The annotated tag, tdb-1.4.11 has been created
        at  27acad2f3efe5b40ef546f58dead15de6fe54d07 (tag)
   tagging  93a6656c13facdb8565f90954428c4cf800bfc36 (commit)
  replaces  samba-4.20.0rc1
 tagged by  Jule Anger
        on  Mon Jul 29 13:30:01 2024 +0200
- Log -----------------------------------------------------------------
tdb: tag release tdb-1.4.11

Alexander Bokovoy (1): Do not fail checksums for RFC8009 types Andreas Schneider (189): python:gp: Fix logging with gp librpc:idl: Make netlogon_samlogon_response public python:gp: Implement client site lookup in site_dn_for_machine() libgpo: Fix trailing spaces in pygpo.c libgpo: Do not segfault if we don't have a valid security descriptor packaging: Provide a systemd service file for samba-bgqd python:tests: Improve keytab comparison of dckeytab buildtools: Fix PYTHONPATH and print it python:samba: Rename trust_utils.py to lsa_utils.py python: Implement OpenPolicyFallback() python:tests: Rename createtrustrelax.py to lsa_utils.py python:tests: Clean lsa_utils.py code according to Python standards python: Set parameter types for CreateTrustedDomainRelax() python: Use secrets.token_bytes instead of random python: Add aead_aes_256_cbc_hmac_sha512() python: Implement CreateTrustedDomainFallback() python: Use OpenPolicyFallback() in trust.py librpc:rpc: Add dcerpc_lsa.h s4:torture: Use init_lsa_String() from init_lsa.h s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info() s4:torture: Use rpc_lsa_encrypt_trustdom_info() s4:torture: Use dcerpc_lsa_OpenPolicy3_r() s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain() s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck() s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomain_common() s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3() s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3() s4:torture: Add test for lsa_CreateTrustedDomainEx3 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes() s3:rpc_client: Implement createtrustdomex2 command s3:rpc_client: Implement createtrustdomex3 command s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2() s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck() s3:rpc_server: Implement lsa_CreateTrustedDomain_common() s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3() s3:auth: Remove trailing spaces s3:auth: Re-format auth3_generate_session_info_pac() s3:auth: Split auth3_generate_session_info_pac() into functions s3:auth: Add support standalone server with MIT Keberos 1.21 python: Fix NtVer check for site_dn_for_machine() s3:libsmb: Pass a memory context to cli_connect_nb_recv() s3:nmbd: Remove trailing spaces in nmbd_synclists.c s3:torture: Remove trailing spaces in torture.c s3:libsmb: Pass memory context to cli_connect_nb() s3:libsmb: Pass a memory context to cli_start_connection_recv() s3:libsmb: Pass a memory context to cli_start_connection() s3:libsmb: Pass memory context to cli_full_connection_creds_recv() s3:libsmb: Pass memory context to cli_full_connection_creds() s3:libnet: Fix memory leak in libnet_join_connect_dc_ipc() s3:libsmb: Make get_ipc_connect() static s3:libsmb: Pass a memory context to get_ipc_connect() lib:tdb: Remove trailing spaces from pytdb.c lib:tdb: Add missing overflow check for num_values in pytdb.c lib:ldb: Add missing overflow check in ldb_msg_normalize() lib:ldb: Use correct 
integer types for sizes s4:dsdb: Fix stack use after scope in gkdi_create_root_key() auth:creds: Add test for cli_credentials_get_principal_obtained() auth:creds: Add test for cli_credentials_get_password_obtained() auth:creds: Add test for cli_credentials_get_username_obtained() lib:krb5_wrap: Implement smb_gss_mech_import_cred() s3:gse: Use smb_gss_mech_import_cred() in gse_init_server() s3:gse: Implement gensec_gse_security_by_oid() s3:gse: Pass down the mech to gse_context_init() docs-xml: Add smb.conf option 'dns hostname' s3:utils: Use lp_dns_hostname() for 'net' dns updates s3:librpc: Use lp_dns_hostname() for creating the fqdn s3:lib: Remove obsolete name_to_fqdn() s3:libnet: Use lp_dns_hostname() in libnet_join.c s3:libnet: Convert myalias to lower case s3:utils: Use lp_dnsdomain() in net_ads.c python:tests: Ignore case for group_name comparison s3:rpc_server: Use lpcfg_dns_hostname() in srv_witness_nt.c s4:dfs_server: Use lpcfg_dns_hostname() in dfs_server_ad.c s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c auth:ntlmssp: Remove trailing spaces auth:ntlmssp: Use lpcfg_dns_hostname() WHATSNEW: Add 'dns hostname' s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP s3:libads: Do not fail if we don't get an IP passed down s3:winbind: Fix idmap_ad creating an invalid local krb5.conf python:netcmd: Only put regular files into the tarball python:netcmd: Create a SHA256SUM file with checksums python: Add test for checking the SHA256SUM s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish() s3:utils: Use a destructor in rpc_trustdom_establish() s3:util: Use a talloc stackframe in rpc_trustdom_establish() s3:utils: Use talloc instead of malloc functions bootstrap: Fix runner tags bootstrap: Set git safe.directory bootstrap: Fix 
building CentOS 8 Stream container images gitlab-ci: Set git safe.directory for devel repo third_party: Update uid_wrapper to version 1.3.1 third_party: Update socket_wrapper to version 1.4.3 lib:util: Remove tailing spaces in util.c lib:util: Fix size of tmp array s4:torture: Add missing NULL checks in spoolss.c selftest: Create the cmd outside of the loop selftest: Set NSS_WRAPPER_HOSTS for smbclient gitlab-ci: Remove CentOS7 which is EOL gitlab-ci: Add CentOS 9 Stream gitlab-ci: Update image to Fedora 40 nsswitch:krb5_plugin: Avoid a possible double free s3:lib: Remove trailing spaces in sharesec.c s3:lib: Make sure struct security_ace is fully initialized s3:rpc_server: Make sure struct security_ace is initialized s3:utils: Fix get_window_height() return value s4:torture: Remove trailing spaces in winsreplication.c s4:torture: Initialize struct wrepl_wins_name s4:dsdb: Remove trailing spaces in schema_query.c s4:dsdb: Avoid possible underflows with new_len s3:registry: Remove trailing spaces in reg_perfcount.c s3:registry: Avoid possible double frees s3:registry: Add missing return value checks packaging: Add missing quotes in smbprint s3:torture: Remove trailing spaces in query.c s4:torture: Initialize struct nbt_name_query s4:torture: Initialize struct smb2_handle s3:auth: Remove trailing spaces in pampass.c s3:auth: Avoid passing freed pamh pointer to funcitons using it s4:torture: Initialize struct wrepl_wins_name s3:rpc_client: Check for array size instead of UINT16_MAX s4:torture: Fully initialize struct samr_OpenUser examples: Use cp with force option examples: Initialize char arrays s4:torture: Initialize struct wrepl_wins_name winexe: Make sure specificError is initialized examples: Make sure the array is probably initialized s3:smbd: Remove trailing spaces in posix_acls.c s3:smbd: Make sure struct security_ace is initialized s4:torture: Make sure struct smb2_handle is initialized s3:rpc_client: Initialize struct security_ace s4:torture: Initialize 
struct netr_LogonSamLogonEx s4:torture: Initialize struct smb2_handle s4:torture: Initialize pointers s3:libsmb: Check if we have a valid file descriptor s3:smbd: Make sure struct security_ace is initialized s3:winbind: Fix integer type of len s4:torture: Remove trailing spaces from gentest.c s4:torture: Initialize param arrays gitlab-ci: Also add the git directory for pipeline in the main mirror third_party: Update nss_wrapper to version 1.1.16 s3:registry: Check for integer overflow s3:registry: Use correct integer sizes s3:smbd: Remove trailing spaces in smb1_process.c s3:smbd: Remove trailing spaces in seal.c s3:smbd: Fix invalid memory free examples: Initialize char arrays s4:torture: Initialize pointer with NULL s3:rpc_server: Initialize array python:tests: Use assertMultiLineEqual() to get better failure output s4:torture: Initialize struct netr_IdentityInfo s4:torture: Initialize union smb_open libcli:nbt: Initialize struct nbt_name_register lib:util: Move open() of /dev/null into the if-clause s4:torture: Initialize struct smb2_create s4:torture: Remove tailing spaces in scanner.c s4:torture: Initialize struct smb_nttrans libgpo: Initialize struct security_ace array s3:modules: Rename thistime to chunk s3:modules: Move chunk out of the loop s3:modules: Make nread a size_t and check for possible overflow s4:torture: Remove tailing spaces in forest_trust.c s3:services: Initialize struct security_ace array lib:param: Add missing return code check s4:torture: Do not set sr.in.info to info be we queried the info selftest: Remove samba4.rpc.lsa.forest.trust from knownfail s4:torture: Split out a new LSA test_set_forest_trust_info() function s4:torture: Add new LSA test_query_forest_trust_info() s3:smbd: Initialize struct security_ace array s4:torture: Initialize pointer with NULL examples:winexe: Fully initialize EXPLICIT_ACCESS s4:torture: Initialize union spoolss_KeyNames auth:gensec: Fully initialize struct spnego_data examples:winexe: Initialize integer 
nsswitch: Fix integer size types in winbind_write_sock() s4:torture: Initialize struct netr_LogonSamLogonEx s4:torture: Remove trailing spaces from cldapbench.c s4:torture: Initialize struct cldap_netlogon s3:printing: Allow to run samba-bgqd as a standalone systemd service third_party: Update pam_wrapper to version 1.1.7 Andrew Bartlett (152): python/samba/samdb: Only do caching of well known DNs in dbcheck librpc/idl: Add a parser for a FILE: format keytab librpc/idl: Check protocol version number in Kerberos ccache parser python/tests: Add test for new krb5 keytab parser python/tests: Convert dckeytab test to use new NDR keytab parser python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d) libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used samba-tool user getpassword: Do not show preview of gMSA password python/samba/tests: Include more detail on invoication in test of "samba-tool user show" samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes samba-tool user getpassword: Also return the time a GMSA password is valid until samba-tool user getpassword: Clarify success wording selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh and samba.tests.domain_backup_offline ldb: Move tests to selftest/tests.py and out of standlone build sefltest: Remove duplicate run of ldb.python.crash and ldb.python.repack ldb: Prepare ldb tests for subunit output selftest: Move LDB cmocka based unit tests to Samba testsuite selftest: Always and only run ldb test-tdb test in Samba selftest selftest: Bring ldb test defintions into one place in selftest/tests.py ldb: Make pyldb-util always a private library build: Ensure that a forced-private library has no public headers 
build: Allow --private-libraries to include a default ldb: Honour --private-library=!ldb as meaning build as a public library autobuild: Move autobuild to expecting ldb to build as part of Samba build: Call conf.CHECK_XSLTPROC_MANPAGES() directly in wscript build: Remove duplicated check for -Wl,-no-undefined on OpenBSD ldb: Remove the ability for Samba to compile against a system LDB build: Move --with-ldap/--without-ldap from source3 build to top level lib/ldb: Always build standalone lib/ldb: Adapt pkg-config files to being build from the main build. lib/ldb: bld.CONFIG_SET(USING_SYSTEM_LDB) is now never set lib/ldb: Remove references to conf.env.standalone_ldb ldb: Remove remaining components of independent ldb build system lib/ldb: Remove duplicate aspects of build system ldb: Rename VERSION to LDB_VERSION to avoid confusion ldb: Remove "private_library" variable with just one user ldb: Unconditionally set LDB_PACKAGE_VERSION build: Allow --with-ldbmodulesdir to override location of LDB modules WHATSNEW: Add information on LDB no longer available standalone ldb/pyldb: Check errors from PyLdbMessage_FromMessage ldb/pyldb: Call Py_DECREF(list) on failure in PyLdbResult_FromResult() dsdb: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE() dsdb: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE() dns: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE() dns: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE() pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h pyldb: Use "O!" to specify the type of py_ldb pyldb: Remove last caller to and definition of PyLdb_Check() pyldb: Improve docstric for whoami(), which takes no arguments. 
pyldb: Remove unused and broken Python access to LDB module API selftest: Assert that the provision KDS root key is already valid for use python/samba/provision: Ensure KDS root key is usable as soon as provision is complete lib/ldb: Allocate opaque on ldb_ctx lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() and use "unsigned long long" dsdb: Remove calls to ldb.set_opaque_integer() lib/ldb-samba: Remove unused ldb.set_opaque_integer() python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal libnet: Prepare to allow "samba-tool domain exportkeytab to support -H samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb s4-auth/kerberos: Remove unused paremters to create_keytab() s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab() Make "samba-tool domain exportkeytab" prune old keys s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA auth/credentials: Add bindings for getting and setting the salt principal auth/credentials: Use salt on credentials object for Creds.get_aes256_key() auth/credentials: Dynamically calculate the salt principal (unless speccified) s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy() auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob auth/credentials: Make cli_credentials_get_aes256_key into generic key access auth/credentials: Allow generation of old Kerberos keys also s4-kdc: Prepare for gMSA support by recording it on the entry s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab" auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords() s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong python/tests: Add test that gMSA keytab export works and matches direct keytab export lib/krb5_wrap: Rename confusing add_salt parameter to 
smb_krb5_kt_add_entry() lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab" s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export samba-tool domain exportkeytab: Raise a proper CommandError selftest: Add tests for "samba-tool domain exportkeytab" with existing files" selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour s4-auth/kerberos: Do not add true duplicates to exported keytab s4-libnet: Prepare for a "rolling update" keytab export samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() selftest: Run samba.tests.segfault with TALLOC_FREE_FILL pyldb: Fix documentation comment on Message.from_dict() method plydb: Keep talloc_reference() to the DN in PyDict_AsMessage pyldb: Consolidate PyErr_SetLdbError() using the pyldb version dsdb: Add API tests for new_gkdi_root_key() pyldb: Improve search for error string in PyErr_SetLdbError s4-dsdb: Populate new GKDI root keys from the server configuration object s4-dsdb: Indent DH parameters table in gkdi_create_root_key() s4-dsdb: Create KdfParameters at runtime auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials python/samba/krb5: Allow client address (caddr) to be missing or empty python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED python/tests/krb5: Allow getting a TGT in pkinit tests python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change auth/credentials: Read managed_password.passwords.query_interval only after parsing selftest: Add tests that demonstrate the issues with ldb use after free pyldb: Include a 
reference to the Ldb in objects that use pyldb: Add ldb.disconnect() method to ensure DB handles are closed samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup ldb: Add more segfault tests DN handling selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv selftest: Move some KDS root key tests around to prepare for gMSA server side s4-gmsa: Do not attempt password set on remote LDAP connections .gitlab-ci: Remove tags no longer provided by gitlab.com build: Add --vendor-name --vendor-patch-revision options to ./configure script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision s4-libnet: Split up samba-net into samba-net and samba-net-join build: Remove incorrect pyembed=True from samba-policy build: Make "samba4" public libraries provided (mostly) for OpenChange private dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistant with other uses s4-auth: Update comment to mention 60mins in the NTLM grace period s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED python/tests/krb5: Remove unused utf16pw variable python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts python/tests/krb5: Move check_ticket_times() to kdc_base_test.py python/test/krb5: Use assertAlmostEqual in check_ticket_times() python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode dsdb: Reduce minimum maxPwdAge from 1 day to nil dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured! 
dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed dsdb: Prepare to handle smartcard password rollover kdc: Remove confusing duplicate open of sam.ldb to find RODC status ldb_wrap: Provide a way to avoid Samba using ldb_wrap() kdc: Mark KDC sam.ldb as not to use ldb_wrap cache kdc: Use a consistent, stable time throughout the Heimdal KDC s4-auth: Use consistant externally-supplied time in auth stack kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts kdc: Rotate smart-card only underlying password in 2nd half of lifetime selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS Andréas Leroux (1): ldap_server: Add a ldapsrv debug class to log LDAP queries Anna Popova (1): s3:utils: Fix Inherit-Only flag being automatically propagated to children Anoop C S (12): docs-xml: Build and install man page for wspsearch source4/torture: Add SEC_STD_DELETE to enable proper cleanup s4/torture: Fix misplaced positional arguments for u64 comparison source3/smbd: Update timestamps after a successful SMB_VFS_FNTIMES vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to preserve create_time vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL s4/torture: Remove already existing test_dir 
source3/wscript: Remove long pending unsupported option ctdb/wscript: Remove long pending unsupported option vfs_ceph: Disable the module on unsupported Ceph versions Björn Baumbach (1): ctdb-failover: omit "restrict" optimization keyword Björn Jacke (10): Revert "dosmode: prefer capabilities over become_root" Revert "posix_acls.c: prefer capabilities over become_root" Revert "open.c: prefer capabilities over become_root" Revert "vfs_recycle.c: prefer capabilities over become_root" Revert "vfs_posix_eadb.c: prefer capabilities over become_root" Revert "vfs_default.c: prefer capabilities over become_root" Revert "vfs_acl_common.c: prefer capabilities over become_root" Revert "nfs4_acls.c: prefer capabilities over become_root" Revert "dosmode.c: prefer use of capabilities at two places over become_root" Revert "token_util.c: prefer capabilities over become_root" Christof Schmitt (5): tdb: Return failure as exit status from test_tdbbackup.sh tdb: Add test for tdbdump command tdb: Add tdbdump option to output all data as hex values tdb: Add test for tdbdump -x docs: Document new tdbdump -x option David Mulder (1): winbind: Log NOT_IMPLEMENTED as debug Douglas Bagnall (300): perftest:ndr_pack: rename SD tests with object ACEs perftest: ndr_pack_performance gets more SD types perftest:ndr_pack: slightly reduce python overhead perftest:ndr_pack_performance: remove irrelevant imports, options perftest:ndr_pack: use a valid dummy SID perftest:ndr_pack: spin in do_nothing for a while perftest: ndr_pack runs in none environment pidl: calculate subcontext_size only once per pull ndr: shift ndr_pull_security_ace to manual code ndr: short-circuit ace coda if no bytes left ndr: make security_ace push manual ndr: ACE push avoids no-op coda pushes ndr: skip talloc when pulling empty DATA_BLOB ndr: mark invalid pull ndr_flags as unlikely ndr: do not push ACE->coda.ignored blob ndr: avoid object ACE pull overhead for non-object ACE ndr: avoid object ACE push overhead for non-object 
ACE ndr: ndr_push_security_ace: calculate coda size once ndr: ignore trailing bytes in ndr_pull_security_ace() samba-tool domain claim: use secrets module for token samba-tool domain level: avoid using assert samba-tool: avoid mutable Command class values samba-tool: add self.print_json_status() helper samba-tool: instances remember whether --json was requested samba-tool: with --json, error messages are in JSON pylibs: add string_is_guid() helper. pytest:auth_log_base: use string_is_guid() pytest:audit_log_base: use string_is_guid() pyldb: add a macro to free when raising exceptions pyldb: free things more often on error pyldb: free some finished requests pyldb: catch some talloc failures s4:pydsdb: add not-implemented raising functions to when appropriate ldb: ldb_string_to_time reports more errors pyldb: try to turn ldb_string_to_time() errors into exceptions py:nt_time: add nt_time_from_string() python:nt_time: add string_from_nt_time python:nt_time: add a nt_now() function python/nt_time: have a go at using 1_000_000 number separators. 
samba-tool domain: add kds sub-branch samba-tool domain kds: add root key sub-command samba-tool domain kds root_key s4:pydsdb: python bindings for gkdi_new_root_key() python:samdb: wrapper for _dsdb_create_gkdi_root_key() ldb:pyldb exposes Result type samba-tool domain: add LDB Result to json encoders samba-tool user delete: use account type constant pytest:samba-tool: add a flag to print more in runcmd pytest:gkdi: shift create_root_key into a function pytest:dsdb: check that there is a gkdi root key provision: add a default root key samba-tool: don't error if there are no sub-commands samba-tool: add `samba-tool domain kds root_key list` samba-tool: add `samba-tool domain kds root_key view` samba-tool: add `samba-tool domain kds root_key create` samba-tool: add `samba-tool domain kds root_key delete` pytests: samba-tool domain kds root_key samba-tool: tidy up uncaught insufficient rights LdbError pytest:samba-tool domain kds root-key: test with normal user libcli/security: claims_conversions: check for NULL in claims array libcli/security: check again for NULL values selftest/gdb_backtrace: print python traceback if available selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread selftest/gdb_backtrace: print `info threads` and some signpost headers py:samdb: make SamDB.__str__ show the URL and ID pytest:segfault: prevent @no_gdb_backtrace smearing on exception pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset pyldb: catch errors in ldb_db_get_casefold pyldb: py_ldb_init() uses py_ldb_connect() for connecting ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset ldb:pytests: test duplicate connections fail lib/ldb: don't allow repeated connections ldb:pyldb.h: include some headers that are used pyldb_utils: pyldb_Object_AsDn() sets TypeError more often pyldb: add a FIXME for a non-transitive compare ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare() pyldb: ldb_msg_richcmp: avoid one intransitive compare ldb_dn: 
make LDB_FREE, TALLOC_FREE fuzzing: fuzz_ndr_X ndr_print does printing fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail fuzz:_conditional_ace_blob discards a const ldb-samba: matching rules: notify of search failure in transitive filter fuzz:fuzz_ndr_X: don't skip printing on push error ndr: always attempt ACE coda pull if ACE type suggests a coda pytest:krb5/lockout: associate user DN with the ldb it is used with ldb:pytests: test ldb.connect() works after .disconnect() pytest:segfault: some more ldb crashes ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous checks pyldb: adapt some simple dn methods to use LDB_DN_OR_RAISE() pyldb: py_ldb_dn_get_extended_component uses PyErr_LDB_DN_OR_RAISE() pyldb: py_ldb_dn_get_casefold() uses PyErr_LDB_DN_OR_RAISE() pyldb: py_ldb_dn_extended_str() uses PyErr_LDB_DN_OR_RAISE() pyldb: py_ldb_dn_get_extended_component() uses PyErr_LDB_DN_OR_RAISE pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE pyldb: make py_ldb_dn_add_child() a bit less leaky pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE pyldb: make py_ldb_dn_add_base() a bit less leaky pyldb: py_ldb_dn_len checks dn and ldb validity pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE pyldb: catch up with README.Coding for some `PyArg_ParseTuple`s pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various functions pyldb: py_ldb_msg_richcmp() uses PyErr_LDB_MESSAGE_OR_RAISE() pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE pyldb: py_ldb_msg_contains() checks ldb equality pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE pyldb: py_ldb_msg_items checks for more errors pyldb: py_ldb_msg_elements uses PyErr_LDB_MESSAGE_OR_RAISE pyldb: py_ldb_msg_set_dn checks dn ldb equality ldb:pyldb: reorder structs for possible type-punning pyldb: normalise name of pyldb_Message_Check pyldb: add 
PyErr_internal_LDB_DN_OR_RAISE
      pyldb: add Dn.ldb accessor
      pyldb: add Message.ldb accessor
      s4:samba_upgradeprovision: align DN ownership
      pyldb: add dn.copy() python method.
      python:upgrade/upgradeprovision: use dn.copy to align ldbs
      pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb
      selftest: move some more expected failures to expectedfail.d
      ldb: avoid out of bounds read and write in ldb_qsort()
      lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
      util:tsort.h: add a macro for safely comparing numbers
      ldb: add NUMERIC_CMP macro to ldb.h
      ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
      ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
      s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
      s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
      s4: use numeric_cmp in dns_common_sort_zones()
      util:binsearch: user NUMERIC_CMP()
      torture:charset: use < and > assertions for strcasecmp_m
      torture:charset: use < and > assertions for strncasecmp_m
      torture:charset: test more of strcasecmp_m
      util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
      util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
      util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
      util:charset:codepoints: codepoint_cmpi warning about non-transitivity
      s3:libsmb:namequery: note intransitivity in addr_compare()
      s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
      lib/torture: add assert_int_{less,greater} macros
      util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
      ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
      ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
      util:datablob: avoid non-transitive comparison in data_blob_cmp()
      ldb: avoid non-transitive comparison in ldb_val_cmp()
      ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
      libcli/security: use NUMERIC_CMP in dom_sid_compare()
      libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
      s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
      s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
      s4:dns_server: use NUMERIC_CMP in rec_cmp()
      s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
      s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
      s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
      s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
      s3:smbcacls: use NUMERIC_CMP in ace_compare
      s3:util:sharesec ace_compare() uses NUMERIC_CMP()
      s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
      s4:dns_server: less noisy, more informative debug messages
      ldb:mod:sort: rearrange NULL checks
      ldb:sort: check that elements have values
      ldb:sort: generalise both-NULL check to equality check
      ldb:dn: make ldb_dn_compare() self-consistent
      s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
      s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
      s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
      dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
      s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
      gensec: sort_gensec uses NUMERIC_CMP
      lib/socket: rearrange iface_comp() to use NUMERIC_CMP
      s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
      s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
      s4:rpcsrv:samr: improve a comment in compare_msgRid
      ldb: comment for ldb_dn_compare_base
      s4:dsdb: fix spelling in comment
      ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
      ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure
      ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure
      ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
      ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
      ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
      ldb-samba:ldif_handlers: dn_link_comparison leaks less
      ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
      ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
      ldb:pytests: test for Turkic i-dots in ldb_comparison_fold
      ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
      ldb:utf8: ldb_ascii_toupper() avoids real toupper()
      ldb: avoid NULL deref in ldb_db_compare
      ldb:tests: add a test for dotted i uppercase
      s4:dsdb:util_trusts: describe dns_cmp return values
      s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
      ldb:tools: ldbsearch doesn't need ldb_qsort()
      s4:dsdb:mod: repl_md: make message_sort transitive
      s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort()
      s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort()
      s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
      lib:util:tests: more tests for codepoint_cmpi
      lib:util: codepoint_cmpi: be transitive and case-insensitive
      ldb-samba: ldif_write_schemaInfo() uses correct size
      pytest: sid_strings: use more reliable well known SID
      pytest: sid_strings: Windows does allow lowercase s-1-... SIDs
      pytest: sid_strings: adjust to match Windows 2016
      pytest: sid_strings: Samba DN object refuses sub-auth overflow
      ldb-samba: simplify ldif_comparison_objectSid()
      ldb-samba: simplify ldif_canonicalise_objectSid()
      ldb-samba: simplify extended_dn_read_SID()
      ldb-samba: remove unused ldif_comparision_objectSid_isString()
      ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
      ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
      ldb: note a transitivity problem in ldb_comparison_fold
      lib/fuzzing: add fuzz_stable_sort_r_unstable
      ldb-samba: ldif_read_objectSid() short-circuits without 'S'
      ldb-samba: ldif_read_objectSid avoids VLA
      spelling: fix spelling of privilege.ldb in comments
      spelling: comments: synthax -> syntax
      lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun
      s3:smbcacls: fix ace_compare
      ldb: add test_ldb_comparison_fold
      lib/util/charset: be explicit about INVALID_CODEPOINT value
      ldb: add a utf-8 comparison fold callback
      ldb: move ldb_comparison_fold guts into a separate function
      ldb: add ldb_set_utf8_functions() for setting casefold functions
      ldb: ldb_comparison_fold uses the utf-8 casecmp function
      ldb: add ldb_comparison_fold_ascii() for default comparisons
      ldb: ldb_comparison_fold_ascii sorts unsigned
      ldb: ldb_set_utf8_default() sets comparison function
      util:charset: add strncasecmp_ldb()
      util:charset: strncasecmp_ldb degrades to ASCII strncasecmp
      util:charset: strncasecmp_ldb avoids iconv for ASCII
      ldb-samba: add ldb_comparison_fold_utf8, wrapping strncasecmp_ldb
      ldb-samba: use ldb_comparison_fold_utf8()
      ldb: ldb_comparison_fold always uses the casecmp function
      ldb: remove old ldb_comparison_fold_utf8_broken()
      ldb: deprecate ldb_set_utf8_fns
      ldb: ldb_set_utf8_functions follows README.Coding
      ldb: don't cast to unsigned for ldb_ascii_toupper()
      lib/fuzzing: add fuzz_strncasecmp_ldb
      s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
      ldb: move struct ldb_utf8_fns to ldb_private.h
      ldb: move struct ldb_debug_ops to ldb_private.h
      selftest:dnshub: remove py2 compatibility code
      tdb:pytdb:_tdb_text: remove Py2 compatibility code
      talloc:pytest: remove tests that only test Python 2
      ldb-samba:pytest: remove unused variable
      tdb:pytests: remove unused Py2 test branches
      buildtools: remove Python2 compatibility
      python/common: remove verbiage about old python versions
      python:smb tests: remove py2 compatibility code
      pidl:Typelist: resolveType(): don't mistake a reference for a name
      pidl:python: properly raise exception in ConvertObjectFromPythonData
      pidl:python: Exception if unconvertable in ConvertObjectToPythonLevel
      buildtools:pidl: avoid hash randomisation in pidl
      examples:winexe: more efficient C array generation, no py2
      examples:winexe: reproducible builds with zero timestamp
      examples:winexe: embed Samba version as exe timestamp
      s3/torture: local_rbtree: avoid birthday collisions
      fuzzing: fix fuzz_stable_sort_r_unstable comparison
      samba-tool user readpasswords: avoid `assert` for validation
      s4/pytest: remove py2 str/bytes workaround in getnc_exop
      pytest: remove py2 str/bytes workaround in py_credentials
      pytest: remove py2 str/bytes workaround in dns_base
      pytest: remove py2 str/bytes workaround in lsa_utils
      pytest: remove py2 str/bytes workaround in samr_change_password
      pytest: remove py2 str/bytes workaround in auth_log_samlogon
      py:emulate: remove py2 str/bytes workaround in traffic
      py:emulate: remove py2 str/bytes workaround in traffic_packets
      python:join: avoid useless use of py2-compat string_to_byte_array
      python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
      samba-tool domain trust: avoid useless use of string_to_byte_array
      pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
      samba-tool ldapcmp: remove a dodgy unused method
      python: remove string_to_byte_array()
      buildtools: sanitise strange characters in vendor strings
      build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
      docs-xml:manpages: allow for longer version strings
      cmdline:burn: '-U' does not imply secrets without '%'
      selftest: run the cmdline tests that we already have
      cmdline:tests: extend cmdline_burn tests
      cmdline:burn: do not retain false memories
      cmdline:burn: handle arguments separated from their --options
      cmdline:burn: always return true if burnt
      cmdline:burn: localise some variables
      cmdline:burn: do not burn options starting --user-*, --password-*
      cmdline: test_cmdline tests more burning
      cmdline:burn: use allowlist to ensure more passwords burn
      cmdline:burn: explicitly burn --username
      cmdline:burn: add a note about short option combinations
      cmdline: samba-tool test for bad option warning
      cmdline:burn: list commands to always burn; warn on unknown
      libcli:security: allow spaces after BAD:
      tdb: fix compilation with TDB_TRACE=1
      tdb: allow tracing of internal tdb
      ldb_kv_cache: always initialise dn_list.strict
      ldb:ldb_kv_dn_list_find_val: check for int overflow
      ldb_kv_index: dn_list load sub transaction can re-use keys
      ldb:kv_index: realloc away old dn list
      ldb:kv_index: don't recalculate a length
      ldb:kv_index: subtransaction_cancel: check for nested tdb
      ldb:kv_index: use subtransaction_cancel in transaction_cancel

Earl Chew (4):
      Augment library_flags() to return libraries
      Improve CHECK_LIB interaction with CHECK_PKG
      Combine ICU libraries icu-i18n and icu-uc into a single dependency
      Restore empty string default for conf.env['icu-libs']

Günther Deschner (5):
      s3-librpc: merge two PIDL lists
      pidl: fix trailing double-quote on last line of s3 server stubs
      pidl: add "return ENOTSUP" for int return type in s3 template
      ctdb/ceph: Add optional namespace support for mutex helper
      ctdb/docs: Include ceph rados namespace support in man page

Jeremy Allison (3):
      s3: smbd: smb2-posix: Add SAMBA_XATTR_REPARSE_ATTRIB "user.SmbReparse" name.
      s3/torture: Add test for widelink case insensitivity on a MSDFS share.
      s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Jo Sutton (267):
      python: Remove ‘typing.Final’
      ldb: Fix code spelling
      lib:util: Remove trailing whitespace
      libcli/security: Make ‘replace_sid’ parameter const
      librpc:idl: Remove trailing whitespace
      librpc:idl: Fix code spelling
      s3:smbd: Fix code spelling
      s4:dsdb: Remove duplicate userAccountControl array entry
      s4:libcli: Remove unnecessary uses of discard_const_p()
      s4:auth: Fix code spelling
      s4:dsdb: Remove trailing whitespace
      s4:dsdb: Fix code spelling
      s4:dsdb: Correct NDR push error message
      s4:dsdb: Remove trailing whitespace
      s4:dsdb: Correct reference to source file
      s4:dsdb: Mark hash returned by samdb_result_hash() as secret
      s4:dsdb: Avoid buffer overflow in samdb_result_hashes()
      s4:dsdb: Fix code formatting
      selftest: Fix code spelling
      python:tests: Produce more helpful error message for future GKIDs
      lib:crypto: Fix code formatting
      lib:crypto: Export gkid_key_type() and gkid_is_valid()
      lib:crypto: Comment on GKDI definitions
      lib:crypto: Explicitly check for zero
      s4:dsdb: Add helper functions to get GKDI root key DNs
      python:tests: Fix code spelling
      python:tests: Pass correct arguments to set_named_ccache()
      samba-tool: Display friendlier error message if no password is available
      testprogs:blackbox: Fix code spelling
      s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search
      lib:util: Remove inaccurate comment
      ldb: Remove trailing whitespace
      ldb: Simplify ldb_errstring()
      ldb: Fix code spelling
      python: Reformat nt_time.py
      lib:compression: Update my name
      s4:kdc: Remove ‘attrs’ parameter from samba_kdc_lookup_server()
      python:tests: Remove unused imports
      s4:dsdb: Check return value of talloc_new()
      s4:dsdb: Undefine helper macro
      s4:dsdb: Allocate NT hash on to more appropriate memory context
      s4:dsdb: Split out function to create a ‘password set’ ldb request
      s4:dsdb: Remove reference to now‐gone lmNewHash parameter
      s4:dsdb: Remove unused ‘domain_dn’ parameter
      mailmap: Associate my identity with my old email address
      s4:dsdb: Remove duplicate word
      s4:dsdb: Remove trailing whitespace
      s4:dsdb: Make array static
      s4:dsdb: Add ‘ares’ parameter to operational attribute constructor functions
      s4:dsdb: Fix code formatting
      s4:setup: Remove empty line
      s4:dsdb: Add dsdb control indicating that gMSA passwords are to be updated
      s4:dsdb: Include missing headers
      s4:dsdb: Add search flag indicating that gMSA passwords are to be updated
      s4:dsdb: Add dsdb_werror() macro
      ldb: Remove trailing whitespace
      ldb: Correct copy‐and‐pasted comments
      ldb: Split out ldb_controls_get_control() to search a list of controls
      ldb: Fix documentation typos
      lib:crypto: Add more GKDI functions
      lib:crypto: Add functions for deriving gMSA passwords
      lib:crypto: Add test for GMSA password derivation
      pidl: Do not call mapTypeName() on expression
      s3:passdb: Remove trailing whitespace
      s3:passdb: Make array of strings static
      s3:passdb: Reformat array of strings
      s3:passdb: Reformat long line
      s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
      s4:dsdb: Remove unused includes
      s4:dsdb: Add function to create a GMSA password update request
      s4:dsdb: Remove redundant include
      s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h
      s4:dsdb: Add function to determine whether we have system access
      s4:dsdb: Make use of dsdb_have_system_access()
      s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password
      libcli/security: Include missing headers
      s4:ldap_server: Remove trailing whitespace
      libcli/security: Make ‘session_info’ parameter const
      s4:dsdb: Fix grammar
      tests/krb5: type hinting
      tests/krb5: Move assertLocalSamDB() into RawKerberosTest
      python: Fail the test if we don’t receive an NTSTATUSError
      s4:rpc_server: Remove trailing whitespace
      lib:util: Correctly determine whether a character needs to be escaped
      lib:util: Fix printing hex‐escaped characters
      s4:rpc_server: Make some arrays static
      third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
      lib:crypto: Add error checking to GKDI key start time calculation
      lib:crypto: Correct GKDI interval start time calculation
      lib:crypto: Check for overflow in GKDI rollover interval calculation
      s4:dsdb: Add functions for GKDI root key creation
      ldb: Add tests for Python set_opaque() and get_opaque()
      ldb: Pass a supported opaque type to ldb.set_opaque()
      ldb: Remove trailing whitespace
      ldb: Update ldb.set_opaque() to accept only supported types
      ldb: Update ldb.get_opaque() to return talloc‐managed opaque values
      s4:auth: Fix grammar in error message
      python:tests: Use Managed Service Accounts well‐known GUID
      python:tests: Simplify expression
      s4:auth: Allocate strings on shorter‐lived memory context
      python:tests: Fix code spelling
      python: Correctly qualify strptime()
      python: Type ‘format’ parameter as optional
      s4:libnet: Fix code spelling
      python: Correct time conversion function name
      python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
      tests/krb5: Allow specifying SamDB to use when creating an account
      auth:credentials: Remove trailing line
      auth:credentials: Remove unused include
      s4:auth: Update error messages
      tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
      tests/krb5: Fix PK-INIT test framework to allow expired password keys
      s4:ldap_server: Remove trailing whitespace
      s4:ldap_server: Fix code spelling
      s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
      s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
      s4:ldap_server: Store whether an LDAP connection is over ldapi
      s4:ldap_server: Consider ldapi connections to be encrypted
      python:tests: Replace deprecated method assertRaisesRegexp()
      python:tests: Fix set declaration
      python:tests: Reformat code
      python:tests: Fix typo
      tests/krb5: Remove unused import
      tests/krb5: Fix code spelling
      tests/krb5: Remove unused variable
      tests/krb5: Make use of ‘expect_edata’ parameter
      tests/gkdi: Allow current time to be overridden
      tests/gkdi: Remove implicit clock skew offset
      tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
      python:gkdi: Add notes on GKDI time periods
      python:gkdi: Add Gkdi.from_key_envelope() method
      python:gkdi: Reformat code with ‘ruff’
      python:nt_time: Add NT_TIME_MAX constant
      tests/krb5: Add tests for gMSAs
      lib:crypto: Reformat source code
      s4:dsdb: Factor out a function to remove all password related attributes
      s4:dsdb: Add functions for Group Managed Service Accounts implementation
      s4:dsdb: Set up passwords and password IDs of new gMSAs
      selftest: Expand out knownfails for gMSA getpassword tests
      python:tests: Catch failures to authenticate with gMSA managed passwords
      s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
      s4:dsdb: Implement msDS-ManagedPassword attribute
      ldb: Check result of py_ldb_msg_keys()
      tests/krb5: Skip loop iteration if attribute has no values
      tests/krb5: Extract method to unpack supplementalCredentials blob
      tests/krb5: Import MAX_CLOCK_SKEW more directly
      tests/krb5: Add tests that gMSA keys are updated in the database when appropriate
      s4:dsdb: Explicitly return success error code
      s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()
      s4:dsdb: Add a note that administrators should not set the clock too far in the future
      s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate
      s4:dsdb: Store account DN as part of gMSA update structure
      s4:dsdb: Store found managed password ID as part of gMSA update structure
      s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed
      s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
      s4:dsdb: Add dsdb_update_gmsa_keys()
      python: Reformat code
      auth:credentials: Fix code spelling
      auth:credentials: Remove unnecessary declaration
      s4:kdc: Fix grammar
      pyglue: Remove unnecessary declaration
      s4:kdc: Remove unnecessary cast
      tests/krb5: Fix malapropism
      tests/krb5: Note that lockout tests use password checks
      s4:kdc: Correctly extract older NT hash
      s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
      s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
      lib:crypto: Add more unit tests for GKDI functions
      s4:dsdb:tests: Make use of ‘ldb’ parameter
      s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
      tests/krb5: Test retrieving a denied gMSA password over an unsealed connection
      ctdb: Ensure ‘ret’ is always initialized
      ctdb: Report errors from getline()
      lib:crypto: Fix Coverity build
      ldb: Remove unnecessary declaration
      tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
      s4:auth: Export AES128 gMSA keys along with AES256 keys by default
      python: Move get_admin_sid() to SamDB
      s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
      s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
      python:gkdi: Add helper methods returning previous and next GKIDs
      python:tests: Store keys as bytes rather than as tuples
      python:tests: Rewrite condition of while loop
      python:tests: Store keys as bytes rather than as lists of ints
      auth:credentials: Check for NT hash being NULL
      lib:fuzzing: Remove unused variable
      lib:fuzzing: Fix undefined shift
      s4:dsdb: Remove trailing whitespace
      s4:dsdb: Fix code spelling
      s4:setup: Update name of dsdb password change control
      s4:libcli: Fix code spelling
      s4:libcli: Add more controls to our list of known controls
      python:tests: Remove unused netlogon connection parameter
      python:tests: Remove unnecessary ‘pass’ statement
      python:tests: Pass ServerPasswordSet2() parameters in correct order
      tests/krb5: Read current time from correct SamDB
      tests/krb5: Add quantized_time() method
      tests/krb5: Make use of gmsa_series_for_account() method
      tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
      tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
      s4:dsdb: Let dsdb gMSA time influence pwdLastSet
      s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
      tests/krb5: Test performing NTLMSSP logons at different times
      tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
      tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
      tests/krb5: Test viewing gMSA passwords after performing simple binds
      tests/krb5: Add more tests for gMSAs
      s4:libnet: Remove trailing whitespace
      s4:libnet: Remove unnecessary declarations
      lib:crypto: Add constant denoting maximum GKDI clock skew in minutes
      s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
      s4:dsdb: Remove redundant user flags macro
      s4:dsdb: Add userAccountControl helper function
      s4:dsdb: Make use of userAccountControl helper function
      s4:dsdb: Do not set lockoutTime for trust accounts
      s4:dsdb: Make map containing default attribute values static
      s4:kdc: Initialize pointer variable just in case (CID 1596762)
      s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
      s4:kdc: Initialize local variable just in case (CID 1596759)
      tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
      third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
      s4:kdc: Remove trailing whitespace
      s4:kdc: Implement KDC plugin hardware authentication policy
      third_party/heimdal: Import lorikeet-heimdal-202405220400 (commit 8276d6311146b8ab5d57d092bc5d5fa28282a900)
      python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method
      python:tests: Manually raise AssertionError
      python:tests: Extract keytab_as_set() function to be usable by other tests
      s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()
      s4:libnet: Update export_keytab() docstring
      s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
      tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover
      s4:kdc: Merge current and previous gMSA keys during period when both are valid
      s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
      s3:rpc_server: Check function code according to MS-NRPC
      s3:rpc_server: Check query level according to MS-NRPC
      ldb: Fix typo
      tests/krb5: Make use of update_password() method
      s4:dsdb: Use talloc_get_type_abort()
      tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
      tests/krb5: Calculate correct gMSA password to fix flapping test
      ldb: Attach appropriate ldb context to returned result
      s4:auth: Add common out path to authsam_reread_user_logon_data()
      s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
      s4:dsdb: Remove trailing whitespace
      s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
      tests/krb5: Allow creation of disabled accounts for testing
      tests/krb5: Add tests for errors produced when logging in with unusable accounts
      third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
      third_party/heimdal: Import lorikeet-heimdal-202406270253 (commit cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)
      tests/krb5: Fix type errors by giving ‘pwd_last_set’ an appropriate type
      tests/krb5: Simplify code using dict.get()
      s3:param: Check return value of strlower_m() (CID 1598446)
      s4:auth: Use appropriate type for userAccountControl flags
      s4:dsdb: Use appropriate type for userAccountControl flags
      pyglue: Remove global variables used in only one place
      s3:rpc_server: Update deprecated directives
      perftest:ndr_pack_performance: Remove unused import
      perftest:ndr_pack_performance: Remove obselete comment
      lib:crypto: Remove unused macro definitions
      s3:rpc_server: Fix code spelling
      s4:auth: Correct order of parameters in documentation
      lib:krb5_wrap: Fix code spelling
      s4:dsdb: Remove unnecessary MIN()
      s3:smbd: Avoid compiler warning for unused label
      selftest: Consolidate MIT Kerberos knownfails into a single file
      selftest: Move Heimdal Kerberos knownfails to separate files in their own directory
      selftest: Move MIT Kerberos knownfails to separate files in their own directory

John Thacker (15):
      pidl:Wireshark Use proto_tree_add_bitmask_with_flags
      pidl:Wireshark Fix array of pointers NULL termination
      pidl:Wireshark Get rid of Boolean "flags" with no bit set
      pidl:Wireshark Rename tvb_new_subset()
      pidl:Wireshark Fix the type of array of pointerse to hf_ values
      Revert "pidl: Use non-existent function dissect_ndr_int64()"
      pidl: Update Wireshark generated DRSUAPI code
      pidl: Wireshark: Remove init of proto variables
      pidl: Wireshark: Don't initialise static hf and ett variables.
      pidl: Wireshark: Const-ify dcerpc_sub_dissector structures.
      pidl: Wireshark: Update test for removal of ett initialization
      pidl: Wireshark: Convert the pidl dissector generation code to C99 types
      pidl: Wireshark: Remove init of proto variables
      pidl: Wireshark: Don't assign hash undef, assign it an empty array
      pidl: Wireshark: Another C99 type conversion

Jones Syue (1):
      s3:ntlm_auth: make logs more consistent with length check

Jule Anger (6):
      VERSION: Bump version up to 4.21.0pre1...
      WHATSNEW: Start release notes for Samba 4.21.0pre1.
      ldb: change the version to 2.10.0 for Samba 4.21
      samba-tool: add "samba-tool user list --locked-only"
      selftest: add tests for "samba-tool user list --locked-only"
      tdb: version 1.4.11

Martin Schwenke (47):
      ctdb-protocol: Add missing push support for new controls
      ctdb-tests: Limit red-black tree test to 5s of random inserts
      ctdb-daemon: Use ctdb_event_to_string()
      ctdb-common: Remove unused variable ctdb_eventscript_call_names.
      ctdb-common: Remove old runstate/string translation functions
      ctdb-scripts: Do not de-duplicate the interfaces list
      ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
      ctdb-scripts: Avoid ShellCheck warning SC2162
      ctdb-scripts: Improve documentation
      ctdb-scripts: Reformat with shfmt -w -p -i 0 -fn
      ctdb-scripts: Move ctdb.tdb attach to statd-callout
      ctdb-scripts: Avoid globally changing to queue directory
      ctdb-scripts: Move state directory creation to "startup" action
      ctdb-scripts: Add caching function for public IPs
      ctdb-tests: Default PNN is 0
      ctdb-scripts: Avoid connecting to ctdbd in add-client/del-client
      ctdb-scripts: Set ownership of statd-callout state directory
      ctdb-scripts: Use find_statd_sm_dir() in one more place
      ctdb-scripts: No longer run statd-callout under sudo
      ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
      ctdb-scripts: Quote variable expansions
      ctdb-scripts: Change NFS-Ganesha PID file location
      ctdb-scripts: Fix usage message
      ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE
      ctdb-scripts: Improve NFS-Ganesha export path extraction
      ctdb-scripts: Improve service PID check
      ctdb-scripts: Check NFS-Ganesha is running before attempting grace
      ctdb-scripts: Protect against races when starting grace period
      ctdb-scripts: Add service_stats_command variable to NFS checks
      ctdb-scripts: Implement NFS statistics retrieval for NFS-Ganesha
      ctdb-doc: Add example for NFS-Ganesha RPC checking
      ctdb-scripts: Fail monitoring after 1 x NFS-Ganesha not running
      ctdb-doc: Drop unnecessary, broken attempt at rpc.statd stack trace
      ctdb-failover: Split statd_callout add-client/del-client
      ctdb-conf: Move all conf files to new conf/ subdirectory
      ctdb-conf: Move conf.[ch] to conf/ subdirectory
      ctdb-conf: Rename config loading to not be daemon-specific
      ctdb-tests: Add more reloadnodes unit tests
      ctdb-tests: Correctly handle adding a deleted node at the end
      ctdb-build: Remove unused dependencies on ctdb-util
      ctdb-protocol: Move definition of CTDB_PORT to protocol
      ctdb-conf: Add a common node address handling module
      ctdb-tools: Use ctdb_read_nodes() in the ctdb tool
      ctdb-tests: Use ctdb_read_nodes() in the fake ctdbd
      ctdb-protocol: Move ctdb_node_map_* to protocol_api.h
      ctdb-daemon: Use ctdb_read_nodes() in ctdbd
      ctdb-daemon: Use ctdb_parse_node_address() in ctdbd

MikeLiu (1):
      smbd: Ensure we grant owner sid in check_parent_access_fsp()

Noel Power (25):
      librpc/wsp: Unknown property used in 'current directory' searches
      librpc/idl: fix typo in wsp_csort member
      librpc/idl: remove duplicate definitition
      s3/rpc_client: change type of offset to uint64_t
      s3/rpc_client: Remove stray unnecessary comment
      s3/utils: use full 64 bit address for getrows (with 64bit offsets)
      s3/rpc_client: cleanup unmarshalling of variant types from row columns
      idl: Add constant for max rows buffer size
      s3/rpc_client: Ensure max possible row buffer size is not exceeded
      s3/rpc_client: Fix array offset check
      s3/smbd: If we fail to close file_handle ensure we should reset the fd
      Add simple http_client for use in black box tests (in following commits)
      selftest: Add basic content-lenght http tests
      libcli/http: Optimise reading for content-length
      tests: add test for chunked encoding with http cli library
      libcli/http: Handle http chunked transfer encoding
      selftest: fix potential reference before assigned error
      selftest: Add new test for testing non-chunk transfer encoding
      libcli/http: Detect unsupported Transfer-encoding type
      s4/torture: Prepare to handle Level 4 check with unknown func code
      s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
      s3/rpc_server: Fix dereference of client pointer
      selftest: Add a python blackbox test for some misc (widelink) DFS tests
      s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
      doc: Update codeing guidelines for struct initialisation

Oliver Mihatsch (1):
      Extended the documentation for the "tls certfile" parameter in the smb.conf.

Pavel Filipenský (51):
      s3:libads: Trace ldap search base/filter/scope
      docs-xml: Add parameter all_groupmem to idmap_ad
      s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
      selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
      tests: Add a test for "all_groups=no" to test_idmap_ad.sh
      s3:libsmb: Fix panic in cliconnect.c
      smbdotconf: Enable "winbind debug traceid" by default
      python/tests: Fix nlink test in smb3unix on btrfs filesystem
      s3:winbindd: Use TDB_REPLACE in tdb_store
      s3:winbindd: Update non cache entries keys (non_centry_keys)
      s3:utils: Initialize DATA_BLOB blob
      s3:rpcclient: Initialize spoolss_DriverDirectoryInfo info
      s3:registry: Initialize struct security_ace ace[]
      s4:torture: Initialize struct smb2_handle consistently in lease.c
      s3:rpc_server: Initialize array struct security_ace ace[]
      .gitlab-ci-main.yml: Add safe.directory '*'
      docs-xml: Mention winbind consistently in samba-dcerpcd.8
      python:tests: Fix spelling in to test_samba_dnsupdate_no_change
      s3:librpc: Fix a typo in DEBUG text
      libnet: Fix debug text
      s3:lib: Fix a typo in MACRO
      s3:lib: Merge library trusts_util into library ads
      docs:smbdotconf: Add parameter 'sync machine password to keytab'
      docs:smbdotconf: Add parameter 'sync machine password script'
      s3:testparm: Add check for "sync machine password to keytab" to testparm
      krb5_wrap: Add TRACE SUPPORT for keys operations
      s3:libads: Use the TRACE SUPPORT for keys operations
      s3:libads: Request "msDS-KeyVersionNumber" from ads_find_machine_acct()
      s3:lib: Sync machine password to keytab: helper functions
      s3:ads: Do not update system keytab from "net ads changetrustpw"
      s3:ads: Remove 'kerberos method' warning for 'net ads keytab' functions
      s3: Sync machine account password in secrets_{prepare,finish}_password_change
      s3:libnet: Sync keytab during libnet_join_create_keytab()
      s3:utils: Change net_ads_keytab_create() to call sync_pw2keytabs()
      selftest: Add "sync machine password to keytab" to env. ad_member_idmap_nss
      selftest: Add tests for keytab update
      testprogs: Remove "keytab add", "keytab delete" and "keytab add_apdate_ads" related tests from test_net_ads.sh
      testprogs: Remove upn related test from test_net_ads.sh
      testprogs: Use "HOST' instead of 'host' in test_net_ads.sh
      testprogs: Remove dnshostname related test from test_net_ads.sh
      testprogs: Remove alias test from test_net_ads.sh
      s3:libads: Remove ads_keytab_create_default & friends
      s3:utils: Remove from "net ads keytab": "add", "delete" and "add_update_ads"
      s3:libads: Call 'sync machine password script' when machine password is updated
      ctdb:events: Add 46.update-keytabs.script for 'recovered' event
      s3:script: clustered samba: Add script updatekeytab.sh
      script: clustered samba: Build samba-ctdb with ad-dc support
      selftest: Rename nt4_dc_vars -> dcvars in setup_clusteredmember
      selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
      selftest: Add tests for keytab update in clustered samba
      WHATSNEW: Automatic keytab update after machine password changes

Ralph Boehme (37):
      smbd: simplify handling of failing fstat() after unlinking file
      third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
      selftest: remove check for $no_delete_prefix
      selftest: setup "simpleserver" testenv specific directories after calling provision()
      selftest: setup "fileserver" testenv specific directories after calling provision()
      selftest: ensure the "fileserver" test environment is removed before provisioning
      selftest: remove net groupmap delete stuff
      s3/lib: remove name_compare_entry typedef
      s3/lib: move path_to_strv() to util_path.c
      s3/lib: modernize set_namearray()
      smbd: move target code out of loop body
      smbd: prepare free_conn_session_info_if_unused() for more cleanup logic
      smbd: maintain veto_list and hide_list in the vuid cache
      s3/lib: move set_namearray() to util_namearray.c
      selftest: add groups "group1" and "group2" to Samba3
      smbd: move token_contains_name() to util_namearray.c and make it public
      s3/lib: add per-user support to set_namearray()
      CI: fix test file cleanup
      CI: add a test for per-user (and per-group) veto files
      winbindd: rename variable old_status to was_online in wb_cache_name_to_sid()
      winbindd: reformatting
      winbindd: collapse two if expressions
      winbindd: properly initialize sid and type in wb_cache_name_to_sid()
      libwbclient: add error WBC_ERR_NOT_MAPPED
      libwbclient: prepare wbcCtxLookupName() for dealing with WBC_SID_NAME_UNKNOWN
      winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names
      s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED
      s3-errormap: move map_nt_error_from_wbcErr() back into errormap.c
      s3-errormap: add WBC_ERR_NOT_MAPPED -> NT_STATUS_NONE_MAPPED
      s3/passdb: add winbind_lookup_name_ex()
      s3/passdb: use winbind_lookup_name_ex() in lookup_name() instead of winbind_lookup_name()
      s3/passdb: factor out lookup_name_internal()
      s3/passdb: add lookup_name_smbconf_ex() using lookup_name_internal()
      s3/lib: use lookup_name_smbconf_ex() in token_contains_name()
      smbd: return errors from token_contains_name()
      s3/lib: return error from set_namearray()
      WHATSNEW.txt: document "veto files" and "hide files"

Rob van der Linde (146):
      python: do not make use of typing.Final for python 3.6
      netcmd: models: fix docstring was missing param
      netcmd: models: enums and constants also brought forward
      netcmd: models: change import style to use brackets
      netcmd: models: check for None in build_expression instead
      netcmd: models: EnumField now also supports IntFlag
      netcmd: models: add AccountType IntFlag field
      netcmd: models: add AccountType enum to User model
      netcmd: models: move expression code to Field class
      netcmd: models: fix BooleanField filtering didn't work on FALSE value
      netcmd: models: fix build_expression did not work with EnumField
      netcmd: models: fix build_expression on SIDField handles security.dom_sid
      netcmd: models: move enum import to correct place
      netcmd: models: model field DateTimeField returns datetime in UTC
      netcmd: models: add new NtTimeField model field
      netcmd: models: tests: add tests for NtTimeField
      netcmd: models: mark some hidden fields on the base Model as readonly
      libds: remove unreachable break statements after return
      netcmd: support hyphens in top-level commands and convert to underscore
      netcmd: json encoder supports security descriptor objects
      netcmd: bugfix: json encoder failed to call super method
      netcmd: delegation: pep8 fix blank lines
      netcmd: delegation: move line down where it gets used
      netcmd: delegation: initial value not required because of raise below
      netcmd: delegation: don't use assert but raise CommandError
      netcmd: models: SDDLField parses to object instead of string
      netcmd: models: SDDLField move line down where it gets used
      netcmd: models: rename DoesNotExist exception to NotFound
      netcmd: models: stop using LookupError exception and change it to NotFound
      netcmd: models: add Computer model subclass of User
      netcmd: models: make Group.system_flags a flags based EnumField
      netcmd: models: add missing enum fields to Group model
      netcmd: models: add missing fields to User model
      netcmd: models: add GroupManagedServiceAccount model
      netcmd: models: add default SDDL to group_msa_membership
      netcmd: models: Remove unused groups_sddl method from User model
      netcmd: models: avoid fetching each user in trustees method
      netcmd: models: make GroupManagedServiceAccount.trustees a property
      netcmd: models: gmsa trustees property only looks at allowed aces
      netcmd: models: gmsa trustees update docstring and incorrect return type
      netcmd: models: gmsa move GroupManagedServiceAccount model to gmsa.py
      netcmd: models: gmsa GroupManagedServiceAccount inherits from Computer
      netcmd: models: gmsa move find method to Computer model
      netcmd: models: update docstring of Computer.find method
      netcmd: models: move MODELS constant to constants.py to avoid import loop
      netcmd: models: make MODELS constant keyed by object class instead
      netcmd: shell: show Models subheading
      netcmd: models: move group msa membership default to constants
      netcmd: models: set the default for managed password interval on the model
      netcmd: models: Query.first and Query.last should use count from instance
      netcmd: models: Model.get_object_class returns top instead of None
      netcmd: models: ModelMeta no longer needs to inherit from ABCMeta
      netcmd: models: bring Model class forward into module
      netcmd: models: move object_sid field from User to base Model
      netcmd: models: ModelMeta needs to also set fields and meta if class is Model
      netcmd: models: Model.query adds optional polymorphic flag for returning specific class types
      netcmd: models: setting kwarg to None should use field default
      netcmd: models: model __json__ method should call as_dict instead
      netcmd: add newline before epilog so there is a space between
      netcmd: properly show command name in show help
      python: sd_utils: pep8 fix spacing around
      python: sd_utils: remove redundant brackets around simple assert statements
      python: sd_utils: pep8 import sorting
      selftest: aces: use constant from samba.security
      selftest: aces: fix mutable default args in assemble_ace
      python: models: Computer constructor automatically adds "$" to account name
      netcmd: gmsa: base cli commands for group managed service accounts
      netcmd: gmsa: cli commands for managing group msa membership
      netcmd: tests: add tests for service-account commands
      netcmd: models: move add trustee code to the GMSA model
      netcmd: models: move remove trustee code to the GMSA model
      netcmd: silos: silo and auth policy commands use print
      netcmd: silos: silo and auth policy commands use Query class better
      netcmd: models: Model.from_message should be internal
      netcmd: models: Rename method to Query._from_message for consistency
      netcmd: models: Add a repr method to Query for help in the shell
      netcmd: models: Add Person and OrganizationalPerson
      netcmd: models: Add optional base_dn argument to Model.query method
      netcmd: models: Rename username to account_name for consistency
      netcmd: models: rename lookup methods to find for consistency
      netcmd: claims: tidy up, avoid setting enabled twice
      netcmd: models: ClaimType: move all dunder methods to the top for consistency
      netcmd: models: Create ClaimType in the model layer instead
      python: samdb: Move get_connecting_user_sid to samdb
      python: samdb: Make connecting_user_sid a property
      netcmd: models: User.find also tries object_sid
      netcmd: models: add User.get_sid_for_principal helper
      netcmd: models: allow scope to be overridden in query
      netcmd: models: improve Computer constructor adding "$" handling
      netcmd: gmsa: create should allow custom SDDL
      netcmd: gmsa: fix typo if trustee is not found
      netcmd: gmsa: add_trustee and remove_trustee change argument to sid
      netcmd: gmsa: add and remove don't fetch trustee if it is a SID
      netcmd: gmsa: show viewers also works if SID is not found
      python: create domain module to move models into
      python: move models out of the netcmd package
      python: pep8: fix import sorting after move
      python: models: add kwargs to __json__ and as_dict methods
      python: models: add Container model
      python: fix json
encoder should handle Exception tests: samdb: Make use of the domain_sid property tests: user: gmsa dNSHostName is a required field tests: user: fix PEP8 spacing around operator tests: user: create gmsa with models tests: models: fix username should be account_name tests: models: test additional Computer constructor cases tests: gmsa blackbox tests python: domain: models: as_dict() should also exclude empty list fields python: tests: computer model tests should clean up python: tests: write a test for the Model.as_dict method python: domain: models: add children method to return a models direct children python: domain: models: MODELS lookup does need to include base Model for shell command python: domain: models: move MODELS to registry.py because it's not really a constant python: domain: models: move OrganizationalPerson to org.py python: domain: models: add OrganizationalUnit container model netcmd: gmsa: improve descriptions of --dns-host-name and match docs netcmd: docs: add documentation for service-account base command netcmd: docs: add documentation for service-account group-msa-membership commands netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device" netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing netcmd: docs: consistently put <constant> around GROUP and SILO netcmd: docs: add section headings for auth policies and silos netcmd: auth silo: turn silo.py into module netcmd: auth silo: move silo_member.py into silo module netcmd: auth silo: extract silo base commands into silo.py netcmd: auth policy: turn policy.py into module netcmd: auth policy: extract policy base commands into policy.py netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group netcmd: auth policy: add user-allowed-to-authenticate-to subcommands netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group netcmd: auth 
policy: add service-allowed-to-authenticate-to subcommands netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group netcmd: auth policy: add user-allowed-to-authenticate-from subcommands netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group netcmd: auth policy: add service-allowed-to-authenticate-from subcommands netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group netcmd: docs: update documentation for new auth policy command structure python: tests: fix closing quote in docstring example python: tests: type check should always use "is" or "is not" python: lint: remove unused imports in claims and gmsa commands python: lint: fix pylint R1720 unnecessary "raise" after "else" netcmd: fix broken shell command missing Model python: models: rename argument ldb to samdb python: models: add get_primary_group method to User model selftest: add test for User.get_primary_group method

Shachar Sharon (8):
vfs_ceph: improve readability of cephwrap_realpath vfs_ceph: align lines-length with coding standard vfs_ceph: re-map unimplemented hooks vfs_ceph: use talloc in realpath hook vfs_ceph: replace WRAP_RETURN macro with convenience helpers vfs_ceph: adjust code-style of cephwrap_disk_free vfs_ceph: explicit cast to uint64_t upon failure of ceph_statfs vfs_ceph: use consistent code style when setting errno

Shaleen Bathla (4):
s3: winbindd: remove double initialization s3: winbindd: reduce scope of a variable s3: winbindd: assign rangenum member after NULL check s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs

Stefan Metzmacher (295):
ctdb/events: use 'service "$CTDB_SERVICE_NMB" status' in 48.netbios.script ctdb/events: add 47.samba-dcerpcd.script s3:utils: fix help string for 'net witness force-response' docs-xml: add details for 'net witness' smb2_tcon: only announce SMB2_SHARE_CAP_CLUSTER if rpcd_witness can run smb2_tcon: only announce SMB3 related share capabilities if SMB3 is
used docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" s3:include: let nameserv.h be useable on its own s3:include: split out fstring.h s3:wscript: LIBNMB requires lp_ functions s3:libsmb/unexpected: don't use talloc_tos() in async code s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}() s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL libcli/nbt: add nbt_name_send_raw() s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages s4:libcli/dgram: make use of socket_address_copy() s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs s4:nbt_server: simulate nmbd and provide unexpected handling s3:libads: avoid changing ADS->server.workgroup s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages s3:winbindd: use better debug messages than 'talloc_strdup failed' s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() auth/credentials: don't call talloc_free(ccache_name) on callers memory s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST lib/cmdline: only call cli_credentials_get_password_and_obtained if needed python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... 
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags() s3:rpc_client: pass struct rpc_pipe_client to check_bind_response() s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context s3:rpc_client: implement bind time feature negotiation tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid s4:libcli/ldap: fix no memory error code in ldap_bind_sasl() s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl() s4:lib/tls: remove tstream_tls_push_trigger_write step s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed s4:lib/tls: assert that event contexts are not mixed s4:lib/tls: split out tstream_tls_prepare_gnutls() s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS s4:lib/tls: include a TLS server name indication in the client handshake s4:lib/tls: split out tstream_tls_verify_peer() helper s4:lib/tls: add tstream_tls_params_client_lpcfg() s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg() s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg() s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg() lib/crypto: add legacy_gnutls_server_end_point_cb() if needed s4:lib/tls: add tstream_tls_channel_bindings() third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847) wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG auth/gensec: add gensec_set_channel_bindings() function auth/ntlmssp: implement channel binding support s4:gensec_gssapi: implement channel binding support s3:crypto/gse: implement channel binding support s4:ldap_server: add support for tls channel bindings s4:libcli/ldap: add tls channel binding support for 
ldap_bind_sasl() selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding} WHATSNEW: document ldap_server ldaps/tls channel binding support s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c s3:libads: remove unused include of gensec_internal.h s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code s4:ldap_server: remove unused include of gensec_internal.h docs-xml: add 'tls trust system cas' and 'tls ca directories' options s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}() s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag() s3:tldap: simplify tldap_gensec_bind.h s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv s3:tldap: store plain and gensec tstream s3:tldap: add tldap_extended* s3:tldap: make tldap_gensec_bind_send/recv public s3:tldap: add support for [START]TLS s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms s3:libads: directly use kerberos without asking the server s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind() s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind() s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF s4:lib/tls: add tstream_tls_sync_setup() s3:libads: add tls_wrapping into openldap s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible s3:libads: call gensec_set_channel_bindings() for tls connections smbdotconf: add client ldap sasl wrapping = {starttls,ldaps} s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} s4:selftest: also test 
samba4.ldb.simple.ldap with starttls and SASL-BIND blackbox/test_net_ads_search_server: also test ldaps/starttls s3:torture: add '-T 'option=value' this is similar to '--option='=value' s3:torture: add ldaps/starttls support to run_tldap() s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls auth/gensec: remove useless client_use_spnego_principal usage s4:selftest: remove useless 'client use spnego principal' tests smbdotconf: finally remove unused "client use spnego principal" option WHATSNEW: document ldaps/tls related option changes auth/credentials: add cli_credentials_get_principal_obtained() auth/credentials: add cli_credentials_get_ccache_name_obtained() lib/cmdline: skip the password prompt if we have a valid krb5 ccache auth/credentials: add cli_credentials_get_password_obtained() auth/credentials: add cli_credentials_get_username_obtained() s3:client: avoid cli_credentials_get_password() to check for a specified password auth/gensec: add gensec_kerberos_possible() helper auth/gensec: add gensec_get_unparsed_target_principal() helper s4:gensec_gssapi: make use of gensec_kerberos_possible() s3:gse: make use of gensec_kerberos_possible() s3:gse: avoid prompting for a password that we don't use in the end s3:gse: don't call krb5_cc_resolve() as server lib/krb5_wrap: add smb_krb5_cc_new_unique_memory() lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache() auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap() auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache() auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache() auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache() s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac() s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache s3:libsmb: let cli_session_creds_init() keep the value from 
'client use kerberos' .gitlab-ci-main.yml: debug kernel details of the current runner tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative s3:libsmb: allow store_cldap_reply() to work with a ipv6 response s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login() s3:libads: don't allow ads_kdestroy(NULL) anymore blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username tests/ntlm_auth: Do not set a client_password s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare() s3:gse: get an explicit ccache_name from creds and kinit if required s3:libsmb: remove unused cli_session_creds_prepare_krb5() s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping() s3:libads: remove unused LIBADS_CCACHE_NAME define s3:libads: split out ads_legacy_creds() s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state() s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name() s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds() s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND s3:libads: add ads_connect_cldap_only() helper s3:libsmb: make use of ads_connect_cldap_only() s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int() s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads() s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password() testprogs/blackbox: add better testnames in 
test_weak_disable_ntlmssp_ldap.sh s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect() s3:libads: remove unused ads->auth.renewable s3:libads: we only need to gensec_expire_time()... s3:libads: move ads->auth.time_offset to ads->config.time_offset s3:libads: fix compiler warning in ads_mod_ber() s3:libads: add ads_connect_creds() helper s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds s3:winbindd: make winbindd_get_trust_credentials() public s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c s3:winbindd: make use of samba_sockaddr to avoid compiler warnings s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY() s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c s3:utils: let net_update_dns_internal() set status before goto done in all cases lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi s3:libads: add ads_connect_simple_anon() helper s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible s3:libads: add ads_simple_creds() helper s3:libads: add ads_connect_machine() helper s3:printing: make use of ads_connect_machine() libgpo/pygpo: make use of ads_connect_{creds,machine}() s3:lib/netapi: add libnetapi_get_creds() s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx() s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net' s3:net: add net_context->explicit_credentials to check if credentials were passed s3:net: make use of c->explicit_credentials in order to check for valid credentials s3:net_rpc: make use of 
!c->explicit_credentials for NET_FLAGS_ANONYMOUS s3:net: remove useless net_prompt_pass() wrapper s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add() s3:libads: remove unused kdc_host argument of ads_krb5_set_password() s3:libads: remove krb5_set_real_time() from ads_krb5_set_password() s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password() s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password() s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password() s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int() s3:net_ads: remove unused use_in_memory_ccache() s3:include: remove unused krb5_env.h s3:net: remove unused net_context->opt_kerberos s3:net: remove unused net_context->smb_encrypt s3:net: finally remove net_context->opt_{user_specified,user_name,password} s3:libads: finally remove unused ads_connect[_user_creds]() and related code krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name() smbspool_krb5_wrapper: remove unused includes smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name() smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name() auth/credentials_krb5: use system/{gssapi,kerberos}.h auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default() lib/replace: make sure krb5_cc_default[_name]() is no longer used directly s3:libnet: let parse_user() in 
libnet_dssync_keytab.c work without nt hash s3:libnet: split out parse_user() in libnet_dssync_keytab.c s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c s3:libnet: add support for trusted domains in libnet_dssync_keytab.c s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries() s4:kdc: split out samba_kdc_fill_trust_keys() helper s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry() s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry() s4:kdc: split out samba_kdc_fill_trust_keys() helper s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA s4:kdc: also provide cross-realm keys via samba_kdc_seq() s4:libnet_export_keytab: add only_current_keys option samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option test_kinit_export_keytab: reset pw of the test account and test --only-current-keys s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables smbXcli_base: add hacks to test anonymous signing and encryption s4:libcli/smb2: add hack to test anonymous signing and encryption s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} s3:utils: remove unused signing_flags in connections_forall() s3:lib: let sessionid_traverse_read() report if the session was authenticated s3:utils: let connections_forall_read() report if the session was authenticated s3:utils: let smbstatus also report AES-256 encryption types for tcons s3:utils: let smbstatus also report partial tcon signing/encryption s3:smbd: allow anonymous encryption after one authenticated session setup s3:utils: let smbstatus report anonymous signing/encryption 
explicitly lib/addns: remove unused kerberos/gssapi includes in dns.h python:tests/dns_base: generate a real signature in bad_sign_packet() python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet() python:tests/dns_base: let dns_transaction_tcp() handle short receives python:tests/dns_base: add self.assert_echoed_dns_error() python:tests/dns_tkey: make use of self.assert_echoed_dns_error() python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument python:tests/dns_base: let tkey_trans() take tkey_req_in_answers python:tests/dns_base: pass tkey_trans(expected_rcode) python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True python:tests/dns_base: maintain a dict with tkey related state python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}() python:tests/dns_tkey: add gss.microsoft.com tsig updates python:tests/dns_tkey: test bad and changing tsig algorithms python:tests/dns_base: let verify_packet() work against Windows python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022 python:tests/dns_base: add get_unpriv_creds() helper s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey python:tests/dns_tkey: add test_update_tsig_record_access_denied() s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG s4:dns_server: use the client provided algorithm for the fake TSIG structure s4:dns_server: use tkey->algorithm if available in dns_sign_tsig() s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section s4:dns_server: dns_verify_tsig should return REFUSED on error s4:dns_server: correctly sign dns update responses with gss-tsig like Windows 
s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads' s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send test_recycle.sh: make sure we don't see panics on the log files TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal() vfs_recycle: don't unlink on allocation failure vfs_recycle: directly allocate smb_fname_final->base_name vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal() vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA() vfs_recycle: fix memory hierarchy Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()" vfs_recycle: remember resolved config->repository in vfs_recycle_connect() testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]() auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts smbd: correctly restore ENOENT if fstatfs() modifies it python:tests: pass bytes.decode() instead of str(bytes) to assertMultiLineEqual() to get better failure output libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2() selftest:Samba3: add simpleserver globals before include = global_inject.conf selftest:Samba3: allow lanman auth in setup_nt4_member s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests s3:passdb: don't clear the LM HASH without a password change third_party/pam_wrapper: add pam_matrix module s3:auth: let smb_pam_conv() handle resp=NULL selftest: setup pam_matrix in the simpleserver env 
s3:auth: allow real plaintext authentication python:tests: make test_export_keytab_nochange_update() more reliable selftest:Samba3: don't use PAM_WRAPPER_KEEP_DIR and PAM_WRAPPER_DEBUGLEVEL s3:tests: let modprinter.pl use $TMPDIR

Vinit Agnihotri (26):
ctdb-protocol: Add new event startipreallocate ctdb-daemon: Implement startipreallocate event ctdb-protocol: Add new control CTDB_CONTROL_START_IPREALLOCATE ctdb-server: Implement CTDB_CONTROL_START_IPREALLOCATE ctdb-takeover: Use CTDB_CONTROL_START_IPREALLOCATE ctdb: send a CTDB_SRVID_START_IPREALLOCATE message after CTDB_EVENT_START_IPREALLOCATE ctdb-scripts: Add handling for startipreallocate ctdb-client: Remove unused function ctdb-doc: Factor out grace period function ctdb-doc: Put NFS in grace on startipreallocate ctdb-scripts: Remove unnecessary 06.nfs.script ctdb-scripts: Remove usage of releaseip-pre, takeip-pre pseudo-events smbd-server: Set event callback for interface change notification lib-addrchange: Change API to fill up if_index value from netlink msg lib-interface: Add new API to validate interface info for given interface index smbd-server: Open socket for additional ip address smbd-server: Handle ip drop event and close listening socket messaging: Add new SMBD message smbd-server: Use MSG_SMB_IP_DROPPED param: Add additional key 'options' for interfaces lib-interface: Add extra parameter 'options' to interface definition lib-interface: Add parsing for interface 'options' lib-interface: Change API for interface 'options' smbd-server: Process ip add/drop events for options:dynamic only ctdb-scripts: Rename and relocate function get_all_interfaces() ctdb-scripts: Add options to generate smb.conf interfaces include file

Volker Lendecke (233):
smbd: Remove unused declarations in smbXsrv.idl smbd: Simplify fsp_fullbasepath() smbd: Modernize a DEBUG statement smbd: Add conn_protocol() smbd: Remove the last use of get_Protocol() smbd: Remove get_Protocol() lib: Make GUID_to_ndr_buf() return void libsmb:
Simplify an if-condition
      lib: Simplify copy_unix_token()
      torture: Fix an error message
      smbd: Add parentheses for easier readability
      lib: Simplify _hexcharval
      smbXsrv_version: Modernize DEBUG statements
      smbXsrv_version: Use a struct assignment instead of ZERO_STRUCT
      smbXsrv_version: Remove unused smbXsrv_version_global0->db_rec
      smbXsrv_version: Use a struct assignment
      smbd: Fix a comment
      auth: Simplify smb_krb5_send_to_kdc_state_destructor()
      vfs: Fix a typo
      smbd: Give smbXsrv_session.c its own header file
      smbd: Fix and modernize a few DBG statements
      smbd: Fix a typo
      tools: Fix whitespace
      smbd: Avoid a ZERO_STRUCT() with direct struct initialization
      smbd: Fix a DBG message
      ctdb: Remove an unnecessary cast
      lib: Remove timeval_until()
      lib: Remove timeval_set()
      smbd: Simplify users of fsp_fullbasepath()
      smbd: Make read_symlink_reparse() return a reparse_data_buffer
      smbd: Fix returning symlink stat info in the NO_OPATH case
      smbd: Remove "st" from struct open_symlink_err
      smbd: Remove "unparsed" from struct open_symlink_err
      smbd: Remove struct open_symlink_err
      smbd: Remove an outdated comment
      lib: Fix whitespace
      lib: Give tallocmsg.c its own header
      lib: Fix dbwrap_tdb.h prerequisites
      lib: Fix whitespace
      lib: Use struct initialization in imessaging_client_init()
      smbXsrv_session: Use struct initialization
      smbXsrv_session: Remove two implicit NULL initializations
      smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
      smbXsrv_session: Remove a "can't happen" NULL check
      smbd: Remove an obsolete comment
      smbd: Save 3 lines
      smbd: Simplify an if-condition
      lib: Give lib/util/util_file.c its own header file
      lib: Add fdopen_keepfd()
      rpc_server3: Use fdopen_keepfd()
      lib: Use fdopen_keepfd()
      ctdb: Use stdio's getline() in ctdb_connection_list_read()
      ctdb: Remove common/line.[ch]
      ctdb: Modernize a few DEBUGs
      smbd: Change protocol selection to not use "sconn->using_smb2"
      smbd: Add conn_using_smb2()
      smbd: Remove sconn->using_smb2
      lib: Remove an obsolete comment
      smbd: Simplify call_trans2qpathinfo()
      smbd: Simplify smb_q_posix_symlink()
      smbd: Simplify smb_set_file_unix_link()
      smbd: Slightly simplify notifyd_send_delete()
      Fix a few "might be uninitialized" errors
      smbd: Save a few bytes of .text
      libsmb: Remove unused setup_stat_from_stat_ex()
      lib: Fix whitespace
      smbd: Some README.Coding in smbXsrv_session
      smbd: Simplify an if-condition
      smbd: Simplify smbXsrv_open_purge_replay_cache()
      smbd: Simplify smbXsrv_open_clear_replay_cache()
      smbd: Do an early TALLOC_FREE in smbXsrv_client_global_init()
      smbd: Save a few lines in smbXsrv_client_global_init()
      smbd: Use direct struct initialization in smbXsrv_client
      smbd: Fix a copy&paste error in smbXsrv_client_remove()
      libsmb: Slightly simplify py_cli_list()
      pylibsmb: Return reparse_tag from directory listing
      pylibsmb: clang-format for the calls to Py_BuildValue()
      pylibsmb: Avoid talloc()
      passdb: Use getline(3) to read our old machine sid
      vfs: Convert return_data from char * to uint8_t
      lib: Convert push_file_id_16 to take uint8_t instead of char
      smbd: Simplify sending oplock_break_message
      smbd: Fix a typo
      smbd: Use struct oplock_break_message for MSG_CLOSE_FILE
      smbd: Remove message_to_share_mode_entry and vice versa
      smbd: Use struct oplock_break_message for MSG_SMB_KERNEL_BREAK
      smbd: Remove unused [push_pull]_file_id_24
      smbd: Return FILE_ATTRIBUTE_REPARSE_POINT from "user.DOSATTRIB"
      reparse: Tighten reparse point length check
      smbd: Change the output of fsctl_get_reparse_point to uint8
      smbd: Prepare to return the reparse tag from fsctl_get_reparse_point
      smbd: Use reparse_buffer_check() in fsctl_set_reparse_point()
      selftest: Default to "tmp" share in reparsepoints.py
      tests: Clarify a reparse point test
      tests: Codify IO_REPARSE_TAG_MISMATCH behaviour
      tests: Clean up behind ourselves in test_create_reparse
      smbd: Implement fsctl_get_reparse_point
      smbd: Implement fsctl_set_reparse_point
      tests: Expected failures in reparse point tests should not be errors
      tests: Run reparse tests
      tests: Test FSCTL_DELETE_REPARSE_POINT
      smbd: Implement FSCTL_DELETE_REPARSE_POINT
      test: Align integer types
      smbd: Modernize a DEBUG
      libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"
      libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"
      libsmb: Convert cli_qfileinfo to use FSCC levels
      libsmb: Add a tevent_req_received() where appropriate
      libsmb: Add smb2 branch to cli_qfileinfo
      libsmb: Remove smb2 branch from cli_qfileinfo_basic_send
      pylibsmb: Add FSCC QUERY_INFO levels
      pylibsmb: Add py_cli_qfileinfo
      tests: get TAG_INFORMATION
      smbd: Fix a DBG
      smbd: Return reparse tag as of MS-FSCC 2.4.6
      smbd: Add DEBUG message got get_reparse_point
      libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define
      libsmb: Cap max_rdata at UINT16_MAX
      smbd: Modernize a few DEBUGs
      smbd: Add fsctl_get_reparse_tag() helper function
      smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point
      smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point
      smbd: Test reparse tag in smb3_posix_cc_info
      smbd: Add reparse tag to smb3_posix_cc_info
      smbd: Remove an obsolete comment
      smbd: Simplify check_parent_access_fsp()
      g_lock: Fix buffer length check in g_lock_parse()
      smbd: Modernize a few DEBUGs
      smbd: Fix a typo in a few places
      smbd: Modernize a few DEBUGs
      smbd: Move a DBG_DEBUG up
      smbd: Fix whitespace
      smbd: Remove the ZERO_ZERO define
      smbd: Use direct struct initialization
      smbd: Return correct error for fallback sendfile
      smbd: Remove an unnecessary else branch
      smbd: Remove a no-op call to init_strict_lock_struct
      smbd: Remove an unnecessary else
      smbd: Remove an unused function parameter
      libsmb: Use the direct FSCC_ infolevels
      libsmb: Avoid pointless intermediate variables
      lib: Fix a typo
      libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
      libsmb: Use SMB2_0_INFO_ constants instead of magic numbers
      libsmb: Remove unused cli_list_trans()
      libsmb: Remove an unneeded NULL check
      libsmb: Remove a talloc_strdup()
      lib: Use struct initialization
      smbd: Simplify request_timed_out
      libsmb: Remove file_info->[ug]id
      libsmb: Slightly simplify cli_session_creds_init
      creds: Add cli_credentials_add_gensec_features
      lib: Use cli_credentials_add_gensec_features in a few places
      torture: Remove some pointless local variables
      gensec: Simplify gensec_security_by_*
      gensec: Refactor gensec_security_mechs()
      gensec: Filter out disabled mechs in gensec_security_mechs()
      gensec: Simplify gensec_security_by_fn()
      libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"
      smbd: Fix whitespace
      winbind: Modernize a few DEBUGs
      wbclient: Fix a typo
      lib: gensec.h references NTTIME, add time.h
      lib: Use unsigned long in ber_write_OID_String
      lib: Use talloc_asprintf_addbufin _ber_read_OID_String_impl
      lib: Fix an error path memleak
      lib: Align an integer type
      tests: Check that query_directory lists the reparse tag
      smbd: list reparse tag in QUERY_DIRECTORY
      torture4: Fix some whitespace
      heimdal_build: Fix whitespace
      tdb: Fix a typo
      lib: Remove pointless \ line endings
      libsmb: "clang-format" for an if-condition
      gse: Avoid explicit ZERO_STRUCT in gse_errstr()
      gse: Simplify gse_errstr() with talloc_asprintf_addbuf()
      gensec: Fix whitespace
      spnego: Fix typos
      credentials: Protect the cred's nt hash with talloc_keep_secret
      smbd: Fix DEBUG messages
      tdb: Update times in tdb_transaction_commit per fd, not per name
      lib: Move 286 bytes from R/W data to R/O text segment
      lib: Avoid an includes.h
      smbd: Simplify smbd_do_qfilepathinfo()
      lib: Align an integer type
      smbd: Modernize a DEBUG
      smbd: Simplify notify_filter_string
      smbd: Simplify callers of notify_filter_string
      smbd: Fix crossing automounter mount points
      smbd: Modernize a DEBUG
      smbd: Align an integer type
      smbd: Don't leave a pointer variable uninitialized
      vfs: Fix typos
      smbd: Modernize a DEBUG
      smbd: Simplify copy_stat_ex_timestamps
      smbd: Simplify init_smb_file_time
      smbd: Remove an obsolete comment
      smbd: Simplify filename_convert_dirfsp_nosymlink
      smbd: Simplify fdos_mode
      smbd: Simplify dos_mode_from_sbuf
      smbd: Print reparse_point in dos_mode_debug_print
      smbd: Avoid a cast
      smbd: Remove some unused code
      smbd: Simplify reopen_from_fsp
      smbd: Simplify smbd_do_qfsinfo with direct struct initialization
      librpc: Make NDR_PRINT_DEBUG call just one DEBUG
      smbd: Fix cached dos attributes
      smbd: Rename symlink_target_path to _symlink_target_path
      libcli: New routine symlink_target_path for [MS-SMB2] 2.2.2.2.1.1
      smbd: Use new symlink_target_path routine
      docs: "share:fake_fscaps" is per share, not global
      lib: Remove unused strnrchr_m
      lib: Remove unused strnrchr_w
      lib: Remove a few duplicate prototypes
      smbd: Don't talloc_zero where we assign the struct a line below
      lib: Add general py_reparse_get parsing routine
      tests: Remove a pointless ;
      tests: Use the general py_reparse_get
      lib: Remove unused py_reparse_symlink_get
      vfs: xattr calls give EBADF for sockets
      tests: Run reparsepoint tests in fileserver_smb1
      tests: FIFOs should be shown as NFS reparse points
      smbd: Add DBG to return tag for SMB_FILE_ATTRIBUTE_TAG_INFORMATION
      smbd: Turn file type handling in fdos_mode into a switch
      smbd: Show fifos as reparse points in fdos_mode
      smbd: Turn an if-statement getting reparse points into a switch
      smbd: Report FIFOs as NFS style reparse points
      tests: Factor out do_test_nfs_reparse
      tests: Sockets should be shown as NFS reparse points
      smbd: Show sockets as reparse points in fdos_mode
      smbd: Factor out fsctl_get_reparse_point_int
      smbd: Report sockets as NFS style reparse points
      smbd: Show blk and chr devices as nfs reparse points

Xavi Hernandez (1):
      Fix starvation of pending writes in CTDB queues

yuzu367 (1):
      python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

-----------------------------------------------------------------------

--
Samba Shared Repository