Attachment #43756 for bug #67865

View | Details | Raw Unified | Return to bug 67865
Collapse All | Expand All





PORTNAME=		samba
PORTVERSION=		3.0.4
PORTREVISION?=		3
PORTEPOCH?=		1
CATEGORIES?=		net
MASTER_SITES=		${MASTER_SITE_SAMBA}

USE_ICONV=		yes
USE_AUTOCONF_VER=	253

LATEST_LINK?=		${PKGNAMEPREFIX}${PORTNAME}3${PKGNAMESUFFIX}
EXAMPLESDIR=		${PREFIX}/share/examples/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
WRKSRC=			${WRKDIR}/${DISTNAME}/source


SAMBA_RUNDIR=		${VARDIR}/run
SAMBA_LOCKDIR?=		${VARDIR}/db/samba
SAMBA_PRIVATE?=		${PREFIX}/private
SAMBA_CONFDIR=		${PREFIX}/etc
SAMBA_SWATDIR=		${PREFIX}/share/swat
SAMBA_LIBDIR=		${PREFIX}/lib
RC_DIR=			${SAMBA_CONFDIR}/rc.d
SAMBA_CONFIG=		${SAMBA_CONFDIR}/smb.conf

CONFIGURE_ENV+=		CPPFLAGS=-I${LOCALBASE}/include \




--- configure.in.orig	Thu Apr 29 09:34:48 2004
+++ configure.in	Thu May 20 14:16:15 2004
@@ -803,6 +803,13 @@
    AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type])
 fi
 
+AC_CACHE_CHECK([for optreset], samba_cv_var_optreset, [
+  AC_TRY_LINK([#include <unistd.h>],[optreset = 1],
+  [samba_cv_var_optreset=yes],[samba_cv_var_optreset=no])])
+if test x"$samba_cv_var_optreset" = x"yes"; then
+  AC_DEFINE(HAVE_OPTRESET,1,[Whether the system has optreset])
+fi
+
 # stupid headers have the functions but no declaration. grrrr.
 AC_HAVE_DECL(errno, [#include <errno.h>])
 AC_HAVE_DECL(setresuid, [#include <unistd.h>])




--- include/config.h.in.orig	Sat May  8 02:33:46 2004
+++ include/config.h.in	Thu May 20 14:17:44 2004
@@ -236,6 +236,9 @@
 /* Define to 1 if you have the `endnetgrent' function. */
 #undef HAVE_ENDNETGRENT
 
+/* Whether optreset is available */
+#undef HAVE_OPTRESET
+
 /* Whether errno() is available */
 #undef HAVE_ERRNO_DECL
 




Index: source/rpc_client/cli_pipe.c
===================================================================
--- rpc_client/cli_pipe.c	(revision 842)
+++ rpc_client/cli_pipe.c	(working copy)
@@ -332,13 +332,24 @@
 	if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
 		RPC_AUTH_NETSEC_CHK chk;
 
-		if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
+		if ( (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) 
+			&& (auth_len != RPC_AUTH_NETSEC_SIGN_ONLY_CHK_LEN)  ) 
+		{
 			DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
 			return False;
 		}
 
-		if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", 
-						&chk, &auth_verf, 0)) {
+		/* can't seal with no nonce */
+		if ( (cli->pipe_auth_flags & AUTH_PIPE_SEAL)
+			&& (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN)  )
+		{
+			DEBUG(0,("rpc_auth_pipe: sealing not supported with schannel auth len %d\n", auth_len));
+			return False;
+		}
+		
+
+		if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", auth_len, &chk, &auth_verf, 0)) 
+		{
 			DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
 				  "RPC_AUTH_NETSECK_CHK failed\n"));
 			return False;
@@ -918,7 +929,7 @@
 			auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
 		}
 		if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {	
-			auth_len = RPC_AUTH_NETSEC_CHK_LEN;
+			auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
 		}
 		auth_hdr_len = RPC_HDR_AUTH_LEN;
 	}
@@ -1034,8 +1045,9 @@
 				/* write auth footer onto the packet */
 				
 				parse_offset_marker = prs_offset(&sec_blob);
-				if (!smb_io_rpc_auth_netsec_chk("", &verf,
-								&sec_blob, 0)) {
+				if (!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN, 
+					&verf, &sec_blob, 0)) 
+				{
 					prs_mem_free(&sec_blob);
 					return False;
 				}

Added Link Here

(-)files/patch-jerry-filename.c (+15 lines)
1	Index: source/smbd/filename.c
2	===================================================================
3	--- smbd/filename.c (revision 842)
4	+++ smbd/filename.c (working copy)
5	@@ -137,6 +137,10 @@
6	if (!*name) {
7	name[0] = '.';
8	name[1] = '\0';
9	+ if (SMB_VFS_STAT(conn,name,&st) == 0) {
10	+ *pst = st;
11	+ }
12	+ DEBUG(5,("conversion finished %s -> %s\n",orig_path, name));
13	return(True);
14	}
15




Index: source/rpc_parse/parse_rpc.c
===================================================================
--- rpc_parse/parse_rpc.c	(revision 842)
+++ rpc_parse/parse_rpc.c	(working copy)
@@ -1189,7 +1189,8 @@
 /*******************************************************************
 reads or writes an RPC_AUTH_NETSEC_CHK structure.
 ********************************************************************/
-BOOL smb_io_rpc_auth_netsec_chk(const char *desc, RPC_AUTH_NETSEC_CHK * chk,
+BOOL smb_io_rpc_auth_netsec_chk(const char *desc, int auth_len, 
+                                RPC_AUTH_NETSEC_CHK * chk,
 				prs_struct *ps, int depth)
 {
 	if (chk == NULL)
@@ -1198,10 +1199,19 @@
 	prs_debug(ps, depth, desc, "smb_io_rpc_auth_netsec_chk");
 	depth++;
 
-	prs_uint8s(False, "sig  ", ps, depth, chk->sig, sizeof(chk->sig));
-	prs_uint8s(False, "seq_num", ps, depth, chk->seq_num, sizeof(chk->seq_num));
-	prs_uint8s(False, "packet_digest", ps, depth, chk->packet_digest, sizeof(chk->packet_digest));
-	prs_uint8s(False, "confounder", ps, depth, chk->confounder, sizeof(chk->confounder));
+	if ( !prs_uint8s(False, "sig  ", ps, depth, chk->sig, sizeof(chk->sig)) )
+		return False;
+		
+	if ( !prs_uint8s(False, "seq_num", ps, depth, chk->seq_num, sizeof(chk->seq_num)) )
+		return False;
+		
+	if ( !prs_uint8s(False, "packet_digest", ps, depth, chk->packet_digest, sizeof(chk->packet_digest)) )
+		return False;
+	
+	if ( auth_len == RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN ) {
+		if ( !prs_uint8s(False, "confounder", ps, depth, chk->confounder, sizeof(chk->confounder)) )
+			return False;
+	}
 
 	return True;
 }




Index: source/include/rpc_dce.h
===================================================================
--- include/rpc_dce.h	(revision 842)
+++ include/rpc_dce.h	(working copy)
@@ -63,8 +63,10 @@
 #define NETSEC_AUTH_TYPE 0x44
 #define NETSEC_SIGN_SIGNATURE { 0x77, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 }
 #define NETSEC_SEAL_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
-#define RPC_AUTH_NETSEC_CHK_LEN 0x20
 
+#define RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN 	0x20
+#define RPC_AUTH_NETSEC_SIGN_ONLY_CHK_LEN 	0x18
+
 /* The 7 here seems to be required to get Win2k not to downgrade us
    to NT4.  Actually, anything other than 1ff would seem to do... */
 #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff




Index: source/rpc_server/srv_pipe.c
===================================================================
--- rpc_server/srv_pipe.c	(revision 842)
+++ rpc_server/srv_pipe.c	(working copy)
@@ -124,7 +124,7 @@
 	if(p->ntlmssp_auth_validated) {
 		data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
 	} else if(p->netsec_auth_validated) {
-		data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
+		data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
 	}
 
 	/*
@@ -177,8 +177,8 @@
 	} else if (p->netsec_auth_validated) {
 		p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
 			data_len + ss_padding_len +
-			RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
-		p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
+			RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
+		p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
 	} else {
 		p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
 		p->hdr.auth_len = 0;
@@ -309,7 +309,8 @@
 			      SENDER_IS_ACCEPTOR,
 			      &verf, data, data_len + ss_padding_len);
 
-		smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
+		smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN, 
+			&verf, &outgoing_pdu, 0);
 
 		p->netsec_auth.seq_num++;
 	}
@@ -1339,7 +1340,7 @@
 
 	auth_len = p->hdr.auth_len;
 
-	if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
+	if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
 		DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
 		return False;
 	}
@@ -1384,7 +1385,9 @@
 		return False;
 	}
 
-	if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
+	if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN, 
+		&netsec_chk, rpc_in, 0)) 
+	{
 		DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
 		return False;
 	}




Index: source/smbd/uid.c
===================================================================
--- smbd/uid.c	(revision 842)
+++ smbd/uid.c	(working copy)
@@ -189,20 +189,26 @@
 
 	snum = SNUM(conn);
 
+	if ((vuser) && !check_user_ok(conn, vuser, snum)) {
+		DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) not permitted access to share %s.\n",
+			vuser->user.smb_name, vuser->user.unix_name, vuid, lp_servicename(snum)));
+		return False;
+	}
+
 	if (conn->force_user) /* security = share sets this too */ {
 		uid = conn->uid;
 		gid = conn->gid;
 		current_user.groups = conn->groups;
 		current_user.ngroups = conn->ngroups;
 		token = conn->nt_user_token;
-	} else if ((vuser) && check_user_ok(conn, vuser, snum)) {
+	} else if (vuser) {
 		uid = conn->admin_user ? 0 : vuser->uid;
 		gid = vuser->gid;
 		current_user.ngroups = vuser->n_groups;
 		current_user.groups  = vuser->groups;
 		token = vuser->nt_user_token;
 	} else {
-		DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid));
+		DEBUG(2,("change_to_user: Invalid vuid used %d in accessing share %s.\n",vuid, lp_servicename(snum) ));
 		return False;
 	}
 




--- rpcclient/cmd_reg.c.orig	Sun Apr  4 09:37:28 2004
+++ rpcclient/cmd_reg.c	Thu May 20 14:18:36 2004
@@ -905,7 +905,11 @@
 	int opt;
 
 	*msg = 0;
-	optind = 0; /* TODO: test if this hack works on other systems too --simo */
+#ifdef HAVE_OPTRESET
+	optreset = optind = 1;
+#else
+	optind = 0;
+#endif
 
 	while ((opt = getopt(argc, argv, "m:t:rf")) != EOF)
 	{




# Defaults
nmbd_enable=${nmbd_enable:-"NO"}
nmbd_flags=${nmbd_flags:-"-D"}
command_args="-s ${samba_config}"

load_rc_config $name
run_rc_command "$1"

# Defaults
smbd_enable=${smbd_enable:-"NO"}
smbd_flags=${smbd_flags:-"-D"}
command_args="-s ${samba_config}"

load_rc_config $name
run_rc_command "$1"

%%WINBIND%%# Defaults
%%WINBIND%%winbindd_enable=${winbindd_enable:-"NO"}
%%WINBIND%%winbindd_flags=${winbindd_flags:-""}
%%WINBIND%%command_args="-s ${samba_config}"
%%WINBIND%%
%%WINBIND%%load_rc_config $name
%%WINBIND%%run_rc_command "$1"

Return to bug 67865

Lines 7-13 Link Here

(-)Makefile (-4 / +4 lines)
7		7
8	PORTNAME= samba	8	PORTNAME= samba
9	PORTVERSION= 3.0.4	9	PORTVERSION= 3.0.4
10	PORTREVISION?= 2	10	PORTREVISION?= 3
11	PORTEPOCH?= 1	11	PORTEPOCH?= 1
12	CATEGORIES?= net	12	CATEGORIES?= net
13	MASTER_SITES= ${MASTER_SITE_SAMBA}	13	MASTER_SITES= ${MASTER_SITE_SAMBA}
Lines 22-28 Link Here
22	USE_ICONV= yes	22	USE_ICONV= yes
23	USE_AUTOCONF_VER= 253	23	USE_AUTOCONF_VER= 253
24		24
25	LATEST_LINK?= ${PKGNAMEPREFIX}${PORTNAME}-3${PKGNAMESUFFIX}	25	LATEST_LINK?= ${PKGNAMEPREFIX}${PORTNAME}3${PKGNAMESUFFIX}
26	EXAMPLESDIR= ${PREFIX}/share/examples/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}	26	EXAMPLESDIR= ${PREFIX}/share/examples/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
27	WRKSRC= ${WRKDIR}/${DISTNAME}/source	27	WRKSRC= ${WRKDIR}/${DISTNAME}/source
28		28
Lines 33-42 Link Here
33	SAMBA_RUNDIR= ${VARDIR}/run	33	SAMBA_RUNDIR= ${VARDIR}/run
34	SAMBA_LOCKDIR?= ${VARDIR}/db/samba	34	SAMBA_LOCKDIR?= ${VARDIR}/db/samba
35	SAMBA_PRIVATE?= ${PREFIX}/private	35	SAMBA_PRIVATE?= ${PREFIX}/private
36	SAMBA_CONFDIR?= ${PREFIX}/etc	36	SAMBA_CONFDIR= ${PREFIX}/etc
37	SAMBA_SWATDIR= ${PREFIX}/share/swat	37	SAMBA_SWATDIR= ${PREFIX}/share/swat
38	SAMBA_LIBDIR= ${PREFIX}/lib	38	SAMBA_LIBDIR= ${PREFIX}/lib
39	RC_DIR?= ${SAMBA_CONFDIR}/rc.d	39	RC_DIR= ${SAMBA_CONFDIR}/rc.d
40	SAMBA_CONFIG= ${SAMBA_CONFDIR}/smb.conf	40	SAMBA_CONFIG= ${SAMBA_CONFDIR}/smb.conf
41		41
42	CONFIGURE_ENV+= CPPFLAGS=-I${LOCALBASE}/include \	42	CONFIGURE_ENV+= CPPFLAGS=-I${LOCALBASE}/include \

Added Link Here

(-)files/patch-configure.in (+16 lines)
1	--- configure.in.orig Thu Apr 29 09:34:48 2004
2	+++ configure.in Thu May 20 14:16:15 2004
3	@@ -803,6 +803,13 @@
4	AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type])
5	fi
6
7	+AC_CACHE_CHECK([for optreset], samba_cv_var_optreset, [
8	+ AC_TRY_LINK([#include <unistd.h>],[optreset = 1],
9	+ [samba_cv_var_optreset=yes],[samba_cv_var_optreset=no])])
10	+if test x"$samba_cv_var_optreset" = x"yes"; then
11	+ AC_DEFINE(HAVE_OPTRESET,1,[Whether the system has optreset])
12	+fi
13	+
14	# stupid headers have the functions but no declaration. grrrr.
15	AC_HAVE_DECL(errno, [#include <errno.h>])
16	AC_HAVE_DECL(setresuid, [#include <unistd.h>])

Added Link Here

(-)files/patch-include_config.h.in (+12 lines)
1	--- include/config.h.in.orig Sat May 8 02:33:46 2004
2	+++ include/config.h.in Thu May 20 14:17:44 2004
3	@@ -236,6 +236,9 @@
4	/* Define to 1 if you have the `endnetgrent' function. */
5	#undef HAVE_ENDNETGRENT
6
7	+/* Whether optreset is available */
8	+#undef HAVE_OPTRESET
9	+
10	/* Whether errno() is available */
11	#undef HAVE_ERRNO_DECL
12

Added Link Here

(-)files/patch-jerry-cli_pipe.c (+53 lines)
1	Index: source/rpc_client/cli_pipe.c
2	===================================================================
3	--- rpc_client/cli_pipe.c (revision 842)
4	+++ rpc_client/cli_pipe.c (working copy)
5	@@ -332,13 +332,24 @@
6	if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
7	RPC_AUTH_NETSEC_CHK chk;
8
9	- if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
10	+ if ( (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN)
11	+ && (auth_len != RPC_AUTH_NETSEC_SIGN_ONLY_CHK_LEN) )
12	+ {
13	DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
14	return False;
15	}
16
17	- if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign",
18	- &chk, &auth_verf, 0)) {
19	+ /* can't seal with no nonce */
20	+ if ( (cli->pipe_auth_flags & AUTH_PIPE_SEAL)
21	+ && (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) )
22	+ {
23	+ DEBUG(0,("rpc_auth_pipe: sealing not supported with schannel auth len %d\n", auth_len));
24	+ return False;
25	+ }
26	+
27	+
28	+ if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", auth_len, &chk, &auth_verf, 0))
29	+ {
30	DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
31	"RPC_AUTH_NETSECK_CHK failed\n"));
32	return False;
33	@@ -918,7 +929,7 @@
34	auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
35	}
36	if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
37	- auth_len = RPC_AUTH_NETSEC_CHK_LEN;
38	+ auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
39	}
40	auth_hdr_len = RPC_HDR_AUTH_LEN;
41	}
42	@@ -1034,8 +1045,9 @@
43	/* write auth footer onto the packet */
44
45	parse_offset_marker = prs_offset(&sec_blob);
46	- if (!smb_io_rpc_auth_netsec_chk("", &verf,
47	- &sec_blob, 0)) {
48	+ if (!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
49	+ &verf, &sec_blob, 0))
50	+ {
51	prs_mem_free(&sec_blob);
52	return False;
53	}

Added Link Here

(-)files/patch-jerry-parse_rpc.c (+38 lines)
1	Index: source/rpc_parse/parse_rpc.c
2	===================================================================
3	--- rpc_parse/parse_rpc.c (revision 842)
4	+++ rpc_parse/parse_rpc.c (working copy)
5	@@ -1189,7 +1189,8 @@
6	/*******************************************************************
7	reads or writes an RPC_AUTH_NETSEC_CHK structure.
8	********************************************************************/
9	-BOOL smb_io_rpc_auth_netsec_chk(const char desc, RPC_AUTH_NETSEC_CHK chk,
10	+BOOL smb_io_rpc_auth_netsec_chk(const char *desc, int auth_len,
11	+ RPC_AUTH_NETSEC_CHK * chk,
12	prs_struct *ps, int depth)
13	{
14	if (chk == NULL)
15	@@ -1198,10 +1199,19 @@
16	prs_debug(ps, depth, desc, "smb_io_rpc_auth_netsec_chk");
17	depth++;
18
19	- prs_uint8s(False, "sig ", ps, depth, chk->sig, sizeof(chk->sig));
20	- prs_uint8s(False, "seq_num", ps, depth, chk->seq_num, sizeof(chk->seq_num));
21	- prs_uint8s(False, "packet_digest", ps, depth, chk->packet_digest, sizeof(chk->packet_digest));
22	- prs_uint8s(False, "confounder", ps, depth, chk->confounder, sizeof(chk->confounder));
23	+ if ( !prs_uint8s(False, "sig ", ps, depth, chk->sig, sizeof(chk->sig)) )
24	+ return False;
25	+
26	+ if ( !prs_uint8s(False, "seq_num", ps, depth, chk->seq_num, sizeof(chk->seq_num)) )
27	+ return False;
28	+
29	+ if ( !prs_uint8s(False, "packet_digest", ps, depth, chk->packet_digest, sizeof(chk->packet_digest)) )
30	+ return False;
31	+
32	+ if ( auth_len == RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN ) {
33	+ if ( !prs_uint8s(False, "confounder", ps, depth, chk->confounder, sizeof(chk->confounder)) )
34	+ return False;
35	+ }
36
37	return True;
38	}

Added Link Here

(-)files/patch-jerry-rpc_dce.h (+16 lines)
1	Index: source/include/rpc_dce.h
2	===================================================================
3	--- include/rpc_dce.h (revision 842)
4	+++ include/rpc_dce.h (working copy)
5	@@ -63,8 +63,10 @@
6	#define NETSEC_AUTH_TYPE 0x44
7	#define NETSEC_SIGN_SIGNATURE { 0x77, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 }
8	#define NETSEC_SEAL_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
9	-#define RPC_AUTH_NETSEC_CHK_LEN 0x20
10
11	+#define RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN 0x20
12	+#define RPC_AUTH_NETSEC_SIGN_ONLY_CHK_LEN 0x18
13	+
14	/* The 7 here seems to be required to get Win2k not to downgrade us
15	to NT4. Actually, anything other than 1ff would seem to do... */
16	#define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff

Added Link Here

(-)files/patch-jerry-srv_pipe.c (+54 lines)
1	Index: source/rpc_server/srv_pipe.c
2	===================================================================
3	--- rpc_server/srv_pipe.c (revision 842)
4	+++ rpc_server/srv_pipe.c (working copy)
5	@@ -124,7 +124,7 @@
6	if(p->ntlmssp_auth_validated) {
7	data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
8	} else if(p->netsec_auth_validated) {
9	- data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
10	+ data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
11	}
12
13	/*
14	@@ -177,8 +177,8 @@
15	} else if (p->netsec_auth_validated) {
16	p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
17	data_len + ss_padding_len +
18	- RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
19	- p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
20	+ RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
21	+ p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
22	} else {
23	p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
24	p->hdr.auth_len = 0;
25	@@ -309,7 +309,8 @@
26	SENDER_IS_ACCEPTOR,
27	&verf, data, data_len + ss_padding_len);
28
29	- smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
30	+ smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
31	+ &verf, &outgoing_pdu, 0);
32
33	p->netsec_auth.seq_num++;
34	}
35	@@ -1339,7 +1340,7 @@
36
37	auth_len = p->hdr.auth_len;
38
39	- if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
40	+ if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
41	DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
42	return False;
43	}
44	@@ -1384,7 +1385,9 @@
45	return False;
46	}
47
48	- if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
49	+ if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
50	+ &netsec_chk, rpc_in, 0))
51	+ {
52	DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
53	return False;
54	}

Added Link Here

(-)files/patch-jerry-uid.c (+33 lines)
1	Index: source/smbd/uid.c
2	===================================================================
3	--- smbd/uid.c (revision 842)
4	+++ smbd/uid.c (working copy)
5	@@ -189,20 +189,26 @@
6
7	snum = SNUM(conn);
8
9	+ if ((vuser) && !check_user_ok(conn, vuser, snum)) {
10	+ DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) not permitted access to share %s.\n",
11	+ vuser->user.smb_name, vuser->user.unix_name, vuid, lp_servicename(snum)));
12	+ return False;
13	+ }
14	+
15	if (conn->force_user) /* security = share sets this too */ {
16	uid = conn->uid;
17	gid = conn->gid;
18	current_user.groups = conn->groups;
19	current_user.ngroups = conn->ngroups;
20	token = conn->nt_user_token;
21	- } else if ((vuser) && check_user_ok(conn, vuser, snum)) {
22	+ } else if (vuser) {
23	uid = conn->admin_user ? 0 : vuser->uid;
24	gid = vuser->gid;
25	current_user.ngroups = vuser->n_groups;
26	current_user.groups = vuser->groups;
27	token = vuser->nt_user_token;
28	} else {
29	- DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid));
30	+ DEBUG(2,("change_to_user: Invalid vuid used %d in accessing share %s.\n",vuid, lp_servicename(snum) ));
31	return False;
32	}
33

Added Link Here

(-)files/patch-rpcclient_cmd_reg.c (+15 lines)
1	--- rpcclient/cmd_reg.c.orig Sun Apr 4 09:37:28 2004
2	+++ rpcclient/cmd_reg.c Thu May 20 14:18:36 2004
3	@@ -905,7 +905,11 @@
4	int opt;
5
6	*msg = 0;
7	- optind = 0; /* TODO: test if this hack works on other systems too --simo */
8	+#ifdef HAVE_OPTRESET
9	+ optreset = optind = 1;
10	+#else
11	+ optind = 0;
12	+#endif
13
14	while ((opt = getopt(argc, argv, "m:t:rf")) != EOF)
15	{

Lines 86-92 Link Here

(-)files/samba.sh.sample (-3 / +3 lines)
86	# Defaults	86	# Defaults
87	nmbd_enable=${nmbd_enable:-"NO"}	87	nmbd_enable=${nmbd_enable:-"NO"}
88	nmbd_flags=${nmbd_flags:-"-D"}	88	nmbd_flags=${nmbd_flags:-"-D"}
89	command_args="${nmbd_flags} -s ${samba_config}"	89	command_args="-s ${samba_config}"
90		90
91	load_rc_config $name	91	load_rc_config $name
92	run_rc_command "$1"	92	run_rc_command "$1"
Lines 101-107 Link Here
101	# Defaults	101	# Defaults
102	smbd_enable=${smbd_enable:-"NO"}	102	smbd_enable=${smbd_enable:-"NO"}
103	smbd_flags=${smbd_flags:-"-D"}	103	smbd_flags=${smbd_flags:-"-D"}
104	command_args="${smbd_flags} -s ${samba_config}"	104	command_args="-s ${samba_config}"
105		105
106	load_rc_config $name	106	load_rc_config $name
107	run_rc_command "$1"	107	run_rc_command "$1"
Lines 117-123 Link Here
117	%%WINBIND%%# Defaults	117	%%WINBIND%%# Defaults
118	%%WINBIND%%winbindd_enable=${winbindd_enable:-"NO"}	118	%%WINBIND%%winbindd_enable=${winbindd_enable:-"NO"}
119	%%WINBIND%%winbindd_flags=${winbindd_flags:-""}	119	%%WINBIND%%winbindd_flags=${winbindd_flags:-""}
120	%%WINBIND%%command_args="${winbindd_flags} -s ${samba_config}"	120	%%WINBIND%%command_args="-s ${samba_config}"
121	%%WINBIND%%	121	%%WINBIND%%
122	%%WINBIND%%load_rc_config $name	122	%%WINBIND%%load_rc_config $name
123	%%WINBIND%%run_rc_command "$1"	123	%%WINBIND%%run_rc_command "$1"