[Pkg-samba-maint] [samba] 10/11: Add regression patch for Joining a 2003 domain as a domain member

Andrew Bartlett abartlet-guest at moszumanska.debian.org
Tue Apr 12 22:38:00 UTC 2016


This is an automated email from the git hooks/post-receive script.

abartlet-guest pushed a commit to branch master
in repository samba.

commit cd4cbcab916b45f2fbcc06da890b2c3ebf3280fb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 11 15:48:26 2016 +1200

    Add regression patch for Joining a 2003 domain as a domain member
---
 debian/changelog                                   |  1 +
 ...-prerequisite-v4-3-regression-fixes.metze01.txt | 43 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 source3/libads/sasl.c                              |  8 +++-
 4 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 8f5bb5d..975ba3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ samba (2:4.3.7+dfsg-1) UNRELEASED; urgency=medium
     - CVE-2016-2114 ("server signing = mandatory" not enforced)
     - CVE-2016-2115 (SMB IPC traffic is not integrity protected)
     - CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+  * Additional regression fix for 'net ads join' to a Windows 2003 domain by metze
 
  -- Andrew Bartlett <abartlet+debian at catalyst.net.nz>  Wed, 06 Apr 2016 14:25:42 +1200
 
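Review bot: The changelog entry added at the end of this list names neither the upstream bug nor the patch file, so the entry cannot be traced from the changelog alone. The patch header added in this commit carries "BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804"; consider citing that bug, and the name of the file added under debian/patches, in the entry.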
diff --git a/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt b/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
new file mode 100644
index 0000000..4d9d5da
--- /dev/null
+++ b/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
@@ -0,0 +1,43 @@
+From ad9257bc5464a2d8c2029e19ef6530a3974d987e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Fri, 8 Apr 2016 10:05:38 +0200
+Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with
+ kerberos and arcfour-hmac-md5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
+(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
+that prevents things like 'net ads join' from working against a Windows 2003 domain.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Günther Deschner <gd at samba.org>
+---
+ source3/libads/sasl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 4fcd733..22aa9cf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
+ 		ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
+ 
+ 		ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
+-		ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
++		/*
++		 * Note that we have to truncate this to 0x2C
++		 * (taken from a capture with LDAP unbind), as the
++		 * signature size is not constant for Kerberos with
++		 * arcfour-hmac-md5.
++		 */
++		ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
+ 		ads->ldap.in.max_wrapped = max_wrapped;
+ 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
+ 		if (!ADS_ERR_OK(status)) {
+-- 
+1.9.1
+
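Review bot: The Subject line in the imported patch header reads "sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5", which does not parse and does not say what was fixed. If the header is intentionally kept verbatim from upstream, leave it, but the file name is then worth a second look: the other entries visible in debian/patches/series end in .diff or .patch, while this file ends in .txt.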
diff --git a/debian/patches/series b/debian/patches/series
index e1ce906..67351ab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ disable-socketwrapper.diff
 ctdb-Fix-detection-of-gnukfreebsd.patch
 no_build_options.patch
 fix-against-talloc-2.1.6.patch
+security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
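Review bot: The patch is registered in the series file here, yet the same commit also applies the identical change directly to source3/libads/sasl.c (same index 4fcd733..22aa9cf). If this branch is kept with patches unapplied, the series entry will fail to apply on top of the already modified file; if it is kept patches-applied, a sentence saying so in the commit message would save the next reader from checking.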
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4fcd733..22aa9cf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 		ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
 
 		ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
-		ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
+		/*
+		 * Note that we have to truncate this to 0x2C
+		 * (taken from a capture with LDAP unbind), as the
+		 * signature size is not constant for Kerberos with
+		 * arcfour-hmac-md5.
+		 */
+		ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
 		ads->ldap.in.max_wrapped = max_wrapped;
 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
 		if (!ADS_ERR_OK(status)) {
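Review bot: The clamp in "ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);" is unconditional, so it applies to every mechanism and encryption type that reaches this point in ads_sasl_spnego_gensec_bind(), not only to Kerberos with arcfour-hmac-md5 as the comment suggests. Judging by the field name, this lowers the minimum size accepted for an incoming wrapped packet in all cases, and the comment should state that this is intended. The bare 0x2C, taken from a single capture, would also read better as a named constant, and "truncate" in the comment is better worded as "cap", since the value is an upper limit on the minimum rather than a truncation of data.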

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



