From 05aafc282ba7bbef7d888d761c2d42341745bf50 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Wed, 4 Mar 2020 01:39:54 +0000 Subject: Wed Mar 4 01:39:54 UTC 2020 xap/seamonkey-2.53.1-x86_64-2.txz: Rebuilt. Fixed $LIBDIRSUFFIX for 32-bit. Thanks to ljb643. --- source/n/samba/0000-use-gnutls-for-des-cbc.patch | 371 --------------------- ...001-handle-removal-des-enctypes-from-krb5.patch | 314 ----------------- ...mba-tool-create-working-private-krb5.conf.patch | 42 --- source/n/samba/samba.SlackBuild | 7 +- source/n/samba/samba.url | 4 +- 5 files changed, 3 insertions(+), 735 deletions(-) delete mode 100644 source/n/samba/0000-use-gnutls-for-des-cbc.patch delete mode 100644 source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch delete mode 100644 source/n/samba/0002-samba-tool-create-working-private-krb5.conf.patch (limited to 'source/n/samba') diff --git a/source/n/samba/0000-use-gnutls-for-des-cbc.patch b/source/n/samba/0000-use-gnutls-for-des-cbc.patch deleted file mode 100644 index 9180a646..00000000 --- a/source/n/samba/0000-use-gnutls-for-des-cbc.patch +++ /dev/null @@ -1,371 +0,0 @@ -From 21073bff847fbc41d3dab0a649fa400d8188fa16 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 19 Oct 2019 23:48:19 +0300 -Subject: [PATCH 1/2] smbdes: add des_crypt56_gnutls() using use DES-CBC with - zeroed IV - -Signed-off-by: Isaac Boukris ---- - libcli/auth/smbdes.c | 47 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 47 insertions(+) - -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 6d9a6dc2ce8..37ede91ad22 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -23,6 +23,9 @@ - #include "includes.h" - #include "libcli/auth/libcli_auth.h" - -+#include -+#include -+ - /* NOTES: - - This code makes no attempt to be fast! In fact, it is a very -@@ -273,6 +276,50 @@ static void str_to_key(const uint8_t *str,uint8_t *key) - } - } - -+static int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8], -+ const uint8_t key_in[7], bool enc) -+{ -+ static uint8_t iv8[8]; -+ gnutls_datum_t iv = { iv8, 8 }; -+ gnutls_datum_t key; -+ gnutls_cipher_hd_t ctx; -+ uint8_t key2[8]; -+ uint8_t outb[8]; -+ int ret; -+ -+ memset(out, 0, 8); -+ -+ str_to_key(key_in, key2); -+ -+ key.data = key2; -+ key.size = 8; -+ -+ ret = gnutls_global_init(); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ memcpy(outb, in, 8); -+ if (enc) { -+ ret = gnutls_cipher_encrypt(ctx, outb, 8); -+ } else { -+ ret = gnutls_cipher_decrypt(ctx, outb, 8); -+ } -+ -+ if (ret == 0) { -+ memcpy(out, outb, 8); -+ } -+ -+ gnutls_cipher_deinit(ctx); -+ -+ return ret; -+} -+ - /* - basic des crypt using a 56 bit (7 byte) key - */ --- -2.22.0 - - -From 6d6651213f391840e3004ec3b055f8f25be9b360 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Mon, 21 Oct 2019 20:03:04 +0300 -Subject: [PATCH 2/2] smbdes: use the new des_crypt56_gnutls() - -and remove builtin DES crypto. - -Signed-off-by: Isaac Boukris ---- - libcli/auth/smbdes.c | 258 +------------------------------------------ - 1 file changed, 1 insertion(+), 257 deletions(-) - -diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c -index 37ede91ad22..7de05b75303 100644 ---- a/libcli/auth/smbdes.c -+++ b/libcli/auth/smbdes.c -@@ -26,239 +26,6 @@ - #include - #include - --/* NOTES: -- -- This code makes no attempt to be fast! In fact, it is a very -- slow implementation -- -- This code is NOT a complete DES implementation. It implements only -- the minimum necessary for SMB authentication, as used by all SMB -- products (including every copy of Microsoft Windows95 ever sold) -- -- In particular, it can only do a unchained forward DES pass. This -- means it is not possible to use this code for encryption/decryption -- of data, instead it is only useful as a "hash" algorithm. -- -- There is no entry point into this code that allows normal DES operation. -- -- I believe this means that this code does not come under ITAR -- regulations but this is NOT a legal opinion. If you are concerned -- about the applicability of ITAR regulations to this code then you -- should confirm it for yourself (and maybe let me know if you come -- up with a different answer to the one above) --*/ -- -- --static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9, -- 1, 58, 50, 42, 34, 26, 18, -- 10, 2, 59, 51, 43, 35, 27, -- 19, 11, 3, 60, 52, 44, 36, -- 63, 55, 47, 39, 31, 23, 15, -- 7, 62, 54, 46, 38, 30, 22, -- 14, 6, 61, 53, 45, 37, 29, -- 21, 13, 5, 28, 20, 12, 4}; -- --static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5, -- 3, 28, 15, 6, 21, 10, -- 23, 19, 12, 4, 26, 8, -- 16, 7, 27, 20, 13, 2, -- 41, 52, 31, 37, 47, 55, -- 30, 40, 51, 45, 33, 48, -- 44, 49, 39, 56, 34, 53, -- 46, 42, 50, 36, 29, 32}; -- --static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, -- 60, 52, 44, 36, 28, 20, 12, 4, -- 62, 54, 46, 38, 30, 22, 14, 6, -- 64, 56, 48, 40, 32, 24, 16, 8, -- 57, 49, 41, 33, 25, 17, 9, 1, -- 59, 51, 43, 35, 27, 19, 11, 3, -- 61, 53, 45, 37, 29, 21, 13, 5, -- 63, 55, 47, 39, 31, 23, 15, 7}; -- --static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5, -- 4, 5, 6, 7, 8, 9, -- 8, 9, 10, 11, 12, 13, -- 12, 13, 14, 15, 16, 17, -- 16, 17, 18, 19, 20, 21, -- 20, 21, 22, 23, 24, 25, -- 24, 25, 26, 27, 28, 29, -- 28, 29, 30, 31, 32, 1}; -- --static const uint8_t perm5[32] = { 16, 7, 20, 21, -- 29, 12, 28, 17, -- 1, 15, 23, 26, -- 5, 18, 31, 10, -- 2, 8, 24, 14, -- 32, 27, 3, 9, -- 19, 13, 30, 6, -- 22, 11, 4, 25}; -- -- --static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, -- 39, 7, 47, 15, 55, 23, 63, 31, -- 38, 6, 46, 14, 54, 22, 62, 30, -- 37, 5, 45, 13, 53, 21, 61, 29, -- 36, 4, 44, 12, 52, 20, 60, 28, -- 35, 3, 43, 11, 51, 19, 59, 27, -- 34, 2, 42, 10, 50, 18, 58, 26, -- 33, 1, 41, 9, 49, 17, 57, 25}; -- -- --static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; -- --static const uint8_t sbox[8][4][16] = { -- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, -- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, -- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, -- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, -- -- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, -- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, -- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, -- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, -- -- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, -- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, -- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, -- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, -- -- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, -- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, -- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, -- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, -- -- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, -- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, -- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, -- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, -- -- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, -- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, -- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, -- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, -- -- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, -- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, -- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, -- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, -- -- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, -- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, -- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, -- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; -- --static void permute(char *out, const char *in, const uint8_t *p, int n) --{ -- int i; -- for (i=0;i -Date: Wed, 6 Nov 2019 12:12:55 +0200 -Subject: [PATCH] Remove DES support if MIT Kerberos version does not support - it - ---- - source3/libads/kerberos_keytab.c | 2 - - source3/passdb/machine_account_secrets.c | 36 ------------------ - source4/auth/kerberos/kerberos.h | 2 +- - .../dsdb/samdb/ldb_modules/password_hash.c | 12 ++++++ - source4/kdc/db-glue.c | 4 +- - source4/torture/rpc/remote_pac.c | 37 ------------------- - testprogs/blackbox/dbcheck-oldrelease.sh | 2 +- - testprogs/blackbox/functionalprep.sh | 2 +- - .../blackbox/test_export_keytab_heimdal.sh | 16 ++++---- - .../blackbox/upgradeprovision-oldrelease.sh | 2 +- - 10 files changed, 26 insertions(+), 89 deletions(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 97d5535041c..7d193e1a600 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) - krb5_data password; - krb5_kvno kvno; - krb5_enctype enctypes[6] = { -- ENCTYPE_DES_CBC_CRC, -- ENCTYPE_DES_CBC_MD5, - #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - #endif -diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index dfc21f295a1..efba80f1474 100644 ---- a/source3/passdb/machine_account_secrets.c -+++ b/source3/passdb/machine_account_secrets.c -@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor - krb5_keyblock key; - DATA_BLOB aes_256_b = data_blob_null; - DATA_BLOB aes_128_b = data_blob_null; -- DATA_BLOB des_md5_b = data_blob_null; - bool ok; - #endif /* HAVE_ADS */ - DATA_BLOB arc4_b = data_blob_null; -@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor - return ENOMEM; - } - -- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, -- NULL, -- &salt, -- &cleartext_utf8, -- ENCTYPE_DES_CBC_MD5, -- &key); -- if (krb5_ret != 0) { -- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n", -- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys)); -- krb5_free_context(krb5_ctx); -- TALLOC_FREE(keys); -- TALLOC_FREE(salt_data); -- return krb5_ret; -- } -- des_md5_b = data_blob_talloc(keys, -- KRB5_KEY_DATA(&key), -- KRB5_KEY_LENGTH(&key)); -- krb5_free_keyblock_contents(krb5_ctx, &key); -- if (des_md5_b.data == NULL) { -- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n"); -- krb5_free_context(krb5_ctx); -- TALLOC_FREE(keys); -- TALLOC_FREE(salt_data); -- return ENOMEM; -- } -- - krb5_free_context(krb5_ctx); - no_kerberos: - -@@ -1227,15 +1200,6 @@ no_kerberos: - keys[idx].value = arc4_b; - idx += 1; - --#ifdef HAVE_ADS -- if (des_md5_b.length != 0) { -- keys[idx].keytype = ENCTYPE_DES_CBC_MD5; -- keys[idx].iteration_count = 4096; -- keys[idx].value = des_md5_b; -- idx += 1; -- } --#endif /* HAVE_ADS */ -- - p->salt_data = salt_data; - p->default_iteration_count = 4096; - p->num_keys = idx; -diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h -index 2ff9e3868af..1dd63acc838 100644 ---- a/source4/auth/kerberos/kerberos.h -+++ b/source4/auth/kerberos/kerberos.h -@@ -50,7 +50,7 @@ struct keytab_container { - #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") - #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") - --#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \ -+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \ - ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256) - - #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES -diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c -index 006e35c46d5..f16937c6cab 100644 ---- a/source4/dsdb/samdb/ldb_modules/password_hash.c -+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c -@@ -786,6 +786,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) - * create ENCTYPE_DES_CBC_MD5 key out of - * the salt and the cleartext password - */ -+#ifdef SAMBA4_USES_HEIMDAL - krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, - NULL, - &salt, -@@ -804,6 +805,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) - KRB5_KEY_DATA(&key), - KRB5_KEY_LENGTH(&key)); - krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); -+#else -+ /* MIT has dropped support for DES enctypes, store a random key instead. */ -+ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8); -+ generate_secret_buffer(io->g.des_md5.data, 8); -+#endif - if (!io->g.des_md5.data) { - return ldb_oom(ldb); - } -@@ -812,6 +818,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) - * create ENCTYPE_DES_CBC_CRC key out of - * the salt and the cleartext password - */ -+#ifdef SAMBA4_USES_HEIMDAL - krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, - NULL, - &salt, -@@ -830,6 +837,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) - KRB5_KEY_DATA(&key), - KRB5_KEY_LENGTH(&key)); - krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); -+#else -+ /* MIT has dropped support for DES enctypes, store a random key instead. */ -+ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8); -+ generate_secret_buffer(io->g.des_crc.data, 8); -+#endif - if (!io->g.des_crc.data) { - return ldb_oom(ldb); - } -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index f62a633c6c7..023ae7b580d 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, - - /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ - if (userAccountControl & UF_USE_DES_KEY_ONLY) { -- supported_enctypes = ENC_CRC32|ENC_RSA_MD5; -+ supported_enctypes = 0; - } else { - /* Otherwise, add in the default enc types */ -- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; -+ supported_enctypes |= ENC_RC4_HMAC_MD5; - } - - /* Is this the krbtgt or a RODC krbtgt */ -diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c -index 7a5cda74b74..f12060e3c8f 100644 ---- a/source4/torture/rpc/remote_pac.c -+++ b/source4/torture/rpc/remote_pac.c -@@ -38,7 +38,6 @@ - - #define TEST_MACHINE_NAME_BDC "torturepacbdc" - #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" --#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" - #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc" - #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk" - -@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, - NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); - } - --static bool test_PACVerify_workstation_des(struct torture_context *tctx, -- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) --{ -- struct samr_SetUserInfo r; -- union samr_UserInfo user_info; -- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); -- struct smb_krb5_context *smb_krb5_context; -- krb5_error_code ret; -- -- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(), -- tctx->lp_ctx, &smb_krb5_context); -- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); -- -- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) { -- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); -- } -- -- /* Mark this workstation with DES-only */ -- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; -- r.in.user_handle = torture_join_samr_user_policy(join_ctx); -- r.in.level = 16; -- r.in.info = &user_info; -- -- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), -- "failed to set DES info account flags"); -- torture_assert_ntstatus_ok(tctx, r.out.result, -- "failed to set DES into account flags"); -- -- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, -- TEST_MACHINE_NAME_WKSTA_DES, -- NETLOGON_NEG_AUTH2_ADS_FLAGS); --} -- - #ifdef SAMBA4_USES_HEIMDAL - static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, - uint16_t validation_level, -@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) - &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); - torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); - -- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", -- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); -- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); - #ifdef SAMBA4_USES_HEIMDAL - tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", - &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); -diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh -index 3d0ee2c165a..41c55178d4e 100755 ---- a/testprogs/blackbox/dbcheck-oldrelease.sh -+++ b/testprogs/blackbox/dbcheck-oldrelease.sh -@@ -388,7 +388,7 @@ referenceprovision() { - - ldapcmp() { - if [ x$RELEASE = x"release-4-0-0" ]; then -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName -+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes - fi - } - -diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh -index 80e82252d45..1d37611ef7a 100755 ---- a/testprogs/blackbox/functionalprep.sh -+++ b/testprogs/blackbox/functionalprep.sh -@@ -61,7 +61,7 @@ provision_2012r2() { - ldapcmp_ignore() { - # At some point we will need to ignore, but right now, it should be perfect - IGNORE_ATTRS=$1 -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn -+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes - } - - ldapcmp() { -diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh -index cfa245fd4de..6a2595cd684 100755 ---- a/testprogs/blackbox/test_export_keytab_heimdal.sh -+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh -@@ -43,7 +43,7 @@ test_keytab() { - - echo "test: $testname" - -- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour") -+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") - status=$? - if [ x$status != x0 ]; then - echo "failure: $testname" -@@ -64,22 +64,22 @@ unc="//$SERVER/tmp" - testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1` - - testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 -+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 - testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 -+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 - - testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 -+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 - testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` --test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 -+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 - - testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 -+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 - testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 -+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 - - testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1` --test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5 -+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 - - KRB5CCNAME="$PREFIX/tmpuserccache" - export KRB5CCNAME -diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh -index 76276168011..208baa54a02 100755 ---- a/testprogs/blackbox/upgradeprovision-oldrelease.sh -+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh -@@ -106,7 +106,7 @@ referenceprovision() { - - ldapcmp() { - if [ x$RELEASE != x"alpha13" ]; then -- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName -+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes - fi - } - --- -2.23.0 - diff --git a/source/n/samba/0002-samba-tool-create-working-private-krb5.conf.patch b/source/n/samba/0002-samba-tool-create-working-private-krb5.conf.patch deleted file mode 100644 index 643d3676..00000000 --- a/source/n/samba/0002-samba-tool-create-working-private-krb5.conf.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 5a084994144704a6c146b94f8a22cf57ce08deab Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 7 Oct 2019 18:24:28 +0300 -Subject: [PATCH] samba-tool: create working private krb5.conf - -DNS update tool uses private krb5.conf which should have enough details -to authenticate with GSS-TSIG when running nsupdate. - -Unfortunately, the configuration we provide is not enough. We set -defaults to not lookup REALM via DNS but at the same time we don't -provide any realm definition. As result, MIT Kerberos cannot actually -find a working realm for Samba AD deployment because it cannot query DNS -for a realm discovery or pick it up from the configuration. - -Extend private krb5.conf with a realm definition that will allow MIT -Kerberos to look up KDC over DNS. - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider ---- - source4/setup/krb5.conf | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf -index b1bf6cf907d..ad6f2818fb5 100644 ---- a/source4/setup/krb5.conf -+++ b/source4/setup/krb5.conf -@@ -2,3 +2,11 @@ - default_realm = ${REALM} - dns_lookup_realm = false - dns_lookup_kdc = true -+ -+[realms] -+${REALM} = { -+ default_domain = ${DNSDOMAIN} -+} -+ -+[domain_realm] -+ ${HOSTNAME} = ${REALM} --- -2.21.0 - diff --git a/source/n/samba/samba.SlackBuild b/source/n/samba/samba.SlackBuild index 70cfe97d..854483e3 100755 --- a/source/n/samba/samba.SlackBuild +++ b/source/n/samba/samba.SlackBuild @@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=samba VERSION=${VERSION:-$(echo samba-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} if [ -e $CWD/machine.conf ]; then . $CWD/machine.conf ] @@ -104,11 +104,6 @@ find . \ if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then PAM_OPTIONS="--with-pam --with-pammodulesdir=/lib${LIBDIRSUFFIX}/security --with-system-mitkrb5 --with-experimental-mit-ad-dc" unset SHADOW_OPTIONS - # Handle removal of ENCTYPE_DES_CBC_MD5 from krb5. - # These patches are already upstreamed in the 4.12.0 RC. - zcat $CWD/0000-use-gnutls-for-des-cbc.patch.gz | patch -p1 --verbose || exit 1 - zcat $CWD/0001-handle-removal-des-enctypes-from-krb5.patch.gz | patch -p1 --verbose || exit 1 - zcat $CWD/0002-samba-tool-create-working-private-krb5.conf.patch.gz | patch -p1 --verbose || exit 1 else unset PAM_OPTIONS SHADOW_OPTIONS="--without-pam" diff --git a/source/n/samba/samba.url b/source/n/samba/samba.url index 99cf6b0d..ba966eed 100644 --- a/source/n/samba/samba.url +++ b/source/n/samba/samba.url @@ -1,2 +1,2 @@ -https://download.samba.org/pub/samba/stable/samba-4.11.6.tar.gz -https://download.samba.org/pub/samba/stable/samba-4.11.6.tar.asc +https://download.samba.org/pub/samba/stable/samba-4.12.0.tar.gz +https://download.samba.org/pub/samba/stable/samba-4.12.0.tar.asc -- cgit v1.2.3