Merge ~ahasenack/ubuntu/+source/samba:fix-printing-1951490-impish into ubuntu/+source/samba:ubuntu/impish-devel

Proposed by Andreas Hasenack
Status: Merged
Merge reported by: Andreas Hasenack
Merged at revision: c6266671f8feabfa45dc1d8adc4fd2006886d867
Proposed branch: ~ahasenack/ubuntu/+source/samba:fix-printing-1951490-impish
Merge into: ubuntu/+source/samba:ubuntu/impish-devel
Diff against target: 256 lines (+234/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/lp-1951490-fix-printing-KB5006743.patch (+226/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior (community) Approve
Canonical Server Pending
Review via email: mp+416667@code.launchpad.net

Description of the change

Fix printing after KB5006743 from MS is applied to the clients.

This one is complicated to test because of the environment. I will try to rely on community members for the SRU testing. Some have already tested the patch in PPA builds that others have provided in the bug.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kb5006743-printing/

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Andreas.

LGTM modulo a small nit with the DEP-3 headers. +1

review: Approve
Andreas Hasenack (ahasenack) :
Andreas Hasenack (ahasenack) wrote :

Thanks, uploaded

$ dput ubuntu ../samba_4.13.17~dfsg-0ubuntu0.21.10.2_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../samba_4.13.17~dfsg-0ubuntu0.21.10.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../samba_4.13.17~dfsg-0ubuntu0.21.10.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading samba_4.13.17~dfsg-0ubuntu0.21.10.2.dsc: done.
  Uploading samba_4.13.17~dfsg-0ubuntu0.21.10.2.debian.tar.xz: done.
  Uploading samba_4.13.17~dfsg-0ubuntu0.21.10.2_source.buildinfo: done.
  Uploading samba_4.13.17~dfsg-0ubuntu0.21.10.2_source.changes: done.
Successfully uploaded packages.


Preview Diff

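--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+samba (2:4.13.17~dfsg-0ubuntu0.21.10.2) impish; urgency=medium
+
+ * d/p/lp-1951490-fix-printing-KB5006743.patch: Fix printing after
+ Windows 2021-10 Monthly Rollup patch (LP: #1951490)
+
+ -- Andreas Hasenack <andreas@canonical.com> Thu, 10 Mar 2022 10:52:15 -0300
+
 samba (2:4.13.17~dfsg-0ubuntu0.21.10.1) impish-security; urgency=medium

 * Update to 4.13.17 as a security update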
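--- /dev/null
+++ b/debian/patches/lp-1951490-fix-printing-KB5006743.patch
@@ -0,0 +1,226 @@
+From 9e3c363030dd3108d9658e87f7c4101d0b470c47 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 22 Jan 2022 01:08:26 +0100
+Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
+
+This is important for the source3/rpc_server code as it might
+be called embedded in smbd and may not run as root with access
+to our private tdb/ldb files.
+
+Note this is only really needed for 4.15 and older, as
+we no longer run the rpc_server embedded in smbd,
+but we better be consistent for now.
+
+This should be able to fix the problem the printing no longer works
+on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
+
+Windows uses NTLMSSP with privacy at the DCERPC layer on top
+of NCACN_NP (smb).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(similar to commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
+---
+ librpc/rpc/dcesrv_auth.c | 6 ++++++
+ librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
+ librpc/rpc/dcesrv_core.h | 2 ++
+ source3/rpc_server/rpc_config.c | 2 ++
+ source4/rpc_server/service_rpc.c | 10 ++++++++++
+ 5 files changed, 38 insertions(+)
+
+Origin: upstream, https://git.samba.org/samba.git/?p=samba.git;a=commit;h=9e3c363030dd3108d9658e87f7c4101d0b470c47
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14867
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1951490
+Last-Update: 2022-03-10
+--- a/librpc/rpc/dcesrv_auth.c
++++ b/librpc/rpc/dcesrv_auth.c
+@@ -81,6 +81,7 @@ static bool dcesrv_auth_prepare_gensec(s
+ {
+ struct dcesrv_connection *dce_conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
+ if (auth->auth_started) {
+@@ -129,9 +130,11 @@ static bool dcesrv_auth_prepare_gensec(s
+ auth->auth_level = call->in_auth_info.auth_level;
+ auth->auth_context_id = call->in_auth_info.auth_context_id;
+
++ cb->auth.become_root();
+ status = call->conn->dce_ctx->callbacks.auth.gensec_prepare(auth,
+ call,
+ &auth->gensec_security);
++ cb->auth.unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
+ nt_errstr(status)));
+@@ -324,6 +327,7 @@ bool dcesrv_auth_bind(struct dcesrv_call
+ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
+ {
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ const char *pdu = "<unknown>";
+
+ switch (call->pkt.ptype) {
+@@ -354,9 +358,11 @@ NTSTATUS dcesrv_auth_complete(struct dce
+ return status;
+ }
+
++ cb->auth.become_root();
+ status = gensec_session_info(auth->gensec_security,
+ auth,
+ &auth->session_info);
++ cb->auth.unbecome_root();
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to establish session_info: %s\n",
+ nt_errstr(status)));
+--- a/librpc/rpc/dcesrv_core.c
++++ b/librpc/rpc/dcesrv_core.c
+@@ -949,6 +949,7 @@ static NTSTATUS dcesrv_bind(struct dcesr
+ struct dcerpc_binding *ep_2nd_description = NULL;
+ const char *endpoint = NULL;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ struct dcerpc_ack_ctx *ack_features = NULL;
+ struct tevent_req *subreq = NULL;
+@@ -1153,9 +1154,11 @@ static NTSTATUS dcesrv_bind(struct dcesr
+ return dcesrv_auth_reply(call);
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1170,10 +1173,13 @@ static void dcesrv_bind_done(struct teve
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+@@ -1231,6 +1237,7 @@ static NTSTATUS dcesrv_auth3(struct dces
+ {
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ struct tevent_req *subreq = NULL;
+ NTSTATUS status;
+
+@@ -1275,9 +1282,11 @@ static NTSTATUS dcesrv_auth3(struct dces
+ return NT_STATUS_OK;
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1293,10 +1302,13 @@ static void dcesrv_auth3_done(struct tev
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+@@ -1568,6 +1580,7 @@ static NTSTATUS dcesrv_alter(struct dces
+ struct ncacn_packet *pkt = &call->ack_pkt;
+ uint32_t extra_flags = 0;
+ struct dcesrv_auth *auth = call->auth_state;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ struct tevent_req *subreq = NULL;
+ size_t i;
+@@ -1679,9 +1692,11 @@ static NTSTATUS dcesrv_alter(struct dces
+ return dcesrv_auth_reply(call);
+ }
+
++ cb->auth.become_root();
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
++ cb->auth.unbecome_root();
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -1696,10 +1711,13 @@ static void dcesrv_alter_done(struct tev
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
++ struct dcesrv_context_callbacks *cb = &call->conn->dce_ctx->callbacks;
+ NTSTATUS status;
+
++ cb->auth.become_root();
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
++ cb->auth.unbecome_root();
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+--- a/librpc/rpc/dcesrv_core.h
++++ b/librpc/rpc/dcesrv_core.h
+@@ -386,6 +386,8 @@ struct dcesrv_context_callbacks {
+ NTSTATUS (*gensec_prepare)(TALLOC_CTX *mem_ctx,
+ struct dcesrv_call_state *call,
+ struct gensec_security **out);
++ void (*become_root)(void);
++ void (*unbecome_root)(void);
+ } auth;
+ struct {
+ NTSTATUS (*find)(struct dcesrv_call_state *);
+--- a/source3/rpc_server/rpc_config.c
++++ b/source3/rpc_server/rpc_config.c
+@@ -30,6 +30,8 @@
+ static struct dcesrv_context_callbacks srv_callbacks = {
+ .log.successful_authz = dcesrv_log_successful_authz,
+ .auth.gensec_prepare = dcesrv_auth_gensec_prepare,
++ .auth.become_root = become_root,
++ .auth.unbecome_root = unbecome_root,
+ .assoc_group.find = dcesrv_assoc_group_find,
+ };
+
+--- a/source4/rpc_server/service_rpc.c
++++ b/source4/rpc_server/service_rpc.c
+@@ -40,9 +40,19 @@
+ #include "../libcli/named_pipe_auth/npa_tstream.h"
+ #include "smbd/process_model.h"
+
++static void skip_become_root(void)
++{
++}
++
++static void skip_unbecome_root(void)
++{
++}
++
+ struct dcesrv_context_callbacks srv_callbacks = {
+ .log.successful_authz = log_successful_dcesrv_authz_event,
+ .auth.gensec_prepare = dcesrv_gensec_prepare,
++ .auth.become_root = skip_become_root,
++ .auth.unbecome_root = skip_unbecome_root,
+ .assoc_group.find = dcesrv_assoc_group_find,
+ };
+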
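Review bot: The new `become_root`/`unbecome_root` members are called unconditionally at every wrapped gensec call site (for example `cb->auth.become_root();` in dcesrv_auth_prepare_gensec, dcesrv_bind, dcesrv_auth3 and dcesrv_alter), so a callbacks table that leaves them unset would call through a NULL function pointer while the server is still processing the client's bind or alter credentials. Only the two initializers in source3/rpc_server/rpc_config.c and source4/rpc_server/service_rpc.c are updated here; any other place that fills in a `struct dcesrv_context_callbacks` is outside this diff and should be checked. I would reject an incomplete table at the point where the callbacks are installed into the dcesrv context (not shown), e.g. `if (cb->auth.become_root == NULL || cb->auth.unbecome_root == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The header fields should also state the contract, for instance `/* Both required; always called as a pair around a single gensec_*() call so the root window covers only that call. */`. The enclosing functions all start and end outside the hunks.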
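--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ Rename-mdfind-to-mdsearch.patch
 ctdb-config-enable-syslog-by-default.patch
 bug14918-1.patch
 bug14918-2.patch
+lp-1951490-fix-printing-KB5006743.patch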
