Version in base suite: 4.13.13+dfsg-1~deb11u3 Base version: samba_4.13.13+dfsg-1~deb11u3 Target version: samba_4.13.13+dfsg-1~deb11u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/samba/samba_4.13.13+dfsg-1~deb11u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/samba/samba_4.13.13+dfsg-1~deb11u4.dsc changelog | 35 ++ libwbclient0.symbols | 1 patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch | 62 ++++ patches/CVE-2021-23192-only-4.13-v2.patch | 60 ---- patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch | 22 - patches/IPA-DC-add-missing-checks.patch | 54 +++ patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch | 77 +++++ patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch | 60 ++++ patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch | 39 ++ patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch | 139 ++++++++++ patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch | 34 ++ patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch | 46 +++ patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch | 63 ++++ patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch | 97 ++++++ patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch | 46 +++ patches/series | 11 rules | 2 salsa-ci.yml | 2 samba-common-bin.postinst | 8 19 files changed, 774 insertions(+), 84 deletions(-) diff -Nru samba-4.13.13+dfsg/debian/changelog samba-4.13.13+dfsg/debian/changelog --- samba-4.13.13+dfsg/debian/changelog 2022-02-03 20:54:02.000000000 +0000 +++ samba-4.13.13+dfsg/debian/changelog 2022-05-28 19:52:59.000000000 +0000 
@@ -1,3 +1,38 @@ +samba (2:4.13.13+dfsg-1~deb11u4) bullseye-proposed-updates; urgency=medium + + * fix the order of everything during build by exporting PYTHONHASHSEED=1 + for waf. This should fix the broken i386 build of the last security + upload. Closes: #1006935, #1009855 + * Import the left-over patches from 4.13.17 upstream stable branch: + - s3-winbindd-fix-allow-trusted-domains-no-regression.patch + https://bugzilla.samba.org/show_bug.cgi?id=14899 + Closes: #999876, winbind fails to start with `allow trusted domains: no` + - IPA-DC-add-missing-checks.patch + https://bugzilla.samba.org/show_bug.cgi?id=14903 + - CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch + https://bugzilla.samba.org/show_bug.cgi?id=14922 + Closes: #1001053, MIT-kerberos auth broken after 4.13.13+dfsg-1~deb11u2 + - dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch + https://bugzilla.samba.org/show_bug.cgi?id=14656 + https://bugzilla.samba.org/show_bug.cgi?id=14902 + - s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch + https://bugzilla.samba.org/show_bug.cgi?id=13979 + Closes: #1004691, CVE-2021-43566: mkdir race condition allows share escape + * 4 patches from upstream to fix possible serious data corruption issue + with windows client cache poisoning, Closes: #1005642 + https://bugzilla.samba.org/show_bug.cgi?id=14928 + * two patches from upstream to fix coredump when connecting to shares + with var substitutions, Closes: #998423 + https://bugzilla.samba.org/show_bug.cgi?id=14809 + * samba-common-bin.postinst: mkdir /run/samba before invoking samba binaries + Closes: #953530 + * remove file creation+deletion from previously applied combined patches + CVE-2021-23192-only-4.13-v2.patch & CVE-2021-3738-dsdb-crash-4.13-v03.patch + to make patch deapply happy (quilt does not notice this situation) + * d/salsa-ci.yml: target bullseye + + -- Michael Tokarev Sat, 28 May 2022 22:52:59 +0300 + samba (2:4.13.13+dfsg-1~deb11u3) bullseye-security; urgency=high * 
Non-maintainer upload by the Security Team. diff -Nru samba-4.13.13+dfsg/debian/libwbclient0.symbols samba-4.13.13+dfsg/debian/libwbclient0.symbols --- samba-4.13.13+dfsg/debian/libwbclient0.symbols 2022-02-03 20:54:02.000000000 +0000 +++ samba-4.13.13+dfsg/debian/libwbclient0.symbols 2022-05-28 19:52:17.000000000 +0000 @@ -276,6 +276,7 @@ nt_time_to_full_timespec@SAMBA_UTIL_0.0.1 2:4.12.0+dfsg nt_time_to_unix@SAMBA_UTIL_0.0.1 2:4.11.0 nt_time_to_unix_timespec@SAMBA_UTIL_0.0.1 2:4.11.0 + nt_time_to_unix_timespec_raw@SAMBA_UTIL_0.0.1 2:2.4.13+dfsg-1~deb11u4 nttime_to_timeval@SAMBA_UTIL_0.0.1 2:4.11.0 null_nttime@SAMBA_UTIL_0.0.1 2:4.11.0 null_time@SAMBA_UTIL_0.0.1 2:4.11.0 diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch --- samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch 2022-05-28 19:52:17.000000000 +0000 
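Review bot: The version tag on the new `nt_time_to_unix_timespec_raw@SAMBA_UTIL_0.0.1` entry reads `2:2.4.13+dfsg-1~deb11u4`, which looks like a transposition of the package version `2:4.13.13+dfsg-1~deb11u4` used everywhere else on this page. The version in a symbols file is the minimum library version that dpkg-shlibdeps writes into the Depends of anything using that symbol, so a value this low is satisfied by every earlier libwbclient0 and a dependent built against the new function could be installed next to a library that lacks it. Suggested line: ` nt_time_to_unix_timespec_raw@SAMBA_UTIL_0.0.1 2:4.13.13+dfsg-1~deb11u4`.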
@@ -0,0 +1,62 @@ +From 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 26 Nov 2021 10:57:17 +0100 +Subject: [PATCH 297/314] CVE-2020-25717: s3-auth: fix MIT Realm regression + +This looks like a regression introduced by the recent security fixes. This +commit should hopefully fixes it. + +As a quick solution it might be possible to use the username map script based on +the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not +sure this behaves identical, but it might work in the standalone server case. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 + +Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Ralph Boehme +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) +--- + source3/auth/user_krb5.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index b8f37cbeee0..169bf563368 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + char *fuser = NULL; + char *unixuser = NULL; + struct passwd *pw = NULL; ++ bool may_retry = false; + + DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); + +@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + domain = realm; + } else { + domain = lp_workgroup(); ++ may_retry = true; + } + + fuser = talloc_asprintf(mem_ctx, +@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + *mapped_to_guest = false; + + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); ++ if (may_retry && pw == NULL && !*is_mapped) { ++ fuser = talloc_strdup(mem_ctx, user); ++ if (!fuser) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); ++ } + if (pw) { + if (!unixuser) { + return 
NT_STATUS_NO_MEMORY; +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch --- samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch 2022-02-03 20:54:02.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/CVE-2021-23192-only-4.13-v2.patch 2022-05-28 19:52:17.000000000 +0000 @@ -3327,9 +3327,7 @@ Reviewed-by: Samuel Cabrero --- python/samba/tests/dcerpc/raw_protocol.py | 1273 +++++++++++++++++++++ - selftest/knownfail.d/dcerpc-auth-fraq | 20 + - 2 files changed, 1293 insertions(+) - create mode 100644 selftest/knownfail.d/dcerpc-auth-fraq + 1 files changed, 1273 insertions(+) diff --git a/python/samba/tests/dcerpc/raw_protocol.py b/python/samba/tests/dcerpc/raw_protocol.py index 3dbc8d1179f5..5fe148ce93a5 100755 
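Review bot: The retry block added after the first `smb_getpwnam()` re-runs the lookup on the bare principal `user`, apparently restoring an unqualified-name fallback that the CVE-2020-25717 hardening had removed, and the two guards that keep it narrow (`may_retry` is only set in the `else` branch where `domain = lp_workgroup()`, and `!*is_mapped`) are not explained in the code. A comment above `if (may_retry && pw == NULL && !*is_mapped) {` stating that the fallback applies only when the realm did not name a known domain and no username map touched the name, with the bug 14922 reference, would keep a later refactor from widening it. The reassignment `fuser = talloc_strdup(mem_ctx, user);` also abandons the earlier `talloc_asprintf()` result; it stays on `mem_ctx` so it is not a leak, but a `TALLOC_FREE(fuser);` just before the strdup would be tidier. `get_user_from_kerberos_info()` starts and ends outside the hunk.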
@@ -4615,32 +4613,6 @@ def _test_neg_xmit_check_values(self, req_xmit=None, req_recv=None, -diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq -new file mode 100644 -index 000000000000..f3c62b65e9e9 ---- /dev/null -+++ b/selftest/knownfail.d/dcerpc-auth-fraq -@@ -0,0 +1,20 @@ -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111 
-+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111 -- 2.25.1 @@ -4662,10 +4634,8 @@ librpc/rpc/dcerpc_pkt_auth.h | 1 + librpc/rpc/dcesrv_auth.c | 28 +++++++++ librpc/rpc/dcesrv_core.c | 86 +++++++++++++++++++++------ - selftest/knownfail.d/dcerpc-auth-fraq | 20 ------- source4/librpc/rpc/dcerpc.c | 1 + - 6 files changed, 109 insertions(+), 46 deletions(-) - delete mode 100644 selftest/knownfail.d/dcerpc-auth-fraq + 5 files changed, 109 insertions(+), 26 deletions(-) diff --git a/librpc/rpc/dcerpc_pkt_auth.c b/librpc/rpc/dcerpc_pkt_auth.c index 322d7497893c..1cb191468b5d 100644 
@@ -4953,32 +4923,6 @@ } } -diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq -deleted file mode 100644 -index f3c62b65e9e9..000000000000 ---- a/selftest/knownfail.d/dcerpc-auth-fraq -+++ /dev/null -@@ -1,20 +0,0 @@ --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111 
--^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111 diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 4847e8a02004..baf6df6e498b 100644 --- a/source4/librpc/rpc/dcerpc.c diff -Nru samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch --- samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch 2022-02-03 20:54:02.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/CVE-2021-3738-dsdb-crash-4.13-v03.patch 2022-05-28 19:52:17.000000000 +0000 @@ -233,18 +233,9 @@ 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- - .../knownfail.d/drsuapi.DsBindAssocGroupWS | 1 + source4/torture/rpc/drsuapi.c | 172 ++++++++++++++++++ - 2 files changed, 173 insertions(+) - create mode 100644 selftest/knownfail.d/drsuapi.DsBindAssocGroupWS + 1 files changed, 172 insertions(+) -diff --git a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS -new file mode 100644 -index 00000000000..9af5a904fdd ---- /dev/null -+++ b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS -@@ -0,0 +1 @@ -+^samba4.rpc.drsuapi.*drsuapi.DsBindAssocGroupWS diff --git a/source4/torture/rpc/drsuapi.c b/source4/torture/rpc/drsuapi.c index 3e8105af07b..1cd8f77db9c 100644 --- a/source4/torture/rpc/drsuapi.c @@ -715,18 +706,9 @@ Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- - .../knownfail.d/drsuapi.DsBindAssocGroupWS | 1 - source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 55 +++++++------------ - 2 files changed, 19 insertions(+), 37 deletions(-) - delete mode 100644 selftest/knownfail.d/drsuapi.DsBindAssocGroupWS + 1 files changed, 19 insertions(+), 36 deletions(-) -diff --git a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS b/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS -deleted file mode 100644 -index 9af5a904fdd..00000000000 ---- a/selftest/knownfail.d/drsuapi.DsBindAssocGroupWS -+++ /dev/null -@@ -1 +0,0 @@ --^samba4.rpc.drsuapi.*drsuapi.DsBindAssocGroupWS diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c index 7e2b6174d2f..239971d7009 100644 --- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c diff -Nru samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch --- samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/IPA-DC-add-missing-checks.patch 2022-05-28 19:52:17.000000000 +0000 
@@ -0,0 +1,54 @@
+From fadf49634500a08392f0625db4062d993ccb0b0a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 12 Nov 2021 19:06:01 +0200
+Subject: [PATCH 290/314] IPA DC: add missing checks
+
+When introducing FreeIPA support, two places were forgotten:
+
+ - schannel gensec module needs to be aware of IPA DC
+ - _lsa_QueryInfoPolicy should treat IPA DC as PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Guenther Deschner
+
+Autobuild-User(master): Alexander Bokovoy
+Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
+
+(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
+
+Autobuild-User(v4-13-test): Jule Anger
+Autobuild-Date(v4-13-test): Mon Nov 15 15:33:17 UTC 2021 on sn-devel-184
+---
+ auth/gensec/schannel.c | 1 +
+ source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index 0cdae141ead..6ebbe8f3179 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
++ case ROLE_IPA_DC:
+ return NT_STATUS_OK;
+ default:
+ return NT_STATUS_NOT_IMPLEMENTED;
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 198387424e6..08a77c80017 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -681,6 +681,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
+ switch (lp_server_role()) {
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
++ case ROLE_IPA_DC:
+ name = get_global_sam_name();
+ sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
+ if (!sid) {
+--
+2.30.2
+
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch
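Review bot: `ROLE_IPA_DC` is added to two separate role switches, in `schannel_server_start()` and `_lsa_QueryInfoPolicy()`, that are kept in step only by convention, and nothing in either hunk points at the other; the commit message says these two sites were simply forgotten, so the next role added is likely to miss one again. A comment on each new case, e.g. `case ROLE_IPA_DC: /* IPA DC acts as a DC here; keep in sync with the role switch in srv_lsa_nt.c */` and the mirror-image remark in `_lsa_QueryInfoPolicy()`, would make the coupling visible. Both enclosing functions start and end outside their hunks.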
samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch --- samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch 2022-05-28 19:52:17.000000000 +0000 
@@ -0,0 +1,77 @@ +From 43530db58aa8b7cd4e6f5365fd12ab9ee7861c0d Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 6 Jan 2022 13:58:20 -0800 +Subject: [PATCH 1/4] lib: util: Add a function nt_time_to_unix_timespec_raw(). + +Not yet used. Does no checks on the converted values. + +A later cleanup will allow us to move nt_time_to_unix_timespec() +and nt_time_to_full_timespec() to use common code. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928 + +Signed-off-by: Jeremy Allison +Reviewed-by: Christof Schmitt +(cherry picked from commit 29d69c22a0d945193ce3dac27e1083dbc5c53f03) +--- + lib/util/time.c | 30 ++++++++++++++++++++++++++++++ + lib/util/time.h | 2 ++ + 2 files changed, 32 insertions(+) + +diff --git a/lib/util/time.c b/lib/util/time.c +index 0fac5e2e397..b49d2fa6f30 100644 +--- a/lib/util/time.c ++++ b/lib/util/time.c +@@ -865,6 +865,36 @@ _PUBLIC_ int get_time_zone(time_t t) + return tm_diff(&tm_utc,tm); + } + ++/* ++ * Raw convert an NTTIME to a unix timespec. ++ */ ++ ++struct timespec nt_time_to_unix_timespec_raw( ++ NTTIME nt) ++{ ++ int64_t d; ++ struct timespec ret; ++ ++ d = (int64_t)nt; ++ /* d is now in 100ns units, since jan 1st 1601". ++ Save off the ns fraction. */ ++ ++ /* ++ * Take the last seven decimal digits and multiply by 100. ++ * to convert from 100ns units to 1ns units. 
++ */ ++ ret.tv_nsec = (long) ((d % (1000 * 1000 * 10)) * 100); ++ ++ /* Convert to seconds */ ++ d /= 1000*1000*10; ++ ++ /* Now adjust by 369 years to make the secs since 1970 */ ++ d -= TIME_FIXUP_CONSTANT_INT; ++ ++ ret.tv_sec = (time_t)d; ++ return ret; ++} ++ + struct timespec nt_time_to_unix_timespec(NTTIME nt) + { + int64_t d; +diff --git a/lib/util/time.h b/lib/util/time.h +index 4a90b40d5ce..6cd5bd4daa2 100644 +--- a/lib/util/time.h ++++ b/lib/util/time.h +@@ -342,6 +342,8 @@ bool nt_time_equal(NTTIME *t1, NTTIME *t2); + + void interpret_dos_date(uint32_t date,int *year,int *month,int *day,int *hour,int *minute,int *second); + ++struct timespec nt_time_to_unix_timespec_raw(NTTIME nt); ++ + struct timespec nt_time_to_unix_timespec(NTTIME nt); + + time_t convert_timespec_to_time_t(struct timespec ts); +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch --- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch 2022-05-28 19:52:17.000000000 +0000 
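Review bot: `nt_time_to_unix_timespec_raw()` casts `nt` to `int64_t` before `ret.tv_nsec = (long) ((d % (1000 * 1000 * 10)) * 100);`, so if NTTIME is an unsigned 64-bit type any value with bit 63 set gives a negative `d`, and with C's truncating `%` a negative `tv_nsec` plus a `tv_sec` far in the past; the commit message says no checks are done, but the code comment only says `Raw convert an NTTIME to a unix timespec.` Suggest extending that comment with the precondition, e.g. `No range checks: callers must pass nt with bit 63 clear, otherwise tv_nsec is negative.` The only caller on this page, `create_clock_itime()` in the sibling bug1005642 patch, keeps bit 63 clear by OR-ing its random byte in at bit 55, so the precondition holds there. The stray quote in the copied comment `since jan 1st 1601".` could be dropped at the same time.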
@@ -0,0 +1,60 @@ +From 9904bcf0b2dfa234abe85796ce54e5de602b1988 Mon Sep 17 00:00:00 2001 +From: Jones Syue +Date: Mon, 10 Jan 2022 09:29:44 -0800 +Subject: [PATCH 4/4] s3: includes: Make the comments describing itime + consistent. Always use "invented" time. + +It gets confusing if we call it "imaginary" or "instantiation" +in different places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928 + +Signed-off-by: Jones Syue +Reviewed-by: Jeremy Allison +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Mon Jan 10 18:42:02 UTC 2022 on sn-devel-184 + +(cherry picked from commit 745af26a1a6531b2e906aa7c1c0355cbab658441) + +Autobuild-User(v4-14-test): Jule Anger +Autobuild-Date(v4-14-test): Wed Jan 12 12:26:56 UTC 2022 on sn-devel-184 +--- + source3/include/includes.h | 4 ++-- + source3/lib/system.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/include/includes.h b/source3/include/includes.h +index 8fa65cc3122..b35108b6c8f 100644 +--- a/source3/include/includes.h ++++ b/source3/include/includes.h +@@ -209,10 +209,10 @@ struct stat_ex { + struct timespec st_ex_ctime; + struct timespec st_ex_btime; /* birthtime */ + /* +- * Immutable original birth time aka instantiation time. Set when a file ++ * Immutable original birth time aka invented time. Set when a file + * is created, never changes thereafter. May not be set by the client. + */ +- struct timespec st_ex_itime; /* instantiation time */ ++ struct timespec st_ex_itime; /* invented time */ + + blksize_t st_ex_blksize; + blkcnt_t st_ex_blocks; +diff --git a/source3/lib/system.c b/source3/lib/system.c +index cd20b7c5eaf..afc48e0d30d 100644 +--- a/source3/lib/system.c ++++ b/source3/lib/system.c +@@ -428,7 +428,7 @@ void init_stat_ex_from_stat (struct stat_ex *dst, + } + + /******************************************************************* +- Create a clock-derived itime (imaginary) time. 
Used to generate ++ Create a clock-derived itime (invented) time. Used to generate + the fileid. + ********************************************************************/ + +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch --- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch 2022-05-28 19:52:17.000000000 +0000 
@@ -0,0 +1,39 @@
+From 9c237a727a3536f8f9fdde98a943373197d43d20 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Mon, 10 Jan 2022 09:01:09 -0800
+Subject: [PATCH 3/4] s3: lib: In create_clock_itime(), use timespec_current()
+ -> clock_gettime(CLOCK_REALTIME..).
+
+CLOCK_MONOTONIC (which we previously used) is reset
+when the system is rebooted.
+
+CLOCK_REALTIME is a "wall clock" time. It's still affected by NTP
+changes (for Linux we should probably use CLOCK_TAI instead
+but that is Linux-specific). For most systems CLOCK_REALTIME
+will be good enough.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 920611f0bc98229ac4a5ee127af7f99216075341)
+---
+ source3/lib/system.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index 1a513020c57..cd20b7c5eaf 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -440,7 +440,7 @@ void create_clock_itime(struct stat_ex *dst)
+ uint8_t rval;
+ 
+ /* Start with the system clock. */
+- clock_gettime_mono(&itime);
++ itime = timespec_current();
+ 
+ /* Convert to NTTIME. */
+ tval = unix_timespec_to_nt_time(itime);
+--
+2.30.2
+
diff -Nru samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch
--- samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.13.13+dfsg/debian/patches/bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch 2022-05-28 19:52:17.000000000 +0000
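Review bot: The replacement `itime = timespec_current();` moves the itime source from the monotonic clock to CLOCK_REALTIME, and the trade-off the commit message gives (survives reboot, but moves with NTP) is not reflected in the surviving comment `/* Start with the system clock. */`. Because this value feeds fileid generation, a backward step of the wall clock can hand a later file a clock value that was already issued, and only the random byte mixed in further down separates the two; that is worth stating at the call site, e.g. `/* CLOCK_REALTIME, not the monotonic clock: survives reboots but can step backwards under NTP; the random mixin below is the only guard against a repeated value. */`. `create_clock_itime()` starts and ends outside the hunk.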
@@ -0,0 +1,139 @@ +From 18916136e42ce42b19623c1861afbddf1a7d452f Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Wed, 5 Jan 2022 11:40:46 -0800 +Subject: [PATCH 2/4] s3: smbd: Create and use a common function for generating + a fileid - create_clock_itime(). + +This first gets the clock_gettime_mono() value, converts to an NTTIME (as +this is what is stored in the dos attribute EA), then mixes in 8 bits of +randomness shifted up by 55 bits to cope with poor resolution clocks to +avoid duplicate inodes. + +Using 8 bits of randomness on top of an NTTIME gives us around 114 +years headroom. We can now guarentee returning a itime-based +fileid in a normal share (storing dos attributes in an EA). + +Remove knownfail.d/fileid-unique + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928 + +Signed-off-by: Jeremy Allison +Reviewed-by: Christof Schmitt + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Sat Jan 8 06:35:22 UTC 2022 on sn-devel-184 + +(cherry picked from commit 23fbf0bad0332a0ae0d4dc3c8f6df6e7ec46b88b) +--- + source3/include/proto.h | 1 + + source3/lib/system.c | 52 +++++++++++++++++++++++++++++++++++++++++ + source3/smbd/open.c | 6 ++--- + 3 files changed, 56 insertions(+), 3 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index de5d1be5208..4f977942084 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -230,6 +230,7 @@ void update_stat_ex_create_time(struct stat_ex *dst, struct timespec create_time + void update_stat_ex_file_id(struct stat_ex *dst, uint64_t file_id); + void update_stat_ex_from_saved_stat(struct stat_ex *dst, + const struct stat_ex *src); ++void create_clock_itime(struct stat_ex *dst); + int sys_stat(const char *fname, SMB_STRUCT_STAT *sbuf, + bool fake_dir_create_times); + int sys_fstat(int fd, SMB_STRUCT_STAT *sbuf, +diff --git a/source3/lib/system.c b/source3/lib/system.c +index f1265e0c43f..1a513020c57 100644 +--- a/source3/lib/system.c ++++ 
b/source3/lib/system.c +@@ -427,6 +427,58 @@ void init_stat_ex_from_stat (struct stat_ex *dst, + dst->st_ex_iflags |= ST_EX_IFLAG_CALCULATED_FILE_ID; + } + ++/******************************************************************* ++ Create a clock-derived itime (imaginary) time. Used to generate ++ the fileid. ++********************************************************************/ ++ ++void create_clock_itime(struct stat_ex *dst) ++{ ++ NTTIME tval; ++ struct timespec itime; ++ uint64_t mixin; ++ uint8_t rval; ++ ++ /* Start with the system clock. */ ++ clock_gettime_mono(&itime); ++ ++ /* Convert to NTTIME. */ ++ tval = unix_timespec_to_nt_time(itime); ++ ++ /* ++ * In case the system clock is poor granularity ++ * (happens on VM or docker images) then mix in ++ * 8 bits of randomness. ++ */ ++ generate_random_buffer((unsigned char *)&rval, 1); ++ mixin = rval; ++ ++ /* ++ * Shift up by 55 bits. This gives us approx 114 years ++ * of headroom. ++ */ ++ mixin <<= 55; ++ ++ /* And OR into the nttime. */ ++ tval |= mixin; ++ ++ /* ++ * Convert to a unix timespec, ignoring any ++ * constraints on seconds being higher than ++ * TIME_T_MAX or lower than TIME_T_MIN. These ++ * are only needed to allow unix display time functions ++ * to work correctly, and this is being used to ++ * generate a fileid. All we care about is the ++ * NTTIME being valid across all NTTIME ranges ++ * (which we carefully ensured above). ++ */ ++ ++ itime = nt_time_to_unix_timespec_raw(tval); ++ ++ /* And set as a generated itime. */ ++ update_stat_ex_itime(dst, itime); ++} ++ + /******************************************************************* + A stat() wrapper. 
+ ********************************************************************/ +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index ef158657684..f7646f98b33 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -4134,13 +4134,13 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn, + * If we created a file and it's not a stream, this is the point where + * we set the itime (aka invented time) that get's stored in the DOS + * attribute xattr. The value is going to be either what the filesystem +- * provided or a copy of the creation date. ++ * provided or a generated itime value. + * + * Either way, we turn the itime into a File-ID, unless the filesystem + * provided one (unlikely). + */ + if (info == FILE_WAS_CREATED && !is_named_stream(smb_fname)) { +- smb_fname->st.st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_ITIME; ++ create_clock_itime(&smb_fname->st); + + if (lp_store_dos_attributes(SNUM(conn)) && + smb_fname->st.st_ex_iflags & ST_EX_IFLAG_CALCULATED_FILE_ID) +@@ -4318,7 +4318,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn, + return NT_STATUS_NOT_A_DIRECTORY; + } + +- smb_dname->st.st_ex_iflags &= ~ST_EX_IFLAG_CALCULATED_ITIME; ++ create_clock_itime(&smb_dname->st); + + if (lp_store_dos_attributes(SNUM(conn))) { + if (smb_dname->st.st_ex_iflags & ST_EX_IFLAG_CALCULATED_FILE_ID) +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch --- samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch 2022-05-28 19:52:17.000000000 +0000 
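Review bot: In `create_clock_itime()` the random byte is merged with `tval |= mixin;` after `mixin <<= 55;`, so the eight random bits are OR-ed, not added, onto bits 55–62 of the clock value. Using the page's own figures (100 ns units since 1601, 2^55 units being the "approx 114 years" the comment cites), a present-day NTTIME already has bits 55 and 56 set, so the two low random bits change nothing and the mixin yields at most 64 distinct values rather than the 256 that `mix in 8 bits of randomness` suggests; on a coarse clock that is the whole collision budget for files created in the same tick. Plain addition would restore the range but could carry into bit 63 and break the sign assumption in `nt_time_to_unix_timespec_raw()`, so if the reduced range is acceptable the comment should say so, e.g. `/* OR-ed, not added, to keep bit 63 clear; random bits that the current date already sets are lost, so fewer than 256 distinct values result. */`. This is an upstream cherry-pick, so the point is probably best raised upstream rather than carried as a Debian-only edit.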
@@ -0,0 +1,34 @@
+From b00fed3b698cc78a377d71e0574c878e262c4808 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Mon, 23 Aug 2021 17:40:42 -0700
+Subject: [PATCH] s3: mdssvc: Correctly disconnect the VFS connection inside
+ the mds_ctx destructor.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Ralph Boehme
+(cherry picked from commit b4d8c62c4e8191e05fd03dd096a0bc989e224ed3)
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 715de272d32..a983a882294 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1568,6 +1568,11 @@ static int mds_ctx_destructor_cb(struct mds_ctx *mds_ctx)
+ }
+ TALLOC_FREE(mds_ctx->ino_path_map);
+ 
++ if (mds_ctx->conn != NULL) {
++ SMB_VFS_DISCONNECT(mds_ctx->conn);
++ conn_free(mds_ctx->conn);
++ }
++
+ ZERO_STRUCTP(mds_ctx);
+ 
+ return 0;
+--
+2.30.2
+
diff -Nru samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch
--- samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.13.13+dfsg/debian/patches/bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch 2022-05-28 19:52:17.000000000 +0000
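Review bot: The new block in `mds_ctx_destructor_cb()` that disconnects and frees `mds_ctx->conn` carries no comment, and its reason lives only in the commit message and the changelog, which ties it to the coredump reported as bug 14809; the next reader sees an unexplained teardown just before `ZERO_STRUCTP(mds_ctx);`. A comment such as `/* Tear down the VFS connection before ZERO_STRUCTP() discards the pointer (bug 14809). */` above the `if` would capture that. Whether `conn_free()` already performs the `SMB_VFS_DISCONNECT()` itself is not visible here, so the explicit pairing is assumed to be required. `mds_ctx_destructor_cb()` starts and ends outside the hunk.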
@@ -0,0 +1,46 @@ +From 97dc8c0dcccbcecd3a8f8f3872b47d3a3c6e8036 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 23 Aug 2021 17:42:40 -0700 +Subject: [PATCH] s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an + unallocated pointer on error. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Just return the status - if create_conn_struct_as_root() fails +the connection struct never gets returned. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14809 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Wed Aug 25 17:09:23 UTC 2021 on sn-devel-184 + +(cherry picked from commit 857045f3a236dea125200dd09279d677e513682b) +--- + source3/smbd/msdfs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c +index 3a1dd11d9eb..3645f5d21d5 100644 +--- a/source3/smbd/msdfs.c ++++ b/source3/smbd/msdfs.c +@@ -525,12 +525,7 @@ NTSTATUS create_conn_struct_cwd(TALLOC_CTX *mem_ctx, + path, + session_info); + unbecome_root(); +- if (!NT_STATUS_IS_OK(status)) { +- TALLOC_FREE(c); +- return status; +- } +- +- return NT_STATUS_OK; ++ return status; + } + + static void shuffle_strlist(char **list, int count) +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch --- samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch 2022-05-28 19:52:17.000000000 +0000 
@@ -0,0 +1,63 @@ +From dd679ce7f4450765274b085bbee97d1fa8e0f2a0 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 12 Nov 2021 12:44:44 +1300 +Subject: [PATCH 298/314] dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching + for the local replicated object + +This may allow further processing when the DN normalisation has changed +which changes the indexing, such as seen after fixes for bug 14656. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Stefan Metzmacher +(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7) + +Autobuild-User(v4-13-test): Stefan Metzmacher +Autobuild-Date(v4-13-test): Wed Dec 8 16:49:25 UTC 2021 on sn-devel-184 +--- + source4/dsdb/samdb/ldb_modules/operational.c | 2 +- + source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c +index 5eaebf98141..4e60feaf14f 100644 +--- a/source4/dsdb/samdb/ldb_modules/operational.c ++++ b/source4/dsdb/samdb/ldb_modules/operational.c +@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = { + { "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups }, + { "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc}, + { "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups }, +- { "parentGUID", NULL, NULL, construct_parent_guid }, ++ { "parentGUID", "objectGUID", NULL, construct_parent_guid }, + { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }, + { "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc }, + { "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber }, +diff --git 
a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +index 58c04da5f53..870185ee1d3 100644 +--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c ++++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +@@ -6923,7 +6923,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar) + ar->req); + LDB_REQ_SET_LOCATION(search_req); + +- ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED); ++ /* ++ * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the ++ * DN. This in turn helps our operational module find the ++ * record by GUID, not DN lookup which is more error prone if ++ * DN indexing changes. We prefer to keep chasing GUIDs ++ * around if possible, even within a transaction. ++ * ++ * The aim here is to keep replication moving and allow a ++ * reindex later. ++ */ ++ ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED ++ |DSDB_SEARCH_SHOW_EXTENDED_DN); + + if (ret != LDB_SUCCESS) { + return ret; +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch --- samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch 2022-05-28 19:52:17.000000000 +0000 
@@ -0,0 +1,97 @@ +From 9c2e3c72c0cdde31a2a5c2e58ce508070ec151d0 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 21 Sep 2021 17:38:27 -0700 +Subject: [PATCH 302/314] s3: smbd: Fix mkdir race condition allows share + escape in Samba 4.13.X and below: CVE-2021-43566 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13979 + +Signed-off-by: Jeremy Allison +--- + source3/smbd/open.c | 43 ++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 40 insertions(+), 3 deletions(-) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index ef158657684..17163e9ddea 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -4255,6 +4255,8 @@ static NTSTATUS mkdir_internal(connection_struct *conn, + uint32_t access_mask = SEC_DIR_ADD_SUBDIR; + int ret; + bool ok; ++ struct smb_filename *oldwd_fname = NULL; ++ struct smb_filename *smb_fname_rel = NULL; + + SMB_ASSERT(*dirfsp == conn->cwd_fsp); + +@@ -4267,7 +4269,7 @@ static NTSTATUS mkdir_internal(connection_struct *conn, + ok = parent_smb_fname(talloc_tos(), + smb_dname, + &parent_dir_fname, +- NULL); ++ &smb_fname_rel); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } +@@ -4295,14 +4297,40 @@ static NTSTATUS mkdir_internal(connection_struct *conn, + return status; + } + ++ oldwd_fname = vfs_GetWd(talloc_tos(), conn); ++ if (oldwd_fname == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ /* Pin parent directory in place. */ ++ if (vfs_ChDir(conn, parent_dir_fname) == -1) { ++ status = map_nt_error_from_unix(errno); ++ TALLOC_FREE(oldwd_fname); ++ return status; ++ } ++ ++ /* Ensure the relative path is below the share. */ ++ status = check_reduced_name(conn, parent_dir_fname, smb_fname_rel); ++ if (!NT_STATUS_IS_OK(status)) { ++ goto need_chdir_err; ++ } ++ + ret = SMB_VFS_MKDIRAT(conn, + *dirfsp, +- smb_dname, ++ smb_fname_rel, + mode); + if (ret != 0) { +- return map_nt_error_from_unix(errno); ++ status = map_nt_error_from_unix(errno); ++ goto need_chdir_err; + } + ++ /* Return to share $cwd. 
*/ ++ ret = vfs_ChDir(conn, oldwd_fname); ++ if (ret == -1) { ++ smb_panic("unable to get back to old directory\n"); ++ } ++ TALLOC_FREE(oldwd_fname); ++ + /* Ensure we're checking for a symlink here.... */ + /* We don't want to get caught by a symlink racer. */ + +@@ -4378,6 +4406,15 @@ static NTSTATUS mkdir_internal(connection_struct *conn, + smb_dname->base_name); + + return NT_STATUS_OK; ++ ++ need_chdir_err: ++ ++ ret = vfs_ChDir(conn, oldwd_fname); ++ if (ret == -1) { ++ smb_panic("unable to get back to old directory\n"); ++ } ++ TALLOC_FREE(oldwd_fname); ++ return status; + } + + /**************************************************************************** +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch --- samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/s3-winbindd-fix-allow-trusted-domains-no-regression.patch 2022-05-28 19:52:17.000000000 +0000 
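Review bot: The comment `/* Pin parent directory in place. */` in `mkdir_internal` names the mechanism but not the threat, so a maintainer reading only the code cannot tell why the create must go through `smb_fname_rel` relative to the pinned cwd instead of the full `smb_dname`. Extend it to `/* chdir into the parent and create via a name relative to it so a concurrent rename of a path component cannot redirect the mkdir outside the share (CVE-2021-43566); check_reduced_name() below validates the relative name against the pinned parent. */`. The restore sequence `vfs_ChDir(conn, oldwd_fname)` / `smb_panic(...)` / `TALLOC_FREE(oldwd_fname)` now appears twice, once inline on the success path and once under `need_chdir_err:`; a small static helper would keep the two copies from drifting. `mkdir_internal` begins before the first inner hunk, and the symlink re-check it relies on after the cwd restore is only partly visible here.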
@@ -0,0 +1,46 @@ +From b7158d4ce853f3ce4342ff9756490104ad163b9c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 9 Nov 2021 20:50:20 +0100 +Subject: [PATCH 289/314] s3:winbindd: fix "allow trusted domains = no" + regression + +add_trusted_domain() should only reject domains +based on is_allowed_domain(), which now also +checks "allow trusted domains = no", if we don't +have an explicit trust to the domain (SEC_CHAN_NULL). + +We use at least SEC_CHAN_LOCAL for local domains like +BUILTIN. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 + +(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) + +Autobuild-User(v4-13-test): Stefan Metzmacher +Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184 +--- + source3/winbindd/winbindd_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 1ae4a8d3ca3..a4f33c4765b 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -131,7 +131,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, + return NT_STATUS_INVALID_PARAMETER; + } + +- if (!is_allowed_domain(domain_name)) { ++ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + +-- +2.30.2 + diff -Nru samba-4.13.13+dfsg/debian/patches/series samba-4.13.13+dfsg/debian/patches/series --- samba-4.13.13+dfsg/debian/patches/series 2022-02-03 20:54:02.000000000 +0000 +++ samba-4.13.13+dfsg/debian/patches/series 2022-05-28 19:52:17.000000000 +0000 
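Review bot: The rewritten condition `if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {` in `add_trusted_domain` runs past Samba's 80-column convention, and the reason for the `SEC_CHAN_NULL` guard lives only in the commit message. Wrap it as `if (secure_channel_type == SEC_CHAN_NULL &&` / `    !is_allowed_domain(domain_name)) {` and precede it with `/* Only consult "allow trusted domains" for domains we have no explicit trust to; local domains such as BUILTIN carry at least SEC_CHAN_LOCAL. */`. `add_trusted_domain` starts before the inner hunk.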
@@ -288,3 +288,14 @@
 0004-CVE-2020-25717-selftest-turn-ad_member_no_nss_wb-int.patch
 0005-CVE-2020-25717-tests-krb5-Add-a-test-for-idmap_nss-m.patch
 0006-CVE-2020-25717-s3-auth-Fallback-to-a-SID-UID-based-m.patch
+s3-winbindd-fix-allow-trusted-domains-no-regression.patch
+IPA-DC-add-missing-checks.patch
+CVE-2020-25717-s3-auth-fix-MIT-Realm-regression.patch
+dsdb-Use-DSDB_SEARCH_SHOW_EXTENDED_DN-when-searching.patch
+s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch
+bug1005642-lib-util-Add-a-function-nt_time_to_unix_timespec_raw.patch
+bug1005642-s3-smbd-Create-and-use-a-common-function-for-generat.patch
+bug1005642-s3-lib-In-create_clock_itime-use-timespec_current-cl.patch
+bug1005642-s3-includes-Make-the-comments-describing-itime-consi.patch
+bug998423-s3-mdssvc-Correctly-disconnect-the-VFS-connection-in.patch
+bug998423-s3-smbd-In-create_conn_struct_cwd-don-t-TALLOC_FREE-.patch
diff -Nru samba-4.13.13+dfsg/debian/rules samba-4.13.13+dfsg/debian/rules
--- samba-4.13.13+dfsg/debian/rules 2022-02-03 20:54:02.000000000 +0000
+++ samba-4.13.13+dfsg/debian/rules 2022-05-28 19:52:17.000000000 +0000
@@ -25,7 +25,7 @@
 export PYSHORT=python3 export PYTHON=$(shell which $(PYSHORT)) export PYTHON_CONFIG="$(PYTHON)-config" -WAF := $(PYTHON) ./buildtools/bin/waf -v +WAF := PYTHONHASHSEED=1 $(PYTHON) ./buildtools/bin/waf -v WAF_NO_PARALLEL := $(WAF) -j 1 # wrapper around cups-config, to work around #726726
diff -Nru samba-4.13.13+dfsg/debian/salsa-ci.yml samba-4.13.13+dfsg/debian/salsa-ci.yml
--- samba-4.13.13+dfsg/debian/salsa-ci.yml 2022-02-03 20:54:02.000000000 +0000
+++ samba-4.13.13+dfsg/debian/salsa-ci.yml 2022-05-28 19:52:17.000000000 +0000
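Review bot: `WAF := PYTHONHASHSEED=1 $(PYTHON) ./buildtools/bin/waf -v` fixes the hash seed only for commands expanded from `$(WAF)` (and from `WAF_NO_PARALLEL`, which derives from it), whereas the neighbouring interpreter settings in the same hunk are `export`ed make variables. If any other Python step in rules influences build output ordering it still runs unseeded; `export PYTHONHASHSEED=1` next to `export PYTHON=...` would cover every invocation and leave the `WAF` line unchanged. Either way a one-line comment naming the motivation, e.g. `# deterministic dict/set ordering in waf, see #1006935 / #1009855`, saves the next reader a changelog lookup.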
@@ -4,7 +4,7 @@
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml variables: - RELEASE: 'experimental' + RELEASE: 'bullseye' blhc: # Until https://bugs.debian.org/929503 is fixed in blhc
diff -Nru samba-4.13.13+dfsg/debian/samba-common-bin.postinst samba-4.13.13+dfsg/debian/samba-common-bin.postinst
--- samba-4.13.13+dfsg/debian/samba-common-bin.postinst 2022-02-03 20:54:02.000000000 +0000
+++ samba-4.13.13+dfsg/debian/samba-common-bin.postinst 2022-05-24 14:03:51.000000000 +0000
@@ -2,10 +2,8 @@
 set -e -# systemd-tmpfiles should be called before testparm -# See https://bugs.debian.org/975422 - -#DEBHELPER# +# ensure a (tmpfs-based) /run/samba exists before running testparm +[ -d /run/samba ] || mkdir -p /run/samba if [ "$1" = "configure" ] ; then SERVER_ROLE=`samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1`
@@ -19,3 +17,5 @@
 echo "Done"
 fi
 fi
+
+#DEBHELPER#
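Review bot: `[ -d /run/samba ] || mkdir -p /run/samba` creates the directory with whatever umask the maintainer script inherits rather than an explicit mode, and the `-d` test is redundant with `-p`. Since `#DEBHELPER#` (and with it, presumably, the generated systemd-tmpfiles invocation the removed comment referred to) now moves after the `testparm` block, this `mkdir` is what the first `samba-tool testparm` run sees; `mkdir -p -m 0755 /run/samba` pins the mode instead of depending on the caller's umask. The removed comment pointed at https://bugs.debian.org/975422 for why the ordering matters; keeping that reference in the new comment, e.g. `# ensure /run/samba exists before running testparm, see https://bugs.debian.org/975422`, preserves the rationale.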