[SCM] Samba Shared Repository - branch v4-14-test updated

Stefan Metzmacher metze at samba.org
Wed Dec 8 14:37:01 UTC 2021


The branch, v4-14-test has been updated
       via  3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0
       via  ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
       via  b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression
      from  aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -----------------------------------------------------------------
commit 3d35397e10348317ab2adbaf033c5becf59fcc33
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Nov 26 11:59:45 2021 +0100

    smbd: s3-dsgetdcname: handle num_ips == 0
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)
    
    Autobuild-User(v4-14-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-14-test): Wed Dec  8 14:36:05 UTC 2021 on sn-devel-184

commit ce1186e06ed2581a29af794eb66405a4efe26b71
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 12 12:44:44 2021 +1300

    dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
    
    This may allow further processing when the DN normalisation has changed
    which changes the indexing, such as seen after fixes for bug 14656.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

commit b0d67dc3d42b81e5e35da26a333c4fcd67baab1f
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Nov 26 10:57:17 2021 +0100

    CVE-2020-25717: s3-auth: fix MIT Realm regression
    
    This looks like a regression introduced by the recent security fixes. This
    commit should hopefully fix it.
    
    As a quick solution it might be possible to use the username map script based on
    the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
    sure this behaves identical, but it might work in the standalone server case.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
    
    Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/user_krb5.c                        |  9 +++++++++
 source3/libsmb/dsgetdcname.c                    |  4 ++++
 source4/dsdb/samdb/ldb_modules/operational.c    |  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++-
 4 files changed, 26 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	char *fuser = NULL;
 	char *unixuser = NULL;
 	struct passwd *pw = NULL;
+	bool may_retry = false;
 
 	DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 		domain = realm;
 	} else {
 		domain = lp_workgroup();
+		may_retry = true;
 	}
 
 	fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	*mapped_to_guest = false;
 
 	pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+	if (may_retry && pw == NULL && !*is_mapped) {
+		fuser = talloc_strdup(mem_ctx, user);
+		if (!fuser) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+	}
 	if (pw) {
 		if (!unixuser) {
 			return NT_STATUS_NO_MEMORY;
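Review bot: The retry added at `if (may_retry && pw == NULL && !*is_mapped)` re-runs smb_getpwnam() with the bare principal name, dropping the domain-qualified form the CVE-2020-25717 fixes introduced, and nothing in the code records why that is acceptable here; from the earlier hunk `may_retry` is only set on the branch where the realm did not resolve to a domain and `lp_workgroup()` was used instead, and `!*is_mapped` presumably means the username map did not already match — confirm. Suggest a comment above the retry: `/* Realm is not a known domain (may_retry): fall back to the bare name for the MIT realm / standalone case, unless the username map already resolved it. */`. The talloc_asprintf() result held in `fuser` is overwritten without being released; `TALLOC_FREE(fuser);` before the talloc_strdup() keeps it from lingering on mem_ctx. get_user_from_kerberos_info() starts and ends outside the hunk.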
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index ae90e07de77..c313259bcb1 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
 	for (i = 0; i < numdcs; i++) {
 		size_t j;
 
+		if (dcs[i].num_ips == 0) {
+			continue;
+		}
+
 		dclist[ret_count].hostname =
 			talloc_move(dclist, &dcs[i].hostname);
 
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index d66b918e95d..ccbe1f5fd20 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1404,7 +1404,7 @@ static const struct op_attributes_replace search_sub[] = {
 	{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
 	{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
 	{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
-	{ "parentGUID", NULL, NULL, construct_parent_guid },
+	{ "parentGUID", "objectGUID", NULL, construct_parent_guid },
 	{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
 	{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
 	{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber },
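Review bot: The `parentGUID` entry now names `objectGUID` as its required attribute, but the table gives no hint why, and the reason lives in a different file of the same commit; a short comment on the entry, `/* parent is located by GUID via the extended DN, so objectGUID must be fetched */`, would keep the dependency readable in place. Whether construct_parent_guid() actually reads objectGUID is outside the hunk — confirm.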
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index fbeab0b1825..ab506cec488 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -6925,7 +6925,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
 				   ar->req);
 	LDB_REQ_SET_LOCATION(search_req);
 
-	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED);
+	/*
+	 * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the
+	 * DN.  This in turn helps our operational module find the
+	 * record by GUID, not DN lookup which is more error prone if
+	 * DN indexing changes.  We prefer to keep chasing GUIDs
+	 * around if possible, even within a transaction.
+	 *
+	 * The aim here is to keep replication moving and allow a
+	 * reindex later.
+	 */
+	ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED
+					|DSDB_SEARCH_SHOW_EXTENDED_DN);
 
 	if (ret != LDB_SUCCESS) {
 		return ret;
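Review bot: The continuation line `|DSDB_SEARCH_SHOW_EXTENDED_DN` places the operator at the start of the line with no surrounding space, which departs from the operator-at-line-end form used in the surrounding Samba code; suggested: `ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED |` followed by `DSDB_SEARCH_SHOW_EXTENDED_DN);` aligned under the first argument. The new block comment reads well and explains the why. replmd_replicated_apply_next() starts and ends outside the hunk.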

