summaryrefslogtreecommitdiffstats
path: root/patches/source/samba
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/samba')
-rw-r--r--patches/source/samba/doinst.sh18
-rw-r--r--patches/source/samba/pytalloc-util.pc11
-rw-r--r--patches/source/samba/rc.samba46
-rw-r--r--patches/source/samba/samba-4.4.16-CVE-2018-1057.patch903
-rw-r--r--patches/source/samba/samba-4.5.14-security-2017-11-21.patch110
-rwxr-xr-xpatches/source/samba/samba.SlackBuild224
-rw-r--r--patches/source/samba/samba.install.talloc.tevent.tdb.diff102
-rw-r--r--patches/source/samba/samba.url2
-rw-r--r--patches/source/samba/slack-desc19
-rw-r--r--patches/source/samba/smb.conf.default223
-rw-r--r--patches/source/samba/smb.conf.default.orig223
-rw-r--r--patches/source/samba/smb.conf.diff29
-rw-r--r--patches/source/samba/talloc.pc11
13 files changed, 1921 insertions, 0 deletions
diff --git a/patches/source/samba/doinst.sh b/patches/source/samba/doinst.sh
new file mode 100644
index 00000000..01b5d450
--- /dev/null
+++ b/patches/source/samba/doinst.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+config etc/rc.d/rc.samba.new
+config etc/samba/lmhosts.new
+# Commented out 2014-09-15 just in case we do need to change this.
+## This won't be needed. The point here is to preserve the permissions of the existing
+## file, if there is one. I don't see major new development happening in rc.samba... ;-)
+#rm -f etc/rc.d/rc.samba.new
diff --git a/patches/source/samba/pytalloc-util.pc b/patches/source/samba/pytalloc-util.pc
new file mode 100644
index 00000000..800a9a81
--- /dev/null
+++ b/patches/source/samba/pytalloc-util.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${prefix}/lib
+includedir=${prefix}/include
+
+Name: pytalloc-util
+Description: Utility functions for using talloc objects with Python
+Version: 2.0.8
+Libs: -L${libdir} -lpytalloc-util
+Cflags: -Wl,-rpath,/usr/lib -I${includedir}
+URL: http://talloc.samba.org/
diff --git a/patches/source/samba/rc.samba b/patches/source/samba/rc.samba
new file mode 100644
index 00000000..7fd2b61b
--- /dev/null
+++ b/patches/source/samba/rc.samba
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.samba
+#
+# Start/stop/restart the Samba SMB file/print server.
+#
+# To make Samba start automatically at boot, make this
+# file executable: chmod 755 /etc/rc.d/rc.samba
+#
+
+samba_start() {
+ if [ -x /usr/sbin/smbd -a -x /usr/sbin/nmbd -a -r /etc/samba/smb.conf ]; then
+ mkdir -p /var/run/samba
+ echo "Starting Samba: /usr/sbin/smbd -D"
+ /usr/sbin/smbd -D
+ echo " /usr/sbin/nmbd -D"
+ /usr/sbin/nmbd -D
+ fi
+}
+
+samba_stop() {
+ killall smbd nmbd
+}
+
+samba_restart() {
+ samba_stop
+ sleep 2
+ samba_start
+}
+
+case "$1" in
+'start')
+ samba_start
+ ;;
+'stop')
+ samba_stop
+ ;;
+'restart')
+ samba_restart
+ ;;
+*)
+ # Default is "start", for backwards compatibility with previous
+ # Slackware versions. This may change to a 'usage' error someday.
+ samba_start
+esac
+
diff --git a/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch b/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch
new file mode 100644
index 00000000..8d4c0c0e
--- /dev/null
+++ b/patches/source/samba/samba-4.4.16-CVE-2018-1057.patch
@@ -0,0 +1,903 @@
+From 6ff2935f6a1bb2bdfb45beea07d4cb7c69c66a74 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 12:43:09 +0100
+Subject: [PATCH 01/13] CVE-2018-1057: s4:dsdb/tests: add a test for password
+ change with empty delete
+
+Note that the request using the clearTextPassword attribute for the
+password change is already correctly rejected by the server.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/samba4.ldap.passwords.python | 2 +
+ source4/dsdb/tests/python/passwords.py | 49 +++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python
+
+diff --git a/selftest/knownfail.d/samba4.ldap.passwords.python b/selftest/knownfail.d/samba4.ldap.passwords.python
+new file mode 100644
+index 0000000..343c5a7
+--- /dev/null
++++ b/selftest/knownfail.d/samba4.ldap.passwords.python
+@@ -0,0 +1,2 @@
++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword
++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd
+diff --git a/source4/dsdb/tests/python/passwords.py b/source4/dsdb/tests/python/passwords.py
+index fb3eee5..c50f2b6 100755
+--- a/source4/dsdb/tests/python/passwords.py
++++ b/source4/dsdb/tests/python/passwords.py
+@@ -931,6 +931,55 @@ userPassword: thatsAcomplPASS4
+ # Reset the "minPwdLength" as it was before
+ self.ldb.set_minPwdLength(minPwdLength)
+
++ def test_pw_change_delete_no_value_userPassword(self):
++ """Test password change with userPassword where the delete attribute doesn't have a value"""
++
++ try:
++ self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: userPassword
++add: userPassword
++userPassword: thatsAcomplPASS1
++""")
++ except LdbError, (num, msg):
++ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
++ else:
++ self.fail()
++
++ def test_pw_change_delete_no_value_clearTextPassword(self):
++ """Test password change with clearTextPassword where the delete attribute doesn't have a value"""
++
++ try:
++ self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: clearTextPassword
++add: clearTextPassword
++clearTextPassword: thatsAcomplPASS2
++""")
++ except LdbError, (num, msg):
++ self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
++ num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
++ else:
++ self.fail()
++
++ def test_pw_change_delete_no_value_unicodePwd(self):
++ """Test password change with unicodePwd where the delete attribute doesn't have a value"""
++
++ try:
++ self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: unicodePwd
++add: unicodePwd
++unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
++""")
++ except LdbError, (num, msg):
++ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
++ else:
++ self.fail()
++
+ def tearDown(self):
+ super(PasswordTests, self).tearDown()
+ delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)
+--
+1.9.1
+
+
+From 35f8367aa64955d9f34beac9a62f8336e5e6c510 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 10:56:06 +0100
+Subject: [PATCH 02/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper
+ variable for LDB_FLAG_MOD_TYPE
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
+index 05b0854..aa3871d 100644
+--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
+@@ -3152,17 +3152,20 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
+ }
+
+ while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
+- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE) {
++ unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
++
++ if (mtype == LDB_FLAG_MOD_DELETE) {
+ ++del_attr_cnt;
+ }
+- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD) {
++ if (mtype == LDB_FLAG_MOD_ADD) {
+ ++add_attr_cnt;
+ }
+- if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_REPLACE) {
++ if (mtype == LDB_FLAG_MOD_REPLACE) {
+ ++rep_attr_cnt;
+ }
+ if ((passwordAttr->num_values != 1) &&
+- (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD)) {
++ (mtype == LDB_FLAG_MOD_ADD))
++ {
+ talloc_free(ac);
+ ldb_asprintf_errstring(ldb,
+ "'%s' attribute must have exactly one value on add operations!",
+@@ -3170,7 +3173,8 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((passwordAttr->num_values > 1) &&
+- (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE)) {
++ (mtype == LDB_FLAG_MOD_DELETE))
++ {
+ talloc_free(ac);
+ ldb_asprintf_errstring(ldb,
+ "'%s' attribute must have zero or one value(s) on delete operations!",
+--
+1.9.1
+
+
+From 63c91916d15f355e7179292fac998056c0bd6a44 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 14:40:59 +0100
+Subject: [PATCH 03/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper
+ variable for passwordAttr->num_values
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
+index aa3871d..690bb98 100644
+--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
+@@ -3153,6 +3153,7 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
+
+ while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
+ unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
++ unsigned int nvalues = passwordAttr->num_values;
+
+ if (mtype == LDB_FLAG_MOD_DELETE) {
+ ++del_attr_cnt;
+@@ -3163,18 +3164,14 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
+ if (mtype == LDB_FLAG_MOD_REPLACE) {
+ ++rep_attr_cnt;
+ }
+- if ((passwordAttr->num_values != 1) &&
+- (mtype == LDB_FLAG_MOD_ADD))
+- {
++ if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
+ talloc_free(ac);
+ ldb_asprintf_errstring(ldb,
+ "'%s' attribute must have exactly one value on add operations!",
+ *l);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+- if ((passwordAttr->num_values > 1) &&
+- (mtype == LDB_FLAG_MOD_DELETE))
+- {
++ if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
+ talloc_free(ac);
+ ldb_asprintf_errstring(ldb,
+ "'%s' attribute must have zero or one value(s) on delete operations!",
+--
+1.9.1
+
+
+From 895b1d2c9cbbde96646146a3c7b93bd326aada55 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:38:31 +0100
+Subject: [PATCH 04/13] CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug()
+ if we checked the acl in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 62e560f..aa1660c 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -989,12 +989,14 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
++ goto checked;
+ }
+ else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
++ goto checked;
+ }
+ else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+@@ -1005,7 +1007,13 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ }
++ goto checked;
+ }
++
++ talloc_free(tmp_ctx);
++ return LDB_SUCCESS;
++
++checked:
+ if (ret != LDB_SUCCESS) {
+ dsdb_acl_debug(sd, acl_user_token(module),
+ req->op.mod.message->dn,
+--
+1.9.1
+
+
+From db056b588d40c4c6995ee882286042dbf383f502 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:38:31 +0100
+Subject: [PATCH 05/13] CVE-2018-1057: s4:dsdb/acl: remove unused else branches
+ in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index aa1660c..5ec5fd3 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -991,14 +991,24 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ sid);
+ goto checked;
+ }
+- else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
++
++ if (rep_attr_cnt > 0) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
+ goto checked;
+ }
+- else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
++
++ if (add_attr_cnt != del_attr_cnt) {
++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++ GUID_DRS_FORCE_CHANGE_PASSWORD,
++ SEC_ADS_CONTROL_ACCESS,
++ sid);
++ goto checked;
++ }
++
++ if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+--
+1.9.1
+
+
+From ff82d4c547476751f4506092517952ac682ec38c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 22:59:24 +0100
+Subject: [PATCH 06/13] CVE-2018-1057: s4:dsdb/acl: check for internal controls
+ before other checks
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 37 ++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 5ec5fd3..56ba988 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -943,10 +943,33 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
+ struct ldb_message_element *el;
+ struct ldb_message *msg;
++ struct ldb_control *c = NULL;
+ const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+ "unicodePwd", "dBCSPwd", NULL }, **l;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+
++ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
++ if (c != NULL) {
++ /*
++ * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
++ * have a user password change and not a set as the message
++ * looks like. In it's value blob it contains the NT and/or LM
++ * hash of the old password specified by the user. This control
++ * is used by the SAMR and "kpasswd" password change mechanisms.
++ *
++ * This control can't be used by real LDAP clients,
++ * the only caller is samdb_set_password_internal(),
++ * so we don't have to strict verification of the input.
++ */
++ ret = acl_check_extended_right(tmp_ctx,
++ sd,
++ acl_user_token(module),
++ GUID_DRS_USER_CHANGE_PASSWORD,
++ SEC_ADS_CONTROL_ACCESS,
++ sid);
++ goto checked;
++ }
++
+ msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+@@ -977,20 +1000,6 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ return LDB_SUCCESS;
+ }
+
+- if (ldb_request_get_control(req,
+- DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) {
+- /* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+- * have a user password change and not a set as the message
+- * looks like. In it's value blob it contains the NT and/or LM
+- * hash of the old password specified by the user.
+- * This control is used by the SAMR and "kpasswd" password
+- * change mechanisms. */
+- ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+- GUID_DRS_USER_CHANGE_PASSWORD,
+- SEC_ADS_CONTROL_ACCESS,
+- sid);
+- goto checked;
+- }
+
+ if (rep_attr_cnt > 0) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+--
+1.9.1
+
+
+From 5c92da9918e2ccbcb39db2b060406f05973c0a24 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:43:43 +0100
+Subject: [PATCH 07/13] CVE-2018-1057: s4:dsdb/acl: add check for
+ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 56ba988..00d52fe 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -970,6 +970,26 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ goto checked;
+ }
+
++ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
++ if (c != NULL) {
++ /*
++ * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
++ * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
++ * have a force password set.
++ * This control is used by the SAMR/NETLOGON/LSA password
++ * reset mechanisms.
++ *
++ * This control can't be used by real LDAP clients,
++ * the only caller is samdb_set_password_internal(),
++ * so we don't have to strict verification of the input.
++ */
++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++ GUID_DRS_FORCE_CHANGE_PASSWORD,
++ SEC_ADS_CONTROL_ACCESS,
++ sid);
++ goto checked;
++ }
++
+ msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+--
+1.9.1
+
+
+From 6417b18bc767d471e3c88935073acdc19448dc54 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:17:26 +0100
+Subject: [PATCH 08/13] CVE-2018-1057: s4:dsdb/acl: add a NULL check for
+ talloc_new() in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 00d52fe..4146cbc 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -948,6 +948,10 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ "unicodePwd", "dBCSPwd", NULL }, **l;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+
++ if (tmp_ctx == NULL) {
++ return LDB_ERR_OPERATIONS_ERROR;
++ }
++
+ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
+ if (c != NULL) {
+ /*
+--
+1.9.1
+
+
+From bf6c7e1b4510242750de64b0a7a112c2024b4372 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 22 Feb 2018 10:54:37 +0100
+Subject: [PATCH 09/13] CVE-2018-1057: s4/dsdb: correctly detect password
+ resets
+
+This change ensures we correctly treat the following LDIF
+
+ dn: cn=testuser,cn=users,...
+ changetype: modify
+ delete: userPassword
+ add: userPassword
+ userPassword: thatsAcomplPASS1
+
+as a password reset. Because delete and add element counts are both
+one, the ACL module wrongly treated this as a password change
+request.
+
+For a password change we need at least one value to delete and one value
+to add. This patch ensures we correctly check attributes and their
+values.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/samba4.ldap.passwords.python | 2 --
+ source4/dsdb/samdb/ldb_modules/acl.c | 18 +++++++++++++++++-
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python
+
+diff --git a/selftest/knownfail.d/samba4.ldap.passwords.python b/selftest/knownfail.d/samba4.ldap.passwords.python
+deleted file mode 100644
+index 343c5a7..0000000
+--- a/selftest/knownfail.d/samba4.ldap.passwords.python
++++ /dev/null
+@@ -1,2 +0,0 @@
+-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword
+-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 4146cbc..7a003df 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -941,6 +941,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ {
+ int ret = LDB_SUCCESS;
+ unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
++ unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
+ struct ldb_message_element *el;
+ struct ldb_message *msg;
+ struct ldb_control *c = NULL;
+@@ -1006,12 +1007,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
+ if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
+ ++del_attr_cnt;
++ del_val_cnt += el->num_values;
+ }
+ if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) {
+ ++add_attr_cnt;
++ add_val_cnt += el->num_values;
+ }
+ if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
+ ++rep_attr_cnt;
++ rep_val_cnt += el->num_values;
+ }
+ ldb_msg_remove_element(msg, el);
+ }
+@@ -1041,7 +1045,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ goto checked;
+ }
+
+- if (add_attr_cnt == 1 && del_attr_cnt == 1) {
++ if (add_val_cnt == 1 && del_val_cnt == 1) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+@@ -1053,6 +1057,18 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ goto checked;
+ }
+
++ if (add_val_cnt == 1 && del_val_cnt == 0) {
++ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++ GUID_DRS_FORCE_CHANGE_PASSWORD,
++ SEC_ADS_CONTROL_ACCESS,
++ sid);
++ /* Very strange, but we get constraint violation in this case */
++ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
++ ret = LDB_ERR_CONSTRAINT_VIOLATION;
++ }
++ goto checked;
++ }
++
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+
+--
+1.9.1
+
+
+From fba762e9d7599e4e2f5022a1486f3ab777d18e6d Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 14 Feb 2018 19:15:49 +0100
+Subject: [PATCH 10/13] CVE-2018-1057: s4:dsdb/acl: run password checking only
+ once
+
+This is needed, because a later commit will let the acl module add a
+control to the change request msg and we must ensure that this is only
+done once.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 7a003df..c239c01 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -1097,6 +1097,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ struct ldb_control *as_system;
+ struct ldb_control *is_undelete;
+ bool userPassword;
++ bool password_rights_checked = false;
+ TALLOC_CTX *tmp_ctx;
+ const struct ldb_message *msg = req->op.mod.message;
+ static const char *acl_attrs[] = {
+@@ -1242,6 +1243,9 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ } else if (ldb_attr_cmp("unicodePwd", el->name) == 0 ||
+ (userPassword && ldb_attr_cmp("userPassword", el->name) == 0) ||
+ ldb_attr_cmp("clearTextPassword", el->name) == 0) {
++ if (password_rights_checked) {
++ continue;
++ }
+ ret = acl_check_password_rights(tmp_ctx,
+ module,
+ req,
+@@ -1252,6 +1256,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ if (ret != LDB_SUCCESS) {
+ goto fail;
+ }
++ password_rights_checked = true;
+ } else if (ldb_attr_cmp("servicePrincipalName", el->name) == 0) {
+ ret = acl_check_spn(tmp_ctx,
+ module,
+--
+1.9.1
+
+
+From bc733fce398658e2c280dae4ba5041113e7cd500 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:30:13 +0100
+Subject: [PATCH 11/13] CVE-2018-1057: s4:dsdb/samdb: define
+ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
+
+Will be used to pass "user password change" vs "password reset" from the
+ACL to the password_hash module, ensuring both modules treat the request
+identical.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/samdb.h | 9 +++++++++
+ source4/libcli/ldap/ldap_controls.c | 1 +
+ source4/setup/schema_samba4.ldif | 2 ++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
+index 0a1d90d..98faa4f 100644
+--- a/source4/dsdb/samdb/samdb.h
++++ b/source4/dsdb/samdb/samdb.h
+@@ -158,6 +158,15 @@ struct dsdb_control_password_change {
+ */
+ #define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25"
+
++/*
++ * Used to pass "user password change" vs "password reset" from the ACL to the
++ * password_hash module, ensuring both modules treat the request identical.
++ */
++#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
++struct dsdb_control_password_acl_validation {
++ bool pwd_reset;
++};
++
+ #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
+ struct dsdb_extended_replicated_object {
+ struct ldb_message *msg;
+diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
+index 14a80af..7837e05 100644
+--- a/source4/libcli/ldap/ldap_controls.c
++++ b/source4/libcli/ldap/ldap_controls.c
+@@ -1281,6 +1281,7 @@ static const struct ldap_control_handler ldap_known_controls[] = {
+ { DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL },
+ { DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL },
+ { DSDB_CONTROL_PASSWORD_CHANGE_OID, NULL, NULL },
++ { DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL },
+ { DSDB_CONTROL_APPLY_LINKS, NULL, NULL },
+ { LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
+ { DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },
+diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
+index 69aa363..6e184bc 100644
+--- a/source4/setup/schema_samba4.ldif
++++ b/source4/setup/schema_samba4.ldif
+@@ -200,6 +200,8 @@
+ #Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23
+ #Allocated: DSDB_CONTROL_RESTORE_TOMBSTONE_OID 1.3.6.1.4.1.7165.4.3.24
+ #Allocated: DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID 1.3.6.1.4.1.7165.4.3.25
++#Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
++
+
+ # Extended 1.3.6.1.4.1.7165.4.4.x
+ #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1
+--
+1.9.1
+
+
+From 7fc6a5ef5b1bad171dd6d2c019a4fe4c0ec00eb6 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:38:19 +0100
+Subject: [PATCH 12/13] CVE-2018-1057: s4:dsdb: use
+ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
+
+This is used to pass information about which password change operation (change
+or reset) the acl module validated, down to the password_hash module.
+
+It's very important that both modules treat the request identical.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 41 ++++++++++++++++++++++++--
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 30 ++++++++++++++++++-
+ 2 files changed, 67 insertions(+), 4 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index c239c01..17e1e67 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -948,13 +948,22 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+ "unicodePwd", "dBCSPwd", NULL }, **l;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
++ struct dsdb_control_password_acl_validation *pav = NULL;
+
+ if (tmp_ctx == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
++ pav = talloc_zero(req, struct dsdb_control_password_acl_validation);
++ if (pav == NULL) {
++ talloc_free(tmp_ctx);
++ return LDB_ERR_OPERATIONS_ERROR;
++ }
++
+ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
+ if (c != NULL) {
++ pav->pwd_reset = false;
++
+ /*
+ * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+ * have a user password change and not a set as the message
+@@ -977,6 +986,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+
+ c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
+ if (c != NULL) {
++ pav->pwd_reset = true;
++
+ /*
+ * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
+ * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+@@ -1030,6 +1041,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+
+
+ if (rep_attr_cnt > 0) {
++ pav->pwd_reset = true;
++
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+@@ -1038,6 +1051,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ }
+
+ if (add_attr_cnt != del_attr_cnt) {
++ pav->pwd_reset = true;
++
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+@@ -1046,6 +1061,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ }
+
+ if (add_val_cnt == 1 && del_val_cnt == 1) {
++ pav->pwd_reset = false;
++
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+@@ -1058,6 +1075,8 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ }
+
+ if (add_val_cnt == 1 && del_val_cnt == 0) {
++ pav->pwd_reset = true;
++
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+@@ -1069,6 +1088,14 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ goto checked;
+ }
+
++ /*
++ * Everything else is handled by the password_hash module where it will
++ * fail, but with the correct error code when the module is again
++ * checking the attributes. As the change request will lack the
++ * DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control, we can be sure that
++ * any modification attempt that went this way will be rejected.
++ */
++
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+
+@@ -1078,11 +1105,19 @@ checked:
+ req->op.mod.message->dn,
+ true,
+ 10);
++ talloc_free(tmp_ctx);
++ return ret;
+ }
+- talloc_free(tmp_ctx);
+- return ret;
+-}
+
++ ret = ldb_request_add_control(req,
++ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, false, pav);
++ if (ret != LDB_SUCCESS) {
++ ldb_debug(ldb_module_get_ctx(module), LDB_DEBUG_ERROR,
++ "Unable to register ACL validation control!\n");
++ return ret;
++ }
++ return LDB_SUCCESS;
++}
+
+ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ {
+diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
+index 690bb98..de565bc 100644
+--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
+@@ -2572,7 +2572,35 @@ static int setup_io(struct ph_context *ac,
+ /* On "add" we have only "password reset" */
+ ac->pwd_reset = true;
+ } else if (ac->req->operation == LDB_MODIFY) {
+- if (io->og.cleartext_utf8 || io->og.cleartext_utf16
++ struct ldb_control *pav_ctrl = NULL;
++ struct dsdb_control_password_acl_validation *pav = NULL;
++
++ pav_ctrl = ldb_request_get_control(ac->req,
++ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
++ if (pav_ctrl != NULL) {
++ pav = talloc_get_type_abort(pav_ctrl->data,
++ struct dsdb_control_password_acl_validation);
++ }
++
++ if (pav == NULL) {
++ bool ok;
++
++ /*
++ * If the DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
++ * control is missing, we require system access!
++ */
++ ok = dsdb_module_am_system(ac->module);
++ if (!ok) {
++ return ldb_module_operr(ac->module);
++ }
++ }
++
++ if (pav != NULL) {
++ /*
++ * We assume what the acl module has validated.
++ */
++ ac->pwd_reset = pav->pwd_reset;
++ } else if (io->og.cleartext_utf8 || io->og.cleartext_utf16
+ || io->og.nt_hash || io->og.lm_hash) {
+ /* If we have an old password specified then for sure it
+ * is a user "password change" */
+--
+1.9.1
+
+
+From 0815e8653277383918530f8dd8afaeadfe8085d5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 23:11:38 +0100
+Subject: [PATCH 13/13] CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only
+ allowed with a control
+
+This is not strictly needed to fig bug 13272, but it makes sense to also
+fix this while fixing the overall ACL checking logic.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
+index 17e1e67..8d9b780 100644
+--- a/source4/dsdb/samdb/ldb_modules/acl.c
++++ b/source4/dsdb/samdb/ldb_modules/acl.c
+@@ -946,7 +946,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg;
+ struct ldb_control *c = NULL;
+ const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+- "unicodePwd", "dBCSPwd", NULL }, **l;
++ "unicodePwd", NULL }, **l;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct dsdb_control_password_acl_validation *pav = NULL;
+
+@@ -1006,6 +1006,15 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ goto checked;
+ }
+
++ el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
++ if (el != NULL) {
++ /*
++ * dBCSPwd is only allowed with a control.
++ */
++ talloc_free(tmp_ctx);
++ return LDB_ERR_UNWILLING_TO_PERFORM;
++ }
++
+ msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+--
+1.9.1
+
diff --git a/patches/source/samba/samba-4.5.14-security-2017-11-21.patch b/patches/source/samba/samba-4.5.14-security-2017-11-21.patch
new file mode 100644
index 00000000..40b9dd08
--- /dev/null
+++ b/patches/source/samba/samba-4.5.14-security-2017-11-21.patch
@@ -0,0 +1,110 @@
+From 007f5b54d76bf69f441cc277b7f41f478e258aab Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 19 Sep 2017 16:11:33 -0700
+Subject: [PATCH 1/2] s3: smbd: Fix SMB1 use-after-free crash bug.
+ CVE-2017-14746
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When setting up the chain, always use 'next->' variables
+not the 'req->' one.
+
+Bug discovered by 连一汉 <lianyihan@360.cn>
+
+CVE-2017-14746
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/process.c | 7 ++++---
+ source3/smbd/reply.c | 5 +++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/smbd/process.c b/source3/smbd/process.c
+index 656f1c0a667..2641894d1d7 100644
+--- a/source3/smbd/process.c
++++ b/source3/smbd/process.c
+@@ -1854,12 +1854,13 @@ void smb_request_done(struct smb_request *req)
+
+ next->vuid = SVAL(req->outbuf, smb_uid);
+ next->tid = SVAL(req->outbuf, smb_tid);
+- status = smb1srv_tcon_lookup(req->xconn, req->tid,
++ status = smb1srv_tcon_lookup(req->xconn, next->tid,
+ now, &tcon);
++
+ if (NT_STATUS_IS_OK(status)) {
+- req->conn = tcon->compat;
++ next->conn = tcon->compat;
+ } else {
+- req->conn = NULL;
++ next->conn = NULL;
+ }
+ next->chain_fsp = req->chain_fsp;
+ next->inbuf = req->inbuf;
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index a40ff81b240..26918b6d9d5 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -921,6 +921,11 @@ void reply_tcon_and_X(struct smb_request *req)
+ }
+
+ TALLOC_FREE(tcon);
++ /*
++ * This tree id is gone. Make sure we can't re-use it
++ * by accident.
++ */
++ req->tid = 0;
+ }
+
+ if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
+--
+2.11.0
+
+
+From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 20 Sep 2017 11:04:50 -0700
+Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
+ talloc buffer is grown.
+
+Ensure we zero out unused grown area.
+
+CVE-2017-15275
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/srvstr.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
+index 56dceba8c6c..c2d70b32c32 100644
+--- a/source3/smbd/srvstr.c
++++ b/source3/smbd/srvstr.c
+@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
+ DEBUG(0, ("srvstr_push failed\n"));
+ return -1;
+ }
++
++ /*
++ * Ensure we clear out the extra data we have
++ * grown the buffer by, but not written to.
++ */
++ if (buf_size + result < buf_size) {
++ return -1;
++ }
++ if (grow_size < result) {
++ return -1;
++ }
++
++ memset(tmp + buf_size + result, '\0', grow_size - result);
++
+ set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
+
+ *outbuf = tmp;
+--
+2.11.0
+
diff --git a/patches/source/samba/samba.SlackBuild b/patches/source/samba/samba.SlackBuild
new file mode 100755
index 00000000..cd33c39d
--- /dev/null
+++ b/patches/source/samba/samba.SlackBuild
@@ -0,0 +1,224 @@
+#!/bin/sh
+
+# Copyright 2008, 2009, 2010, 2012, 2013, 2015, 2016 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Modified 2012 by Eric Hameleers <alien at slackware.com> for ARM port.
+
+
+VERSION=${VERSION:-$(echo samba-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack14.1}
+
+if [ -e $CWD/machine.conf ]; then
+ . $CWD/machine.conf ]
+elif [ -e /etc/slackbuild/machine.conf ]; then
+ . /etc/slackbuild/machine.conf ]
+else
+ # Automatically determine the architecture we're building on:
+ if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+ fi
+ # Set CFLAGS/CXXFLAGS and LIBDIRSUFFIX:
+ if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+ elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+ else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+ fi
+fi
+
+case "$ARCH" in
+ arm*) TARGET=$ARCH-slackware-linux-gnueabi ;;
+ *) TARGET=$ARCH-slackware-linux ;;
+esac
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-samba
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+if [ -r /usr/lib${LIBDIRSUFFIX}/libtalloc.so.? -a ! -r /var/log/packages/talloc* ]; then
+ echo "The Samba package needs to be removed before building to ensure that"
+ echo "talloc (and possibly other bundled libraries) are included in the build."
+ echo
+ echo "Removing the Samba package in 15 seconds, and then continuing with the build."
+ sleep 15
+ removepkg samba
+fi
+
+cd $TMP
+rm -rf samba-$VERSION
+tar xvf $CWD/samba-$VERSION.tar.xz || exit 1
+cd samba-$VERSION || exit 1
+
+# Patch to install talloc/tevent/tdb libraries and includes:
+zcat $CWD/samba.install.talloc.tevent.tdb.diff.gz | patch -p1 --verbose || exit 1
+
+# Patch CVE-2017-14746 and CVE-2017-15275:
+zcat $CWD/samba-4.5.14-security-2017-11-21.patch.gz | patch -p1 --verbose || exit 1
+
+# Patch CVE-2018-1057:
+zcat $CWD/samba-4.4.16-CVE-2018-1057.patch.gz | patch -p1 --verbose || exit 1
+
+if [ ! -d source3/lib/cmdline ]; then
+ ( cd source3/lib
+ mkdir cmdline
+ cd cmdline
+ ln -sf ../../../source3/include/popt_common.h . )
+fi
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+# Some of these options could be auto-detected, but declaring them
+# here doesn't hurt and helps document what features we're trying to
+# build in.
+#
+# LDFLAGS are needed to avoid problems with missing symbols.
+LDFLAGS="-Wl,--no-as-needed" \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --enable-fhs \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --includedir=/usr/include \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --mandir=/usr/man \
+ --sysconfdir=/etc \
+ --with-configdir=/etc/samba \
+ --with-piddir=/var/run \
+ --with-privatedir=/etc/samba/private \
+ --with-privatelibdir=/usr/lib${LIBDIRSUFFIX} \
+ --with-modulesdir=/usr/lib${LIBDIRSUFFIX} \
+ --with-lockdir=/var/cache/samba \
+ --with-logfilebase=/var/log/samba \
+ --localstatedir=/var \
+ --enable-cups \
+ --with-acl-support \
+ --with-automount \
+ --with-quotas \
+ --with-syslog \
+ --with-utmp \
+ --with-winbind \
+ --with-ldap \
+ --with-ads \
+ --without-pam \
+ --build=$TARGET
+ # Gives errors:
+ #--builtin-libraries=replace,ccan \
+ #--bundled-libraries=heimdal \
+
+# -j options don't seem to work... [Yes they do! At least try to use -j below...]
+JOBS=6
+MAXJOBS=6
+export JOBS MAXJOBS
+make -j $MAXJOBS || make || exit 1
+
+mkdir -p \
+ $PKG/usr/doc/samba-$VERSION \
+ $PKG/var/spool/samba \
+ $PKG/var/log/samba \
+ $PKG/etc/samba/private \
+ $PKG/var/cache/samba
+chmod 700 $PKG/etc/samba/private
+chmod 1777 $PKG/var/spool/samba
+
+make install DESTDIR=$PKG || exit 1
+
+# Install the smbprint script:
+install -m0744 packaging/printing/smbprint $PKG/usr/bin/smbprint
+
+# Add a sample config file:
+cat $CWD/smb.conf.default > $PKG/etc/samba/smb.conf-sample
+
+# Setup a default lmhosts file:
+echo "127.0.0.1 localhost" > $PKG/etc/samba/lmhosts.new
+
+if [ ! -r $PKG/usr/bin/smbget ]; then
+ rm -f $PKG/usr/share/man/man1/smbget.1
+fi
+
+# We'll add rc.samba to the init directory, but chmod 644 so that it doesn't
+# start by default:
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.samba > $PKG/etc/rc.d/rc.samba.new
+chmod 644 $PKG/etc/rc.d/rc.samba.new
+
+mv $PKG/usr/share/man $PKG/usr
+gzip -9 $PKG/usr/man/man?/*.?
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" \
+ | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# PAM related stuff we don't use:
+rm -r $PKG/usr/share/locale
+rm -f $PKG/usr/man/man8/pam*
+
+cp -a \
+ COPYING* MAINTAINERS Manifest PFIF.txt README* \
+ Read-Manifest-Now Roadmap WHATSNEW.txt docs examples \
+ $PKG/usr/doc/samba-$VERSION
+# These are installed elsewhere:
+rm -rf $PKG/usr/doc/samba-$VERSION/docs/htmldocs \
+ $PKG/usr/doc/samba-$VERSION/docs/manpages
+# Empty now?
+rmdir $PKG/usr/doc/samba-$VERSION/docs 2> /dev/null
+# I'm sorry, but when all this info is included in HTML, adding 7MB worth of
+# PDF files just to have extra artwork is more fluff than I'll agree to.
+rm -f $PKG/usr/doc/samba-$VERSION/docs/*.pdf
+# Also redundant also:
+rm -rf $PKG/usr/doc/samba-$VERSION/docs/docbook
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+cat << EOF
+
+*** Be sure the package contains:
+
+drwx------ 2 root root 1024 Mar 12 13:21 /etc/samba/private
+drwxr-xr-x 2 root root 4096 May 3 15:46 /var/cache/samba/
+drwxr-xr-x 2 root root 48 Aug 29 13:06 /var/log/samba/
+drwxrwxrwt 2 root root 1024 Mar 12 13:21 /var/spool/samba/
+
+EOF
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/samba-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/samba/samba.install.talloc.tevent.tdb.diff b/patches/source/samba/samba.install.talloc.tevent.tdb.diff
new file mode 100644
index 00000000..9410f2b7
--- /dev/null
+++ b/patches/source/samba/samba.install.talloc.tevent.tdb.diff
@@ -0,0 +1,102 @@
+--- ./lib/tevent/wscript.orig 2016-03-08 05:07:45.000000000 -0600
++++ ./lib/tevent/wscript 2016-04-11 12:45:14.299532166 -0500
+@@ -92,11 +92,8 @@
+ if bld.CONFIG_SET('HAVE_SOLARIS_PORTS'):
+ SRC += ' tevent_port.c'
+
+- if bld.env.standalone_tevent:
+- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
+- private_library = False
+- else:
+- private_library = True
++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
++ private_library = False
+
+ if not bld.CONFIG_SET('USING_SYSTEM_TEVENT'):
+ bld.SAMBA_LIBRARY('tevent',
+--- ./lib/tdb/wscript.orig 2016-01-26 05:45:46.000000000 -0600
++++ ./lib/tdb/wscript 2016-04-11 12:45:14.301532166 -0500
+@@ -117,11 +117,8 @@
+
+ COMMON_SRC = bld.SUBDIR('common', COMMON_FILES)
+
+- if bld.env.standalone_tdb:
+- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
+- private_library = False
+- else:
+- private_library = True
++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
++ private_library = False
+
+ if not bld.CONFIG_SET('USING_SYSTEM_TDB'):
+
+--- ./lib/talloc/wscript.orig 2016-04-11 12:45:14.295532166 -0500
++++ ./lib/talloc/wscript 2016-04-11 12:45:26.761531768 -0500
+@@ -77,41 +77,39 @@
+ def build(bld):
+ bld.RECURSE('lib/replace')
+
+- if bld.env.standalone_talloc:
+- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
+- bld.env.TALLOC_VERSION = VERSION
+- private_library = False
+-
+- # should we also install the symlink to libtalloc1.so here?
+- bld.SAMBA_LIBRARY('talloc-compat1-%s' % (VERSION),
+- 'compat/talloc_compat1.c',
+- public_deps='talloc',
+- soname='libtalloc.so.1',
+- pc_files=[],
+- public_headers=[],
+- enabled=bld.env.TALLOC_COMPAT1)
+-
+- testsuite_deps = 'talloc'
+- if bld.CONFIG_SET('HAVE_PTHREAD'):
+- testsuite_deps += ' pthread'
+-
+- bld.SAMBA_BINARY('talloc_testsuite',
+- 'testsuite_main.c testsuite.c',
+- testsuite_deps,
+- install=False)
+-
+- bld.SAMBA_BINARY('talloc_test_magic_differs_helper',
+- 'test_magic_differs_helper.c',
+- 'talloc', install=False)
++ bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
++ bld.env.TALLOC_VERSION = VERSION
++ private_library = False
++
++ # should we also install the symlink to libtalloc1.so here?
++ bld.SAMBA_LIBRARY('talloc-compat1-%s' % (VERSION),
++ 'compat/talloc_compat1.c',
++ public_deps='talloc',
++ soname='libtalloc.so.1',
++ pc_files=[],
++ public_headers=[],
++ enabled=bld.env.TALLOC_COMPAT1)
++
++ testsuite_deps = 'talloc'
++ if bld.CONFIG_SET('HAVE_PTHREAD'):
++ testsuite_deps += ' pthread'
++
++ bld.SAMBA_BINARY('talloc_testsuite',
++ 'testsuite_main.c testsuite.c',
++ testsuite_deps,
++ install=False)
++
++ bld.SAMBA_BINARY('talloc_test_magic_differs_helper',
++ 'test_magic_differs_helper.c',
++ 'talloc', install=False)
+
+- else:
+- private_library = True
+
+ if not bld.CONFIG_SET('USING_SYSTEM_TALLOC'):
+
+ bld.SAMBA_LIBRARY('talloc',
+ 'talloc.c',
+ deps='replace',
++ includes='.',
+ abi_directory='ABI',
+ abi_match='talloc* _talloc*',
+ hide_symbols=True,
diff --git a/patches/source/samba/samba.url b/patches/source/samba/samba.url
new file mode 100644
index 00000000..2b35c1fb
--- /dev/null
+++ b/patches/source/samba/samba.url
@@ -0,0 +1,2 @@
+https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.gz
+https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.asc
diff --git a/patches/source/samba/slack-desc b/patches/source/samba/slack-desc
new file mode 100644
index 00000000..f4352c60
--- /dev/null
+++ b/patches/source/samba/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+samba: samba (CIFS file and print server)
+samba:
+samba: Samba is a CIFS file and print server for CIFS clients. It allows
+samba: you to make file space or printers on a Samba host available to CIFS
+samba: clients (such as PCs running Windows).
+samba:
+samba: If you have any Windows file servers, you may be able to replace them
+samba: or supplement them with Samba. One of Samba's big strengths is
+samba: integration, so you can use it to tie together your Linux hosts and
+samba: Windows PC clients.
+samba:
diff --git a/patches/source/samba/smb.conf.default b/patches/source/samba/smb.conf.default
new file mode 100644
index 00000000..c41cfff6
--- /dev/null
+++ b/patches/source/samba/smb.conf.default
@@ -0,0 +1,223 @@
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options (perhaps too
+# many!) most of which are not shown in this example
+#
+# For a step to step guide on installing, configuring and using samba,
+# read the Samba-HOWTO-Collection. This may be obtained from:
+# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+#
+# Many working examples of smb.conf files can be found in the
+# Samba-Guide which is generated daily and can be downloaded from:
+# http://www.samba.org/samba/docs/Samba-Guide.pdf
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentry and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command "testparm"
+# to check that you have not made any basic syntactic errors.
+#
+#======================= Global Settings =====================================
+[global]
+
+# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
+ workgroup = MYGROUP
+
+# server string is the equivalent of the NT Description field
+ server string = Samba Server
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+ server role = standalone server
+
+# This option is important for security. It allows you to restrict
+# connections to machines which are on your local network. The
+# following example restricts access to two C class networks and
+# the "loopback" interface. For more examples of the syntax see
+# the smb.conf man page
+; hosts allow = 192.168.1. 192.168.2. 127.
+
+# Uncomment this if you want a guest account, you must add this to /etc/passwd
+# otherwise the user "nobody" is used
+; guest account = pcguest
+
+# this tells Samba to use a separate log file for each machine
+# that connects
+ log file = /var/log/samba.%m
+
+# Put a capping on the size of the log files (in Kb).
+ max log size = 50
+
+# Specifies the Kerberos or Active Directory realm the host is part of
+; realm = MY_REALM
+
+# Backend to store user information in. New installations should
+# use either tdbsam or ldapsam. smbpasswd is available for backwards
+# compatibility. tdbsam requires no further configuration.
+; passdb backend = tdbsam
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting.
+# Note: Consider carefully the location in the configuration file of
+# this line. The included file is read at that point.
+; include = /usr/local/samba/lib/smb.conf.%m
+
+# Configure Samba to use multiple interfaces
+# If you have multiple network interfaces then you must list them
+# here. See the man page for details.
+; interfaces = 192.168.12.2/24 192.168.13.2/24
+
+# Where to store roving profiles (only for Win95 and WinNT)
+# %L substitutes for this servers netbios name, %U is username
+# You must uncomment the [Profiles] share below
+; logon path = \\%L\Profiles\%U
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
+; wins support = yes
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+; wins server = w.x.y.z
+
+# WINS Proxy - Tells Samba to answer name resolution queries on
+# behalf of a non WINS capable client, for this to work there must be
+# at least one WINS Server on the network. The default is NO.
+; wins proxy = yes
+
+# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
+# via DNS nslookups. The default is NO.
+ dns proxy = no
+
+# These scripts are used on a domain controller or stand-alone
+# machine to add or delete corresponding unix accounts
+; add user script = /usr/sbin/useradd %u
+; add group script = /usr/sbin/groupadd %g
+; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+; delete user script = /usr/sbin/userdel %u
+; delete user from group script = /usr/sbin/deluser %u %g
+; delete group script = /usr/sbin/groupdel %g
+
+
+#============================ Share Definitions ==============================
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+; [netlogon]
+; comment = Network Logon Service
+; path = /usr/local/samba/lib/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+
+# Un-comment the following to provide a specific roving profile share
+# the default is to use the user's home directory
+;[Profiles]
+; path = /usr/local/samba/profiles
+; browseable = no
+; guest ok = yes
+
+
+# NOTE: If you have a BSD-style print system there is no need to
+# specifically define each individual printer
+[printers]
+ comment = All Printers
+ path = /var/spool/samba
+ browseable = no
+# Set public = yes to allow user 'guest account' to print
+ guest ok = no
+ writable = no
+ printable = yes
+
+# This one is useful for people to share files
+;[tmp]
+; comment = Temporary file space
+; path = /tmp
+; read only = no
+; public = yes
+
+# A publicly accessible directory, but read only, except for people in
+# the "staff" group
+;[public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = @staff
+
+# Other examples.
+#
+# A private printer, usable only by fred. Spool data will be placed in fred's
+# home directory. Note that fred must have write access to the spool directory,
+# wherever it is.
+;[fredsprn]
+; comment = Fred's Printer
+; valid users = fred
+; path = /homes/fred
+; printer = freds_printer
+; public = no
+; writable = no
+; printable = yes
+
+# A private directory, usable only by fred. Note that fred requires write
+# access to the directory.
+;[fredsdir]
+; comment = Fred's Service
+; path = /usr/somewhere/private
+; valid users = fred
+; public = no
+; writable = yes
+; printable = no
+
+# a service which has a different directory for each machine that connects
+# this allows you to tailor configurations to incoming machines. You could
+# also use the %U option to tailor it by user name.
+# The %m gets replaced with the machine name that is connecting.
+;[pchome]
+; comment = PC Directories
+; path = /usr/pc/%m
+; public = no
+; writable = yes
+
+# A publicly accessible directory, read/write to all users. Note that all files
+# created in the directory by users will be owned by the default user, so
+# any user with access can delete any other user's files. Obviously this
+# directory must be writable by the default user. Another user could of course
+# be specified, in which case all files would be owned by that user instead.
+;[public]
+; path = /usr/somewhere/else/public
+; public = yes
+; only guest = yes
+; writable = yes
+; printable = no
+
+# The following two entries demonstrate how to share a directory so that two
+# users can place files there that will be owned by the specific users. In this
+# setup, the directory should be writable by both users and should have the
+# sticky bit set on it to prevent abuse. Obviously this could be extended to
+# as many users as required.
+;[myshare]
+; comment = Mary's and Fred's stuff
+; path = /usr/somewhere/shared
+; valid users = mary fred
+; public = no
+; writable = yes
+; printable = no
+; create mask = 0765
+
+
diff --git a/patches/source/samba/smb.conf.default.orig b/patches/source/samba/smb.conf.default.orig
new file mode 100644
index 00000000..bb9c2e25
--- /dev/null
+++ b/patches/source/samba/smb.conf.default.orig
@@ -0,0 +1,223 @@
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options (perhaps too
+# many!) most of which are not shown in this example
+#
+# For a step to step guide on installing, configuring and using samba,
+# read the Samba-HOWTO-Collection. This may be obtained from:
+# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
+#
+# Many working examples of smb.conf files can be found in the
+# Samba-Guide which is generated daily and can be downloaded from:
+# http://www.samba.org/samba/docs/Samba-Guide.pdf
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentry and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command "testparm"
+# to check that you have not made any basic syntactic errors.
+#
+#======================= Global Settings =====================================
+[global]
+
+# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
+ workgroup = MYGROUP
+
+# server string is the equivalent of the NT Description field
+ server string = Samba Server
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller".
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+ server role = standalone server
+
+# This option is important for security. It allows you to restrict
+# connections to machines which are on your local network. The
+# following example restricts access to two C class networks and
+# the "loopback" interface. For more examples of the syntax see
+# the smb.conf man page
+; hosts allow = 192.168.1. 192.168.2. 127.
+
+# Uncomment this if you want a guest account, you must add this to /etc/passwd
+# otherwise the user "nobody" is used
+; guest account = pcguest
+
+# this tells Samba to use a separate log file for each machine
+# that connects
+ log file = /usr/local/samba/var/log.%m
+
+# Put a capping on the size of the log files (in Kb).
+ max log size = 50
+
+# Specifies the Kerberos or Active Directory realm the host is part of
+; realm = MY_REALM
+
+# Backend to store user information in. New installations should
+# use either tdbsam or ldapsam. smbpasswd is available for backwards
+# compatibility. tdbsam requires no further configuration.
+; passdb backend = tdbsam
+
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting.
+# Note: Consider carefully the location in the configuration file of
+# this line. The included file is read at that point.
+; include = /usr/local/samba/lib/smb.conf.%m
+
+# Configure Samba to use multiple interfaces
+# If you have multiple network interfaces then you must list them
+# here. See the man page for details.
+; interfaces = 192.168.12.2/24 192.168.13.2/24
+
+# Where to store roving profiles (only for Win95 and WinNT)
+# %L substitutes for this servers netbios name, %U is username
+# You must uncomment the [Profiles] share below
+; logon path = \\%L\Profiles\%U
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
+; wins support = yes
+
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+; wins server = w.x.y.z
+
+# WINS Proxy - Tells Samba to answer name resolution queries on
+# behalf of a non WINS capable client, for this to work there must be
+# at least one WINS Server on the network. The default is NO.
+; wins proxy = yes
+
+# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
+# via DNS nslookups. The default is NO.
+ dns proxy = no
+
+# These scripts are used on a domain controller or stand-alone
+# machine to add or delete corresponding unix accounts
+; add user script = /usr/sbin/useradd %u
+; add group script = /usr/sbin/groupadd %g
+; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
+; delete user script = /usr/sbin/userdel %u
+; delete user from group script = /usr/sbin/deluser %u %g
+; delete group script = /usr/sbin/groupdel %g
+
+
+#============================ Share Definitions ==============================
+[homes]
+ comment = Home Directories
+ browseable = no
+ writable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons
+; [netlogon]
+; comment = Network Logon Service
+; path = /usr/local/samba/lib/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+
+# Un-comment the following to provide a specific roving profile share
+# the default is to use the user's home directory
+;[Profiles]
+; path = /usr/local/samba/profiles
+; browseable = no
+; guest ok = yes
+
+
+# NOTE: If you have a BSD-style print system there is no need to
+# specifically define each individual printer
+[printers]
+ comment = All Printers
+ path = /usr/spool/samba
+ browseable = no
+# Set public = yes to allow user 'guest account' to print
+ guest ok = no
+ writable = no
+ printable = yes
+
+# This one is useful for people to share files
+;[tmp]
+; comment = Temporary file space
+; path = /tmp
+; read only = no
+; public = yes
+
+# A publicly accessible directory, but read only, except for people in
+# the "staff" group
+;[public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = @staff
+
+# Other examples.
+#
+# A private printer, usable only by fred. Spool data will be placed in fred's
+# home directory. Note that fred must have write access to the spool directory,
+# wherever it is.
+;[fredsprn]
+; comment = Fred's Printer
+; valid users = fred
+; path = /homes/fred
+; printer = freds_printer
+; public = no
+; writable = no
+; printable = yes
+
+# A private directory, usable only by fred. Note that fred requires write
+# access to the directory.
+;[fredsdir]
+; comment = Fred's Service
+; path = /usr/somewhere/private
+; valid users = fred
+; public = no
+; writable = yes
+; printable = no
+
+# a service which has a different directory for each machine that connects
+# this allows you to tailor configurations to incoming machines. You could
+# also use the %U option to tailor it by user name.
+# The %m gets replaced with the machine name that is connecting.
+;[pchome]
+; comment = PC Directories
+; path = /usr/pc/%m
+; public = no
+; writable = yes
+
+# A publicly accessible directory, read/write to all users. Note that all files
+# created in the directory by users will be owned by the default user, so
+# any user with access can delete any other user's files. Obviously this
+# directory must be writable by the default user. Another user could of course
+# be specified, in which case all files would be owned by that user instead.
+;[public]
+; path = /usr/somewhere/else/public
+; public = yes
+; only guest = yes
+; writable = yes
+; printable = no
+
+# The following two entries demonstrate how to share a directory so that two
+# users can place files there that will be owned by the specific users. In this
+# setup, the directory should be writable by both users and should have the
+# sticky bit set on it to prevent abuse. Obviously this could be extended to
+# as many users as required.
+;[myshare]
+; comment = Mary's and Fred's stuff
+; path = /usr/somewhere/shared
+; valid users = mary fred
+; public = no
+; writable = yes
+; printable = no
+; create mask = 0765
+
+
diff --git a/patches/source/samba/smb.conf.diff b/patches/source/samba/smb.conf.diff
new file mode 100644
index 00000000..b08d2b12
--- /dev/null
+++ b/patches/source/samba/smb.conf.diff
@@ -0,0 +1,29 @@
+--- smb.conf.default.orig 2013-06-13 04:21:02.000000000 -0500
++++ smb.conf.default 2013-10-15 20:02:31.684043875 -0500
+@@ -22,7 +22,7 @@
+ #======================= Global Settings =====================================
+ [global]
+
+-# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
++# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
+ workgroup = MYGROUP
+
+ # server string is the equivalent of the NT Description field
+@@ -52,7 +52,7 @@
+
+ # this tells Samba to use a separate log file for each machine
+ # that connects
+- log file = /usr/local/samba/var/log.%m
++ log file = /var/log/samba.%m
+
+ # Put a capping on the size of the log files (in Kb).
+ max log size = 50
+@@ -136,7 +136,7 @@
+ # specifically define each individual printer
+ [printers]
+ comment = All Printers
+- path = /usr/spool/samba
++ path = /var/spool/samba
+ browseable = no
+ # Set public = yes to allow user 'guest account' to print
+ guest ok = no
diff --git a/patches/source/samba/talloc.pc b/patches/source/samba/talloc.pc
new file mode 100644
index 00000000..125977d1
--- /dev/null
+++ b/patches/source/samba/talloc.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${prefix}/lib
+includedir=${prefix}/include
+
+Name: talloc
+Description: A hierarchical pool based memory system with destructors
+Version: 2.0.8
+Libs: -Wl,-rpath,/usr/lib -L${libdir} -ltalloc
+Cflags: -I${includedir}
+URL: http://talloc.samba.org/