samba: import security updates from redhead

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

lfs/samba

@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 67
+PAK_VER    = 68
 
 DEPS       = "cups krb5"
 
@@ -152,9 +152,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_member_auth_after_changed_secret.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_dirsort_ea-support.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-7494-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-winbind_fix_trusted_domain_handling.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-2619.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-12150-v3-6.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-12163.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-15275.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/doc-update.patch
-#	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.x-winbind_tevent_poll.patch
-
 
 	cd $(DIR_APP)/source3 && ./autogen.sh
 	cd $(DIR_APP)/source3 && ./configure \

src/patches/samba/CVE-2017-12150-v3-6.patch

@@ -0,0 +1,102 @@
+From d3198caa7a8910a9ce1eb4104d5b410ef29ac2bb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 1/3] CVE-2017-12150: s3:lib:
+ get_cmdline_auth_info_signing_state use Required for smb_encrypt
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Backported-by: Andreas Schneider <asn@samba.org>
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index cb0b79a5d30..3178c848b63 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
+ 
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
+ {
++	if (auth_info->smb_encrypt) {
++		return Required;
++	}
+ 	return auth_info->signing_state;
+ }
+ 
+-- 
+2.14.1
+
+
+From bb762a74c81159633f904f8fb67b49bab74a0b9c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 2/3] CVE-2017-12150: libgpo: make use of Required for SMB
+ signing in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Backported-by: Andreas Schneider <asn@samba.org>
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 3cfe1d5b942..af012e01336 100644
+--- a/libgpo/gpo_fetch.c
++++ b/libgpo/gpo_fetch.c
+@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, struct loadparm_context *lp_
+ 			ads->auth.password,
+ 			CLI_FULL_CONNECTION_USE_KERBEROS |
+ 			CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+-			Undefined);
++			Required);
+ 	if (!NT_STATUS_IS_OK(result)) {
+ 		DEBUG(10,("check_refresh_gpo: "
+ 				"failed to connect: %s\n",
+-- 
+2.14.1
+
+
+From 070b0fb9ebb57cdbc2b82e335de021fb46bc543c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 06:07:56 +0100
+Subject: [PATCH 3/3] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
+ authentication was not requested
+
+With forced encryption or required signing we should also don't fallback.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Backported-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libsmb/clidfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 23e147120f1..120a2c999ce 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -197,7 +197,9 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
+ 		/* If a password was not supplied then
+ 		 * try again with a null username. */
+ 		if (password[0] || !username[0] ||
++			force_encrypt || client_is_signing_mandatory(c) ||
+ 			get_cmdline_auth_info_use_kerberos(auth_info) ||
++			get_cmdline_auth_info_use_ccache(auth_info) ||
+ 			!NT_STATUS_IS_OK(cli_session_setup(c, "",
+ 				    		"", 0,
+ 						"", 0,
+-- 
+2.14.1
+

src/patches/samba/CVE-2017-12163.patch

@@ -0,0 +1,141 @@
+From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 8 Sep 2017 10:13:14 -0700
+Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 1583c2358bb..9625670d653 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
+ 	}
+ 
+ 	/* Ensure we don't write bytes past the end of this packet. */
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		error_to_writebrawerr(req);
+@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
+ 			exit_server_cleanly("secondary writebraw failed");
+ 		}
+ 
++		/*
++		 * We are not vulnerable to CVE-2017-12163
++		 * here as we are guarenteed to have numtowrite
++		 * bytes available - we just read from the client.
++		 */
+ 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+ 		if (nwritten == -1) {
+ 			TALLOC_FREE(buf);
+@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
+ 	connection_struct *conn = req->conn;
+ 	ssize_t nwritten = -1;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	SMB_OFF_T startpos;
+ 	const char *data;
+ 	NTSTATUS status = NT_STATUS_OK;
+@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteunlock);
++		return;
++	}
++
+ 	if (!fsp->print_file && numtowrite > 0) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	SMB_OFF_T startpos;
+ 	const char *data;
+@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwrite);
++		return;
++	}
++
+ 	if (!fsp->print_file) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
+ 			return;
+ 		}
+ 	} else {
++		/*
++		 * This already protects us against CVE-2017-12163.
++		 */
+ 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ 				smb_doff + numtowrite > smblen) {
+ 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	NTSTATUS close_status = NT_STATUS_OK;
+ 	SMB_OFF_T startpos;
+@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
+ 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+ 	data = (const char *)req->buf + 1;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteclose);
++		return;
++	}
++
+ 	if (!fsp->print_file) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
+ 
+ 	numtowrite = SVAL(req->buf, 1);
+ 
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (req->buflen < numtowrite + 3) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		END_PROFILE(SMBsplwr);
+-- 
+2.13.5
+

src/patches/samba/CVE-2017-15275.patch

@@ -0,0 +1,45 @@
+From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 20 Sep 2017 11:04:50 -0700
+Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
+ talloc buffer is grown.
+
+Ensure we zero out unused grown area.
+
+CVE-2017-15275
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/srvstr.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
+index 56dceba8c6c..c2d70b32c32 100644
+--- a/source3/smbd/srvstr.c
++++ b/source3/smbd/srvstr.c
+@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
+ 		DEBUG(0, ("srvstr_push failed\n"));
+ 		return -1;
+ 	}
++
++	/*
++	 * Ensure we clear out the extra data we have
++	 * grown the buffer by, but not written to.
++	 */
++	if (buf_size + result < buf_size) {
++		return -1;
++	}
++	if (grow_size < result) {
++		return -1;
++	}
++
++	memset(tmp + buf_size + result, '\0', grow_size - result);
++
+ 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
+ 
+ 	*outbuf = tmp;
+-- 
+2.11.0
+

src/patches/samba/samba-3.6.99-winbind_fix_trusted_domain_handling.patch

@@ -0,0 +1,432 @@
+From a280f61d71d5ea7e2212d253b84ac5b25810b88e Mon Sep 17 00:00:00 2001
+From: Uri Simchoni <uri@samba.org>
+Date: Wed, 10 Feb 2016 00:26:45 +0200
+Subject: [PATCH 1/4] winbindd: introduce add_trusted_domain_from_tdc()
+
+This is purely a refactoring patch -
+Add a routine that adds a winbindd domain object based on
+domain trust cache entry. add_trusted_domain() becomes
+a wrapper for this new routine.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
+
+Signed-off-by: Uri Simchoni <uri@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/winbindd/winbindd_util.c | 76 +++++++++++++++++++++++++---------------
+ 1 file changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 353722e..70a9041 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -30,6 +30,10 @@
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_WINBIND
+ 
++static struct winbindd_domain *
++add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
++			    struct winbindd_methods *methods);
++
+ extern struct winbindd_methods cache_methods;
+ 
+ /**
+@@ -91,11 +95,31 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
+ 
+ /* Add a trusted domain to our list of domains.
+    If the domain already exists in the list,
+-   return it and don't re-initialize.
+- */
+-static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
+-						  struct winbindd_methods *methods,
+-						  const struct dom_sid *sid)
++   return it and don't re-initialize.  */
++
++static struct winbindd_domain *
++add_trusted_domain(const char *domain_name, const char *alt_name,
++		   struct winbindd_methods *methods, const struct dom_sid *sid)
++{
++	struct winbindd_tdc_domain tdc;
++
++	ZERO_STRUCT(tdc);
++
++	tdc.domain_name = domain_name;
++	tdc.dns_name = alt_name;
++	if (sid) {
++		sid_copy(&tdc.sid, sid);
++	}
++
++	return add_trusted_domain_from_tdc(&tdc, methods);
++}
++
++/* Add a trusted domain out of a trusted domain cache
++   entry
++*/
++static struct winbindd_domain *
++add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
++			    struct winbindd_methods *methods)
+ {
+ 	struct winbindd_domain *domain;
+ 	const char *alternative_name = NULL;
+@@ -103,6 +127,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
+ 	const char *param;
+ 	const char **ignored_domains, **dom;
+ 	int role = lp_server_role();
++	const char *domain_name = tdc->domain_name;
++	const struct dom_sid *sid = &tdc->sid;
++
++	if (is_null_sid(sid)) {
++		sid = NULL;
++	}
+ 
+ 	ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
+ 	for (dom=ignored_domains; dom && *dom; dom++) {
+@@ -114,8 +144,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
+ 
+ 	/* ignore alt_name if we are not in an AD domain */
+ 
+-	if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
+-		alternative_name = alt_name;
++	if (tdc->dns_name && *tdc->dns_name) {
++		alternative_name = tdc->dns_name;
+ 	}
+ 
+ 	/* We can't call domain_list() as this function is called from
+@@ -127,8 +157,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
+ 			break;
+ 		}
+ 
+-		if (alternative_name && *alternative_name)
+-		{
++		if (alternative_name) {
+ 			if (strequal(alternative_name, domain->name) ||
+ 			    strequal(alternative_name, domain->alt_name))
+ 			{
+@@ -136,12 +165,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
+ 			}
+ 		}
+ 
+-		if (sid)
+-		{
+-			if (is_null_sid(sid)) {
+-				continue;
+-			}
+-
++		if (sid != NULL) {
+ 			if (dom_sid_equal(sid, &domain->sid)) {
+ 				break;
+ 			}
+@@ -191,11 +215,11 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
+ 	domain->internal = is_internal_domain(sid);
+ 	domain->sequence_number = DOM_SEQUENCE_NONE;
+ 	domain->last_seq_check = 0;
+-	domain->initialized = False;
++	domain->initialized = false;
+ 	domain->online = is_internal_domain(sid);
+ 	domain->check_online_timeout = 0;
+ 	domain->dc_probe_pid = (pid_t)-1;
+-	if (sid) {
++	if (sid != NULL) {
+ 		sid_copy(&domain->sid, sid);
+ 	}
+ 
+@@ -246,9 +270,9 @@ done:
+ 
+ 	setup_domain_child(domain);
+ 
+-	DEBUG(2,("Added domain %s %s %s\n",
+-		 domain->name, domain->alt_name,
+-		 &domain->sid?sid_string_dbg(&domain->sid):""));
++	DEBUG(2,
++	      ("Added domain %s %s %s\n", domain->name, domain->alt_name,
++	       !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
+ 
+ 	return domain;
+ }
+@@ -432,10 +456,8 @@ static void rescan_forest_root_trusts( void )
+ 		d = find_domain_from_name_noinit( dom_list[i].domain_name );
+ 
+ 		if ( !d ) {
+-			(void)add_trusted_domain( dom_list[i].domain_name,
+-						dom_list[i].dns_name,
+-						&cache_methods,
+-						&dom_list[i].sid);
++			d = add_trusted_domain_from_tdc(&dom_list[i],
++							&cache_methods);
+ 		}
+ 
+ 		if (d == NULL) {
+@@ -501,10 +523,8 @@ static void rescan_forest_trusts( void )
+ 			   about it */
+ 
+ 			if ( !d ) {
+-				(void)add_trusted_domain( dom_list[i].domain_name,
+-							dom_list[i].dns_name,
+-							&cache_methods,
+-							&dom_list[i].sid);
++				d = add_trusted_domain_from_tdc(&dom_list[i],
++								&cache_methods);
+ 			}
+ 
+ 			if (d == NULL) {
+-- 
+2.9.4
+
+
+From 153f173eea81ffa1caa4768589a08bb20a6a1950 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 23 Dec 2014 09:43:03 +0000
+Subject: [PATCH 2/4] s3:winbindd: mark our primary as active_directory if
+ possible
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source3/winbindd/winbindd_util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 70a9041..700076a 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -232,6 +232,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ 		domain->primary = true;
+ 	}
+ 
++	if (domain->primary) {
++		if (lp_security() == SEC_ADS) {
++			domain->active_directory = true;
++		}
++	}
++
+ 	/* Link to domain list */
+ 	DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
+ 
+-- 
+2.9.4
+
+
+From 5d741ee3d1dafbb32c106fed817840892b69598d Mon Sep 17 00:00:00 2001
+From: Uri Simchoni <uri@samba.org>
+Date: Wed, 10 Feb 2016 00:32:23 +0200
+Subject: [PATCH 3/4] winbindd: initialize foreign domain as AD based on trust
+
+Based on trust parameters, initialize the active_directory
+member of domain object to true.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
+
+Signed-off-by: Uri Simchoni <uri@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/winbindd/winbindd_util.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index 700076a..aaa9ee8 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -222,6 +222,9 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ 	if (sid != NULL) {
+ 		sid_copy(&domain->sid, sid);
+ 	}
++	domain->domain_flags = tdc->trust_flags;
++	domain->domain_type = tdc->trust_type;
++	domain->domain_trust_attribs = tdc->trust_attribs;
+ 
+ 	/* Is this our primary domain ? */
+ 	if (strequal(domain_name, get_global_sam_name()) &&
+@@ -236,6 +239,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ 		if (lp_security() == SEC_ADS) {
+ 			domain->active_directory = true;
+ 		}
++	} else if (!domain->internal) {
++		if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
++			domain->active_directory = true;
++		}
+ 	}
+ 
+ 	/* Link to domain list */
+-- 
+2.9.4
+
+
+From a8ac7dcae2e3b00362ea9d91b5ef7f149bc734a0 Mon Sep 17 00:00:00 2001
+From: Uri Simchoni <uri@samba.org>
+Date: Wed, 10 Feb 2016 00:38:11 +0200
+Subject: [PATCH 4/4] winbindd: return trust parameters when listing trusts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When asking a child domain process to list trusts on that domain,
+return (along with trust domain names and SID) the trust properties -
+flags, type, and attributes.
+
+Use those attributes to initialize domain object.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
+
+Signed-off-by: Uri Simchoni <uri@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144
+---
+ source3/winbindd/winbindd_misc.c | 11 +++---
+ source3/winbindd/winbindd_util.c | 82 +++++++++++++++++++++++++++++-----------
+ 2 files changed, 65 insertions(+), 28 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
+index 7d25167..5335ad9 100644
+--- a/source3/winbindd/winbindd_misc.c
++++ b/source3/winbindd/winbindd_misc.c
+@@ -172,11 +172,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *
+ 
+ 	for (i=0; i<trusts.count; i++) {
+ 		extra_data = talloc_asprintf_append_buffer(
+-			extra_data, "%s\\%s\\%s\n",
+-			trusts.array[i].netbios_name,
+-			trusts.array[i].dns_name,
+-			sid_string_talloc(state->mem_ctx,
+-					  trusts.array[i].sid));
++		    extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n",
++		    trusts.array[i].netbios_name, trusts.array[i].dns_name,
++		    sid_string_talloc(state->mem_ctx, trusts.array[i].sid),
++		    trusts.array[i].trust_flags,
++		    (uint32_t)trusts.array[i].trust_type,
++		    trusts.array[i].trust_attributes);
+ 	}
+ 
+ 	/* add our primary domain */
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index aaa9ee8..b99fac4 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -343,6 +343,8 @@ static void trustdom_list_done(struct tevent_req *req)
+ 	struct winbindd_response *response;
+ 	int res, err;
+ 	char *p;
++	struct winbindd_tdc_domain trust_params = {0};
++	ptrdiff_t extra_len;
+ 
+ 	res = wb_domain_request_recv(req, state, &response, &err);
+ 	if ((res == -1) || (response->result != WINBINDD_OK)) {
+@@ -351,17 +353,27 @@ static void trustdom_list_done(struct tevent_req *req)
+ 		return;
+ 	}
+ 
++	if (response->length < sizeof(struct winbindd_response)) {
++		DEBUG(0, ("ill-formed trustdom response - short length\n"));
++		TALLOC_FREE(state);
++		return;
++	}
++
++	extra_len = response->length - sizeof(struct winbindd_response);
++
+ 	p = (char *)response->extra_data.data;
+ 
+-	while ((p != NULL) && (*p != '\0')) {
++	while ((p - (char *)response->extra_data.data) < extra_len) {
+ 		char *q, *sidstr, *alt_name;
+-		struct dom_sid sid;
+-		struct winbindd_domain *domain;
+-		char *alternate_name = NULL;
++
++		DEBUG(10, ("parsing response line '%s'\n", p));
++
++		ZERO_STRUCT(trust_params);
++		trust_params.domain_name = p;
+ 
+ 		alt_name = strchr(p, '\\');
+ 		if (alt_name == NULL) {
+-			DEBUG(0, ("Got invalid trustdom response\n"));
++			DEBUG(10, ("Got invalid trustdom response\n"));
+ 			break;
+ 		}
+ 
+@@ -370,39 +382,63 @@ static void trustdom_list_done(struct tevent_req *req)
+ 
+ 		sidstr = strchr(alt_name, '\\');
+ 		if (sidstr == NULL) {
+-			DEBUG(0, ("Got invalid trustdom response\n"));
++			DEBUG(10, ("Got invalid trustdom response\n"));
+ 			break;
+ 		}
+ 
+ 		*sidstr = '\0';
+ 		sidstr += 1;
+ 
+-		q = strchr(sidstr, '\n');
+-		if (q != NULL)
+-			*q = '\0';
++		/* use the real alt_name if we have one, else pass in NULL */
++		if (!strequal(alt_name, "(null)")) {
++			trust_params.dns_name = alt_name;
++		}
++
++		q = strtok(sidstr, "\\");
++		if (q == NULL) {
++			DEBUG(10, ("Got invalid trustdom response\n"));
++			break;
++		}
++
++		if (!string_to_sid(&trust_params.sid, sidstr)) {
++			DEBUG(0, ("Got invalid trustdom response\n"));
++			break;
++		}
+ 
+-		if (!string_to_sid(&sid, sidstr)) {
++		q = strtok(NULL, "\\");
++		if (q == NULL) {
+ 			DEBUG(0, ("Got invalid trustdom response\n"));
+ 			break;
+ 		}
+ 
+-		/* use the real alt_name if we have one, else pass in NULL */
++		trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
+ 
+-		if ( !strequal( alt_name, "(null)" ) )
+-			alternate_name = alt_name;
++		q = strtok(NULL, "\\");
++		if (q == NULL) {
++			DEBUG(0, ("Got invalid trustdom response\n"));
++			break;
++		}
++
++		trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
+ 
+-		/* If we have an existing domain structure, calling
+- 		   add_trusted_domain() will update the SID if
+- 		   necessary.  This is important because we need the
+- 		   SID for sibling domains */
++		q = strtok(NULL, "\n");
++		if (q == NULL) {
++			DEBUG(10, ("Got invalid trustdom response\n"));
++			break;
++		}
+ 
+-		(void)add_trusted_domain(p, alternate_name,
+-					    &cache_methods,
+-					    &sid);
++		trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
++
++		/*
++		 * We always call add_trusted_domain() cause on an existing
++		 * domain structure, it will update the SID if necessary.
++		 * This is important because we need the SID for sibling
++		 * domains.
++		 */
++		(void)add_trusted_domain_from_tdc(&trust_params,
++						  &cache_methods);
+ 
+-		p=q;
+-		if (p != NULL)
+-			p += 1;
++		p = q + strlen(q) + 1;
+ 	}
+ 
+ 	/*
+-- 
+2.9.4
+