The branch, master has been updated via 5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0 via 1e61de83066 CVE-2020-25717: s3-auth: fix MIT Realm regression via f621317e3b2 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object from d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5e3df5f9ee64a80898f73585b19113354f463c44 Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Ralph Boehme <s...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 commit 1e61de8306604a0d3858342df8a1d2412d8d418b Author: Ralph Boehme <s...@samba.org> Date: Fri Nov 26 10:57:17 2021 +0100 CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identical, but it might work in the standalone server case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Ralph Boehme <s...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> commit f621317e3b25a8925ab6e448068264488a0a47c7 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Nov 12 12:44:44 2021 +1300 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object This may allow further processing when the DN normalisation has changed which changes the indexing, such as seen after fixes for bug 14656. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/auth/user_krb5.c | 9 +++++++++ source3/libsmb/dsgetdcname.c | 4 ++++ source4/dsdb/samdb/ldb_modules/operational.c | 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 ++++++++++++- 4 files changed, 26 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index b8f37cbeee0..169bf563368 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, char *fuser = NULL; char *unixuser = NULL; struct passwd *pw = NULL; + bool may_retry = false; DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, domain = realm; } else { domain = lp_workgroup(); + may_retry = true; } fuser = talloc_asprintf(mem_ctx, @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, *mapped_to_guest = false; pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + if (may_retry && pw == NULL && !*is_mapped) { + fuser = talloc_strdup(mem_ctx, user); + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + } if (pw) { if (!unixuser) { return NT_STATUS_NO_MEMORY; diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index f8ae96109b7..5954e48d747 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx, for (i = 0; i < numdcs; i++) { size_t j; + if (dcs[i].num_ips == 0) { + continue; + } + dclist[ret_count].hostname = talloc_move(dclist, &dcs[i].hostname); diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 11b87bdf5ca..2b3cd2d7954 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -1408,7 +1408,7 @@ static const struct op_attributes_replace search_sub[] = { { "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups }, { "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc}, { "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups }, - { "parentGUID", NULL, NULL, construct_parent_guid }, + { "parentGUID", "objectGUID", NULL, construct_parent_guid }, { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }, { "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc }, { "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber }, diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 599cb79c1fd..d3baf3ae7dd 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -6925,7 +6925,18 @@ static int replmd_replicated_apply_next(struct replmd_replicated_request *ar) ar->req); LDB_REQ_SET_LOCATION(search_req); - ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED); + /* + * We set DSDB_SEARCH_SHOW_EXTENDED_DN to get the GUID on the + * DN. This in turn helps our operational module find the + * record by GUID, not DN lookup which is more error prone if + * DN indexing changes. We prefer to keep chasing GUIDs + * around if possible, even within a transaction. + * + * The aim here is to keep replication moving and allow a + * reindex later. + */ + ret = dsdb_request_add_controls(search_req, DSDB_SEARCH_SHOW_RECYCLED + |DSDB_SEARCH_SHOW_EXTENDED_DN); if (ret != LDB_SUCCESS) { return ret; -- Samba Shared Repository