[Pkg-samba-maint] [Git][samba-team/samba][buster-security] 43 commits: CVE-2020-25722 Ensure the structural objectclass cannot be changed

Salvatore Bonaccorso (@carnil) gitlab at salsa.debian.org
Sat Nov 27 09:57:40 GMT 2021



Salvatore Bonaccorso pushed to branch buster-security at Debian Samba Team / samba


Commits:
075a0298 by Andrew Bartlett at 2021-11-22T13:43:22+01:00
CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforceable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

[jsutton at samba.org Adapted knownfails to ad_dc_ntvfs and fixed knownfail
 conflicts]

- - - - -
799d8e07 by Andrew Bartlett at 2021-11-22T13:43:31+01:00
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify

The remaining failures in the priv_attrs (not the strict one) test are
due to missing objectclass constraints on the administrator which should
be addressed, but are not a security issue.

A better test for confirming constraints between objectclass and
userAccountControl UF_NORMAL_ACCOUNT/UF_WORKSTATION_TRUST values would
be user_account_control.py.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
b12ef302 by Salvatore Bonaccorso at 2021-11-22T13:49:28+01:00
Add patches for CVE-2020-25722

- - - - -
c46ccd69 by Ralph Boehme at 2021-11-22T13:51:27+01:00
s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()

This delays reloading config slightly, but I don't see how it could affect
observable behaviour other than log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_session_info_krb5() being sent to a different logfile if "log file" uses %U.

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62)

[scabrero at samba.org Prerequisite for CVE-2020-25717 backport]

- - - - -
bad7935b by Samuel Cabrero at 2021-11-22T13:51:27+01:00
selftest: Fix ktest usermap file

The user was not mapped:

user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator|
The user 'KTEST/administrator' has no mapping. Skip it next time.

Signed-off-by: Samuel Cabrero <scabrero at samba.org>

[scabrero at samba.org Once smb_getpwnam() fallbacks are removed the user
 has to be mapped]

- - - - -
98da177d by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")

This is much more flexible and concentrates the logic in a single place.

We'll use winbindd => "offline" in other places soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
(cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d)

[scabrero at samba.org Backported to 4.10]

- - - - -
4d5d75d7 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
c644de47 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true

We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[scabrero at samba.org Backported for 4.10 due to no logon_id for
log_authentication() nor is_allowed_domain()]

- - - - -
505ffe1d by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true

We need to make sure that temporary failures don't trigger a fallback
to the local SAM that silently ignores the domain name part for users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
309d0476 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s4:torture: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
88608552 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s4:smb_server: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
0bf999f5 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s4:auth_simple: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d175d1a8 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
026d3cfe by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:torture: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[scabrero at samba.org Backported to 4.10 due to missing commit
a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
of SMBOWFencrypt()]

- - - - -
0f4893fa by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:rpcclient: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d71bda26 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[scabrero at samba.org Backported to 4.10 due to missing commits
7f75dec865256049e99f7fcf46317cd2d53e95d1 and
434030ba711e677fdd167a255d05c1cd4db943b7]

- - - - -
5cd52183 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1

This is not strictly needed, but makes it easier to audit
that we don't miss important places.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
59c8f721 by Samuel Cabrero at 2021-11-22T13:51:27+01:00
CVE-2020-25717: loadparm: Add new parameter "min domain uid"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

[abartlet at samba.org Backported from master/4.15 due to
 conflicts with other new parameters]

- - - - -
b670388f by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors

Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
cb358a51 by Samuel Cabrero at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: Check minimum domain uid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
16f14c30 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account

We should avoid autocreation of users as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
118260ff by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users

So far we autocreated local user accounts based on just the
account_name (just ignoring any domain part).

This only happens via a possible 'add user script',
which is not typically defined on domain members
and on NT4 DCs local users already exist in the
local passdb anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
29b11916 by Ralph Boehme at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

Users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]")  mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.

Note: use 'git show -w'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

[scabrero at samba.org Backported to 4.9 removing
 selftest/knownfail.d/ktest after fixing user mapping in ktest
 environment]

- - - - -
402283b9 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()

We always require a running winbindd on a domain member, so
we should better fail a request instead of silently altering
the behaviour, which results in a different unix token, just
because winbindd might be restarted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
b8f184b8 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
on the service account, which can only be explicitly configured,
but that's an invalid configuration!

We still try to support standalone servers in an MIT realm,
as legacy setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
12d6a5c7 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()

We'll require a PAC at the main gensec layer already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[abartlet at samba.org Backported from master/4.15 as
 check_password is sync in 4.14]

- - - - -
a4589857 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
fb06852f by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
f96d6945 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()

This consolidates the code paths used for NTLMSSP and Kerberos!

I checked what we were already doing for NTLMSSP, which is this:

a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx()
b) as a domain member we require a valid response from winbindd,
   otherwise we'll return NT_STATUS_NO_LOGON_SERVERS
c) we call make_server_info_wbcAuthUserInfo(), which internally
   calls make_server_info_info3()
d) auth_check_ntlm_password() calls
   smb_pam_accountcheck(unix_username, rhost), where rhost
   is only an ipv4 or ipv6 address (without reverse dns lookup)
e) from auth3_check_password_send/auth3_check_password_recv()
   server_returned_info will be passed to auth3_generate_session_info(),
   triggered by gensec_session_info(), which means we'll call into
   create_local_token() in order to transform auth_serversupplied_info
   into auth_session_info.

For Kerberos gensec_session_info() will call
auth3_generate_session_info_pac() via the gensec_generate_session_info_pac()
helper function. The current logic is this:

a) gensec_generate_session_info_pac() is the function that
   evaluates the 'gensec:require_pac', which defaulted to 'no'
   before.
b) auth3_generate_session_info_pac() called
   wbcAuthenticateUserEx() in order to pass the PAC blob
   to winbindd, but only to prime its cache, e.g. netsamlogon cache
   and others. Most failures were just ignored.
c) If the PAC blob is available, it extracted the PAC_LOGON_INFO
   from it.
d) Then we called the horrible get_user_from_kerberos_info() function:
   - It uses the first part of the ticket's principal name (before the @)
     as username and combines that with the 'logon_info->base.logon_domain'
     if the logon_info (PAC) is present.
   - As a fallback without a PAC it tries to ask winbindd for a mapping
     from realm to netbios domain name.
   - Finally it falls back to using the realm as netbios domain name
   With this information it builds 'userdomain+winbind_separator+useraccount'
   and calls map_username() followed by smb_getpwnam() with create=true.
   Note this is similar to the make_server_info_info3() => check_account()
   => smb_getpwnam() logic under 3.
   - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name
     instead of the ip address as rhost.
   - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the
     guest account.
e) We called create_info3_from_pac_logon_info()
f) make_session_info_krb5() gets called and triggers this:
   - If get_user_from_kerberos_info() mapped to guest, it calls
     make_server_info_guest()
   - If create_info3_from_pac_logon_info() created a info3 from logon_info,
     it calls make_server_info_info3()
   - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with
     a fallback to make_server_info_pw()
   From there it calls create_local_token()

I tried to change auth3_generate_session_info_pac() to behave similarly
to auth_winbind.c together with auth3_generate_session_info() as
a domain member, as we now rely on a PAC:

a) As domain member we require a PAC and always call wbcAuthenticateUserEx()
   and require a valid response!
b) we call make_server_info_wbcAuthUserInfo(), which internally
   calls make_server_info_info3(). Note make_server_info_info3()
   handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest()
   internally.
c) Similar to auth_check_ntlm_password() we now call
   smb_pam_accountcheck(unix_username, rhost), where rhost
   is only an ipv4 or ipv6 address (without reverse dns lookup)
d) From there it calls create_local_token()

As standalone server (in an MIT realm) we continue
with the already existing code logic, which works without a PAC:
a) we keep smb_getpwnam() with create=true logic as it
   also requires an explicit 'add user script' option.
b) In the following commits we assert that there's
   actually no PAC in this mode, which means we can
   remove unused and confusing code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[abartlet at samba.org Backported due to change in structure
 initialization with { 0 } to zero ]
[abartlet at samba.org backported to 4.12 due to conflict
 with code not present to reload shared on krb5 login]

- - - - -
6d7cf6bc by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid

The 'ktest' environment was/is designed to test kerberos in an active
directory member setup. It was created at a time we wanted to test
smbd/winbindd with kerberos without having the source4 ad dc available.

This still applies to testing the build with system krb5 libraries
but without relying on a running ad dc.

As a domain member setup requires a running winbindd, we should test it
that way, in order to reflect a valid setup.

As a side effect it provides a way to demonstrate that we can accept
smb connections authenticated via kerberos, but no connection to
a domain controller! In order to get this working offline, we need an
idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which
should be the default choice.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[scabrero at samba.org Backported to 4.11 Run winbindd in offline mode
 but keep the user name mapping to avoid having to backport fixes
 for bso#14539]

- - - - -
cd30eb98 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode

We should be strict in standalone mode, that we only support MIT realms
without a PAC in order to keep the code sane.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

[abartlet at samba.org Backported to Samba 4.12; has conflicts
 as the share reload code is in a different spot]

- - - - -
4b4d8fa5 by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument

This code is only ever called in standalone mode on a MIT realm,
which means we never have a PAC and we also don't have winbindd around.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
beb0739a by Stefan Metzmacher at 2021-11-22T13:51:27+01:00
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments

This is only ever called in standalone mode with an MIT realm,
so we don't have a PAC/info3 structure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3d75e2a7 by Salvatore Bonaccorso at 2021-11-22T13:52:11+01:00
Add patches for CVE-2020-25717

- - - - -
ee57b917 by Volker Lendecke at 2021-11-22T19:24:43+01:00
lib: Add dom_sid_str_buf

This is modeled after server_id_str_buf, which as an API to me is easier to
use: I can rely on the compiler to get the buffer size right.

It is designed to violate README.Coding's "Make use of helper variables", but
as this API is simple enough and the output should never be a surprise at all,
I think that's worth it.

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Fri Nov  2 20:11:11 CET 2018 on sn-devel-144

- - - - -
aee43c9d by Salvatore Bonaccorso at 2021-11-22T19:25:07+01:00
Add "lib: Add dom_sid_str_buf" patch

- - - - -
bca1a728 by Stefan Metzmacher at 2021-11-22T19:25:08+01:00
CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain

We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

[abartlet at samba.org backported from commit bfd093648b4af51d104096c0cb3535e8706671e5
 as header libcli/security/dom_sid.h was not present for struct dom_sid_buf]

[abartlet at samba.org fix CVE marker]

- - - - -
8a2243bc by Andrew Bartlett at 2021-11-22T19:25:08+01:00
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes the 'username map [script]' based workaround advised
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

[metze at samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

[abartlet at samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e
 as usage.py is not present in Samba 4.10]

- - - - -
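The three lookup changes described in the commits above (dropping the bare-name fallback in smb_getpwnam(), adding the sid_to_uid()/getpwuid() fallback, and refusing uids below "min domain uid") can be modelled side by side. This is an added illustration, not code from the Samba tree: the passwd and idmap tables are constructed, and the function names only echo the ones in the commit messages.

```python
"""Model of the unix-account lookup discussed in the CVE-2020-25717 commits.

Added illustration, not Samba's code: the passwd and SID tables below are
constructed, and the function names only echo the ones in the commit messages.
"""
from dataclasses import dataclass
from typing import Dict, Optional

WINBIND_SEPARATOR = "\\"
MIN_DOMAIN_UID = 1000   # stands in for the new "min domain uid" parameter


@dataclass(frozen=True)
class Passwd:
    name: str
    uid: int


# Constructed passwd table: a privileged local account, and domain accounts
# as nss_winbind would expose them (DOMAIN\account).
PASSWD: Dict[str, Passwd] = {
    "administrator": Passwd("administrator", 999),
    "CORP\\administrator": Passwd("CORP\\administrator", 2000000500),
    "PARTNER\\alice": Passwd("PARTNER\\alice", 3000001105),
    "bob": Passwd("bob", 3000001106),  # idmap_nss style: unix name without domain
}

# Constructed idmap table, standing in for sid_to_uid().
SID_TO_UID: Dict[str, int] = {
    "S-1-5-21-1-1-1-500": 2000000500,
    "S-1-5-21-2-2-2-1105": 3000001105,
    "S-1-5-21-2-2-2-1106": 3000001106,
    "S-1-5-21-3-3-3-1000": 999,         # deliberately bad idmap entry
}


def getpwnam(name: str) -> Optional[Passwd]:
    return PASSWD.get(name)


def getpwuid(uid: int) -> Optional[Passwd]:
    return next((p for p in PASSWD.values() if p.uid == uid), None)


def sid_to_uid(sid: str) -> Optional[int]:
    return SID_TO_UID.get(sid)


def smb_getpwnam_before(domain: str, account: str) -> Optional[Passwd]:
    """Pre-fix lookup: DOMAIN\\account first, then the bare account name.

    The second step discards the domain, so any trusted domain's
    "administrator" lands on the local administrator's uid.
    """
    pw = getpwnam(domain + WINBIND_SEPARATOR + account)
    if pw is None:
        pw = getpwnam(account)
    return pw


def smb_getpwnam_after(domain: str, account: str, sid: str) -> Optional[Passwd]:
    """Post-fix lookup: exact DOMAIN\\account, else sid_to_uid()+getpwuid().

    The bare-name fallback is gone, and a domain user may not map to a uid
    below "min domain uid".
    """
    pw = getpwnam(domain + WINBIND_SEPARATOR + account)
    if pw is None:
        uid = sid_to_uid(sid)
        if uid is not None:
            pw = getpwuid(uid)
    if pw is not None and pw.uid < MIN_DOMAIN_UID:
        return None   # refuse: a domain identity resolved to a local system uid
    return pw


if __name__ == "__main__":
    print("before:", smb_getpwnam_before("PARTNER", "administrator"))
    print("after: ", smb_getpwnam_after("PARTNER", "administrator", "S-1-5-21-2-2-2-500"))
```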
ac4ae3a1 by Salvatore Bonaccorso at 2021-11-22T19:25:26+01:00
Add patches to address upstream bug 14901

- - - - -
5fd01fe5 by Mathieu Parent at 2021-11-25T10:11:49+01:00
Drop libparse-pidl-perl package (Closes: #939419)

See also https://gitlab.com/samba-team/samba/commit/e24e344d0da58013fd5fa404529fe1d25ef403bf

- - - - -
46d2d5ca by Lutz Justen at 2021-11-25T10:11:49+01:00
waf: install: Remove installation of PIDL and manpages.

It's not used outside of Samba other than by Wireshark,
which has its own vendor fork.

Signed-off-by: Lutz Justen <ljusten at google.com>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Apr 23 02:08:56 UTC 2019 on sn-devel-144

- - - - -
d374540a by Salvatore Bonaccorso at 2021-11-25T10:11:49+01:00
Add patch to remove installation of PIDL and manpages

Gbp-Dch: Ignore

- - - - -
6abbb5ee by Salvatore Bonaccorso at 2021-11-27T10:35:09+01:00
Prepare changelog for release

Gbp-Dch: Ignore

- - - - -


30 changed files:

- auth/gensec/gensec_util.c
- auth/ntlmssp/ntlmssp_server.c
- debian/changelog
- debian/control
- − debian/libparse-pidl-perl.install
- + debian/patches/CVE-2020-25717-only-4.9-v2.patch
- + debian/patches/CVE-2020-25722.patch
- + debian/patches/bug-14901-v4-9.patch
- + debian/patches/lib-Add-dom_sid_str_buf.patch
- debian/patches/series
- + debian/patches/waf-install-Remove-installation-of-PIDL-and-manpages.patch
- debian/rules
- + docs-xml/smbdotconf/security/mindomainuid.xml
- docs-xml/smbdotconf/winbind/idmapconfig.xml
- lib/param/loadparm.c
- libcli/security/dom_sid.c
- libcli/security/dom_sid.h
- − pidl/lib/wscript_build
- pidl/wscript
- selftest/selftest.pl
- selftest/target/Samba3.pm
- selftest/target/Samba4.pm
- source3/auth/auth_generic.c
- source3/auth/auth_samba4.c
- source3/auth/auth_util.c
- source3/auth/proto.h
- source3/auth/user_krb5.c
- source3/param/loadparm.c
- source3/rpcclient/cmd_netlogon.c
- source3/torture/pdbtest.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/cc11659f797c58937e9c3c2a0851444c55921555...6abbb5ee46bee080b3a0d79c7b06410f68895dbf
