File _service:tar_scm_kernel_repo:backport-0011-CVE-... of Package samba

File _service:tar_scm_kernel_repo:backport-0011-CVE-2020-25722-s4-provision-add-host-SPNs-at-the-sta.patch of Package samba

From 50f5069a73ac689d3b5fb56fdc652aefb57d396a Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 28 Oct 2021 09:45:36 +1300
Subject: [PATCH 146/266] CVE-2020-25722 s4/provision: add host/ SPNs at the
 start

There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict:NA
Reference:https://gitlab.com/samba-team/samba/-/commit/50f5069a73ac689d3b5fb56fdc652aefb57d396a
---
 selftest/knownfail.d/cve-2020-25722-provision | 4 ++++
 source4/setup/provision_self_join.ldif        | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 selftest/knownfail.d/cve-2020-25722-provision

diff --git a/selftest/knownfail.d/cve-2020-25722-provision b/selftest/knownfail.d/cve-2020-25722-provision
new file mode 100644
index 00000000000..7fd4b4b3763
--- /dev/null
+++ b/selftest/knownfail.d/cve-2020-25722-provision
@@ -0,0 +1,4 @@
+samba4.blackbox.dbcheck.release-4-0-0
+samba4.blackbox.dbcheck.release-4-0-0.quick
+samba4.blackbox.upgradeprovision.release-4-0-0
+samba4.blackbox.functionalprep.check_databases_same
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index f77ac5710ec..92bf4d9cf8f 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -15,11 +15,16 @@ localPolicyFlags: 0
 operatingSystem: Samba
 operatingSystemVersion: ${SAMBA_VERSION_STRING}
 sAMAccountName: ${NETBIOSNAME}$
-# The "servicePrincipalName" updates are now handled by the "samba_spnupdate"
-# script
 userAccountControl: 532480
 clearTextPassword:: ${MACHINEPASS_B64}
 objectSid: ${DOMAINSID}-${DCRID}
+# While some "servicePrincipalName" updates might be handled by the
+# "samba_spnupdate" script, we need to get the basics in here before
+# we add any others.
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+servicePrincipalName: HOST/${DNSNAME}/${DNSNAME}
+
 
 dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 objectClass: rIDSet
-- 
2.23.0