[SCM] Samba Shared Repository - branch v4-14-test updated
Stefan Metzmacher
metze at samba.org
Wed Dec 8 14:37:01 UTC 2021
The branch, v4-14-test has been updated
via 3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0
via ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
via b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression
from aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test
- Log -----------------------------------------------------------------
commit 3d35397e10348317ab2adbaf033c5becf59fcc33
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 26 11:59:45 2021 +0100
smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184
(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)
Autobuild-User(v4-14-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-14-test): Wed Dec 8 14:36:05 UTC 2021 on sn-devel-184
commit ce1186e06ed2581a29af794eb66405a4efe26b71
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Nov 12 12:44:44 2021 +1300
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)
commit b0d67dc3d42b81e5e35da26a333c4fcd67baab1f
Author: Ralph Boehme <slow at samba.org>
Date: Fri Nov 26 10:57:17 2021 +0100
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identical, but it might work in the standalone server case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
-----------------------------------------------------------------------
Summary of changes:
source3/auth/user_krb5.c | 9 +++++++++
source3/libsmb/dsgetdcname.c | 4 ++++
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++-
4 files changed, 26 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+ bool may_retry = false;
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+ may_retry = true;
}
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+ if (may_retry && pw == NULL && !*is_mapped) {
+ fuser = talloc_strdup(mem_ctx, user);
+ if (!fuser) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+ }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index ae90e07de77..c313259bcb1 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
+ if (dcs[i].num_ips == 0) {
+ continue;
+ }
+
dclist[ret_count].hostname =
talloc_move(dclist, &dcs[i].hostname);
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index d66b918e95d..ccbe1f5fd20 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1404,7 +1404,7 @@ static const struct op_attributes_replace search_sub[] = {
{ "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups },
{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc},
{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups },
- { "parentGUID", NULL, NULL, construct_parent_guid },
+ { "parentGUID", "objectGUID", NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc },
{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber },
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index fbeab0b1825..ab506cec488 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -6925,7 +6925,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar)
ar->req);
LDB_REQ_SET_LOCATION(search_req);
- ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED);
+ /*
+ * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the
+ * DN. This in turn helps our operational module find the
+ * record by GUID, not DN lookup which is more error prone if
+ * DN indexing changes. We prefer to keep chasing GUIDs
+ * around if possible, even within a transaction.
+ *
+ * The aim here is to keep replication moving and allow a
+ * reindex later.
+ */
+ ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED
+ |DSDB_SEARCH_SHOW_EXTENDED_DN);
if (ret != LDB_SUCCESS) {
return ret;
--
Samba Shared Repository
More information about the samba-cvs
mailing list