[Pkg-samba-maint] Bug#1009726: bullseye-pu: package samba/2:4.13.13+dfsg-1+deb11u4

Michael Tokarev mjt at tls.msk.ru
Fri Apr 15 15:12:38 BST 2022


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>

Here's the proposed samba package update for bullseye.
I picked up a few patches which were missing when we
did security updates: we only picked up the security-
related patches from upstream but missed bugfixes.
Even missed a known regression caused by two of the
security fixes in there (#999876, #1001053).

[ Reason ]
The reason for this update is simple: to fix quite a few
bugs that accumulated in there, including one serious data
corruption issue.  The bugs being fixed are:

 #999876, winbind fails to start with `allow trusted domains: no`
  regression after a security fix
 #1001053 MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2
  regression after a security fix
 #1004691 CVE-2021-43566: mkdir race condition allows share escape
 #1005642 possible data corruption due to windows client
  cache poisoning
 #998423 server coredump possible with share names containing
  %-variable substitutions
 #953530 unable to install samba on non-systemd system due to missing
  /run/samba dir before running samba tools

[ Tests ]
All code changes are coming from the upstream stable releases.
I included *all* changes from actual released 4.13.17 upstream
stable series (with all the known regressions there fixed),
except for the changes to parts we do not use (lib/ldb/ -
this is our separate ldb package). So for the tests, this
release is much closer to the one which survived the
excellent upstream testsuite and which has been tested
worldwide (what we had in bullseye-security before is some
mix from there).

Other code changes which are from releases later than 4.13.17
(which is the last upstream stable release for the 4.13 series)
are also taken from upstream stable fixes but destined for
later series.

The whole patch set has been running at our sites for quite
a while, for one it fixed the data corruption issue which
hit us hard (#1005642). We're running this since Feb-2022.

And we already run this release on all our production systems
with all the changes included (except it is using the UNRELEASED
build) for quite some time.

There's just one non-code change in there, #953530 - mkdir
/run/samba in postinst before invoking samba. I did verify
this actually fixes the issue (inability to install samba
on a non-systemd system), but this one does not affect
systems that are upgrading samba, as this directory is
already there.

[ Risks ]
There are risks, as with any complex piece of software.
Overall this release should be less risky than current
release in bullseye-security due to the fixes it missed.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

From the d/changelog:

  * Import the left-other patches from 4.13.17 upstream stable branch:
   - s3-winbindd-fix-allow-trusted-domains-no-regression.patch
     Closes: #999876, winbind fails to start with `allow trusted domains: no`
   - IPA-DC-add-missing-checks.patch
   - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch
     Closes: #1001053, MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2
   - dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch
   - s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch
      Closes: #1004691, CVE-2021-43566:
      mkdir race condition allows share escape

This brings us up to upstream 4.13.17; I verified both the result
after applying all the d/patches/ patches and every individual patch
from there.  We are now at the 4.13.17 release *except* for the version
number and the changes in lib/ldb/, which are packaged separately.

  * 4 patches from upstream to fix possible serious data corruption issue
    with windows client cache poisoning, Closes: #1005642

This comes from upstream targeting later samba series, backported to
all relevant stable series. The problem was fixed after 4.13.17
went end-of-life.

  * two patches from upstream to fix coredump when connecting to shares
    with var substitutions, Closes: #998423

Ditto.

  * samba-common-bin.postinst: mkdir /run/samba before invoking samba binaries
    Closes: #953530

This simple change helps new installs on systemd-less systems.

  * remove file creation+deletion from previously applied combined patches
    CVE-2021-23192-only-4.13-v2.patch & CVE-2021-3738-dsdb-crash-4.13-v03.patch
    to make patch deapply happy (quilt does not notice this situation)

This one is kinda interesting. The previous security upload included two
cumulative .patch files (containing several git commits in a single file),
with the first of them adding a file, and the second removing that just-added
file. This does not work right with quilt: it keeps such a "phantom" file in
the source tree when deapplying patches, so a subsequent apply fails because
the file already exists.  So I had to remove the parts of these combined
patches which add and delete these files to make quilt happy. This change
does not affect the resulting code in any way; the result of applying the
cleaned-up patches is *exactly* the same, it just helps with the package
building process.  The files being added+removed are small (these are
just lists of tests known to fail which get cleaned up when the actual
fix is applied), so it's easy to see what's going on there.

  * switch from weird ~deb11uN to the usual +deb11uN release numbering scheme
    since a more recent upstream version is available in testing now

It is not really a change per se, just an indication that the versioning
scheme is finally back to normal.

  * d/salsa-ci.yml: target bullseye

This does nothing to the code, but in order to run salsa-ci tests I
had to change "experimental" to "bullseye" in there. It successfully
passed all tests which it passed before.

[ Other info ]
(Anything else the release team should know.)

---
diff -Nru samba-4.13.13+dfsg/debian/changelog samba-4.13.13+dfsg/debian/changelog
--- samba-4.13.13+dfsg/debian/changelog	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/changelog	2022-04-15 16:25:59.000000000 +0300
@@ -1,3 +1,30 @@
+samba (2:4.13.13+dfsg-1+deb11u4) bullseye; urgency=medium
+
+  * Import the left-other patches from 4.13.17 upstream stable branch:
+   - s3-winbindd-fix-allow-trusted-domains-no-regression.patch
+     Closes: #999876, winbind fails to start with `allow trusted domains: no`
+   - IPA-DC-add-missing-checks.patch
+   - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch
+     Closes: #1001053, MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2
+   - dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch
+   - s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch
+      Closes: #1004691, CVE-2021-43566:
+      mkdir race condition allows share escape
+  * 4 patches from upstream to fix possible serious data corruption issue
+    with windows client cache poisoning, Closes: #1005642
+  * two patches from upstream to fix coredump when connecting to shares
+    with var substitutions, Closes: #998423
+  * samba-common-bin.postinst: mkdir /run/samba before invoking samba binaries
+    Closes: #953530
+  * remove file creation+deletion from previously applied combined patches
+    CVE-2021-23192-only-4.13-v2.patch & CVE-2021-3738-dsdb-crash-4.13-v03.patch
+    to make patch deapply happy (quilt does not notice this situation)
+  * switch from weird ~deb11uN to the usual +deb11uN release numbering scheme
+    since a more recent upstream version is available in testing now
+  * d/salsa-ci.yml: target bullseye
+
+ -- Michael Tokarev <mjt at tls.msk.ru>  Fri, 15 Apr 2022 16:25:59 +0300
+
 samba (2:4.13.13+dfsg-1~deb11u3) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru samba-4.13.13+dfsg/debian/libwbclient0.symbols samba-4.13.13+dfsg/debian/libwbclient0.symbols
--- samba-4.13.13+dfsg/debian/libwbclient0.symbols	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/libwbclient0.symbols	2022-04-15 16:24:01.000000000 +0300
@@ -276,6 +276,7 @@
  nt_time_to_full_timespec at SAMBA_UTIL_0.0.1 2:4.12.0+dfsg
  nt_time_to_unix at SAMBA_UTIL_0.0.1 2:4.11.0
  nt_time_to_unix_timespec at SAMBA_UTIL_0.0.1 2:4.11.0
+ nt_time_to_unix_timespec_raw at SAMBA_UTIL_0.0.1 2:2.4.13+dfsg-1~deb11u4
  nttime_to_timeval at SAMBA_UTIL_0.0.1 2:4.11.0
  null_nttime at SAMBA_UTIL_0.0.1 2:4.11.0
  null_time at SAMBA_UTIL_0.0.1 2:4.11.0
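Review bot: the version tag on the new symbol, `+ nt_time_to_unix_timespec_raw at SAMBA_UTIL_0.0.1 2:2.4.13+dfsg-1~deb11u4`, does not match the package version this debdiff introduces in debian/changelog, `2:4.13.13+dfsg-1+deb11u4` (both the `2.4.13` and the `~` look like typos). dpkg-shlibdeps uses this field to compute the minimum libwbclient0 dependency for any binary that calls the symbol, so a version string that sorts below every released libwbclient0 lets such a dependency be satisfied by a library that does not have the function. Suggest `nt_time_to_unix_timespec_raw at SAMBA_UTIL_0.0.1 2:4.13.13+dfsg-1+deb11u4`.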
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch
--- samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,77 @@
+From 43530db58aa8b7cd4e6f5365fd12ab9ee7861c0d Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Thu, 6 Jan 2022 13:58:20 -0800
+Subject: [PATCH 1/4] lib: util: Add a function nt_time_to_unix_timespec_raw().
+
+Not yet used. Does no checks on the converted values.
+
+A later cleanup will allow us to move nt_time_to_unix_timespec()
+and nt_time_to_full_timespec() to use common code.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Christof Schmitt <cs at samba.org>
+(cherry picked from commit 29d69c22a0d945193ce3dac27e1083dbc5c53f03)
+---
+ lib/util/time.c | 30 ++++++++++++++++++++++++++++++
+ lib/util/time.h |  2 ++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/lib/util/time.c b/lib/util/time.c
+index 0fac5e2e397..b49d2fa6f30 100644
+--- a/lib/util/time.c
++++ b/lib/util/time.c
+@@ -865,6 +865,36 @@ _PUBLIC_ int get_time_zone(time_t t)
+ 	return tm_diff(&tm_utc,tm);
+ }
+ 
++/*
++ * Raw convert an NTTIME to a unix timespec.
++ */
++
++struct timespec nt_time_to_unix_timespec_raw(
++			NTTIME nt)
++{
++	int64_t d;
++	struct timespec ret;
++
++	d = (int64_t)nt;
++	/* d is now in 100ns units, since jan 1st 1601".
++	   Save off the ns fraction. */
++
++	/*
++	 * Take the last seven decimal digits and multiply by 100.
++	 * to convert from 100ns units to 1ns units.
++	 */
++        ret.tv_nsec = (long) ((d % (1000 * 1000 * 10)) * 100);
++
++	/* Convert to seconds */
++	d /= 1000*1000*10;
++
++	/* Now adjust by 369 years to make the secs since 1970 */
++	d -= TIME_FIXUP_CONSTANT_INT;
++
++	ret.tv_sec = (time_t)d;
++	return ret;
++}
++
+ struct timespec nt_time_to_unix_timespec(NTTIME nt)
+ {
+ 	int64_t d;
+diff --git a/lib/util/time.h b/lib/util/time.h
+index 4a90b40d5ce..6cd5bd4daa2 100644
+--- a/lib/util/time.h
++++ b/lib/util/time.h
+@@ -342,6 +342,8 @@ bool nt_time_equal(NTTIME *t1, NTTIME *t2);
+ 
+ void interpret_dos_date(uint32_t date,int *year,int *month,int *day,int *hour,int *minute,int *second);
+ 
++struct timespec nt_time_to_unix_timespec_raw(NTTIME nt);
++
+ struct timespec nt_time_to_unix_timespec(NTTIME nt);
+ 
+ time_t convert_timespec_to_time_t(struct timespec ts);
+-- 
+2.30.2
+
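Review bot: in the hunk adding nt_time_to_unix_timespec_raw() to lib/util/time.c, the line `ret.tv_nsec = (long) ((d % (1000 * 1000 * 10)) * 100);` is indented with spaces while the surrounding lines use tabs, and the comment `d is now in 100ns units, since jan 1st 1601".` carries a stray quote. This is a verbatim cherry-pick of upstream 29d69c22, so carrying it as-is is acceptable; but the header declaration `struct timespec nt_time_to_unix_timespec_raw(NTTIME nt);` added to lib/util/time.h has no comment, and since the commit message stresses that the function "Does no checks on the converted values", a one-line comment at the prototype warning callers that the result is unchecked would be worth adding if the patch is ever refreshed.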
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch
--- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,60 @@
+From 9904bcf0b2dfa234abe85796ce54e5de602b1988 Mon Sep 17 00:00:00 2001
+From: Jones Syue <jonessyue at qnap.com>
+Date: Mon, 10 Jan 2022 09:29:44 -0800
+Subject: [PATCH 4/4] s3: includes: Make the comments describing itime
+ consistent. Always use "invented" time.
+
+It gets confusing if we call it "imaginary" or "instantiation"
+in different places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
+
+Signed-off-by: Jones Syue <jonessyue at qnap.com>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Ralph Boehme <slow at samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra at samba.org>
+Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 745af26a1a6531b2e906aa7c1c0355cbab658441)
+
+Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
+Autobuild-Date(v4-14-test): Wed Jan 12 12:26:56 UTC 2022 on sn-devel-184
+---
+ source3/include/includes.h | 4 ++--
+ source3/lib/system.c       | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/include/includes.h b/source3/include/includes.h
+index 8fa65cc3122..b35108b6c8f 100644
+--- a/source3/include/includes.h
++++ b/source3/include/includes.h
+@@ -209,10 +209,10 @@ struct stat_ex {
+ 	struct timespec st_ex_ctime;
+ 	struct timespec st_ex_btime; /* birthtime */
+ 	/*
+-	 * Immutable original birth time aka instantiation time. Set when a file
++	 * Immutable original birth time aka invented time. Set when a file
+ 	 * is created, never changes thereafter. May not be set by the client.
+ 	 */
+-	struct timespec st_ex_itime; /* instantiation time */
++	struct timespec st_ex_itime; /* invented time */
+ 
+ 	blksize_t	st_ex_blksize;
+ 	blkcnt_t	st_ex_blocks;
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index cd20b7c5eaf..afc48e0d30d 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -428,7 +428,7 @@ void init_stat_ex_from_stat (struct stat_ex *dst,
+ }
+ 
+ /*******************************************************************
+- Create a clock-derived itime (imaginary) time. Used to generate
++ Create a clock-derived itime (invented) time. Used to generate
+  the fileid.
+ ********************************************************************/
+ 
+-- 
+2.30.2
+
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch
--- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,39 @@
+From 9c237a727a3536f8f9fdde98a943373197d43d20 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Mon, 10 Jan 2022 09:01:09 -0800
+Subject: [PATCH 3/4] s3: lib: In create_clock_itime(), use timespec_current()
+ -> clock_gettime(CLOCK_REALTIME..).
+
+CLOCK_MONOTONIC (which we previously used) is reset
+when the system is rebooted.
+
+CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
+changes (for Linux we should probably use CLOCK_TAI instead
+but that is Linux-specific). For most systems CLOCK_REALTIME
+will be good enough.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Ralph Boehme <slow at samba.org>
+(cherry picked from commit 920611f0bc98229ac4a5ee127af7f99216075341)
+---
+ source3/lib/system.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index 1a513020c57..cd20b7c5eaf 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -440,7 +440,7 @@ void create_clock_itime(struct stat_ex *dst)
+ 	uint8_t rval;
+ 
+ 	/* Start with the system clock. */
+-	clock_gettime_mono(&itime);
++	itime = timespec_current();
+ 
+ 	/* Convert to NTTIME. */
+ 	tval = unix_timespec_to_nt_time(itime);
+-- 
+2.30.2
+
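Review bot: this hunk changes `clock_gettime_mono(&itime);` to `itime = timespec_current();` inside create_clock_itime(), a function that only exists once the `bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch` has been applied (the pre-image blob `1a513020c57` of source3/lib/system.c here is exactly the post-image of that patch). The debdiff lists the four bug1005642 patches alphabetically, which places `s3-lib-In-create_clock_itime...` before `s3-smbd-Create-and-use...`; debian/patches/series must instead apply them in upstream order 1/4 (`lib-util-Add-a-function...`), 2/4 (`s3-smbd-Create-and-use...`), 3/4 (`s3-lib-In-create_clock_itime...`), 4/4 (`s3-includes-Make-the-comments...`) or `quilt push` will fail. The series change is not in the visible part of the debdiff, so please confirm the ordering there. Note also the upstream message's own caveat that CLOCK_REALTIME is NTP-adjusted: a clock step backwards can reproduce an earlier itime, and the 8 random bits mixed in by patch 2/4 reduce but do not eliminate the chance of a duplicate File-ID.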
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch
--- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,139 @@
+From 18916136e42ce42b19623c1861afbddf1a7d452f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Wed, 5 Jan 2022 11:40:46 -0800
+Subject: [PATCH 2/4] s3: smbd: Create and use a common function for generating
+ a fileid - create_clock_itime().
+
+This first gets the clock_gettime_mono() value, converts to an NTTIME (as
+this is what is stored in the dos attribute EA), then mixes in 8 bits of
+randomness shifted up by 55 bits to cope with poor resolution clocks to
+avoid duplicate inodes.
+
+Using 8 bits of randomness on top of an NTTIME gives us around 114
+years headroom. We can now guarentee returning a itime-based
+fileid in a normal share (storing dos attributes in an EA).
+
+Remove knownfail.d/fileid-unique
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Christof Schmitt <cs at samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra at samba.org>
+Autobuild-Date(master): Sat Jan  8 06:35:22 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 23fbf0bad0332a0ae0d4dc3c8f6df6e7ec46b88b)
+---
+ source3/include/proto.h |  1 +
+ source3/lib/system.c    | 52 +++++++++++++++++++++++++++++++++++++++++
+ source3/smbd/open.c     |  6 ++---
+ 3 files changed, 56 insertions(+), 3 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index de5d1be5208..4f977942084 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -230,6 +230,7 @@ void update_stat_ex_create_time(struct stat_ex *dst, struct timespec create_time
+ void update_stat_ex_file_id(struct stat_ex *dst, uint64_t file_id);
+ void update_stat_ex_from_saved_stat(struct stat_ex *dst,
+ 				    const struct stat_ex *src);
++void create_clock_itime(struct stat_ex *dst);
+ int sys_stat(const char *fname, SMB_STRUCT_STAT *sbuf,
+ 	     bool fake_dir_create_times);
+ int sys_fstat(int fd, SMB_STRUCT_STAT *sbuf,
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index f1265e0c43f..1a513020c57 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -427,6 +427,58 @@ void init_stat_ex_from_stat (struct stat_ex *dst,
+ 	dst->st_ex_iflags |= ST_EX_IFLAG_CALCULATED_FILE_ID;
+ }
+ 
++/*******************************************************************
++ Create a clock-derived itime (imaginary) time. Used to generate
++ the fileid.
++********************************************************************/
++
++void create_clock_itime(struct stat_ex *dst)
++{
++	NTTIME tval;
++	struct timespec itime;
++	uint64_t mixin;
++	uint8_t rval;
++
++	/* Start with the system clock. */
++	clock_gettime_mono(&itime);
++
++	/* Convert to NTTIME. */
++	tval = unix_timespec_to_nt_time(itime);
++
++	/*
++	 * In case the system clock is poor granularity
++	 * (happens on VM or docker images) then mix in
++	 * 8 bits of randomness.
++	 */
++	generate_random_buffer((unsigned char *)&rval, 1);
++	mixin = rval;
++
++	/*
++	 * Shift up by 55 bits. This gives us approx 114 years
++	 * of headroom.
++	 */
++	mixin <<= 55;
++
++	/* And OR into the nttime. */
++	tval |= mixin;
++
++	/*
++	 * Convert to a unix timespec, ignoring any
++	 * constraints on seconds being higher than
++	 * TIME_T_MAX or lower than TIME_T_MIN. These
++	 * are only needed to allow unix display time functions
++	 * to work correctly, and this is being used to
++	 * generate a fileid. All we care about is the
++	 * NTTIME being valid across all NTTIME ranges
++	 * (which we carefully ensured above).
++	 */
++
++	itime = nt_time_to_unix_timespec_raw(tval);
++
++	/* And set as a generated itime. */
++	update_stat_ex_itime(dst, itime);
++}
++
+ /*******************************************************************
+ A stat() wrapper.
+ ********************************************************************/
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index ef158657684..f7646f98b33 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -4134,13 +4134,13 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
+ 	 * If we created a file and it's not a stream, this is the point where
+ 	 * we set the itime (aka invented time) that get's stored in the DOS
+ 	 * attribute xattr. The value is going to be either what the filesystem
+-	 * provided or a copy of the creation date.
++	 * provided or a generated itime value.
+ 	 *
+ 	 * Either way, we turn the itime into a File-ID, unless the filesystem
+ 	 * provided one (unlikely).
+ 	 */
+ 	if (info == FILE_WAS_CREATED && !is_named_stream(smb_fname)) {
+-		smb_fname->st.st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_ITIME;
++		create_clock_itime(&smb_fname->st);
+ 
+ 		if (lp_store_dos_attributes(SNUM(conn)) &&
+ 		    smb_fname->st.st_ex_iflags & ST_EX_IFLAG_CALCULATED_FILE_ID)
+@@ -4318,7 +4318,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
+ 		return NT_STATUS_NOT_A_DIRECTORY;
+ 	}
+ 
+-	smb_dname->st.st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_ITIME;
++	create_clock_itime(&smb_dname->st);
+ 
+ 	if (lp_store_dos_attributes(SNUM(conn))) {
+ 		if (smb_dname->st.st_ex_iflags & ST_EX_IFLAG_CALCULATED_FILE_ID)
+-- 
+2.30.2
+
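Review bot: the commit message says `Remove knownfail.d/fileid-unique`, but the diffstat lists only source3/include/proto.h, source3/lib/system.c and source3/smbd/open.c (`3 files changed`), so the knownfail removal is not part of this backport. That may well be deliberate (the description explains the trouble quilt has with files added and removed inside one patch set), but the mismatch between message and content should be recorded in the patch header, e.g. a `[mjt: selftest/knownfail.d change not applicable to 4.13]` line, so that whoever refreshes the patch does not try to restore it. The function body itself matches the description: the 8-bit `rval` from generate_random_buffer() is shifted by 55 and OR-ed into the NTTIME before the unchecked nt_time_to_unix_timespec_raw() conversion, and the two call sites in open.c replace the `&= ~ST_EX_IFLAG_CALCULATED_ITIME` clearing with create_clock_itime(), so every newly created file or directory now gets a generated itime rather than relying on the filesystem-provided one.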
diff -Nru samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch
--- samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,34 @@
+From b00fed3b698cc78a377d71e0574c878e262c4808 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Mon, 23 Aug 2021 17:40:42 -0700
+Subject: [PATCH] s3: mdssvc: Correctly disconnect the VFS connection inside
+ the mds_ctx destructor.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Ralph Boehme <slow at samba.org>
+(cherry picked from commit b4d8c62c4e8191e05fd03dd096a0bc989e224ed3)
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 715de272d32..a983a882294 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1568,6 +1568,11 @@ static int mds_ctx_destructor_cb(struct mds_ctx *mds_ctx)
+ 	}
+ 	TALLOC_FREE(mds_ctx->ino_path_map);
+ 
++	if (mds_ctx->conn != NULL) {
++		SMB_VFS_DISCONNECT(mds_ctx->conn);
++		conn_free(mds_ctx->conn);
++	}
++
+ 	ZERO_STRUCTP(mds_ctx);
+ 
+ 	return 0;
+-- 
+2.30.2
+
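Review bot: the added block makes the mds_ctx destructor the owner of `mds_ctx->conn`, calling SMB_VFS_DISCONNECT() and conn_free() before the existing ZERO_STRUCTP(mds_ctx), so the pointer is cleared afterwards and no dangling reference remains in the context. What the hunk cannot show is whether any other path in mdssvc.c also frees this conn, which would now be a double free; a quick grep for other conn_free() callers on `mds_ctx->conn` in the 4.13 tree would settle that and is worth noting in the patch header since this is a cherry-pick from a later branch.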
diff -Nru samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch
--- samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,46 @@
+From 97dc8c0dcccbcecd3a8f8f3872b47d3a3c6e8036 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Mon, 23 Aug 2021 17:42:40 -0700
+Subject: [PATCH] s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an
+ unallocated pointer on error.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Just return the status - if create_conn_struct_as_root() fails
+the connection struct never gets returned.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Ralph Boehme <slow at samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow at samba.org>
+Autobuild-Date(master): Wed Aug 25 17:09:23 UTC 2021 on sn-devel-184
+
+(cherry picked from commit 857045f3a236dea125200dd09279d677e513682b)
+---
+ source3/smbd/msdfs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
+index 3a1dd11d9eb..3645f5d21d5 100644
+--- a/source3/smbd/msdfs.c
++++ b/source3/smbd/msdfs.c
+@@ -525,12 +525,7 @@ NTSTATUS create_conn_struct_cwd(TALLOC_CTX *mem_ctx,
+ 					    path,
+ 					    session_info);
+ 	unbecome_root();
+-	if (!NT_STATUS_IS_OK(status)) {
+-		TALLOC_FREE(c);
+-		return status;
+-	}
+-
+-	return NT_STATUS_OK;
++	return status;
+ }
+ 
+ static void shuffle_strlist(char **list, int count)
+-- 
+2.30.2
+
diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch
--- samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,62 @@
+From 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow at samba.org>
+Date: Fri, 26 Nov 2021 10:57:17 +0100
+Subject: [PATCH 297/314] CVE-2020-25717: s3-auth: fix MIT Realm regression
+
+This looks like a regression introduced by the recent security fixes. This
+commit should hopefully fixes it.
+
+As a quick solution it might be possible to use the username map script based on
+the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
+sure this behaves identical, but it might work in the standalone server case.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
+
+Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
+
+Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
+
+Signed-off-by: Ralph Boehme <slow at samba.org>
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
+---
+ source3/auth/user_krb5.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index b8f37cbeee0..169bf563368 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 	char *fuser = NULL;
+ 	char *unixuser = NULL;
+ 	struct passwd *pw = NULL;
++	bool may_retry = false;
+ 
+ 	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
+ 
+@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 		domain = realm;
+ 	} else {
+ 		domain = lp_workgroup();
++		may_retry = true;
+ 	}
+ 
+ 	fuser = talloc_asprintf(mem_ctx,
+@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ 	*mapped_to_guest = false;
+ 
+ 	pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++	if (may_retry && pw == NULL && !*is_mapped) {
++		fuser = talloc_strdup(mem_ctx, user);
++		if (!fuser) {
++			return NT_STATUS_NO_MEMORY;
++		}
++		pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++	}
+ 	if (pw) {
+ 		if (!unixuser) {
+ 			return NT_STATUS_NO_MEMORY;
+-- 
+2.30.2
+
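Review bot: the retry at `if (may_retry && pw == NULL && !*is_mapped)` looks up the bare principal `user` without the `lp_workgroup()` prefix, but `may_retry` is only set on the `else` branch (`domain = lp_workgroup();`), i.e. when the realm did not satisfy the preceding condition, so in the other case the qualified `DOMAIN\user` lookup remains the only one tried. Two things worth recording in the patch header: the upstream message itself says this "should hopefully fixes it", so a note that the #1001053 reporter confirmed the Debian build would strengthen the case for the stable update; and `fuser` is reassigned by `talloc_strdup(mem_ctx, user)` without freeing the earlier talloc_asprintf() result, which is harmless because both hang off mem_ctx but deserves a one-line comment.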
diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch
--- samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch	2022-04-15 16:24:01.000000000 +0300
@@ -3327,9 +3327,7 @@
 Reviewed-by: Samuel Cabrero <scabrero at samba.org>
 ---
  python/samba/tests/dcerpc/raw_protocol.py | 1273 +++++++++++++++++++++
- selftest/knownfail.d/dcerpc-auth-fraq     |   20 +
- 2 files changed, 1293 insertions(+)
- create mode 100644 selftest/knownfail.d/dcerpc-auth-fraq
+ 1 files changed, 1273 insertions(+)
 
 diff --git a/python/samba/tests/dcerpc/raw_protocol.py b/python/samba/tests/dcerpc/raw_protocol.py
 index 3dbc8d1179f5..5fe148ce93a5 100755
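Review bot: the hand-edited diffstat `+ 1 files changed, 1273 insertions(+)` should read `1 file changed` to match git's own output; patch(1) and quilt ignore the stat block, so this is cosmetic, and the arithmetic is right (1293 - 20 = 1273 here, and 6 files / 46 deletions becoming 5 files / 26 deletions in the later hunk). Since this combined patch is otherwise upstream text, a short `[mjt: dropped selftest/knownfail.d/dcerpc-auth-fraq add+remove, quilt cannot deapply it]` line in its header would explain why the stats no longer match the upstream commits.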
@@ -4615,32 +4613,6 @@
      def _test_neg_xmit_check_values(self,
                                      req_xmit=None,
                                      req_recv=None,
-diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq
-new file mode 100644
-index 000000000000..f3c62b65e9e9
---- /dev/null
-+++ b/selftest/knownfail.d/dcerpc-auth-fraq
-@@ -0,0 +1,20 @@
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111
 -- 
 2.25.1
 
@@ -4662,10 +4634,8 @@
  librpc/rpc/dcerpc_pkt_auth.h          |  1 +
  librpc/rpc/dcesrv_auth.c              | 28 +++++++++
  librpc/rpc/dcesrv_core.c              | 86 +++++++++++++++++++++------
- selftest/knownfail.d/dcerpc-auth-fraq | 20 -------
  source4/librpc/rpc/dcerpc.c           |  1 +
- 6 files changed, 109 insertions(+), 46 deletions(-)
- delete mode 100644 selftest/knownfail.d/dcerpc-auth-fraq
+ 5 files changed, 109 insertions(+), 26 deletions(-)
 
 diff --git a/librpc/rpc/dcerpc_pkt_auth.c b/librpc/rpc/dcerpc_pkt_auth.c
 index 322d7497893c..1cb191468b5d 100644
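Review bot: the hand-edited diffstat is arithmetically consistent (6 to 5 files, 46 - 20 = 26 deletions) and, because quilt ignores the stat block, the edit is cosmetic; the functional part is the dropped `delete mode 100644 selftest/knownfail.d/dcerpc-auth-fraq`, which is only safe if the creation side of that file is stripped from this patch as well (the `-+^samba.tests...` removals in the preceding hunk indicate it is).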
@@ -4953,32 +4923,6 @@
  		}
  	}
  
-diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq
-deleted file mode 100644
-index f3c62b65e9e9..000000000000
---- a/selftest/knownfail.d/dcerpc-auth-fraq
-+++ /dev/null
-@@ -1,20 +0,0 @@
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111
 diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
 index 4847e8a02004..baf6df6e498b 100644
 --- a/source4/librpc/rpc/dcerpc.c
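Review bot: removing the embedded deletion of selftest/knownfail.d/dcerpc-auth-fraq is consistent only because the earlier hunks also strip the creating side, so the 20 TestDCERPC_BIND knownfail entries never enter the bullseye tree. That is the desirable outcome (knownfail entries would mask those tests wherever selftest is run), but add a short remark in the patch header saying why the selftest/knownfail.d pieces were dropped, so the next rebase does not reintroduce them.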
diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch
--- samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch	2022-04-15 16:24:01.000000000 +0300
@@ -233,18 +233,9 @@
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Andrew Bartlett <abartlet at samba.org>
 ---
- .../knownfail.d/drsuapi.DsBindAssocGroupWS    |   1 +
  source4/torture/rpc/drsuapi.c                 | 172 ++++++++++++++++++
- 2 files changed, 173 insertions(+)
- create mode 100644 selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
+ 1 files changed, 172 insertions(+)
 
-diff --git a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
-new file mode 100644
-index 00000000000..9af5a904fdd
---- /dev/null
-+++ b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
-@@ -0,0 +1 @@
-+^samba4.rpc.drsuapi.*drsuapi.DsBindAssocGroupWS
 diff --git a/source4/torture/rpc/drsuapi.c b/source4/torture/rpc/drsuapi.c
 index 3e8105af07b..1cd8f77db9c 100644
 --- a/source4/torture/rpc/drsuapi.c
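Review bot: `1 files changed` should read `1 file changed` if the diffstat is being hand-edited anyway; the figures are consistent (173 - 1 = 172) and quilt does not parse this block. The stripped `create mode` for selftest/knownfail.d/drsuapi.DsBindAssocGroupWS must pair with the matching `delete mode` being stripped in the later hunk of this patch.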
@@ -715,18 +706,9 @@
 Signed-off-by: Stefan Metzmacher <metze at samba.org>
 Reviewed-by: Andrew Bartlett <abartlet at samba.org>
 ---
- .../knownfail.d/drsuapi.DsBindAssocGroupWS    |  1 -
  source4/rpc_server/drsuapi/dcesrv_drsuapi.c   | 55 +++++++------------
- 2 files changed, 19 insertions(+), 37 deletions(-)
- delete mode 100644 selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
+ 1 files changed, 19 insertions(+), 36 deletions(-)
 
-diff --git a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
-deleted file mode 100644
-index 9af5a904fdd..00000000000
---- a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba4.rpc.drsuapi.*drsuapi.DsBindAssocGroupWS
 diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
 index 7e2b6174d2f..239971d7009 100644
 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
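Review bot: same nit as the previous hunk (`1 files changed` should be `1 file changed`); 37 - 1 = 36 deletions is consistent. With both the create and the delete of the drsuapi.DsBindAssocGroupWS knownfail entry removed, the patch is self-consistent: the DsBindAssocGroupWS torture test is simply never marked as known-failing in the bullseye tree.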
diff -Nru samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch
--- samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,63 @@
+From dd679ce7f4450765274b085bbee97d1fa8e0f2a0 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet at samba.org>
+Date: Fri, 12 Nov 2021 12:44:44 +1300
+Subject: [PATCH 298/314] dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching
+ for the local replicated object
+
+This may allow further processing when the DN normalisation has changed
+which changes the indexing, such as seen after fixes for bug 14656.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
+
+Signed-off-by: Andrew Bartlett <abartlet at samba.org>
+Reviewed-by: Stefan Metzmacher <metze at samba.org>
+(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)
+
+Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
+Autobuild-Date(v4-13-test): Wed Dec  8 16:49:25 UTC 2021 on sn-devel-184
+---
+ source4/dsdb/samdb/ldb_modules/operational.c    |  2 +-
+ source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
+index 5eaebf98141..4e60feaf14f 100644
+--- a/source4/dsdb/samdb/ldb_modules/operational.c
++++ b/source4/dsdb/samdb/ldb_modules/operational.c
+@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = {
+ 	{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
+ 	{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
+ 	{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
+-	{ "parentGUID", NULL, NULL, construct_parent_guid },
++	{ "parentGUID", "objectGUID", NULL, construct_parent_guid },
+ 	{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
+ 	{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
+ 	{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber },
+diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+index 58c04da5f53..870185ee1d3 100644
+--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+@@ -6923,7 +6923,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
+ 				   ar->req);
+ 	LDB_REQ_SET_LOCATION(search_req);
+ 
+-	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED);
++	/*
++	 * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the
++	 * DN.  This in turn helps our operational module find the
++	 * record by GUID, not DN lookup which is more error prone if
++	 * DN indexing changes.  We prefer to keep chasing GUIDs
++	 * around if possible, even within a transaction.
++	 *
++	 * The aim here is to keep replication moving and allow a
++	 * reindex later.
++	 */
++	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED
++					|DSDB_SEARCH_SHOW_EXTENDED_DN);
+ 
+ 	if (ret != LDB_SUCCESS) {
+ 		return ret;
+-- 
+2.30.2
+
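Review bot: the new patch carries no DEP-3 header (Origin, Bug, Bug-Debian); the upstream trailers name the source commit (cherry picked from commit f621317e...), but unlike the bug1005642-*/bug998423-* patches nothing in this debdiff says which Debian problem it addresses, so add a line explaining its inclusion (upstream bugs 14656 and 14902 per the BUG: trailers). The change itself is self-consistent: operational.c now declares objectGUID as the attribute construct_parent_guid() needs, repl_meta_data.c ORs DSDB_SEARCH_SHOW_EXTENDED_DN into the existing DSDB_SEARCH_SHOW_RECYCLED control so the GUID is returned on the DN, and the 13 insertions / 2 deletions diffstat matches the hunks.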
diff -Nru samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch
--- samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,54 @@
+From fadf49634500a08392f0625db4062d993ccb0b0a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab at samba.org>
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH 290/314] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy <ab at samba.org>
+Reviewed-by: Guenther Deschner <gd at samba.org>
+
+Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
+Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
+
+(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
+
+Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
+Autobuild-Date(v4-13-test): Mon Nov 15 15:33:17 UTC 2021 on sn-devel-184
+---
+ auth/gensec/schannel.c              | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 0cdae141ead..6ebbe8f3179 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ 	case ROLE_DOMAIN_BDC:
+ 	case ROLE_DOMAIN_PDC:
+ 	case ROLE_ACTIVE_DIRECTORY_DC:
++	case ROLE_IPA_DC:
+ 		return NT_STATUS_OK;
+ 	default:
+ 		return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 198387424e6..08a77c80017 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -681,6 +681,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ 		switch (lp_server_role()) {
+ 			case ROLE_DOMAIN_PDC:
+ 			case ROLE_DOMAIN_BDC:
++			case ROLE_IPA_DC:
+ 				name = get_global_sam_name();
+ 				sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ 				if (!sid) {
+-- 
+2.30.2
+
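Review bot: both additions hinge on ROLE_IPA_DC, so this patch only compiles if that enum value already exists in the 4.13.13+dfsg tree; the commit message says these two spots were forgotten when FreeIPA support was introduced, so confirm the introducing change is in this source before upload rather than letting the build discover it. The placement matches the message: schannel_server_start() now accepts the role alongside the PDC/BDC/AD DC cases, and _lsa_QueryInfoPolicy() returns the SAM name and SID for it as it does for a PDC/BDC.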
diff -Nru samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch
--- samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,97 @@
+From 9c2e3c72c0cdde31a2a5c2e58ce508070ec151d0 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Tue, 21 Sep 2021 17:38:27 -0700
+Subject: [PATCH 302/314] s3: smbd: Fix mkdir race condition allows share
+ escape in Samba 4.13.X and below: CVE-2021-43566
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13979
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+---
+ source3/smbd/open.c | 43 ++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index ef158657684..17163e9ddea 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -4255,6 +4255,8 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
+ 	uint32_t access_mask = SEC_DIR_ADD_SUBDIR;
+ 	int ret;
+ 	bool ok;
++	struct smb_filename *oldwd_fname = NULL;
++	struct smb_filename *smb_fname_rel = NULL;
+ 
+ 	SMB_ASSERT(*dirfsp == conn->cwd_fsp);
+ 
+@@ -4267,7 +4269,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
+ 	ok = parent_smb_fname(talloc_tos(),
+ 			      smb_dname,
+ 			      &parent_dir_fname,
+-			      NULL);
++			      &smb_fname_rel);
+ 	if (!ok) {
+ 		return NT_STATUS_NO_MEMORY;
+ 	}
+@@ -4295,14 +4297,40 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
+ 		return status;
+ 	}
+ 
++	oldwd_fname = vfs_GetWd(talloc_tos(), conn);
++	if (oldwd_fname == NULL) {
++		return NT_STATUS_NO_MEMORY;
++	}
++
++	/* Pin parent directory in place. */
++	if (vfs_ChDir(conn, parent_dir_fname) == -1) {
++		status = map_nt_error_from_unix(errno);
++		TALLOC_FREE(oldwd_fname);
++		return status;
++	}
++
++	/* Ensure the relative path is below the share. */
++	status = check_reduced_name(conn, parent_dir_fname, smb_fname_rel);
++	if (!NT_STATUS_IS_OK(status)) {
++		goto need_chdir_err;
++	}
++
+ 	ret = SMB_VFS_MKDIRAT(conn,
+ 			      *dirfsp,
+-			      smb_dname,
++			      smb_fname_rel,
+ 			      mode);
+ 	if (ret != 0) {
+-		return map_nt_error_from_unix(errno);
++		status = map_nt_error_from_unix(errno);
++		goto need_chdir_err;
+ 	}
+ 
++	/* Return to share $cwd. */
++	ret = vfs_ChDir(conn, oldwd_fname);
++	if (ret == -1) {
++		smb_panic("unable to get back to old directory\n");
++	}
++	TALLOC_FREE(oldwd_fname);
++
+ 	/* Ensure we're checking for a symlink here.... */
+ 	/* We don't want to get caught by a symlink racer. */
+ 
+@@ -4378,6 +4406,15 @@ static NTSTATUS mkdir_internal(connection_struct *conn,
+ 		     smb_dname->base_name);
+ 
+ 	return NT_STATUS_OK;
++
++  need_chdir_err:
++
++	ret = vfs_ChDir(conn, oldwd_fname);
++	if (ret == -1) {
++		smb_panic("unable to get back to old directory\n");
++	}
++	TALLOC_FREE(oldwd_fname);
++	return status;
+ }
+ 
+ /****************************************************************************
+-- 
+2.30.2
+
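Review bot: the file name should carry the CVE identifier like the other security patches in series (CVE-2020-25717-*, CVE-2021-3738-*), i.e. CVE-2021-43566-s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch, so the fix is greppable in the changelog and tracker. The logic is coherent: the parent directory is pinned with vfs_ChDir(), check_reduced_name() validates the relative name against the share before SMB_VFS_MKDIRAT() is called on smb_fname_rel instead of the full smb_dname, and both failure paths go through need_chdir_err to restore the previous cwd; smb_panic() on a failed restore is the right call, since continuing with an unknown cwd would be worse. The two early returns above the new vfs_GetWd() call remain correct because oldwd_fname is not yet allocated at that point.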
diff -Nru samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch
--- samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch	2022-04-15 16:24:01.000000000 +0300
@@ -0,0 +1,46 @@
+From b7158d4ce853f3ce4342ff9756490104ad163b9c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Tue, 9 Nov 2021 20:50:20 +0100
+Subject: [PATCH 289/314] s3:winbindd: fix "allow trusted domains = no"
+ regression
+
+add_trusted_domain() should only reject domains
+based on is_allowed_domain(), which now also
+checks "allow trusted domains = no", if we don't
+have an explicit trust to the domain (SEC_CHAN_NULL).
+
+We use at least SEC_CHAN_LOCAL for local domains like
+BUILTIN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Andreas Schneider <asn at samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
+Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
+
+(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
+
+Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
+Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184
+---
+ source3/winbindd/winbindd_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 1ae4a8d3ca3..a4f33c4765b 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -131,7 +131,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	if (!is_allowed_domain(domain_name)) {
++	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ 		return NT_STATUS_NO_SUCH_DOMAIN;
+ 	}
+ 
+-- 
+2.30.2
+
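Review bot: the one-line change restricts the is_allowed_domain() rejection to domains without an explicit trust (secure_channel_type == SEC_CHAN_NULL), so BUILTIN and the local domain (SEC_CHAN_LOCAL or stronger) are no longer refused when `allow trusted domains = no`, which is what the message describes. Since the correction depends on the current is_allowed_domain() behaviour, the patch has to stay after the CVE-2020-25717 patches in series (it does, per the series hunk). The added line exceeds 80 columns, but as a verbatim cherry-pick it should be left as upstream has it.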
diff -Nru samba-4.13.13+dfsg/debian/patches/series samba-4.13.13+dfsg/debian/patches/series
--- samba-4.13.13+dfsg/debian/patches/series	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/patches/series	2022-04-15 16:24:01.000000000 +0300
@@ -288,3 +288,14 @@
 0004-CVE-2020-25717-selftest-turn-ad_member_no_nss_wb-int.patch
 0005-CVE-2020-25717-tests-krb5-Add-a-test-for-idmap_nss-m.patch
 0006-CVE-2020-25717-s3-auth-Fallback-to-a-SID-UID-based-m.patch
+s3-winbindd-fix-allow-trusted-domains-no-regression.patch
+IPA-DC-add-missing-checks.patch
+CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch
+dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch
+s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch
+bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch
+bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch
+bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch
+bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch
+bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch
+bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch
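Review bot: the new entries preserve the upstream v4-13-test ordering (PATCH 289, 290, 298, 302 per the headers in this debdiff) and the winbindd regression fix sits after the 0004 to 0006 CVE-2020-25717 patches, which matters if the is_allowed_domain() behaviour it corrects came from one of them. CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch and the bug1005642-*/bug998423-* patches are listed here but their contents are not in this part of the debdiff, so they could not be reviewed alongside the rest.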
diff -Nru samba-4.13.13+dfsg/debian/salsa-ci.yml samba-4.13.13+dfsg/debian/salsa-ci.yml
--- samba-4.13.13+dfsg/debian/salsa-ci.yml	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/salsa-ci.yml	2022-04-15 16:24:01.000000000 +0300
@@ -4,7 +4,7 @@
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
-  RELEASE: 'experimental'
+  RELEASE: 'bullseye'
 
 blhc:
   # Until https://bugs.debian.org/929503 is fixed in blhc
diff -Nru samba-4.13.13+dfsg/debian/samba-common-bin.postinst samba-4.13.13+dfsg/debian/samba-common-bin.postinst
--- samba-4.13.13+dfsg/debian/samba-common-bin.postinst	2022-02-03 23:54:02.000000000 +0300
+++ samba-4.13.13+dfsg/debian/samba-common-bin.postinst	2022-04-12 10:16:56.000000000 +0300
@@ -2,10 +2,8 @@
 
 set -e
 
-# systemd-tmpfiles should be called before testparm
-# See https://bugs.debian.org/975422
-
-#DEBHELPER#
+# ensure a (tmpfs-based) /run/samba exists before running testparm
+[ -d /run/samba ] || mkdir -p /run/samba
 
 if [ "$1" = "configure" ] ; then
     SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
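Review bot: `[ -d /run/samba ] || mkdir -p /run/samba` is redundant, since `mkdir -p` alone already succeeds on an existing directory; the more important point is that the directory is created with root ownership and the default umask rather than whatever mode the package's tmpfiles.d entry specifies, so pass an explicit `-m` matching that entry (its value is not visible in this diff). Dropping the comment that pointed at https://bugs.debian.org/975422 also loses the explanation of why tmpfiles ordering mattered; keep a one-line reference next to the new mkdir.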
@@ -19,3 +17,5 @@
         echo "Done"
     fi
 fi
+
+#DEBHELPER#
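Review bot: moving #DEBHELPER# after the configure block means every debhelper-generated snippet, not only the systemd-tmpfiles call, now runs after `samba-tool testparm`; the mkdir fallback added above covers /run/samba on both systemd and non-systemd systems, but check the generated snippet (dh_installdeb output) for anything else the configure block relies on before it runs.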

