gentoo resync : 05.12.2021

2 files changed, 84 insertions, 0 deletions

diff --git a/net-fs/samba/files/samba-4.14.10-winbindd_regression_fix.patch b/net-fs/samba/files/samba-4.14.10-winbindd_regression_fix.patch
new file mode 100644
index 000000000000..23411dad6bec
--- /dev/null
+++ b/net-fs/samba/files/samba-4.14.10-winbindd_regression_fix.patch
@@ -0,0 +1,42 @@
+From bc07c3b70702100975f8921e56cf9b733ec3b826 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 9 Nov 2021 20:50:20 +0100
+Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
+
+add_trusted_domain() should only reject domains
+based on is_allowed_domain(), which now also
+checks "allow trusted domains = no", if we don't
+have an explicit trust to the domain (SEC_CHAN_NULL).
+
+We use at least SEC_CHAN_LOCAL for local domains like
+BUILTIN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
+
+(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
+---
+ source3/winbindd/winbindd_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 42ddbfd2f44e..9d54e462c425 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	if (!is_allowed_domain(domain_name)) {
++	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ 		return NT_STATUS_NO_SUCH_DOMAIN;
+ 	}
+ 
+-- 
+2.25.1
+
diff --git a/net-fs/samba/files/samba-4.15.2-winbindd_regression_fix.patch b/net-fs/samba/files/samba-4.15.2-winbindd_regression_fix.patch
new file mode 100644
index 000000000000..457bad16a6e2
--- /dev/null
+++ b/net-fs/samba/files/samba-4.15.2-winbindd_regression_fix.patch
@@ -0,0 +1,42 @@
+From 9f73f8a784f2de9211601f92729a47aaa3e51a1a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 9 Nov 2021 20:50:20 +0100
+Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
+
+add_trusted_domain() should only reject domains
+based on is_allowed_domain(), which now also
+checks "allow trusted domains = no", if we don't
+have an explicit trust to the domain (SEC_CHAN_NULL).
+
+We use at least SEC_CHAN_LOCAL for local domains like
+BUILTIN.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
+
+(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
+---
+ source3/winbindd/winbindd_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index fe68adec534a..a8c510fafc67 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
+ 		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+-	if (!is_allowed_domain(domain_name)) {
++	if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
+ 		return NT_STATUS_NO_SUCH_DOMAIN;
+ 	}
+ 
+-- 
+2.25.1
+