[Pkg-samba-maint] [samba] 06/08: Add regression patch for Joining a 2003 domain as a domain member

Andrew Bartlett abartlet-guest at moszumanska.debian.org
Tue Apr 12 22:04:08 UTC 2016


This is an automated email from the git hooks/post-receive script.

abartlet-guest pushed a commit to branch experimental
in repository samba.

commit d53306ad23446f882ef5a1c3b34fb012ecfdd23a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 11 15:48:26 2016 +1200

    Add regression patch for Joining a 2003 domain as a domain member
---
 debian/changelog                                   |  1 +
 ...-prerequisite-v4-4-regression-fixes.metze01.txt | 48 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 50 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a4a0a2a..7462d31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ samba (2:4.4.1+dfsg-1) UNRELEASED; urgency=medium
     - CVE-2016-2114 ("server signing = mandatory" not enforced)
     - CVE-2016-2115 (SMB IPC traffic is not integrity protected)
     - CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+  * Additional regression fix for 'net ads join' to a Windows 2003 domain by metze
 
  -- Andrew Bartlett <abartlet+debian at catalyst.net.nz>  Wed, 06 Apr 2016 17:51:36 +1200
 
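Review bot: the added changelog line names 'net ads join' and the patch author but gives no bug reference, while the patch it describes cites BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804. Adding that upstream bug number to the entry would let someone reading only debian/changelog trace the regression to its report, the same way the entries above it are traceable by CVE id.
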
diff --git a/debian/patches/security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt b/debian/patches/security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
new file mode 100644
index 0000000..7fecf67
--- /dev/null
+++ b/debian/patches/security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
@@ -0,0 +1,48 @@
+#
+# Additional patch to 4.4.1 to fix a regression noticed after the
+# creation of the tarball.  If not other regressions are noticed, then
+# this will be the difference to 4.4.2.
+#
+From 87fb3b8f61d2b48e4aad4d62d0305f49a4a05dc3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Fri, 8 Apr 2016 10:05:38 +0200
+Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with
+ kerberos and arcfour-hmac-md5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
+(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
+that prevents things like 'net ads join' from working against a Windows 2003 domain.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Günther Deschner <gd at samba.org>
+---
+ source3/libads/sasl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 4fcd733..22aa9cf 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
+ 		ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
+ 
+ 		ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
+-		ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
++		/*
++		 * Note that we have to truncate this to 0x2C
++		 * (taken from a capture with LDAP unbind), as the
++		 * signature size is not constant for Kerberos with
++		 * arcfour-hmac-md5.
++		 */
++		ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
+ 		ads->ldap.in.max_wrapped = max_wrapped;
+ 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
+ 		if (!ADS_ERR_OK(status)) {
+-- 
+1.9.1
+
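
Review bot: in the embedded sasl.c change, `ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);` applies the 0x2C cap on every pass through this branch of ads_sasl_spnego_gensec_bind(), although the comment justifies it only for Kerberos with arcfour-hmac-md5. Going by its name, in.min_wrapped is the lower bound for incoming wrapped LDAP data, so it is worth confirming that the unwrap step still rejects a packet shorter than the real signature when sig_size is larger than 0x2C, or limiting the cap to the arcfour-hmac-md5 case. A named constant in place of the bare 0x2C would also make the value easier to revisit if another capture shows a smaller signature.
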
diff --git a/debian/patches/series b/debian/patches/series
index 6b92d26..6161e4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ Fix-privacy-breach-on-google.com.patch
 fix-cluster-build.diff
 ctdb-Fix-detection-of-gnukfreebsd.patch
 no_build_options.patch
+security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
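
Review bot: the new series entry ends in .txt, while every other entry visible in this hunk uses .patch or .diff (no_build_options.patch, fix-cluster-build.diff). Renaming the file to a .patch suffix, and dropping the "metze01" working tag in favour of a name that describes the fix, would keep debian/patches consistent and make the entry easier to find once 4.4.2 supersedes it.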

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



