abbra pushed to samba (f22). "Samba 4.2 broke FreeIPA trusts to AD (..more)"

notifications at fedoraproject.org
Mon May 11 17:31:23 UTC 2015


From a79780284253c609ffd85f1a8b9174745a91b6a5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 11 May 2015 20:29:59 +0300
Subject: Samba 4.2 broke FreeIPA trusts to AD

Fixes #1219834

diff --git a/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch b/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
new file mode 100644
index 0000000..f6ae63a
--- /dev/null
+++ b/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
@@ -0,0 +1,35 @@
+From 97d7bc19bb463cfbb9d45b69cec1e668eb15b4a1 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab at samba.org>
+Date: Thu, 7 May 2015 14:12:03 +0000
+Subject: [PATCH] auth/credentials: if credentials have principal set, they are
+ not anonymous anymore
+
+When dealing with Kerberos, we cannot consider credentials anonymous
+if credentials were obtained properly.
+
+Signed-off: Alexander Bokovoy <ab at samba.org>
+---
+ auth/credentials/credentials.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 78b5955..b1ccc5a 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -921,6 +921,13 @@ _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
+ 						    cred->machine_account_pending_lp_ctx);
+ 	}
+ 
++	if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
++		/* if principal is set, it's not anonymous */
++		if (cred->principal && cred->principal_obtained >= cred->username_obtained) {
++			return false;
++		}
++	}
++
+ 	username = cli_credentials_get_username(cred);
+ 	
+ 	/* Yes, it is deliberate that we die if we have a NULL pointer
+-- 
+2.4.0
+
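Review bot: In the embedded patch's cli_credentials_is_anonymous() hunk, the new early return checks only that cred->principal is non-NULL and that principal_obtained >= username_obtained. Nothing in it establishes that Kerberos credentials were actually obtained, which is the justification the commit message gives ("if credentials were obtained properly"). Because this function decides whether a set of credentials counts as anonymous, a principal string that is merely present would be enough to flip the answer to false. Consider also requiring that the principal was explicitly set or backed by a usable ticket, and extend the comment to explain why the >= comparison against username_obtained is the right condition. Separately, the trailer in the embedded commit message reads "Signed-off:" rather than "Signed-off-by:".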
diff --git a/samba.spec b/samba.spec
index f003093..f2e0cf9 100644
--- a/samba.spec
+++ b/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 7
+%define main_release 8
 
 %define samba_version 4.2.1
 %define talloc_version 2.1.2
@@ -95,6 +95,7 @@ Source0:        samba-%{version}%{pre_release}.tar.xz
 Patch0:         samba-4.2.2-fix_debug_macro.patch
 Patch1:         samba-4.2.2-lib-util-fix-detection-of-systemd-libraries.patch
 Patch2:         samba-4.2-fix-rpc-helper.patch
+Patch3:         samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
 
 # Red Hat specific replacement-files
 Source1: samba.log
@@ -643,6 +644,7 @@ and use CTDB instead.
 %patch0 -p1 -b .samba-4.2.2-fix_debug_macro.patch
 %patch1 -p1 -b .samba-4.2.2-lib-util-fix-detection-of-systemd-libraries.patch
 %patch2 -p1 -b .samba-4.2-fix-rpc-helper.patch
+%patch3 -p1 -b .samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1931,6 +1933,9 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
+* Mon May 11 2015 Alexander Bokovoy <abokovoy at redhat.com> - 4.2.1-8
+- Fixes: #1219832: Samba 4.2 broke FreeIPA trusts to AD
+
 * Thu Apr 30 2015 Alexander Bokovoy <abokovoy at redhat.com> - 4.2.1-7
 - Fix LSASD daemon
 - resolves: #1217346 - FreeIPA trusts to AD broken due to Samba 4.2 failure to run LSARPC pipe externally
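Review bot: The new %changelog entry cites #1219832, but the commit message for this change says "Fixes #1219834", so one of the two bug numbers is wrong. Confirm which bug this build addresses and make the commit message and changelog agree, since the changelog reference is what ends up in the shipped package. The entry also uses "Fixes: #N: text" where the entry directly below uses "resolves: #N - text"; following the existing form would keep the changelog consistent.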
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/samba.git/commit/?h=f22&id=a79780284253c609ffd85f1a8b9174745a91b6a5

