debian/control

@@ -7,7 +7,7 @@ Uploaders: Steve Langasek <vorlon@debian.org>,
            Mathieu Parent <sathieu@debian.org>,
            Andrew Bartlett <abartlet+debian@catalyst.net.nz>
 Homepage: http://www.samba.org
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Build-Depends: bison,
                debhelper (>= 11),
                dh-exec,
@@ -242,7 +242,6 @@ Pre-Depends: ${misc:Pre-Depends}
 Architecture: any
 Section: python
 Provides: ${python:Provides}
-Suggests: python-gpgme
 Depends: python-crypto,
          python-ldb,
          python-tdb,
@@ -250,6 +249,7 @@ Depends: python-crypto,
          ${misc:Depends},
          ${python:Depends},
          ${shlibs:Depends}
+Recommends: python-gpg
 Description: Python bindings for Samba
  Samba is an implementation of the SMB/CIFS protocol for Unix systems,
  providing support for cross-platform file sharing with Microsoft Windows, OS X,

debian/patches/python-gpg.patch

+From f1e2bedbbc1446073876e0a0e02e9c4f02fa67f6 Mon Sep 17 00:00:00 2001
+From: Joe Guo <joeg@catalyst.net.nz>
+Date: Thu, 20 Dec 2018 16:47:00 +1300
+Subject: [PATCH] netcmd/user: python[3]-gpgme unsupported and replaced by
+ python[3]-gpg
+
+python[3]-gpgme is deprecated since ubuntu 1804 and debian 9.
+use python[3]-gpg instead, and adapt the API.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13728
+
+Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 84069c8a5476a47d45ab946d82abb0d6c04635c3)
+---
+ python/samba/netcmd/user.py | 86 ++++++++++++++++++++++++++-----------
+ 1 file changed, 61 insertions(+), 25 deletions(-)
+
+diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
+index 5af76c9be7d1..437866c0a42f 100644
+--- a/python/samba/netcmd/user.py
++++ b/python/samba/netcmd/user.py
+@@ -21,6 +21,7 @@ import samba.getopt as options
+ import ldb
+ import pwd
+ import os
++import io
+ import re
+ import tempfile
+ import difflib
+@@ -56,15 +57,56 @@ from samba.netcmd import (
+     )
+ from samba.compat import text_type
+ 
+-try:
+-    import io
+-    import gpgme
+-    gpgme_support = True
+-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source"
+-except ImportError as e:
+-    gpgme_support = False
+-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \
+-            "python-gpgme required"
++
++# python[3]-gpgme is abandoned since ubuntu 1804 and debian 9
++# have to use python[3]-gpg instead
++# The API is different, need to adapt.
++
++def _gpgme_decrypt(encrypted_bytes):
++    """
++    Use python[3]-gpgme to decrypt GPG.
++    """
++    ctx = gpgme.Context()
++    ctx.armor = True  # use ASCII-armored
++    out = io.BytesIO()
++    ctx.decrypt(io.BytesIO(encrypted_bytes), out)
++    return out.getvalue()
++
++
++def _gpg_decrypt(encrypted_bytes):
++    """
++    Use python[3]-gpg to decrypt GPG.
++    """
++    ciphertext = gpg.Data(string=encrypted_bytes)
++    ctx = gpg.Context(armor=True)
++    # plaintext, result, verify_result
++    plaintext, _, _ = ctx.decrypt(ciphertext)
++    return plaintext
++
++
++gpg_decrypt = None
++
++if not gpg_decrypt:
++    try:
++        import gpgme
++        gpg_decrypt = _gpgme_decrypt
++    except ImportError:
++        pass
++
++if not gpg_decrypt:
++    try:
++        import gpg
++        gpg_decrypt = _gpg_decrypt
++    except ImportError:
++        pass
++
++if gpg_decrypt:
++    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password as "
++                              "cleartext source")
++else:
++    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password not supported, "
++                              "python[3]-gpgme or python[3]-gpg required")
++
+ 
+ disabled_virtual_attributes = {
+     }
+@@ -1024,13 +1066,8 @@ class GetPasswordCommand(Command):
+             #
+             sgv = get_package("Primary:SambaGPG", min_idx=-1)
+             if sgv is not None and unicodePwd is not None:
+-                ctx = gpgme.Context()
+-                ctx.armor = True
+-                cipher_io = io.BytesIO(sgv)
+-                plain_io = io.BytesIO()
+                 try:
+-                    ctx.decrypt(cipher_io, plain_io)
+-                    cv = plain_io.getvalue()
++                    cv = gpg_decrypt(sgv)
+                     #
+                     # We only use the password if it matches
+                     # the current nthash stored in the unicodePwd
+@@ -1042,14 +1079,13 @@ class GetPasswordCommand(Command):
+                     nthash = tmp.get_nt_hash()
+                     if nthash == unicodePwd:
+                         calculated["Primary:CLEARTEXT"] = cv
+-                except gpgme.GpgmeError as e1:
+-                    (major, minor, msg) = e1.args
+-                    if major == gpgme.ERR_BAD_SECKEY:
+-                        msg = "ERR_BAD_SECKEY: " + msg
+-                    else:
+-                        msg = "MAJOR:%d, MINOR:%d: %s" % (major, minor, msg)
+-                    self.outf.write("WARNING: '%s': SambaGPG can't be decrypted into CLEARTEXT: %s\n" % (
+-                                    username or account_name, msg))
++
++                except Exception as e:
++                    self.outf.write(
++                        "WARNING: '%s': SambaGPG can't be decrypted "
++                        "into CLEARTEXT: %s\n" % (
++                            username or account_name, e))
++
+ 
+         def get_utf8(a, b, username):
+             try:
+@@ -1458,7 +1494,7 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
+             sambaopts=None, versionopts=None):
+         self.lp = sambaopts.get_loadparm()
+ 
+-        if decrypt_samba_gpg and not gpgme_support:
++        if decrypt_samba_gpg and not gpg_decrypt:
+             raise CommandError(decrypt_samba_gpg_help)
+ 
+         if filter is None and username is None:
+@@ -1800,7 +1836,7 @@ samba-tool user syncpasswords --terminate \\
+             if H is None:
+                 H = "ldapi://%s" % os.path.abspath(self.lp.private_path("ldap_priv/ldapi"))
+ 
+-            if decrypt_samba_gpg and not gpgme_support:
++            if decrypt_samba_gpg and not gpg_decrypt:
+                 raise CommandError(decrypt_samba_gpg_help)
+ 
+             password_attrs = self.parse_attributes(attributes)
+-- 
+2.17.1
+

debian/patches/series

@@ -8,3 +8,4 @@ add-so-version-to-private-libraries
 heimdal-rfc3454.txt
 nsswitch-Add-try_authtok-option-to-pam_winbind.patch
 s3-auth-ignore-create_builtin_guests-failing-without.patch
+python-gpg.patch

python/samba/netcmd/user.py

@@ -21,6 +21,7 @@ import samba.getopt as options
 import ldb
 import pwd
 import os
+import io
 import re
 import tempfile
 import difflib
@@ -56,15 +57,56 @@ from samba.netcmd import (
     )
 from samba.compat import text_type
 
+
+# python[3]-gpgme is abandoned since ubuntu 1804 and debian 9
+# have to use python[3]-gpg instead
+# The API is different, need to adapt.
+
+def _gpgme_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpgme to decrypt GPG.
+    """
+    ctx = gpgme.Context()
+    ctx.armor = True  # use ASCII-armored
+    out = io.BytesIO()
+    ctx.decrypt(io.BytesIO(encrypted_bytes), out)
+    return out.getvalue()
+
+
+def _gpg_decrypt(encrypted_bytes):
+    """
+    Use python[3]-gpg to decrypt GPG.
+    """
+    ciphertext = gpg.Data(string=encrypted_bytes)
+    ctx = gpg.Context(armor=True)
+    # plaintext, result, verify_result
+    plaintext, _, _ = ctx.decrypt(ciphertext)
+    return plaintext
+
+
+gpg_decrypt = None
+
+if not gpg_decrypt:
     try:
-    import io
         import gpgme
-    gpgme_support = True
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source"
-except ImportError as e:
-    gpgme_support = False
-    decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \
-            "python-gpgme required"
+        gpg_decrypt = _gpgme_decrypt
+    except ImportError:
+        pass
+
+if not gpg_decrypt:
+    try:
+        import gpg
+        gpg_decrypt = _gpg_decrypt
+    except ImportError:
+        pass
+
+if gpg_decrypt:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password as "
+                              "cleartext source")
+else:
+    decrypt_samba_gpg_help = ("Decrypt the SambaGPG password not supported, "
+                              "python[3]-gpgme or python[3]-gpg required")
+
 
 disabled_virtual_attributes = {
     }
@@ -1024,13 +1066,8 @@ class GetPasswordCommand(Command):
             #
             sgv = get_package("Primary:SambaGPG", min_idx=-1)
             if sgv is not None and unicodePwd is not None:
-                ctx = gpgme.Context()
-                ctx.armor = True
-                cipher_io = io.BytesIO(sgv)
-                plain_io = io.BytesIO()
                 try:
-                    ctx.decrypt(cipher_io, plain_io)
-                    cv = plain_io.getvalue()
+                    cv = gpg_decrypt(sgv)
                     #
                     # We only use the password if it matches
                     # the current nthash stored in the unicodePwd
@@ -1042,14 +1079,13 @@ class GetPasswordCommand(Command):
                     nthash = tmp.get_nt_hash()
                     if nthash == unicodePwd:
                         calculated["Primary:CLEARTEXT"] = cv
-                except gpgme.GpgmeError as e1:
-                    (major, minor, msg) = e1.args
-                    if major == gpgme.ERR_BAD_SECKEY:
-                        msg = "ERR_BAD_SECKEY: " + msg
-                    else:
-                        msg = "MAJOR:%d, MINOR:%d: %s" % (major, minor, msg)
-                    self.outf.write("WARNING: '%s': SambaGPG can't be decrypted into CLEARTEXT: %s\n" % (
-                                    username or account_name, msg))
+
+                except Exception as e:
+                    self.outf.write(
+                        "WARNING: '%s': SambaGPG can't be decrypted "
+                        "into CLEARTEXT: %s\n" % (
+                            username or account_name, e))
+
 
         def get_utf8(a, b, username):
             try:
@@ -1458,7 +1494,7 @@ samba-tool user getpassword --filter=samaccountname=TestUser3 --attributes=msDS-
             sambaopts=None, versionopts=None):
         self.lp = sambaopts.get_loadparm()
 
-        if decrypt_samba_gpg and not gpgme_support:
+        if decrypt_samba_gpg and not gpg_decrypt:
             raise CommandError(decrypt_samba_gpg_help)
 
         if filter is None and username is None:
@@ -1800,7 +1836,7 @@ samba-tool user syncpasswords --terminate \\
             if H is None:
                 H = "ldapi://%s" % os.path.abspath(self.lp.private_path("ldap_priv/ldapi"))
 
-            if decrypt_samba_gpg and not gpgme_support:
+            if decrypt_samba_gpg and not gpg_decrypt:
                 raise CommandError(decrypt_samba_gpg_help)
 
             password_attrs = self.parse_attributes(attributes)