The branch, master has been updated
       via  50edad8249c s4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute
       via  a9c6e1ac370 s4:dsdb: Implement msDS-KeyCredentialLink attribute
       via  cd39c04fd92 s4:dsdb:tests: Add get_creds() method
       via  1bceb8ff3f8 lib:compression: Fix code spelling
       via  b5cee3b2dbd s4:dsdb: Remove outdated comments
       via  d41d350ce7f s4:dsdb:tests: Remove outdated comment
       via  46856348496 s4:dsdb:acl: Fix LDB flags comparison
       via  3f9f2c9efcc s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write
       via  0615268a1c0 s4:dsdb:tests: Correct unprefixed f‐string
       via  7fd5a900d16 s4:dsdb:tests: Correct test name
       via  2995eb43878 s4:dsdb:tests: Reformat ACEs to be more readable
       via  d2142640f09 s4:dsdb:tests: Use sAMAccountName GUID constant
       via  10d0d970065 setup:adprep: Import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
       via  32bfbc788d2 python:samba: Raise an exception if we can’t parse a Markdown operation
       via  c88164ee688 pidl: Validate Python bytes objects
       via  4c1216108ac s4:setup: Fix spelling
       via  5934b746adc schema: Add Validated-Write-Computer Extended Right from Windows Server 2016
       via  3d7052278ba ldb: Do not return None from __str__()
       via  264faeaea05 tests/krb5: Remove redundant line
       via  0c92628340e lib:crypto: Don’t pass null pointer to memcpy()
       via  bef2ef342e9 lib:crypto: Remove trailing whitespace
       via  c018d8e19e3 lib:async_req: Initialize variables
       via  fc0f9dc109b s3:lib: Initialize pointer to NULL
       via  38dfbf305fd libcli: Fix maybe-uninitialized warning
       via  a7f59566ae1 ldb: Fix maybe-uninitialized warning
      from  81d98b780b8 CID 1509059 winbind: Fixing print statement for time_t

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 50edad8249c7c1063b0e38f02c2ea5a53e9d430d
Author: Jennifer Sutton <[email protected]>
Date:   Wed Aug 20 19:10:43 2025 +1200

    s4:dsdb:tests: Add tests for msDS-KeyCredentialLink attribute
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    
    Autobuild-User(master): Douglas Bagnall <[email protected]>
    Autobuild-Date(master): Wed Aug 27 04:44:59 UTC 2025 on atb-devel-224

commit a9c6e1ac37065d0b7a4c459c3b2933321ec074c3
Author: Jennifer Sutton <[email protected]>
Date:   Thu Jun 5 12:28:20 2025 +1200

    s4:dsdb: Implement msDS-KeyCredentialLink attribute
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit cd39c04fd9279d84aa3861e8e0f70409e4c3fc99
Author: Jennifer Sutton <[email protected]>
Date:   Wed Aug 13 11:41:53 2025 +1200

    s4:dsdb:tests: Add get_creds() method
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 1bceb8ff3f854e10345c7e92b37cf9f1fac8cb9e
Author: Jennifer Sutton <[email protected]>
Date:   Wed Aug 13 10:17:46 2025 +1200

    lib:compression: Fix code spelling
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit b5cee3b2dbdf20cefe71461b921a13d4ed37113b
Author: Jennifer Sutton <[email protected]>
Date:   Wed Aug 13 09:54:00 2025 +1200

    s4:dsdb: Remove outdated comments
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit d41d350ce7f54d688c2c154fe86e073f77736c42
Author: Jennifer Sutton <[email protected]>
Date:   Tue Aug 12 17:19:55 2025 +1200

    s4:dsdb:tests: Remove outdated comment
    
    The relevant tests were enabled in commit 8cb416a0b569017e1928a7a1cead723ce64ca314.
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 468563484963216e632ea0f8cbc71aede837215e
Author: Jennifer Sutton <[email protected]>
Date:   Tue Aug 12 13:56:16 2025 +1200

    s4:dsdb:acl: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (el->flags & LDB_FLAG_MOD_MASK) == 0
    
    which is only true if none of the LDB_FLAG_MOD_* values are set, so we
    would not successfully return if the element was a DELETE. Correct the
    expression to what it was intended to be.
    
    Commit 99b805e4cbeec232c65adb1a6f3fb326b55c4496 fixed a similar issue.
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 3f9f2c9efccdfc092869643ceffc2bb050858eb6
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jul 29 15:59:09 2025 +1200

    s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 0615268a1c0149d5acee9138873c1ed641637e0d
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jul 29 15:02:32 2025 +1200

    s4:dsdb:tests: Correct unprefixed f‐string
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 7fd5a900d16b3293a2fc522325f3e002dae2c4e1
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jul 29 15:00:16 2025 +1200

    s4:dsdb:tests: Correct test name
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 2995eb438784c5c80cb9807dd7bdacd94392f814
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jul 29 14:48:23 2025 +1200

    s4:dsdb:tests: Reformat ACEs to be more readable
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit d2142640f0920eb57131f7106a683334255eef42
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jul 29 13:47:20 2025 +1200

    s4:dsdb:tests: Use sAMAccountName GUID constant
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 10d0d9700654b6f83611bcf927689528b7009093
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jun 17 17:04:45 2025 +1200

    setup:adprep: Import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 32bfbc788d2fd161569f2ac3c192667a3cd196a9
Author: Jennifer Sutton <[email protected]>
Date:   Tue Aug 12 12:26:52 2025 +1200

    python:samba: Raise an exception if we can’t parse a Markdown operation
    
    Otherwise we would continue with the wrong GUID and filename.
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit c88164ee6887d21ddf5d1a272d31c1178e8cc23b
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jun 17 16:36:16 2025 +1200

    pidl: Validate Python bytes objects
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 4c1216108acaffc33f754cb5f5be493c1d37ac7b
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jun 17 16:28:03 2025 +1200

    s4:setup: Fix spelling
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 5934b746adc80e39521eb69361374c905dc9870a
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jun 17 16:22:56 2025 +1200

    schema: Add Validated-Write-Computer Extended Right from Windows Server 2016
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 3d7052278ba59edf3aa9283985733d107133072b
Author: Jennifer Sutton <[email protected]>
Date:   Mon Jun 16 11:51:14 2025 +1200

    ldb: Do not return None from __str__()
    
    Python will complain with “__str__ returned non-string (type NoneType)”.
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 264faeaea05175b58a6df87f7433707de010e4b5
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jun 10 12:43:21 2025 +1200

    tests/krb5: Remove redundant line
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 0c92628340ea7b6e22c2a6b61e7dfb91f82879d5
Author: Jennifer Sutton <[email protected]>
Date:   Mon May 26 12:00:16 2025 +1200

    lib:crypto: Don’t pass null pointer to memcpy()
    
    This results in undefined behaviour.
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit bef2ef342e973f22e423eef7fc2e01361ee5c17c
Author: Jennifer Sutton <[email protected]>
Date:   Mon May 26 11:59:53 2025 +1200

    lib:crypto: Remove trailing whitespace
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit c018d8e19e38b894392d5e06db10ae7b2e4df8f9
Author: Jennifer Sutton <[email protected]>
Date:   Mon May 19 10:31:47 2025 +1200

    lib:async_req: Initialize variables
    
    ../../lib/async_req/async_sock.c: In function ‘writev_do’:
    ../../lib/async_req/async_sock.c:360:12: error: ‘written’ may be used uninitialized [-Werror=maybe-uninitialized]
      360 |         if ((written == -1) &&
          |            ^
    ../../lib/async_req/async_sock.c:343:17: note: ‘written’ was declared here
      343 |         ssize_t written;
          |                 ^~~~~~~
    ../../lib/async_req/async_sock.c: In function ‘read_packet_do’:
    ../../lib/async_req/async_sock.c:563:12: error: ‘nread’ may be used uninitialized [-Werror=maybe-uninitialized]
      563 |         if ((nread == -1) && (errno == EINTR)) {
          |            ^
    ../../lib/async_req/async_sock.c:531:17: note: ‘nread’ was declared here
      531 |         ssize_t nread, more;
          |                 ^~~~~
    cc1: all warnings being treated as errors
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit fc0f9dc109b833855f0c92fcd6d7409e337aa6cb
Author: Jennifer Sutton <[email protected]>
Date:   Thu Feb 20 15:05:42 2025 +1300

    s3:lib: Initialize pointer to NULL
    
    ../../source3/lib/netapi/tests/netdisplay.c: In function ‘test_netquerydisplayinformation’:
    ../../source3/lib/netapi/tests/netdisplay.c:87:45: error: ‘current_name’ may be used uninitialized [-Werror=maybe-uninitialized]
       87 |                                 if (name && strcasecmp(current_name, name) == 0) {
          |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../../source3/lib/netapi/tests/netdisplay.c:37:21: note: ‘current_name’ was declared here
       37 |         const char *current_name;
          |                     ^~~~~~~~~~~~
    cc1: all warnings being treated as errors
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 38dfbf305fd05447a8dce11693a3e8c4970bbc2c
Author: Jennifer Sutton <[email protected]>
Date:   Thu Feb 20 13:51:24 2025 +1300

    libcli: Fix maybe-uninitialized warning
    
    ../../libcli/wsp/wsp_aqs.c: In function ‘create_size_range_shortcut’:
    ../../libcli/wsp/wsp_aqs.c:872:37: error: ‘upper_size’ may be used uninitialized [-Werror=maybe-uninitialized]
      872 |                 right->value.number = upper_size;
          |                 ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
    ../../libcli/wsp/wsp_aqs.c:835:18: note: ‘upper_size’ was declared here
      835 |         uint32_t upper_size;
          |                  ^~~~~~~~~~
    cc1: all warnings being treated as errors
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit a7f59566ae1b742ec126822d49d6b781e612051d
Author: Jennifer Sutton <[email protected]>
Date:   Thu Feb 20 13:41:48 2025 +1300

    ldb: Fix maybe-uninitialized warning
    
    In file included from ../../lib/ldb/include/ldb.h:50,
                     from ../../lib/ldb/include/ldb_private.h:43,
                     from ../../lib/ldb/common/ldb_pack.c:34:
    ../../lib/ldb/common/ldb_pack.c: In function ‘ldb_filter_attrs’:
    ../../lib/talloc/talloc.h:1173:48: error: ‘i’ may be used uninitialized [-Werror=maybe-uninitialized]
     1173 | #define talloc_array(ctx, type, count) (type *)_talloc_array(ctx, sizeof(type), count, #type)
          |                                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ../../lib/ldb/common/ldb_pack.c:1178:34: note: in expansion of macro ‘talloc_array’
     1178 |         filtered_msg->elements = talloc_array(filtered_msg,
          |                                  ^~~~~~~~~~~~
    ../../lib/ldb/common/ldb_pack.c:1134:22: note: ‘i’ was declared here
     1134 |         unsigned int i;
          |                      ^
    cc1: all warnings being treated as errors
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 lib/async_req/async_sock.c                         |   4 +-
 lib/compression/tests/test_lzx_huffman.c           |   2 +-
 lib/crypto/md4.c                                   |  62 +--
 lib/ldb/common/ldb_pack.c                          |   2 +-
 lib/ldb/pyldb.c                                    |   2 +-
 libcli/wsp/wsp_aqs.c                               |   4 +-
 libds/common/flags.h                               |   2 +
 librpc/idl/security.idl                            |   1 +
 pidl/lib/Parse/Pidl/Samba4/Python.pm               |   6 +
 python/samba/ms_forest_updates_markdown.py         |  15 +-
 python/samba/provision/__init__.py                 |  11 +-
 python/samba/tests/krb5/test_smb.py                |   2 -
 source3/lib/netapi/tests/netdisplay.c              |   2 +-
 source4/dsdb/gmsa/gkdi.c                           |   2 -
 source4/dsdb/gmsa/gkdi.h                           |   2 -
 source4/dsdb/pydsdb.c                              |   2 +
 source4/dsdb/samdb/ldb_modules/acl.c               | 264 +++++++++++-
 source4/dsdb/tests/python/acl.py                   |  96 ++---
 source4/dsdb/tests/python/key_credential_link.py   | 474 +++++++++++++++++++++
 source4/selftest/tests.py                          |   2 +
 .../Domain-Wide-Updates.md.unused                  |  16 +-
 .../WindowsServerDocs/Forest-Wide-Updates.md       | 137 +++---
 .../Read-Only-Domain-Controller-Updates.md.unused  |  10 +-
 .../adprep/WindowsServerDocs/Schema-Updates.md     | 355 ++++++++++++++-
 .../adprep/samba-4.23-missing-for-schema81.ldif    |  13 +
 source4/setup/extended-rights.ldif                 |  17 +-
 testprogs/blackbox/dbcheck-oldrelease.sh           |   3 +
 testprogs/blackbox/upgradeprovision-oldrelease.sh  |   3 +
 28 files changed, 1296 insertions(+), 215 deletions(-)
 create mode 100755 source4/dsdb/tests/python/key_credential_link.py
 create mode 100644 source4/setup/adprep/samba-4.23-missing-for-schema81.ldif


Changeset truncated at 500 lines:

diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index e90619056ed..b25d4cc3731 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -439,7 +439,7 @@ static bool writev_cancel(struct tevent_req *req)
 
 static void writev_do(struct tevent_req *req, struct writev_state *state)
 {
-       ssize_t written;
+       ssize_t written = -1;
        bool ok;
 
        if (state->is_sock) {
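Review bot: In writev_do(), defaulting `written` to -1 makes any path that never assigns it indistinguishable from a failed write, and the `(written == -1)` test quoted in the commit message then consults an `errno` that no call on that path set. If every branch under `if (state->is_sock)` is meant to assign `written`, a short comment saying the initializer exists only to satisfy -Werror=maybe-uninitialized would make that clear; otherwise set `errno` explicitly alongside the default.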
@@ -627,7 +627,7 @@ static void read_packet_do(struct tevent_req *req,
        struct read_packet_state *state =
                tevent_req_data(req, struct read_packet_state);
        size_t total;
-       ssize_t nread, more;
+       ssize_t nread = -1, more;
        uint8_t *tmp;
 
 retry:
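Review bot: `ssize_t nread = -1, more;` initializes one declarator and leaves `more` uninitialized on the same line, which is easy to misread; two separate declarations would be clearer. The -1 default also deserves a comment here: with the `retry:` label just below and the `(nread == -1) && (errno == EINTR)` check cited in the commit message, an unassigned `nread` combined with a stale EINTR would be treated as an interrupted read.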
diff --git a/lib/compression/tests/test_lzx_huffman.c 
b/lib/compression/tests/test_lzx_huffman.c
index 7770535c1e9..5016bcc6fce 100644
--- a/lib/compression/tests/test_lzx_huffman.c
+++ b/lib/compression/tests/test_lzx_huffman.c
@@ -1137,7 +1137,7 @@ static void 
test_lzxpress_huffman_short_boring_strings(void **state)
        size_t i;
        /*
         * How do short repetitive strings work? We're poking at the limit
-        * around which LZ77 comprssion is turned on.
+        * around which LZ77 compression is turned on.
         *
         * For this test we don't change the blob memory between runs, just
         * the declared length.
diff --git a/lib/crypto/md4.c b/lib/crypto/md4.c
index 831fe32ecb8..d71a14eb37e 100644
--- a/lib/crypto/md4.c
+++ b/lib/crypto/md4.c
@@ -1,18 +1,18 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    a implementation of MD4 designed for use in the SMB authentication protocol
    Copyright (C) Andrew Tridgell 1997-1998.
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -20,7 +20,7 @@
 #include "replace.h"
 #include "../lib/crypto/md4.h"
 
-/* NOTE: This code makes no attempt to be fast! 
+/* NOTE: This code makes no attempt to be fast!
 
    It assumes that a int is at least 32 bits long
 */
@@ -36,7 +36,7 @@ static uint32_t F(uint32_t X, uint32_t Y, uint32_t Z)
 
 static uint32_t G(uint32_t X, uint32_t Y, uint32_t Z)
 {
-       return (X&Y) | (X&Z) | (Y&Z); 
+       return (X&Y) | (X&Z) | (Y&Z);
 }
 
 static uint32_t H(uint32_t X, uint32_t Y, uint32_t Z)
@@ -66,41 +66,41 @@ static void mdfour64(struct mdfour_state *s, uint32_t *M)
 
        AA = s->A; BB = s->B; CC = s->C; DD = s->D;
 
-        ROUND1(s->A,s->B,s->C,s->D,  0,  3);  ROUND1(s->D,s->A,s->B,s->C,  1,  
7);  
+        ROUND1(s->A,s->B,s->C,s->D,  0,  3);  ROUND1(s->D,s->A,s->B,s->C,  1,  
7);
        ROUND1(s->C,s->D,s->A,s->B,  2, 11);  ROUND1(s->B,s->C,s->D,s->A,  3, 
19);
-        ROUND1(s->A,s->B,s->C,s->D,  4,  3);  ROUND1(s->D,s->A,s->B,s->C,  5,  
7);  
+        ROUND1(s->A,s->B,s->C,s->D,  4,  3);  ROUND1(s->D,s->A,s->B,s->C,  5,  
7);
        ROUND1(s->C,s->D,s->A,s->B,  6, 11);  ROUND1(s->B,s->C,s->D,s->A,  7, 
19);
-        ROUND1(s->A,s->B,s->C,s->D,  8,  3);  ROUND1(s->D,s->A,s->B,s->C,  9,  
7);  
+        ROUND1(s->A,s->B,s->C,s->D,  8,  3);  ROUND1(s->D,s->A,s->B,s->C,  9,  
7);
        ROUND1(s->C,s->D,s->A,s->B, 10, 11);  ROUND1(s->B,s->C,s->D,s->A, 11, 
19);
-        ROUND1(s->A,s->B,s->C,s->D, 12,  3);  ROUND1(s->D,s->A,s->B,s->C, 13,  
7);  
-       ROUND1(s->C,s->D,s->A,s->B, 14, 11);  ROUND1(s->B,s->C,s->D,s->A, 15, 
19);      
+        ROUND1(s->A,s->B,s->C,s->D, 12,  3);  ROUND1(s->D,s->A,s->B,s->C, 13,  
7);
+       ROUND1(s->C,s->D,s->A,s->B, 14, 11);  ROUND1(s->B,s->C,s->D,s->A, 15, 
19);
 
-        ROUND2(s->A,s->B,s->C,s->D,  0,  3);  ROUND2(s->D,s->A,s->B,s->C,  4,  
5);  
+        ROUND2(s->A,s->B,s->C,s->D,  0,  3);  ROUND2(s->D,s->A,s->B,s->C,  4,  
5);
        ROUND2(s->C,s->D,s->A,s->B,  8,  9);  ROUND2(s->B,s->C,s->D,s->A, 12, 
13);
-        ROUND2(s->A,s->B,s->C,s->D,  1,  3);  ROUND2(s->D,s->A,s->B,s->C,  5,  
5);  
+        ROUND2(s->A,s->B,s->C,s->D,  1,  3);  ROUND2(s->D,s->A,s->B,s->C,  5,  
5);
        ROUND2(s->C,s->D,s->A,s->B,  9,  9);  ROUND2(s->B,s->C,s->D,s->A, 13, 
13);
-        ROUND2(s->A,s->B,s->C,s->D,  2,  3);  ROUND2(s->D,s->A,s->B,s->C,  6,  
5);  
+        ROUND2(s->A,s->B,s->C,s->D,  2,  3);  ROUND2(s->D,s->A,s->B,s->C,  6,  
5);
        ROUND2(s->C,s->D,s->A,s->B, 10,  9);  ROUND2(s->B,s->C,s->D,s->A, 14, 
13);
-        ROUND2(s->A,s->B,s->C,s->D,  3,  3);  ROUND2(s->D,s->A,s->B,s->C,  7,  
5);  
+        ROUND2(s->A,s->B,s->C,s->D,  3,  3);  ROUND2(s->D,s->A,s->B,s->C,  7,  
5);
        ROUND2(s->C,s->D,s->A,s->B, 11,  9);  ROUND2(s->B,s->C,s->D,s->A, 15, 
13);
 
-       ROUND3(s->A,s->B,s->C,s->D,  0,  3);  ROUND3(s->D,s->A,s->B,s->C,  8,  
9);  
+       ROUND3(s->A,s->B,s->C,s->D,  0,  3);  ROUND3(s->D,s->A,s->B,s->C,  8,  
9);
        ROUND3(s->C,s->D,s->A,s->B,  4, 11);  ROUND3(s->B,s->C,s->D,s->A, 12, 
15);
-        ROUND3(s->A,s->B,s->C,s->D,  2,  3);  ROUND3(s->D,s->A,s->B,s->C, 10,  
9);  
+        ROUND3(s->A,s->B,s->C,s->D,  2,  3);  ROUND3(s->D,s->A,s->B,s->C, 10,  
9);
        ROUND3(s->C,s->D,s->A,s->B,  6, 11);  ROUND3(s->B,s->C,s->D,s->A, 14, 
15);
-        ROUND3(s->A,s->B,s->C,s->D,  1,  3);  ROUND3(s->D,s->A,s->B,s->C,  9,  
9);  
+        ROUND3(s->A,s->B,s->C,s->D,  1,  3);  ROUND3(s->D,s->A,s->B,s->C,  9,  
9);
        ROUND3(s->C,s->D,s->A,s->B,  5, 11);  ROUND3(s->B,s->C,s->D,s->A, 13, 
15);
-        ROUND3(s->A,s->B,s->C,s->D,  3,  3);  ROUND3(s->D,s->A,s->B,s->C, 11,  
9);  
+        ROUND3(s->A,s->B,s->C,s->D,  3,  3);  ROUND3(s->D,s->A,s->B,s->C, 11,  
9);
        ROUND3(s->C,s->D,s->A,s->B,  7, 11);  ROUND3(s->B,s->C,s->D,s->A, 15, 
15);
 
-       s->A += AA; 
-       s->B += BB; 
-       s->C += CC; 
+       s->A += AA;
+       s->B += BB;
+       s->C += CC;
        s->D += DD;
-       
-       s->A &= 0xFFFFFFFF; 
+
+       s->A &= 0xFFFFFFFF;
        s->B &= 0xFFFFFFFF;
-       s->C &= 0xFFFFFFFF; 
+       s->C &= 0xFFFFFFFF;
        s->D &= 0xFFFFFFFF;
 
        for (j=0;j<16;j++)
@@ -127,7 +127,7 @@ static void copy4(uint8_t *out, uint32_t x)
 }
 
 /**
- * produce a md4 message digest from data of length n bytes 
+ * produce a md4 message digest from data of length n bytes
  */
 _PUBLIC_ void mdfour(uint8_t *out, const uint8_t *in, int n)
 {
@@ -151,15 +151,17 @@ _PUBLIC_ void mdfour(uint8_t *out, const uint8_t *in, int 
n)
 
        for (i=0;i<128;i++)
                buf[i] = 0;
-       memcpy(buf, in, n);
+       if (in != NULL) {
+               memcpy(buf, in, n);
+       }
        buf[n] = 0x80;
-       
+
        if (n <= 55) {
                copy4(buf+56, b);
                copy64(M, buf);
                mdfour64(&state, M);
        } else {
-               copy4(buf+120, b); 
+               copy4(buf+120, b);
                copy64(M, buf);
                mdfour64(&state, M);
                copy64(M, buf+64);
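Review bot: The `if (in != NULL)` guard in mdfour() removes the undefined memcpy() call, but it also lets a NULL `in` with a non-zero `n` through silently: the digest is then computed over `n` zero bytes from the cleared `buf`. Consider making the contract explicit, for example skipping the copy only when `n == 0` and treating NULL with `n > 0` as a caller bug, and say in the function comment that NULL is accepted for empty input.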
@@ -175,5 +177,3 @@ _PUBLIC_ void mdfour(uint8_t *out, const uint8_t *in, int n)
        copy4(out+8, state.C);
        copy4(out+12, state.D);
 }
-
-
diff --git a/lib/ldb/common/ldb_pack.c b/lib/ldb/common/ldb_pack.c
index 409be590611..86701ad7e71 100644
--- a/lib/ldb/common/ldb_pack.c
+++ b/lib/ldb/common/ldb_pack.c
@@ -1131,7 +1131,7 @@ int ldb_filter_attrs(struct ldb_context *ldb,
                     const char *const *attrs,
                     struct ldb_message *filtered_msg)
 {
-       unsigned int i;
+       unsigned int i = 0;
        bool keep_all = false;
        bool add_dn = false;
        uint32_t num_elements;
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 9acea901558..c0b63285017 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -3717,7 +3717,7 @@ static PyObject 
*py_ldb_msg_element_str(PyLdbMessageElementObject *self)
        if (el->num_values == 1)
                return PyUnicode_FromStringAndSize((char *)el->values[0].data, 
el->values[0].length);
        else
-               Py_RETURN_NONE;
+               return PyUnicode_FromString("");
 }
 
 static void py_ldb_msg_element_dealloc(PyLdbMessageElementObject *self)
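Review bot: In py_ldb_msg_element_str(), `return PyUnicode_FromString("");` is reached for every element whose `num_values` is not 1, so a multi-valued element now stringifies exactly like an empty one. A comment stating that this is intended, or a distinct representation for the multi-valued case, would avoid surprising callers that log or compare `str(element)`; the `else` after the first `return` can also be dropped.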
diff --git a/libcli/wsp/wsp_aqs.c b/libcli/wsp/wsp_aqs.c
index acf12293daf..08723cf07e9 100644
--- a/libcli/wsp/wsp_aqs.c
+++ b/libcli/wsp/wsp_aqs.c
@@ -831,8 +831,8 @@ t_value_holder *create_size_range_shortcut(TALLOC_CTX *ctx,
        };
        int i;
        t_value_holder *result = NULL;
-       uint32_t lower_size;
-       uint32_t upper_size;
+       uint32_t lower_size = 0;
+       uint32_t upper_size = 0;
        bool rangefound = false;
        t_value_holder *left = NULL;
        t_value_holder *right = NULL;
diff --git a/libds/common/flags.h b/libds/common/flags.h
index e8e5d625b5e..f970a4cb65d 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -242,9 +242,11 @@
 #define DS_GUID_SCHEMA_ATTR_DEPARTMENT                
"bf96794f-0de6-11d0-a285-00aa003049e2"
 #define DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME             
"72e39547-7b18-11d1-adef-00c04fd8d5cd"
 #define DS_GUID_SCHEMA_ATTR_INSTANCE_TYPE             
"bf96798c-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_MS_DS_KEY_CREDENTIAL_LINK 
"5b47d60f-6090-40b2-9f37-2a4de88f3063"
 #define DS_GUID_SCHEMA_ATTR_MS_SFU_30                 
"16c5d1d3-35c2-4061-a870-a5cefda804f0"
 #define DS_GUID_SCHEMA_ATTR_NT_SECURITY_DESCRIPTOR    
"bf9679e3-0de6-11d0-a285-00aa003049e2"
 #define DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID          
"bf967a00-0de6-11d0-a285-00aa003049e2"
+#define DS_GUID_SCHEMA_ATTR_SAM_ACCOUNT_NAME          
"3e0abfd0-126a-11d0-a060-00aa006c33ed"
 #define DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME    
"f3a64788-5306-11d1-a9c5-0000f80367c1"
 #define DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL      
"bf967a68-0de6-11d0-a285-00aa003049e2"
 #define DS_GUID_SCHEMA_ATTR_USER_PASSWORD             
"bf967a6e-0de6-11d0-a285-00aa003049e2"
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 9f02ee10d92..6c07bff6eae 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -963,6 +963,7 @@ interface security
        const string GUID_DRS_DNS_HOST_NAME           = 
"72e39547-7b18-11d1-adef-00c04fd8d5cd";
        const string GUID_DRS_ADD_DNS_HOST_NAME       = 
"80863791-dbe9-4eb8-837e-7f0ab55d9ac7";
        const string GUID_DRS_BEHAVIOR_VERSION        = 
"d31a8757-2447-4545-8081-3bb610cacbf2";
+       const string GUID_DRS_DS_VALIDATED_WRITE_COMPUTER = 
"9b026da6-0d3c-465c-8bee-5199d7165cba";
 
        /* A type to describe the mapping of generic access rights to object
           specific access rights. */
diff --git a/pidl/lib/Parse/Pidl/Samba4/Python.pm 
b/pidl/lib/Parse/Pidl/Samba4/Python.pm
index e6a5ac8bb17..b342704af4d 100644
--- a/pidl/lib/Parse/Pidl/Samba4/Python.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/Python.pm
@@ -2039,6 +2039,12 @@ sub ConvertObjectFromPythonData($$$$$$;$$)
        }
 
        if ($actual_ctype->{TYPE} eq "SCALAR" and $actual_ctype->{NAME} eq 
"DATA_BLOB") {
+               $self->pidl("if (!PyBytes_Check($cvar)) {");
+               $self->indent;
+               $self->pidl("PyErr_Format(PyExc_TypeError, \"Expected bytes 
object, got %s\", Py_TYPE($cvar)->tp_name);");
+               $self->pidl("$fail");
+               $self->deindent;
+               $self->pidl("}");
                $self->pidl("$target = data_blob_talloc($mem_ctx, 
PyBytes_AS_STRING($cvar), PyBytes_GET_SIZE($cvar));");
                return;
        }
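Review bot: The TypeError emitted by the new PyBytes_Check() guard, `Expected bytes object, got %s`, does not identify which argument or struct member failed conversion. Because this generator produces the same text for every DATA_BLOB conversion, including the target name in the message would make failures much easier to locate. A test that passes a str where bytes is expected would also pin the new behaviour down.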
diff --git a/python/samba/ms_forest_updates_markdown.py 
b/python/samba/ms_forest_updates_markdown.py
index 0a0d2111a72..01615dca00b 100644
--- a/python/samba/ms_forest_updates_markdown.py
+++ b/python/samba/ms_forest_updates_markdown.py
@@ -112,9 +112,9 @@ def extract_dn(text):
     if dn == 'CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims 
Configuration,CN=Services':
         return 'CN=ad://ext/AuthenticationSilo,CN=Claim Types,CN=Claims 
Configuration,CN=Services,${CONFIG_DN}'
 
-    # Granting the "CN=Send-As,CN=Extended-Rights" to gMSA accounts.
-    if dn.endswith(',CN=Extended-Rights" to gMSA accounts.'):
-        dn = dn.replace('" to gMSA accounts.', '')
+    # Granting the `CN=Send-As,CN=Extended-Rights` to gMSA accounts.
+    if dn.endswith(',CN=Extended-Rights to gMSA accounts.'):
+        dn = dn.replace(' to gMSA accounts.', '')
         return dn + ",${CONFIG_DN}"
 
     return dn
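Review bot: In extract_dn(), `dn.replace(' to gMSA accounts.', '')` removes every occurrence of that text rather than only the suffix that `endswith()` just matched; slicing off the suffix (or `str.removesuffix()` where the minimum Python version allows it) states the intent exactly. This special case had to be edited because the quoting in the source text changed from double quotes to backticks, so matching on the literal trailing sentence stays fragile; a comment naming the upstream line it exists for would help the next import.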
@@ -253,10 +253,11 @@ def read_ms_markdown(in_file, out_folder=None, 
out_dict=None):
         if updates:
             for update in updates[2:]:
                 output = re.match(r'Operation (\d+): {(.*)}', update[0])
-                if output:
-                    # print output.group(1), output.group(2)
-                    guid = output.group(2)
-                    filename = "%s-{%s}.ldif" % (output.group(1).zfill(4), 
guid)
+                if not output:
+                    raise Exception(update)
+
+                guid = output.group(2)
+                filename = "%s-{%s}.ldif" % (output.group(1).zfill(4), guid)
 
                 found = False
 
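Review bot: `raise Exception(update)` in read_ms_markdown() uses a bare Exception whose only payload is the raw row, which gives the caller no context about what failed. A ValueError whose message names `in_file` and says that the `Operation N: {GUID}` pattern did not match would be easier to act on, and would let callers catch parse failures without catching everything.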
diff --git a/python/samba/provision/__init__.py 
b/python/samba/provision/__init__.py
index 119ff3f49fa..0f7418786c6 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1462,11 +1462,15 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         protected1wd_descr = 
b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)).decode('utf8')
         protected2_descr = 
b64encode(get_config_delete_protected2_descriptor(names.domainsid)).decode('utf8')
 
+        incl_2012 = ""
+        incl_2016 = ""
         if "2008" in schema.base_schema:
-            # exclude 2012-specific changes if we're using a 2008 schema
+            # exclude 2012 and later changes if we're using a 2008 schema
             incl_2012 = "#"
-        else:
-            incl_2012 = ""
+            incl_2016 = "#"
+        elif "2012" in schema.base_schema:
+            # exclude 2016 and later changes if we're using a 2012 schema
+            incl_2016 = "#"
 
         setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
                 "CONFIGDN": names.configdn,
@@ -1493,6 +1497,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         setup_add_ldif(samdb, setup_path("extended-rights.ldif"), {
                 "CONFIGDN": names.configdn,
                 "INC2012": incl_2012,
+                "INC2016": incl_2016,
                 })
 
         logger.info("Setting up display specifiers")
diff --git a/python/samba/tests/krb5/test_smb.py 
b/python/samba/tests/krb5/test_smb.py
index f0a82a43229..a6f71f3469b 100755
--- a/python/samba/tests/krb5/test_smb.py
+++ b/python/samba/tests/krb5/test_smb.py
@@ -74,8 +74,6 @@ class SmbTests(KDCBaseTest):
 
         mach_credentials = self.get_dc_creds()
 
-        mach_credentials = self.get_dc_creds()
-
         # Talk to the KDC to obtain the service ticket, which gets placed into
         # the cache. The machine account name has to match the name in the
         # ticket, to ensure that the krbtgt ticket doesn't also need to be
diff --git a/source3/lib/netapi/tests/netdisplay.c 
b/source3/lib/netapi/tests/netdisplay.c
index d7967fa4150..e1078e1daad 100644
--- a/source3/lib/netapi/tests/netdisplay.c
+++ b/source3/lib/netapi/tests/netdisplay.c
@@ -34,7 +34,7 @@ static NET_API_STATUS test_netquerydisplayinformation(const 
char *hostname,
        NET_API_STATUS status;
        uint32_t entries_read = 0;
        int found_name = 0;
-       const char *current_name;
+       const char *current_name = NULL;
        uint8_t *buffer = NULL;
        uint32_t idx = 0;
        int i;
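Review bot: Initializing `current_name` to NULL silences the warning but does not make the use cited in the commit message safe: `if (name && strcasecmp(current_name, name) == 0)` would pass NULL to strcasecmp() on any path that leaves `current_name` unassigned. Adding `current_name != NULL` to that condition would turn the default into a real guard.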
diff --git a/source4/dsdb/gmsa/gkdi.c b/source4/dsdb/gmsa/gkdi.c
index 7acc1b4996e..4726e31b600 100644
--- a/source4/dsdb/gmsa/gkdi.c
+++ b/source4/dsdb/gmsa/gkdi.c
@@ -525,8 +525,6 @@ static const char *const root_key_attrs[] = {
 
 /*
  * Create and return a new GKDI root key.
- *
- * This function goes unused.
  */
 int gkdi_new_root_key(TALLOC_CTX *mem_ctx,
                      struct ldb_context *const ldb,
diff --git a/source4/dsdb/gmsa/gkdi.h b/source4/dsdb/gmsa/gkdi.h
index 4c5394167fd..bc40ef15c8c 100644
--- a/source4/dsdb/gmsa/gkdi.h
+++ b/source4/dsdb/gmsa/gkdi.h
@@ -44,8 +44,6 @@ NTTIME gkdi_root_key_use_start_time(const NTTIME 
current_time);
 
 /*
  * Create and return a new GKDI root key.
- *
- * This function goes unused.
  */
 struct ldb_context;
 int gkdi_new_root_key(TALLOC_CTX *mem_ctx,
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 5c943c8893b..df46b288e4f 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -2069,9 +2069,11 @@ MODULE_INIT_FUNC(dsdb)
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_DEPARTMENT);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_DNS_HOST_NAME);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_INSTANCE_TYPE);
+       ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_MS_DS_KEY_CREDENTIAL_LINK);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_MS_SFU_30);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_NT_SECURITY_DESCRIPTOR);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_PRIMARY_GROUP_ID);
+       ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_SAM_ACCOUNT_NAME);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_SERVICE_PRINCIPAL_NAME);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_USER_ACCOUNT_CONTROL);
        ADD_DSDB_STRING(DS_GUID_SCHEMA_ATTR_USER_PASSWORD);
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c 
b/source4/dsdb/samdb/ldb_modules/acl.c
index d0b1216bcc1..8432dbfe25b 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -36,6 +36,8 @@
 #include "auth/auth.h"
 #include "libcli/security/security.h"
 #include "dsdb/samdb/samdb.h"
+#include "librpc/gen_ndr/keycredlink.h"
+#include "librpc/gen_ndr/ndr_keycredlink.h"
 #include "librpc/gen_ndr/ndr_security.h"
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
@@ -452,6 +454,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
                                  const struct ldb_val *spn_value,
                                  uint32_t userAccountControl,
                                  const struct ldb_val *samAccountName,
+                                 const struct ldb_val *original_dnsHostName,
                                  const struct ldb_val *dnsHostName,
                                  const char *netbios_name,
                                  const char *ntds_guid)
@@ -582,6 +585,14 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
        {
                goto success;
        }
+       if ((original_dnsHostName != NULL) &&
+           strlen(instanceName) == original_dnsHostName->length &&
+           (strncasecmp(instanceName,
+                        (const char *)original_dnsHostName->data,
+                        original_dnsHostName->length) == 0))
+       {
+               goto success;
+       }
        if (is_dc) {
                const char *guid_str = NULL;
                guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
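Review bot: the new `original_dnsHostName` branch does not exclude a zero-length value. If `original_dnsHostName->length` is 0 and `instanceName` is the empty string, `strlen(instanceName) == original_dnsHostName->length` holds and `strncasecmp()` with a length of 0 returns 0, so the code jumps to `success`. Adding `original_dnsHostName->length != 0` to the condition rules that out, unless an earlier check outside this hunk already rejects an empty instance name. A one-line comment saying why the pre-modification dNSHostName is an acceptable match would also help the next reader of this Validated Write check.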
@@ -637,6 +648,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
        struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
        uint32_t userAccountControl;
        const char *netbios_name;
+       const struct ldb_val *original_dns_host_name_val = NULL;
        const struct ldb_val *dns_host_name_val = NULL;
        const struct ldb_val *sam_account_name_val = NULL;
        struct GUID ntds;
@@ -739,12 +751,13 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
        }
 
        if (req->operation == LDB_MODIFY) {
-               dns_host_name_val = ldb_msg_find_ldb_val(search_res, 
"dNSHostName");
+               original_dns_host_name_val = ldb_msg_find_ldb_val(
+                       search_res, "dNSHostName");
        }
 
        ret = dsdb_msg_get_single_value(msg,
                                        "dNSHostName",
-                                       dns_host_name_val,
+                                       original_dns_host_name_val,
                                        &dns_host_name_val,
                                        req->operation);
        if (ret != LDB_SUCCESS) {
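Review bot: missing documentation at the `dsdb_msg_get_single_value()` call, where `original_dns_host_name_val` is passed as an input and `&dns_host_name_val` receives the result. The two names differ by one word and both are later passed side by side into `acl_validate_spn_value()`. A short comment above the `if (req->operation == LDB_MODIFY)` block, stating which variable holds the value found in `search_res` and which holds the value after the request is applied, would make an accidental swap easier to spot. It is also worth noting there that the original value stays NULL for any operation other than `LDB_MODIFY`.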
@@ -809,6 +822,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
                                             &el->values[i],
                                             userAccountControl,
                                             sam_account_name_val,
+                                            original_dns_host_name_val,
                                             dns_host_name_val,
                                             netbios_name,
                                             ntds_guid);
@@ -924,8 +938,8 @@ static int acl_check_dns_host_name(TALLOC_CTX *mem_ctx,
                 * If not add or replace (eg delete),
                 * return success
                 */
-               if ((el->flags
-                    & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0)
+               if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD &&
+                   LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE)
                {
                        talloc_free(tmp_ctx);
                        return LDB_SUCCESS;
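Review bot: nothing in this hunk pins the corrected condition in `acl_check_dns_host_name` with a test. The comment above it says the early return is for "not add or replace (eg delete)", so a test that sends a delete of the attribute and expects this path would guard against the mask form `el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)` creeping back. It would also be worth checking the other validated-write checks in acl.c for the same mask pattern and converting them to `LDB_FLAG_MOD_TYPE(el->flags)` in the same commit.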
@@ -1110,6 +1124,216 @@ fail:
        return LDB_ERR_CONSTRAINT_VIOLATION;
 }
 
+static int acl_check_ms_ds_key_credential_link(
+       TALLOC_CTX *mem_ctx,
+       struct ldb_module *module,
+       struct ldb_request *req,
+       const struct ldb_message_element *el,
+       struct security_descriptor *sd,
+       struct dom_sid *sid,
+       const struct dsdb_attribute *attr,
+       const struct dsdb_class *objectclass)
+{
+       int ret;
+       TALLOC_CTX *tmp_ctx = NULL;
+       struct ldb_context *ldb = ldb_module_get_ctx(module);
+       const struct dsdb_schema *schema = NULL;
+       const struct ldb_message *msg = NULL;
+       const struct dsdb_class *computer_objectclass = NULL;
+       bool is_subclass;
+
+       tmp_ctx = talloc_new(mem_ctx);
+       if (tmp_ctx == NULL) {
+               return ldb_oom(ldb);
+       }
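Review bot: in the visible part of `acl_check_ms_ds_key_credential_link`, `int ret;` and `bool is_subclass;` are declared without initializers while every pointer local beside them is set to NULL. Given that this same push carries several maybe-uninitialized fixes, initialising both at declaration (`bool is_subclass = false;`) would keep the new function consistent and avoid a later warning-only commit. The function also has no leading comment. One sentence stating which access right it enforces on writes to msDS-KeyCredentialLink, and what it returns on denial, would help anyone auditing this path.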


-- 
Samba Shared Repository

