[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Fri Dec 3 12:55:01 UTC 2021


The branch, master has been updated
       via  5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0
       via  1e61de83066 CVE-2020-25717: s3-auth: fix MIT Realm regression
       via  f621317e3b2 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
      from  d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5e3df5f9ee64a80898f73585b19113354f463c44
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Nov 26 11:59:45 2021 +0100

    smbd: s3-dsgetdcname: handle num_ips == 0
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

commit 1e61de8306604a0d3858342df8a1d2412d8d418b
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Nov 26 10:57:17 2021 +0100

    CVE-2020-25717: s3-auth: fix MIT Realm regression
    
    This looks like a regression introduced by the recent security fixes. This
    commit should hopefully fixes it.
    
    As a quick solution it might be possible to use the username map script based on
    the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
    sure this behaves identical, but it might work in the standalone server case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
    
    Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit f621317e3b25a8925ab6e448068264488a0a47c7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 12 12:44:44 2021 +1300

    dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
    
    This may allow further processing when the DN normalisation has changed
    which changes the indexing, such as seen after fixes for bug 14656.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/user_krb5.c                        |  9 +++++++++
 source3/libsmb/dsgetdcname.c                    |  4 ++++
 source4/dsdb/samdb/ldb_modules/operational.c    |  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++-
 4 files changed, 26 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	char *fuser = NULL;
 	char *unixuser = NULL;
 	struct passwd *pw = NULL;
+	bool may_retry = false;
 
 	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 		domain = realm;
 	} else {
 		domain = lp_workgroup();
+		may_retry = true;
 	}
 
 	fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	*mapped_to_guest = false;
 
 	pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+	if (may_retry && pw == NULL && !*is_mapped) {
+		fuser = talloc_strdup(mem_ctx, user);
+		if (!fuser) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+	}
 	if (pw) {
 		if (!unixuser) {
 			return NT_STATUS_NO_MEMORY;
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index f8ae96109b7..5954e48d747 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
 	for (i = 0; i < numdcs; i++) {
 		size_t j;
 
+		if (dcs[i].num_ips == 0) {
+			continue;
+		}
+
 		dclist[ret_count].hostname =
 			talloc_move(dclist, &dcs[i].hostname);
 
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 11b87bdf5ca..2b3cd2d7954 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1408,7 +1408,7 @@ static const struct op_attributes_replace search_sub[] = {
 	{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
 	{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
 	{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
-	{ "parentGUID", NULL, NULL, construct_parent_guid },
+	{ "parentGUID", "objectGUID", NULL, construct_parent_guid },
 	{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
 	{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
 	{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber },
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 599cb79c1fd..d3baf3ae7dd 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -6925,7 +6925,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
 				   ar->req);
 	LDB_REQ_SET_LOCATION(search_req);
 
-	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED);
+	/*
+	 * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the
+	 * DN.  This in turn helps our operational module find the
+	 * record by GUID, not DN lookup which is more error prone if
+	 * DN indexing changes.  We prefer to keep chasing GUIDs
+	 * around if possible, even within a transaction.
+	 *
+	 * The aim here is to keep replication moving and allow a
+	 * reindex later.
+	 */
+	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED
+					|DSDB_SEARCH_SHOW_EXTENDED_DN);
 
 	if (ret != LDB_SUCCESS) {
 		return ret;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list