domenico/openwrt-19.07
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
domenico
2025-06-24 16:03:39 +02:00
commit f3256cdaf2
6949 changed files with 1441681 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
package/network/services/samba36/Makefile Normal file
View File

@@ -0,0 +1,191 @@
#
# Copyright (C) 2007-2014 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=samba
PKG_VERSION:=3.6.25
PKG_RELEASE:=14
PKG_SOURCE_URL:=https://download.samba.org/pub/samba \
https://download.samba.org/pub/samba/stable
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_HASH:=8f2c8a7f2bd89b0dfd228ed917815852f7c625b2bc0936304ac3ed63aaf83751
PKG_LICENSE:=GPL-3.0
PKG_LICENSE_FILES:=COPYING
PKG_CPE_ID:=cpe:/a:samba:samba
PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
MAKE_PATH:=source3
CONFIGURE_PATH:=source3
PKG_BUILD_BIN:=$(PKG_BUILD_DIR)/$(MAKE_PATH)/bin
define Package/samba/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Samba 3.6 SMB/CIFS
URL:=https://www.samba.org/
MAINTAINER:=Felix Fietkau <nbd@nbd.name>
endef
define Package/samba36-server
$(call Package/samba/Default)
TITLE+= server
DEPENDS:=+USE_GLIBC:librt $(ICONV_DEPENDS)
endef
define Package/samba36-hotplug
$(call Package/samba/Default)
TITLE+= hotplug script for auto sharing
DEPENDS:=+blockd
endef
define Package/samba36-client
$(call Package/samba/Default)
TITLE+= client
DEPENDS:=+libreadline +libncurses
endef
define Package/samba36-net
$(call Package/samba/Default)
TITLE+= net commands
DEPENDS:=+libreadline +libncurses
endef
define Package/samba36-server/config
config PACKAGE_SAMBA_MAX_DEBUG_LEVEL
int "Maximum level of compiled-in debug messages"
depends on PACKAGE_samba36-server || PACKAGE_samba36-client
default -1
endef
define Package/samba36-server/description
The Samba software suite is a collection of programs that implements the
SMB protocol for UNIX systems, allowing you to serve files and printers to
Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred
to as the LanManager or Netbios protocol.
endef
TARGET_CFLAGS += -DMAX_DEBUG_LEVEL=$(CONFIG_PACKAGE_SAMBA_MAX_DEBUG_LEVEL) -D__location__=\\\"\\\" -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
CONFIGURE_VARS += \
ac_cv_lib_attr_getxattr=no \
ac_cv_search_getxattr=no \
ac_cv_file__proc_sys_kernel_core_pattern=yes \
libreplace_cv_HAVE_C99_VSNPRINTF=yes \
libreplace_cv_HAVE_GETADDRINFO=yes \
libreplace_cv_HAVE_IFACE_IFCONF=yes \
$(if $(CONFIG_IPV6),,libreplace_cv_HAVE_IPV6=no libreplace_cv_HAVE_IPV6_V6ONLY=no) \
LINUX_LFS_SUPPORT=yes \
samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \
samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \
samba_cv_HAVE_IFACE_IFCONF=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes \
samba_cv_HAVE_SECURE_MKSTEMP=yes \
samba_cv_HAVE_WRFILE_KEYTAB=no \
samba_cv_USE_SETREUID=yes \
samba_cv_USE_SETRESUID=yes \
samba_cv_have_setreuid=yes \
samba_cv_have_setresuid=yes \
ac_cv_header_libunwind_h=no \
ac_cv_header_zlib_h=no \
samba_cv_zlib_1_2_3=no \
ac_cv_path_PYTHON="" \
ac_cv_path_PYTHON_CONFIG=""
CONFIGURE_ARGS += \
--exec-prefix=/usr \
--prefix=/ \
--disable-avahi \
--disable-cups \
--disable-external-libtalloc \
--disable-external-libtdb \
--disable-external-libtevent \
--disable-pie \
--disable-relro \
--disable-static \
--disable-swat \
--disable-shared-libs \
--with-libiconv="$(ICONV_PREFIX)" \
--with-codepagedir=/etc/samba \
--with-configdir=/etc/samba \
--with-included-iniparser \
--with-included-popt \
--with-lockdir=/var/lock \
--with-logfilebase=/var/log \
--with-nmbdsocketdir=/var/nmbd \
--with-piddir=/var/run \
--with-privatedir=/etc/samba \
--with-sendfile-support \
--without-acl-support \
--without-cluster-support \
--without-ads \
--without-krb5 \
--without-ldap \
--without-pam \
--without-winbind \
--without-libtdb \
--without-libtalloc \
--without-libnetapi \
--without-libsmbclient \
--without-libsmbsharemodes \
--without-libtevent \
--without-libaddns \
--with-shared-modules=pdb_tdbsam,pdb_wbc_sam,idmap_nss,nss_info_template,auth_winbind,auth_wbc,auth_domain
MAKE_FLAGS += DYNEXP= PICFLAG= MODULES=
define Package/samba36-server/conffiles
/etc/config/samba
/etc/samba/smb.conf.template
/etc/samba/smbpasswd
endef
define Package/samba36-server/install
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/samba.config $(1)/etc/config/samba
$(INSTALL_DIR) $(1)/etc/samba
$(INSTALL_CONF) ./files/smb.conf.template $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/lowcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/upcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/valid.dat $(1)/etc/samba
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/samba.init $(1)/etc/init.d/samba
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/samba_multicall $(1)/usr/sbin
$(LN) samba_multicall $(1)/usr/sbin/smbd
$(LN) samba_multicall $(1)/usr/sbin/nmbd
$(LN) samba_multicall $(1)/usr/sbin/smbpasswd
endef
define Package/samba36-hotplug/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/mount
$(INSTALL_CONF) ./files/samba.hotplug $(1)/etc/hotplug.d/mount/60-samba
endef
define Package/samba36-client/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/smbclient $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/nmblookup $(1)/usr/sbin
endef
define Package/samba36-net/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/net $(1)/usr/sbin
endef
$(eval $(call BuildPackage,samba36-client))
$(eval $(call BuildPackage,samba36-server))
$(eval $(call BuildPackage,samba36-hotplug))
$(eval $(call BuildPackage,samba36-net))

6
package/network/services/samba36/files/samba.config Normal file
View File

@@ -0,0 +1,6 @@
config samba
option 'name' 'OpenWrt'
option 'workgroup' 'WORKGROUP'
option 'description' 'OpenWrt'
option 'homes' '1'

56
package/network/services/samba36/files/samba.hotplug Normal file
View File

@@ -0,0 +1,56 @@
#!/bin/sh
. /usr/share/libubox/jshn.sh
device_get_vars() {
json_init
json_load "$(ubus call block info)"
json_select devices
json_get_keys keys
for key in $keys
do
json_select $key
json_get_var device device
[ "$device" = "$1" ] && {
shift
json_get_vars $@
json_select ..
break
}
json_select ..
done
json_select ..
}
[ -f /var/run/config/samba ] || {
mkdir -p /var/run/config && touch /var/run/config/samba
}
[ "$ACTION" = "add" ] && {
device_get_vars $DEVICE label mount
[ -n "$mount" ] && {
uci -c /var/run/config batch <<-EOF
set samba.$DEVICE="sambashare"
set samba.$DEVICE.name="$label"
set samba.$DEVICE.path="$mount"
set samba.$DEVICE.browseable="yes"
set samba.$DEVICE.read_only="yes"
set samba.$DEVICE.guest_ok="yes"
commit samba
EOF
/etc/init.d/samba reload
}
}
[ "$ACTION" = "remove" ] && {
uci -c /var/run/config batch <<-EOF
delete samba.$DEVICE
commit samba
EOF
/etc/init.d/samba reload
}

117
package/network/services/samba36/files/samba.init Executable file
View File

@@ -0,0 +1,117 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2008-2012 OpenWrt.org
START=60
USE_PROCD=1
smb_header() {
config_get samba_iface $1 interface "loopback lan"
# resolve interfaces
local interfaces=$(
. /lib/functions/network.sh
local net
for net in $samba_iface; do
local device
network_is_up $net || continue
network_get_device device "$net"
echo -n "${device:-$net} "
done
)
local name workgroup description charset
local hostname="$(uci_get system.@system[0].hostname)"
config_get name $1 name "${hostname:-OpenWrt}"
config_get workgroup $1 workgroup "${hostname:-OpenWrt}"
config_get description $1 description "Samba on ${hostname:-OpenWrt}"
config_get charset $1 charset "UTF-8"
mkdir -p /var/etc
sed -e "s#|NAME|#$name#g" \
-e "s#|WORKGROUP|#$workgroup#g" \
-e "s#|DESCRIPTION|#$description#g" \
-e "s#|INTERFACES|#$interfaces#g" \
-e "s#|CHARSET|#$charset#g" \
/etc/samba/smb.conf.template > /var/etc/smb.conf
local homes
config_get_bool homes $1 homes 0
[ $homes -gt 0 ] && {
cat <<EOT >> /var/etc/smb.conf
[homes]
comment = Home Directories
browsable = no
read only = no
create mode = 0750
EOT
}
[ -L /etc/samba/smb.conf ] || ln -nsf /var/etc/smb.conf /etc/samba/smb.conf
}
smb_add_share() {
local name
local path
local users
local read_only
local guest_ok
local create_mask
local dir_mask
local browseable
config_get name $1 name
config_get path $1 path
config_get users $1 users
config_get read_only $1 read_only
config_get guest_ok $1 guest_ok
config_get create_mask $1 create_mask
config_get dir_mask $1 dir_mask
config_get browseable $1 browseable
[ -z "$name" -o -z "$path" ] && return
echo -e "\n[$name]\n\tpath = $path" >> /var/etc/smb.conf
[ -n "$users" ] && echo -e "\tvalid users = $users" >> /var/etc/smb.conf
[ -n "$read_only" ] && echo -e "\tread only = $read_only" >> /var/etc/smb.conf
[ -n "$guest_ok" ] && echo -e "\tguest ok = $guest_ok" >> /var/etc/smb.conf
[ -n "$create_mask" ] && echo -e "\tcreate mask = $create_mask" >> /var/etc/smb.conf
[ -n "$dir_mask" ] && echo -e "\tdirectory mask = $dir_mask" >> /var/etc/smb.conf
[ -n "$browseable" ] && echo -e "\tbrowseable = $browseable" >> /var/etc/smb.conf
}
init_config() {
config_load samba
CONFIG_APPEND=1 UCI_CONFIG_DIR=/var/run/config config_load samba
config_foreach smb_header samba
config_foreach smb_add_share sambashare
}
service_triggers() {
procd_add_reload_trigger samba
local i
for i in $samba_iface; do
procd_add_reload_interface_trigger $i
done
}
start_service() {
init_config
procd_open_instance
procd_add_mdns "smb" "tcp" "445"
procd_set_param command /usr/sbin/smbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
procd_open_instance
procd_set_param command /usr/sbin/nmbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
}

20
package/network/services/samba36/files/smb.conf.template Normal file
View File

@@ -0,0 +1,20 @@
[global]
netbios name = |NAME|
display charset = |CHARSET|
interfaces = |INTERFACES|
server string = |DESCRIPTION|
unix charset = |CHARSET|
workgroup = |WORKGROUP|
bind interfaces only = yes
deadtime = 30
enable core files = no
invalid users = root
local master = no
map to guest = Bad User
max protocol = SMB2
min receivefile size = 16384
null passwords = yes
passdb backend = smbpasswd
security = user
smb passwd file = /etc/samba/smbpasswd
use sendfile = yes

39
package/network/services/samba36/patches/010-patch-cve-2015-5252.patch Normal file
View File

@@ -0,0 +1,39 @@
From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 9 Jul 2015 10:58:11 -0700
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
access outside the share).
Ensure matching component ends in '/' or '\0'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/smbd/vfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
if (!allow_widelinks || !allow_symlinks) {
const char *conn_rootdir;
size_t rootdir_len;
+ bool matched;
conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
}
rootdir_len = strlen(conn_rootdir);
- if (strncmp(conn_rootdir, resolved_name,
- rootdir_len) != 0) {
+ matched = (strncmp(conn_rootdir, resolved_name,
+ rootdir_len) == 0);
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
+ resolved_name[rootdir_len] != '\0')) {
DEBUG(2, ("check_reduced_name: Bad access "
"attempt: %s is a symlink outside the "
"share path\n", fname));

88
package/network/services/samba36/patches/011-patch-cve-2015-5296.patch Normal file
View File

@@ -0,0 +1,88 @@
From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clidfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALL
const char *username;
const char *password;
NTSTATUS status;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+
+ if (force_encrypt) {
+ signing_state = Required;
+ }
/* make a copy so we don't modify the global string 'service' */
servicename = talloc_strdup(ctx,share);
@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALL
zero_sockaddr(&ss);
/* have to open a new connection */
- c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
+ c = cli_initialise_ex(signing_state);
if (c == NULL) {
d_printf("Connection to %s failed\n", server_n);
return NULL;
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
const char *username_used;
NTSTATUS status;
char *newserver, *newshare;
+ int signing_state = Undefined;
zero_sockaddr(&ss);
ZERO_STRUCT(c);
@@ -404,8 +405,12 @@ again:
zero_sockaddr(&ss);
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
+
/* have to open a new connection */
- if ((c = cli_initialise()) == NULL) {
+ if ((c = cli_initialise_ex(signing_state)) == NULL) {
errno = ENOMEM;
return NULL;
}
@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
+ int signing_state = Undefined;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
zero_sockaddr(&ss);
nt_status = cli_full_connection(&ipc_cli,
@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
*pp_workgroup,
*pp_password,
flags,
- Undefined);
+ signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));

93
package/network/services/samba36/patches/012-patch-cve-2015-5299.patch Normal file
View File

@@ -0,0 +1,93 @@
From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 23 Oct 2015 14:54:31 -0700
Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
snapdir
Fix originally from <partha@exablox.com>
https://bugzilla.samba.org/show_bug.cgi?id=11529
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
---
source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -21,6 +21,8 @@
#include "includes.h"
#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "../libcli/security/security.h"
#include "system/filesys.h"
#include "ntioctl.h"
@@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle
SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
}
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+ const char *path)
+{
+ struct smb_filename smb_fname;
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = talloc_asprintf(talloc_tos(),
+ "%s",
+ path);
+ if (smb_fname.base_name == NULL) {
+ return false;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+
+ status = smbd_check_open_rights(handle->conn,
+ &smb_fname,
+ SEC_DIR_LIST,
+ &access_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("user does not have list permission "
+ "on snapdir %s\n",
+ smb_fname.base_name));
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+ TALLOC_FREE(smb_fname.base_name);
+ return true;
+}
+
static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname)
{
SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
@@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2
SMB_STRUCT_DIRENT *d;
TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
char *snapshot;
+ bool ret;
snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
if (snapdir == NULL) {
@@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2
talloc_free(tmp_ctx);
return -1;
}
+ ret = check_access_snapdir(handle, snapdir);
+ if (!ret) {
+ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
+ errno = EACCES;
+ talloc_free(tmp_ctx);
+ return -1;
+ }
p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);

172
package/network/services/samba36/patches/015-patch-cve-2015-7560.patch Normal file
View File

@@ -0,0 +1,172 @@
From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:18:12 -0800
Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
that can be used to prevent operations on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2
files_struct *fsp,
const SMB_STRUCT_STAT *psbuf);
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+ const files_struct *fsp,
+ const char *name)
+{
+ SMB_STRUCT_STAT sbuf;
+ const SMB_STRUCT_STAT *pst = NULL;
+
+ if (fsp) {
+ pst = &fsp->fsp_name->st;
+ } else {
+ int ret = vfs_stat_smb_fname(conn,
+ name,
+ &sbuf);
+ if (ret == -1) {
+ return map_nt_error_from_unix(errno);
+ }
+ pst = &sbuf;
+ }
+ if (S_ISLNK(pst->st_ex_mode)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
/********************************************************************
Roundup a value to the nearest allocation roundup size boundary.
Only do this for Windows clients.
@@ -181,12 +209,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
char **names, **tmp;
size_t num_names;
ssize_t sizeret = -1;
+ NTSTATUS status;
+
+ if (pnames) {
+ *pnames = NULL;
+ }
+ *pnum_names = 0;
if (!lp_ea_support(SNUM(conn))) {
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+ status = refuse_symlink(conn, fsp, fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Just return no EA's on a symlink.
+ */
return NT_STATUS_OK;
}
@@ -236,10 +274,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
if (sizeret == 0) {
TALLOC_FREE(names);
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
return NT_STATUS_OK;
}
@@ -550,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn,
const struct smb_filename *smb_fname, struct ea_list *ea_list)
{
char *fname = NULL;
+ NTSTATUS status;
if (!lp_ea_support(SNUM(conn))) {
return NT_STATUS_EAS_NOT_SUPPORTED;
@@ -559,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+
/* For now setting EAs on streams isn't supported. */
fname = smb_fname->base_name;
@@ -4931,6 +4972,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
uint16 num_file_acls = 0;
uint16 num_def_acls = 0;
+ status = refuse_symlink(conn,
+ fsp,
+ smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
if (fsp && fsp->fh->fd != -1) {
file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
} else {
@@ -6452,6 +6500,7 @@ static NTSTATUS smb_set_posix_acl(connec
uint16 num_def_acls;
bool valid_file_acls = True;
bool valid_def_acls = True;
+ NTSTATUS status;
if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
@@ -6479,6 +6528,11 @@ static NTSTATUS smb_set_posix_acl(connec
return NT_STATUS_INVALID_PARAMETER;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
(unsigned int)num_file_acls,
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struc
return NT_STATUS_OK;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL set on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -1925,6 +1931,12 @@ NTSTATUS smbd_do_query_security_desc(con
return NT_STATUS_ACCESS_DENIED;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL get on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
SECINFO_GROUP|SECINFO_SACL)) {
/* Don't return SECINFO_LABEL if anything else was

6824
package/network/services/samba36/patches/020-CVE-preparation-v3-6.patch Normal file
View File

File diff suppressed because it is too large Load Diff

9515
package/network/services/samba36/patches/021-CVE-preparation-v3-6-addition.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1791
package/network/services/samba36/patches/022-CVE-2015-5370-v3-6.patch Normal file
View File

File diff suppressed because it is too large Load Diff

255
package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch Normal file
View File

@@ -0,0 +1,255 @@
From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 1 Dec 2015 08:46:45 +0100
Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
ntlmssp_state->allow_lm_key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---
source3/libsmb/ntlmssp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct nt
* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
*/
if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp
{
/* As per JRA's comment above */
if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (feature & NTLMSSP_FEATURE_CCACHE) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -387,7 +392,12 @@ static NTSTATUS ntlmssp_client_initial(s
}
if (ntlmssp_state->use_ntlmv2) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->allow_lm_key = false;
+ }
+
+ if (ntlmssp_state->allow_lm_key) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
/* generate the ntlmssp negotiate packet */
@@ -422,6 +432,86 @@ static NTSTATUS ntlmssp_client_initial(s
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t flags)
+{
+ uint32_t missing_flags = ntlmssp_state->required_flags;
+
+ if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = true;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = false;
+ }
+
+ /*
+ * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+ */
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+
+ if ((flags & NTLMSSP_REQUEST_TARGET)) {
+ ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ }
+
+ missing_flags &= ~ntlmssp_state->neg_flags;
+ if (missing_flags != 0) {
+ NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
+ DEBUG(1, ("%s: Got challenge flags[0x%08x] "
+ "- possible downgrade detected! "
+ "missing_flags[0x%08x] - %s\n",
+ __func__,
+ (unsigned)flags,
+ (unsigned)missing_flags,
+ nt_errstr(status)));
+ debug_ntlmssp_flags(missing_flags);
+ DEBUGADD(4, ("neg_flags[0x%08x]\n",
+ (unsigned)ntlmssp_state->neg_flags));
+ debug_ntlmssp_flags(ntlmssp_state->neg_flags);
+
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
@@ -448,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge
DATA_BLOB encrypted_session_key = data_blob_null;
NTSTATUS nt_status = NT_STATUS_OK;
+ if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain_blob,
+ &chal_flags)) {
+ DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+ dump_data(2, reply.data, reply.length);
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ data_blob_free(&server_domain_blob);
+
+ DEBUG(3, ("Got challenge flags:\n"));
+ debug_ntlmssp_flags(chal_flags);
+
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
@@ -498,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge
noccache:
- if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
- "NTLMSSP",
- &ntlmssp_command,
- &server_domain_blob,
- &chal_flags)) {
- DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
- dump_data(2, reply.data, reply.length);
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
talloc_tos(), struct CHALLENGE_MESSAGE);
@@ -525,13 +624,6 @@ noccache:
}
}
- data_blob_free(&server_domain_blob);
-
- DEBUG(3, ("Got challenge flags:\n"));
- debug_ntlmssp_flags(chal_flags);
-
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdUdbddB";
@@ -769,6 +861,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
ntlmssp_state->unicode = True;
ntlmssp_state->use_ntlmv2 = use_ntlmv2;
+ ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
@@ -780,6 +873,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
NTLMSSP_NEGOTIATE_KEY_EXCH |
NTLMSSP_REQUEST_TARGET;
+ if (ntlmssp_state->use_ntlmv2) {
+ ntlmssp_state->allow_lm_key = false;
+ }
+
ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
if (!ntlmssp_state->client.netbios_name) {
talloc_free(ntlmssp_state);
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
DATA_BLOB nt_resp;
DATA_BLOB session_key;
+ uint32_t required_flags;
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
/**

681
package/network/services/samba36/patches/024-CVE-2016-2111-v3-6.patch Normal file
View File

@@ -0,0 +1,681 @@
From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 26 Sep 2015 01:29:10 +0200
Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base
case NetlogonNetworkTransitiveInformation:
{
const char *wksname = nt_workstation;
+ const char *workgroup = lp_workgroup();
status = make_auth_context_fixed(talloc_tos(), &auth_context,
logon->network->challenge);
@@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base
logon->network->nt.length)) {
status = NT_STATUS_NO_MEMORY;
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ }
break;
}
case NetlogonInteractiveInformation:
@@ -1636,6 +1645,14 @@ static NTSTATUS _netr_LogonSamLogon_base
r->out.validation->sam3);
break;
case 6:
+ /* Only allow this if the pipe is protected. */
+ if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+ get_remote_machine_name()));
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+
status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
r->out.validation->sam6);
break;
@@ -2271,11 +2288,13 @@ NTSTATUS _netr_GetForestTrustInformation
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2371,11 +2390,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1122,8 +1122,8 @@ static bool schan(struct torture_context
generate_random_buffer(chal.data, chal.length);
names_blob = NTLMv2_generate_names_blob(
mem_ctx,
- cli_credentials_get_workstation(user_creds),
- cli_credentials_get_domain(user_creds));
+ cli_credentials_get_workstation(wks_creds),
+ cli_credentials_get_domain(wks_creds));
status = cli_credentials_get_ntlm_response(
user_creds, mem_ctx, &flags, chal, names_blob,
&lm_resp, &nt_resp, NULL, NULL);
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup);
/***********************************************************
encode a password buffer with a unicode password. The buffer
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -26,7 +26,7 @@
#include "../libcli/auth/msrpc_parse.h"
#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../librpc/gen_ndr/ntlmssp.h"
+#include "../librpc/gen_ndr/ndr_ntlmssp.h"
void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
lm_response, nt_response, lm_session_key, user_session_key);
}
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup)
+{
+ TALLOC_CTX *frame = NULL;
+ /* RespType + HiRespType */
+ static const char *magic = "\x01\x01";
+ int cmp;
+ struct NTLMv2_RESPONSE v2_resp;
+ enum ndr_err_code err;
+ const struct AV_PAIR *av_nb_cn = NULL;
+ const struct AV_PAIR *av_nb_dn = NULL;
+
+ if (response.length < 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes.
+ */
+ return NT_STATUS_OK;
+ }
+
+ cmp = memcmp(response.data + 16, magic, 2);
+ if (cmp != 0) {
+ /*
+ * It doesn't look like a valid NTLMv2_RESPONSE
+ */
+ return NT_STATUS_OK;
+ }
+
+ frame = talloc_stackframe();
+
+ err = ndr_pull_struct_blob(&response, frame, &v2_resp,
+ (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
+ if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+ NTSTATUS status;
+ status = ndr_map_error2ntstatus(err);
+ DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
+ "length %u - %s - %s\n",
+ (unsigned)response.length,
+ ndr_map_error2string(err),
+ nt_errstr(status)));
+ dump_data(2, response.data, response.length);
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ if (DEBUGLVL(10)) {
+ NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
+ }
+
+ /*
+ * Make sure the netbios computer name in the
+ * NTLMv2_RESPONSE matches the computer name
+ * in the secure channel credentials for workstation
+ * trusts.
+ *
+ * And the netbios domain name matches our
+ * workgroup.
+ *
+ * This prevents workstations from requesting
+ * the session key of NTLMSSP sessions of clients
+ * to other hosts.
+ */
+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
+ av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbComputerName);
+ av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbDomainName);
+ }
+
+ if (av_nb_cn != NULL) {
+ const char *v = NULL;
+ char *a = NULL;
+ size_t len;
+
+ v = av_nb_cn->Value.AvNbComputerName;
+
+ a = talloc_strdup(frame, creds->account_name);
+ if (a == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ len = strlen(a);
+ if (len > 0 && a[len - 1] == '$') {
+ a[len - 1] = '\0';
+ }
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(a, v);
+#else /* smbd */
+ cmp = StrCaseCmp(a, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbComputerName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+ if (av_nb_dn != NULL) {
+ const char *v = NULL;
+
+ v = av_nb_dn->Value.AvNbDomainName;
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(workgroup, v);
+#else /* smbd */
+ cmp = StrCaseCmp(workgroup, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbDomainName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/***********************************************************
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE',
+ public_deps='MSRPC_PARSE NDR_NTLMSSP',
public_headers='credentials.h:domain_credentials.h'
)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/
PROFILE_OBJ = profile/profile.o
PROFILES_OBJ = utils/profiles.o \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(PARAM_OBJ) \
$(LIB_OBJ) $(LIB_DUMMY_OBJ) \
$(POPT_LIB_OBJ) \
@@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
STATUS_OBJ = utils/status.o utils/status_profile.o \
$(LOCKING_OBJ) $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
@@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
TESTPARM_OBJ = utils/testparm.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
TEST_LP_LOAD_OBJ = param/test_lp_load.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
$(LIB_NONSMBD_OBJ) \
$(PARAM_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
@@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ
$(LIBNDR_GEN_OBJ0)
NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
- $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+ $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
torture/denytest.o torture/mangle_test.o \
@@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARA
$(LIBNDR_GEN_OBJ0)
MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBNDR_GEN_OBJ0)
@@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_
VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
-SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
LOG2PCAP_OBJ = utils/log2pcaphex.o
@@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
EVTLOGADM_OBJ0 = utils/eventlogadm.o
EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
librpc/gen_ndr/ndr_eventlog.o \
librpc/gen_ndr/ndr_lsa.o
SHARESEC_OBJ0 = utils/sharesec.o
SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
- $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
+ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
@libreplacedir@/test/getifaddrs.o \
@@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARA
$(LIBNDR_GEN_OBJ0)
WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
- $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
+ $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
@@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.
DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ)
DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
SPLIT_TOKENS_OBJ = utils/split_tokens.o \
--- a/source4/torture/raw/samba3misc.c
+++ b/source4/torture/raw/samba3misc.c
@@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct tortu
bool ret = true;
TALLOC_CTX *mem_ctx;
bool nt_status_support;
+ bool client_ntlmv2_auth;
if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
d_printf("talloc_init failed\n");
@@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct tortu
}
nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
if (!torture_open_connection(&cli_nt, torture, 0)) {
goto fail;
}
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
if (!torture_open_connection(&cli_dos, torture, 1)) {
goto fail;
@@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct tortu
}
smbcli_deltree(cli_nt->tree, dirname);
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
+ nt_status_support ? "yes":"no"),
+ ret, fail, "Could not set 'nt status support' back to where it was\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no"),
+ ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
status = smbcli_mkdir(cli_nt->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct
static bool torture_samba3_errorpaths(struct torture_context *tctx)
{
bool nt_status_support;
+ bool client_ntlmv2_auth;
struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
bool result = false;
int fnum;
@@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(st
NTSTATUS status;
nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
torture_comment(tctx, "Could not set 'nt status support = yes'\n");
goto fail;
}
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
+ goto fail;
+ }
if (!torture_open_connection(&cli_nt, tctx, 0)) {
goto fail;
}
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
- torture_comment(tctx, "Could not set 'nt status support = yes'\n");
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
goto fail;
}
@@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(st
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
nt_status_support ? "yes":"no")) {
- torture_comment(tctx, "Could not reset 'nt status support = yes'");
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
goto fail;
}
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_st
NTSTATUS status;
/* otherwise do a NT1 style session setup */
+ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
+ /*
+ * Don't send an NTLMv2 response without NTLMSSP
+ * if we want to use spnego support
+ */
+ DEBUG(1, ("Server does not support EXTENDED_SECURITY "
+ " but 'client use spnego = yes"
+ " and 'client ntlmv2 auth = yes'\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
status = cli_session_setup_nt1(cli, user, pass, passlen,
ntpass, ntpasslen, workgroup);
if (!NT_STATUS_IS_OK(status)) {
--- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -9,6 +9,11 @@
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</para>
+
+ <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -28,6 +28,11 @@
NTLMv2 by default, and some sites (particularly those following
'best practice' security polices) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
+
+ <para>When <smbconfoption name="client use spnego"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="raw NTLMv2 auth"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+ extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+ <para>If this option, <command moreinfo="none">lanman auth</command>
+ and <command moreinfo="none">ntlm auth</command> are all disabled,
+ then only clients with SPNEGO support will be permitted.
+ That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
int lp_restrict_anonymous(void);
bool lp_lanman_auth(void);
bool lp_ntlm_auth(void);
+bool lp_raw_ntlmv2_auth(void);
bool lp_client_plaintext_auth(void);
bool lp_client_lanman_auth(void);
bool lp_client_ntlmv2_auth(void);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -336,6 +336,7 @@ struct global {
bool bAllowTrustedDomains;
bool bLanmanAuth;
bool bNTLMAuth;
+ bool bRawNTLMv2Auth;
bool bUseSpnego;
bool bClientLanManAuth;
bool bClientNTLMv2Auth;
@@ -1383,6 +1384,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "raw NTLMv2 auth",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bRawNTLMv2Auth,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "client NTLMv2 auth",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5337,6 +5347,7 @@ static void init_globals(bool reinit_glo
Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
@@ -5819,6 +5830,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domai
FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
+FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -30,6 +30,7 @@
#include "../lib/util/util_pw.h"
#include "lib/winbind_util.h"
#include "passdb.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(st
const char *client_domain,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
+ bool allow_raw = lp_raw_ntlmv2_auth();
+
+ if (!allow_raw && nt_resp.length >= 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes
+ * and should only be supported via NTLMSSP.
+ */
+ DEBUG(2,("Rejecting raw NTLMv2 authentication with "
+ "user [%s\\%s]\n",
+ client_domain, smb_name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return make_user_info_map(user_info, smb_name,
client_domain,
get_remote_machine_name(),
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -127,6 +127,7 @@ sub setup_dc($$)
domain master = yes
domain logons = yes
lanman auth = yes
+ raw NTLMv2 auth = yes
";
my $vars = $self->provision($path,
@@ -230,6 +231,7 @@ sub setup_secserver($$$)
my $secserver_options = "
security = server
password server = $s3dcvars->{SERVER_IP}
+ client ntlmv2 auth = no
";
my $ret = $self->provision($prefix,

129
package/network/services/samba36/patches/025-CVE-2016-2112-v3-6.patch Normal file
View File

@@ -0,0 +1,129 @@
From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
ntlmssp_have_feature()
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/include/proto.h | 1 +
source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
return NT_STATUS_OK;
}
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+ uint32_t feature)
+{
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SEAL) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+ if (ntlmssp_state->session_key.length > 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/**
* Request features for the NTLMSSP negotiation
*
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
/* we have a reference conter on ntlmssp_state, if we are signing
then the state will be kept by the signing engine */
+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
</para>
<para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">plain</value>
+<value type="default">sign</value>
</samba:parameter>
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/

256
package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch Normal file
View File

@@ -0,0 +1,256 @@
From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 12 ++++++++++++
4 files changed, 39 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport inside of winbind. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</para>
</description>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
int lp_winbind_reconnect_delay(void);
int lp_winbind_max_clients(void);
const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
int lp_client_signing(void);
+int lp_client_ipc_signing(void);
int lp_server_signing(void);
int lp_client_ldap_sasl_wrapping(void);
char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
int winbind_expand_groups;
bool bWinbindRefreshTickets;
bool bWinbindOfflineLogon;
+ bool bWinbindSealedPipes;
bool bWinbindNormalizeNames;
bool bWinbindRpcOnly;
bool bCreateKrb5Conf;
@@ -366,6 +367,7 @@ struct global {
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
+ int client_ipc_signing;
int server_signing;
int client_ldap_sasl_wrapping;
int iUsershareMaxShares;
@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "client ipc signing",
+ .type = P_ENUM,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_ipc_signing,
+ .special = NULL,
+ .enum_list = enum_smb_signing_vals,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "server signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind sealed pipes",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bWinbindSealedPipes,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind normalize names",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.bWinbindSealedPipes = True;
Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
Globals.bClientUseSpnego = True;
Globals.client_signing = Auto;
+ Globals.client_ipc_signing = Required;
Globals.server_signing = False;
Globals.bDeferSharingViolations = True;
@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
}
+ if (!lp_is_in_client()) {
+ switch (lp_client_ipc_signing()) {
+ case Required:
+ lp_set_cmdline("client signing", "mandatory");
+ break;
+ case Auto:
+ lp_set_cmdline("client signing", "auto");
+ break;
+ case False:
+ lp_set_cmdline("client signing", "disabled");
+ break;
+ }
+ }
+
init_iconv();
bAllowIncludeRegistry = true;
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
"", /* username */
"", /* domain */
"", /* password */
- 0, lp_client_signing());
+ 0, False);
if ( !NT_STATUS_IS_OK( ret ) ) {
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
TALLOC_FREE(conn->samr_pipe);
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
/* Finally fall back to anonymous. */
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc.syntax_id,
&conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
no_schannel:
if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(netlogon_pipe);
+ invalidate_cm_connection(conn);
+ return result;
+ }
/*
* NetSamLogonEx only works for schannel
*/

308
package/network/services/samba36/patches/027-CVE-2016-2118-v3-6.patch Normal file
View File

@@ -0,0 +1,308 @@
From d68424b5ef92f5810760f90e9eeb664572a61e4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Dec 2015 14:49:36 +0100
Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
---
source3/rpcclient/rpcclient.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -1062,10 +1062,9 @@ out_free:
}
}
if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
- /* If neither Integrity or Privacy are requested then
- * Use just Connect level */
+ /* If nothing is requested then default to integrity */
if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
- pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
}
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_au
/* Perform an authenticated DCE-RPC bind
*/
- if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
+ if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
/*
we are doing an authenticated connection,
- but not using sign or seal. We must force
- the CONNECT dcerpc auth type as a NONE auth
- type doesn't allow authentication
- information to be passed.
+ which needs to use [connect], [sign] or [seal].
+ If nothing is specified, we default to [sign] now.
+ This give roughly the same protection as
+ ncacn_np with smb signing.
*/
- conn->flags |= DCERPC_CONNECT;
+ conn->flags |= DCERPC_SIGN;
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="allow dcerpc auth level connect"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether DCERPC services are allowed to
+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+ but no per message integrity nor privacy protection.</para>
+
+ <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+
+ <para>This option yields precedence to the implentation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
void lp_set_passdb_backend(const char *backend);
void widelinks_warning(int snum);
char *lp_ncalrpc_dir(void);
+bool lp_allow_dcerpc_auth_level_connect(void);
/* The following definitions come from param/loadparm_server_role.c */
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -355,6 +355,7 @@ struct global {
bool bUseMmap;
bool bHostnameLookups;
bool bUnixExtensions;
+ bool bAllowDcerpcAuthLevelConnect;
bool bDisableNetbios;
char * szDedicatedKeytabFile;
int iKerberosMethod;
@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "allow dcerpc auth level connect",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "use spnego",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_glo
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
+
Globals.map_to_guest = 0; /* By Default, "Never" */
Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
Globals.enhanced_browsing = true;
@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_
FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
uint32 context_id;
struct ndr_syntax_id syntax;
+ /*
+ * shall we allow "connect" auth level for this interface ?
+ */
+ bool allow_connect;
} PIPE_RPC_FNS;
/*
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -44,6 +44,11 @@
#include "rpc_server/srv_pipe.h"
#include "../librpc/gen_ndr/ndr_dcerpc.h"
#include "../librpc/ndr/ndr_dcerpc.h"
+#include "../librpc/gen_ndr/ndr_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -340,6 +345,8 @@ static bool check_bind_req(struct pipes_
uint32 context_id)
{
struct pipe_rpc_fns *context_fns;
+ const char *interface_name = NULL;
+ bool ok;
DEBUG(3,("check_bind_req for %s\n",
get_pipe_name_from_syntax(talloc_tos(), abstract)));
@@ -390,12 +397,57 @@ static bool check_bind_req(struct pipes_
return False;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ abstract);
+
+ SMB_ASSERT(interface_name != NULL);
+
context_fns->next = context_fns->prev = NULL;
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
context_fns->context_id = context_id;
context_fns->syntax = *abstract;
+ context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+ /*
+ * for the samr and the lsarpc interfaces we don't allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ /*
+ * for the epmapper and echo interfaces we allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ /*
+ * every interface can be modified to allow "connect" auth_level by
+ * using a parametric option like:
+ * allow dcerpc auth level connect:<interface>
+ * e.g.
+ * allow dcerpc auth level connect:samr = yes
+ */
+ context_fns->allow_connect = lp_parm_bool(-1,
+ "allow dcerpc auth level connect",
+ interface_name, context_fns->allow_connect);
+
/* add to the list of open contexts */
DLIST_ADD( p->contexts, context_fns );
@@ -1736,6 +1788,7 @@ static bool api_pipe_request(struct pipe
TALLOC_CTX *frame = talloc_stackframe();
bool ret = False;
PIPE_RPC_FNS *pipe_fns;
+ const char *interface_name = NULL;
if (!p->pipe_bound) {
DEBUG(1, ("Pipe not bound!\n"));
@@ -1757,8 +1810,36 @@ static bool api_pipe_request(struct pipe
return false;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ &pipe_fns->syntax);
+
+ SMB_ASSERT(interface_name != NULL);
+
DEBUG(5, ("Requested \\PIPE\\%s\n",
- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
+ interface_name));
+
+ switch (p->auth.auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ break;
+ default:
+ if (!pipe_fns->allow_connect) {
+ DEBUG(1, ("%s: restrict auth_level_connect access "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__, interface_name,
+ p->auth.auth_type,
+ p->auth.auth_level,
+ derpc_transport_string_by_transport(p->transport),
+ p->client_id->name));
+
+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+ TALLOC_FREE(frame);
+ return true;
+ }
+ break;
+ }
if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -18,3 +18,5 @@ samba3.posix_s3.nbt.dgram.*netlogon2
samba3.*rap.sam.*.useradd # Not provided by Samba 3
samba3.*rap.sam.*.userdelete # Not provided by Samba 3
samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -201,6 +201,8 @@ if sub.returncode == 0:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
+ elif t == "rpc.samr.passwords.validate":
+ plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
else:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct p
struct samr_GetDomPwInfo pw;
struct samr_PwInfo dom_pw_info;
+ if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (r->in.level < 1 || r->in.level > 3) {
return NT_STATUS_INVALID_INFO_CLASS;
}

59
package/network/services/samba36/patches/028-CVE-2016-2125-v3.6.patch Normal file
View File

@@ -0,0 +1,59 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 28 Dec 2016 19:21:49 +0100
Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
This is a backport of upstream commits
b1a056f77e793efc45df34ab7bf78fbec1bf8a59
b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
---
source3/librpc/crypto/gse.c | 1 -
source3/libsmb/clifsinfo.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
&es->s.gss_state->gss_ctx,
srv_name,
GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
GSS_C_INDEFINITE, /* requested ticket lifetime. */
NULL, /* no channel bindings */
p_tok_in,
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,

29
package/network/services/samba36/patches/029-CVE-2017-7494-v3-6.patch Normal file
View File

@@ -0,0 +1,29 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f
pipename += 1;
}
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;

40
package/network/services/samba36/patches/030-CVE-2017-15275-v3.6.patch Normal file
View File

@@ -0,0 +1,40 @@
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;

136
package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch Normal file
View File

@@ -0,0 +1,136 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:02:03 +0200
Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Author: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
SMB_OFF_T startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
SMB_OFF_T startpos;
const char *data;
@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
return;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
SMB_OFF_T startpos;
@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);

75
package/network/services/samba36/patches/032-CVE-2017-12150-v3.6.patch Normal file
View File

@@ -0,0 +1,75 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:01:34 +0200
Subject: CVE-2017-12150
These are the three upstream patches
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
---
libgpo/gpo_fetch.c | 2 +-
source3/lib/util_cmdline.c | 3 +++
source3/libsmb/clidfs.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
return auth_info->signing_state;
}
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
/* If a password was not supplied then
* try again with a null username. */
if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
!NT_STATUS_IS_OK(cli_session_setup(c, "",
"", 0,
"", 0,

49
package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch Normal file
View File

@@ -0,0 +1,49 @@
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 2 Jan 2018 15:56:03 -0800
Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -176,6 +176,11 @@ static void prune_printername_cache(void
static const char *canon_servername(const char *servername)
{
const char *pservername = servername;
+
+ if (servername == NULL) {
+ return "";
+ }
+
while (*pservername == '\\') {
pservername++;
}
@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if ((version = get_version_id(r->in.architecture)) == -1)
@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if (get_version_id(r->in.architecture) == -1) {
/* this is what NT returns */

14
package/network/services/samba36/patches/100-configure_fixes.patch Normal file
View File

@@ -0,0 +1,14 @@
--- a/source3/configure
+++ b/source3/configure
@@ -13294,10 +13294,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINF
# see bug 5910, use our replacements if we detect
# a broken system.
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ $as_echo "assuming valid getaddrinfo without bug 5910" >&2
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

119
package/network/services/samba36/patches/110-multicall.patch Normal file
View File

@@ -0,0 +1,119 @@
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -73,22 +73,22 @@ LDAP_LIBS=@LDAP_LIBS@
NSCD_LIBS=@NSCD_LIBS@
UUID_LIBS=@UUID_LIBS@
LIBWBCLIENT=@LIBWBCLIENT_STATIC@ @LIBWBCLIENT_SHARED@
-LIBWBCLIENT_LIBS=@LIBWBCLIENT_LIBS@
+LIBWBCLIENT_LIBS=@LIBWBCLIENT_STATIC@
PTHREAD_LDFLAGS=@PTHREAD_LDFLAGS@
PTHREAD_CFLAGS=@PTHREAD_CFLAGS@
DNSSD_LIBS=@DNSSD_LIBS@
AVAHI_LIBS=@AVAHI_LIBS@
POPT_LIBS=@POPTLIBS@
LIBTALLOC=@LIBTALLOC_STATIC@ @LIBTALLOC_SHARED@
-LIBTALLOC_LIBS=@LIBTALLOC_LIBS@
+LIBTALLOC_LIBS=@LIBTALLOC_STATIC@
LIBTEVENT=@LIBTEVENT_STATIC@ @LIBTEVENT_SHARED@
LIBTEVENT_LIBS=@LIBTEVENT_LIBS@
LIBREPLACE_LIBS=@LIBREPLACE_LIBS@
LIBTDB=@LIBTDB_STATIC@ @LIBTDB_SHARED@
-LIBTDB_LIBS=@LIBTDB_LIBS@
+LIBTDB_LIBS=@LIBTDB_STATIC@
TDB_DEPS=@TDB_DEPS@
LIBNETAPI=@LIBNETAPI_STATIC@ @LIBNETAPI_SHARED@
-LIBNETAPI_LIBS=@LIBNETAPI_LIBS@
+LIBNETAPI_LIBS=@LIBNETAPI_STATIC@
LIBSMBCLIENT_LIBS=@LIBSMBCLIENT_LIBS@
LIBSMBSHAREMODES_LIBS=@LIBSMBSHAREMODES_LIBS@
@@ -216,7 +216,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_P
# Note that all executable programs now provide for an optional executable suffix.
-SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+SBIN_PROGS = bin/samba_multicall@EXEEXT@ bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \
bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@ \
@@ -1799,6 +1799,42 @@ bin/.dummy:
dir=bin $(MAKEDIR); fi
@: >> $@ || : > $@ # what a fancy emoticon!
+smbd/server_multicall.o: smbd/server.c smbd/server.o
+ @echo Compiling $<.c
+ @$(COMPILE_CC_PATH) -Dmain=smbd_main && exit 0;\
+ echo "The following command failed:" 1>&2;\
+ echo "$(COMPILE_CC_PATH)" 1>&2;\
+ $(COMPILE_CC_PATH) >/dev/null 2>&1
+
+nmbd/nmbd_multicall.o: nmbd/nmbd.c nmbd/nmbd.o
+ @echo Compiling $<.c
+ @$(COMPILE_CC_PATH) -Dmain=nmbd_main && exit 0;\
+ echo "The following command failed:" 1>&2;\
+ echo "$(COMPILE_CC_PATH)" 1>&2;\
+ $(COMPILE_CC_PATH) >/dev/null 2>&1
+
+utils/smbpasswd_multicall.o: utils/smbpasswd.c utils/smbpasswd.o
+ @echo Compiling $<.c
+ @$(COMPILE_CC_PATH) -Dmain=smbpasswd_main && exit 0;\
+ echo "The following command failed:" 1>&2;\
+ echo "$(COMPILE_CC_PATH)" 1>&2;\
+ $(COMPILE_CC_PATH) >/dev/null 2>&1
+
+SMBD_MULTI_O = $(patsubst smbd/server.o,smbd/server_multicall.o,$(SMBD_OBJ))
+NMBD_MULTI_O = $(patsubst nmbd/nmbd.o,nmbd/nmbd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(NMBD_OBJ)))
+SMBPASSWD_MULTI_O = $(patsubst utils/smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
+MULTI_O = multi.o
+
+MULTICALL_O = $(sort $(SMBD_MULTI_O) $(NMBD_MULTI_O) $(SMBPASSWD_MULTI_O) $(MULTI_O))
+
+bin/samba_multicall@EXEEXT@: $(BINARY_PREREQS) $(MULTICALL_O) $(LIBTALLOC) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@
+ @echo Linking $@
+ @$(CC) -o $@ $(MULTICALL_O) $(LDFLAGS) $(LDAP_LIBS) @SMBD_FAM_LIBS@ \
+ $(KRB5LIBS) $(DYNEXP) $(PRINT_LIBS) $(AUTH_LIBS) \
+ $(ACL_LIBS) $(PASSDB_LIBS) $(LIBS) $(DNSSD_LIBS) $(AVAHI_LIBS) \
+ $(POPT_LIBS) @SMBD_LIBS@ $(LIBTALLOC_LIBS) $(LIBTEVENT_LIBS) $(LIBTDB_LIBS) \
+ $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
+
bin/smbd@EXEEXT@: $(BINARY_PREREQS) $(SMBD_OBJ) $(LIBTALLOC) $(LIBTEVENT) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@
@echo Linking $@
@$(CC) -o $@ $(SMBD_OBJ) $(LDFLAGS) $(LDAP_LIBS) @SMBD_FAM_LIBS@ \
--- /dev/null
+++ b/source3/multi.c
@@ -0,0 +1,35 @@
+#include <stdio.h>
+#include <string.h>
+
+extern int smbd_main(int argc, char **argv);
+extern int nmbd_main(int argc, char **argv);
+extern int smbpasswd_main(int argc, char **argv);
+
+static struct {
+ const char *name;
+ int (*func)(int argc, char **argv);
+} multicall[] = {
+ { "smbd", smbd_main },
+ { "nmbd", nmbd_main },
+ { "smbpasswd", smbpasswd_main },
+};
+
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
+
+int main(int argc, char **argv)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(multicall); i++) {
+ if (strstr(argv[0], multicall[i].name))
+ return multicall[i].func(argc, argv);
+ }
+
+ fprintf(stderr, "Invalid multicall command, available commands:");
+ for (i = 0; i < ARRAY_SIZE(multicall); i++)
+ fprintf(stderr, " %s", multicall[i].name);
+
+ fprintf(stderr, "\n");
+
+ return 1;
+}

281
package/network/services/samba36/patches/111-owrt_smbpasswd.patch Normal file
View File

@@ -0,0 +1,281 @@
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1025,7 +1025,7 @@ TEST_LP_LOAD_OBJ = param/test_lp_load.o
PASSWD_UTIL_OBJ = utils/passwd_util.o
-SMBPASSWD_OBJ = utils/smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
+SMBPASSWD_OBJ = utils/owrt_smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
$(GROUPDB_OBJ) $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) \
@@ -1813,7 +1813,7 @@ nmbd/nmbd_multicall.o: nmbd/nmbd.c nmbd/
echo "$(COMPILE_CC_PATH)" 1>&2;\
$(COMPILE_CC_PATH) >/dev/null 2>&1
-utils/smbpasswd_multicall.o: utils/smbpasswd.c utils/smbpasswd.o
+utils/smbpasswd_multicall.o: utils/owrt_smbpasswd.c utils/owrt_smbpasswd.o
@echo Compiling $<.c
@$(COMPILE_CC_PATH) -Dmain=smbpasswd_main && exit 0;\
echo "The following command failed:" 1>&2;\
@@ -1822,7 +1822,7 @@ utils/smbpasswd_multicall.o: utils/smbpa
SMBD_MULTI_O = $(patsubst smbd/server.o,smbd/server_multicall.o,$(SMBD_OBJ))
NMBD_MULTI_O = $(patsubst nmbd/nmbd.o,nmbd/nmbd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(NMBD_OBJ)))
-SMBPASSWD_MULTI_O = $(patsubst utils/smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
+SMBPASSWD_MULTI_O = $(patsubst utils/owrt_smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
MULTI_O = multi.o
MULTICALL_O = $(sort $(SMBD_MULTI_O) $(NMBD_MULTI_O) $(SMBPASSWD_MULTI_O) $(MULTI_O))
--- /dev/null
+++ b/source3/utils/owrt_smbpasswd.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2012 Felix Fietkau <nbd@nbd.name>
+ * Copyright (C) 2008 John Crispin <blogic@openwrt.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "includes.h"
+#include <endian.h>
+#include <stdio.h>
+
+static char buf[256];
+
+static void md4hash(const char *passwd, uchar p16[16])
+{
+ int len;
+ smb_ucs2_t wpwd[129];
+ int i;
+
+ len = strlen(passwd);
+ for (i = 0; i < len; i++) {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ wpwd[i] = (unsigned char)passwd[i];
+#else
+ wpwd[i] = (unsigned char)passwd[i] << 8;
+#endif
+ }
+ wpwd[i] = 0;
+
+ len = len * sizeof(int16);
+ mdfour(p16, (unsigned char *)wpwd, len);
+ ZERO_STRUCT(wpwd);
+}
+
+
+static bool find_passwd_line(FILE *fp, const char *user, char **next)
+{
+ char *p1;
+
+ while (!feof(fp)) {
+ if(!fgets(buf, sizeof(buf) - 1, fp))
+ continue;
+
+ p1 = strchr(buf, ':');
+
+ if (p1 - buf != strlen(user))
+ continue;
+
+ if (strncmp(buf, user, p1 - buf) != 0)
+ continue;
+
+ if (next)
+ *next = p1;
+ return true;
+ }
+ return false;
+}
+
+/* returns -1 if user is not present in /etc/passwd*/
+static int find_uid_for_user(const char *user)
+{
+ FILE *fp;
+ char *p1, *p2, *p3;
+ int ret = -1;
+
+ fp = fopen("/etc/passwd", "r");
+ if (!fp) {
+ printf("failed to open /etc/passwd");
+ goto out;
+ }
+
+ if (!find_passwd_line(fp, user, &p1)) {
+ printf("User %s not found or invalid in /etc/passwd\n", user);
+ goto out;
+ }
+
+ p2 = strchr(p1 + 1, ':');
+ if (!p2)
+ goto out;
+
+ p2++;
+ p3 = strchr(p2, ':');
+ if (!p1)
+ goto out;
+
+ *p3 = '\0';
+ ret = atoi(p2);
+
+out:
+ if(fp)
+ fclose(fp);
+ return ret;
+}
+
+static void smbpasswd_write_user(FILE *fp, const char *user, int uid, const char *password)
+{
+ static uchar nt_p16[NT_HASH_LEN];
+ int len = 0;
+ int i;
+
+ md4hash(strdup(password), nt_p16);
+
+ len += snprintf(buf + len, sizeof(buf) - len, "%s:%u:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:", user, uid);
+ for(i = 0; i < NT_HASH_LEN; i++)
+ len += snprintf(buf + len, sizeof(buf) - len, "%02X", nt_p16[i]);
+
+ snprintf(buf + len, sizeof(buf) - len, ":[U ]:LCT-00000001:\n");
+ fputs(buf, fp);
+}
+
+static void smbpasswd_delete_user(FILE *fp)
+{
+ fpos_t r_pos, w_pos;
+ int len = strlen(buf);
+
+ fgetpos(fp, &r_pos);
+ fseek(fp, -len, SEEK_CUR);
+ fgetpos(fp, &w_pos);
+ fsetpos(fp, &r_pos);
+
+ while (fgets(buf, sizeof(buf) - 1, fp)) {
+ int cur_len = strlen(buf);
+
+ fsetpos(fp, &w_pos);
+ fputs(buf, fp);
+ fgetpos(fp, &w_pos);
+
+ fsetpos(fp, &r_pos);
+ fseek(fp, cur_len, SEEK_CUR);
+ fgetpos(fp, &r_pos);
+ }
+
+ fsetpos(fp, &w_pos);
+ ftruncate(fileno(fp), ftello(fp));
+}
+
+static int usage(const char *progname)
+{
+ fprintf(stderr,
+ "Usage: %s [options] <username>\n"
+ "\n"
+ "Options:\n"
+ " -s read password from stdin\n"
+ " -a add user\n"
+ " -x delete user\n",
+ progname);
+ return 1;
+}
+
+int main(int argc, char **argv)
+{
+ const char *prog = argv[0];
+ const char *user;
+ char *pw1, *pw2;
+ FILE *fp;
+ bool add = false, delete = false, get_stdin = false, found;
+ int ch;
+ int uid;
+
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ while ((ch = getopt(argc, argv, "asx")) != EOF) {
+ switch (ch) {
+ case 's':
+ get_stdin = true;
+ break;
+ case 'a':
+ add = true;
+ break;
+ case 'x':
+ delete = true;
+ break;
+ default:
+ return usage(prog);
+ }
+ }
+
+ if (add && delete)
+ return usage(prog);
+
+ argc -= optind;
+ argv += optind;
+
+ if (!argc)
+ return usage(prog);
+
+ user = argv[0];
+ if (!delete) {
+ uid = find_uid_for_user(user);
+ if (uid < 0) {
+ fprintf(stderr, "Could not find user '%s' in /etc/passwd\n", user);
+ return 2;
+ }
+ }
+
+ fp = fopen("/etc/samba/smbpasswd", "r+");
+ if(!fp) {
+ fprintf(stderr, "Failed to open /etc/samba/smbpasswd");
+ return 3;
+ }
+
+ found = find_passwd_line(fp, user, NULL);
+ if (!add && !found) {
+ fprintf(stderr, "Could not find user '%s' in /etc/samba/smbpasswd\n", user);
+ return 3;
+ }
+
+ if (delete) {
+ smbpasswd_delete_user(fp);
+ goto out;
+ }
+
+ pw1 = get_pass("New SMB password:", get_stdin);
+ if (!pw1)
+ pw1 = strdup("");
+
+ pw2 = get_pass("Retype SMB password:", get_stdin);
+ if (!pw2)
+ pw2 = strdup("");
+
+ if (strcmp(pw1, pw2) != 0) {
+ fprintf(stderr, "Mismatch - password unchanged.\n");
+ goto out_free;
+ }
+
+ if (found)
+ fseek(fp, -strlen(buf), SEEK_CUR);
+ smbpasswd_write_user(fp, user, uid, pw2);
+
+out_free:
+ free(pw1);
+ free(pw2);
+out:
+ fclose(fp);
+ TALLOC_FREE(frame);
+
+ return 0;
+}

41
package/network/services/samba36/patches/120-add_missing_ifdef.patch Normal file
View File

@@ -0,0 +1,41 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -119,9 +119,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
+#ifdef DEVELOPER
if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
return false;
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -628,7 +628,9 @@ static struct cmd_set *rpcclient_command
netlogon_commands,
srvsvc_commands,
dfs_commands,
+#ifdef DEVELOPER
echo_commands,
+#endif
epmapper_commands,
shutdown_commands,
test_commands,
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -433,10 +433,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = true;
}
+#ifdef DEVELOPER
ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
if (ok) {
context_fns->allow_connect = true;
}
+#endif
/*
* every interface can be modified to allow "connect" auth_level by
* using a parametric option like:

346
package/network/services/samba36/patches/200-remove_printer_support.patch Normal file
View File

@@ -0,0 +1,346 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -1110,6 +1110,10 @@ bool dcesrv_ep_setup(struct tevent_conte
"rpc_server",
"spoolss",
"embedded");
+#ifndef PRINTER_SUPPORT
+ if (1) {
+ } else
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0) {
spoolss_cb.init = spoolss_init_cb;
spoolss_cb.shutdown = spoolss_shutdown_cb;
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -624,7 +624,9 @@ static struct cmd_set *rpcclient_command
lsarpc_commands,
ds_commands,
samr_commands,
+#ifdef PRINTER_SUPPORT
spoolss_commands,
+#endif
netlogon_commands,
srvsvc_commands,
dfs_commands,
--- a/source3/printing/spoolssd.c
+++ b/source3/printing/spoolssd.c
@@ -165,6 +165,10 @@ void start_spoolssd(struct tevent_contex
NTSTATUS status;
int ret;
+#ifndef PRINTER_SUPPORT
+ return;
+#endif
+
DEBUG(1, ("Forking SPOOLSS Daemon\n"));
pid = sys_fork();
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7841,6 +7841,10 @@ int net_rpc_printer(struct net_context *
{NULL, NULL, 0, NULL, NULL}
};
+#ifndef PRINTER_SUPPORT
+ return 0;
+#endif
+
if (argc == 0) {
if (c->display_usage) {
d_printf(_("Usage:\n"));
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5255,7 +5255,11 @@ void reply_printopen(struct smb_request
return;
}
- if (!CAN_PRINT(conn)) {
+
+#ifdef PRINTER_SUPPORT
+ if (!CAN_PRINT(conn))
+#endif
+ {
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplopen);
return;
@@ -5361,7 +5365,10 @@ void reply_printqueue(struct smb_request
is really quite gross and only worked when there was only
one printer - I think we should now only accept it if they
get it right (tridge) */
- if (!CAN_PRINT(conn)) {
+#ifdef PRINTER_SUPPORT
+ if (!CAN_PRINT(conn))
+#endif
+ {
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplretq);
return;
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -784,6 +784,10 @@ static bool api_DosPrintQGetInfo(struct
union spoolss_JobInfo *job_info = NULL;
union spoolss_PrinterInfo printer_info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -999,6 +1003,10 @@ static bool api_DosPrintQEnum(struct smb
union spoolss_DriverInfo *driver_info;
union spoolss_JobInfo **job_info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!param_format || !output_format1 || !p) {
return False;
}
@@ -3105,6 +3113,10 @@ static bool api_RDosPrintJobDel(struct s
struct spoolss_DevmodeContainer devmode_ctr;
enum spoolss_JobControl command;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -3238,6 +3250,10 @@ static bool api_WPrintQueueCtrl(struct s
struct sec_desc_buf secdesc_ctr;
enum spoolss_PrinterControl command;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !QueueName) {
return False;
}
@@ -3404,6 +3420,10 @@ static bool api_PrintJobInfo(struct smbd
union spoolss_JobInfo info;
struct spoolss_SetJobInfo1 info1;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4547,6 +4567,10 @@ static bool api_WPrintJobGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_JobInfo info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4685,6 +4709,10 @@ static bool api_WPrintJobEnumerate(struc
uint32_t count = 0;
union spoolss_JobInfo *info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4890,6 +4918,10 @@ static bool api_WPrintDestGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_PrinterInfo info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5026,6 +5058,10 @@ static bool api_WPrintDestEnum(struct sm
union spoolss_PrinterInfo *info;
uint32_t count;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5129,6 +5165,10 @@ static bool api_WPrintDriverEnum(struct
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5193,6 +5233,10 @@ static bool api_WPrintQProcEnum(struct s
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5257,6 +5301,10 @@ static bool api_WPrintPortEnum(struct sm
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -141,7 +141,9 @@ static void exit_server_common(enum serv
rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
+#endif
rpc_srvsvc_shutdown();
rpc_winreg_shutdown();
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1608,6 +1608,9 @@ static NTSTATUS open_file_ntcreate(conne
* Most of the passed parameters are ignored.
*/
+#ifndef PRINTER_SUPPORT
+ return NT_STATUS_ACCESS_DENIED;
+#endif
if (pinfo) {
*pinfo = FILE_WAS_CREATED;
}
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -643,6 +643,9 @@ static NTSTATUS close_normal_file(struct
status = ntstatus_keeperror(status, tmp);
if (fsp->print_file) {
+#ifndef PRINTER_SUPPORT
+ return NT_STATUS_OK;
+#endif
/* FIXME: return spool errors */
print_spool_end(fsp, close_type);
file_free(req, fsp);
--- a/source3/smbd/fileio.c
+++ b/source3/smbd/fileio.c
@@ -298,6 +298,10 @@ ssize_t write_file(struct smb_request *r
uint32_t t;
int ret;
+#ifndef PRINTER_SUPPORT
+ return -1;
+#endif
+
ret = print_spool_write(fsp, data, n, pos, &t);
if (ret) {
errno = ret;
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -486,7 +486,10 @@ static struct tevent_req *smbd_smb2_crea
info = FILE_WAS_OPENED;
} else if (CAN_PRINT(smb1req->conn)) {
status = file_new(smb1req, smb1req->conn, &result);
- if(!NT_STATUS_IS_OK(status)) {
+#ifdef PRINTER_SUPPORT
+ if(!NT_STATUS_IS_OK(status))
+#endif
+ {
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -85,9 +85,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -113,9 +113,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2423,8 +2423,10 @@ static bool housekeeping_fn(const struct
change_to_root_user();
+#ifdef PRINTER_SUPPORT
/* update printer queue caches if necessary */
update_monitored_printq_cache(sconn->msg_ctx);
+#endif
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -123,7 +123,9 @@ static void smb_pcap_updated(struct mess
{
struct tevent_context *ev_ctx =
talloc_get_type_abort(private_data, struct tevent_context);
-
+#ifndef PRINTER_SUPPORT
+ return;
+#endif
DEBUG(10,("Got message saying pcap was updated. Reloading.\n"));
change_to_root_user();
reload_printers(ev_ctx, msg);
@@ -1277,6 +1279,7 @@ extern void build_options(bool screen);
* The print backend init also migrates the printing tdb's,
* this requires a winreg pipe.
*/
+#ifdef PRINTER_SUPPORT
if (!print_backend_init(smbd_messaging_context()))
exit(1);
@@ -1315,7 +1318,7 @@ extern void build_options(bool screen);
smbd_messaging_context());
}
}
-
+#endif
if (!is_daemon) {
/* inetd mode */
TALLOC_FREE(frame);

88
package/network/services/samba36/patches/210-remove_ad_support.patch Normal file
View File

@@ -0,0 +1,88 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -95,9 +95,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
@@ -141,9 +143,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
return false;
}
+#endif
return true;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -918,6 +918,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -966,6 +967,7 @@ static bool dssetup_init_cb(void *ptr)
return true;
}
+#endif
static bool wkssvc_init_cb(void *ptr)
{
@@ -1172,12 +1174,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
#endif
+#ifdef ACTIVE_DIRECTORY
dssetup_cb.init = dssetup_init_cb;
dssetup_cb.shutdown = NULL;
dssetup_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_dssetup_init(&dssetup_cb))) {
return false;
}
+#endif
wkssvc_cb.init = wkssvc_init_cb;
wkssvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -132,7 +132,9 @@ static void exit_server_common(enum serv
if (am_parent) {
rpc_wkssvc_shutdown();
+#ifdef ACTIVE_DIRECTORY
rpc_dssetup_shutdown();
+#endif
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3391,12 +3391,14 @@ NTSTATUS cli_rpc_pipe_open_noauth_transp
status = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(status)) {
int lvl = 0;
+#ifdef ACTIVE_DIRECTORY
if (ndr_syntax_id_equal(interface,
&ndr_table_dssetup.syntax_id)) {
/* non AD domains just don't have this pipe, avoid
* level 0 statement in that case - gd */
lvl = 3;
}
+#endif
DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
"%s failed with error %s\n",
get_pipe_name_from_syntax(talloc_tos(), interface),

98
package/network/services/samba36/patches/220-remove_services.patch Normal file
View File

@@ -0,0 +1,98 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -131,6 +131,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
return false;
}
+#ifdef EXTRA_SERVICES
if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
return false;
}
@@ -140,6 +141,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -697,6 +697,7 @@ static bool spoolss_shutdown_cb(void *pt
return true;
}
+#ifdef EXTRA_SERVICES
static bool svcctl_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -733,6 +734,7 @@ static bool svcctl_init_cb(void *ptr)
return true;
}
+#endif
static bool svcctl_shutdown_cb(void *ptr)
{
@@ -741,6 +743,8 @@ static bool svcctl_shutdown_cb(void *ptr
return true;
}
+#ifdef EXTRA_SERVICES
+
static bool ntsvcs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -802,6 +806,7 @@ static bool eventlog_init_cb(void *ptr)
return true;
}
+#endif
static bool initshutdown_init_cb(void *ptr)
{
@@ -1130,6 +1135,7 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef EXTRA_SERVICES
svcctl_cb.init = svcctl_init_cb;
svcctl_cb.shutdown = svcctl_shutdown_cb;
svcctl_cb.private_data = ep_ctx;
@@ -1150,6 +1156,7 @@ bool dcesrv_ep_setup(struct tevent_conte
if (!NT_STATUS_IS_OK(rpc_eventlog_init(&eventlog_cb))) {
return false;
}
+#endif
initshutdown_cb.init = initshutdown_init_cb;
initshutdown_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -140,9 +140,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
- rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+ rpc_ntsvcs_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -637,9 +637,11 @@ static struct cmd_set *rpcclient_command
shutdown_commands,
test_commands,
wkssvc_commands,
+#ifdef EXTRA_SERVICES
ntsvcs_commands,
drsuapi_commands,
eventlog_commands,
+#endif
winreg_commands,
NULL
};

146
package/network/services/samba36/patches/230-remove_winreg_support.patch Normal file
View File

@@ -0,0 +1,146 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -409,6 +409,7 @@ static bool epmapper_shutdown_cb(void *p
return true;
}
+#ifdef WINREG_SUPPORT
static bool winreg_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -456,6 +457,7 @@ static bool winreg_init_cb(void *ptr)
return true;
}
+#endif
static bool srvsvc_init_cb(void *ptr)
{
@@ -710,10 +712,12 @@ static bool svcctl_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = svcctl_init_winreg(ep_ctx->msg_ctx);
if (!ok) {
return false;
}
+#endif
/* initialize the control hooks */
init_service_op_table();
@@ -785,10 +789,12 @@ static bool eventlog_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = eventlog_init_winreg(ep_ctx->msg_ctx);
if (!ok) {
return false;
}
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0 ||
StrCaseCmp(rpcsrv_type, "daemon") == 0) {
@@ -1077,12 +1083,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef WINREG_SUPPORT
winreg_cb.init = winreg_init_cb;
winreg_cb.shutdown = NULL;
winreg_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_winreg_init(&winreg_cb))) {
return false;
}
+#endif
srvsvc_cb.init = srvsvc_init_cb;
srvsvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -150,7 +150,9 @@ static void exit_server_common(enum serv
#endif
rpc_srvsvc_shutdown();
+#ifdef WINREG_SUPPORT
rpc_winreg_shutdown();
+#endif
rpc_netlogon_shutdown();
rpc_samr_shutdown();
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -112,9 +112,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
return false;
}
+#ifdef WINREG_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#endif
#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -95,9 +95,11 @@ bool init_service_op_table( void )
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
svcctl_ops[i].ops = &winreg_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "WINS" );
svcctl_ops[i].ops = &wins_svc_ops;
--- a/source3/services/svc_winreg_glue.c
+++ b/source3/services/svc_winreg_glue.c
@@ -88,6 +88,10 @@ struct security_descriptor *svcctl_get_s
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return NULL;
+#endif
+
key = talloc_asprintf(mem_ctx,
"%s\\%s\\Security",
TOP_LEVEL_SERVICES_KEY, name);
@@ -161,6 +165,10 @@ bool svcctl_set_secdesc(struct messaging
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return false;
+#endif
+
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return false;
@@ -272,6 +280,10 @@ const char *svcctl_get_string_value(TALL
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return NULL;
+#endif
+
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NULL;
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -642,7 +642,9 @@ static struct cmd_set *rpcclient_command
drsuapi_commands,
eventlog_commands,
#endif
+#ifdef WINREG_SUPPORT
winreg_commands,
+#endif
NULL
};

71
package/network/services/samba36/patches/240-remove_dfs_api.patch Normal file
View File

@@ -0,0 +1,71 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -881,6 +881,7 @@ static bool rpcecho_init_cb(void *ptr) {
#endif
+#ifdef DFS_SUPPORT
static bool netdfs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -928,6 +929,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#endif
#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
@@ -1173,12 +1175,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef DFS_SUPPORT
netdfs_cb.init = netdfs_init_cb;
netdfs_cb.shutdown = NULL;
netdfs_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netdfs_init(&netdfs_cb))) {
return false;
}
+#endif
#ifdef DEVELOPER
rpcecho_cb.init = rpcecho_init_cb;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -122,9 +122,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef DFS_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
+#endif
#ifdef DEVELOPER
if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -138,7 +138,9 @@ static void exit_server_common(enum serv
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
+#ifdef DFS_SUPPORT
rpc_netdfs_shutdown();
+#endif
rpc_initshutdown_shutdown();
#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -629,7 +629,9 @@ static struct cmd_set *rpcclient_command
#endif
netlogon_commands,
srvsvc_commands,
+#ifdef DFS_SUPPORT
dfs_commands,
+#endif
#ifdef DEVELOPER
echo_commands,
#endif

213
package/network/services/samba36/patches/250-remove_domain_logon.patch Normal file
View File

@@ -0,0 +1,213 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
return true;
}
+#endif
static bool spoolss_init_cb(void *ptr)
{
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
netlogon_cb.shutdown = NULL;
netlogon_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
return false;
}
+#endif
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server",
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
return false;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
rpc_winreg_shutdown();
#endif
+#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
+#endif
rpc_samr_shutdown();
rpc_lsarpc_shutdown();
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
i++;
#endif
+#ifdef NETLOGON_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#endif
#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
NTSTATUS status;
const char *pdc_name;
+#ifndef NETLOGON_SUPPORT
+ return;
+#endif
+
in_addr_to_sockaddr_storage(&ss, p->ip);
pss = iface_ip((struct sockaddr *)&ss);
if (!pss) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
+#ifdef NETLOGON_SUPPORT
netlogon_commands,
+#endif
srvsvc_commands,
#ifdef DFS_SUPPORT
dfs_commands,
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
}
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
NTSTATUS nt_status;
switch (sec_channel_type) {
+#ifdef NETLOGON_SUPPORT
case SEC_CHAN_WKSTA:
case SEC_CHAN_DOMAIN:
break;
+#endif
default:
return NT_STATUS_NOT_SUPPORTED;
}
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
*num_domains = 0;
*sids = NULL;
+#ifndef NETLOGON_SUPPORT
+ return False;
+#endif
+
+
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+#ifndef NETLOGON_SUPPORT
+ return NT_STATUS_UNSUCCESSFUL;
+#endif
+
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
domain));
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
NTSTATUS auth_domain_init(void)
{
+#ifdef NETLOGON_SUPPORT
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
+#endif
return NT_STATUS_OK;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
+#ifdef NETLOGON_SUPPORT
/* Change machine password if neccessary. */
attempt_machine_password_change();
+#endif
/*
* Force a log file check.
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
/*
* for the epmapper and echo interfaces we allow "connect"
* auth_level by default.
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
struct schannel_state);
struct tevent_req *subreq;
+#ifndef NETLOGON_SUPPORT
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+#endif
if (schannel_auth == NULL ||
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
&ndr_table_netlogon.syntax_id)) {

162
package/network/services/samba36/patches/260-remove_samr.patch Normal file
View File

@@ -0,0 +1,162 @@
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -59,8 +59,11 @@ struct handle_list {
static bool is_samr_lsa_pipe(const struct ndr_syntax_id *syntax)
{
- return (ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id)
- || ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id));
+ return
+#ifdef SAMR_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
+#endif
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -100,9 +100,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef SAMR_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -557,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -605,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#endif
#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
@@ -1111,12 +1113,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
samr_cb.shutdown = NULL;
samr_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_samr_init(&samr_cb))) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -159,7 +159,9 @@ static void exit_server_common(enum serv
#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
#endif
+#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
+#endif
rpc_lsarpc_shutdown();
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -623,7 +623,9 @@ static struct cmd_set *rpcclient_command
rpcclient_commands,
lsarpc_commands,
ds_commands,
+#ifdef SAMR_SUPPORT
samr_commands,
+#endif
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2353,6 +2353,10 @@ static bool api_RNetGroupEnum(struct smb
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2541,6 +2545,10 @@ static bool api_NetUserGetGroups(struct
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
@@ -2741,6 +2749,10 @@ static bool api_RNetUserEnum(struct smbd
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2979,6 +2991,10 @@ static bool api_SamOEMChangePassword(str
int bufsize;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
*rparam_len = 4;
*rparam = smb_realloc_limit(*rparam,*rparam_len);
if (!*rparam) {
@@ -4020,6 +4036,10 @@ static bool api_RNetUserGetInfo(struct s
union samr_UserInfo *info;
struct dcerpc_binding_handle *b = NULL;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -409,6 +409,7 @@ static bool check_bind_req(struct pipes_
context_fns->syntax = *abstract;
context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+#ifdef SAMR_SUPPORT
/*
* for the samr and the lsarpc interfaces we don't allow "connect"
* auth_level by default.
@@ -417,6 +418,7 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#endif
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;

43
package/network/services/samba36/patches/270-remove_registry_backend.patch Normal file
View File

@@ -0,0 +1,43 @@
--- a/source3/lib/smbconf/smbconf_init.c
+++ b/source3/lib/smbconf/smbconf_init.c
@@ -68,9 +68,12 @@ sbcErr smbconf_init(TALLOC_CTX *mem_ctx,
}
}
+#ifdef REGISTRY_BACKEND
if (strequal(backend, "registry") || strequal(backend, "reg")) {
err = smbconf_init_reg(mem_ctx, conf_ctx, path);
- } else if (strequal(backend, "file") || strequal(backend, "txt")) {
+ } else
+#endif
+ if (strequal(backend, "file") || strequal(backend, "txt")) {
err = smbconf_init_txt(mem_ctx, conf_ctx, path);
} else if (sep == NULL) {
/*
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -557,7 +557,10 @@ static WERROR NetServerSetInfo_l_1005(st
return WERR_INVALID_PARAM;
}
- if (!lp_config_backend_is_registry()) {
+#ifdef REGISTRY_BACKEND
+ if (!lp_config_backend_is_registry())
+#endif
+ {
libnetapi_set_error_string(ctx,
"Configuration manipulation requested but not "
"supported by backend");
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1230,8 +1230,10 @@ extern void build_options(bool screen);
exit(1);
}
+#ifdef REGISTRY_BACKEND
if (!W_ERROR_IS_OK(registry_init_full()))
exit(1);
+#endif
/* Open the share_info.tdb here, so we don't have to open
after the fork on every single connection. This is a small

143
package/network/services/samba36/patches/280-strip_srvsvc.patch Normal file
View File

@@ -0,0 +1,143 @@
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2197,6 +2197,10 @@ static bool api_RNetShareAdd(struct smbd
struct srvsvc_NetShareInfo2 info2;
struct dcerpc_binding_handle *b;
+#ifndef SRVSVC_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -3589,10 +3593,7 @@ static bool api_RNetServerGetInfo(struct
NTSTATUS status;
WERROR werr;
TALLOC_CTX *mem_ctx = talloc_tos();
- struct rpc_pipe_client *cli = NULL;
- union srvsvc_NetSrvInfo info;
int errcode;
- struct dcerpc_binding_handle *b;
if (!str1 || !str2 || !p) {
return False;
@@ -3655,66 +3656,16 @@ static bool api_RNetServerGetInfo(struct
p = *rdata;
p2 = p + struct_len;
- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
- conn->session_info,
- &conn->sconn->client_id,
- conn->sconn->msg_ctx,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("api_RNetServerGetInfo: could not connect to srvsvc: %s\n",
- nt_errstr(status)));
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
-
- b = cli->binding_handle;
-
- status = dcerpc_srvsvc_NetSrvGetInfo(b, mem_ctx,
- NULL,
- 101,
- &info,
- &werr);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!W_ERROR_IS_OK(werr)) {
- errcode = W_ERROR_V(werr);
- goto out;
- }
-
- if (info.info101 == NULL) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
-
if (uLevel != 20) {
- srvstr_push(NULL, 0, p, info.info101->server_name, 16,
+ srvstr_push(NULL, 0, p, global_myname(), 16,
STR_ASCII|STR_UPPER|STR_TERMINATE);
- }
+ }
p += 16;
if (uLevel > 0) {
- SCVAL(p,0,info.info101->version_major);
- SCVAL(p,1,info.info101->version_minor);
- SIVAL(p,2,info.info101->server_type);
-
- if (mdrcnt == struct_len) {
- SIVAL(p,6,0);
- } else {
- SIVAL(p,6,PTR_DIFF(p2,*rdata));
- if (mdrcnt - struct_len <= 0) {
- return false;
- }
- push_ascii(p2,
- info.info101->comment,
- MIN(mdrcnt - struct_len,
- MAX_SERVER_STRING_LENGTH),
- STR_TERMINATE);
- p2 = skip_string(*rdata,*rdata_len,p2);
- if (!p2) {
- return False;
- }
- }
+ SCVAL(p,0,lp_major_announce_version());
+ SCVAL(p,1,lp_minor_announce_version());
+ SIVAL(p,2,lp_default_server_announce());
+ SIVAL(p,6,0);
}
if (uLevel > 1) {
@@ -5405,6 +5356,10 @@ static bool api_RNetSessionEnum(struct s
uint32_t totalentries, resume_handle = 0;
uint32_t count = 0;
+#ifndef SRVSVC_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -1533,6 +1533,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi
TALLOC_CTX *ctx = p->mem_ctx;
union srvsvc_NetShareInfo *info = r->in.info;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareSetInfo: %d\n", __LINE__));
if (!r->in.share_name) {
@@ -1763,6 +1767,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_
int max_connections = 0;
TALLOC_CTX *ctx = p->mem_ctx;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__));
if (r->out.parm_error) {
@@ -1945,6 +1953,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_
struct share_params *params;
TALLOC_CTX *ctx = p->mem_ctx;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareDel: %d\n", __LINE__));
if (!r->in.share_name) {

88
package/network/services/samba36/patches/290-remove_lsa.patch Normal file
View File

@@ -0,0 +1,88 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -92,9 +92,11 @@ bool smb_register_ndr_interface(const st
static bool initialize_interfaces(void)
{
+#ifdef LSA_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#endif
#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -162,7 +162,9 @@ static void exit_server_common(enum serv
#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
#endif
+#ifdef LSA_SUPPORT
rpc_lsarpc_shutdown();
+#endif
}
/*
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -508,6 +508,7 @@ static bool srvsvc_init_cb(void *ptr)
return true;
}
+#ifdef LSA_SUPPORT
static bool lsarpc_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -556,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#endif
#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
@@ -1106,12 +1108,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
+#ifdef LSA_SUPPORT
lsarpc_cb.init = lsarpc_init_cb;
lsarpc_cb.shutdown = NULL;
lsarpc_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_lsarpc_init(&lsarpc_cb))) {
return false;
}
+#endif
#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -63,7 +63,10 @@ static bool is_samr_lsa_pipe(const struc
#ifdef SAMR_SUPPORT
ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
#endif
- ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
+#ifdef LSA_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id) ||
+#endif
+ false;
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -419,10 +419,12 @@ static bool check_bind_req(struct pipes_
context_fns->allow_connect = false;
}
#endif
+#ifdef LSA_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {

11
package/network/services/samba36/patches/300-assert_debug_level.patch Normal file
View File

@@ -0,0 +1,11 @@
--- a/lib/util/util.h
+++ b/lib/util/util.h
@@ -53,7 +53,7 @@ extern const char *panic_action;
#else
/* redefine the assert macro for non-developer builds */
#define SMB_ASSERT(b) do { if (!(b)) { \
- DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
+ DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \
__FILE__, __LINE__, #b)); }} while (0)
#endif

337
package/network/services/samba36/patches/310-remove_error_strings.patch Normal file
View File

@@ -0,0 +1,337 @@
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@@ -28,6 +28,7 @@ struct werror_code_struct {
static const struct werror_code_struct dos_errs[] =
{
+#ifdef VERBOSE_ERROR
{ "WERR_OK", WERR_OK },
{ "WERR_BADFILE", WERR_BADFILE },
{ "WERR_ACCESS_DENIED", WERR_ACCESS_DENIED },
@@ -2668,6 +2669,7 @@ static const struct werror_code_struct d
{ "WERR_AMBIGUOUS_SYSTEM_DEVICE", WERR_AMBIGUOUS_SYSTEM_DEVICE },
{ "WERR_SYSTEM_DEVICE_NOT_FOUND", WERR_SYSTEM_DEVICE_NOT_FOUND },
/* END GENERATED-WIN32-ERROR-CODES */
+#endif
{ NULL, W_ERROR(0) }
};
@@ -2684,12 +2686,14 @@ const char *win_errstr(WERROR werror)
static char msg[40];
int idx = 0;
+#ifdef VERBOSE_ERROR
while (dos_errs[idx].dos_errstr != NULL) {
if (W_ERROR_V(dos_errs[idx].werror) ==
W_ERROR_V(werror))
return dos_errs[idx].dos_errstr;
idx++;
}
+#endif
slprintf(msg, sizeof(msg), "DOS code 0x%08x", W_ERROR_V(werror));
@@ -2702,6 +2706,7 @@ struct werror_str_struct {
};
const struct werror_str_struct dos_err_strs[] = {
+#ifdef VERBOSE_ERROR
{ WERR_OK, "Success" },
{ WERR_ACCESS_DENIED, "Access is denied" },
{ WERR_INVALID_PARAM, "Invalid parameter" },
@@ -5324,6 +5329,7 @@ const struct werror_str_struct dos_err_s
{ WERR_AMBIGUOUS_SYSTEM_DEVICE, "The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria." },
{ WERR_SYSTEM_DEVICE_NOT_FOUND, "The requested system device cannot be found." },
/* END GENERATED-WIN32-ERROR-CODES-DESC */
+#endif
};
@@ -5334,6 +5340,7 @@ const struct werror_str_struct dos_err_s
const char *get_friendly_werror_msg(WERROR werror)
{
+#ifdef VERBOSE_ERROR
int i = 0;
for (i = 0; i < ARRAY_SIZE(dos_err_strs); i++) {
@@ -5342,6 +5349,7 @@ const char *get_friendly_werror_msg(WERR
return dos_err_strs[i].friendly_errstr;
}
}
+#endif
return win_errstr(werror);
}
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -663,4 +663,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum
_PUBLIC_ void ndr_print_bool(struct ndr_print *ndr, const char *name, const bool b);
+#ifndef VERBOSE_ERROR
+#define ndr_print_bool(...) do {} while (0)
+#define ndr_print_struct(...) do {} while (0)
+#define ndr_print_null(...) do {} while (0)
+#define ndr_print_enum(...) do {} while (0)
+#define ndr_print_bitmap_flag(...) do {} while (0)
+#define ndr_print_ptr(...) do {} while (0)
+#define ndr_print_union(...) do {} while (0)
+#define ndr_print_bad_level(...) do {} while (0)
+#define ndr_print_array_uint8(...) do {} while (0)
+#define ndr_print_string_array(...) do {} while (0)
+#define ndr_print_string_array(...) do {} while (0)
+#define ndr_print_NTSTATUS(...) do {} while (0)
+#define ndr_print_WERROR(...) do {} while (0)
+#endif
+
#endif /* __LIBNDR_H__ */
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -31,6 +31,19 @@
#define NDR_SIVAL(ndr, ofs, v) do { if (NDR_BE(ndr)) { RSIVAL(ndr->data,ofs,v); } else SIVAL(ndr->data,ofs,v); } while (0)
#define NDR_SIVALS(ndr, ofs, v) do { if (NDR_BE(ndr)) { RSIVALS(ndr->data,ofs,v); } else SIVALS(ndr->data,ofs,v); } while (0)
+#undef ndr_print_bool
+#undef ndr_print_struct
+#undef ndr_print_null
+#undef ndr_print_enum
+#undef ndr_print_bitmap_flag
+#undef ndr_print_ptr
+#undef ndr_print_union
+#undef ndr_print_bad_level
+#undef ndr_print_array_uint8
+#undef ndr_print_string_array
+#undef ndr_print_string_array
+#undef ndr_print_NTSTATUS
+#undef ndr_print_WERROR
/*
check for data leaks from the server by looking for non-zero pad bytes
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri
return NDR_ERR_SUCCESS;
}
+#undef ndr_print_string_array
_PUBLIC_ void ndr_print_string_array(struct ndr_print *ndr, const char *name, const char **a)
{
uint32_t count;
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -31,6 +31,7 @@ struct dcerpc_fault_table {
static const struct dcerpc_fault_table dcerpc_faults[] =
{
#define _FAULT_STR(x) { #x , x }
+#ifdef VERBOSE_ERROR
_FAULT_STR(DCERPC_NCA_S_COMM_FAILURE),
_FAULT_STR(DCERPC_NCA_S_OP_RNG_ERROR),
_FAULT_STR(DCERPC_NCA_S_UNKNOWN_IF),
@@ -78,6 +79,7 @@ static const struct dcerpc_fault_table d
_FAULT_STR(DCERPC_NCA_S_FAULT_CODESET_CONV_ERROR),
_FAULT_STR(DCERPC_NCA_S_FAULT_OBJECT_NOT_FOUND),
_FAULT_STR(DCERPC_NCA_S_FAULT_NO_CLIENT_STUB),
+#endif
{ NULL, 0 }
#undef _FAULT_STR
};
@@ -87,12 +89,14 @@ _PUBLIC_ const char *dcerpc_errstr(TALLO
int idx = 0;
WERROR werr = W_ERROR(fault_code);
+#ifdef VERBOSE_ERROR
while (dcerpc_faults[idx].errstr != NULL) {
if (dcerpc_faults[idx].faultcode == fault_code) {
return dcerpc_faults[idx].errstr;
}
idx++;
}
+#endif
return win_errstr(werr);
}
--- a/source3/libsmb/nterr.c
+++ b/source3/libsmb/nterr.c
@@ -702,6 +702,7 @@ const char *nt_errstr(NTSTATUS nt_code)
NT_STATUS_DOS_CODE(nt_code));
}
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -709,6 +710,7 @@ const char *nt_errstr(NTSTATUS nt_code)
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
NT_STATUS_V(nt_code));
@@ -724,12 +726,14 @@ const char *get_friendly_nt_error_msg(NT
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_err_desc[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
return nt_err_desc[idx].nt_errstr;
}
idx++;
}
+#endif
/* fall back to NT_STATUS_XXX string */
@@ -745,6 +749,7 @@ const char *get_nt_error_c_code(NTSTATUS
char *result;
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -752,6 +757,7 @@ const char *get_nt_error_c_code(NTSTATUS
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT_STATUS(0x%08x)",
NT_STATUS_V(nt_code));
@@ -767,12 +773,14 @@ NTSTATUS nt_status_string_to_code(const
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (strcasecmp(nt_errs[idx].nt_errstr, nt_status_str) == 0) {
return nt_errs[idx].nt_errcode;
}
idx++;
}
+#endif
return NT_STATUS_UNSUCCESSFUL;
}
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -69,7 +69,11 @@ typedef uint32_t tdb_off_t;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style
* argument. */
+#ifdef VERBOSE_DEBUG
#define TDB_LOG(x) tdb->log.log_fn x
+#else
+#define TDB_LOG(x) do {} while(0)
+#endif
#ifdef TDB_TRACE
void tdb_trace(struct tdb_context *tdb, const char *op);
--- a/source3/script/mkbuildoptions.awk
+++ b/source3/script/mkbuildoptions.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/script/mkbuildoptions-waf.awk
+++ b/source3/script/mkbuildoptions-waf.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -445,7 +445,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -466,7 +465,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -486,7 +484,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -508,7 +505,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -526,7 +522,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -570,7 +565,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err;
}
@@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
set_incoming_fault(p);
return false;
}

22
package/network/services/samba36/patches/320-debug_level_checks.patch Normal file
View File

@@ -0,0 +1,22 @@
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -45,7 +45,7 @@ bool dbghdr( int level, const char *loca
* Redefine DEBUGLEVEL because so we don't have to change every source file
* that *unnecessarily* references it.
*/
-#define DEBUGLEVEL DEBUGLEVEL_CLASS[DBGC_ALL]
+#define DEBUGLEVEL 0
/*
* Define all new debug classes here. A class is represented by an entry in
--- a/source3/nmbd/asyncdns.c
+++ b/source3/nmbd/asyncdns.c
@@ -85,7 +85,7 @@ static void asyncdns_process(void)
struct query_record r;
unstring qname;
- DEBUGLEVEL = -1;
+ DEBUGLEVEL_CLASS[DBGC_ALL] = -1;
while (1) {
NTSTATUS status;

8854
package/network/services/samba36/patches/330-librpc_default_print.patch Normal file
View File

File diff suppressed because it is too large Load Diff