samba/sme10/samba-4.4.7-fix_group_substituion_with_ad.patch

From 6dfc274ce5ae036a95ac2d7f6f9182c7f5a5b50f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Sep 2016 13:59:54 +0200
Subject: [PATCH] s3-lib: Fix %G substitution in AD member environment

If we are a domain member we should look up the user with the domain
name specified else it will only work if we have
'winbind use default domain' set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 619ca5f63c47ff8b021692aaa756dcb0d883b8dd)
---
 source3/lib/substitute.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
index 4e2ce9b..1f98327 100644
--- a/source3/lib/substitute.c
+++ b/source3/lib/substitute.c
@@ -499,15 +499,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
                        break;
                case 'G' : {
                        struct passwd *pass;
+                       bool is_domain_name = false;
+                       const char *sep = lp_winbind_separator();
 
                        if (domain_name != NULL && domain_name[0] != '\0' &&
-                           !strequal(domain_name, my_sam_name()))
-                       {
+                           (lp_security() == SEC_ADS ||
+                            lp_security() == SEC_DOMAIN)) {
                                r = talloc_asprintf(tmp_ctx,
                                                    "%s%c%s",
                                                    domain_name,
-                                                   *lp_winbind_separator(),
+                                                   *sep,
                                                    smb_name);
+                               is_domain_name = true;
                        } else {
                                r = talloc_strdup(tmp_ctx, smb_name);
                        }
@@ -517,9 +520,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
 
                        pass = Get_Pwnam_alloc(tmp_ctx, r);
                        if (pass != NULL) {
-                               a_string = realloc_string_sub(
-                                       a_string, "%G",
-                                       gidtoname(pass->pw_gid));
+                               char *group_name;
+
+                               group_name = gidtoname(pass->pw_gid);
+                               if (is_domain_name) {
+                                       p = strchr_m(group_name, *sep);
+                                       if (p != NULL) {
+                                               group_name = p + 1;
+                                       }
+                               }
+                               a_string = realloc_string_sub(a_string,
+                                                             "%G",
+                                                             group_name);
                        }
                        TALLOC_FREE(pass);
                        break;
-- 
2.10.1

From d851e487422808b6d3ba2738daa1c697e569bd27 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 12 Oct 2016 12:35:12 +0200
Subject: [PATCH] lib: Fix CID 1373623 Dereference after null check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We should not overload "p", this is used in the outer loop

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 6ec81ca3c196f3c4659a4e1c473759b393708d12)
---
 source3/lib/substitute.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
index 1f98327..f56e2c4 100644
--- a/source3/lib/substitute.c
+++ b/source3/lib/substitute.c
@@ -524,9 +524,10 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
 
                                group_name = gidtoname(pass->pw_gid);
                                if (is_domain_name) {
-                                       p = strchr_m(group_name, *sep);
-                                       if (p != NULL) {
-                                               group_name = p + 1;
+                                       char *group_sep;
+                                       group_sep = strchr_m(group_name, *sep);
+                                       if (group_sep != NULL) {
+                                               group_name = group_sep + 1;
                                        }
                                }
                                a_string = realloc_string_sub(a_string,
-- 
2.10.1

1	unnilennium	1.1	From 6dfc274ce5ae036a95ac2d7f6f9182c7f5a5b50f Mon Sep 17 00:00:00 2001
2			From: Andreas Schneider <asn@samba.org>
3			Date: Mon, 19 Sep 2016 13:59:54 +0200
4			Subject: [PATCH] s3-lib: Fix %G substitution in AD member environment
5
6			If we are a domain member we should look up the user with the domain
7			name specified else it will only work if we have
8			'winbind use default domain' set.
9
10			BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276
11
12			Signed-off-by: Andreas Schneider <asn@samba.org>
13			Reviewed-by: Ralph Boehme <slow@samba.org>
14			(cherry picked from commit 619ca5f63c47ff8b021692aaa756dcb0d883b8dd)
15			---
16			source3/lib/substitute.c \| 24 ++++++++++++++++++------
17			1 file changed, 18 insertions(+), 6 deletions(-)
18
19			diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
20			index 4e2ce9b..1f98327 100644
21			--- a/source3/lib/substitute.c
22			+++ b/source3/lib/substitute.c
23			@@ -499,15 +499,18 @@ char talloc_sub_basic(TALLOC_CTX mem_ctx,
24			break;
25			case 'G' : {
26			struct passwd *pass;
27			+ bool is_domain_name = false;
28			+ const char *sep = lp_winbind_separator();
29
30			if (domain_name != NULL && domain_name[0] != '\0' &&
31			- !strequal(domain_name, my_sam_name()))
32			- {
33			+ (lp_security() == SEC_ADS \|\|
34			+ lp_security() == SEC_DOMAIN)) {
35			r = talloc_asprintf(tmp_ctx,
36			"%s%c%s",
37			domain_name,
38			- *lp_winbind_separator(),
39			+ *sep,
40			smb_name);
41			+ is_domain_name = true;
42			} else {
43			r = talloc_strdup(tmp_ctx, smb_name);
44			}
45			@@ -517,9 +520,18 @@ char talloc_sub_basic(TALLOC_CTX mem_ctx,
46
47			pass = Get_Pwnam_alloc(tmp_ctx, r);
48			if (pass != NULL) {
49			- a_string = realloc_string_sub(
50			- a_string, "%G",
51			- gidtoname(pass->pw_gid));
52			+ char *group_name;
53			+
54			+ group_name = gidtoname(pass->pw_gid);
55			+ if (is_domain_name) {
56			+ p = strchr_m(group_name, *sep);
57			+ if (p != NULL) {
58			+ group_name = p + 1;
59			+ }
60			+ }
61			+ a_string = realloc_string_sub(a_string,
62			+ "%G",
63			+ group_name);
64			}
65			TALLOC_FREE(pass);
66			break;
67			--
68			2.10.1
69
70			From d851e487422808b6d3ba2738daa1c697e569bd27 Mon Sep 17 00:00:00 2001
71			From: Volker Lendecke <vl@samba.org>
72			Date: Wed, 12 Oct 2016 12:35:12 +0200
73			Subject: [PATCH] lib: Fix CID 1373623 Dereference after null check
74			MIME-Version: 1.0
75			Content-Type: text/plain; charset=UTF-8
76			Content-Transfer-Encoding: 8bit
77
78			We should not overload "p", this is used in the outer loop
79
80			BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276
81			Signed-off-by: Volker Lendecke <vl@samba.org>
82			Reviewed-by: Ralph Böhme <slow@samba.org>
83			Reviewed-by: Jeremy Allison <jra@samba.org>
84			(cherry picked from commit 6ec81ca3c196f3c4659a4e1c473759b393708d12)
85			---
86			source3/lib/substitute.c \| 7 ++++---
87			1 file changed, 4 insertions(+), 3 deletions(-)
88
89			diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
90			index 1f98327..f56e2c4 100644
91			--- a/source3/lib/substitute.c
92			+++ b/source3/lib/substitute.c
93			@@ -524,9 +524,10 @@ char talloc_sub_basic(TALLOC_CTX mem_ctx,
94
95			group_name = gidtoname(pass->pw_gid);
96			if (is_domain_name) {
97			- p = strchr_m(group_name, *sep);
98			- if (p != NULL) {
99			- group_name = p + 1;
100			+ char *group_sep;
101			+ group_sep = strchr_m(group_name, *sep);
102			+ if (group_sep != NULL) {
103			+ group_name = group_sep + 1;
104			}
105			}
106			a_string = realloc_string_sub(a_string,
107			--
108			2.10.1
109