initial commit of file from CVS for samba on Thu 26 Oct 11:22:51 BST 2023

This commit is contained in:
Brian Read 2023-10-26 11:22:51 +01:00
parent 10989af9b1
commit d51d43e16c
16 changed files with 20902 additions and 1 deletions

1
.gitattributes vendored Normal file
View File

@ -0,0 +1 @@
*.tar.xz filter=lfs diff=lfs merge=lfs -text

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.rpm
*.log
*spec-20*

21
Makefile Normal file
View File

@ -0,0 +1,21 @@
# Makefile for source rpm: samba
# $Id: Makefile,v 1.1 2016/09/29 08:22:00 vip-ire Exp $
NAME := samba
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)

20
README.dc Normal file
View File

@ -0,0 +1,20 @@
MIT Kerberos 5 Support
=======================
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
choice. The Samba build in Fedora is using MIT Kerberos implementation in order
to allow system-wide interoperability between both desktop and server
applications running on the same machine.
At the moment the Samba Active Directory Domain Controller implementation is
not available with MIT Kereberos. FreeIPA and Samba Team members are currently
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
distribution integration of Samba AD DC features.
We have just finished migrating the file server and all client utilities to MIT
Kerberos. The result of this work is available in samba-* packages in Fedora.
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
KDC will be ready.
In case of further questions do not hesitate to send your inquiries to
samba-owner@fedoraproject.org

29
README.downgrade Normal file
View File

@ -0,0 +1,29 @@
Downgrading Samba
=================
Short version: data-preserving downgrades between Samba versions are not supported
Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.
Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.
Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.
Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb
In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

View File

@ -1,3 +1,11 @@
# samba
3rd Party (Maintained by Koozali) git repo for samba smeserver
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />
Samba is an open-source software package that provides file and print services and enables file and printer sharing between Windows, Unix, and Linux systems. With Samba, users can access files and printers located on Windows or Unix machines from a Linux machine. Samba also provides secure authentication and data encryption, allowing users to securely access shared resources across different networks.

1
contriborbase Normal file
View File

@ -0,0 +1 @@
sme10

Binary file not shown.

View File

@ -0,0 +1,150 @@
From a691be8ed36fb5740ae877a46f0aff72ce0c9cb2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 4 May 2020 12:17:37 +0200
Subject: [PATCH] ldb: revert ad-dc fix and keep ldb version at 1.5.4
Revert "ldap server: generate correct referral schemes"
This reverts commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa.
---
lib/ldb/include/ldb_module.h | 5 -----
lib/ldb/wscript | 2 +-
selftest/knownfail.d/ldap_referrals | 1 +
source4/dsdb/samdb/ldb_modules/partition.c | 16 +++++-----------
source4/ldap_server/ldap_backend.c | 18 ------------------
source4/ldap_server/ldap_server.c | 1 -
source4/ldap_server/ldap_server.h | 6 ------
7 files changed, 7 insertions(+), 42 deletions(-)
create mode 100644 selftest/knownfail.d/ldap_referrals
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 8c47082690b..9a5c61d0e73 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -103,11 +103,6 @@ struct ldb_module;
* attributes, not to be printed in trace messages */
#define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST"
-/*
- * The scheme to be used for referral entries, i.e. ldap or ldaps
- */
-#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME"
-
/*
these function pointers define the operations that a ldb module can intercept
*/
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0f760a9bc80..d3402a7b5b2 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '1.5.7'
+VERSION = '1.5.4'
import sys, os
diff --git a/selftest/knownfail.d/ldap_referrals b/selftest/knownfail.d/ldap_referrals
new file mode 100644
index 00000000000..403f0d3bd6d
--- /dev/null
+++ b/selftest/knownfail.d/ldap_referrals
@@ -0,0 +1 @@
+^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
index f66ccab1dd5..49bdeb04fa5 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -902,17 +902,11 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
data->partitions[i]->ctrl->dn) == 0) &&
(ldb_dn_compare(req->op.search.base,
data->partitions[i]->ctrl->dn) != 0)) {
- const char *scheme = ldb_get_opaque(
- ldb, LDAP_REFERRAL_SCHEME_OPAQUE);
- char *ref = talloc_asprintf(
- ac,
- "%s://%s/%s%s",
- scheme == NULL ? "ldap" : scheme,
- lpcfg_dnsdomain(lp_ctx),
- ldb_dn_get_linearized(
- data->partitions[i]->ctrl->dn),
- req->op.search.scope ==
- LDB_SCOPE_ONELEVEL ? "??base" : "");
+ char *ref = talloc_asprintf(ac,
+ "ldap://%s/%s%s",
+ lpcfg_dnsdomain(lp_ctx),
+ ldb_dn_get_linearized(data->partitions[i]->ctrl->dn),
+ req->op.search.scope == LDB_SCOPE_ONELEVEL ? "??base" : "");
if (ref == NULL) {
return ldb_oom(ldb);
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 573472c0f7f..39f1aa2a2a6 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -647,24 +647,6 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
call->notification.busy = true;
}
- {
- const char *scheme = NULL;
- switch (call->conn->referral_scheme) {
- case LDAP_REFERRAL_SCHEME_LDAPS:
- scheme = "ldaps";
- break;
- default:
- scheme = "ldap";
- }
- ldb_ret = ldb_set_opaque(
- samdb,
- LDAP_REFERRAL_SCHEME_OPAQUE,
- discard_const_p(char *, scheme));
- if (ldb_ret != LDB_SUCCESS) {
- goto reply;
- }
- }
-
ldb_set_timeout(samdb, lreq, req->timelimit);
if (!call->conn->is_privileged) {
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 25c3b624abc..7c7eeb0a6c1 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -436,7 +436,6 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq)
}
conn->sockets.active = conn->sockets.tls;
- conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;
ldapsrv_call_read_next(conn);
}
diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h
index 5b944f5ab9b..d3e31fb1eec 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -24,11 +24,6 @@
#include "system/network.h"
#include "lib/param/loadparm.h"
-enum ldap_server_referral_scheme {
- LDAP_REFERRAL_SCHEME_LDAP,
- LDAP_REFERRAL_SCHEME_LDAPS
-};
-
struct ldapsrv_connection {
struct ldapsrv_connection *next, *prev;
struct loadparm_context *lp_ctx;
@@ -52,7 +47,6 @@ struct ldapsrv_connection {
bool is_privileged;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
- enum ldap_server_referral_scheme referral_scheme;
struct {
int initial_timeout;
--
2.24.1

38
pam_winbind.conf Normal file
View File

@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no

14550
samba-4.10-redhat.patch Normal file

File diff suppressed because it is too large Load Diff

6
samba.pamd Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth

5673
samba.spec Normal file

File diff suppressed because it is too large Load Diff

313
smb.conf.example Normal file
View File

@ -0,0 +1,313 @@
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes
cups options = raw
; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff

37
smb.conf.vendor Normal file
View File

@ -0,0 +1,37 @@
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

51
trust.patch Normal file
View File

@ -0,0 +1,51 @@
diff -urN samba-4.10.16.old/source3/rpc_server/netlogon/srv_netlog_nt.c samba-4.10.16/source3/rpc_server/netlogon/srv_netlog_nt.c
--- samba-4.10.16.old/source3/rpc_server/netlogon/srv_netlog_nt.c 2023-07-16 10:18:26.101390835 +0300
+++ samba-4.10.16/source3/rpc_server/netlogon/srv_netlog_nt.c 2023-07-16 10:35:36.843060123 +0300
@@ -2672,6 +2672,11 @@
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
+ if (r->in.query_level != 1) {
+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
become_root();
status = netr_creds_server_step_check(p, p->mem_ctx,
r->in.computer_name,
@@ -2683,10 +2688,6 @@
return status;
}
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;
diff -urN samba-4.10.16.old/source4/rpc_server/netlogon/dcerpc_netlogon.c samba-4.10.16/source4/rpc_server/netlogon/dcerpc_netlogon.c
--- samba-4.10.16.old/source4/rpc_server/netlogon/dcerpc_netlogon.c 2023-07-16 10:18:26.545400571 +0300
+++ samba-4.10.16/source4/rpc_server/netlogon/dcerpc_netlogon.c 2023-07-16 10:40:11.763109454 +0300
@@ -2910,6 +2910,10 @@
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
+ if (r->in.query_level != 1) {
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
+ }
+
status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
r->in.computer_name,
@@ -2921,10 +2925,6 @@
}
NT_STATUS_NOT_OK_RETURN(status);
- if (r->in.query_level != 1) {
- return NT_STATUS_NOT_SUPPORTED;
- }
-
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;