From b10ff49d652720bcf5e9ad6179bb3d4d52b9b58e Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Nov 11 2021 14:26:36 +0000
Subject: Fix winbind trusted domain regression
related: #2021716
Guenther
---
diff --git a/samba-4.14-fix-winbind-no-trusted-domain.patch b/samba-4.14-fix-winbind-no-trusted-domain.patch
new file mode 100644
index 0000000..4924872
--- /dev/null
+++ b/samba-4.14-fix-winbind-no-trusted-domain.patch
@@ -0,0 +1,41 @@
+From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 9 Nov 2021 20:50:20 +0100
+Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
+
+add_trusted_domain() should only reject domains
+based on is_allowed_domain(), which now also
+checks "allow trusted domains = no", if we don't
+have an explicit trust to the domain (SEC_CHAN_NULL).
+
+We use at least SEC_CHAN_LOCAL for local domains like
+BUILTIN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+Signed-off-by: Stefan Metzmacher
+
+Autobuild-User(master): Stefan Metzmacher
+Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
+
+(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
+---
+ source3/winbindd/winbindd_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 42ddbfd2f44..9d54e462c42 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- if (!is_allowed_domain(domain_name)) {
++ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
+--
+2.33.1
+
diff --git a/samba.spec b/samba.spec
index f3dbc6d..0494d2b 100644
--- a/samba.spec
+++ b/samba.spec
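Review bot: The rewritten guard in add_trusted_domain() skips is_allowed_domain() for every caller that passes a secure channel type other than SEC_CHAN_NULL, so "allow trusted domains = no" is enforced only as far as each caller reports the channel type accurately, and nothing at the check records that. A comment above the condition would state the contract, for example `/* Only domains without an explicit trust (SEC_CHAN_NULL) are filtered by is_allowed_domain(); callers must pass the real channel type. */`. The callers and the rest of the function body are outside the hunk, so whether any of them passes a non-NULL type for a domain that is not actually trusted cannot be confirmed from here and should be checked. The embedded patch touches only winbindd_util.c, so it carries no test for the "allow trusted domains = no" setting that regressed.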
@@ -115,7 +115,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global main_release 0 +%global main_release 1 %global samba_version 4.14.10 %global talloc_version 2.3.2 @@ -185,6 +185,7 @@ Source14: samba.pamd Source201: README.downgrade Patch0: samba-s4u.patch +Patch1: samba-4.14-fix-winbind-no-trusted-domain.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -3954,6 +3955,10 @@ fi %endif %changelog +* Thu Nov 11 2021 Guenther Deschner - 4.14.10-1 +- Fix winbind trusted domain regression +- related: #2021716 + * Tue Nov 09 2021 Guenther Deschner - 4.14.10-0 - Update to Samba 4.14.10 - resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124