[Pkg-samba-maint] [samba] 10/11: Add regression patch for Joining a 2003 domain as a domain member
Andrew Bartlett
abartlet-guest at moszumanska.debian.org
Tue Apr 12 22:38:00 UTC 2016
This is an automated email from the git hooks/post-receive script.
abartlet-guest pushed a commit to branch master
in repository samba.
commit cd4cbcab916b45f2fbcc06da890b2c3ebf3280fb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Apr 11 15:48:26 2016 +1200
Add regression patch for Joining a 2003 domain as a domain member
---
debian/changelog | 1 +
...-prerequisite-v4-3-regression-fixes.metze01.txt | 43 ++++++++++++++++++++++
debian/patches/series | 1 +
source3/libads/sasl.c | 8 +++-
4 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 8f5bb5d..975ba3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ samba (2:4.3.7+dfsg-1) UNRELEASED; urgency=medium
- CVE-2016-2114 ("server signing = mandatory" not enforced)
- CVE-2016-2115 (SMB IPC traffic is not integrity protected)
- CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+ * Additional regression fix for 'net ads join' to a Windows 2003 domain by metze
-- Andrew Bartlett <abartlet+debian at catalyst.net.nz> Wed, 06 Apr 2016 14:25:42 +1200
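Review bot: The new changelog bullet does not name the bug it addresses. The patch added later in this commit cites https://bugzilla.samba.org/show_bug.cgi?id=11804, so the bullet should carry that reference. Because it sits directly under the CVE-2016-2114/2115/2118 items, it would also help to say explicitly that this is a regression fix on top of the security patches, not a further CVE fix.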
diff --git a/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt b/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
new file mode 100644
index 0000000..4d9d5da
--- /dev/null
+++ b/debian/patches/security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
@@ -0,0 +1,43 @@
+From ad9257bc5464a2d8c2029e19ef6530a3974d987e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Fri, 8 Apr 2016 10:05:38 +0200
+Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with
+ kerberos and arcfour-hmac-md5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
+(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
+that prevents things like 'net ads join' from working against a Windows 2003 domain.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Günther Deschner <gd at samba.org>
+---
+ source3/libads/sasl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 4fcd733..22aa9cf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
+ ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
+
+ ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
+- ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
++ /*
++ * Note that we have to truncate this to 0x2C
++ * (taken from a capture with LDAP unbind), as the
++ * signature size is not constant for Kerberos with
++ * arcfour-hmac-md5.
++ */
++ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
+ ads->ldap.in.max_wrapped = max_wrapped;
+ status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
+ if (!ADS_ERR_OK(status)) {
+--
+1.9.1
+
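Review bot: The sasl.c change carried in this new patch file (index 4fcd733..22aa9cf) is also committed directly to source3/libads/sasl.c in this same commit, with an identical index line. The tree therefore already contains what the series entry will try to apply. If this repository does not keep the quilt series applied in git, one of the two copies should be dropped, otherwise the patch will not apply cleanly at build time. The commit message should state which convention is in use.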
diff --git a/debian/patches/series b/debian/patches/series
index e1ce906..67351ab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ disable-socketwrapper.diff
ctdb-Fix-detection-of-gnukfreebsd.patch
no_build_options.patch
fix-against-talloc-2.1.6.patch
+security-2016-04-12-prerequisite-v4-3-regression-fixes.metze01.txt
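Review bot: The new series entry ends in .txt, while the entries visible above it in this hunk use .patch or .diff. Renaming the file to match would keep the series consistent. A name that mentions the sasl.c min_wrapped fix or bug 11804 would also be easier to trace than "prerequisite-v4-3-regression-fixes.metze01".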
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4fcd733..22aa9cf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
- ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
+ /*
+ * Note that we have to truncate this to 0x2C
+ * (taken from a capture with LDAP unbind), as the
+ * signature size is not constant for Kerberos with
+ * arcfour-hmac-md5.
+ */
+ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
ads->ldap.in.max_wrapped = max_wrapped;
status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
if (!ADS_ERR_OK(status)) {
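Review bot: The new assignment `ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);` is unconditional, although the comment justifies the cap only for Kerberos with arcfour-hmac-md5. Any mechanism reaching this point in ads_sasl_spnego_gensec_bind() with a sig_size above 0x2C now gets a lower in.min_wrapped as well. Either apply the cap only in the arcfour-hmac-md5 case, or extend the comment to say why a smaller minimum is acceptable for every mechanism and that the unwrap step still rejects a wrapped packet shorter than its real signature. The value 0x2C, described as "taken from a capture with LDAP unbind", would be clearer as a named constant with that derivation next to its definition. "Truncate" in the comment reads as if data were cut, where "cap" or "limit" is meant.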
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git