python3_sitearch}/samba/tests/complex_expressions.py +%{python3_sitearch}/samba/tests/core.py +%{python3_sitearch}/samba/tests/credentials.py %dir %{python3_sitearch}/samba/tests/dcerpc %{python3_sitearch}/samba/tests/dcerpc/__init__.py %dir %{python3_sitearch}/samba/tests/dcerpc/__pycache__ -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/array.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/bare.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/dnsserver.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/misc.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/raw_protocol.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/raw_testcase.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/registry.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/rpc_talloc.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/rpcecho.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/sam.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/srvsvc.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/string.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/__pycache__/testrpc.*.pyc -%{python3_sitearch}/%{name}/tests/dcerpc/array.py -%{python3_sitearch}/%{name}/tests/dcerpc/bare.py -%{python3_sitearch}/%{name}/tests/dcerpc/dnsserver.py -%{python3_sitearch}/%{name}/tests/dcerpc/misc.py -%{python3_sitearch}/%{name}/tests/dcerpc/raw_protocol.py -%{python3_sitearch}/%{name}/tests/dcerpc/raw_testcase.py -%{python3_sitearch}/%{name}/tests/dcerpc/registry.py -%{python3_sitearch}/%{name}/tests/dcerpc/rpc_talloc.py -%{python3_sitearch}/%{name}/tests/dcerpc/rpcecho.py -%{python3_sitearch}/%{name}/tests/dcerpc/sam.py -%{python3_sitearch}/%{name}/tests/dcerpc/srvsvc.py -%{python3_sitearch}/%{name}/tests/dcerpc/string.py -%{python3_sitearch}/%{name}/tests/dcerpc/testrpc.py -%{python3_sitearch}/%{name}/tests/dckeytab.py -%{python3_sitearch}/%{name}/tests/dns.py -%{python3_sitearch}/%{name}/tests/dns_base.py -%{python3_sitearch}/%{name}/tests/dns_forwarder.py +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_testcase.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/registry.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpc_talloc.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpcecho.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/sam.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/srvsvc.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/string_tests.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/testrpc.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/unix.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/array.py +%{python3_sitearch}/samba/tests/dcerpc/bare.py +%{python3_sitearch}/samba/tests/dcerpc/dnsserver.py +%{python3_sitearch}/samba/tests/dcerpc/integer.py +%{python3_sitearch}/samba/tests/dcerpc/misc.py +%{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py +%{python3_sitearch}/samba/tests/dcerpc/raw_testcase.py +%{python3_sitearch}/samba/tests/dcerpc/registry.py +%{python3_sitearch}/samba/tests/dcerpc/rpc_talloc.py +%{python3_sitearch}/samba/tests/dcerpc/rpcecho.py +%{python3_sitearch}/samba/tests/dcerpc/sam.py +%{python3_sitearch}/samba/tests/dcerpc/srvsvc.py +%{python3_sitearch}/samba/tests/dcerpc/string_tests.py +%{python3_sitearch}/samba/tests/dcerpc/testrpc.py +%{python3_sitearch}/samba/tests/dcerpc/unix.py +%{python3_sitearch}/samba/tests/dckeytab.py +%{python3_sitearch}/samba/tests/dns.py +%{python3_sitearch}/samba/tests/dns_base.py +%{python3_sitearch}/samba/tests/dns_forwarder.py %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers -%{python3_sitearch}/%{name}/tests/dns_forwarder_helpers/__pycache__/server.*.pyc -%{python3_sitearch}/%{name}/tests/dns_forwarder_helpers/server.py -%{python3_sitearch}/%{name}/tests/dns_invalid.py -%{python3_sitearch}/%{name}/tests/dns_tkey.py -%{python3_sitearch}/%{name}/tests/dns_wildcard.py -%{python3_sitearch}/%{name}/tests/dsdb.py -%{python3_sitearch}/%{name}/tests/dsdb_lock.py -%{python3_sitearch}/%{name}/tests/dsdb_schema_attributes.py -%{python3_sitearch}/%{name}/tests/docs.py -%{python3_sitearch}/%{name}/tests/domain_backup.py +%{python3_sitearch}/samba/tests/dns_forwarder_helpers/__pycache__/server.*.pyc +%{python3_sitearch}/samba/tests/dns_forwarder_helpers/server.py +%{python3_sitearch}/samba/tests/dns_invalid.py +%{python3_sitearch}/samba/tests/dns_tkey.py +%{python3_sitearch}/samba/tests/dns_wildcard.py +%{python3_sitearch}/samba/tests/dsdb.py +%{python3_sitearch}/samba/tests/dsdb_lock.py +%{python3_sitearch}/samba/tests/dsdb_schema_attributes.py +%{python3_sitearch}/samba/tests/docs.py +%{python3_sitearch}/samba/tests/domain_backup.py +%{python3_sitearch}/samba/tests/domain_backup_offline.py %dir %{python3_sitearch}/samba/tests/emulate %{python3_sitearch}/samba/tests/emulate/__init__.py %dir %{python3_sitearch}/samba/tests/emulate/__pycache__ -%{python3_sitearch}/%{name}/tests/emulate/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/emulate/__pycache__/traffic.*.pyc -%{python3_sitearch}/%{name}/tests/emulate/__pycache__/traffic_packet.*.pyc -%{python3_sitearch}/%{name}/tests/emulate/traffic.py -%{python3_sitearch}/%{name}/tests/emulate/traffic_packet.py -%{python3_sitearch}/%{name}/tests/encrypted_secrets.py -%{python3_sitearch}/%{name}/tests/gensec.py -%{python3_sitearch}/%{name}/tests/getdcname.py -%{python3_sitearch}/%{name}/tests/get_opt.py -%{python3_sitearch}/%{name}/tests/glue.py -%{python3_sitearch}/%{name}/tests/gpo.py -%{python3_sitearch}/%{name}/tests/graph.py -%{python3_sitearch}/%{name}/tests/group_audit.py -%{python3_sitearch}/%{name}/tests/hostconfig.py -%{python3_sitearch}/%{name}/tests/join.py +%{python3_sitearch}/samba/tests/emulate/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/emulate/__pycache__/traffic.*.pyc +%{python3_sitearch}/samba/tests/emulate/__pycache__/traffic_packet.*.pyc +%{python3_sitearch}/samba/tests/emulate/traffic.py +%{python3_sitearch}/samba/tests/emulate/traffic_packet.py +%{python3_sitearch}/samba/tests/encrypted_secrets.py +%{python3_sitearch}/samba/tests/gensec.py +%{python3_sitearch}/samba/tests/getdcname.py +%{python3_sitearch}/samba/tests/get_opt.py +%{python3_sitearch}/samba/tests/glue.py +%{python3_sitearch}/samba/tests/gpo.py +%{python3_sitearch}/samba/tests/graph.py +%{python3_sitearch}/samba/tests/group_audit.py +%{python3_sitearch}/samba/tests/hostconfig.py +%{python3_sitearch}/samba/tests/join.py %dir %{python3_sitearch}/samba/tests/kcc %{python3_sitearch}/samba/tests/kcc/__init__.py %dir %{python3_sitearch}/samba/tests/kcc/__pycache__ -%{python3_sitearch}/%{name}/tests/kcc/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/kcc/__pycache__/graph.*.pyc -%{python3_sitearch}/%{name}/tests/kcc/__pycache__/graph_utils.*.pyc -%{python3_sitearch}/%{name}/tests/kcc/__pycache__/kcc_utils.*.pyc -%{python3_sitearch}/%{name}/tests/kcc/__pycache__/ldif_import_export.*.pyc -%{python3_sitearch}/%{name}/tests/kcc/graph.py -%{python3_sitearch}/%{name}/tests/kcc/graph_utils.py -%{python3_sitearch}/%{name}/tests/kcc/kcc_utils.py -%{python3_sitearch}/%{name}/tests/kcc/ldif_import_export.py -%{python3_sitearch}/%{name}/tests/krb5_credentials.py -%{python3_sitearch}/%{name}/tests/libsmb_samba_internal.py -%{python3_sitearch}/%{name}/tests/loadparm.py -%{python3_sitearch}/%{name}/tests/lsa_string.py -%{python3_sitearch}/%{name}/tests/messaging.py -%{python3_sitearch}/%{name}/tests/netbios.py -%{python3_sitearch}/%{name}/tests/netcmd.py -%{python3_sitearch}/%{name}/tests/net_join_no_spnego.py -%{python3_sitearch}/%{name}/tests/net_join.py -%{python3_sitearch}/%{name}/tests/netlogonsvc.py -%{python3_sitearch}/%{name}/tests/ntacls.py -%{python3_sitearch}/%{name}/tests/ntacls_backup.py -%{python3_sitearch}/%{name}/tests/ntlmdisabled.py -%{python3_sitearch}/%{name}/tests/pam_winbind.py -%{python3_sitearch}/%{name}/tests/pam_winbind_warn_pwd_expire.py -%{python3_sitearch}/%{name}/tests/param.py -%{python3_sitearch}/%{name}/tests/password_hash.py -%{python3_sitearch}/%{name}/tests/password_hash_fl2003.py -%{python3_sitearch}/%{name}/tests/password_hash_fl2008.py -%{python3_sitearch}/%{name}/tests/password_hash_gpgme.py -%{python3_sitearch}/%{name}/tests/password_hash_ldap.py -%{python3_sitearch}/%{name}/tests/password_quality.py -%{python3_sitearch}/%{name}/tests/password_test.py -%{python3_sitearch}/%{name}/tests/policy.py -%{python3_sitearch}/%{name}/tests/posixacl.py -%{python3_sitearch}/%{name}/tests/provision.py -%{python3_sitearch}/%{name}/tests/pso.py -%{python3_sitearch}/%{name}/tests/py_credentials.py -%{python3_sitearch}/%{name}/tests/registry.py -%{python3_sitearch}/%{name}/tests/s3idmapdb.py -%{python3_sitearch}/%{name}/tests/s3param.py -%{python3_sitearch}/%{name}/tests/s3passdb.py -%{python3_sitearch}/%{name}/tests/s3registry.py -%{python3_sitearch}/%{name}/tests/s3windb.py -%{python3_sitearch}/%{name}/tests/samba3sam.py +%{python3_sitearch}/samba/tests/kcc/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/kcc/__pycache__/graph.*.pyc +%{python3_sitearch}/samba/tests/kcc/__pycache__/graph_utils.*.pyc +%{python3_sitearch}/samba/tests/kcc/__pycache__/kcc_utils.*.pyc +%{python3_sitearch}/samba/tests/kcc/__pycache__/ldif_import_export.*.pyc +%{python3_sitearch}/samba/tests/kcc/graph.py +%{python3_sitearch}/samba/tests/kcc/graph_utils.py +%{python3_sitearch}/samba/tests/kcc/kcc_utils.py +%{python3_sitearch}/samba/tests/kcc/ldif_import_export.py +%{python3_sitearch}/samba/tests/krb5_credentials.py +%{python3_sitearch}/samba/tests/ldap_referrals.py +%{python3_sitearch}/samba/tests/libsmb.py +%{python3_sitearch}/samba/tests/loadparm.py +%{python3_sitearch}/samba/tests/lsa_string.py +%{python3_sitearch}/samba/tests/messaging.py +%{python3_sitearch}/samba/tests/netbios.py +%{python3_sitearch}/samba/tests/netcmd.py +%{python3_sitearch}/samba/tests/net_join_no_spnego.py +%{python3_sitearch}/samba/tests/net_join.py +%{python3_sitearch}/samba/tests/netlogonsvc.py +%{python3_sitearch}/samba/tests/ntacls.py +%{python3_sitearch}/samba/tests/ntacls_backup.py +%{python3_sitearch}/samba/tests/ntlmdisabled.py +%{python3_sitearch}/samba/tests/ntlm_auth.py +%{python3_sitearch}/samba/tests/ntlm_auth_base.py +%{python3_sitearch}/samba/tests/ntlm_auth_krb5.py +%{python3_sitearch}/samba/tests/pam_winbind.py +%{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py +%{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py +%{python3_sitearch}/samba/tests/param.py +%{python3_sitearch}/samba/tests/password_hash.py +%{python3_sitearch}/samba/tests/password_hash_fl2003.py +%{python3_sitearch}/samba/tests/password_hash_fl2008.py +%{python3_sitearch}/samba/tests/password_hash_gpgme.py +%{python3_sitearch}/samba/tests/password_hash_ldap.py +%{python3_sitearch}/samba/tests/password_quality.py +%{python3_sitearch}/samba/tests/password_test.py +%{python3_sitearch}/samba/tests/policy.py +%{python3_sitearch}/samba/tests/posixacl.py +%{python3_sitearch}/samba/tests/prefork_restart.py +%{python3_sitearch}/samba/tests/process_limits.py +%{python3_sitearch}/samba/tests/provision.py +%{python3_sitearch}/samba/tests/pso.py +%{python3_sitearch}/samba/tests/py_credentials.py +%{python3_sitearch}/samba/tests/registry.py +%{python3_sitearch}/samba/tests/s3idmapdb.py +%{python3_sitearch}/samba/tests/s3param.py +%{python3_sitearch}/samba/tests/s3passdb.py +%{python3_sitearch}/samba/tests/s3registry.py +%{python3_sitearch}/samba/tests/s3windb.py +%{python3_sitearch}/samba/tests/samba3sam.py +%{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool %{python3_sitearch}/samba/tests/samba_tool/__init__.py %dir %{python3_sitearch}/samba/tests/samba_tool/__pycache__ -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/base.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/computer.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/demote.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/dnscmd.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/forest.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/fsmo.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/gpo.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/group.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/help.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/join.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/ntacl.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/ou.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/passwordsettings.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/processes.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/provision_password_check.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/rodc.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/schema.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/sites.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/timecmd.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/user.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/user_check_password_script.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/user_wdigest.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/visualize.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/__pycache__/visualize_drs.*.pyc -%{python3_sitearch}/%{name}/tests/samba_tool/base.py -%{python3_sitearch}/%{name}/tests/samba_tool/computer.py -%{python3_sitearch}/%{name}/tests/samba_tool/demote.py -%{python3_sitearch}/%{name}/tests/samba_tool/dnscmd.py -%{python3_sitearch}/%{name}/tests/samba_tool/forest.py -%{python3_sitearch}/%{name}/tests/samba_tool/fsmo.py -%{python3_sitearch}/%{name}/tests/samba_tool/gpo.py -%{python3_sitearch}/%{name}/tests/samba_tool/group.py -%{python3_sitearch}/%{name}/tests/samba_tool/help.py -%{python3_sitearch}/%{name}/tests/samba_tool/join.py -%{python3_sitearch}/%{name}/tests/samba_tool/ntacl.py -%{python3_sitearch}/%{name}/tests/samba_tool/ou.py -%{python3_sitearch}/%{name}/tests/samba_tool/passwordsettings.py -%{python3_sitearch}/%{name}/tests/samba_tool/processes.py -%{python3_sitearch}/%{name}/tests/samba_tool/provision_password_check.py -%{python3_sitearch}/%{name}/tests/samba_tool/rodc.py -%{python3_sitearch}/%{name}/tests/samba_tool/schema.py -%{python3_sitearch}/%{name}/tests/samba_tool/sites.py -%{python3_sitearch}/%{name}/tests/samba_tool/timecmd.py -%{python3_sitearch}/%{name}/tests/samba_tool/user.py -%{python3_sitearch}/%{name}/tests/samba_tool/user_check_password_script.py -%{python3_sitearch}/%{name}/tests/samba_tool/user_virtualCryptSHA.py -%{python3_sitearch}/%{name}/tests/samba_tool/user_wdigest.py -%{python3_sitearch}/%{name}/tests/samba_tool/visualize.py -%{python3_sitearch}/%{name}/tests/samba_tool/visualize_drs.py -%{python3_sitearch}/%{name}/tests/samdb.py -%{python3_sitearch}/%{name}/tests/samdb_api.py -%{python3_sitearch}/%{name}/tests/security.py -%{python3_sitearch}/%{name}/tests/smb.py -%{python3_sitearch}/%{name}/tests/source.py -%{python3_sitearch}/%{name}/tests/strings.py -%{python3_sitearch}/%{name}/tests/subunitrun.py -%{python3_sitearch}/%{name}/tests/tdb_util.py -%{python3_sitearch}/%{name}/tests/unicodenames.py -%{python3_sitearch}/%{name}/tests/upgrade.py -%{python3_sitearch}/%{name}/tests/upgradeprovision.py -%{python3_sitearch}/%{name}/tests/upgradeprovisionneeddc.py -%{python3_sitearch}/%{name}/tests/xattr.py -%{python3_sitearch}/%{name}/tests/smbd_base.py -%dir %{python3_sitearch}/samba/web_server -%{python3_sitearch}/samba/web_server/__init__.py -%dir %{python3_sitearch}/samba/web_server/__pycache__ -%{python3_sitearch}/%{name}/web_server/__pycache__/__init__.*.pyc -%{python3_sitearch}/%{name}/werror.*.so -%{python3_sitearch}/%{name}/xattr.py -%{python3_sitearch}/%{name}/xattr_native.*.so -%{python3_sitearch}/%{name}/xattr_tdb.*.so +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/base.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/computer.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/contact.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/demote.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/dnscmd.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/drs_clone_dc_data_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/dsacl.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/processes.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/timecmd.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_check_password_script.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_wdigest.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize_drs.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/base.py +%{python3_sitearch}/samba/tests/samba_tool/computer.py +%{python3_sitearch}/samba/tests/samba_tool/contact.py +%{python3_sitearch}/samba/tests/samba_tool/demote.py +%{python3_sitearch}/samba/tests/samba_tool/dnscmd.py +%{python3_sitearch}/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/dsacl.py +%{python3_sitearch}/samba/tests/samba_tool/forest.py +%{python3_sitearch}/samba/tests/samba_tool/fsmo.py +%{python3_sitearch}/samba/tests/samba_tool/gpo.py +%{python3_sitearch}/samba/tests/samba_tool/group.py +%{python3_sitearch}/samba/tests/samba_tool/help.py +%{python3_sitearch}/samba/tests/samba_tool/join.py +%{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/ntacl.py +%{python3_sitearch}/samba/tests/samba_tool/ou.py +%{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py +%{python3_sitearch}/samba/tests/samba_tool/processes.py +%{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py +%{python3_sitearch}/samba/tests/samba_tool/rodc.py +%{python3_sitearch}/samba/tests/samba_tool/schema.py +%{python3_sitearch}/samba/tests/samba_tool/sites.py +%{python3_sitearch}/samba/tests/samba_tool/timecmd.py +%{python3_sitearch}/samba/tests/samba_tool/user.py +%{python3_sitearch}/samba/tests/samba_tool/user_check_password_script.py +%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py +%{python3_sitearch}/samba/tests/samba_tool/user_wdigest.py +%{python3_sitearch}/samba/tests/samba_tool/visualize.py +%{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py +%{python3_sitearch}/samba/tests/samdb.py +%{python3_sitearch}/samba/tests/samdb_api.py +%{python3_sitearch}/samba/tests/security.py +%{python3_sitearch}/samba/tests/segfault.py +%{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smbd_base.py +%{python3_sitearch}/samba/tests/smbd_fuzztest.py +%{python3_sitearch}/samba/tests/source.py +%{python3_sitearch}/samba/tests/strings.py +%{python3_sitearch}/samba/tests/subunitrun.py +%{python3_sitearch}/samba/tests/tdb_util.py +%{python3_sitearch}/samba/tests/upgrade.py +%{python3_sitearch}/samba/tests/upgradeprovision.py +%{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py +%{python3_sitearch}/samba/tests/usage.py +%{python3_sitearch}/samba/tests/xattr.py %files test %{_bindir}/gentest @@ -2385,25 +2148,28 @@ fi %{_bindir}/smbtorture %if %{with testsuite} -%{_libdir}/%{name}/libnss-wrapper.so -%{_libdir}/%{name}/libsocket-wrapper.so -%{_libdir}/%{name}/libuid-wrapper.so +# files to ignore in testsuite mode +%{_libdir}/samba/libnss-wrapper.so +%{_libdir}/samba/libsocket-wrapper.so +%{_libdir}/samba/libuid-wrapper.so %endif + %if %with_dc -%{_libdir}/%{name}/libdlz-bind9-for-torture-samba4.so +%{_libdir}/samba/libdlz-bind9-for-torture-samba4.so %else -%{_libdir}/%{name}/libdsdb-module-samba4.so +%{_libdir}/samba/libdsdb-module-samba4.so %endif +### WINBIND %files winbind -%{_libdir}/%{name}/idmap -%{_libdir}/%{name}/nss_info -%{_libdir}/%{name}/libnss-info-samba4.so -%{_libdir}/%{name}/libidmap-samba4.so +%{_libdir}/samba/idmap +%{_libdir}/samba/nss_info +%{_libdir}/samba/libnss-info-samba4.so +%{_libdir}/samba/libidmap-samba4.so %{_sbindir}/winbindd %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged %{_unitdir}/winbind.service -%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind +%{_prefix}/lib/NetworkManager %files winbind-clients %{_bindir}/ntlm_auth @@ -2424,38 +2190,65 @@ fi %files -n ctdb %doc ctdb/README %doc ctdb/doc/examples +# Obsolete %config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb + %dir %{_sysconfdir}/ctdb -%config(noreplace) %{_sysconfdir}/ctdb/*.sh %config(noreplace) %{_sysconfdir}/ctdb/ctdb.conf +%config(noreplace) %{_sysconfdir}/ctdb/notify.sh +%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh +%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh +%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh %{_sysconfdir}/ctdb/functions -%{_sysconfdir}/ctdb/statd-callout %{_sysconfdir}/ctdb/nfs-linux-kernel-callout +%{_sysconfdir}/ctdb/statd-callout %config %{_sysconfdir}/sudoers.d/ctdb %dir %{_sysconfdir}/ctdb/events +%dir %{_sysconfdir}/ctdb/events/legacy %dir %{_sysconfdir}/ctdb/events/notification %{_sysconfdir}/ctdb/events/notification/README %dir %{_sysconfdir}/ctdb/nfs-checks.d %{_sysconfdir}/ctdb/nfs-checks.d/README -%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/*.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/10.status.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check +%config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check +%{_sbindir}/ctdbd +%{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb -%{_bindir}/ctdb_diagnostics +%{_bindir}/ctdb_local_daemons +%{_bindir}/ping_pong %{_bindir}/ltdbtool +%{_bindir}/ctdb_diagnostics %{_bindir}/onnode -%{_bindir}/ping_pong -%{_sbindir}/ctdbd -%{_sbindir}/ctdbd_wrapper %dir %{_libexecdir}/ctdb -%{_libexecdir}/ctdb/ctdb* +%{_libexecdir}/ctdb/ctdb-config +%{_libexecdir}/ctdb/ctdb-event +%{_libexecdir}/ctdb/ctdb-eventd +%{_libexecdir}/ctdb/ctdb_killtcp +%{_libexecdir}/ctdb/ctdb_lock_helper +%{_libexecdir}/ctdb/ctdb_lvs +%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper +%{_libexecdir}/ctdb/ctdb_natgw +%{_libexecdir}/ctdb/ctdb-path +%{_libexecdir}/ctdb/ctdb_recovery_helper +%{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify %dir %{_localstatedir}/lib/ctdb/ +%dir %{_localstatedir}/lib/ctdb/persistent +%dir %{_localstatedir}/lib/ctdb/state +%dir %{_localstatedir}/lib/ctdb/volatile + %{_tmpfilesdir}/ctdb.conf + %{_unitdir}/ctdb.service %dir %{_datadir}/ctdb @@ -2486,19 +2279,120 @@ fi %dir %{_libexecdir}/ctdb %dir %{_libexecdir}/ctdb/tests -%{_libexecdir}/ctdb/tests/* +%{_libexecdir}/ctdb/tests/cmdline_test +%{_libexecdir}/ctdb/tests/comm_client_test +%{_libexecdir}/ctdb/tests/comm_server_test +%{_libexecdir}/ctdb/tests/comm_test +%{_libexecdir}/ctdb/tests/conf_test +%{_libexecdir}/ctdb/tests/ctdb_io_test +%{_libexecdir}/ctdb/tests/ctdb_packet_parse +%{_libexecdir}/ctdb/tests/ctdb_takeover_tests +%{_libexecdir}/ctdb/tests/db_hash_test +%{_libexecdir}/ctdb/tests/dummy_client +%{_libexecdir}/ctdb/tests/errcode +%{_libexecdir}/ctdb/tests/event_protocol_test +%{_libexecdir}/ctdb/tests/event_script_test +%{_libexecdir}/ctdb/tests/fake_ctdbd +%{_libexecdir}/ctdb/tests/fetch_loop +%{_libexecdir}/ctdb/tests/fetch_loop_key +%{_libexecdir}/ctdb/tests/fetch_readonly +%{_libexecdir}/ctdb/tests/fetch_readonly_loop +%{_libexecdir}/ctdb/tests/fetch_ring +%{_libexecdir}/ctdb/tests/g_lock_loop +%{_libexecdir}/ctdb/tests/hash_count_test +%{_libexecdir}/ctdb/tests/line_test +%{_libexecdir}/ctdb/tests/lock_tdb +%{_libexecdir}/ctdb/tests/message_ring +%{_libexecdir}/ctdb/tests/pidfile_test +%{_libexecdir}/ctdb/tests/pkt_read_test +%{_libexecdir}/ctdb/tests/pkt_write_test +%{_libexecdir}/ctdb/tests/porting_tests +%{_libexecdir}/ctdb/tests/protocol_basic_test +%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test +%{_libexecdir}/ctdb/tests/protocol_ctdb_test +%{_libexecdir}/ctdb/tests/protocol_types_compat_test +%{_libexecdir}/ctdb/tests/protocol_types_test +%{_libexecdir}/ctdb/tests/protocol_util_test +%{_libexecdir}/ctdb/tests/rb_test +%{_libexecdir}/ctdb/tests/reqid_test +%{_libexecdir}/ctdb/tests/run_event_test +%{_libexecdir}/ctdb/tests/run_proc_test +%{_libexecdir}/ctdb/tests/sigcode +%{_libexecdir}/ctdb/tests/sock_daemon_test +%{_libexecdir}/ctdb/tests/sock_io_test +%{_libexecdir}/ctdb/tests/srvid_test +%{_libexecdir}/ctdb/tests/system_socket_test +%{_libexecdir}/ctdb/tests/transaction_loop +%{_libexecdir}/ctdb/tests/tunnel_cmd +%{_libexecdir}/ctdb/tests/tunnel_test +%{_libexecdir}/ctdb/tests/update_record +%{_libexecdir}/ctdb/tests/update_record_persistent %dir %{_datadir}/ctdb/tests + %dir %{_datadir}/ctdb/tests/complex -%{_datadir}/ctdb/tests/complex/* -%exclude %{_datadir}/ctdb/tests/complex/scripts +%{_datadir}/ctdb/tests/complex/README +%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh +%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh +%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh +%{_datadir}/ctdb/tests/complex/31_nfs_tickle.sh +%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh +%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh +%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh +%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh +%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh +%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh +%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh +%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh +%{_datadir}/ctdb/tests/complex/44_failover_nfs_oneway.sh +%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh +%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh +%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh %dir %{_datadir}/ctdb/tests/complex/scripts %{_datadir}/ctdb/tests/complex/scripts/local.bash %dir %{_datadir}/ctdb/tests/cunit -%{_datadir}/ctdb/tests/cunit/* - +%{_datadir}/ctdb/tests/cunit/cmdline_test_001.sh +%{_datadir}/ctdb/tests/cunit/comm_test_001.sh +%{_datadir}/ctdb/tests/cunit/comm_test_002.sh +%{_datadir}/ctdb/tests/cunit/conf_test_001.sh +%{_datadir}/ctdb/tests/cunit/config_test_001.sh +%{_datadir}/ctdb/tests/cunit/config_test_002.sh +%{_datadir}/ctdb/tests/cunit/config_test_003.sh +%{_datadir}/ctdb/tests/cunit/config_test_004.sh +%{_datadir}/ctdb/tests/cunit/config_test_005.sh +%{_datadir}/ctdb/tests/cunit/config_test_006.sh +%{_datadir}/ctdb/tests/cunit/config_test_007.sh +%{_datadir}/ctdb/tests/cunit/ctdb_io_test_001.sh +%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh +%{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh +%{_datadir}/ctdb/tests/cunit/event_script_test_001.sh +%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh +%{_datadir}/ctdb/tests/cunit/line_test_001.sh +%{_datadir}/ctdb/tests/cunit/path_tests_001.sh +%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh +%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh +%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh +%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh +%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh +%{_datadir}/ctdb/tests/cunit/rb_test_001.sh +%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh +%{_datadir}/ctdb/tests/cunit/run_event_001.sh +%{_datadir}/ctdb/tests/cunit/run_proc_001.sh +%{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh +%{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh +%{_datadir}/ctdb/tests/cunit/srvid_test_001.sh +%{_datadir}/ctdb/tests/cunit/system_socket_test_001.sh +%dir %{_datadir}/ctdb/tests/etc-ctdb +%dir %{_datadir}/ctdb/tests/etc-ctdb/events +%dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy +%{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script %dir %{_datadir}/ctdb/tests/eventd %{_datadir}/ctdb/tests/eventd/README %dir %{_datadir}/ctdb/tests/eventd/etc-ctdb @@ -2589,10 +2483,8 @@ fi %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.007.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.011.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.012.sh -%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.013.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.014.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.015.sh -%{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh %{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh @@ -2840,6 +2732,8 @@ fi %{_datadir}/ctdb/tests/onnode/0004.sh %{_datadir}/ctdb/tests/onnode/0005.sh %{_datadir}/ctdb/tests/onnode/0006.sh +%{_datadir}/ctdb/tests/onnode/0010.sh +%{_datadir}/ctdb/tests/onnode/0011.sh %{_datadir}/ctdb/tests/onnode/0070.sh %{_datadir}/ctdb/tests/onnode/0071.sh %{_datadir}/ctdb/tests/onnode/0072.sh @@ -2876,12 +2770,9 @@ fi %dir %{_datadir}/ctdb/tests/simple %{_datadir}/ctdb/tests/simple/README -%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh %{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh -%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh -%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh -%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh -%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh +%{_datadir}/ctdb/tests/simple/01_ctdb_reclock_command.sh +%{_datadir}/ctdb/tests/simple/02_ctdb_tunables.sh %{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh %{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh %{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh @@ -2904,11 +2795,9 @@ fi %{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh %{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh %{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh -%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh -%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh +%{_datadir}/ctdb/tests/simple/32_ctdb_disable_enable.sh %{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh -%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh -%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh +%{_datadir}/ctdb/tests/simple/42_ctdb_stop_continue.sh %{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh %{_datadir}/ctdb/tests/simple/51_message_ring.sh %{_datadir}/ctdb/tests/simple/52_fetch_ring.sh @@ -2918,6 +2807,7 @@ fi %{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh %{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh %{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh +%{_datadir}/ctdb/tests/simple/69_recovery_resurrect_deleted.sh %{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh %{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh %{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh @@ -2930,17 +2820,12 @@ fi %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh %{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh %{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh -%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh +%{_datadir}/ctdb/tests/simple/91_version_check.sh -%dir %{_datadir}/ctdb/tests/simple/etc-ctdb -%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events -%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy -%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script %dir %{_datadir}/ctdb/tests/simple/scripts %{_datadir}/ctdb/tests/simple/scripts/local.bash %{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash -%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh %dir %{_datadir}/ctdb/tests/takeover %{_datadir}/ctdb/tests/takeover/README @@ -3023,7 +2908,6 @@ fi %dir %{_datadir}/ctdb/tests/takeover_helper/scripts %{_datadir}/ctdb/tests/takeover_helper/scripts/local.sh - %dir %{_datadir}/ctdb/tests/tool %{_datadir}/ctdb/tests/tool/README %{_datadir}/ctdb/tests/tool/ctdb.attach.001.sh @@ -3161,6 +3045,7 @@ fi %dir %{_datadir}/ctdb/tests/tool/scripts %{_datadir}/ctdb/tests/tool/scripts/local.sh +#endif with_clustering_support %endif %files help @@ -3169,59 +3054,15 @@ fi %{_mandir}/man5/* %{_mandir}/man7/* %exclude %{_mandir}/man7/libsmbclient.7.gz -%{_mandir}/man8/winbindd.8* -%{_mandir}/man8/idmap_*.8* -%{_mandir}/man8/winbind_krb5_localauth.8* -%{_mandir}/man8/winbind_krb5_locator.8* -%{_mandir}/man8/pam_winbind.8* -%{_mandir}/man8/smbspool_krb5_wrapper.8* -%{_mandir}/man8/cifsdd.8.* -%{_mandir}/man8/samba-regedit.8* -%{_mandir}/man8/smbspool.8* -%{_mandir}/man8/eventlogadm.8* -%{_mandir}/man8/smbd.8* -%{_mandir}/man8/nmbd.8* -%{_mandir}/man8/vfs_a* -%{_mandir}/man8/vfs_btrfs.8* -%{_mandir}/man8/vfs_ca* -%{_mandir}/man8/vfs_commit.8* -%{_mandir}/man8/vfs_crossrename.8* -%{_mandir}/man8/vfs_default_quota.8* -%{_mandir}/man8/vfs_dirsort.8* -%{_mandir}/man8/vfs_extd_audit.8* -%{_mandir}/man8/vfs_fake_perms.8* -%{_mandir}/man8/vfs_fileid.8* -%{_mandir}/man8/vfs_fruit.8* -%{_mandir}/man8/vfs_full_audit.8* -%{_mandir}/man8/vfs_gpfs.8* -%{_mandir}/man8/vfs_linux_xfs_sgid.8* -%{_mandir}/man8/vfs_media_harmony.8* -%{_mandir}/man8/vfs_netatalk.8* -%{_mandir}/man8/vfs_nfs4acl_xattr.8* -%{_mandir}/man8/vfs_offline.8* -%{_mandir}/man8/vfs_prealloc.8* -%{_mandir}/man8/vfs_preopen.8* -%{_mandir}/man8/vfs_readahead.8* -%{_mandir}/man8/vfs_readonly.8* -%{_mandir}/man8/vfs_recycle.8* -%{_mandir}/man8/vfs_shadow_copy.8* -%{_mandir}/man8/vfs_shadow_copy2.8* -%{_mandir}/man8/vfs_shell_snap.8* -%{_mandir}/man8/vfs_snapper.8* -%{_mandir}/man8/vfs_streams_depot.8* -%{_mandir}/man8/vfs_streams_xattr.8* -%{_mandir}/man8/vfs_syncops.8* -%{_mandir}/man8/vfs_time_audit.8* -%{_mandir}/man8/vfs_tsmsm.8* -%{_mandir}/man8/vfs_unityed_media.8* -%{_mandir}/man8/vfs_virusfilter.8* -%{_mandir}/man8/vfs_worm.8* -%{_mandir}/man8/vfs_xattr_tdb.8* -%{_mandir}/man8/net.8* -%{_mandir}/man8/pdbedit.8* -%{_mandir}/man8/smbpasswd.8* +%{_mandir}/man8/* %changelog +* Mon Feb 10 2020 openEuler Buildteam - 4.11.6-1 +- Update to Samba 4.11.6 + +* Fri Jan 10 2020 openEuler Buildteam - 4.9.8-9 +- clean unused file + * Tue Dec 31 2019 openEuler Buildteam - 4.9.1-8 - Type:NA - Id:NA