[SCM] Samba Shared Repository - branch master updated

2024-07-05 Thread Jeremy Allison 
The branch, master has been updated
   via  90c9d0d98d3 s3:ntlm_auth: make logs more consistent with length 
check
   via  09b91728d1a lib: Remove unused py_reparse_symlink_get
   via  93bde61f813 tests: Use the general py_reparse_get
   via  3a60fc5da4b tests: Remove a pointless ;
   via  6cfa3788339 lib: Add general py_reparse_get parsing routine
  from  e4d6a19e492 third_party/heimdal: Import 
lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 90c9d0d98d3c80c77764dbcaf9c24d7c4ea31b4a
Author: Jones Syue 
Date:   Fri Jul 5 17:36:46 2024 +0800

s3:ntlm_auth: make logs more consistent with length check

Run ntlm_auth with options --lm-response/--nt-response/--challenge, and pass
wrong length to these options, got error prompted logs about 'only got xxx
bytes', which are not consistent with length check. This patch revise logs
for length check to make it more consistent.

For example --lm-response requires exact 24 hex, let us input three kinds
of length 23 24 25, prompted logs said 'only got 25 bytes' seems confusing.

script:
for length in 23 24 25; \
do \
ntlm_auth --username=${un} --password=${pw} \
--lm-response="`openssl rand -hex ${length}`"; \
done;

output:
hex decode of 04db772593f5e6023d0ab4bc67a942c9179963477eb49d failed! (only 
got 23 bytes)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 1e57749feb46bedcf969af6cbbe10e21d0232e35c27eb07294 failed! 
(only got 25 bytes)

After patch it shows 'got 25 bytes, expected 24' seems more consistent:

hex decode of e13e70c9cf2ac1e20015657c4bec53435b1b948febb63f failed! (got 
23 bytes, expected 24)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 64647005243092b036856f572faad262e0b69386d095d60f54 failed! 
(got 25 bytes, expected 24)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15677

Signed-off-by: Jones Syue 
Reviewed-by: David Mulder 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Sat Jul  6 00:52:02 UTC 2024 on atb-devel-224

commit 09b91728d1a3bb71fa97f50685de7632ce72e078
Author: Volker Lendecke 
Date:   Thu Jul 4 13:48:37 2024 +0200

lib: Remove unused py_reparse_symlink_get

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 93bde61f81381c70fe970a517246fc69bd7228c7
Author: Volker Lendecke 
Date:   Thu Jul 4 13:46:38 2024 +0200

tests: Use the general py_reparse_get

This was the only user of py_reparse_symlink_get

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3a60fc5da4bca13299d79757b77ccb96d7da6391
Author: Volker Lendecke 
Date:   Thu Jul 4 13:45:44 2024 +0200

tests: Remove a pointless ;

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6cfa37883392254da08cd603ae98c225df700c62
Author: Volker Lendecke 
Date:   Mon Jun 17 19:50:18 2024 +0200

lib: Add general py_reparse_get parsing routine

Will superseed py_reparse_symlink_get

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 libcli/smb/py_reparse_symlink.c   | 133 --
 python/samba/tests/smb2symlink.py |   5 +-
 source3/utils/ntlm_auth.c |   6 +-
 3 files changed, 90 insertions(+), 54 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/py_reparse_symlink.c b/libcli/smb/py_reparse_symlink.c
index 5626e270803..d28a8fd8b93 100644
--- a/libcli/smb/py_reparse_symlink.c
+++ b/libcli/smb/py_reparse_symlink.c
@@ -71,6 +71,86 @@ static PyObject *py_reparse_put(PyObject *module, PyObject 
*args)
return result;
 }
 
+static PyObject *py_reparse_get(PyObject *module, PyObject *args)
+{
+   char *buf = NULL;
+   Py_ssize_t buflen;
+   PyObject *result = NULL;
+   struct reparse_data_buffer *rep = NULL;
+   bool ok;
+   NTSTATUS status;
+
+   ok = PyArg_ParseTuple(args, PYARG_BYTES_LEN ":get", , );
+   if (!ok) {
+   return NULL;
+   }
+
+   rep = talloc(NULL, struct reparse_data_buffer);
+   if (rep == NULL) {
+   PyErr_NoMemory();
+   return NULL;
+   }
+
+   status = reparse_data_buffer_parse(rep, rep, (uint8_t *)buf, buflen);
+   if (!NT_STATUS_IS_OK(status)) {
+   TALLOC_FREE(rep);
+   PyErr_SetNTSTATUS(status);
+   return NULL;
+   }
+
+   switch (rep->tag) {
+   case IO_REPARSE_TAG_SYMLINK: {
+   const struct symlink_reparse_struct *lnk = >parsed.lnk;
+   result = Py_BuildValue("s(ssII)",
+

[SCM] Samba Shared Repository - branch master updated

2024-07-05 Thread Ralph Böhme 
The branch, master has been updated
   via  e4d6a19e492 third_party/heimdal: Import 
lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
  from  c9c74d819a2 s3:rpc_server: Initialize array struct security_ace 
ace[]

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e4d6a19e49260af22bffd2a417119489719ba364
Author: Ralph Boehme 
Date:   Thu Jul 4 18:00:52 2024 +0200

third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 
42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)

Fix clock skew error message and memory cache clock skew recovery

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Fri Jul  5 10:02:26 UTC 2024 on atb-devel-224

---

Summary of changes:
 third_party/heimdal/lib/krb5/fast.c   | 12 
 third_party/heimdal/lib/krb5/mcache.c |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/third_party/heimdal/lib/krb5/fast.c 
b/third_party/heimdal/lib/krb5/fast.c
index 90133a7abc0..4026ed62327 100644
--- a/third_party/heimdal/lib/krb5/fast.c
+++ b/third_party/heimdal/lib/krb5/fast.c
@@ -691,10 +691,14 @@ _krb5_fast_unwrap_error(krb5_context context,
 idx = 0;
 pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, );
 if (pa == NULL) {
-   ret = KRB5_KDCREP_MODIFIED;
-   krb5_set_error_message(context, ret,
-  N_("FAST fast response is missing FX-FAST", ""));
-   goto out;
+   /*
+* Typically _krb5_fast_wrap_req() has set KRB5_FAST_EXPECTED, which
+* means check_fast() will complain and return KRB5KRB_AP_ERR_MODIFIED.
+*
+* But for TGS-REP init_tgs_req() clears KRB5_FAST_EXPECTED and we'll
+* ignore a missing KRB5_PADATA_FX_FAST.
+*/
+   return check_fast(context, state);
 }
 
 ret = unwrap_fast_rep(context, state, pa, );
diff --git a/third_party/heimdal/lib/krb5/mcache.c 
b/third_party/heimdal/lib/krb5/mcache.c
index 9463e825af8..148fcf2624c 100644
--- a/third_party/heimdal/lib/krb5/mcache.c
+++ b/third_party/heimdal/lib/krb5/mcache.c
@@ -225,7 +225,7 @@ mcc_initialize(krb5_context context,
  */
 mcc_destroy_internal(context, m);
 m->dead = 0;
-m->kdc_offset = 0;
+m->kdc_offset = context->kdc_sec_offset;
 m->mtime = time(NULL);
 ret = krb5_copy_principal (context,
   primary_principal,


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-05 Thread Volker Lendecke 
The branch, master has been updated
   via  c9c74d819a2 s3:rpc_server: Initialize array struct security_ace 
ace[]
   via  f434524b472 s4:torture: Initialize struct smb2_handle consistently 
in lease.c
   via  fd4afa309ef s3:registry: Initialize struct security_ace ace[]
   via  275ffbf5606 s3:rpcclient: Initialize spoolss_DriverDirectoryInfo 
info
   via  af3868d7036 s3:utils: Initialize DATA_BLOB blob
  from  8292481bc06 smbd: Don't talloc_zero where we assign the struct a 
line below

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c9c74d819a2749e56626144714a555948149754c
Author: Pavel Filipenský 
Date:   Wed Jul 3 17:55:31 2024 +0200

s3:rpc_server: Initialize array struct security_ace ace[]

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:567: var_decl: Declaring 
variable "h" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:642: uninit_use_in_call: Using 
uninitialized value "h" when calling "smb2_util_close".
  640|
  641|done:
  642|-> smb2_util_close(tree, h);
  643|   smb2_util_close(tree, h2);
  644|

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Fri Jul  5 08:53:08 UTC 2024 on atb-devel-224

commit f434524b472f7c1ba34f4f4e5229722f7b73807d
Author: Pavel Filipenský 
Date:   Wed Jul 3 17:53:22 2024 +0200

s4:torture: Initialize struct smb2_handle consistently in lease.c

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:567: var_decl: Declaring 
variable "h" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:642: uninit_use_in_call: Using 
uninitialized value "h" when calling "smb2_util_close".
  640|
  641|done:
  642|-> smb2_util_close(tree, h);
  643|   smb2_util_close(tree, h2);
  644|

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

commit fd4afa309efc97b75d032ca8f59b16b08c51f1c8
Author: Pavel Filipenský 
Date:   Wed Jul 3 17:34:47 2024 +0200

s3:registry: Initialize struct security_ace ace[]

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/registry/reg_dispatcher.c:43: var_decl: Declaring 
variable "ace" without initializer.
samba-4.20.0rc2/source3/registry/reg_dispatcher.c:66: uninit_use_in_call: 
Using uninitialized value "*ace". Field "ace->object" is uninitialized when 
calling "make_sec_acl".
  64|   /* create the security descriptor */
  65|
  66|-> theacl = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace);
  67|   if (theacl == NULL) {
  68|   return WERR_NOT_ENOUGH_MEMORY;

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

commit 275ffbf5606735942b96afdaaa28fd824fe220ef
Author: Pavel Filipenský 
Date:   Wed Jul 3 17:33:20 2024 +0200

s3:rpcclient: Initialize spoolss_DriverDirectoryInfo info

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/rpcclient/cmd_spoolss.c:1530: var_decl: Declaring 
variable "info" without initializer.
samba-4.20.0rc2/source3/rpcclient/cmd_spoolss.c:1578: uninit_use_in_call: 
Using uninitialized value "info" when calling "display_printdriverdir_1".
 1576|
 1577|   if (W_ERROR_IS_OK(result)) {
 1578|-> display_printdriverdir_1();
 1579|   }
 1580|

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

commit af3868d70367523db6d4ae4411e951baa5849803
Author: Pavel Filipenský 
Date:   Wed Jul 3 17:30:51 2024 +0200

s3:utils: Initialize DATA_BLOB blob

Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/utils/regedit_dialog.c:1965: var_decl: Declaring 
variable "blob" without initializer.
samba-4.20.0rc2/source3/utils/regedit_dialog.c:2044: uninit_use_in_call: 
Using uninitialized value "blob" when calling "reg_val_set".
 2042|
 2043|   if (W_ERROR_IS_OK(rv)) {
 2044|-> rv = reg_val_set(edit->key, name, edit->type, 
blob);
 2045|   }
 2046|

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 source3/registry/reg_dispatcher.c   |   2 +-
 source3/rpc_server/lsa/srv_lsa_nt.c |   2 +-
 source3/rpcclient/cmd_spoolss.c |   2 +-
 source3/utils/regedit_dialog.c  |   2 +-
 source4/torture/smb2/lease.c| 144 +---
 5 files changed, 70 insertions(+), 82 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/registry/reg_dispatcher.c 
b/source3/registry/reg_dispatcher.c
index ab3fb24dc2f..097b6d4d30f 100644
--- a/source3/registry/reg_dispatcher.c
+++ b/source3/registry/reg_dispatcher.c
@@ -40,7 +40,7 @@

[SCM] NSS Wrapper Repository - annotated tag nss_wrapper-1.1.16 created

2024-07-05 Thread Andreas Schneider 
The annotated tag, nss_wrapper-1.1.16 has been created
at  0c35864eaabd7ae22e7737f0ff65b81e037222b9 (tag)
   tagging  2270a7cda76de28c554a7ed1167e49ce19a0fc2f (commit)
  replaces  nss_wrapper-1.1.15
 tagged by  Andreas Schneider
on  Fri Jul 5 10:36:36 2024 +0200

- Log -
nss_wrapper-1.1.16

* Fixed segfault on FreeBSD
* Fixed copy error in the destructor
* Fixed thread sanitizer on modern Linux Kernels
* Fixed building with newer cmocka versions
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmaHsKoACgkQfuD8TcwB
Tj159Q/+O6QdidYLPQzyjc2ap9BYjQj09Hcm963eA+/yOhCNbIe7fK4rv5yTtdJg
cvs8XiQ9JG02TsoJYdbMnwF1Nk4OWCZcE0bNlX55gLW2+ntCJ64G2r1FIqXaT++I
lZV+1tV7R2d9oXHI69RsSTiWUVZYSO1jC1i+UcK4GQZRbl6Aag/VoOT+hHNgBt84
bEJMIdUA9f6s6wwAbeNHXxIp4bs8oXCicmQIuJmbGkFSSsrXVNUUj80ew9w418T3
y1YVsajtUm0+nJlwQjsVEupqSBEqXqAKEWhMtSzLkVOIDuEkoIawQKLTl/Wtv65T
2hL8ugmABgz0Q86mvYYZbTT5UQdvd3HzCP7Hh4/9bMx19ZQXtohkJCywUSHVR+pN
6koHgnrm/gG/oiqH85E02mVa6W8aTILyP75CqES9S3dJm5XUMpnjg3zhbYnSdIv/
tq4Wwvqos39Ox+1/rSTY1zC/jL/niqmBpLz0P1kaY4+lwFPp/8gT/r9cAZGgxrdU
GKt0Qy3cSSpFBpyv1tdlwsJU+4PmKZksdjflQGpt+U4PkdOJxXL061BF7W1oz/ff
q2oWQNTCNPOIdggPX2mpmabT9vl8vq0BVcZaGUJADcuwDHxWCpQPu7Dn4G2VfPB9
gvUrlIbbeCGyu+d7ESaD9SiJlha8izunDtixI8iQgAus7Ur8HZY=
=OLX/
-END PGP SIGNATURE-

Andreas Schneider (8):
  cmake: Fix cmocka >= 1.1.6 find_package() in CONFIG mode
  gitlab-ci: Adopt to gitlab changes
  gitlab-ci: Disable ASLR for TSAN
  nswrap: Fix filling pw_class in nwrap_pw_parse_line()
  doc: Correctly describe the supported format of passwd and group files
  doc: Rename to nss_wrapper.1.adoc
  doc: Regenerate nss_wrapper manpage
  Bump version to 1.1.16

Jo Sutton (1):
  src: Fix copy‐paste error referring to wrong variable (Samba CID 1609453)

Pino Toscano (1):
  src: use LIBC_SO and LIBNSL_SO from GNU libc, if available

Simon Josefsson (1):
  doc/nss_wrapper.1: Fix typo of 'environment'.

---


-- 
NSS Wrapper Repository

[SCM] NSS Wrapper Repository - branch master updated

2024-07-05 Thread Andreas Schneider 
The branch, master has been updated
   via  2270a7c Bump version to 1.1.16
   via  f60b5ac doc: Regenerate nss_wrapper manpage
   via  20c5165 doc: Rename to nss_wrapper.1.adoc
   via  53dc194 doc: Correctly describe the supported format of passwd and 
group files
   via  e585cca nswrap: Fix filling pw_class in nwrap_pw_parse_line()
   via  fab4302 gitlab-ci: Disable ASLR for TSAN
   via  312e75a gitlab-ci: Adopt to gitlab changes
  from  199b6bc src: Fix copy‐paste error referring to wrong variable 
(Samba CID 1609453)

https://git.samba.org/?p=nss_wrapper.git;a=shortlog;h=master


- Log -
commit 2270a7cda76de28c554a7ed1167e49ce19a0fc2f
Author: Andreas Schneider 
Date:   Fri Jul 5 08:03:30 2024 +0200

Bump version to 1.1.16

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit f60b5ac0fda0a789c87297a7e6fb603ad88d687b
Author: Andreas Schneider 
Date:   Fri Jul 5 10:16:16 2024 +0200

doc: Regenerate nss_wrapper manpage

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 20c51654f2856bd5fc4412700a379cf7a0256842
Author: Andreas Schneider 
Date:   Fri Jul 5 10:15:14 2024 +0200

doc: Rename to nss_wrapper.1.adoc

This will give correct highlighting when opening the file.

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 53dc194fcce75a4c45c62ce0e42a3c8a18cf951f
Author: Andreas Schneider 
Date:   Fri Jul 5 10:14:22 2024 +0200

doc: Correctly describe the supported format of passwd and group files

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit e585ccae82ad797655ffbe34f919705ffadef597
Author: Andreas Schneider 
Date:   Fri Jul 5 10:21:44 2024 +0200

nswrap: Fix filling pw_class in nwrap_pw_parse_line()

This fixes a segfault on FreeBSD.

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Stefan Metzmacher 
Signed-off-by: Andreas Schneider 

commit fab4302d00bcd670102f823864fa5a5c877494d5
Author: Andreas Schneider 
Date:   Fri Jul 5 07:59:47 2024 +0200

gitlab-ci: Disable ASLR for TSAN

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 312e75a5b714e6c6ae0b4a2a886e0399a796a283
Author: Andreas Schneider 
Date:   Fri Jul 5 07:55:45 2024 +0200

gitlab-ci: Adopt to gitlab changes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci.yml|  27 +---
 CHANGELOG |   6 +
 CMakeLists.txt|   4 +-
 doc/README|   6 +-
 doc/nss_wrapper.1 | 191 +++---
 doc/{nss_wrapper.1.txt => nss_wrapper.1.adoc} |  12 +-
 src/nss_wrapper.c |   9 +-
 7 files changed, 141 insertions(+), 114 deletions(-)
 rename doc/{nss_wrapper.1.txt => nss_wrapper.1.adoc} (92%)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f35b1f3..65b68c2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,8 +21,6 @@ centos7/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -40,8 +38,6 @@ fedora/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -59,8 +55,6 @@ fedora/address-sanitizer:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -77,8 +71,6 @@ fedora/undefined-sanitizer:
   -DCMAKE_BUILD_TYPE=UndefinedSanitizer
   -DUNIT_TESTING=ON ..
   && make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -91,14 +83,15 @@ fedora/thread-sanitizer:
   stage: analysis
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
   script:
+# Workaround for TSAN with ASLR on newer kernel
+# https://github.com/google/sanitizers/issues/1716
 - export TSAN_OPTIONS=second_deadlock_stack=1
 - mkdir -p obj && cd obj && cmake
   -DCMAKE_BUILD_TYPE=ThreadSanitizer
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
-  make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
+  make -j$(nproc) &&
+  setarch --addr-no-randomize -- ctest --output-on-failure
   except:
 - tags
   artifacts:
@@ -129,8 +122,6 @@ fedora/csbuild:
   --git-commit-range $CI_COMMIT_RANGE
   --color
   --print-current --print-fixed
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -170,8

[SCM] NSS Wrapper Repository - branch master updated

2024-07-04 Thread Andreas Schneider 
The branch, master has been updated
   via  199b6bc src: Fix copy‐paste error referring to wrong variable 
(Samba CID 1609453)
  from  2dd91af src: use LIBC_SO and LIBNSL_SO from GNU libc, if available

https://git.samba.org/?p=nss_wrapper.git;a=shortlog;h=master


- Log -
commit 199b6bc016a48c0ff1ef70c528e9ee0ba08ca626
Author: Jo Sutton 
Date:   Fri Jul 5 12:11:06 2024 +1200

src: Fix copy‐paste error referring to wrong variable (Samba CID 1609453)

Signed-off-by: Jo Sutton 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 src/nss_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/src/nss_wrapper.c b/src/nss_wrapper.c
index 78d88dc..4470d1c 100644
--- a/src/nss_wrapper.c
+++ b/src/nss_wrapper.c
@@ -6549,7 +6549,7 @@ void nwrap_destructor(void)
}
 
SAFE_FREE(nwrap_gr_global.list);
-   nwrap_pw_global.num = 0;
+   nwrap_gr_global.num = 0;
}
 
 #if defined(HAVE_SHADOW_H) && defined(HAVE_GETSPNAM)


-- 
NSS Wrapper Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-04 Thread Volker Lendecke 
The branch, master has been updated
   via  8292481bc06 smbd: Don't talloc_zero where we assign the struct a 
line below
   via  e989d7383ef lib: Remove a few duplicate prototypes
   via  a8405ed15b4 lib: Remove unused strnrchr_w
   via  f31478e782f lib: Remove unused strnrchr_m
   via  f1fae5403ea docs: "share:fake_fscaps" is per share, not global
   via  94f37866b5b smbd: Use new symlink_target_path routine
   via  b91e257f565 libcli: New routine symlink_target_path for [MS-SMB2] 
2.2.2.2.1.1
   via  659cb9f7280 smbd: Rename symlink_target_path to _symlink_target_path
  from  93a3dd48d66 gitlab-ci: Also add the git directory for pipeline in 
the main mirror

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8292481bc06f0a6a905e1cd98f24269cf40161b2
Author: Volker Lendecke 
Date:   Thu Jun 27 16:46:16 2024 +0200

smbd: Don't talloc_zero where we assign the struct a line below

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Thu Jul  4 16:31:39 UTC 2024 on atb-devel-224

commit e989d7383ef872e5b8cad41507ae0630d18efe61
Author: Volker Lendecke 
Date:   Thu Jun 27 18:20:05 2024 +0200

lib: Remove a few duplicate prototypes

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit a8405ed15b4d0f073153620c251582eedf771c65
Author: Volker Lendecke 
Date:   Thu Jun 27 17:54:56 2024 +0200

lib: Remove unused strnrchr_w

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit f31478e782ff28619f16be7dd95bf9d0f64f7d10
Author: Volker Lendecke 
Date:   Thu Jun 27 17:54:01 2024 +0200

lib: Remove unused strnrchr_m

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit f1fae5403ea672eca0bc4c1bc641003a9e641695
Author: Volker Lendecke 
Date:   Wed Jul 3 09:58:02 2024 +0200

docs: "share:fake_fscaps" is per share, not global

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 94f37866b5ba74f08509cac376c5d1ed84c9d3e3
Author: Volker Lendecke 
Date:   Thu Jul 4 11:07:54 2024 +0200

smbd: Use new symlink_target_path routine

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit b91e257f565797849d384cce8f8a200755f71700
Author: Volker Lendecke 
Date:   Wed Jul 3 15:55:46 2024 +0200

libcli: New routine symlink_target_path for [MS-SMB2] 2.2.2.2.1.1

Right now the only user is the user-space symlink following in
smbd. We will use it in libsmb as well to correctly handle
STOPPED_ON_SYMLINK. When trying to upstream that code I found the
previous_slash function incredibly hard to understand.

This new routine makes copy of "const char *_name_in", so that we can
replace previous_slash with a simple strrchr_m. If that's too
slow (which I doubt, this is "only" chasing symlinks) we can always do
something smarter again.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 659cb9f728036e18834fac5bad99f8ef7ba5230e
Author: Volker Lendecke 
Date:   Wed Jul 3 15:38:18 2024 +0200

smbd: Rename symlink_target_path to _symlink_target_path

Only temporary, next step is a new more general symlink_target_path
routine, we'll need that in libcli/smb as well.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 docs-xml/smbdotconf/protocol/sharefakefscaps.xml |  2 +-
 lib/util/charset/charset.h   |  1 -
 lib/util/charset/util_unistr_w.c | 26 ---
 libcli/smb/reparse.c | 94 
 libcli/smb/reparse.h |  8 ++
 source3/include/proto.h  |  7 --
 source3/lib/util_str.c   | 35 -
 source3/smbd/filename.c  | 81 +++-
 source3/smbd/files.c |  2 +-
 9 files changed, 114 insertions(+), 142 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/sharefakefscaps.xml 
b/docs-xml/smbdotconf/protocol/sharefakefscaps.xml
index 11f495526f5..31e7ebc0e75 100644
--- a/docs-xml/smbdotconf/protocol/sharefakefscaps.xml
+++ b/docs-xml/smbdotconf/protocol/sharefakefscaps.xml
@@ -1,5 +1,5 @@
 http://www.samba.org/samba/DTD/samba-doc;>
 
diff --git a/lib/util/charset/charset.h b/lib/util/charset/charset.h
index 8452b5766d1..4316c1b2c6c 100644
--- a/lib/util/charset/charset.h
+++ b/lib/util/charset/charset.h
@@ -292,7 +292,6 @@ size_t strnlen_w(const smb_ucs2_t *src, size_t max);
 smb_ucs2_t *strchr_w(const smb_ucs2_t *s, smb_ucs2_t c);
 smb_ucs2_t *strchr_wa(const smb_ucs2_t *s, char c);
 smb_ucs2_t

[SCM] Samba Shared Repository - branch master updated

2024-07-04 Thread Andreas Schneider 
The branch, master has been updated
   via  93a3dd48d66 gitlab-ci: Also add the git directory for pipeline in 
the main mirror
  from  2e0c693f78a Revert "pidl: Use non-existent function 
dissect_ndr_int64()"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 93a3dd48d66786cb8765d3ce84ca9f3ad419ac88
Author: Andreas Schneider 
Date:   Wed Jul 3 13:05:51 2024 +0200

gitlab-ci: Also add the git directory for pipeline in the main mirror

Signed-off-by: Andreas Schneider 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Jul  4 08:08:49 UTC 2024 on atb-devel-224

---

Summary of changes:
 .gitlab-ci-main.yml | 1 +
 1 file changed, 1 insertion(+)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index ac7e403cd03..c70d9a6af41 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -148,6 +148,7 @@ include:
   # We are already running .gitlab-ci directives from this repo, remove 
additional checks that break our CI
 - git config --global --add safe.directory `pwd`
 - git config --global --add safe.directory 
/builds/samba-team/devel/samba/.git
+- git config --global --add safe.directory /builds/samba-team/samba/.git
   after_script:
 - mount
 - df -h


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-03 Thread Stefan Metzmacher 
The branch, master has been updated
   via  2e0c693f78a Revert "pidl: Use non-existent function 
dissect_ndr_int64()"
  from  2aca5cfbfa4 smbd: correctly restore ENOENT if fstatfs() modifies it

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2e0c693f78ad3741ac4ed4c21f1faa5d5a72d54a
Author: John Thacker 
Date:   Sat Jun 22 07:08:27 2024 -0400

Revert "pidl: Use non-existent function dissect_ndr_int64()"

This reverts commit a836b433ed7f0acca546558d2aec359155999f30.

Wireshark's NDR dissector dissects both signed and unsigned types
of the same size and alignment with the same functions, e.g. see
the handling of "udlong" and "dlong." It is passing the FT_UINT64
vs FT_INT64 field type enum value that determines at the last
moment whether a value is cast to signed. dissect_ndr_uint64()
already has the proper behavior for 8-byte aligned signed 64 bit
integers, and a dissect_ndr_int64() function will not need to be
introduced.

Signed-off-by: John Thacker 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Jo Sutton 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Jul  3 14:19:04 UTC 2024 on atb-devel-224

---

Summary of changes:
 pidl/lib/Parse/Pidl/Wireshark/NDR.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm 
b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
index 05ef8b78554..44d81dbabe2 100644
--- a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
+++ b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm
@@ -1105,7 +1105,7 @@ sub Initialize($$)
 
$self->register_type("uint3264", "offset = dissect_ndr_uint3264(tvb, 
offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT32", "BASE_DEC", 0, 
"NULL", 8);
$self->register_type("hyper", "offset = dissect_ndr_uint64(tvb, offset, 
pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT64", "BASE_DEC", 0, "NULL", 8);
-   $self->register_type("int64", "offset = dissect_ndr_int64(tvb, offset, 
pinfo, tree, di, drep, \@HF\@, NULL);", "FT_INT64", "BASE_DEC", 0, "NULL", 8);
+   $self->register_type("int64", "offset = dissect_ndr_uint64(tvb, offset, 
pinfo, tree, di, drep, \@HF\@, NULL);", "FT_INT64", "BASE_DEC", 0, "NULL", 8);
$self->register_type("udlong", "offset = dissect_ndr_duint32(tvb, 
offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT64", "BASE_DEC", 0, 
"NULL", 4);
$self->register_type("bool8", "offset = PIDL_dissect_uint8(tvb, offset, 
pinfo, tree, di, drep, \@HF\@, \@PARAM\@);","FT_INT8", "BASE_DEC", 0, "NULL", 
1);
$self->register_type("char", "offset = PIDL_dissect_uint8(tvb, offset, 
pinfo, tree, di, drep, \@HF\@, \@PARAM\@);","FT_INT8", "BASE_DEC", 0, "NULL", 
1);


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-03 Thread Stefan Metzmacher 
The branch, master has been updated
   via  2aca5cfbfa4 smbd: correctly restore ENOENT if fstatfs() modifies it
  from  95420715881 pidl:Wireshark Fix the type of array of pointerse to 
hf_ values

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2aca5cfbfa45d2fcf00688388688812445123f3f
Author: Stefan Metzmacher 
Date:   Wed Jul 3 10:58:33 2024 +0200

smbd: correctly restore ENOENT if fstatfs() modifies it

Review with: git show -U5

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Jul  3 11:41:12 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/smbd/open.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 0c101c19b46..7999b3f082e 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1190,10 +1190,8 @@ static NTSTATUS reopen_from_fsp(struct files_struct 
*dirfsp,
struct statfs sbuf = {};
int ret = fstatfs(old_fd, );
if (ret == -1) {
-   int saved_errno = errno;
DBG_ERR("fstatfs failed: %s\n",
strerror(errno));
-   errno = saved_errno;
} else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) {
/*
 * When reopening an as-yet
@@ -1203,6 +1201,8 @@ static NTSTATUS reopen_from_fsp(struct files_struct 
*dirfsp,
 */
goto namebased_open;
}
+   /* restore ENOENT if changed in the meantime */
+   errno = ENOENT;
}
 #endif
status = map_nt_error_from_unix(errno);


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-07-03 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  bff728a842f third_party/heimdal: Import 
lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
   via  41c8a42c8ae tests/krb5: Add tests for errors produced when logging 
in with unusable accounts
   via  d4c1e215a9b tests/krb5: Allow creation of disabled accounts for 
testing
   via  50a417a2240 python/tests/krb5: Prepare for PKINIT tests with 
UF_SMARTCARD_REQUIRED
   via  c1433f821f7 tests/krb5: Fix PK-INIT test framework to allow expired 
password keys
   via  4e57b8a5fe6 dsdb: Reduce minimum maxPwdAge from 1 day to nil
  from  eeae9fe4b01 VERSION: Bump version up to Samba 4.20.3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit bff728a842fde296d70f5c993087b4e47794a98a
Author: Jo Sutton 
Date:   Wed Jun 12 14:42:38 2024 +1200

third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 
4315286377278234be2f3b6d52225a17b6116d54)

This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit fe90576871b5d644b9e888fd7a0b0351feaba750)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jul  3 10:06:33 UTC 2024 on atb-devel-224

commit 41c8a42c8ae8b89354ddaa02ea3d0035445d6b44
Author: Jo Sutton 
Date:   Thu Jun 27 12:29:52 2024 +1200

tests/krb5: Add tests for errors produced when logging in with unusable 
accounts

Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f)

commit d4c1e215a9bd60c02f3450aa602725663d919d81
Author: Jo Sutton 
Date:   Tue Jun 25 12:51:48 2024 +1200

tests/krb5: Allow creation of disabled accounts for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 
(backported from commit 6dc6168719cf232ac2c1d747f10aad9b13300c02)

[jsut...@samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/kdc_base_test.py]

commit 50a417a2240f99b155fed436df32bf242e579f73
Author: Andrew Bartlett 
Date:   Tue Mar 19 14:37:24 2024 +1300

python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 
(backported from commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

[jsut...@samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/pkinit_tests.py]

commit c1433f821f7c5f6ec3ce93c0c1d79c8a3f51fce1
Author: Jo Sutton 
Date:   Fri Mar 22 12:58:19 2024 +1300

tests/krb5: Fix PK-INIT test framework to allow expired password keys

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 7cc8f455191faacf32efc474c27e99d45ef2e024)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

commit 4e57b8a5fe68427b844d94f79ea071f333107f6b
Author: Andrew Bartlett 
Date:   Fri May 17 14:19:31 2024 +1200

dsdb: Reduce minimum maxPwdAge from 1 day to nil

This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 
(cherry picked from commit 3669479f22f2109a64250ffabd1f6453882d29f1)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

---

Summary of changes:
 python/samba/tests/krb5/kdc_base_test.py |  24 ++-
 python/samba/tests/krb5/lockout_tests.py | 210 ++-
 python/samba/tests/krb5/pkinit_tests.py  |  15 +-
 python/samba/tests/krb5/raw_testcase.py  |  18 ++-
 python/samba/tests/krb5/rfc4120_constants.py |   1 +
 selftest/knownfail_mit_kdc   |   5 +
 source4/dsdb/samdb/ldb_modules/operational.c |   4 +-
 third_party/heimdal/kdc/fast.c   |  13 +-
 8 files changed, 278 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
index 373c73ecb9a..d983c631a46 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -74,6 +74,7 @@ from samba.dsdb import (
 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP,
 GTYPE_SECURITY_GLOBAL_GROUP,
 GTYPE_SECURITY_UNIVERSAL_GROUP,
+

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-07-03 Thread Jule Anger 
The branch, v4-19-test has been updated
   via  2cf809bb1f3 third_party/heimdal: Import 
lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
   via  86034d86d98 tests/krb5: Add tests for errors produced when logging 
in with unusable accounts
   via  7cc2b7b0288 tests/krb5: Allow creation of disabled accounts for 
testing
   via  2102b619cf6 python/tests/krb5: Prepare for PKINIT tests with 
UF_SMARTCARD_REQUIRED
   via  9c64cd3f2e0 tests/krb5: Fix PK-INIT test framework to allow expired 
password keys
   via  e65a4281c13 dsdb: Reduce minimum maxPwdAge from 1 day to nil
   via  a35edbb5302 tests/krb5: Use __slots__ to indicate which attributes 
are used by classes
   via  fc8beb134d2 tests/krb5: Add method to perform an armored AS‐REQ
   via  bb5414a6088 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts
   via  b3519d06b63 auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()
   via  20fcb8f8bce auth/credentials: add 
cli_credentials_get_kerberos_state_obtained() helper
   via  b79e3492f80 testprogs/blackbox: add test_ldap_token.sh to test 
"client use kerberos" and --use-kerberos
   via  bfe5ad43a57 testprogs/blackbox: let test_trust_token.sh check for 
S-1-18-1 with kerberos
   via  28fbc8ff19b ctdb/docs: Include ceph rados namespace support in man 
page
   via  0597a2a62ac ctdb/ceph: Add optional namespace support for mutex 
helper
   via  ac5efd0302f vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send
   via  1af40f29c7e s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
   via  f525d2fef3d script/autobuild.py: Add test for --vendor-name and 
--vendor-patch-revision
   via  80655e22136 build: Add --vendor-name --vendor-patch-revision 
options to ./configure
   via  7ccbbb4baf1 s4:nbt_server: simulate nmbd and provide unexpected 
handling
   via  9a9dc998926 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw 
blobs
   via  a308204aa1b s4:libcli/dgram: make use of socket_address_copy()
   via  1d766f29245 s4:libcli/dgram: let the generic incoming handler also 
get unexpected mailslot messages
   via  e2cec0d2800 libcli/nbt: add nbt_name_send_raw()
   via  12a6060eed0 s3:libsmb/dsgetdcname: use 
NETLOGON_NT_VERSION_AVOID_NT4EMUL
   via  8b39131deb4 s3:libsmb/unexpected: pass nmbd_socket_dir from the 
callers of nb_packet_{server_create,reader_send}()
   via  8c06b437064 s3:libsmb/unexpected: don't use talloc_tos() in async 
code
   via  5de4ae88ced s3:wscript: LIBNMB requires lp_ functions
   via  39789dce2dd s3:include: split out fstring.h
   via  7e076141857 s3:include: let nameserv.h be useable on its own
   via  dfa0b1adb87 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share
   via  6c86b519936 selftest: Add a python blackbox test for some misc 
(widelink) DFS tests
   via  fd58608723f s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored
   via  c29dc6e79b0 s4:dns_server: correctly sign dns update responses with 
gss-tsig like Windows
   via  6d3d87babdc s4:dns_server: dns_verify_tsig should return REFUSED on 
error
   via  c7188e17464 s4:dns_server: also search DNS_QTYPE_TKEY in the 
answers section if it's the last section
   via  288744a74b5 s4:dns_server: use tkey->algorithm if available in 
dns_sign_tsig()
   via  7a457c6813d s4:dns_server: use the client provided algorithm for 
the fake TSIG structure
   via  cbf10a68e1c s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TSIG
   via  234503e2375 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TKEY
   via  662c4675666 s4:dns_server: failed dns updates should result in 
REFUSED for ACCESS_DENIED
   via  4a7d14efe47 python:tests/dns_tkey: add 
test_update_tsig_record_access_denied()
   via  d5c6276f534 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to 
samba.tests.dns_tkey
   via  e50968ed096 python:tests/dns_base: add get_unpriv_creds() helper
   via  0ee7660ffe5 python:tests/dns_tkey: let test_update_tsig_windows() 
actually pass against windows 2022
   via  4d4b39c102d python:tests/dns_base: let verify_packet() work against 
Windows
   via  4bc0619b1e2 python:tests/dns_tkey: test bad and changing tsig 
algorithms
   via  eb18b228d1b python:tests/dns_tkey: add gss.microsoft.com tsig 
updates
   via  f984b281c5f python:tests/dns_tkey: let us have 
test_update_gss_tsig_tkey_req_{additional,answers}()
   via  e120078e2c3 python:tests/dns_tkey: test TKEY with gss-tsig, 
gss.microsoft.com and invalid algorithms
   via  16c21888ea4 python:tests/dns_base: maintain a dict with tkey 
related state
   via  2741574e32f python:tests/dns_base: let dns_transaction_udp() take 
allow_{remaining,truncated}=True
   via  48be174b021 python:tests/dns_base: pass

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-07-03 Thread Stefan Metzmacher 
The branch, v4-19-test has been updated
   via  fecc211af0e BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs
  from  6875787d129 VERSION: Bump version up to Samba 4.19.8...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit fecc211af0edc2f7d6a553df7a07317a2cfe27f6
Author: Stefan Metzmacher 
Date:   Thu Jun 13 15:31:48 2024 +0200

BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs

This should have been in commit:
6ca4df6374136d1d205de689618dc8fce5177d14

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-19-test): Stefan Metzmacher 
Autobuild-Date(v4-19-test): Wed Jul  3 08:36:32 UTC 2024 on atb-devel-224

---

Summary of changes:
 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs 
b/lib/ldb/ABI/pyldb-util-2.8.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.8.1.sigs


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-02 Thread Douglas Bagnall 
The branch, master has been updated
   via  95420715881 pidl:Wireshark Fix the type of array of pointerse to 
hf_ values
   via  4a050601322 pidl:Wireshark Rename tvb_new_subset()
   via  39f05512626 pidl:Wireshark Get rid of Boolean "flags" with no bit 
set
   via  b8d902df037 pidl:Wireshark Fix array of pointers NULL termination
   via  3c97ad41c3b pidl:Wireshark Use proto_tree_add_bitmask_with_flags
   via  97be45f9ea3 cmdline:burn: add a note about short option combinations
   via  63a83fb7bb3 cmdline:burn: explicitly burn --username
   via  f1fbba6dc60 cmdline:burn: use allowlist to ensure more passwords 
burn
   via  c4df89e9640 cmdline: test_cmdline tests more burning
   via  6effed31899 cmdline:burn: do not burn options starting --user-*, 
--password-*
   via  f5233ddf974 cmdline:burn: localise some variables
   via  d3d8dffc021 cmdline:burn: always return true if burnt
   via  53a11845252 cmdline:burn: handle arguments separated from their 
--options
   via  2f6020cf3da cmdline:burn: do not retain false memories
   via  05128a1f5f1 cmdline:tests: extend cmdline_burn tests
   via  f17a2b1b25f selftest: run the cmdline tests that we already have
   via  f3b240da5c2 cmdline:burn: '-U' does not imply secrets without '%'
   via  7fb38aee129 docs-xml:manpages: allow for longer version strings
   via  673c8e6ca59 build: --vendor-suffix instead of 
--vendor-patch-revision --vendor-name
   via  0bc5b6f2930 buildtools: sanitise strange characters in vendor 
strings
  from  056dd415dda ctdb-failover: omit "restrict" optimization keyword

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 95420715881337187bda2311ced667a704fab737
Author: John Thacker 
Date:   Tue Jun 25 18:40:20 2024 -0400

pidl:Wireshark Fix the type of array of pointerse to hf_ values

Picked from Wireshark's fork:

commit e1d9a226a2b8f2824a0eb162a8dc972e6e6c2dd4
Author: Guy Harris 
Date:   Thu Jun 18 18:14:46 2020 -0700

Fix the type of arrays of pointers to hf_ values for bitfield 
routines.

The static arrays are supposed to be arrays of const pointers to 
int,
not arrays of non-const pointers to const int.

Fixing that means some bugs (scribbling on what's *supposed* to be a
const array) will be caught (see packet-ieee80211-radiotap.c for
examples, the first of which inspired this change and the second of
which was discovered while testing compiles with this change), and
removes the need for some annoying casts.

Also make some of those arrays static while we're at it.

Update documentation and dissector-generator tools.

Change-Id: I789da5fc60aadc15797cefecfd9a9fbe9a130ccc
Reviewed-on: https://code.wireshark.org/review/37517
Petri-Dish: Guy Harris 
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman 

Signed-off-by: John Thacker 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Wed Jul  3 02:35:43 UTC 2024 on atb-devel-224

commit 4a050601322f51fb66c90fa8c457924838430158
Author: John Thacker 
Date:   Tue Jun 25 18:38:43 2024 -0400

pidl:Wireshark Rename tvb_new_subset()

Picked from Wireshark's fork:

commit 7cd6906056922e4b8f68f1216d94eaa0809896fe
Author: Guy Harris 
Date:   Mon Jan 9 22:18:49 2017 -0800

Rename tvb_new_subset() to tvb_new_subset_length_caplen().

This emphasizes that there is no such thing as *the* routine to
construct a subset tvbuff; you need to choose one of
tvb_new_subset_remaining() (if you want a new tvbuff that contains
everything past a certain point in an existing tvbuff),
tvb_new_subset_length() (if you want a subset that contains 
everything
past a certain point, for some number of bytes, in an existing 
tvbuff),
and tvb_new_subset_length_caplen() (for all other cases).

Many of the calls to tvb_new_subset_length_caplen() should really be
calling one of the other routines; that's the next step.  (This also
makes it easier to find the calls that need fixing.)

Change-Id: Ieb3d676d8cda535451c119487d7cd3b559221f2b
Reviewed-on: https://code.wireshark.org/review/19597
Reviewed-by: Guy Harris 

Signed-off-by: John Thacker 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Stefan Metzmacher 

commit 39f0551262671a6217cd0844437b9776b048578a
Author: John Thacker 
Date:   Tue Jun 25 18:37:28 2024 -0400

pidl:Wireshark Get rid of Boolean "flags" with no bit set

[SCM] Samba Shared Repository - branch master updated

2024-07-02 Thread Martin Schwenke 
The branch, master has been updated
   via  056dd415dda ctdb-failover: omit "restrict" optimization keyword
  from  6ba69da8d37 ctdb/wscript: Remove long pending unsupported option

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 056dd415ddad4ebdb73acb531dd339a03ca8ce51
Author: Björn Baumbach 
Date:   Tue Jul 2 18:04:40 2024 +0200

ctdb-failover: omit "restrict" optimization keyword

Fails with some compilers with

error: expected ';', ',' or ')' before 'lineptr'

Signed-off-by: Björn Baumbach 
Reviewed-by: Volker Lendecke 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Tue Jul  2 23:52:37 UTC 2024 on atb-devel-224

---

Summary of changes:
 ctdb/failover/statd_callout.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/failover/statd_callout.c b/ctdb/failover/statd_callout.c
index 9a85cad7fe2..2f703560b29 100644
--- a/ctdb/failover/statd_callout.c
+++ b/ctdb/failover/statd_callout.c
@@ -55,9 +55,9 @@ struct {
};
 } config;
 
-static bool getline_strip(char **restrict lineptr,
+static bool getline_strip(char **lineptr,
  size_t *n,
- FILE *restrict stream)
+ FILE *stream)
 {
bool was_null;
int ret;


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-02 Thread Volker Lendecke 
The branch, master has been updated
   via  6ba69da8d37 ctdb/wscript: Remove long pending unsupported option
   via  121687e7bd7 source3/wscript: Remove long pending unsupported option
  from  03e9575e38d s3:smbd: Avoid compiler warning for unused label

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6ba69da8d37cdc1c851835048b2eea5d13e1810f
Author: Anoop C S 
Date:   Tue Jul 2 10:57:28 2024 +0530

ctdb/wscript: Remove long pending unsupported option

It has been a while since --with-libcephfs option was dropped. Therefore
stop advertising it through waf scripts.

Signed-off-by: Anoop C S 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Tue Jul  2 09:13:20 UTC 2024 on atb-devel-224

commit 121687e7bd7d0f268347c3e4a37ffd5f06914a4d
Author: Anoop C S 
Date:   Tue Jul 2 10:56:45 2024 +0530

source3/wscript: Remove long pending unsupported option

It has been a while since --with-libcephfs option was dropped. Therefore
stop advertising it through waf scripts.

Signed-off-by: Anoop C S 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 ctdb/wscript| 8 
 source3/wscript | 8 
 2 files changed, 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/wscript b/ctdb/wscript
index a557d0a872e..6a16991f413 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -102,9 +102,6 @@ def options(opt):
help=("Use pcap for packet capture (default=no)"),
action="store_true", dest='ctdb_pcap', default=False)
 
-opt.add_option('--with-libcephfs',
-   help=("Directory under which libcephfs is installed"),
-   action="store", dest='libcephfs_dir', default=None)
 opt.add_option('--enable-ceph-reclock',
help=("Enable Ceph CTDB recovery lock helper (default=no)"),
action="store_true", dest='ctdb_ceph_reclock', 
default=False)
@@ -282,11 +279,6 @@ def configure(conf):
 Logs.info('Building with etcd support')
 conf.env.etcd_reclock = have_etcd_reclock
 
-if Options.options.libcephfs_dir:
-Logs.error('''--with-libcephfs no longer supported, please use compiler
-   flags instead, e.g. GCC LIBRARY_PATH and C_INCLUDE_PATH''')
-sys.exit(1)
-
 if Options.options.ctdb_ceph_reclock:
 if (conf.CHECK_HEADERS('rados/librados.h', False, False, 'rados') and
conf.CHECK_LIB('rados', shlib=True)):
diff --git a/source3/wscript b/source3/wscript
index d8f04646b03..4415b373913 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -86,10 +86,6 @@ def options(opt):
 opt.samba_add_onoff_option('fake-kaserver',
   help=("Include AFS fake-kaserver support"), 
default=False)
 
-opt.add_option('--with-libcephfs',
-   help=("Directory under which libcephfs is installed"),
-   action="store", dest='libcephfs_dir', default=None)
-
 opt.samba_add_onoff_option('glusterfs', with_name="enable", 
without_name="disable", default=True)
 opt.samba_add_onoff_option('cephfs', with_name="enable", 
without_name="disable", default=True)
 
@@ -1622,10 +1618,6 @@ int main(void) {
 conf.DEFINE('HAVE_LINUX_IOCTL', '1')
 
 conf.env['CFLAGS_CEPHFS'] = "-D_FILE_OFFSET_BITS=64"
-if Options.options.libcephfs_dir:
-Logs.error('''--with-libcephfs no longer supported, please use compiler
-   flags instead, e.g. GCC LIBRARY_PATH and C_INCLUDE_PATH''')
-sys.exit(1)
 
 if (Options.options.with_cephfs and
 conf.CHECK_HEADERS('cephfs/libcephfs.h', False, False, 'cephfs') and


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-07-01 Thread Martin Schwenke 
The branch, master has been updated
   via  03e9575e38d s3:smbd: Avoid compiler warning for unused label
   via  e50a69334ea s4:dsdb: Remove unnecessary MIN()
   via  50c37d618f8 lib:krb5_wrap: Fix code spelling
   via  66928d858f3 s4:auth: Correct order of parameters in documentation
   via  ec73e99792d s3:rpc_server: Fix code spelling
   via  239a8f277ca lib:crypto: Remove unused macro definitions
   via  939481329ee perftest:ndr_pack_performance: Remove obselete comment
   via  4844b1c34cb perftest:ndr_pack_performance: Remove unused import
   via  32cd94b1e4a s3:rpc_server: Update deprecated directives
   via  a9ad964cf16 pyglue: Remove global variables used in only one place
   via  c4728578def s4:dsdb: Use appropriate type for userAccountControl 
flags
   via  3dffd0fa677 s4:auth: Use appropriate type for userAccountControl 
flags
   via  8a456f373f7 s3:param: Check return value of strlower_m() (CID 
1598446)
   via  9853bd69eb2 tests/krb5: Simplify code using dict.get()
   via  7ae89d8d3c7 tests/krb5: Fix type errors by giving ‘pwd_last_set’ an 
appropriate type
  from  60550fbe184 Fix starvation of pending writes in CTDB queues

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 03e9575e38d737e0972d4736a80949dcdb515c44
Author: Jo Sutton 
Date:   Mon Jul 1 15:55:13 2024 +1200

s3:smbd: Avoid compiler warning for unused label

If either of HAVE_FSTATFS and HAVE_LINUX_MAGIC_H are not defined, gcc
produces the following error:

../../source3/smbd/open.c: In function ‘reopen_from_fsp’:
../../source3/smbd/open.c:1222:1: error: label ‘namebased_open’ defined but 
not used [-Werror=unused-label]
 1222 | namebased_open:
  | ^~

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Tue Jul  2 04:44:56 UTC 2024 on atb-devel-224

commit e50a69334eaf6cadcf3ce93ab8b48e64c8940058
Author: Jo Sutton 
Date:   Thu Jan 18 15:16:36 2024 +1300

s4:dsdb: Remove unnecessary MIN()

Since we have ensured that val->length >= sizeof(hash->hash),
MIN(val->length, sizeof(hash->hash)) will here always be equal to
sizeof(hash->hash).

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 50c37d618f8037e5b7f9e3e0efd9aa0baea394bf
Author: Jo Sutton 
Date:   Wed Jan 17 13:21:04 2024 +1300

lib:krb5_wrap: Fix code spelling

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 66928d858f31cc08bd2cbe69bf34cab8ab5e
Author: Jo Sutton 
Date:   Wed Jan 17 12:45:15 2024 +1300

s4:auth: Correct order of parameters in documentation

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit ec73e99792d4b368d57d6d4d6f1e01b95e5c88e4
Author: Jo Sutton 
Date:   Tue Jan 16 10:38:27 2024 +1300

s3:rpc_server: Fix code spelling

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 239a8f277ca5b30baac2255a720d8d43d12bfc69
Author: Jo Sutton 
Date:   Tue Dec 5 15:40:30 2023 +1300

lib:crypto: Remove unused macro definitions

As we now require GnuTLS 3.6.13, we can rely on GnuTLS providing these
macros.

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 939481329ee06692ef832cfd374a994dabfbf8b6
Author: Jo Sutton 
Date:   Mon Jan 8 17:22:39 2024 +1300

perftest:ndr_pack_performance: Remove obselete comment

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 4844b1c34cbc362b6103a13f7a67c95ad52c26af
Author: Jo Sutton 
Date:   Mon Jan 8 17:22:21 2024 +1300

perftest:ndr_pack_performance: Remove unused import

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit 32cd94b1e4a8cf98087819c7edff71aae0adc5ec
Author: Jo Sutton 
Date:   Fri Dec 22 13:35:26 2023 +1300

s3:rpc_server: Update deprecated directives

‘api.prefix’ and ‘parse.error’ have both been supported since Bison 3.0.

/data/samba/source3/rpc_server/mdssvc/es_parser.y:98.1-21: warning: 
deprecated directive: ‘%name-prefix "mdsyyl"’, use ‘%define api.prefix 
{mdsyyl}’ [-Wdeprecated]
   98 | %name-prefix "mdsyyl"
  | ^
  | %define api.prefix {mdsyyl}
/data/samba/source3/rpc_server/mdssvc/es_parser.y:100.1-14: warning: 
deprecated directive: ‘%error-verbose’, use ‘%define parse.error verbose’ 
[-Wdeprecated]
  100 | %error-verbose
  | ^~
  | %define parse.error verbose
/data/samba/source3/rpc_server/mdssvc/es_parser.y: warning: fix-its can be 
applied.  Rerun with option '--update'. [-Wother]

Signed-off-by: Jo Sutton 
Reviewed-by: Martin Schwenke 

commit a9ad964cf16c691a8cd97c1e7fa6416b66c85e95
Author: Jo Sutton 
Date:   Tue Dec 12 17:38:02 2023 +1300

pyglue: Remove global variables

[SCM] Samba Shared Repository - branch master updated

2024-07-01 Thread Volker Lendecke 
The branch, master has been updated
   via  60550fbe184 Fix starvation of pending writes in CTDB queues
  from  6d3cfb4b1c6 s4:torture: Initialize param arrays

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 60550fbe184a5cefa55a8f0bab508f70def7a684
Author: Xavi Hernandez 
Date:   Thu Jun 27 15:41:19 2024 +0200

Fix starvation of pending writes in CTDB queues

CTDB uses a queue to receive requests and send answers. It works
asynchronously using the tevent framework. However there was an issue
that gave priority to the receiving side so, when a request was
processed and the answer posted to the queue, if another incoming
request arrived, it was served before sending the previous answer.

This scenario could repeat for long periods of time if the frequency of
incoming requests was high enough.

Eventually, a small time gap between incoming request gave a chance to
process the pending output queue, sending many answers in a burst.

This patch makes sure that both queues (input and output) are processed
if the event contains the appropriate flag.

Signed-off-by: Xavi Hernandez 
Reviewed-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Mon Jul  1 09:17:43 UTC 2024 on atb-devel-224

---

Summary of changes:
 ctdb/common/ctdb_io.c | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/ctdb_io.c b/ctdb/common/ctdb_io.c
index bf8bc73b77d..9ac9b84a7fb 100644
--- a/ctdb/common/ctdb_io.c
+++ b/ctdb/common/ctdb_io.c
@@ -272,7 +272,7 @@ static void queue_dead(struct tevent_context *ev, struct 
tevent_immediate *im,
 /*
   called when an incoming connection is writeable
 */
-static void queue_io_write(struct ctdb_queue *queue)
+static bool queue_io_write(struct ctdb_queue *queue)
 {
while (queue->out_queue) {
struct ctdb_queue_pkt *pkt = queue->out_queue;
@@ -294,14 +294,14 @@ static void queue_io_write(struct ctdb_queue *queue)
queue->fd = -1;
tevent_schedule_immediate(queue->im, queue->ctdb->ev,
  queue_dead, queue);
-   return;
+   return false;
}
-   if (n <= 0) return;
+   if (n <= 0) return true;

if (n != pkt->length) {
pkt->length -= n;
pkt->data += n;
-   return;
+   return true;
}
 
DLIST_REMOVE(queue->out_queue, pkt);
@@ -310,6 +310,8 @@ static void queue_io_write(struct ctdb_queue *queue)
}
 
TEVENT_FD_NOT_WRITEABLE(queue->fde);
+
+   return true;
 }
 
 /*
@@ -320,10 +322,13 @@ static void queue_io_handler(struct tevent_context *ev, 
struct tevent_fd *fde,
 {
struct ctdb_queue *queue = talloc_get_type(private_data, struct 
ctdb_queue);
 
+   if (flags & TEVENT_FD_WRITE) {
+   if (!queue_io_write(queue)) {
+   return;
+   }
+   }
if (flags & TEVENT_FD_READ) {
queue_io_read(queue);
-   } else {
-   queue_io_write(queue);
}
 }
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-06-30 Thread Martin Schwenke 
The branch, master has been updated
   via  6d3cfb4b1c6 s4:torture: Initialize param arrays
   via  f52e7fd3c02 s4:torture: Remove trailing spaces from gentest.c
   via  b11cf72c1be s3:winbind: Fix integer type of len
   via  aae8cab3f9b s3:smbd: Make sure struct security_ace is initialized
   via  321ee914a4b s3:libsmb: Check if we have a valid file descriptor
   via  57001527ae6 s4:torture: Initialize pointers
   via  1d38f6ee925 s4:torture: Initialize struct smb2_handle
   via  b6d66e55adc s4:torture: Initialize struct netr_LogonSamLogonEx
   via  d755bc43d8f s3:rpc_client: Initialize struct security_ace
   via  9ec0f8bd602 s4:torture: Make sure struct smb2_handle is initialized
   via  14786193632 s3:smbd: Make sure struct security_ace is initialized
   via  df8d19e53b6 s3:smbd: Remove trailing spaces in posix_acls.c
   via  5eb58b16ca7 examples: Make sure the array is probably initialized
   via  384d948b8d8 winexe: Make sure specificError is initialized
  from  0ebabaedbc0 smbd: Fix cached dos attributes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6d3cfb4b1c60bca966c21ee772f3b1ba5ac76371
Author: Andreas Schneider 
Date:   Fri Jun 21 13:36:23 2024 +0200

s4:torture: Initialize param arrays

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/gentest.c:2690: var_decl: Declaring 
variable ""parm"" without initializer.
samba-4.20.0rc2/source4/torture/gentest.c:2711: uninit_use: Using 
uninitialized value ""parm[0]"". Field ""parm[0].out"" is uninitialized.
 2709|  }
 2710|
 2711|->GEN_COPY_PARM;
 2712|  GEN_SET_FNUM_SMB2(in.file.handle);
 2713|  GEN_CALL_SMB2(smb2_lock(tree, [i]));"

Signed-off-by: Andreas Schneider 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Mon Jul  1 00:23:08 UTC 2024 on atb-devel-224

commit f52e7fd3c02592baebca8d493e37ba0a7bc6dd9d
Author: Andreas Schneider 
Date:   Fri Jun 21 13:37:46 2024 +0200

s4:torture: Remove trailing spaces from gentest.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Martin Schwenke 

commit b11cf72c1be13b83fb9a3e8c852ba73ac3f7e9e2
Author: Andreas Schneider 
Date:   Fri Jun 21 10:57:32 2024 +0200

s3:winbind: Fix integer type of len

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:849: cast_overflow: 
Truncation due to cast operation on ""len"" from 32 to 8 bits.
samba-4.20.0rc2/source3/winbindd/winbindd_cache.c:851: overflow_sink: 
""len"", which might have overflowed, is passed to ""memcpy(centry->data + 
centry->ofs, s, len)"". [Note: The source code implementation of the function 
has been overridden by a builtin model.]
  849|  centry_put_uint8(centry, len);
  850|  centry_expand(centry, len);
  851|->memcpy(centry->data + centry->ofs, s, len);
  852|  centry->ofs += len;
  853|   }"

Signed-off-by: Andreas Schneider 
Reviewed-by: Martin Schwenke 

commit aae8cab3f9be0189d6f76bf1a53a1d747b8ba2ff
Author: Andreas Schneider 
Date:   Fri Jun 21 10:49:53 2024 +0200

s3:smbd: Make sure struct security_ace is initialized

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source3/smbd/posix_acls.c:4706: var_decl: Declaring 
variable ""aces"" without initializer.
samba-4.20.0rc2/source3/smbd/posix_acls.c:4748: uninit_use_in_call: Using 
uninitialized value ""*aces"". Field ""aces->object"" is uninitialized when 
calling ""make_sec_acl"".
 4746|  idx++;
 4747|
 4748|->new_dacl = make_sec_acl(ctx,
 4749|  NT4_ACL_REVISION,
 4750|  idx,"

Signed-off-by: Andreas Schneider 
Reviewed-by: Martin Schwenke 

commit 321ee914a4b5232c2ff451352e2f5b5d0bf9a96c
Author: Andreas Schneider 
Date:   Fri Jun 21 10:48:01 2024 +0200

s3:libsmb: Check if we have a valid file descriptor

"Error: REVERSE_NEGATIVE (CWE-191):
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:215: negative_sink_in_call: 
Passing ""t->shutdown_pipe[1]"" to a parameter that cannot be negative.
samba-4.20.0rc2/source3/libsmb/pylibsmb.c:230: check_after_sink: You might 
be using variable ""t->shutdown_pipe[1]"" before verifying that it is >= 0.
  228|  t->shutdown_pipe[0] = -1;
  229|  }
  230|->if (t->shutdown_pipe[1] != -1) {
  231|  close(t->shutdown_pipe[1]);
  232|  t->shutdown_pipe[1] = -1;"

Signed-off-by: Andreas Schneider 
Reviewed-by: Martin Schwenke 

commit 57001527ae6209ec907d37e8b96a2e545cfe632e
Author: Andreas Schneider 
Date:   Fri Jun 21 10:45:23 2024 +0200

s4:torture: Initialize pointers

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1518:

[SCM] Samba Shared Repository - branch master updated

2024-06-28 Thread Ralph Böhme 
The branch, master has been updated
   via  0ebabaedbc0 smbd: Fix cached dos attributes
   via  a32f52e5735 librpc: Make NDR_PRINT_DEBUG call just one DEBUG
   via  b565901a474 smbd: Simplify smbd_do_qfsinfo with direct struct 
initialization
   via  d2932c22e07 smbd: Simplify reopen_from_fsp
   via  c3799dfb4a7 smbd: Remove some unused code
   via  1fb07bc7213 smbd: Avoid a cast
   via  9cb187d1880 smbd: Print reparse_point in dos_mode_debug_print
   via  7b03fc3d9f2 smbd: Simplify dos_mode_from_sbuf
   via  e2ba6144657 smbd: Simplify fdos_mode
   via  6a077e2fcda smbd: Simplify filename_convert_dirfsp_nosymlink
   via  5e206ffbe36 smbd: Remove an obsolete comment
   via  e94de8a4af9 smbd: Simplify init_smb_file_time
   via  e5a304193ba smbd: Simplify copy_stat_ex_timestamps
   via  1d2fbbdd640 smbd: Modernize a DEBUG
   via  2edb49c5fc7 vfs: Fix typos
   via  6f68812d228 smbd: Don't leave a pointer variable uninitialized
   via  e6f8568541a smbd: Align an integer type
   via  0db47112bba smbd: Modernize a DEBUG
  from  11c4b253317 ctdb-conf: Rename config loading to not be 
daemon-specific

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0ebabaedbc06b3b4f658430dcf2edb0711f599fd
Author: Volker Lendecke 
Date:   Mon Jun 24 16:50:57 2024 +0200

smbd: Fix cached dos attributes

The callers of fset_dos_mode must set the cached attributes
themselves, which I did not see. I tried, but I did not find a clean
way to fix this behind SMB_VFS_FSET_DOS_ATTRIBUTES, with a smb_fname
and smb_fname->fsp->fsp_name we might have two copies of the cached
dos attributes around and if we only update fsp->fsp_name, we might
miss the outer one.

Not doing a test, this is really fresh code, and in the future we must
reorganize setting and caching dos attributes anyway.

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Fri Jun 28 14:32:27 UTC 2024 on atb-devel-224

commit a32f52e573561900cbed097c453b5240df3b0ae5
Author: Volker Lendecke 
Date:   Mon Jun 17 14:42:30 2024 +0200

librpc: Make NDR_PRINT_DEBUG call just one DEBUG

Give debug.c the chance to use just one write call (right now it
doesn't yet)

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit b565901a47483ec3782c532a1e87dcf213e30fbe
Author: Volker Lendecke 
Date:   Thu Jun 27 12:50:50 2024 +0200

smbd: Simplify smbd_do_qfsinfo with direct struct initialization

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit d2932c22e07de217766f622f57e6750f0cd4bc46
Author: Volker Lendecke 
Date:   Wed Jun 26 15:30:50 2024 +0200

smbd: Simplify reopen_from_fsp

In a variable declaration the (struct ...) is not needed

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit c3799dfb4a79ab048096ffa0d37f4a487a3a
Author: Volker Lendecke 
Date:   Wed Jun 26 08:57:26 2024 +0200

smbd: Remove some unused code

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 1fb07bc7213d49577e5a853823e68328ca99b863
Author: Volker Lendecke 
Date:   Tue Jun 25 16:11:16 2024 +0200

smbd: Avoid a cast

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 9cb187d1880bf9c56107ccce4dc8956284e94689
Author: Volker Lendecke 
Date:   Tue Jun 25 16:10:28 2024 +0200

smbd: Print reparse_point in dos_mode_debug_print

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 7b03fc3d9f25ce3b82108e0deaffdf70dc83a414
Author: Volker Lendecke 
Date:   Tue Jun 25 16:07:58 2024 +0200

smbd: Simplify dos_mode_from_sbuf

We don't need that else branch, this could be a switch as well

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit e2ba6144657be84f35add7e4c7f7c178f80a4f07
Author: Volker Lendecke 
Date:   Tue Jun 25 16:04:53 2024 +0200

smbd: Simplify fdos_mode

We don't need the outer !NT_STATUS_IS_OK and the comment

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 6a077e2fcdabae64c1ab6e1378ea10ea2b57f738
Author: Volker Lendecke 
Date:   Tue Jun 25 15:49:23 2024 +0200

smbd: Simplify filename_convert_dirfsp_nosymlink

Initialize the timestamps in the existing struct assignment

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 5e206ffbe360004573c00b11fc0bfcdf74f7040d
Author: Volker Lendecke 
Date:   Tue Jun 25 13:08:58 2024 +0200

smbd: Remove an obsolete comment

We have a good understanding of SAMBA_UTIME_OMIT these days

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit e94de8a4af908c0e09185c6b1f1a04848d831dfb
Author: Volker Lendecke 
Date:   Tue Jun 25 13:06:35

[SCM] Samba Shared Repository - branch master updated

2024-06-28 Thread Anoop C S 
The branch, master has been updated
   via  11c4b253317 ctdb-conf: Rename config loading to not be 
daemon-specific
   via  cf25243421c ctdb-conf: Move conf.[ch] to conf/ subdirectory
   via  52e5e926934 ctdb-conf: Move all conf files to new conf/ subdirectory
  from  a77cffaa256 s4:torture: Initialize struct wrepl_wins_name

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 11c4b253317fb533b126e26a69e6a40b3c8b6c25
Author: Martin Schwenke 
Date:   Sat Jun 22 11:27:22 2024 +1000

ctdb-conf: Rename config loading to not be daemon-specific

We might end up using it elsewhere.

Signed-off-by: Martin Schwenke 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit cf25243421c9941cb8caabe22a99ceee7422d1f0
Author: Martin Schwenke 
Date:   Mon Aug 19 12:17:20 2019 +1000

ctdb-conf: Move conf.[ch] to conf/ subdirectory

Signed-off-by: Martin Schwenke 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit 52e5e9269345a16edf27df14392034738886c940
Author: Martin Schwenke 
Date:   Mon Aug 19 12:06:40 2019 +1000

ctdb-conf: Move all conf files to new conf/ subdirectory

Leave common/conf.[ch] where they are to make this commit
comprehensible.

Signed-off-by: Martin Schwenke 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

---

Summary of changes:
 ctdb/{cluster => conf}/cluster_conf.c   |  4 +--
 ctdb/{cluster => conf}/cluster_conf.h   |  2 +-
 ctdb/{common => conf}/conf.c|  2 +-
 ctdb/{common => conf}/conf.h|  0
 ctdb/{common => conf}/conf_tool.c   | 16 +-
 ctdb/{common => conf}/conf_tool.h   |  0
 ctdb/{server => conf}/ctdb_config.c | 20 ++--
 ctdb/{server => conf}/ctdb_config.h |  4 +--
 ctdb/{database => conf}/database_conf.c |  4 +--
 ctdb/{database => conf}/database_conf.h |  2 +-
 ctdb/{event => conf}/event_conf.c   |  4 +--
 ctdb/{event => conf}/event_conf.h   |  2 +-
 ctdb/{failover => conf}/failover_conf.c |  4 +--
 ctdb/{failover => conf}/failover_conf.h |  2 +-
 ctdb/{server => conf}/legacy_conf.c |  4 +--
 ctdb/{server => conf}/legacy_conf.h |  2 +-
 ctdb/{common => conf}/logging_conf.c|  5 +--
 ctdb/{common => conf}/logging_conf.h|  2 +-
 ctdb/event/event_config.c   |  7 +++--
 ctdb/server/ctdb_ltdb_server.c  |  2 +-
 ctdb/server/ctdb_recoverd.c |  2 +-
 ctdb/server/ctdb_takeover.c |  2 +-
 ctdb/server/ctdbd.c |  8 ++---
 ctdb/tests/src/conf_test.c  |  2 +-
 ctdb/wscript| 54 +
 25 files changed, 67 insertions(+), 89 deletions(-)
 rename ctdb/{cluster => conf}/cluster_conf.c (98%)
 rename ctdb/{cluster => conf}/cluster_conf.h (98%)
 rename ctdb/{common => conf}/conf.c (99%)
 rename ctdb/{common => conf}/conf.h (100%)
 rename ctdb/{common => conf}/conf_tool.c (96%)
 rename ctdb/{common => conf}/conf_tool.h (100%)
 rename ctdb/{server => conf}/ctdb_config.c (93%)
 rename ctdb/{server => conf}/ctdb_config.h (93%)
 rename ctdb/{database => conf}/database_conf.c (98%)
 rename ctdb/{database => conf}/database_conf.h (98%)
 rename ctdb/{event => conf}/event_conf.c (97%)
 rename ctdb/{event => conf}/event_conf.h (97%)
 rename ctdb/{failover => conf}/failover_conf.c (95%)
 rename ctdb/{failover => conf}/failover_conf.h (97%)
 rename ctdb/{server => conf}/legacy_conf.c (97%)
 rename ctdb/{server => conf}/legacy_conf.h (97%)
 rename ctdb/{common => conf}/logging_conf.c (98%)
 rename ctdb/{common => conf}/logging_conf.h (97%)


Changeset truncated at 500 lines:

diff --git a/ctdb/cluster/cluster_conf.c b/ctdb/conf/cluster_conf.c
similarity index 98%
rename from ctdb/cluster/cluster_conf.c
rename to ctdb/conf/cluster_conf.c
index bdd64ba112f..b49a2440026 100644
--- a/ctdb/cluster/cluster_conf.c
+++ b/ctdb/conf/cluster_conf.c
@@ -22,9 +22,9 @@
 
 #include "lib/util/debug.h"
 
-#include "common/conf.h"
+#include "conf/conf.h"
 
-#include "cluster_conf.h"
+#include "conf/cluster_conf.h"
 
 #define CLUSTER_TRANSPORT_DEFAULT "tcp"
 
diff --git a/ctdb/cluster/cluster_conf.h b/ctdb/conf/cluster_conf.h
similarity index 98%
rename from ctdb/cluster/cluster_conf.h
rename to ctdb/conf/cluster_conf.h
index 38c378fd571..9775b6fc080 100644
--- a/ctdb/cluster/cluster_conf.h
+++ b/ctdb/conf/cluster_conf.h
@@ -20,7 +20,7 @@
 #ifndef __CTDB_CLUSTER_CONF_H__
 #define __CTDB_CLUSTER_CONF_H__
 
-#include "common/conf.h"
+#include "conf/conf.h"
 
 #define CLUSTER_CONF_SECTION "cluster"
 
diff --git a/ctdb/common/conf.c b/ctdb/conf/conf.c
similarity index 99%
rename from ctdb/common/conf.c
rename to ctdb/conf/conf.c
index a8ff724e73f..67046c715e2 100644
--- a/ctdb/common/conf.c
+++ b/ctdb/conf/conf.c
@@ -26,7 +26,7 @@
 #include "lib/util/tini.h"
 #include

[SCM] Samba Shared Repository - branch master updated

2024-06-28 Thread Andreas Schneider 
The branch, master has been updated
   via  a77cffaa256 s4:torture: Initialize struct wrepl_wins_name
   via  909506c91c1 examples: Initialize char arrays
   via  c814681c6b9 examples: Use cp with force option
   via  54ce370f7d0 s4:torture: Fully initialize struct samr_OpenUser
   via  dd896862d0a s3:rpc_client: Check for array size instead of 
UINT16_MAX
   via  7990a2ba08c s4:torture: Initialize struct wrepl_wins_name
   via  ec7dfedccf6 s3:auth: Avoid passing freed pamh pointer to funcitons 
using it
   via  990a68fedb9 s3:auth: Remove trailing spaces in pampass.c
   via  09d731470e1 s4:torture: Initialize struct smb2_handle
   via  4777464946c s4:torture: Initialize struct nbt_name_query
   via  deced5eaae5 s3:torture: Remove trailing spaces in query.c
  from  f824e985167 doc: Update codeing guidelines for struct initialisation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a77cffaa256e6c4a6dbca115905c09ddbe9c22da
Author: Andreas Schneider 
Date:   Mon Jun 24 15:19:20 2024 +0200

s4:torture: Initialize struct wrepl_wins_name

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:1244: var_decl: 
Declaring variable ""wins_name1"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4835: assign: 
Assigning: ""wins_name_r1"" = ""_name1"", which points to uninitialized 
data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4905: 
uninit_use_in_call: Using uninitialized value ""*wins_name_r1"". Field 
""wins_name_r1->is_group"" is uninitialized when calling 
""test_wrepl_update_one"".
 4903|
 4904|  /* now apply R1 */
 4905|->ret &= test_wrepl_update_one(tctx, ctx, 
records[i].r1.owner, wins_name_r1);
 4906|  ret &= test_wrepl_is_applied(tctx, ctx, 
records[i].r1.owner,
 4907|   wins_name_r1, 
records[i].r1.apply_expected);"

Signed-off-by: Andreas Schneider 
Reviewed-by: Noel Power 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Fri Jun 28 12:44:31 UTC 2024 on atb-devel-224

commit 909506c91c1660f124d772b5caa0191f10ee320c
Author: Andreas Schneider 
Date:   Mon Jun 24 15:17:13 2024 +0200

examples: Initialize char arrays

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/examples/libsmbclient/testacl3.c:15: var_decl: Declaring 
variable ""value"" without initializer.
samba-4.20.0rc2/examples/libsmbclient/testacl3.c:55: uninit_use_in_call: 
Using uninitialized value ""*value"" as argument to ""%s"" when calling 
""printf"". [Note: The source code implementation of the function has been 
overridden by a builtin model.]
   53|  }
   54|
   55|->printf(""Attributes for [%s] are:\n%s\n"", path, value);
   56|  }
   57|"

Signed-off-by: Andreas Schneider 
Reviewed-by: Noel Power 

commit c814681c6b965b15b3d4895cc0d47f01ba2c31d3
Author: Andreas Schneider 
Date:   Mon Jun 24 15:14:43 2024 +0200

examples: Use cp with force option

"Error: SHELLCHECK_WARNING:
/usr/share/doc/samba/printing/VampireDriversFunctions:951:15: 
warning[SC2216]: Piping to 'cp', a command that doesn't read stdin. Wrong 
command or missing xargs?
  949|  CWD2=""$( pwd )"" ;
  950|  cd ""${i}"";
  951|->echo ""yes"" | cp ../alldriverfiles.txt . 2> /dev/null ;
  952|
  953|  cat alldriverfiles.txt \"

Signed-off-by: Andreas Schneider 
Reviewed-by: Noel Power 

commit 54ce370f7d0ac0972f9693cef424c4239b15c754
Author: Andreas Schneider 
Date:   Mon Jun 24 15:09:21 2024 +0200

s4:torture: Fully initialize struct samr_OpenUser

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samr.c:7381: var_decl: Declaring 
variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samr.c:7428: uninit_use: Using 
uninitialized value ""r.out.result.v"".
 7426|  torture_assert_ntstatus_ok(tctx, 
dcerpc_samr_QueryUserInfo_r(b, tctx, ),
 7427|  ""QueryUserInfo failed"");
 7428|->if (!NT_STATUS_IS_OK(r.out.result)) {
 7429|  torture_result(tctx, TORTURE_FAIL, 
""QueryUserInfo(%u) failed - %s\n"", r.in.rid, nt_errstr(r.out.result));
 7430|  return false;"

Signed-off-by: Andreas Schneider 
Reviewed-by: Noel Power 

commit dd896862d0a430daa2f0c38325b6ef56dabe174e
Author: Andreas Schneider 
Date:   Mon Jun 24 13:38:34 2024 +0200

s3:rpc_client: Check for array size instead of UINT16_MAX

mdscli_ctx->mdscmd_open.share_path is an array of size 1025. The
boundary is 1025 and not UINT16_MAX.

"Error: OVERRUN (CWE-119):
samba-4.20.0rc2/source3/rpc_client/cli_mdssvc.c:127: cond_at_least: 
Checking

[SCM] Samba Shared Repository - branch master updated

2024-06-28 Thread Noel Power 
The branch, master has been updated
   via  f824e985167 doc: Update codeing guidelines for struct initialisation
  from  ac7a16f9cc4 smbd: Fix crossing automounter mount points

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f824e985167f08df80a5cf635809eed6573b2e13
Author: Noel Power 
Date:   Thu Jun 27 09:02:04 2024 +0100

doc: Update codeing guidelines for struct initialisation

Signed-off-by: Noel Power 
Reviewed-by: Ralph Boehme 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Noel Power 
Autobuild-Date(master): Fri Jun 28 10:17:14 UTC 2024 on atb-devel-224

---

Summary of changes:
 README.Coding.md | 42 ++
 1 file changed, 42 insertions(+)


Changeset truncated at 500 lines:

diff --git a/README.Coding.md b/README.Coding.md
index 76f2c70e95a..53a829cb4f2 100644
--- a/README.Coding.md
+++ b/README.Coding.md
@@ -390,6 +390,48 @@ Bad Example:
 
pointer1 = some_func1();
 ```
+### Initialize structs
+
+All structures MUST be at least initialised to 0/NULL.
+
+Current recommended initialization:
+
+```c
+struct somestruct {
+int ival;
+bool bval;
+double dval;
+char *sval;
+};
+
+struct somestruct var1 = {};
+```
+
+avoid:
+
+```c
+struct somestruct var1 = {0};
+```
+
+as it can be less portable, in particular if the first element of the struct 
in question is a nested struct.
+
+Of course if specific members need non-zero initialization then use something 
like:
+
+```c
+struct bar {
+int inner;
+};
+struct foo {
+int outer;
+struct bar nested;
+};
+struct foo var2 = {
+.outer = 5,
+.nested = {
+.inner = 3,
+},
+};
+```
 
 ### Make use of helper variables
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-06-27 Thread Ralph Böhme 
The branch, master has been updated
   via  ac7a16f9cc4 smbd: Fix crossing automounter mount points
  from  2d743185e0c vfs_ceph: use consistent code style when setting errno

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ac7a16f9cc4bd97ef546d1b7b02605991000d0f9
Author: Volker Lendecke 
Date:   Fri Dec 29 16:54:56 2023 +0100

smbd: Fix crossing automounter mount points

We get ENOENT on /proc/self/fd/ when we try to turn the
mountpoint's O_PATH handle into a real one. This does not trigger a
mount attempt, you have to use name-based calls.

This is not the real fix, because if the autofs mount triggers, the
inode number will change. For directories this is not a huge problem
as we don't touch the share mode database before we open the "real"
fd. We would only violate potential share modes with other pure
READ_ATTRIBUTES (i.e. stat-) opens that came before the mount
trigger.

As I don't think share modes on directories are really relevant, I
think we can live with this "fix". Once we do directory leases this
will potentially change.

As a quick remedy we could use our defer_open() mechanism that starts
path processing from scratch. But as long as this seems not really
required, we should not add users of this really bad way of going back
to square 1.

The "real" fix would be to go back to the point where we open the last
component with openat(). In the retry round we need to do this without
O_PATH to trigger the mount and only then do the initial fstat.

Right now I don't see an easy way to properly test this
behaviour. Intercepting with vfs_error_inject is certainly possible,
but nailing the exact call would clutter the main code path. So I have
just tested this manually.

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Thu Jun 27 11:59:05 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/smbd/open.c | 26 ++
 source3/wscript |  5 +
 2 files changed, 31 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 7d2227f9d9f..20db4cf5e23 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -43,6 +43,10 @@
 #include "lib/util/time_basic.h"
 #include "source3/smbd/dir.h"
 
+#if defined(HAVE_LINUX_MAGIC_H)
+#include 
+#endif
+
 extern const struct generic_mapping file_generic_mapping;
 
 struct deferred_open_record {
@@ -1180,6 +1184,27 @@ static NTSTATUS reopen_from_fsp(struct files_struct 
*dirfsp,
fsp,
how);
if (new_fd == -1) {
+#if defined(HAVE_FSTATFS) && defined(HAVE_LINUX_MAGIC_H)
+   if (S_ISDIR(fsp->fsp_name->st.st_ex_mode) &&
+   (errno == ENOENT)) {
+   struct statfs sbuf = {};
+   int ret = fstatfs(old_fd, );
+   if (ret == -1) {
+   int saved_errno = errno;
+   DBG_ERR("fstatfs failed: %s\n",
+   strerror(errno));
+   errno = saved_errno;
+   } else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) {
+   /*
+* When reopening an as-yet
+* unmounted autofs mount
+* point we get ENOENT. We
+* have to retry pathbased.
+*/
+   goto namebased_open;
+   }
+   }
+#endif
status = map_nt_error_from_unix(errno);
fd_close(fsp);
return status;
@@ -1194,6 +1219,7 @@ static NTSTATUS reopen_from_fsp(struct files_struct 
*dirfsp,
return NT_STATUS_OK;
}
 
+namebased_open:
/*
 * Close the existing pathref fd and set the fsp flag
 * is_pathref to false so we get a "normal" fd this time.
diff --git a/source3/wscript b/source3/wscript
index 4048ec5aad5..d8f04646b03 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -118,6 +118,7 @@ def configure(conf):
 
 conf.CHECK_HEADERS('netdb.h')
 conf.CHECK_HEADERS('linux/falloc.h linux/ioctl.h')
+conf.CHECK_HEADERS('linux/magic.h')
 
 conf.CHECK_FUNCS('getcwd fchown chmod fchmod mknod mknodat')
 conf.CHECK_FUNCS('strtol strchr strupr chflags fchflags')
@@ -531,6

[SCM] Samba Shared Repository - branch master updated

2024-06-27 Thread Anoop C S 
The branch, master has been updated
   via  2d743185e0c vfs_ceph: use consistent code style when setting errno
   via  a7d34ec597f vfs_ceph: explicit cast to uint64_t upon failure of 
ceph_statfs
   via  0f92c6055a6 vfs_ceph: adjust code-style of cephwrap_disk_free
   via  691a397b270 vfs_ceph: replace WRAP_RETURN macro with convenience 
helpers
   via  0bc917b01fc vfs_ceph: use talloc in realpath hook
   via  ee72f127c34 vfs_ceph: re-map unimplemented hooks
   via  b7e3f93ef0f vfs_ceph: align lines-length with coding standard
   via  4e21a8b2786 vfs_ceph: improve readability of cephwrap_realpath
  from  3c1691aff55 Extended the documentation for the "tls certfile" 
parameter in the smb.conf.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2d743185e0c6e848f1aaf0395ea8824ac5381086
Author: Shachar Sharon 
Date:   Tue May 28 12:36:14 2024 +0300

vfs_ceph: use consistent code style when setting errno

When setting explicit value to 'errno' use same coding-style as used in
this entire module (spaces before and after assignment operator).

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Thu Jun 27 06:35:19 UTC 2024 on atb-devel-224

commit a7d34ec597fe810090d28bfda636b7450ecb06e5
Author: Shachar Sharon 
Date:   Thu May 30 11:02:37 2024 +0300

vfs_ceph: explicit cast to uint64_t upon failure of ceph_statfs

When a call to 'ceph_statfs' from with 'cephwrap_disk_free' returns
non-zero status do an explicit cast to uint64_t for the negative (-1)
value returned by 'status_code'.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit 0f92c6055a6257f5bcbf3f27b21536f9d023cdfa
Author: Shachar Sharon 
Date:   Mon May 27 12:30:44 2024 +0300

vfs_ceph: adjust code-style of cephwrap_disk_free

The common convention in 'vfs_ceph.c' module is to bailout (by return or
goto) whenever the return value from libcephfs call is not OK. Apply
this code-style to cephwrap_disk_free hook.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit 691a397b2707f2924e3f6910c9c574e01d811a97
Author: Shachar Sharon 
Date:   Thu May 23 17:15:40 2024 +0300

vfs_ceph: replace WRAP_RETURN macro with convenience helpers

The WRAP_RETURN is a non-hygienic macro, and as such has the potential
of creating bogus code (e.g. 'return WRAP_RETURN(ret);' which existed
in the code in the past but did not yield any compiler warning). Prefer
simple convenience helper functions instead, which are also type safe.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit 0bc917b01fcf3b6a22b60c1bb57b379b1374a216
Author: Shachar Sharon 
Date:   Wed May 22 16:28:32 2024 +0300

vfs_ceph: use talloc in realpath hook

Prefer talloc_asprintf over asprintf when resolving realpath.
Re-format code using 'git clang-format'.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit ee72f127c34f27ca496243631b2e7141de2bd59d
Author: Shachar Sharon 
Date:   Wed May 22 16:11:57 2024 +0300

vfs_ceph: re-map unimplemented hooks

Code cleanup: prefer standard convenience helpers for unimplemented
VFS hooks.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit b7e3f93ef0f17a5c85385f2e5a333fcf965766b5
Author: Shachar Sharon 
Date:   Sun May 26 16:24:06 2024 +0300

vfs_ceph: align lines-length with coding standard

Coding standard requires following Linux kernel style guide, with an
explicit statement that "Maximum Line Width is 80 Characters". Align
vfs_ceph.c with this convention: split long lines into multiple lines
and use 'git clang-format' to do auto-formatting based on Samba project
'.clang-format' settings.

Signed-off-by: Shachar Sharon 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 
Reviewed-by: Ralph Boehme 
Reviewed-by: Guenther Deschner 
Reviewed-by: Anoop C S 

commit

[SCM] Samba Shared Repository - branch master updated

2024-06-26 Thread Douglas Bagnall 
The branch, master has been updated
   via  3c1691aff55 Extended the documentation for the "tls certfile" 
parameter in the smb.conf.
   via  f9215b37544 third_party/heimdal: Import 
lorikeet-heimdal-202406270253 (commit cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)
   via  fe90576871b third_party/heimdal: Import 
lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
   via  c5ee0b60b20 tests/krb5: Add tests for errors produced when logging 
in with unusable accounts
   via  6dc6168719c tests/krb5: Allow creation of disabled accounts for 
testing
  from  415f9f07456 ctdb-failover: Split statd_callout add-client/del-client

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3c1691aff55518b8f361e43d2c80f40d896df1d7
Author: Oliver Mihatsch 
Date:   Thu Jun 13 12:16:05 2024 +0200

Extended the documentation for the "tls certfile" parameter in the smb.conf.

Signed-off-by: Oliver Mihatsch 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Thu Jun 27 05:33:17 UTC 2024 on atb-devel-224

commit f9215b37544610d68eb070fd85225c4b615c8687
Author: Jo Sutton 
Date:   Thu Jun 27 14:59:43 2024 +1200

third_party/heimdal: Import lorikeet-heimdal-202406270253 (commit 
cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 

commit fe90576871b5d644b9e888fd7a0b0351feaba750
Author: Jo Sutton 
Date:   Wed Jun 12 14:42:38 2024 +1200

third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 
4315286377278234be2f3b6d52225a17b6116d54)

This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 

commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f
Author: Jo Sutton 
Date:   Thu Jun 27 12:29:52 2024 +1200

tests/krb5: Add tests for errors produced when logging in with unusable 
accounts

Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 

commit 6dc6168719cf232ac2c1d747f10aad9b13300c02
Author: Jo Sutton 
Date:   Tue Jun 25 12:51:48 2024 +1200

tests/krb5: Allow creation of disabled accounts for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 docs-xml/smbdotconf/security/tlscertfile.xml   |   3 +-
 python/samba/tests/krb5/kdc_base_test.py   |   9 +-
 python/samba/tests/krb5/lockout_tests.py   | 210 -
 selftest/knownfail_mit_kdc |   5 +
 third_party/heimdal/ChangeLog.2005 |   2 +-
 third_party/heimdal/ChangeLog.2006 |   4 +-
 third_party/heimdal/ChangeLog.2007 |   2 +-
 third_party/heimdal/appl/dceutils/dfspag.exp   |   2 +-
 third_party/heimdal/appl/dceutils/dpagaix.c|   2 +-
 third_party/heimdal/cf/largefile.m4|   2 +-
 third_party/heimdal/doc/setup.texi |   4 +-
 third_party/heimdal/kadmin/ext.c   |   4 +-
 third_party/heimdal/kdc/default_config.c   |  21 +--
 third_party/heimdal/kdc/fast.c |  13 +-
 third_party/heimdal/kdc/kerberos5.c|   3 +
 third_party/heimdal/kdc/process.c  |   4 +-
 third_party/heimdal/lib/asn1/ChangeLog |   2 +-
 third_party/heimdal/lib/base/heimbase.h|   4 +-
 third_party/heimdal/lib/gssapi/krb5/display_name.c |   8 +-
 .../lib/gssapi/mech/gss_accept_sec_context.c   |   6 +-
 .../heimdal/lib/gssapi/mech/gss_compare_name.c |   2 +-
 third_party/heimdal/lib/gssapi/oid.txt |   2 +-
 .../heimdal/lib/hcrypto/libtommath/doc/bn.tex  |   4 +-
 third_party/heimdal/lib/hx509/ChangeLog|   2 +-
 third_party/heimdal/lib/kadm5/ChangeLog|   2 +-
 third_party/heimdal/lib/kafs/ChangeLog |   4 +-
 third_party/heimdal/lib/kdfs/k5dfspag.c|   2 +-
 third_party/heimdal/lib/krb5/acache.c  |   2 +-
 third_party/heimdal/lib/krb5/addr_families.c   |   4 +-
 third_party/heimdal/lib/krb5/context.c |  12 +-
 third_party/heimdal/lib/krb5/dcache.c  |   2 +-
 third_party/heimdal/lib/krb5/doxygen.c |   6 +-
 third_party/heimdal/lib/krb5/fcache.c  |   2 +-

[SCM] Samba Shared Repository - branch master updated

2024-06-24 Thread Martin Schwenke 
The branch, master has been updated
   via  415f9f07456 ctdb-failover: Split statd_callout add-client/del-client
   via  089aec2885f ctdb-doc: Drop unnecessary, broken attempt at rpc.statd 
stack trace
   via  707e0ef55b8 ctdb-scripts: Fail monitoring after 1 x NFS-Ganesha not 
running
   via  4766d4568bf ctdb-doc: Add example for NFS-Ganesha RPC checking
   via  d96078e263e ctdb-scripts: Implement NFS statistics retrieval for 
NFS-Ganesha
   via  5b7d17d44d9 ctdb-scripts: Add service_stats_command variable to NFS 
checks
  from  d86f9ff7fdd smbd: Simplify callers of notify_filter_string

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 415f9f07456e3fd24063e7508d8b2553df020c21
Author: Martin Schwenke 
Date:   Fri May 10 11:42:26 2024 +1000

ctdb-failover: Split statd_callout add-client/del-client

rpc.statd is single-threaded and runs its HA callout synchronously. If
it is too slow then latency accumulates and rpc.statd's backlog grows.

Running a pair of add-client/del-client events with the current code
averages ~0.030s in my test environment.  This mean that 1000 clients
reclaiming locks after failover can easily cause 10s of latency.  This
could cause rpc.statd to become unresponsive, resulting in a time out
for an rpcinfo-based health check of the status service.

Split the add-client/del-client events out to a standalone
statd_callout executable, written in C, to be used as the HA callout
for rpc.statd.  All other functions move to statd_callout_helper.
Now, running a pair of add-client/del-client events in my test
environment averages only ~0.002s.  This seems less likely to cause
latency problems.

The standalone statd_callout executable needs to read a configuration
file, which is generated by statd_callout_helper from the "startup"
event.  It also needs access to a list of currently assigned public
IPs.

For backward compatibility, during installation a symlink is created
from $CTDB_BASE/statd-callout to the new statd_callout, which is
installed in the helper directory.

Testing this as part of the eventscript unit tests starts to become
even more of a hack than it used to be.  However, the dependency on
stubs and the corresponding setup of fake state makes it hard to move
this elsewhere.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Tue Jun 25 04:24:57 UTC 2024 on atb-devel-224

commit 089aec2885fecce4fa202ccc402688c394774dc9
Author: Martin Schwenke 
Date:   Mon Mar 4 14:29:41 2024 +1100

ctdb-doc: Drop unnecessary, broken attempt at rpc.statd stack trace

There is a typo here, since there will be no process called "status".
Instead of fixing it, drop this because rpc.statd isn't the focus of
this monitoring check and when systemd is init rpc.statd isn't
restarted with nfs-ganesha.  It stays running, so a confusing stack
trace for rpc.statd is always logged.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 707e0ef55b89e328cadd0f4ac3ad33a83039e287
Author: Martin Schwenke 
Date:   Fri May 24 11:55:59 2024 +1000

ctdb-scripts: Fail monitoring after 1 x NFS-Ganesha not running

If ganesha.nfsd is gone then a node can't provide an NFS service, so
should be marked unhealthy.  A later restart may bring it back to
health.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 4766d4568bf45d74cbf8d41f9853d0afef3e4c45
Author: Martin Schwenke 
Date:   Mon Mar 4 14:28:11 2024 +1100

ctdb-doc: Add example for NFS-Ganesha RPC checking

This one does an rpcinfo check, along with statistics mitigation.  It
can be used in combination with the existing 20.nfs_ganesha.check.

The equivalent kernel NFS file only restarts every 10 failures.  This
one can be a little more proactive given that false positives are less
likely with the statistics mitigation.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit d96078e263ebc3119d646ddf154582351052c5b0
Author: Martin Schwenke 
Date:   Mon Mar 4 13:52:10 2024 +1100

ctdb-scripts: Implement NFS statistics retrieval for NFS-Ganesha

Simplicity is preferred here over absolute correctness.  If the
ganesha_stats command exits with an error or times out then no output
is produced so, implicitly, the statistics do not change.  Also, the
statistics always change at startup.  However, it is likely that the
statistics change when NFS makes progress and do not change when NFS
does not make progress.

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

commit 5b7d17d44d9abdf2f3e15b225bd53b6d21ac41dd
Author: Martin Schwenke 
Date:

[SCM] Samba Shared Repository - branch master updated

2024-06-24 Thread Jeremy Allison 
The branch, master has been updated
   via  d86f9ff7fdd smbd: Simplify callers of notify_filter_string
   via  a37ea9d750e smbd: Simplify notify_filter_string
   via  6e7a1cc6467 smbd: Modernize a DEBUG
   via  6d0444a7bfb lib: Align an integer type
   via  fc0c605aac6 smbd: Simplify smbd_do_qfilepathinfo()
   via  4af84350bd2 lib: Avoid an includes.h
   via  1b47fae676b lib: Move 286 bytes from R/W data to R/O text segment
   via  3f2e45aa163 tdb: Update times in tdb_transaction_commit per fd, not 
per name
   via  06aff34586d smbd: Fix DEBUG messages
   via  1cea29c3987 credentials: Protect the cred's nt hash with 
talloc_keep_secret
   via  3c84a84fff1 spnego: Fix typos
   via  2b06123a9b6 gensec: Fix whitespace
   via  9be7dbd9c47 gse: Simplify gse_errstr() with talloc_asprintf_addbuf()
   via  221ef3ca865 gse: Avoid explicit ZERO_STRUCT in gse_errstr()
   via  7fba822817a libsmb: "clang-format" for an if-condition
   via  7f935e27749 lib: Remove pointless \ line endings
   via  4f64e455f6f tdb: Fix a typo
   via  f3934fb9d09 heimdal_build: Fix whitespace
   via  8a7aad7fe0f torture4: Fix some whitespace
  from  cfb81b0c313 packaging: Add missing quotes in smbprint

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d86f9ff7fdd042b76cf03cd84668c98391652f5e
Author: Volker Lendecke 
Date:   Thu Jun 20 20:25:24 2024 +0200

smbd: Simplify callers of notify_filter_string

This is exactly the application talloc_tos() was made for

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Jun 24 17:27:04 UTC 2024 on atb-devel-224

commit a37ea9d750e1fcfc9e87ab747776bcc9cd70d568
Author: Volker Lendecke 
Date:   Thu Jun 20 20:19:52 2024 +0200

smbd: Simplify notify_filter_string

Just a single NULL check through talloc_asprintf_addbuf

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6e7a1cc646786a51cedbdb971bf7b17b34eff652
Author: Volker Lendecke 
Date:   Thu Jun 20 20:06:44 2024 +0200

smbd: Modernize a DEBUG

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6d0444a7bfbf25241d7a7045b9ba9290fbc98c5f
Author: Volker Lendecke 
Date:   Mon Jun 17 12:45:32 2024 +0200

lib: Align an integer type

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit fc0c605aac64a4ec41b74ccfbb035075910268e3
Author: Volker Lendecke 
Date:   Mon Jun 17 15:24:57 2024 +0200

smbd: Simplify smbd_do_qfilepathinfo()

Use fsctl_get_reparse_tag()

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 4af84350bd2ca3177f4153229565892383c8992c
Author: Volker Lendecke 
Date:   Mon Jun 10 14:32:27 2024 +0200

lib: Avoid an includes.h

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 1b47fae676b59d99e601e208ad365c152bd1e970
Author: Volker Lendecke 
Date:   Mon Jun 10 16:08:04 2024 +0200

lib: Move 286 bytes from R/W data to R/O text segment

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3f2e45aa163bfb7c0b3c459f82d2677a9cd8a443
Author: Volker Lendecke 
Date:   Fri Jun 14 17:48:52 2024 +0200

tdb: Update times in tdb_transaction_commit per fd, not per name

We might have a relative filename in tdb->name, so we might do the
wrong thing here. And as we have the fd, why not use it...

We call futimens in vfs_default without #ifdef and it's Posix 2018 or
before. So I don't think we need to check for it.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 06aff34586d154cb183235c8775a59798b329b6c
Author: Volker Lendecke 
Date:   Fri Jun 14 18:28:10 2024 +0200

smbd: Fix DEBUG messages

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 1cea29c39874ec0c04b95966cb0889cee475f26c
Author: Volker Lendecke 
Date:   Fri May 24 17:16:14 2024 +0200

credentials: Protect the cred's nt hash with talloc_keep_secret

This avoids the need for an explict ZERO_STRUCT before TALLOC_FREE

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3c84a84fff15500b6bbbfbbf29d2114bc3c7fed4
Author: Volker Lendecke 
Date:   Thu May 30 14:06:39 2024 +0200

spnego: Fix typos

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 2b06123a9b64f9a8b5015f107cb082ac12807fa0
Author: Volker Lendecke 
Date:   Thu May 30 14:04:51 2024 +0200

gensec: Fix whitespace

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 9be7dbd9c470493dfceb3647ac57cb42d78749b5
Author: Volker Lendecke 
Date:   Wed May 29 17:27:11 2024 +0200

gse: Simplify gse_errstr() with talloc_asprintf_addbuf()

Signed-off-by: Volker

[SCM] Samba Shared Repository - branch master updated

2024-06-24 Thread Andreas Schneider 
The branch, master has been updated
   via  cfb81b0c313 packaging: Add missing quotes in smbprint
   via  b57bddacd76 s3:registry: Add missing return value checks
   via  8c4f807350d s3:registry: Avoid possible double frees
   via  10b95ff4368 s3:registry: Remove trailing spaces in reg_perfcount.c
   via  3cb4073cd0e s4:dsdb: Avoid possible underflows with new_len
   via  44db391ae1c s4:dsdb: Remove trailing spaces in schema_query.c
   via  94c06dd1890 s4:torture: Initialize struct wrepl_wins_name
   via  5d568f6e613 s4:torture: Remove trailing spaces in winsreplication.c
   via  067a30c5273 s3:utils: Fix get_window_height() return value
   via  a0b6d18a254 s3:rpc_server: Make sure struct security_ace is 
initialized
   via  c709cb8a17c s3:lib: Make sure struct security_ace is fully 
initialized
   via  d6a7a97bc23 s3:lib: Remove trailing spaces in sharesec.c
   via  36fb8a3d654 nsswitch:krb5_plugin: Avoid a possible double free
  from  5b40cdf6e88 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cfb81b0c3138d6cb89cd88ce494c60acd7c2cc7f
Author: Andreas Schneider 
Date:   Wed Jun 19 11:50:26 2024 +0200

packaging: Add missing quotes in smbprint

Found by Covscan.

"Error: SHELLCHECK_WARNING (CWE-569):
/usr/bin/smbprint:49:21: warning[SC1083]: This } is literal. Check 
expression (missing ;/\n?) or quote it.
   47|   #   Concat this with /.config to get the config file.
   48|   #
   49|-> eval acct_file=\${$#}
   50|   spool_dir=$(dirname $acct_file)
   51|   config_file=$spool_dir/.config"

Signed-off-by: Andreas Schneider 
Reviewed-by: Signed-off-by: Martin Schwenke 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Mon Jun 24 07:14:54 UTC 2024 on atb-devel-224

commit b57bddacd765c48f3f427095ba4a474dbaf51c23
Author: Andreas Schneider 
Date:   Wed Jun 19 11:47:41 2024 +0200

s3:registry: Add missing return value checks

Signed-off-by: Andreas Schneider 
Reviewed-by: Signed-off-by: Martin Schwenke 

commit 8c4f807350d6815582019bb0c52358e7db43ea24
Author: Andreas Schneider 
Date:   Wed Jun 19 11:46:15 2024 +0200

s3:registry: Avoid possible double frees

Found by Covscan.

"Error: USE_AFTER_FREE (CWE-416):
samba-4.20.0rc2/source3/registry/reg_perfcount.c:309: freed_arg: 
""_reg_perfcount_multi_sz_from_tdb"" frees ""*retbuf"".
samba-4.20.0rc2/source3/registry/reg_perfcount.c:313: double_free: Calling 
""_reg_perfcount_multi_sz_from_tdb"" frees pointer ""*retbuf"" which has 
already been freed.
  311|  for(i = 1; i <= base_index; i++)
  312|  {
  313|->buffer_size = _reg_perfcount_multi_sz_from_tdb(names, 
i*2, retbuf, buffer_size);
  314|  }
  315|  tdb_close(names);"

Signed-off-by: Andreas Schneider 
Reviewed-by: Signed-off-by: Martin Schwenke 

commit 10b95ff436866e484755fc2c5189263394029a29
Author: Andreas Schneider 
Date:   Wed Jun 19 11:45:01 2024 +0200

s3:registry: Remove trailing spaces in reg_perfcount.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Signed-off-by: Martin Schwenke 

commit 3cb4073cd0e24c8082d71d569a67a344af0f8cba
Author: Andreas Schneider 
Date:   Wed Jun 19 11:33:00 2024 +0200

s4:dsdb: Avoid possible underflows with new_len

Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: 
tainted_data_argument: The check ""i < new_len"" contains the tainted 
expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The 
expression ""new_len - i"" is deemed underflowed because at least one of its 
arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The 
expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one 
of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: 
""(new_len - i) * 8UL"", which might have underflowed, is passed to 
""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code 
implementation of the function has been overridden by a builtin model.]
  405|  const char **val2 = _list[i];
  406|  if (ldb_attr_cmp(*val1, *val2) == 0) {
  407|->memmove(val1, val2, (new_len - i) * 
sizeof( *attr_list));
  408|  attr_list[new_len-1] = NULL;
  409|  new_len--;"

Signed-off-by: Andreas Schneider 
Reviewed-by: Signed-off-by: Martin Schwenke 

commit 44db391ae1cb52b13769d4a0dc27dec90618c7ce
Author: Andreas

[Announce] Samba 4.20.2 Available for Download

2024-06-19 Thread Jule Anger via samba-announce 

Release Announcements
-

This is the latest stable release of the Samba 4.20 release series.


Changes since 4.20.1


o  Jeremy Allison 
   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.

o  Douglas Bagnall 
   * BUG 13213: Samba build is not reproducible.
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive 
compare

 function.
   * BUG 15625: Many qsort() comparison functions are non-transitive, 
which can

 lead to out-of-bounds access in some circumstances.

o  Andrew Bartlett 
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to 
avoid CI

 bill.
   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
 revision arguments to ./configure to allow distributions and 
packagers to
 put their name in the Samba version string so that when debugging 
Samba the

 source of the binary is obvious.

o  Günther Deschner 
   * BUG 15665: CTDB RADOS mutex helper misses namespace support.

o  Stefan Metzmacher 
   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
 SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed 
(similar to

 Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so 
winbindd

 can't use nmb requests instead cldap.
   * BUG 15642: winbindd, net ads join and other things don't work on 
an ipv6

 only host.
   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
 machine account.

o  Noel Power 
   * BUG 15435: Regression DFS not working with widelinks = true.

o  Andreas Schneider 
   * BUG 15633: samba-gpupdate - Invalid NtVer in 
netlogon_samlogon_response.
   * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case 
of trusted

 domain lookups.
   * BUG 15660: The images don't build after the git security release 
and CentOS

 8 Stream is EOL.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.20.2.html

If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID 
4793916113084025).

The ldb source code can be downloaded from:

https://download.samba.org/pub/ldb/ldb-2.9.1.tar.gz


Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team

[SCM] Samba Shared Repository - branch v4-20-stable updated

2024-06-19 Thread Jule Anger 
The branch, v4-20-stable has been updated
   via  569d541c9bb VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.
   via  55cd97dfef1 WHATSNEW: Add release notes for Samba 4.20.2.
   via  3dd39600da3 BUG 15569 ldb: Release LDB 2.9.1
   via  fc318c63e55 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts
   via  212b014679f auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()
   via  46ebf66fe96 auth/credentials: add 
cli_credentials_get_kerberos_state_obtained() helper
   via  cccd9c95c8b testprogs/blackbox: add test_ldap_token.sh to test 
"client use kerberos" and --use-kerberos
   via  694605f52a4 testprogs/blackbox: let test_trust_token.sh check for 
S-1-18-1 with kerberos
   via  7d69ec93e31 vfs_recycle: remember resolved config->repository in 
vfs_recycle_connect()
   via  f464a85c129 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()"
   via  64d7108cddb vfs_recycle: fix memory hierarchy
   via  4bb5f8a92aa vfs_recycle: use the correct return in 
SMB_VFS_HANDLE_GET_DATA()
   via  a5d5d83c492 vfs_recycle: use a talloc_stackframe() in 
recycle_unlink_internal()
   via  69b9c140527 vfs_recycle: directly allocate 
smb_fname_final->base_name
   via  db098ff1aad vfs_recycle: don't unlink on allocation failure
   via  cf22968a8a1 TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()
   via  7d277c424fc test_recycle.sh: make sure we don't see panics on the 
log files
   via  b3ce5a86489 vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send
   via  d7e0b5933fa s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
   via  5b90acbef15 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share
   via  4b4b0152fd7 selftest: Add a python blackbox test for some misc 
(widelink) DFS tests
   via  dceb2e56b63 script/autobuild.py: Add test for --vendor-name and 
--vendor-patch-revision
   via  5d593a735d3 build: Add --vendor-name --vendor-patch-revision 
options to ./configure
   via  f46faceae1f ctdb/docs: Include ceph rados namespace support in man 
page
   via  9110627bc24 ctdb/ceph: Add optional namespace support for mutex 
helper
   via  df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored
   via  89817ed2165 s4:dns_server: correctly sign dns update responses with 
gss-tsig like Windows
   via  fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on 
error
   via  f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the 
answers section if it's the last section
   via  3b36f447040 s4:dns_server: use tkey->algorithm if available in 
dns_sign_tsig()
   via  299818567ea s4:dns_server: use the client provided algorithm for 
the fake TSIG structure
   via  7ddd758da50 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TSIG
   via  6e395cabf38 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TKEY
   via  ed8ef00c297 s4:dns_server: failed dns updates should result in 
REFUSED for ACCESS_DENIED
   via  a7f3293ddf7 python:tests/dns_tkey: add 
test_update_tsig_record_access_denied()
   via  9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to 
samba.tests.dns_tkey
   via  5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
   via  ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() 
actually pass against windows 2022
   via  bda80382eb5 python:tests/dns_base: let verify_packet() work against 
Windows
   via  fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig 
algorithms
   via  7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig 
updates
   via  6438249cf1e python:tests/dns_tkey: let us have 
test_update_gss_tsig_tkey_req_{additional,answers}()
   via  501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, 
gss.microsoft.com and invalid algorithms
   via  c7a936ecd27 python:tests/dns_base: maintain a dict with tkey 
related state
   via  da7c313740d python:tests/dns_base: let dns_transaction_udp() take 
allow_{remaining,truncated}=True
   via  85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
   via  e58fe908371 python:tests/dns_base: let tkey_trans() take 
tkey_req_in_answers
   via  12d4e452410 python:tests/dns_base: let tkey_trans() and 
sign_packet() take algorithm_name as argument
   via  9cfc2e24331 python:tests/dns_tkey: make use of 
self.assert_echoed_dns_error()
   via  f7f0518b46a python:tests/dns_base: add 
self.assert_echoed_dns_error()
   via  c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle 
short receives
   via  3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and 
ndr_pack() in verify_packet()
   via  19fc5bb6b9d python:tests/dns_base:

[SCM] Samba Website Repository - branch master updated

2024-06-19 Thread Jule Anger 
The branch, master has been updated
   via  4257c72 NEWS[4.20.2]: Samba 4.20.2 Available for Download
  from  19e1100 NEWS[4.19.7]: Samba 4.19.7 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 4257c7205fcf9e2af4eb3ef6b84326bd2de2759c
Author: Jule Anger 
Date:   Wed Jun 19 16:32:01 2024 +0200

NEWS[4.20.2]: Samba 4.20.2 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.20.2.html| 82 
 posted_news/20240619-143251.4.20.2.body.html | 13 
 posted_news/20240619-143251.4.20.2.headline.html |  3 +
 4 files changed, 99 insertions(+)
 create mode 100644 history/samba-4.20.2.html
 create mode 100644 posted_news/20240619-143251.4.20.2.body.html
 create mode 100644 posted_news/20240619-143251.4.20.2.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 7ddf607..3e20311 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
Release Notes


+   samba-4.20.2
samba-4.20.1
samba-4.20.0
samba-4.19.7.
diff --git a/history/samba-4.20.2.html b/history/samba-4.20.2.html
new file mode 100644
index 000..17d71e7
--- /dev/null
+++ b/history/samba-4.20.2.html
@@ -0,0 +1,82 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.20.2 - Release Notes
+
+
+Samba 4.20.2 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.20.2.tar.gz;>Samba 
4.20.2 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.20.2.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.20.1-4.20.2.diffs.gz;>Patch
 (gzipped) against Samba 4.20.1
+https://download.samba.org/pub/samba/patches/samba-4.20.1-4.20.2.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.20.2
+   June 19, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.1
+
+
+o  Jeremy Allison j...@samba.org
+   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
+
+o  Douglas Bagnall douglas.bagn...@catalyst.net.nz
+   * BUG 13213: Samba build is not reproducible.
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function.
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances.
+
+o  Andrew Bartlett abart...@samba.org
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
+ revision arguments to ./configure to allow distributions and packagers to
+ put their name in the Samba version string so that when debugging Samba 
the
+ source of the binary is obvious.
+
+o  Gnther Deschner g...@samba.org
+   * BUG 15665: CTDB RADOS mutex helper misses namespace support.
+
+o  Stefan Metzmacher me...@samba.org
+   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so 
winbindd
+ cant use nmb requests instead cldap.
+   * BUG 15642: winbindd, net ads join and other things dont work on an 
ipv6
+ only host.
+   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
+   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
+   * BUG 15666: client use kerberos and --use-kerberos is ignored 
for the
+ machine account.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15435: Regression DFS not working with widelinks = true.
+
+o  Andreas Schneider a...@samba.org
+   * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
+   * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of 
trusted
+ domain lookups.
+   * BUG 15660: The images dont build after the git security release and 
CentOS
+ 8 Stream is EOL.
+
+
+
+
+
+
diff --git a/posted_news/20240619-143251.4.20.2.body.html 
b/posted_news/20240619-143251.4.20.2.body.html
new file mode 100644
index 000..361910e
--- /dev/null
+++

[SCM] Samba Shared Repository - annotated tag samba-4.20.2 created

2024-06-19 Thread Jule Anger 
The annotated tag, samba-4.20.2 has been created
at  014c6d8292108ac7b3ac76d80ac9bc9fd75e9229 (tag)
   tagging  569d541c9bb5110d113da3ccdeaeb98ca16eec5c (commit)
  replaces  ldb-2.9.1
 tagged by  Jule Anger
on  Wed Jun 19 16:31:39 2024 +0200

- Log -
samba: tag release samba-4.20.2
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmZy68sACgkQqplEL7aA
tiCOOA//fduBYEvDyRu7A8XBZ+lClFKVa3dGIG+YbDUkHIGx1z2c8SDg4EbsGIuK
/9nIic1sd5GSx5fLImuaQshYOOdObhWwG1XBPciU3lXVr60+tuB1wlddQhCh67Lh
eG10csBT10N5sc/uy6yOqYK059ZZAnHPH8VimtNJpJzThAuVUtXl+DpbgqF7pr5P
tUZl83/hkBjq44boysoIC8lVZ66QPD/iNnqnzgxMk+d+uENp8dCF9Oi+uK1D2d9R
BBMvpQtfZmo+HntiW/5EUg6hSFizdU05t9uVaHpfMVGN3MZ6ASGCx+grYxeW5wkL
NOXUaA31F9j10GWEDKsdyw2BrOo62eYZHcQK9JV02qVp9PKXSw9nefy8/TjzrsPL
cmQCwkL6p8b2s7rWJllq5mUrfXDeT5lWZZd5Neur+Avz9zhe3liAIBzWNaX8XMKx
0ghv02egwcyxNcZrYSpCXFp6iFvlsPWK/0b10+cnkixcaKT/WZ28v7fpwZ8QmbsI
EgOa4epRTCeHVoxzFXkrtuXbINsz/SYYFFjVRLhItuxHDtdZll49ACDPFnAX3dn/
yTPELo5XNXf3VuNXAqZoKwJQQAwOUQkH7ECR/n5TV0bbDezsafb91gp4pckV662R
N9lIkmhaicVspLRiyCbXM3RJ8G5RKy2BoDG5ILHEZm2UchygJbQ=
=aE4l
-END PGP SIGNATURE-

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.20.2.
  VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.

---


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-19 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  eeae9fe4b01 VERSION: Bump version up to Samba 4.20.3...
   via  569d541c9bb VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.
   via  55cd97dfef1 WHATSNEW: Add release notes for Samba 4.20.2.
   via  3dd39600da3 BUG 15569 ldb: Release LDB 2.9.1
  from  fc318c63e55 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit eeae9fe4b013c86f15bb59f4c21bcb03403b75fb
Author: Jule Anger 
Date:   Wed Jun 19 16:13:52 2024 +0200

VERSION: Bump version up to Samba 4.20.3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 569d541c9bb5110d113da3ccdeaeb98ca16eec5c
Author: Jule Anger 
Date:   Wed Jun 19 16:13:12 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.20.2 release.

Signed-off-by: Jule Anger 

commit 55cd97dfef1d3caddb2815f12eae9f33c0c6d10d
Author: Jule Anger 
Date:   Wed Jun 19 16:11:53 2024 +0200

WHATSNEW: Add release notes for Samba 4.20.2.

Signed-off-by: Jule Anger 

commit 3dd39600da3c0bedeae9f033c1333eb6b0f4ff33
Author: Jule Anger 
Date:   Wed Jun 19 16:07:51 2024 +0200

BUG 15569 ldb: Release LDB 2.9.1

* BUG 15569: Many qsort() comparison functions are non-transitive, which
  can lead to out-of-bounds access in some circumstances.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION|  2 +-
 WHATSNEW.txt   | 86 +-
 lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs} |  0
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} |  0
 lib/ldb/wscript|  2 +-
 5 files changed, 86 insertions(+), 4 deletions(-)
 copy lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.9.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.9.1.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index e279f2933b8..4cb90cc5643 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8249e9326f9..fb964d7a6f4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,86 @@
+   ==
+   Release Notes for Samba 4.20.2
+   June 19, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.1
+
+
+o  Jeremy Allison 
+   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
+
+o  Douglas Bagnall 
+   * BUG 13213: Samba build is not reproducible.
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function.
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances.
+
+o  Andrew Bartlett 
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
+ revision arguments to ./configure to allow distributions and packagers to
+ put their name in the Samba version string so that when debugging Samba 
the
+ source of the binary is obvious.
+
+o  Günther Deschner 
+   * BUG 15665: CTDB RADOS mutex helper misses namespace support.
+
+o  Stefan Metzmacher 
+   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so 
winbindd
+ can't use nmb requests instead cldap.
+   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
+ only host.
+   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
+   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
+   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
+ machine account.
+
+o  Noel Power 
+   * BUG 15435: Regression DFS not working with widelinks = true.
+
+o  Andreas Schneider 
+   * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
+   * BUG 15653:

[SCM] Samba Shared Repository - annotated tag ldb-2.9.1 created

2024-06-19 Thread Jule Anger 
The annotated tag, ldb-2.9.1 has been created
at  2e3dd126db9e838111631315974785e95d88ceb5 (tag)
   tagging  3dd39600da3c0bedeae9f033c1333eb6b0f4ff33 (commit)
  replaces  samba-4.20.1
 tagged by  Jule Anger
on  Wed Jun 19 16:27:02 2024 +0200

- Log -
ldb: tag release ldb-2.9.1
-BEGIN PGP SIGNATURE-

iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmZy6rYACgkQR5ORYRMI
QCVCHAgAgyck8/vg928tsREA62mDVyuyJDUPVooaDJ7vEMRyG44czXbNA4QnAGsh
NMfmKbJWc2TfGpMbj60mgFWVFHHb7/KF+kAdrMAU6uKNjSlGzPAq3TFDpgPMDxW0
lm4rfm75SlDBh4hEOwYE5gnh+5mlHcf5Vmgl6CoOjePg70qgFevLEi6rWV85ZDuE
33PSidVprZ17m4faP4eqs0j5aHhEA/COo6vP9MeumgjwElWuvuvsVadxeEdi1jeR
hyGrbLTclWQtjaY/NqZAN3qcj8ECxW2GMRWHYeb35Hsv0wW6bAv24PmDAAK7dB2w
5nGW2HMvmik2/7xIoEHW0oZQIX4oUg==
=1NWc
-END PGP SIGNATURE-

Andreas Schneider (10):
  python: Fix NtVer check for site_dn_for_machine()
  s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
  s3:libads: Do not fail if we don't get an IP passed down
  s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
  bootstrap: Fix runner tags
  bootstrap: Set git safe.directory
  bootstrap: Fix building CentOS 8 Stream container images
  gitlab-ci: Set git safe.directory for devel repo
  third_party: Update uid_wrapper to version 1.3.1
  third_party: Update socket_wrapper to version 1.4.3

Andrew Bartlett (3):
  .gitlab-ci: Remove tags no longer provided by gitlab.com
  build: Add --vendor-name --vendor-patch-revision options to ./configure
  script/autobuild.py: Add test for --vendor-name and 
--vendor-patch-revision

Douglas Bagnall (69):
  pidl:Typelist: resolveType(): don't mistake a reference for a name
  buildtools:pidl: avoid hash randomisation in pidl
  examples:winexe: reproducible builds with zero timestamp
  examples:winexe: embed Samba version as exe timestamp
  ldb: avoid out of bounds read and write in ldb_qsort()
  lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
  util:tsort.h: add a macro for safely comparing numbers
  ldb: add NUMERIC_CMP macro to ldb.h
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
  s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
  s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
  s4: use numeric_cmp in dns_common_sort_zones()
  util:binsearch: user NUMERIC_CMP()
  torture:charset: use < and > assertions for strcasecmp_m
  torture:charset: use < and > assertions for strncasecmp_m
  torture:charset: test more of strcasecmp_m
  util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
  util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
  util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
  util:charset:codepoints: codepoint_cmpi warning about non-transitivity
  s3:libsmb:namequery: note intransitivity in addr_compare()
  s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
  lib/torture: add assert_int_{less,greater} macros
  util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
  ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
  ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
  util:datablob: avoid non-transitive comparison in data_blob_cmp()
  ldb: avoid non-transitive comparison in ldb_val_cmp()
  ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
  s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
  s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
  s4:dns_server: use NUMERIC_CMP in rec_cmp()
  s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
  s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
  s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
  s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
  s3:smbcacls: use NUMERIC_CMP in ace_compare
  s3:util:sharesec ace_compare() uses NUMERIC_CMP()
  s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
  ldb:mod:sort: rearrange NULL checks
  ldb:sort: check that elements have values
  ldb:sort: generalise both-NULL check to equality check
  ldb:dn: make ldb_dn_compare() self-consistent
  s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
  s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
  s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
  dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
  s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
  gensec: sort_gensec uses NUMERIC_CMP
  lib/socket: rearrange iface_comp() to use NUMERIC_CMP
  s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
  s4:rpcsrv:dnsserver: make dns_name_compare transitive with

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-19 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  fc318c63e55 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts
   via  212b014679f auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()
   via  46ebf66fe96 auth/credentials: add 
cli_credentials_get_kerberos_state_obtained() helper
   via  cccd9c95c8b testprogs/blackbox: add test_ldap_token.sh to test 
"client use kerberos" and --use-kerberos
   via  694605f52a4 testprogs/blackbox: let test_trust_token.sh check for 
S-1-18-1 with kerberos
   via  7d69ec93e31 vfs_recycle: remember resolved config->repository in 
vfs_recycle_connect()
   via  f464a85c129 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()"
   via  64d7108cddb vfs_recycle: fix memory hierarchy
   via  4bb5f8a92aa vfs_recycle: use the correct return in 
SMB_VFS_HANDLE_GET_DATA()
   via  a5d5d83c492 vfs_recycle: use a talloc_stackframe() in 
recycle_unlink_internal()
   via  69b9c140527 vfs_recycle: directly allocate 
smb_fname_final->base_name
   via  db098ff1aad vfs_recycle: don't unlink on allocation failure
   via  cf22968a8a1 TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()
   via  7d277c424fc test_recycle.sh: make sure we don't see panics on the 
log files
   via  b3ce5a86489 vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send
   via  d7e0b5933fa s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
  from  5b90acbef15 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit fc318c63e5556e940ee846e63ebbc1ca5a39c945
Author: Stefan Metzmacher 
Date:   Tue Jun 18 20:28:25 2024 +0200

auth/credentials: don't ignore "client use kerberos" and --use-kerberos for 
machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224

commit 212b014679f17808c20015ee6852ffbd5f4b847f
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:02:05 2024 +0200

auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit eeb60574b6bf1a5209b85a8af843b93300550ba7)

commit 46ebf66fe965ba361325877364b65c69b781484a
Author: Stefan Metzmacher 
Date:   Tue Jun 18 18:53:48 2024 +0200

auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit c715ac5e496ddde119212d3b880ff0e68c2da67b)

commit cccd9c95c8bbbde16f3251081ea2c3a1fc3b2ac3
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:34:30 2024 +0200

testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" 
and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit db2c576f329675e8d66e19c336fe04ccba918b4a)

commit 694605f52a45ae31e2607895fff2ae60f9f64595
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:11:09 2024 +0200

testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit cda8beea45303a77080c64bb2391d22c59672deb)

commit 7d69ec93e3178105ee02aae24d056d65d2d70358
Author: Stefan Metzmacher 
Date:   Fri Jun 14 10:07:02 2024 +0200

vfs_recycle: remember resolved config->repository in vfs_recycle_connect()

This should not change during the lifetime of the tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Martin Schwenke 
Reviewed-by: Noel Power 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 53b72ea4d25d4aa6cf8de1c7555456d4cc03b809)

commit f464a85c12968c0791714af68c7d3a044e81adc6
Author: Stefan Metzmacher 
Date:   Tue Jun 18 14:18:17 2024 +0200

Revert "TMP-REPRODUCE:

[SCM] Samba Shared Repository - branch master updated

2024-06-19 Thread Stefan Metzmacher 
The branch, master has been updated
   via  5b40cdf6e88 auth/credentials: don't ignore "client use kerberos" 
and --use-kerberos for machine accounts
   via  eeb60574b6b auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()
   via  c715ac5e496 auth/credentials: add 
cli_credentials_get_kerberos_state_obtained() helper
   via  db2c576f329 testprogs/blackbox: add test_ldap_token.sh to test 
"client use kerberos" and --use-kerberos
   via  cda8beea453 testprogs/blackbox: let test_trust_token.sh check for 
S-1-18-1 with kerberos
   via  53b72ea4d25 vfs_recycle: remember resolved config->repository in 
vfs_recycle_connect()
   via  c229a84b449 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()"
   via  2175856fef1 vfs_recycle: fix memory hierarchy
   via  b38241da3dd vfs_recycle: use the correct return in 
SMB_VFS_HANDLE_GET_DATA()
   via  cf7a6b521ac vfs_recycle: use a talloc_stackframe() in 
recycle_unlink_internal()
   via  220b0e977e2 vfs_recycle: directly allocate 
smb_fname_final->base_name
   via  691564f6ca7 vfs_recycle: don't unlink on allocation failure
   via  6467c47cbe5 TMP-REPRODUCE: vfs_recycle: demonstrate memory 
corruption in recycle_unlink_internal()
   via  2916b6096e1 test_recycle.sh: make sure we don't see panics on the 
log files
  from  462b74da79c vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a
Author: Stefan Metzmacher 
Date:   Tue Jun 18 20:28:25 2024 +0200

auth/credentials: don't ignore "client use kerberos" and --use-kerberos for 
machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

commit eeb60574b6bf1a5209b85a8af843b93300550ba7
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:02:05 2024 +0200

auth/credentials: add tests for 
cli_credentials_get_kerberos_state[_obtained]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit c715ac5e496ddde119212d3b880ff0e68c2da67b
Author: Stefan Metzmacher 
Date:   Tue Jun 18 18:53:48 2024 +0200

auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit db2c576f329675e8d66e19c336fe04ccba918b4a
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:34:30 2024 +0200

testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" 
and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit cda8beea45303a77080c64bb2391d22c59672deb
Author: Stefan Metzmacher 
Date:   Tue Jun 18 19:11:09 2024 +0200

testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 53b72ea4d25d4aa6cf8de1c7555456d4cc03b809
Author: Stefan Metzmacher 
Date:   Fri Jun 14 10:07:02 2024 +0200

vfs_recycle: remember resolved config->repository in vfs_recycle_connect()

This should not change during the lifetime of the tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Martin Schwenke 
Reviewed-by: Noel Power 
Reviewed-by: Volker Lendecke 

commit c229a84b449b8ba326ee0f6f702d91f101b99ee4
Author: Stefan Metzmacher 
Date:   Tue Jun 18 14:18:17 2024 +0200

Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in 
recycle_unlink_internal()"

This was only added to demonstrate the problem more reliable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Martin Schwenke 
Reviewed-by: Noel Power 
Reviewed-by: Volker Lendecke 

commit 2175856fef17964cef7cf8618b39736168219eec
Author: Stefan Metzmacher 
Date:   Fri Jun 14 10:07:02 2024 +0200

vfs_recycle: fix memory hierarchy

If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-18 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  5b90acbef15 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share
   via  4b4b0152fd7 selftest: Add a python blackbox test for some misc 
(widelink) DFS tests
   via  dceb2e56b63 script/autobuild.py: Add test for --vendor-name and 
--vendor-patch-revision
   via  5d593a735d3 build: Add --vendor-name --vendor-patch-revision 
options to ./configure
   via  f46faceae1f ctdb/docs: Include ceph rados namespace support in man 
page
   via  9110627bc24 ctdb/ceph: Add optional namespace support for mutex 
helper
   via  df54d3fdda9 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored
   via  89817ed2165 s4:dns_server: correctly sign dns update responses with 
gss-tsig like Windows
   via  fdd61d60caa s4:dns_server: dns_verify_tsig should return REFUSED on 
error
   via  f663b386156 s4:dns_server: also search DNS_QTYPE_TKEY in the 
answers section if it's the last section
   via  3b36f447040 s4:dns_server: use tkey->algorithm if available in 
dns_sign_tsig()
   via  299818567ea s4:dns_server: use the client provided algorithm for 
the fake TSIG structure
   via  7ddd758da50 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TSIG
   via  6e395cabf38 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TKEY
   via  ed8ef00c297 s4:dns_server: failed dns updates should result in 
REFUSED for ACCESS_DENIED
   via  a7f3293ddf7 python:tests/dns_tkey: add 
test_update_tsig_record_access_denied()
   via  9137bb66ab4 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to 
samba.tests.dns_tkey
   via  5a98bc50263 python:tests/dns_base: add get_unpriv_creds() helper
   via  ff0afdd1b05 python:tests/dns_tkey: let test_update_tsig_windows() 
actually pass against windows 2022
   via  bda80382eb5 python:tests/dns_base: let verify_packet() work against 
Windows
   via  fdfd4e8adce python:tests/dns_tkey: test bad and changing tsig 
algorithms
   via  7dabac46b5a python:tests/dns_tkey: add gss.microsoft.com tsig 
updates
   via  6438249cf1e python:tests/dns_tkey: let us have 
test_update_gss_tsig_tkey_req_{additional,answers}()
   via  501a25a1f07 python:tests/dns_tkey: test TKEY with gss-tsig, 
gss.microsoft.com and invalid algorithms
   via  c7a936ecd27 python:tests/dns_base: maintain a dict with tkey 
related state
   via  da7c313740d python:tests/dns_base: let dns_transaction_udp() take 
allow_{remaining,truncated}=True
   via  85784854629 python:tests/dns_base: pass tkey_trans(expected_rcode)
   via  e58fe908371 python:tests/dns_base: let tkey_trans() take 
tkey_req_in_answers
   via  12d4e452410 python:tests/dns_base: let tkey_trans() and 
sign_packet() take algorithm_name as argument
   via  9cfc2e24331 python:tests/dns_tkey: make use of 
self.assert_echoed_dns_error()
   via  f7f0518b46a python:tests/dns_base: add 
self.assert_echoed_dns_error()
   via  c00749edb35 python:tests/dns_base: let dns_transaction_tcp() handle 
short receives
   via  3bd80a2545a python:tests/dns_base: use ndr_deepcopy() and 
ndr_pack() in verify_packet()
   via  19fc5bb6b9d python:tests/dns_base: generate a real signature in 
bad_sign_packet()
  from  8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 5b90acbef156174ea65014a298f926218a760c4e
Author: Noel Power 
Date:   Fri Jun 7 19:35:47 2024 +0100

s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

(cherry picked from commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267)
[noel.po...@suse.com backported to Samba 4.20 minor change to use
   4.20 create_open_symlink_err fn instead of read_symlink_reparse]

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Tue Jun 18 08:33:30 UTC 2024 on atb-devel-224

commit 4b4b0152fd7cce2923ffcfe04eb07de4cc8721d7
Author: Noel Power 
Date:   Tue Jun 11 11:19:50 2024 +0100

selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
 cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power 
Reviewed-by: Jeremy

[SCM] Samba Shared Repository - branch master updated

2024-06-17 Thread Stefan Metzmacher 
The branch, master has been updated
   via  462b74da79c vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send
   via  372476aeb00 s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
  from  35f6c3f3d4a ctdb/docs: Include ceph rados namespace support in man 
page

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 462b74da79c51f9ba6dbd24e603aa904485d5123
Author: Stefan Metzmacher 
Date:   Mon Jun 17 10:41:53 2024 +0200

vfs_default: also call vfs_offload_token_ctx_init in 
vfswrap_offload_write_send

If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Noel Power 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224

commit 372476aeb003e9c608cd2c0a78a9c577b57ba8f4
Author: Stefan Metzmacher 
Date:   Mon Jun 17 11:18:07 2024 +0200

s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Noel Power 

---

Summary of changes:
 source3/modules/vfs_default.c |  6 
 source4/torture/smb2/ioctl.c  | 64 +++
 2 files changed, 70 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 48b5dd9e39f..e0ebc7bd1a2 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -2148,6 +2148,12 @@ static struct tevent_req *vfswrap_offload_write_send(
.remaining = to_copy,
};
 
+   status = vfs_offload_token_ctx_init(handle->conn->sconn->client,
+   _offload_ctx);
+   if (tevent_req_nterror(req, status)) {
+   return tevent_req_post(req, ev);
+   }
+
tevent_req_set_cleanup_fn(req, vfswrap_offload_write_cleanup);
 
switch (fsctl) {
diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c
index 3765dc0c1bd..beceaa5c551 100644
--- a/source4/torture/smb2/ioctl.c
+++ b/source4/torture/smb2/ioctl.c
@@ -7388,6 +7388,68 @@ static bool test_ioctl_bug14788_NETWORK_INTERFACE(struct 
torture_context *tortur
return true;
 }
 
+/*
+ * basic regression test for BUG 15664
+ * https://bugzilla.samba.org/show_bug.cgi?id=15664
+ */
+static bool test_ioctl_copy_chunk_bug15644(struct torture_context *torture,
+  struct smb2_tree *tree)
+{
+   struct smb2_handle dest_h;
+   NTSTATUS status;
+   union smb_ioctl ioctl;
+   TALLOC_CTX *tmp_ctx = talloc_new(tree);
+   struct srv_copychunk chunk;
+   struct srv_copychunk_copy cc_copy;
+   enum ndr_err_code ndr_ret;
+   bool ok;
+
+   ok = test_setup_create_fill(torture,
+   tree,
+   tmp_ctx,
+   FNAME2,
+   _h,
+   0,
+   SEC_RIGHTS_FILE_ALL,
+   FILE_ATTRIBUTE_NORMAL);
+   torture_assert(torture, ok, "dest file create fill");
+
+   ZERO_STRUCT(ioctl);
+   ioctl.smb2.level = RAW_IOCTL_SMB2;
+   ioctl.smb2.in.file.handle = dest_h;
+   ioctl.smb2.in.function = FSCTL_SRV_COPYCHUNK;
+   ioctl.smb2.in.max_output_response = sizeof(struct srv_copychunk_rsp);
+   ioctl.smb2.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL;
+
+   ZERO_STRUCT(chunk);
+   ZERO_STRUCT(cc_copy);
+   /* overwrite the resume key with a bogus value */
+   memcpy(cc_copy.source_key, "deadbeefdeadbeefdeadbeef", 24);
+   cc_copy.chunk_count = 1;
+   cc_copy.chunks = 
+   cc_copy.chunks[0].source_off = 0;
+   cc_copy.chunks[0].target_off = 0;
+   cc_copy.chunks[0].length = 4096;
+
+   ndr_ret = ndr_push_struct_blob(, tmp_ctx,
+  _copy,
+   (ndr_push_flags_fn_t)ndr_push_srv_copychunk_copy);
+   torture_assert_ndr_success(torture, ndr_ret,
+  "ndr_push_srv_copychunk_copy");
+
+   /* Server 2k12 returns NT_STATUS_OBJECT_NAME_NOT_FOUND */
+   status = smb2_ioctl(tree, tmp_ctx, );
+   torture_assert_ntstatus_equal(torture, status,
+ NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ "FSCTL_SRV_COPYCHUNK");
+
+   status = smb2_util_close(tree, dest_h);
+   torture_assert_ntstatus_ok(torture, status, "close");
+
+

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-14 Thread Stefan Metzmacher 
The branch, v4-20-test has been updated
   via  8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3
   via  87ac580b40f third_party: Update uid_wrapper to version 1.3.1
   via  e5293b114b1 gitlab-ci: Set git safe.directory for devel repo
   via  95c59655141 bootstrap: Fix building CentOS 8 Stream container images
   via  7edef3c7fb1 bootstrap: Set git safe.directory
   via  e8dc4bb0edf bootstrap: Fix runner tags
  from  e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on 
DFS widelinks shares.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 8b8fef4c9c8d517e40cb860eebb32f8781c43358
Author: Andreas Schneider 
Date:   Thu Jun 13 07:47:26 2024 +0200

third_party: Update socket_wrapper to version 1.4.3

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224

(cherry picked from commit 8ae180e1678fc8565b8074d4886f7d3676a0f950)

Autobuild-User(v4-20-test): Stefan Metzmacher 
Autobuild-Date(v4-20-test): Fri Jun 14 12:17:55 UTC 2024 on atb-devel-224

commit 87ac580b40f3205576f06233cedb967b53a63638
Author: Andreas Schneider 
Date:   Thu Jun 13 07:41:41 2024 +0200

third_party: Update uid_wrapper to version 1.3.1

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit f88e60644e76c6310088934439f9c0da0f63905f)

commit e5293b114b15d1b20a665eca610c357bd08f21e7
Author: Andreas Schneider 
Date:   Fri Jun 7 16:20:10 2024 +0200

gitlab-ci: Set git safe.directory for devel repo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 54fed589cca245c716492bcc78b574c30378b19c)

commit 95c596551411eacd7de8057a62b61b7d17e97467
Author: Andreas Schneider 
Date:   Mon Jun 10 15:28:30 2024 +0200

bootstrap: Fix building CentOS 8 Stream container images

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit f3af6e860800d0f837cdf6c2d16d1cd12feb08df)

commit 7edef3c7fb136e7bb6dbd4d4e47a4d4add0d0dfd
Author: Andreas Schneider 
Date:   Thu Jun 6 16:10:14 2024 +0200

bootstrap: Set git safe.directory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit d00e9482a50b5a756f4847cde977c40c80e179c5)

commit e8dc4bb0edfcb7b6622bf236aafe2a8e05290ee9
Author: Andreas Schneider 
Date:   Thu Jun 6 14:41:02 2024 +0200

bootstrap: Fix runner tags

See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 84fb5cc8451c0af354850f39ae6debf388849ebb)

---

Summary of changes:
 .gitlab-ci-main.yml |  3 +-
 bootstrap/.gitlab-ci.yml|  6 +--
 bootstrap/config.py |  3 ++
 bootstrap/generated-dists/centos8s/bootstrap.sh |  3 ++
 bootstrap/sha1sum.txt   |  2 +-
 buildtools/wafsamba/samba_third_party.py|  4 +-
 third_party/socket_wrapper/socket_wrapper.c | 45 ++-
 third_party/socket_wrapper/wscript  |  3 +-
 third_party/uid_wrapper/uid_wrapper.c   | 58 -
 third_party/uid_wrapper/wscript |  4 +-
 10 files changed, 118 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 26cf07d6fce..face2103327 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 9a406973474a7903fe7fd6215226660911ed73c0
+  SAMBA_CI_CONTAINER_TAG: b078783e082ead539940faaa644567bf4ed67f67
   #
   # We use the ubuntu2204 image as default as
   # it matches what we have on atb-devel-224
@@ -147,6 +147,7 @@ include:
 - ccache -s
   # We are already running .gitlab-ci directives from this repo, remove 
additional checks that break our CI
 - git config --global --add safe.directory `pwd`
+- git config --global --add

[SCM] Samba Shared Repository - branch master updated

2024-06-14 Thread Anoop C S 
The branch, master has been updated
   via  35f6c3f3d4a ctdb/docs: Include ceph rados namespace support in man 
page
   via  d8c52995f68 ctdb/ceph: Add optional namespace support for mutex 
helper
  from  9242f1e0ddb gitlab-ci: Update image to Fedora 40

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 35f6c3f3d4a5521e6576fcc0dd7dd3bbcea041b2
Author: Günther Deschner 
Date:   Fri Jun 7 14:40:07 2024 +0530

ctdb/docs: Include ceph rados namespace support in man page

Document the new optional argument to specify the namespace to be
associated with RADOS objects in a pool.

Pair-Programmed-With: Anoop C S 
Signed-off-by: Günther Deschner 
Reviewed-by: Günther Deschner 
Reviewed-by: David Disseldorp 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224

commit d8c52995f68fe088dd2174562faee69ed1c95edd
Author: Günther Deschner 
Date:   Fri Jun 7 14:39:37 2024 +0530

ctdb/ceph: Add optional namespace support for mutex helper

RADOS objects within a pool can be associated to a namespace for
logical separation. librados already provides an API to configure
such a namespace with respect to a context. Make use of it as an
optional argument to the helper binary.

Pair-Programmed-With: Anoop C S 
Signed-off-by: Günther Deschner 
Reviewed-by: Günther Deschner 
Reviewed-by: David Disseldorp 

---

Summary of changes:
 ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml|  4 ++-
 ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 50 +-
 2 files changed, 45 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml 
b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
index f558f873d9a..93d79cea5dc 100644
--- a/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
+++ b/ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
@@ -29,12 +29,14 @@
   5:
 
 
-cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object]
+cluster lock = !ctdb_mutex_ceph_rados_helper [Cluster] [User] [Pool] [Object] 
[Timeout] [-n Namespace]
 
 Cluster: Ceph cluster name (e.g. ceph)
 User: Ceph cluster user name (e.g. client.admin)
 Pool: Ceph RADOS pool name
 Object: Ceph RADOS object name
+Timeout: Ceph RADOS lock duration in seconds (optional)
+Namespace: Ceph RADOS pool namespace (optional)
 
 
   The Ceph cluster Cluster must be up and running,
diff --git a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c 
b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
index 7d868a38b23..46566c97a83 100644
--- a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
+++ b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
@@ -42,9 +42,18 @@
 
 static char *progname = NULL;
 
+static void usage(void)
+{
+   fprintf(stderr, "Usage: %s   "
+   "  "
+   "[lock duration secs] [-n RADOS namespace]\n",
+   progname);
+}
+
 static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name,
   const char *ceph_auth_name,
   const char *pool_name,
+  const char *namespace,
   rados_t *_ceph_cluster,
   rados_ioctx_t *_ioctx)
 {
@@ -87,6 +96,10 @@ static int ctdb_mutex_rados_ctx_create(const char 
*ceph_cluster_name,
return ret;
}
 
+   if (namespace != NULL) {
+   rados_ioctx_set_namespace(ioctx, namespace);
+   }
+
*_ceph_cluster = ceph_cluster;
*_ioctx = ioctx;
 
@@ -145,6 +158,7 @@ struct ctdb_mutex_rados_state {
const char *ceph_cluster_name;
const char *ceph_auth_name;
const char *pool_name;
+   const char *namespace;
const char *object;
uint64_t lock_duration_s;
int ppid;
@@ -295,15 +309,13 @@ static int ctdb_mutex_rados_mgr_reg(rados_t ceph_cluster)
 int main(int argc, char *argv[])
 {
int ret;
+   int opt;
struct ctdb_mutex_rados_state *cmr_state;
 
progname = argv[0];
 
-   if ((argc != 5) && (argc != 6)) {
-   fprintf(stderr, "Usage: %s   "
-   "  "
-   "[lock duration secs]\n",
-   progname);
+   if (argc < 5) {
+   usage();
ret = -EINVAL;
goto err_out;
}
@@ -325,15 +337,36 @@ int main(int argc, char *argv[])
cmr_state->ceph_auth_name = argv[2];
cmr_state->pool_name = argv[3];
cmr_state->object = argv[4];
-   if (argc == 6) {
+
+   optind = 5;
+   while ((opt = getopt(argc, argv, "n:")) != -1) {
+

[SCM] Samba Shared Repository - branch master updated

2024-06-13 Thread Andreas Schneider 
The branch, master has been updated
   via  9242f1e0ddb gitlab-ci: Update image to Fedora 40
   via  276db59eff2 gitlab-ci: Add CentOS 9 Stream
   via  11d1c4704a8 gitlab-ci: Remove CentOS7 which is EOL
   via  efa2d0bf82a selftest: Set NSS_WRAPPER_HOSTS for smbclient
   via  0b19bb12a4c selftest: Create the cmd outside of the loop
   via  4a48148a7d8 s4:torture: Add missing NULL checks in spoolss.c
   via  8d5b40296f8 lib:util: Fix size of tmp array
   via  6aaab84533c lib:util: Remove tailing spaces in util.c
  from  8ae180e1678 third_party: Update socket_wrapper to version 1.4.3

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9242f1e0ddbe3653f2612c704c0dba455f843ec3
Author: Andreas Schneider 
Date:   Tue Apr 30 11:30:48 2024 +0200

gitlab-ci: Update image to Fedora 40

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Jun 13 13:29:48 UTC 2024 on atb-devel-224

commit 276db59eff2b4f959172c1ce66f21e2bfd79d8fe
Author: Andreas Schneider 
Date:   Fri Jun 7 14:16:28 2024 +0200

gitlab-ci: Add CentOS 9 Stream

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 11d1c4704a851e9275551c39d88f1c1cf1bdb96a
Author: Andreas Schneider 
Date:   Fri Jun 7 14:09:43 2024 +0200

gitlab-ci: Remove CentOS7 which is EOL

See

https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit efa2d0bf82ae2d57e30d83e43116cb678a1004fc
Author: Andreas Schneider 
Date:   Thu Jun 6 11:51:53 2024 +0200

selftest: Set NSS_WRAPPER_HOSTS for smbclient

This is calling getaddrinfo()

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 0b19bb12a4c6a86cee6fdda1319a173b02934e0a
Author: Andreas Schneider 
Date:   Thu Jun 6 11:51:24 2024 +0200

selftest: Create the cmd outside of the loop

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 4a48148a7d830fb0ec6884f39b2ab1e5d41f2181
Author: Andreas Schneider 
Date:   Tue Apr 30 17:31:00 2024 +0200

s4:torture: Add missing NULL checks in spoolss.c

source4/torture/rpc/spoolss.c: In function
  ‘check_printer_driver_file.isra’:
source4/torture/rpc/spoolss.c:10850:58: error: ‘%s’ directive argument
  is null [-Werror=format-overflow=]
10850 | const char *remote_name = talloc_asprintf(tctx, 
"%s\\%d\\%s",
  |  ^~

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 8d5b40296f89aee6c9a364017b0cb750cf0b7966
Author: Andreas Schneider 
Date:   Tue Apr 30 13:01:20 2024 +0200

lib:util: Fix size of tmp array

lib/util/util.c: In function ‘dump_data_block16’:
lib/util/util.c:503:40: error: ‘%04zX’ directive output may be truncated
writing between 4 and 16 bytes into a region of size 15
[-Werror=format-truncation=]
  503 | snprintf(tmp, sizeof(tmp), "%s[%04zX]", prefix, idx);
  |^

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 6aaab84533c5691fefa0108da40a41e74f53c89f
Author: Andreas Schneider 
Date:   Tue Apr 30 12:54:48 2024 +0200

lib:util: Remove tailing spaces in util.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci-main.yml| 30 
 bootstrap/.gitlab-ci.yml   |  9 +--
 bootstrap/config.py| 80 +++---
 bootstrap/generated-dists/Vagrantfile  | 24 +++
 .../{centos7 => centos9s}/Dockerfile   |  2 +-
 .../{centos7 => centos9s}/bootstrap.sh | 61 +
 .../{centos7 => centos9s}/locale.sh|  0
 .../{centos7 => centos9s}/packages.yml | 38 +-
 bootstrap/generated-dists/fedora39/Dockerfile  | 29 
 .../{centos7 => fedora40}/Dockerfile   |  2 +-
 .../{fedora39 => fedora40}/bootstrap.sh|  0
 .../{fedora39 => fedora40}/locale.sh   |  0
 .../{fedora39 => fedora40}/packages.yml|  0
 bootstrap/sha1sum.txt  |  2 +-
 lib/util/util.c| 28 
 selftest/target/Samba3.pm  | 12 ++--
 source4/torture/rpc/spoolss.c  | 17 +++--
 17 files changed, 158 insertions(+), 176 deletions(-)
 copy bootstrap/generated-dists/{centos7 => centos9s}/Dockerfile (90%)
 rename

[SCM] Samba Shared Repository - branch master updated

2024-06-13 Thread Andreas Schneider 
The branch, master has been updated
   via  8ae180e1678 third_party: Update socket_wrapper to version 1.4.3
   via  f88e60644e7 third_party: Update uid_wrapper to version 1.3.1
   via  54fed589cca gitlab-ci: Set git safe.directory for devel repo
   via  f3af6e86080 bootstrap: Fix building CentOS 8 Stream container images
   via  d00e9482a50 bootstrap: Set git safe.directory
   via  84fb5cc8451 bootstrap: Fix runner tags
  from  aecbfe52183 python/samba/tests/krb5: Add tests for password expiry 
with krb5 ENC-TS

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8ae180e1678fc8565b8074d4886f7d3676a0f950
Author: Andreas Schneider 
Date:   Thu Jun 13 07:47:26 2024 +0200

third_party: Update socket_wrapper to version 1.4.3

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224

commit f88e60644e76c6310088934439f9c0da0f63905f
Author: Andreas Schneider 
Date:   Thu Jun 13 07:41:41 2024 +0200

third_party: Update uid_wrapper to version 1.3.1

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 54fed589cca245c716492bcc78b574c30378b19c
Author: Andreas Schneider 
Date:   Fri Jun 7 16:20:10 2024 +0200

gitlab-ci: Set git safe.directory for devel repo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit f3af6e860800d0f837cdf6c2d16d1cd12feb08df
Author: Andreas Schneider 
Date:   Mon Jun 10 15:28:30 2024 +0200

bootstrap: Fix building CentOS 8 Stream container images

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit d00e9482a50b5a756f4847cde977c40c80e179c5
Author: Andreas Schneider 
Date:   Thu Jun 6 16:10:14 2024 +0200

bootstrap: Set git safe.directory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 84fb5cc8451c0af354850f39ae6debf388849ebb
Author: Andreas Schneider 
Date:   Thu Jun 6 14:41:02 2024 +0200

bootstrap: Fix runner tags

See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci-main.yml |  3 +-
 bootstrap/.gitlab-ci.yml|  6 +--
 bootstrap/config.py |  3 ++
 bootstrap/generated-dists/centos8s/bootstrap.sh |  3 ++
 bootstrap/sha1sum.txt   |  2 +-
 buildtools/wafsamba/samba_third_party.py|  4 +-
 third_party/socket_wrapper/socket_wrapper.c | 45 ++-
 third_party/socket_wrapper/wscript  |  3 +-
 third_party/uid_wrapper/uid_wrapper.c   | 58 -
 third_party/uid_wrapper/wscript |  4 +-
 10 files changed, 118 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 1e4bdf82e74..c56c84c89d4 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 9a406973474a7903fe7fd6215226660911ed73c0
+  SAMBA_CI_CONTAINER_TAG: b078783e082ead539940faaa644567bf4ed67f67
   #
   # We use the ubuntu2204 image as default as
   # it matches what we have on atb-devel-224
@@ -147,6 +147,7 @@ include:
 - ccache -s
   # We are already running .gitlab-ci directives from this repo, remove 
additional checks that break our CI
 - git config --global --add safe.directory `pwd`
+- git config --global --add safe.directory 
/builds/samba-team/devel/samba/.git
   after_script:
 - mount
 - df -h
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index ba82cdc1251..77b4e4fe290 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -6,9 +6,7 @@
 # We need to make sure we only use gitlab.com
 # runners and not our own runners, as our current runners
 # don't allow 'docker build ...' to run.
-- docker
-- gce
-- shared
+- saas-linux-small-amd64
   variables:
 SAMBA_CI_IS_BROKEN_IMAGE: "no"
 SAMBA_CI_TEST_JOB: "samba-o3"
@@

[SCM] Samba Shared Repository - branch master updated

2024-06-12 Thread Andrew Bartlett 
The branch, master has been updated
   via  aecbfe52183 python/samba/tests/krb5: Add tests for password expiry 
with krb5 ENC-TS
   via  ef87f0be600 python/samba/tests/krb5: Add check to confirm 
UF_SMARCARD_REQUIRED password is expired on NTLM
  from  43802f1bedd python: remove string_to_byte_array()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit aecbfe5218326c2b4eb9a4e6c6b05719035585f9
Author: Andrew Bartlett 
Date:   Wed Jun 12 10:24:18 2024 +1200

python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

This augments the PKINIT based tests to show this is correctly handled
for the fare more usual case.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224

commit ef87f0be6009dcb95316dbfd71ce9834e7a5a8ed
Author: Andrew Bartlett 
Date:   Wed Jun 12 08:51:54 2024 +1200

python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password 
is expired on NTLM

8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry
checking on NTLM, but that is fixed after CID 1603594 triggered
815d696d4471f1b3a4267eb774eb80b07576031b.  In the past we could
not have password expiry times small enough to test expiry
(unlike "must change now"), but having no test was not good.

As we are already doing the sleep() here, add a test to the
password rotation test.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

---

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py | 80 -
 python/samba/tests/krb5/pkinit_tests.py | 14 +
 python/samba/tests/krb5/raw_testcase.py |  3 +-
 selftest/expectedfail.d/kdc_test_pw_expired |  2 +
 selftest/knownfail_mit_kdc  |  2 +
 5 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 selftest/expectedfail.d/kdc_test_pw_expired


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py 
b/python/samba/tests/krb5/as_req_tests.py
index 4d0940caa46..55c27a2bed3 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -22,8 +22,12 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba import ntstatus
+import time
+
+from samba import credentials, ntstatus
+from samba.dcerpc import netlogon
 from samba.tests import DynamicTestCase
+from samba.tests.pso import PasswordSettings
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import (
 KDC_ERR_S_PRINCIPAL_UNKNOWN,
 KDC_ERR_ETYPE_NOSUPP,
 KDC_ERR_PREAUTH_REQUIRED,
+KDC_ERR_PREAUTH_FAILED,
+KDC_ERR_KEY_EXPIRED,
 KU_PA_ENC_TIMESTAMP,
 NT_ENTERPRISE_PRINCIPAL,
 NT_PRINCIPAL,
@@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest):
 etypes,
 preauth_padata,
 kdc_options,
+creds=client_creds,
 expected_supported_etypes=krbtgt_supported_etypes,
 expected_account_name=user_name,
 expect_edata=expect_pa_edata,
@@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest):
 expected_pa_error=KDC_ERR_CLIENT_REVOKED,
 expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
 
+def test_pw_expired(self):
+"""Test making an AS-REQ with an expired password."""
+
+client_creds = self.get_cached_creds(
+account_type=self.AccountType.USER)
+client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
+
+userdn = str(client_creds.get_dn())
+samdb = self.get_samdb()
+
+# create a PSO setting password_age_max to 1 second
+#
+# The first parameter is not a username, just a new unique name for 
the PSO
+short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
+precedence=200,
+password_age_max=1)
+self.addCleanup(samdb.delete, short_expiry_pso.dn)
+short_expiry_pso.apply_to(userdn)
+
+time.sleep(1)
+
+# Expect to get a CLIENT_REVOKED error.
+self._run_as_req_enc_timestamp(
+client_creds,
+expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, 
KDC_ERR_PREAUTH_REQUIRED),
+expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
+expected_pa_error=KDC_ERR_KEY_EXPIRED,
+expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
+
+self._test_samlogon(creds=client_creds,
+

[SCM] Socket Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider 
The branch, master has been updated
   via  d7c4bb5 Bump version to 1.4.3
  from  03cea2e swrap: Fix syscall() with jemalloc to prevent a deadlock

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit d7c4bb54b3d1b5007041f04ef34f47862b736876
Author: Andreas Schneider 
Date:   Wed Jun 12 16:12:42 2024 +0200

Bump version to 1.4.3

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 CHANGELOG  | 6 ++
 CMakeLists.txt | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/CHANGELOG b/CHANGELOG
index 48192d5..2ef0aa6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,12 @@
 CHANGELOG
 =
 
+version 1.4.3 (released 2024-06-12)
+  * Fixed socket_wrapper running with jemalloc compiled binaries
+  * Fixed thread sanitizer on modern Linux Kernels
+  * Fixed swrap_fake_uid_wrapper test
+  * Fixed building on Hurd
+
 version 1.4.2 (released 2023-06-29)
   * Fixed LFS issues on 32bit platforms
 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5b235d7..f66cff9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -11,7 +11,7 @@ list(APPEND CMAKE_MODULE_PATH 
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(socket_wrapper VERSION 1.4.2 LANGUAGES C)
+project(socket_wrapper VERSION 1.4.3 LANGUAGES C)
 
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -25,7 +25,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 # Increment PATCH.
 set(LIBRARY_VERSION_MAJOR 0)
 set(LIBRARY_VERSION_MINOR 4)
-set(LIBRARY_VERSION_PATCH 1)
+set(LIBRARY_VERSION_PATCH 2)
 set(LIBRARY_VERSION 
"${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}")
 set(LIBRARY_SOVERSION ${LIBRARY_VERSION_MAJOR})
 


-- 
Socket Wrapper Repository

[SCM] UID Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider 
The branch, master has been updated
   via  184e610 Bump version to 1.3.1
   via  4127ba0 src: use LIBC_SO from GNU libc, if available
   via  16c0212 src/uid_wrapper.c: Fix typo of 'Initialize.'
  from  3916f98 uwrap: Fix syscall() with jemalloc to prevent a deadlock

https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master


- Log -
commit 184e61007f60c644e8841c8fbca1acd6bff7fad8
Author: Andreas Schneider 
Date:   Wed Jun 12 15:51:35 2024 +0200

Bump version to 1.3.1

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 4127ba0298b1ebd220c8555b2a785d6cc8084fca
Author: Pino Toscano 
Date:   Fri May 30 19:06:10 2014 +0200

src: use LIBC_SO from GNU libc, if available

Look for gnu/lib-names.h and use the LIBC_SO define to dlopen libc, so
the right library is loaded without manually searching for libc.so.N.

Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 16c0212f128ab1aba706422f437c585d714c6a48
Author: Simon Josefsson 
Date:   Fri Aug 4 10:48:45 2023 +0200

src/uid_wrapper.c: Fix typo of 'Initialize.'

Signed-off-by: Simon Josefsson 
Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 CHANGELOG |  6 ++
 CMakeLists.txt|  4 ++--
 ConfigureChecks.cmake |  1 +
 config.h.cmake|  1 +
 src/uid_wrapper.c | 13 -
 5 files changed, 22 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/CHANGELOG b/CHANGELOG
index 92542f5..40a33c6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,12 @@
 CHANGELOG
 =
 
+version 1.3.1 (released 2024-06-12)
+  * Added support to find libc via LIBC_SO define
+  * Fixed uid_wrapper running with jemalloc compiled binaries
+  * Fixed socket_wrapper interaction test
+  * Fixed thread sanitizer on modern Linux Kernels
+
 version 1.3.0 (released 2023-01-17)
   * Added support to interact with socket_wrapper syscall()
   * Fixed deadlocks with threads
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 1523bd7..14215c5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -11,7 +11,7 @@ list(APPEND CMAKE_MODULE_PATH 
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(uid_wrapper VERSION 1.3.0 LANGUAGES C)
+project(uid_wrapper VERSION 1.3.1 LANGUAGES C)
 
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -23,7 +23,7 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 # Increment AGE. Set REVISION to 0
 #   If the source code was changed, but there were no interface changes:
 # Increment REVISION.
-set(LIBRARY_VERSION "0.2.0")
+set(LIBRARY_VERSION "0.2.1")
 set(LIBRARY_SOVERSION "0")
 
 # add definitions
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 3201131..6294b23 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -48,6 +48,7 @@ check_include_file(sys/syscall.h HAVE_SYS_SYSCALL_H)
 check_include_file(syscall.h HAVE_SYSCALL_H)
 check_include_file(grp.h HAVE_GRP_H)
 check_include_file(unistd.h HAVE_UNISTD_H)
+check_include_file(gnu/lib-names.h HAVE_GNU_LIB_NAMES_H)
 
 # FUNCTIONS
 check_function_exists(strncpy HAVE_STRNCPY)
diff --git a/config.h.cmake b/config.h.cmake
index dde70ec..97521f8 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -14,6 +14,7 @@
 #cmakedefine HAVE_SYSCALL_H 1
 #cmakedefine HAVE_UNISTD_H 1
 #cmakedefine HAVE_GRP_H 1
+#cmakedefine HAVE_GNU_LIB_NAMES_H 1
 
 /*** FUNCTIONS ***/
 
diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c
index 4a174e1..ca578e6 100644
--- a/src/uid_wrapper.c
+++ b/src/uid_wrapper.c
@@ -38,6 +38,10 @@
 
 #include 
 
+#ifdef HAVE_GNU_LIB_NAMES_H
+#include 
+#endif
+
 #ifdef HAVE_GCC_THREAD_LOCAL_STORAGE
 # define UWRAP_THREAD __thread
 #else
@@ -558,6 +562,13 @@ static void *uwrap_load_lib_handle(enum uwrap_lib lib)
switch (lib) {
case UWRAP_LIBC:
handle = uwrap.libc.handle;
+#ifdef LIBC_SO
+   if (handle == NULL) {
+   handle = dlopen(LIBC_SO, flags);
+
+   uwrap.libc.handle = handle;
+   }
+#endif
if (handle == NULL) {
for (i = 10; i >= 0; i--) {
char soname[256] = {0};
@@ -1400,7 +1411,7 @@ static void uwrap_init_env(struct uwrap_thread *id)
exit(-1);
}
 
-   UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize groups with %s", env);
+   UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize groups with %s", env);
id->ngroups = ngroups;
}
 }


-- 
UID Wrapper Repository

[SCM] UID Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider 
The branch, master has been updated
   via  3916f98 uwrap: Fix syscall() with jemalloc to prevent a deadlock
   via  895197e gitlab-ci: Disable ASLR for TSAN
   via  a9b1ca6 gitlab-ci: Adapt config to gitlab changes
  from  c8bf3ae tests: Fix fake socket_wrapper_syscall_valid()

https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master


- Log -
commit 3916f985e716c865269c1f0a437efdc1aa5cdc87
Author: Andreas Schneider 
Date:   Wed Jun 12 11:19:58 2024 +0200

uwrap: Fix syscall() with jemalloc to prevent a deadlock

This is a workaround to prevent a deadlock in jemalloc calling
malloc_init() twice. The first allocation call will trigger a
malloc_init() of jemalloc.  The functions calls syscall(SYS_open, ...)
so it goes to socket or uid wrapper. In this code path we need to avoid
any allocation calls. This will prevent the deadlock.

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Stefan Metzmacher 
Signed-off-by: Andreas Schneider 

commit 895197ece51df1b24ee163aaece1ed2f18812f79
Author: Andreas Schneider 
Date:   Wed Jun 12 11:22:41 2024 +0200

gitlab-ci: Disable ASLR for TSAN

This works around a TSAN issue with newer Linux Kernels (6.x).

See https://github.com/google/sanitizers/issues/1716

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit a9b1ca679a17d9d2d819f8099d7f51a63b2f1dfe
Author: Andreas Schneider 
Date:   Wed Jun 12 11:21:12 2024 +0200

gitlab-ci: Adapt config to gitlab changes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci.yml| 27 ---
 src/uid_wrapper.c | 45 -
 2 files changed, 48 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1a4a3b0..3a84a8e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,8 +22,6 @@ centos7/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -42,8 +40,6 @@ fedora/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure && make install
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -61,8 +57,6 @@ fedora/address-sanitizer:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -79,8 +73,6 @@ fedora/undefined-sanitizer:
   -DCMAKE_BUILD_TYPE=UndefinedSanitizer
   -DUNIT_TESTING=ON ..
   && make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -93,13 +85,14 @@ fedora/thread-sanitizer:
   stage: analysis
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
   script:
+# Workaround for TSAN with ASLR on newer kernel
+# https://github.com/google/sanitizers/issues/1716
 - mkdir -p obj && cd obj && cmake
   -DCMAKE_BUILD_TYPE=ThreadSanitizer
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
-  make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
+  make -j$(nproc) &&
+  setarch --addr-no-randomize -- ctest --output-on-failure
   except:
 - tags
   artifacts:
@@ -132,8 +125,6 @@ fedora/csbuild:
   --git-commit-range $CI_COMMIT_RANGE
   --color
   --print-current --print-fixed
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -174,8 +165,6 @@ tumbleweed/x86_64/gcc:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -194,8 +183,6 @@ tumbleweed/x86_64/gcc7:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -214,8 +201,6 @@ tumbleweed/x86_64/clang:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -236,8 +221,6 @@ tumbleweed/static-analysis:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   scan-build --status-bugs -o scan make -j$(nproc)
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -255,8 +238,6 @@ ubuntu/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c
index 5b6a82b..4a174e1 100644
--- a/src/uid_wrapper.c
+++ b/src/uid_wrapper.c
@@ -656,6 +656,9 @@ static void

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-12 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on 
DFS widelinks shares.
   via  f681ee3bac0 s3/torture: Add test for widelink case insensitivity on 
a MSDFS share.
  from  50d4451bd4b s3:smbcacls: fix ace_compare

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit e57e35908d53124d44d4c275a9f6b248516204ae
Author: Jeremy Allison 
Date:   Mon Jun 10 17:25:32 2024 -0700

s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224

(cherry picked from commit e535bcc698bd5eb31f5c5e0c144692988a044e79)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jun 12 10:22:36 UTC 2024 on atb-devel-224

commit f681ee3bac0ebe86ea1e810aca13e0b5738c58e0
Author: Jeremy Allison 
Date:   Mon Jun 10 15:14:19 2024 -0700

s3/torture: Add test for widelink case insensitivity on a MSDFS share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 
(cherry picked from commit e37e4f474935819c75c078e52715cf3212f77359)

---

Summary of changes:
 source3/modules/vfs_widelinks.c  | 13 -
 source3/script/tests/test_widelink_dfs_ci.sh | 72 
 source3/selftest/tests.py| 11 +
 3 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c
index c5b5084e108..4339f6de9e0 100644
--- a/source3/modules/vfs_widelinks.c
+++ b/source3/modules/vfs_widelinks.c
@@ -383,8 +383,17 @@ static int widelinks_openat(vfs_handle_struct *handle,
}
lstat_ret = SMB_VFS_NEXT_LSTAT(handle,
full_fname);
-   if (lstat_ret != -1 &&
-   VALID_STAT(full_fname->st) &&
+   if (lstat_ret == -1) {
+   /*
+* Path doesn't exist. We must
+* return errno from LSTAT.
+*/
+   int saved_errno = errno;
+   TALLOC_FREE(full_fname);
+   errno = saved_errno;
+   return -1;
+   }
+   if (VALID_STAT(full_fname->st) &&
S_ISLNK(full_fname->st.st_ex_mode)) {
fsp->fsp_name->st = full_fname->st;
}
diff --git a/source3/script/tests/test_widelink_dfs_ci.sh 
b/source3/script/tests/test_widelink_dfs_ci.sh
new file mode 100755
index 000..6ae5cf5bd7f
--- /dev/null
+++ b/source3/script/tests/test_widelink_dfs_ci.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# regression test for dfs access with wide links enabled on dfs share
+# Ensure we still maintain case insensitivity.
+
+if [ $# -lt 7 ]; then
+   cat <
+EOF
+   exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+SHARE="$3"
+USERNAME="$4"
+PASSWORD="$5"
+PREFIX="$6"
+SMBCLIENT="$7"
+shift 7
+ADDARGS="$@"
+
+incdir=$(dirname "$0")"/../../../testprogs/blackbox"
+. "$incdir/subunit.sh"
+. "$incdir/common_test_fns.inc"
+
+failed=0
+
+# Do not let deprecated option warnings muck this up
+SAMBA_DEPRECATED_SUPPRESS=1
+export SAMBA_DEPRECATED_SUPPRESS
+
+# Test chdir'ing into a lowercase directory with upper case.
+test_ci()
+{
+tmpfile="$PREFIX/smbclient_ci_commands"
+
+cat >"$tmpfile" <

[SCM] Samba Shared Repository - branch master updated

2024-06-12 Thread Andrew Bartlett 
The branch, master has been updated
   via  43802f1bedd python: remove string_to_byte_array()
   via  982dab89326 samba-tool ldapcmp: remove a dodgy unused method
   via  6347b0c3736 pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
   via  300bb809ab7 samba-tool domain trust: avoid useless use of 
string_to_byte_array
   via  f8fb9f19bca python:lsa_utils: avoid useless use of py2-compat 
string_to_byte_array
   via  3b349c29b59 python:join: avoid useless use of py2-compat 
string_to_byte_array
   via  46933bc25de py:emulate: remove py2 str/bytes workaround in 
traffic_packets
   via  25e6d7c6a33 py:emulate: remove py2 str/bytes workaround in traffic
   via  f0cf1879681 pytest: remove py2 str/bytes workaround in 
auth_log_samlogon
   via  bd3792005ba pytest: remove py2 str/bytes workaround in 
samr_change_password
   via  2dc111b4c18 pytest: remove py2 str/bytes workaround in lsa_utils
   via  b253b4e0eda pytest: remove py2 str/bytes workaround in dns_base
   via  5d2ea6908b1 pytest: remove py2 str/bytes workaround in 
py_credentials
   via  de19f4d6753 s4/pytest: remove py2 str/bytes workaround in getnc_exop
  from  788ef8f07c7 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 43802f1beddc875d1f4fc15babdbadf7615705c9
Author: Douglas Bagnall 
Date:   Wed Jun 12 12:16:46 2024 +1200

python: remove string_to_byte_array()

This was a useful function during the Python 2 -> 3 migration, but it
is not used any more. In all the cases it was used, we knew we already
had a bytes object, and this was just an inefficient way of confirming
that.

In cases where we actually want to cast a string into a mutable list
of byte-sized ints, the builtin bytearray() function will do a better
job than this, because it will encode high unicode characters as utf-8
bytes, rather than adding them as out-of-range values in the list.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun 12 09:16:39 UTC 2024 on atb-devel-224

commit 982dab893263b60609bf47a7138c91aefb41a038
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:42:27 2024 +1200

samba-tool ldapcmp: remove a dodgy unused method

We have bindings for stringifying GUIDs, so I intended to replace this
rather complicated code with that, but it turns out that this method
has been unused since 5d42260eecfd4f26cc82637ce1bc989083c9eb9d in 2013.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6347b0c3736e1208d09f94e2b67f1b4234205374
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:34:36 2024 +1200

pytest: simplify and fix HEXDUMP_FILTER used in hexdumps

The old test

   x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')

went through some contortions to see if the character was printable, and
it got it slightly wrong. The idea was that `repr(chr(97)` is "'a'",
while `repr(chr(167)` is "'\xa7'", which we can distinguish using the
length. But that miscategorised the backslash character, which is
represented as "'\\'", a string of length 4, so it was show as '.'
instead.

Instead we notice that the characters we want to print in a hexdump
are exactly those between 32 and 126, inclusive.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 300bb809ab7c06eb6abef91a313dbdb8edad7c83
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:21:59 2024 +1200

samba-tool domain trust: avoid useless use of string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit f8fb9f19bca909fe4d29378f255bad33ccb1d778
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:21:09 2024 +1200

python:lsa_utils: avoid useless use of py2-compat string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3b349c29b59ebe7e1e389dc0d51b2063c657b210
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:19:55 2024 +1200

python:join: avoid useless use of py2-compat string_to_byte_array

This was a workaround for the migration to Python 3, but is now just
extra work for the computer and cognitive load for us.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 46933bc25de6515866c6b9d1ae76fad6701fb252
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:17:22 2024 +1200

py:emulate: remove py2 str/bytes workaround in traffic_packets

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 25e6d7c6a339f389cd13628e30b09a892e1a4144
Author: Douglas Bagnall 
Date:   Wed

[SCM] Socket Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider 
The branch, master has been updated
   via  03cea2e swrap: Fix syscall() with jemalloc to prevent a deadlock
   via  9b141c0 tests: Sleep less so that the test runs only for 60sec
   via  9658fec tests: Always link to cmocka library
   via  e3c2432 gitlab-ci: Disable ASLR for TSAN
   via  87f2b5a gitlab-ci: Adapt config to gitlab changes
  from  7af4f26 tests: Fix fake uid_wrapper_syscall_valid().

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit 03cea2ed18bc53bd0e658bc24be6913373d5f97e
Author: Andreas Schneider 
Date:   Fri Jun 7 09:39:20 2024 +0200

swrap: Fix syscall() with jemalloc to prevent a deadlock

This is a workaround to prevent a deadlock in jemalloc calling malloc_init()
twice. The first allocation call will trigger a malloc_init() of jemalloc.
The functions calls syscall(SYS_open, ...) so it goes to socket or uid
wrapper. In this code path we need to avoid any allocation calls. This will
prevent the eadlock.

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Stefan Metzmacher 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 9b141c06568bfba2b9fe63e7d43fb7d1cae12b55
Author: Andreas Schneider 
Date:   Tue Jun 11 08:05:09 2024 +0200

tests: Sleep less so that the test runs only for 60sec

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 9658fec68b9d20d280c70714d99bc76f23ec7a9a
Author: Andreas Schneider 
Date:   Tue Jun 11 09:41:55 2024 +0200

tests: Always link to cmocka library

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit e3c243237097750bbdf57bc2e4835ab5e89fcb0e
Author: Andreas Schneider 
Date:   Wed Jun 12 10:28:45 2024 +0200

gitlab-ci: Disable ASLR for TSAN

This works around a TSAN issue with newer Linux Kernels (6.x).

See https://github.com/google/sanitizers/issues/1716

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 87f2b5ae1c4b88639f76578c0463efe6ae1b051d
Author: Andreas Schneider 
Date:   Fri Jun 7 09:52:48 2024 +0200

gitlab-ci: Adapt config to gitlab changes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci.yml | 33 -
 src/socket_wrapper.c   | 45 -
 tests/CMakeLists.txt   |  6 +++---
 tests/test_echo_tcp_poll.c |  2 +-
 4 files changed, 52 insertions(+), 34 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3643167..fdc11c3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,8 +22,6 @@ centos7/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -41,8 +39,6 @@ fedora/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -60,8 +56,6 @@ fedora/address-sanitizer:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -78,8 +72,6 @@ fedora/undefined-sanitizer:
   -DCMAKE_BUILD_TYPE=UndefinedSanitizer
   -DUNIT_TESTING=ON ..
   && make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -95,13 +87,14 @@ tumbleweed/thread-sanitizer:
   stage: analysis
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
   script:
+# Workaround for TSAN with ASLR on newer kernel
+# https://github.com/google/sanitizers/issues/1716
 - mkdir -p obj && cd obj && cmake
   -DCMAKE_BUILD_TYPE=ThreadSanitizer
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
-  make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
+  make -j$(nproc) &&
+  setarch --addr-no-randomize -- ctest --output-on-failure
   except:
 - tags
   artifacts:
@@ -133,8 +126,6 @@ fedora/csbuild:
   --git-commit-range $CI_COMMIT_RANGE
   --color
   --print-current --print-fixed
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -175,8 +166,6 @@ tumbleweed/x86_64/gcc:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -195,8 +184,6 @@ tumbleweed/x86_64/gcc7:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -215,8 +202,6 @@ tumbleweed/x86_64/clang:

[SCM] Samba Shared Repository - branch master updated

2024-06-11 Thread Jeremy Allison 
The branch, master has been updated
   via  788ef8f07c7 s3/smbd: fix nested chdir into msdfs links on 
(widelinks = yes) share
   via  7f1de90f72d selftest: Add a python blackbox test for some misc 
(widelink) DFS tests
  from  e535bcc698b s3: vfs_widelinks: Allow case insensitivity to work on 
DFS widelinks shares.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267
Author: Noel Power 
Date:   Fri Jun 7 19:35:47 2024 +0100

s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5
Author: Noel Power 
Date:   Tue Jun 11 11:19:50 2024 +0100

selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
 cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

---

Summary of changes:
 python/samba/tests/blackbox/misc_dfs_widelink.py | 86 
 source3/smbd/files.c | 18 +
 source4/selftest/tests.py|  3 +
 3 files changed, 107 insertions(+)
 create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/misc_dfs_widelink.py 
b/python/samba/tests/blackbox/misc_dfs_widelink.py
new file mode 100644
index 000..7948590d710
--- /dev/null
+++ b/python/samba/tests/blackbox/misc_dfs_widelink.py
@@ -0,0 +1,86 @@
+# Blackbox tests for DFS (widelink)
+#
+# Copyright (C) Noel Power noel.po...@suse.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+from samba.tests import BlackboxTestCase, BlackboxProcessError
+from samba.samba3 import param as s3param
+
+from samba.credentials import Credentials
+
+import os
+
+class DfsWidelinkBlockboxTestBase(BlackboxTestCase):
+
+def setUp(self):
+super().setUp()
+self.lp = s3param.get_context()
+self.server = os.environ["SERVER"]
+self.user = os.environ["USER"]
+self.passwd = os.environ["PASSWORD"]
+self.creds = Credentials()
+self.creds.guess(self.lp)
+self.creds.set_username(self.user)
+self.creds.set_password(self.passwd)
+self.testdir = os.getenv("TESTDIR", "msdfs-share-wl")
+self.share = os.getenv("SHARE", "msdfs-share-wl")
+self.dirpath = os.path.join(os.environ["LOCAL_PATH"],self.testdir)
+# allow a custom teardown function to be defined
+self.cleanup = None
+self.cleanup_args = []
+
+def tearDown(self):
+try:
+if (self.cleanup):
+self.cleanup(self.cleanup_args)
+except Exception as e:
+print("remote remove failed: %s" % str(e))
+
+def build_test_cmd(self, cmd, args):
+cmd = [cmd, "-U%s%%%s" % (self.user, self.passwd)]
+cmd.extend(args)
+return cmd
+
+def test_ci_chdir(self):
+parent_dir = "msdfs-src1"
+dirs = [parent_dir, parent_dir.upper()]
+# try as named dir first then try upper-cased version
+for adir in dirs:
+smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % 
(self.server, self.share), "-c", "cd %s" % (adir)])
+try:
+out_str = self.check_output(smbclient_args)
+except BlackboxProcessError as e:
+print(str(e))
+self.fail(str(e))
+
+def test_nested_chdir(self):
+parent_dir = "dfshop1"
+child_dir =

[SCM] Samba Shared Repository - branch master updated

2024-06-11 Thread Jeremy Allison 
The branch, master has been updated
   via  e535bcc698b s3: vfs_widelinks: Allow case insensitivity to work on 
DFS widelinks shares.
   via  e37e4f47493 s3/torture: Add test for widelink case insensitivity on 
a MSDFS share.
  from  db342d86a9c samba-tool user readpasswords: avoid `assert` for 
validation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e535bcc698bd5eb31f5c5e0c144692988a044e79
Author: Jeremy Allison 
Date:   Mon Jun 10 17:25:32 2024 -0700

s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224

commit e37e4f474935819c75c078e52715cf3212f77359
Author: Jeremy Allison 
Date:   Mon Jun 10 15:14:19 2024 -0700

s3/torture: Add test for widelink case insensitivity on a MSDFS share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

---

Summary of changes:
 source3/modules/vfs_widelinks.c  | 13 -
 source3/script/tests/test_widelink_dfs_ci.sh | 72 
 source3/selftest/tests.py| 11 +
 3 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c
index c5b5084e108..4339f6de9e0 100644
--- a/source3/modules/vfs_widelinks.c
+++ b/source3/modules/vfs_widelinks.c
@@ -383,8 +383,17 @@ static int widelinks_openat(vfs_handle_struct *handle,
}
lstat_ret = SMB_VFS_NEXT_LSTAT(handle,
full_fname);
-   if (lstat_ret != -1 &&
-   VALID_STAT(full_fname->st) &&
+   if (lstat_ret == -1) {
+   /*
+* Path doesn't exist. We must
+* return errno from LSTAT.
+*/
+   int saved_errno = errno;
+   TALLOC_FREE(full_fname);
+   errno = saved_errno;
+   return -1;
+   }
+   if (VALID_STAT(full_fname->st) &&
S_ISLNK(full_fname->st.st_ex_mode)) {
fsp->fsp_name->st = full_fname->st;
}
diff --git a/source3/script/tests/test_widelink_dfs_ci.sh 
b/source3/script/tests/test_widelink_dfs_ci.sh
new file mode 100755
index 000..6ae5cf5bd7f
--- /dev/null
+++ b/source3/script/tests/test_widelink_dfs_ci.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# regression test for dfs access with wide links enabled on dfs share
+# Ensure we still maintain case insensitivity.
+
+if [ $# -lt 7 ]; then
+   cat <
+EOF
+   exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+SHARE="$3"
+USERNAME="$4"
+PASSWORD="$5"
+PREFIX="$6"
+SMBCLIENT="$7"
+shift 7
+ADDARGS="$@"
+
+incdir=$(dirname "$0")"/../../../testprogs/blackbox"
+. "$incdir/subunit.sh"
+. "$incdir/common_test_fns.inc"
+
+failed=0
+
+# Do not let deprecated option warnings muck this up
+SAMBA_DEPRECATED_SUPPRESS=1
+export SAMBA_DEPRECATED_SUPPRESS
+
+# Test chdir'ing into a lowercase directory with upper case.
+test_ci()
+{
+tmpfile="$PREFIX/smbclient_ci_commands"
+
+cat >"$tmpfile" <

[SCM] Samba Shared Repository - branch master updated

2024-06-10 Thread Andrew Bartlett 
The branch, master has been updated
   via  db342d86a9c samba-tool user readpasswords: avoid `assert` for 
validation
   via  b42c4891804 s4:auth: Handle expired accounts in 
authsam_account_ok() (CID 1603594)
   via  facb418c99d s4:dsdb: Remove trailing whitespace
   via  5ffa7683295 s4:auth: Add temporary memory context to 
authsam_reread_user_logon_data()
   via  7ae10eb25f8 s4:auth: Add common out path to 
authsam_reread_user_logon_data()
   via  4e8ca6140af ldb: Attach appropriate ldb context to returned result
  from  225e6aeafc7 s4/torture: Remove already existing test_dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit db342d86a9ccd15f764cb8e0a91774e1f8fd7858
Author: Douglas Bagnall 
Date:   Fri Feb 2 15:01:21 2024 +1300

samba-tool user readpasswords: avoid `assert` for validation

`assert` can be optimised away if python is run with `-O`.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224

commit b42c489180474627270e09408f84841baa175157
Author: Jo Sutton 
Date:   Tue Jun 11 14:58:11 2024 +1200

s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)

We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit facb418c99d5be62ae7e111539ca497a783b6a37
Author: Jo Sutton 
Date:   Fri May 24 13:05:58 2024 +1200

s4:dsdb: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5ffa7683295ae7006a51dc8244918ed89f500184
Author: Jo Sutton 
Date:   Mon Apr 29 17:07:43 2024 +1200

s4:auth: Add temporary memory context to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 7ae10eb25f821e617100cad113f751833b7c0893
Author: Jo Sutton 
Date:   Mon Apr 29 17:09:12 2024 +1200

s4:auth: Add common out path to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21
Author: Jo Sutton 
Date:   Wed May 1 16:54:01 2024 +1200

ldb: Attach appropriate ldb context to returned result

This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/ABI/ldb-2.10.0.sigs  |  1 +
 lib/ldb/common/ldb_dn.c  | 16 +
 lib/ldb/include/ldb.h|  3 +++
 lib/ldb/ldb_key_value/ldb_kv_search.c|  2 +-
 python/samba/netcmd/user/readpasswords/common.py |  5 +++-
 python/samba/tests/krb5/gmsa_tests.py|  2 +-
 source4/auth/sam.c   | 29 
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c  | 28 +++
 8 files changed, 59 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.10.0.sigs b/lib/ldb/ABI/ldb-2.10.0.sigs
index f23014ffaaa..bd9aa54a005 100644
--- a/lib/ldb/ABI/ldb-2.10.0.sigs
+++ b/lib/ldb/ABI/ldb-2.10.0.sigs
@@ -47,6 +47,7 @@ ldb_dn_check_special: bool (struct ldb_dn *, const char *)
 ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_copy_with_ldb_context: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *, 
struct ldb_context *)
 ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
 ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const 
struct ldb_dn_extended_syntax *)
 ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index cb4266dca91..e785a6d9e3d 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -1398,6 +1398,22 @@ struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct 
ldb_dn *dn)
return new_dn;
 }
 
+struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx,
+   struct ldb_dn *dn,
+   struct ldb_context *ldb)
+{
+   struct ldb_dn *new_dn = NULL;
+
+   new_dn = ldb_dn_copy(mem_ctx, dn);
+   if (new_dn == NULL) {
+   return NULL;
+   }
+
+   /* Set the ldb context. */
+   new_dn->ldb = ldb;

[Announce] Samba 4.19.7 Available for Download

2024-06-10 Thread Jule Anger via samba-announce 

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.6


o  Douglas Bagnall 
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive 
compare

 function (ldb 2.8.1 is already released).
   * BUG 15625: Many qsort() comparison functions are non-transitive, 
which can
 lead to out-of-bounds access in some circumstances (ldb 2.8.1 is 
already

 released).

o  Andrew Bartlett 
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to 
avoid CI

 bill.

o  Stefan Metzmacher 
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
 SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed 
(similar to

 Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15642: winbindd, net ads join and other things don't work on 
an ipv6

 only host.

o  Anna Popova 
   * BUG 15636: Smbcacls incorrectly propagates inheritance with 
Inherit-Only

 flag.

o  Noel Power 
   * BUG 15611: http library doesn't support  'chunked transfer encoding'.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.7.html


If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID 
4793916113084025).

The ldb source code can be downloaded from:


https://download.samba.org/pub/ldb/ldb-2.8.1.tar.gz


Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team

[SCM] Samba Shared Repository - branch v4-19-stable updated

2024-06-10 Thread Jule Anger 
The branch, v4-19-stable has been updated
   via  bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.
   via  e71f7441c9e WHATSNEW: Add release notes for Samba 4.19.7.
   via  6ca4df63741 BUG 15569 ldb: Release LDB 2.8.1
   via  d4f9272b7e9 s3:smbcacls: fix ace_compare
   via  123f458dda6 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  0382d17 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  ae8eb3d2b09 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  2a53574e07e s4:dsdb:mod: repl_md: make message_sort transitive
   via  92daa0a7801 ldb: avoid NULL deref in ldb_db_compare
   via  ca905ccbf1e ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  50bfb065e01 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  5c5c652db7c ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  96f3db39522 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  2b3416384ae ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  fae4e0b16aa ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  108f687cf22 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  5bf176b5692 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  24d362e62d4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  9314eaaba91 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  f0f9598d5d1 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  c1819217c0a gensec: sort_gensec uses NUMERIC_CMP
   via  4066451f6e8 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  16288b40eb9 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  069e651d4b8 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  f58d857d722 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  13645e1131b s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  aa255148bbb ldb:dn: make ldb_dn_compare() self-consistent
   via  867dce05d21 ldb:sort: generalise both-NULL check to equality check
   via  87a6fe0058a ldb:sort: check that elements have values
   via  71d2c9093cf ldb:mod:sort: rearrange NULL checks
   via  d4477eab44a s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  075aae1d1a0 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  32f4e0c7f5a s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  26e08f8fc7d s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  30f0a2fb131 s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  91dd5024010 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  0f8e25b897f s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  f14a1370f48 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  622bf82fb32 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  6b07ce82a58 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  b7f581fb61f libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  60c318fc66b libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  23d792875f9 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  b2dbe57c977 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  fe804401b9b util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  ad50158af05 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  9de4a5d3bbc ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  c85cb252af0 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  5847e53de2f lib/torture: add assert_int_{less,greater} macros
   via  12c6c305fb1 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  74befdb1387 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  2557ab23014 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  120479e4e02 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  388b11b6dc1 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  59f6652aeee util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  3f8063530d2 torture:charset: test more of strcasecmp_m
   via  6b08f2ed860 torture:charset: use < and > assertions for 
strncasecmp_m
   via  5082378df18 torture:charset: use < and > assertions for strcasecmp_m
   via  1a45f172070 util:binsearch: user NUMERIC_CMP()
   via  ea27699bcd2 s4: use numeric_cmp in dns_common_sort_zones()
   via  792f8d40e1c s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  25e97cd7dba s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  6c9119371cd ldb:ldb_dn: use safe

[SCM] Samba Website Repository - branch master updated

2024-06-10 Thread Jule Anger 
The branch, master has been updated
   via  19e1100 NEWS[4.19.7]: Samba 4.19.7 Available for Download
  from  2ec8209 NEWS[4.20.1]: Samba 4.20.1 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 19e11008fca41dd540944dbf54f4cb1b36065cbc
Author: Jule Anger 
Date:   Mon Jun 10 17:29:25 2024 +0200

NEWS[4.19.7]: Samba 4.19.7 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.19.7.html| 62 
 posted_news/20240610-153018.4.19.7.body.html | 13 +
 posted_news/20240610-153018.4.19.7.headline.html |  3 ++
 4 files changed, 79 insertions(+)
 create mode 100644 history/samba-4.19.7.html
 create mode 100644 posted_news/20240610-153018.4.19.7.body.html
 create mode 100644 posted_news/20240610-153018.4.19.7.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 984ad78..7ddf607 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -11,6 +11,7 @@

samba-4.20.1
samba-4.20.0
+   samba-4.19.7.
samba-4.19.6.
samba-4.19.5.
samba-4.19.4.
diff --git a/history/samba-4.19.7.html b/history/samba-4.19.7.html
new file mode 100644
index 000..d7d013c
--- /dev/null
+++ b/history/samba-4.19.7.html
@@ -0,0 +1,62 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.19.7 - Release Notes
+
+
+Samba 4.19.7 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.gz;>Samba 
4.19.7 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.gz;>Patch
 (gzipped) against Samba 4.19.6
+https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.19.7
+   June 10, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.6
+
+
+o  Douglas Bagnall douglas.bagn...@catalyst.net.nz
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function (ldb 2.8.1 is already released).
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
+ released).
+
+o  Andrew Bartlett abart...@samba.org
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+
+o  Stefan Metzmacher me...@samba.org
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15642: winbindd, net ads join and other things dont work on an 
ipv6
+ only host.
+
+o  Anna Popova popova.anna...@gmail.com
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15611: http library doesnt support  chunked transfer 
encoding.
+
+
+
+
+
+
diff --git a/posted_news/20240610-153018.4.19.7.body.html 
b/posted_news/20240610-153018.4.19.7.body.html
new file mode 100644
index 000..8b91043
--- /dev/null
+++ b/posted_news/20240610-153018.4.19.7.body.html
@@ -0,0 +1,13 @@
+
+10 June 2024
+Samba 4.19.7 Available for Download
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.gz;>downloaded
 now.
+A https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.gz;>patch
 against Samba 4.19.6 is also available.
+See https://www.samba.org/samba/history/samba-4.19.7.html;>the 
release notes for more info.
+
+
diff --git a/posted_news/20240610-153018.4.19.7.headline.html 
b/posted_news/20240610-153018.4.19.7.headline.html
new file mode 100644
index 000..e1b9b9e
--- /dev/null
+++ b/posted_news/20240610-153018.4.19.7.headline.html
@@ -0,0 +1,3 @@
+
+ 10 June 2024 Samba 4.19.7 Available for 
Download
+


-- 
Samba Website Repository

[SCM] Samba Shared Repository - annotated tag samba-4.19.7 created

2024-06-10 Thread Jule Anger 
The annotated tag, samba-4.19.7 has been created
at  92be2654d0c65af6c71d2da5b32c443812092b0d (tag)
   tagging  bce5c475d12fb75619bc85d176bfd40420b4fce8 (commit)
  replaces  ldb-2.8.1
 tagged by  Jule Anger
on  Mon Jun 10 17:29:04 2024 +0200

- Log -
samba: tag release samba-4.19.7
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmZnG8EACgkQqplEL7aA
tiAAVBAAlTEpL4A0BBsRJr9zVBHyT038hOpVXY3no5tbUZIj4Wwm0jixjg3MzI5O
hrKxAVXrn/FuRKmCLorewRHP9O9/GQWeSEwsMe/X5A4VA+q1ip91eiEaqYIJ3wxK
DZGq9ODRqR0dpvEhnWmKPu1eRtBwPh61ZA/5lX9VQG0PLKdGuVb18nyw9d0kphyI
fsmCqFafKM05BezoIMxcwStUbwGj4Qy1cXlKOHcL6QmieDR8hUeIDatr9K99JjXS
IAD8yOjqd718Kwn5SJsej1wIWEEVB1bBEgev43tkd5jp32soJ98ki18shd4jHgtS
/BhDKQaitvHqpfFO7j2UZHBadgasJxvSHyTZLatG90y1zN4JMmho4KXKbZ7vHnVy
QHYZyXaCoZ2ue+lathz2QHwoZXG7ASJP0fbA/zXHe1xmcDqpc8kZ9MZIugBLrhuF
BSED4+8CMX3aOM8vkVJMOmP+OmQznGTFBj+sGB+UdQ4KMdeSYWY62bYa3gARZ+Fm
9yrSkMnxFDCyNEtgFIRXskLVebLcdwlPNcdmj0BT1BX8aKcFkbcjSqlq89L4191u
lmObq4XB3EBzo5v4gyreyjjQz21eti+pa300XppaSjo3SPJ0xGViprXuw+CQpGrE
jSitgiUoP7ns56XXOj+quQbG6KV650ND2N3V79AjGaoj41lP8QU=
=xh3A
-END PGP SIGNATURE-

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.19.7.
  VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

---


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-06-10 Thread Jule Anger 
The branch, v4-19-test has been updated
   via  6875787d129 VERSION: Bump version up to Samba 4.19.8...
   via  bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.
   via  e71f7441c9e WHATSNEW: Add release notes for Samba 4.19.7.
   via  6ca4df63741 BUG 15569 ldb: Release LDB 2.8.1
  from  d4f9272b7e9 s3:smbcacls: fix ace_compare

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit 6875787d1294fc2cb0f6f0dce58b209c659ae871
Author: Jule Anger 
Date:   Mon Jun 10 17:26:01 2024 +0200

VERSION: Bump version up to Samba 4.19.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit bce5c475d12fb75619bc85d176bfd40420b4fce8
Author: Jule Anger 
Date:   Mon Jun 10 17:25:44 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

Signed-off-by: Jule Anger 

commit e71f7441c9e2cf2ff895e1106506dec4632508b0
Author: Jule Anger 
Date:   Mon Jun 10 17:25:02 2024 +0200

WHATSNEW: Add release notes for Samba 4.19.7.

Signed-off-by: Jule Anger 

commit 6ca4df6374136d1d205de689618dc8fce5177d14
Author: Jule Anger 
Date:   Mon Jun 10 16:56:59 2024 +0200

BUG 15569 ldb: Release LDB 2.8.1

* BUG 15569: Many qsort() comparison functions are non-transitive, which
  can lead to out-of-bounds access in some circumstances.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION|  2 +-
 WHATSNEW.txt   | 66 +-
 lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.8.1.sigs} |  0
 lib/ldb/wscript|  2 +-
 4 files changed, 66 insertions(+), 4 deletions(-)
 copy lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.8.1.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 939e114840c..e0f2394cfa6 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2023"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index be2edfb6ac4..fa27ad5083b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,66 @@
+   ==
+   Release Notes for Samba 4.19.7
+   June 10, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.6
+
+
+o  Douglas Bagnall 
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function (ldb 2.8.1 is already released).
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
+ released).
+
+o  Andrew Bartlett 
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+
+o  Stefan Metzmacher 
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
+ only host.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support  'chunked transfer encoding'.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.19.6
April 08, 2024
@@ -52,8 +115,7 @@

[SCM] Samba Shared Repository - annotated tag ldb-2.8.1 created

2024-06-10 Thread Jule Anger 
The annotated tag, ldb-2.8.1 has been created
at  994b7debdcd5fdb4d9617f84c6fa4456cfdcf51c (tag)
   tagging  6ca4df6374136d1d205de689618dc8fce5177d14 (commit)
  replaces  samba-4.19.6
 tagged by  Jule Anger
on  Mon Jun 10 17:20:50 2024 +0200

- Log -
ldb: tag release ldb-2.8.1
-BEGIN PGP SIGNATURE-

iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmZnGdIACgkQR5ORYRMI
QCVIMQf/axqBK6HeRTyfvdLQg2vCehM7P+tNypDWB5QHr+kQrIgyGUCsdQ8rS27A
RexD5/HLT2VIvoP1ftE1y5jOvQR4tjV0S8fZki8bpYxgOUBqdBwtaM2MPPau3WVv
Lrw8uKBbt5Le/d3p/ORqyai+ZgGLq94Zg4knKE+wsZ2hipdGviiz9QPrrADhJLac
DZQhU5S+24asjZZLOKzitnPKVTGMPJsBF5BwifuX1rO7yOY3RYABXLJ/um6cesaZ
pFsFtZPr/Ksxc8934dJWcMM3sK2Te4NFjUbAIGmzqDaX3bR7SofO59xEB+3M7NSJ
MClJlSGFd05hozCdZRUSjuf6pwHUeA==
=fiNG
-END PGP SIGNATURE-

Andrew Bartlett (1):
  .gitlab-ci: Remove tags no longer provided by gitlab.com

Anna Popova (1):
  s3:utils: Fix Inherit-Only flag being automatically propagated to children

Douglas Bagnall (65):
  ldb: avoid out of bounds read and write in ldb_qsort()
  lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
  util:tsort.h: add a macro for safely comparing numbers
  ldb: add NUMERIC_CMP macro to ldb.h
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
  s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
  s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
  s4: use numeric_cmp in dns_common_sort_zones()
  util:binsearch: user NUMERIC_CMP()
  torture:charset: use < and > assertions for strcasecmp_m
  torture:charset: use < and > assertions for strncasecmp_m
  torture:charset: test more of strcasecmp_m
  util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
  util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
  util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
  util:charset:codepoints: codepoint_cmpi warning about non-transitivity
  s3:libsmb:namequery: note intransitivity in addr_compare()
  s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
  lib/torture: add assert_int_{less,greater} macros
  util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
  ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
  ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
  util:datablob: avoid non-transitive comparison in data_blob_cmp()
  ldb: avoid non-transitive comparison in ldb_val_cmp()
  ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
  s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
  s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
  s4:dns_server: use NUMERIC_CMP in rec_cmp()
  s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
  s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
  s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
  s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
  s3:smbcacls: use NUMERIC_CMP in ace_compare
  s3:util:sharesec ace_compare() uses NUMERIC_CMP()
  s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
  ldb:mod:sort: rearrange NULL checks
  ldb:sort: check that elements have values
  ldb:sort: generalise both-NULL check to equality check
  ldb:dn: make ldb_dn_compare() self-consistent
  s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
  s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
  s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
  dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
  s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
  gensec: sort_gensec uses NUMERIC_CMP
  lib/socket: rearrange iface_comp() to use NUMERIC_CMP
  s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
  s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
  s4:rpcsrv:samr: improve a comment in compare_msgRid
  ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
  ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
  ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
  ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted 
objects
  ldb-samba:ldif_handlers: dn_link_comparison leaks less
  ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
  ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
  ldb: avoid NULL deref in ldb_db_compare
  s4:dsdb:mod: repl_md: make message_sort transitive
  s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
  ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
  ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-10 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  50d4451bd4b s3:smbcacls: fix ace_compare
   via  e21251926ba ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  3f9d9f83448 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  d12f3cced61 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  7ae866c6ffa s4:dsdb:mod: repl_md: make message_sort transitive
   via  21a01b3bad4 ldb: avoid NULL deref in ldb_db_compare
   via  7d295cb6fe5 ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  3d62269dfbf ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  586c0f3dd00 ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  d819b21464c ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  ae770139f25 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  956bff1dc63 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  da5c625e641 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  dcf393af595 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  8f0490150b4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  d2aaed5d969 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  de865f6c8b7 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  1d527c49df5 gensec: sort_gensec uses NUMERIC_CMP
   via  2f6c5b6603f s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  835594dea0e dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  29b17d296c0 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  6893310bd79 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  94f38553adf s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  f61aabdb1a3 ldb:dn: make ldb_dn_compare() self-consistent
   via  f3b6ec046a0 ldb:sort: generalise both-NULL check to equality check
   via  a0a83539c30 ldb:sort: check that elements have values
   via  5f52991b931 ldb:mod:sort: rearrange NULL checks
   via  faed55f4f88 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  4d6f0ad643c s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  e3f491e3193 s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  48494283a66 s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  27becb5a7fc s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  20648aaf7fe s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  7acee3ae13a s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  a326992c07d s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  c6ed9351f81 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  39505028672 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  886818f5abb libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  bd548a92d42 libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  c95b73014d3 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  e0468b5a9ed ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  7990f5a2841 util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  f7e192e82f7 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  4fa00be3083 ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  1c6f16cdca9 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  6a0daf6818b lib/torture: add assert_int_{less,greater} macros
   via  ccd94628b58 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  f9a7ded26d1 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  77b78b45330 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  64d55301410 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  10c0087dac8 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  eb8fd60e10c util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  d18a62836c0 torture:charset: test more of strcasecmp_m
   via  94b574cde12 torture:charset: use < and > assertions for 
strncasecmp_m
   via  767344ee512 torture:charset: use < and > assertions for strcasecmp_m
   via  be4965c69c8 util:binsearch: user NUMERIC_CMP()
   via  51fa8c0168e s4: use numeric_cmp in dns_common_sort_zones()
   via  f94b87da1be s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  3071a4af9a5 s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  696cca23e3e ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  1b8ccbf031b ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  9e19cc17117 ldb: add NUMERIC_CMP macro to ldb.h
   via  b46af17050b util:tsort.h: add

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-06-10 Thread Jule Anger 
The branch, v4-19-test has been updated
   via  d4f9272b7e9 s3:smbcacls: fix ace_compare
   via  123f458dda6 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  0382d17 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  ae8eb3d2b09 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  2a53574e07e s4:dsdb:mod: repl_md: make message_sort transitive
   via  92daa0a7801 ldb: avoid NULL deref in ldb_db_compare
   via  ca905ccbf1e ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  50bfb065e01 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  5c5c652db7c ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  96f3db39522 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  2b3416384ae ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  fae4e0b16aa ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  108f687cf22 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  5bf176b5692 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  24d362e62d4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  9314eaaba91 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  f0f9598d5d1 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  c1819217c0a gensec: sort_gensec uses NUMERIC_CMP
   via  4066451f6e8 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  16288b40eb9 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  069e651d4b8 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  f58d857d722 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  13645e1131b s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  aa255148bbb ldb:dn: make ldb_dn_compare() self-consistent
   via  867dce05d21 ldb:sort: generalise both-NULL check to equality check
   via  87a6fe0058a ldb:sort: check that elements have values
   via  71d2c9093cf ldb:mod:sort: rearrange NULL checks
   via  d4477eab44a s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  075aae1d1a0 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  32f4e0c7f5a s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  26e08f8fc7d s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  30f0a2fb131 s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  91dd5024010 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  0f8e25b897f s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  f14a1370f48 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  622bf82fb32 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  6b07ce82a58 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  b7f581fb61f libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  60c318fc66b libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  23d792875f9 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  b2dbe57c977 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  fe804401b9b util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  ad50158af05 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  9de4a5d3bbc ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  c85cb252af0 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  5847e53de2f lib/torture: add assert_int_{less,greater} macros
   via  12c6c305fb1 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  74befdb1387 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  2557ab23014 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  120479e4e02 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  388b11b6dc1 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  59f6652aeee util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  3f8063530d2 torture:charset: test more of strcasecmp_m
   via  6b08f2ed860 torture:charset: use < and > assertions for 
strncasecmp_m
   via  5082378df18 torture:charset: use < and > assertions for strcasecmp_m
   via  1a45f172070 util:binsearch: user NUMERIC_CMP()
   via  ea27699bcd2 s4: use numeric_cmp in dns_common_sort_zones()
   via  792f8d40e1c s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  25e97cd7dba s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  6c9119371cd ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  8a706fa32be ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  20a8eaa8b86 ldb: add NUMERIC_CMP macro to ldb.h
   via  d386c57d68b util:tsort.h: add

[SCM] Samba Shared Repository - branch master updated

2024-06-10 Thread Ralph Böhme 
The branch, master has been updated
   via  225e6aeafc7 s4/torture: Remove already existing test_dir
   via  3b230769b02 s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
  from  469b22b849a python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 225e6aeafc78d0508881915b8406273c15966e63
Author: Anoop C S 
Date:   Wed May 29 18:52:10 2024 +0530

s4/torture: Remove already existing test_dir

In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224

commit 3b230769b02e7c9ecbe7eac05e0344b233b3ae39
Author: Anoop C S 
Date:   Wed May 29 18:41:32 2024 +0530

s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL

In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 source4/torture/smb2/delete-on-close.c | 32 +---
 1 file changed, 9 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/torture/smb2/delete-on-close.c 
b/source4/torture/smb2/delete-on-close.c
index 05242876dcb..33561516fa0 100644
--- a/source4/torture/smb2/delete-on-close.c
+++ b/source4/torture/smb2/delete-on-close.c
@@ -518,45 +518,28 @@ static bool test_doc_create_if_exist(struct 
torture_context *tctx, struct smb2_t
 
 static bool test_doc_find_and_set_doc(struct torture_context *tctx, struct 
smb2_tree *tree)
 {
-   struct smb2_create io;
+   struct smb2_handle dir_handle;
struct smb2_find find;
NTSTATUS status;
union smb_search_data *d;
union smb_setfileinfo sfinfo;
unsigned int count;
-   uint32_t perms = 0;
-
-   perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE |
-   SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE |
-   SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA |
-   SEC_FILE_WRITE_DATA | SEC_DIR_LIST;
 
/* File should not exist for this first test, so make sure */
set_dir_delete_perms(tctx, tree);
 
smb2_deltree(tree, DNAME);
 
-   create_dir(tctx, tree);
-
torture_comment(tctx, "FIND and delete directory\n");
torture_comment(tctx, "We expect NT_STATUS_OK\n");
 
-   /* open the directory first */
-   ZERO_STRUCT(io);
-   io.in.desired_access = perms;
-   io.in.file_attributes= FILE_ATTRIBUTE_DIRECTORY;
-   io.in.create_disposition = NTCREATEX_DISP_OPEN_IF;
-   io.in.share_access   = NTCREATEX_SHARE_ACCESS_READ |
-  NTCREATEX_SHARE_ACCESS_DELETE;
-   io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
-   io.in.fname  = DNAME;
-
-   status = smb2_create(tree, tctx, );
+   /* create and open the directory first*/
+   status = torture_smb2_testdir(tree, DNAME, _handle);
CHECK_STATUS(status, NT_STATUS_OK);
 
/* list directory */
ZERO_STRUCT(find);
-   find.in.file.handle= io.out.file.handle;
+   find.in.file.handle= dir_handle;
find.in.pattern= "*";
find.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE;
find.in.max_response_size  = 0x100;
@@ -570,12 +553,12 @@ static bool test_doc_find_and_set_doc(struct 
torture_context *tctx, struct smb2_
ZERO_STRUCT(sfinfo);
sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION;
sfinfo.disposition_info.in.delete_on_close = 1;
-   sfinfo.generic.in.file.handle = io.out.file.handle;
+   sfinfo.generic.in.file.handle = dir_handle;
status = smb2_setinfo_file(tree, );
CHECK_STATUS(status, NT_STATUS_OK);

[SCM] Socket Wrapper Repository - branch master updated

2024-06-10 Thread Andreas Schneider 
The branch, master has been updated
   via  7af4f26 tests: Fix fake uid_wrapper_syscall_valid().
  from  c666ba4 tests: Define PATH_MAX for Hurd.

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit 7af4f26d9d6ec1d6c4c2ec08d0c52d42d47de881
Author: Simon Josefsson 
Date:   Sat Aug 19 09:34:14 2023 +0200

tests: Fix fake uid_wrapper_syscall_valid().

We want to return errno = ENOSYS in uid_wrapper_syscall_va(). However if we
do not handle __FAKE_SOCKET_WRAPPER_SYSCALL_NO+1 then we will call
libc_syscall() for __FAKE_SOCKET_WRAPPER_SYSCALL_NO+1.

Same problem as resolved for uid_wrapper, see:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15445
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15448

Signed-off-by: Simon Josefsson 
Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 tests/swrap_fake_uid_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/tests/swrap_fake_uid_wrapper.c b/tests/swrap_fake_uid_wrapper.c
index 286d7ad..fc9cf46 100644
--- a/tests/swrap_fake_uid_wrapper.c
+++ b/tests/swrap_fake_uid_wrapper.c
@@ -23,7 +23,7 @@
 /* simulate uid_wrapper hooks */
 bool uid_wrapper_syscall_valid(long int sysno)
 {
-   if (sysno == __FAKE_UID_WRAPPER_SYSCALL_NO) {
+   if (sysno >= __FAKE_UID_WRAPPER_SYSCALL_NO) {
return true;
}
 


-- 
Socket Wrapper Repository

[SCM] Socket Wrapper Repository - branch master updated

2024-06-10 Thread Andreas Schneider 
The branch, master has been updated
   via  c666ba4 tests: Define PATH_MAX for Hurd.
  from  d07136e Bump version to 1.4.2

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit c666ba444b46d84c0c49f2c70c9b2c3cb1f6f974
Author: Simon Josefsson 
Date:   Sat Aug 19 11:25:56 2023 +0200

tests: Define PATH_MAX for Hurd.

Signed-off-by: Simon Josefsson 
Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 tests/test_fcntl_lock.c | 4 
 tests/test_ioctl.c  | 4 
 2 files changed, 8 insertions(+)


Changeset truncated at 500 lines:

diff --git a/tests/test_fcntl_lock.c b/tests/test_fcntl_lock.c
index 0c172d6..5646f43 100644
--- a/tests/test_fcntl_lock.c
+++ b/tests/test_fcntl_lock.c
@@ -9,6 +9,10 @@
 #include 
 #include 
 
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
 static int setup(void **state)
 {
char test_tmpdir[256];
diff --git a/tests/test_ioctl.c b/tests/test_ioctl.c
index aebff91..25bec38 100644
--- a/tests/test_ioctl.c
+++ b/tests/test_ioctl.c
@@ -14,6 +14,10 @@
 #include 
 #include 
 
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
 static int setup(void **state)
 {
char test_tmpdir[256];


-- 
Socket Wrapper Repository

[SCM] Samba Shared Repository - branch master updated

2024-06-09 Thread Andrew Bartlett 
The branch, master has been updated
   via  469b22b849a python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
   via  15686fec981 python/samba/tests/krb5: Expand test without 
UF_SMARTCARD_REQUIRED to show rotation is not done
   via  f3528808aba WHATSNEW: Mention 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
   via  2854ef29b82 provision: Match Windows 2022 and set 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default
   via  dee3c7be584 selftest: Add test that 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
   via  491b79d445d kdc: Rotate smart-card only underlying password in 2nd 
half of lifetime
   via  8afe27058b0 kdc: Track the pwdLastSet of expired 
UF_SMARTCARD_REQUIRED accounts
   via  1e1c80656f7 kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED 
accounts and rotate passwords
   via  d03b3faeb8e s4-auth: Use consistant externally-supplied time in 
auth stack
   via  1dcd8be8f06 kdc: Use a consistent, stable time throughout the 
Heimdal KDC
   via  fe61009002d kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
   via  e178f6b0e96 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
   via  9ba5ebf4af7 kdc: Remove confusing duplicate open of sam.ldb to find 
RODC status
   via  09ae48b415b dsdb: Prepare to handle smartcard password rollover
   via  1bcc9f00157 dsdb: Use dsdb_gmsa_current_time() in 
construct_msds_user_account_control_computed
   via  cc3ea4ed571 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, 
if configured!
   via  3669479f22f dsdb: Reduce minimum maxPwdAge from 1 day to nil
   via  302619f66f9 dsdb: Change the magic smartcard_reset to set AES keys 
like the krbtgt mode
   via  7c79abbab46 python/samba/tests/krb5: PKINIT tests of passwords that 
are naturally expired
   via  044cc538605 python/test/krb5: Use assertAlmostEqual in 
check_ticket_times()
   via  68fa90754fd python/tests/krb5: Move check_ticket_times() to 
kdc_base_test.py
   via  48bff4b95f8 python/samba/krb5: Add test for password rotation on 
UF_SMARCARD_REQUIRED accounts
   via  a85f4c661b1 python/tests/krb5: Remove unused utf16pw variable
   via  504a47ecfd6 python/tests/krb5: Expect AES keys for 
UF_SMARTCARD_REQUIRED
   via  dc6c4b215e2 python/samba/tests/krb5: Extend PKINIT tests to show 
kpasswd still works
   via  4ec24a20764 python/samba/tests/krb5: Move get_kpasswd_sname() into 
raw_testcase() to allow broader use
   via  b664392208c s4-auth: Use msDS-User-Account-Control-Computed for PW 
expiry check
   via  737f2414062 s4-auth: Update comment to mention 60mins in the NTLM 
grace period
   via  e04eb9bb170 dsdb: Make argument order of 
dsdb_update_gmsa_{entry_,}keys() consistant with other uses
  from  a9b3522f53a smbd: Ensure we grant owner sid in 
check_parent_access_fsp()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 469b22b849aa6a76739dc21d8a2d80907cdf8d73
Author: Andrew Bartlett 
Date:   Tue Jun 4 13:26:18 2024 +1200

python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

This flexiblity in the tests avoids requiring Samba/Heimdal to omit an 
NTSTATUS error
return and just be consistent between the different authentication paths.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224

commit 15686fec9819267f69a600cff859e52f77a64cef
Author: Andrew Bartlett 
Date:   Tue Jun 4 11:36:53 2024 +1200

python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show 
rotation is not done

This makes sense as otherwise the user would suddenly not know their 
password
for use when they do not use their smartcard.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit f3528808aba9419c0895bdb709e1b0dc0bdced1e
Author: Andrew Bartlett 
Date:   Mon May 27 11:51:59 2024 +1200

WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 2854ef29b82d89fb5b5c9d8414227988783120b9
Author: Andrew Bartlett 
Date:   Mon May 27 11:30:29 2024 +1200

provision: Match Windows 2022 and set 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default

We do this by telling the Domain Functional Level upgrade code that
this is a new install.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit dee3c7be5846ae7c0952b1ace94dee23241dc794
Author: Andrew Bartlett 
Date:   Mon May 27 11:53:15 2024 +1200

selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is 
set

This assures us that the new provision sets the value by default.

[SCM] Samba Shared Repository - branch master updated

2024-06-07 Thread Jeremy Allison 
The branch, master has been updated
   via  a9b3522f53a smbd: Ensure we grant owner sid in 
check_parent_access_fsp()
  from  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a9b3522f53aa2e6151cf83f1eeb65e3adea2b1d0
Author: MikeLiu 
Date:   Fri May 31 15:31:46 2024 +0800

smbd: Ensure we grant owner sid in check_parent_access_fsp()

Grant owner sid to check for owner rights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15648

Signed-off-by: MikeLiu 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Fri Jun  7 18:30:34 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/smbd/open.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index f714b75d472..7d2227f9d9f 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -355,7 +355,7 @@ NTSTATUS check_parent_access_fsp(struct files_struct *fsp,
}
 
status = SMB_VFS_FGET_NT_ACL(fsp,
-   SECINFO_DACL,
+   (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL),
frame,
_sd);
 


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-06-06 Thread Andrew Bartlett 
The branch, master has been updated
   via  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions
   via  b9d93eccbc0 s3:util: Use a talloc stackframe in 
rpc_trustdom_establish()
   via  e844f483bd8 s3:utils: Use a destructor in rpc_trustdom_establish()
   via  77a4ff5435b s3:utils: Remove overwrite of opt_workgroup in  
rpc_trustdom_establish()
   via  78f03c386c1 python: Add test for checking the SHA256SUM
   via  f5de1f8585e python:netcmd: Create a SHA256SUM file with checksums
   via  e584350a550 python:netcmd: Only put regular files into the tarball
   via  9fb57dab377 s3:utils: DNS_UTIL depends on libads headers so we need 
to depend on 'ads'
   via  1185410a0d7 s3:libsmb: we no longer need libads/kerberos_proto.h in 
namequery.c
  from  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5d73bb4acd7cf062b9fd1a9ea6721e41a5e721fb
Author: Andreas Schneider 
Date:   Thu Jun 6 17:37:32 2024 +0200

s3:utils: Use talloc instead of malloc functions

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun  6 21:32:53 UTC 2024 on atb-devel-224

commit b9d93eccbc03f135ea14a8bd3a4f5b16ed0bbdc6
Author: Andreas Schneider 
Date:   Tue Apr 30 09:55:15 2024 +0200

s3:util: Use a talloc stackframe in rpc_trustdom_establish()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit e844f483bd825741d3532d3304c822ab02cf96b5
Author: Andreas Schneider 
Date:   Thu Jun 6 17:31:10 2024 +0200

s3:utils: Use a destructor in rpc_trustdom_establish()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 77a4ff5435be5b80e96d7f85e71aac1949c5cff9
Author: Andreas Schneider 
Date:   Tue Apr 30 09:46:33 2024 +0200

s3:utils: Remove overwrite of opt_workgroup in  rpc_trustdom_establish()

This is not used anywhere in that functions or the functions we are
calling. It was replaced by command line cli credentials stored in
c->creds. This fixes a memory leak.

Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x7f17fdaf5830 in strdup 
../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
#2 0x55f079bf0723 in rpc_trustdom_establish 
../../source3/utils/net_rpc.c:6591
#3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
#5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
#7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
#9 0x7f17f8a2a1ef in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 78f03c386c14b9e773763a8c41fdc1689a4f284d
Author: Andreas Schneider 
Date:   Thu Jun 6 10:12:08 2024 +0200

python: Add test for checking the SHA256SUM

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit f5de1f8585e1d4eda9530eee87046277a2c793e7
Author: Andreas Schneider 
Date:   Wed Feb 15 08:10:03 2023 +0100

python:netcmd: Create a SHA256SUM file with checksums

This allows to verify the backup tarball contents with:

  sha256sum -c SHA256SUM

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit e584350a550f7ec2008721ecafb254af92ed7525
Author: Andreas Schneider 
Date:   Wed Feb 15 08:05:42 2023 +0100

python:netcmd: Only put regular files into the tarball

We also have ldapi, other sockets or pipes around, we don't want to
add. This will be relevant for adding checksums later.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9fb57dab377e53c9bd8450dda51a164bc712dca3
Author: Stefan Metzmacher 
Date:   Thu Jun 6 10:39:33 2024 +0200

s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'

Otherwise we don't get the correct header include paths and krb5.h in
a non default location won't be found.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 1185410a0d717e22b359e11a538a08c0352e8703
Author: Stefan Metzmacher 
Date:   Thu Jun 6 10:38:48 2024 +0200

s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/domain/backup.py | 27

[SCM] Samba Shared Repository - branch master updated

2024-06-05 Thread Andrew Bartlett 
The branch, master has been updated
   via  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored
   via  76fec2668e7 s4:dns_server: correctly sign dns update responses with 
gss-tsig like Windows
   via  db350bc573b s4:dns_server: dns_verify_tsig should return REFUSED on 
error
   via  5906ed94f2c s4:dns_server: also search DNS_QTYPE_TKEY in the 
answers section if it's the last section
   via  ae7538af044 s4:dns_server: use tkey->algorithm if available in 
dns_sign_tsig()
   via  bd0235cd515 s4:dns_server: use the client provided algorithm for 
the fake TSIG structure
   via  3467d149149 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TSIG
   via  fa0f23e69ea s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TKEY
   via  a56627b0d12 s4:dns_server: failed dns updates should result in 
REFUSED for ACCESS_DENIED
   via  708a6fae697 python:tests/dns_tkey: add 
test_update_tsig_record_access_denied()
   via  753428a3b6c s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to 
samba.tests.dns_tkey
   via  88457da00d4 python:tests/dns_base: add get_unpriv_creds() helper
   via  848318338b2 python:tests/dns_tkey: let test_update_tsig_windows() 
actually pass against windows 2022
   via  8324d0739df python:tests/dns_base: let verify_packet() work against 
Windows
   via  de4ed363d37 python:tests/dns_tkey: test bad and changing tsig 
algorithms
   via  b9b03ca503c python:tests/dns_tkey: add gss.microsoft.com tsig 
updates
   via  3c7cb85eaf8 python:tests/dns_tkey: let us have 
test_update_gss_tsig_tkey_req_{additional,answers}()
   via  740bda87a80 python:tests/dns_tkey: test TKEY with gss-tsig, 
gss.microsoft.com and invalid algorithms
   via  b0af60e7850 python:tests/dns_base: maintain a dict with tkey 
related state
   via  1b1e7e06cf6 python:tests/dns_base: let dns_transaction_udp() take 
allow_{remaining,truncated}=True
   via  27d92fa808c python:tests/dns_base: pass tkey_trans(expected_rcode)
   via  cd747307d84 python:tests/dns_base: let tkey_trans() take 
tkey_req_in_answers
   via  f8dfa9b33bd python:tests/dns_base: let tkey_trans() and 
sign_packet() take algorithm_name as argument
   via  6e997f93d53 python:tests/dns_tkey: make use of 
self.assert_echoed_dns_error()
   via  ce591464cb1 python:tests/dns_base: add 
self.assert_echoed_dns_error()
   via  c741d0f3969 python:tests/dns_base: let dns_transaction_tcp() handle 
short receives
   via  c594cbad4af python:tests/dns_base: use ndr_deepcopy() and 
ndr_pack() in verify_packet()
   via  ae23d512a72 python:tests/dns_base: generate a real signature in 
bad_sign_packet()
   via  319836ce9e6 lib/addns: remove unused kerberos/gssapi includes in 
dns.h
  from  096d3807b05 build: Make "samba4" public libraries provided (mostly) 
for OpenChange private

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ed61c57e02309b738e73fb12877a0a565b627724
Author: Stefan Metzmacher 
Date:   Thu May 30 14:52:22 2024 +0200

s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

commit 76fec2668e73b9d15447abee551d5c04148aaf27
Author: Stefan Metzmacher 
Date:   Thu May 30 14:39:28 2024 +0200

s4:dns_server: correctly sign dns update responses with gss-tsig like 
Windows

This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit db350bc573b378fb0615bdd8592cc9c62f6db146
Author: Stefan Metzmacher 
Date:   Thu May 30 14:42:53 2024 +0200

s4:dns_server: dns_verify_tsig should return REFUSED on error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7
Author: Stefan Metzmacher 
Date:   Thu May 30 14:41:21 2024 +0200

s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's 
the last section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2024-06-05 Thread Andrew Bartlett 
The branch, master has been updated
   via  096d3807b05 build: Make "samba4" public libraries provided (mostly) 
for OpenChange private
   via  d11b281aefa build: Remove incorrect pyembed=True from samba-policy
   via  829b52f99d5 s4-libnet: Split up samba-net into samba-net and 
samba-net-join
  from  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix 
flapping test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 096d3807b0588ed4d03bd99bc96163a4821ec010
Author: Andrew Bartlett 
Date:   Mon May 27 09:24:13 2024 +1200

build: Make "samba4" public libraries provided (mostly) for OpenChange 
private

These libraries, mostly with ABI versions of 0.0.1 were made public in
the early development of Samba4 and have not been seriously considered
since.  Most are to allow OpenChange to build.

While the OpenChange server is no longer actively used, the MAPI
client is used and we need to allow packages to be built that will
allow the Evolution MAPI client to still work.

Some appear to be mistakes (dcerpc-samr), historical abberations
(tevent-util) or ideas that did not go very far (the samba-policy
library for example).

To allow any remaining users to access them, they are not made private
in the build system but are instead listed so that they can be made
public again via ./configure with the same --private-libraries='!LIB'
syntax introduced to make ldb private by default.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun  5 21:47:24 UTC 2024 on atb-devel-224

commit d11b281aefa98e6850053ccd6142253c6cf0d04f
Author: Andrew Bartlett 
Date:   Mon May 27 07:28:33 2024 +1200

build: Remove incorrect pyembed=True from samba-policy

This is a normal C library, used by python but does not use
any python itself (nor by dependencies any longer).

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

commit 829b52f99d5a9c9df19c9eb67611618095967edd
Author: Andrew Bartlett 
Date:   Mon May 27 19:44:38 2024 +1200

s4-libnet: Split up samba-net into samba-net and samba-net-join

samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

---

Summary of changes:
 WHATSNEW.txt | 21 +
 source4/lib/policy/wscript_build | 13 -
 source4/libnet/libnet_join.c |  1 +
 source4/libnet/libnet_vampire.c  |  1 +
 source4/libnet/py_net.c  |  1 +
 source4/libnet/wscript_build | 23 +++
 source4/torture/libnet/libnet_BecomeDC.c |  1 +
 source4/torture/rpc/testjoin.c   |  1 +
 source4/torture/wscript_build|  6 +++---
 wscript  | 20 +++-
 10 files changed, 67 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 67bdb963cca..6d1368c42b1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -69,6 +69,27 @@ never took into account later changes, and so has not worked 
for a
 number of years.  Samba 4.21 and LDB 2.10 removes this unused and
 broken feature.
 
+Some Samba public libraries made private by default
+---
+
+The following Samba C libraries are currently made public due to their
+use by OpenChange or for historical reasons that are no longer clear.
+
+ dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
+ samba-credentials, dcerpc_server, samdb
+
+The libraries used by the OpenChange client now private, but can be
+made public (like ldb above) with:
+
+ ./configure 
--private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
+
+The C libraries without any known user or used only for the OpenChange
+server (a dead project) may be made private entirely in a future Samba
+version.
+
+If you use a Samba library in this list, please be in touch with the
+samba-technical mailing list.
+
 Using ldaps from 'winbindd' and 'net ads'
 -
 
diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build
index 027d4bef0b6..f7d9b555f6a 100644
--- a/source4/lib/policy/wscript_build
+++ b/source4/lib/policy/wscript_build
@@ -3,20 +3,15 @@
 
 
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
-samba_policy = bld.pyembed_libname('samba-policy')
-samba_net = bld.pyembed_libname('samba-net')
-bld.SAMBA_LIBRARY(samba_policy,

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-05 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  65e781a30b2 s3:winbind: Fix idmap_ad creating an invalid local 
krb5.conf
   via  fb4c338f030 s3:libads: Do not fail if we don't get an IP passed down
   via  069729202c3 s3:libads: Allow get_kdc_ip_string() to lookup the KDCs 
IP
   via  1917b7f052d python: Fix NtVer check for site_dn_for_machine()
  from  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected 
handling

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 65e781a30b247ab1056405322a8c9cbfb4bae03a
Author: Andreas Schneider 
Date:   Tue May 28 13:54:24 2024 +0200

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jun  5 15:01:54 UTC 2024 on atb-devel-224

commit fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f
Author: Andreas Schneider 
Date:   Tue May 28 13:53:51 2024 +0200

s3:libads: Do not fail if we don't get an IP passed down

The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2)

commit 069729202c3b287642e36c777e2b0863f593bca4
Author: Andreas Schneider 
Date:   Tue May 28 13:51:53 2024 +0200

s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb)

commit 1917b7f052dc7cb69f544e1f1ef94b48dd4212fb
Author: Andreas Schneider 
Date:   Mon Apr 15 07:32:02 2024 +0200

python: Fix NtVer check for site_dn_for_machine()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

Signed-off-by: Andreas Schneider 
Reviewed-by: David Mulder 
(cherry picked from commit 7a5e7b821259890dd2978e6f113f4a3dad110ea4)

---

Summary of changes:
 python/samba/gp/gpclass.py  |  4 +---
 source3/libads/kerberos.c   | 32 
 source3/winbindd/idmap_ad.c | 11 +--
 3 files changed, 26 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 08be472e707..d86aacec138 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -805,9 +805,7 @@ def site_dn_for_machine(samdb, dc_hostname, lp, creds, 
hostname):
 
 samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response,
bytes(res.msgs[0]['Netlogon'][0]))
-if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX,
-   (nbt.NETLOGON_NT_VERSION_1
-| nbt.NETLOGON_NT_VERSION_5EX)]:
+if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX):
 raise RuntimeError('site_dn_for_machine: Invalid NtVer in '
+ 'netlogon_samlogon_response')
 
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index f76c5665205..6c6d23c29da 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
char *kdc_str = NULL;
char *canon_sockaddr = NULL;
 
-   SMB_ASSERT(pss != NULL);
-
-   canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
-   if (canon_sockaddr == NULL) {
-   goto out;
-   }
+   if (pss != NULL) {
+   canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+   if (canon_sockaddr == NULL) {
+   goto out;
+   }
 
-   kdc_str = talloc_asprintf(frame,
- "\t\tkdc = %s\n",
- canon_sockaddr);
-   if (kdc_str == NULL) {
-   goto out;
-   }
+   kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Andrew Bartlett 
The branch, master has been updated
   via  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix 
flapping test
   via  9c700f790ba tests/krb5: Reset local database time in a cleaner (and 
nearly equivalent) fashion
   via  5eac95652a8 s4:dsdb: Use talloc_get_type_abort()
   via  3256c6bfd6b tests/krb5: Make use of update_password() method
   via  38cfdb66231 ldb: Fix typo
   via  8989aa47b74 s3:winbind: Fix idmap_ad creating an invalid local 
krb5.conf
   via  9dcc52d2a57 s3:libads: Do not fail if we don't get an IP passed down
   via  28aa0b815ba s3:libads: Allow get_kdc_ip_string() to lookup the KDCs 
IP
  from  c005de07aee smbd: list reparse tag in QUERY_DIRECTORY

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a54dca4ea546c596740d1afab70b1cdd25e1721b
Author: Jo Sutton 
Date:   Tue May 28 16:59:30 2024 +1200

tests/krb5: Calculate correct gMSA password to fix flapping test

If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.

Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().

[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): 
samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File 
"/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py",
 line 1091, in test_retrieving_managed_password_triggers_keys_update
self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != 
b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun  4 20:52:09 UTC 2024 on atb-devel-224

commit 9c700f790baa5155465cb8e1bcdb4dcbbd28bbfd
Author: Jo Sutton 
Date:   Tue May 28 16:53:22 2024 +1200

tests/krb5: Reset local database time in a cleaner (and nearly equivalent) 
fashion

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5eac95652a89b4edb1e82f00c93267172aaeda42
Author: Jo Sutton 
Date:   Tue May 28 14:24:51 2024 +1200

s4:dsdb: Use talloc_get_type_abort()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 3256c6bfd6b48bf08a8724f5e5bd654b9c5379fb
Author: Jo Sutton 
Date:   Mon May 27 17:53:17 2024 +1200

tests/krb5: Make use of update_password() method

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 38cfdb662319085569cf4d96bcbceeb74ae1c5f9
Author: Jo Sutton 
Date:   Fri Apr 12 15:10:33 2024 +1200

ldb: Fix typo

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Author: Andreas Schneider 
Date:   Tue May 28 13:54:24 2024 +0200

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2
Author: Andreas Schneider 
Date:   Tue May 28 13:53:51 2024 +0200

s3:libads: Do not fail if we don't get an IP passed down

The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 28aa0b815baf4668e3df01d52597c40fd430e2fb
Author: Andreas Schneider 
Date:   Tue May 28 13:51:53 2024 +0200

s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/common/attrib_handlers.c |  2 +-
 python/samba/tests/krb5/gmsa_tests.py| 22 +--
 source3/libads/kerberos.c| 32 ++--
 source3/winbindd/idmap_ad.c

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Jeremy Allison 
The branch, master has been updated
   via  c005de07aee smbd: list reparse tag in QUERY_DIRECTORY
   via  1dba6d3cfc5 tests: Check that query_directory lists the reparse tag
  from  747a7fec01d s3:rpc_server: Check query level according to MS-NRPC

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c005de07aee30307c9d584130ec825bd7097961b
Author: Volker Lendecke 
Date:   Mon Jan 2 16:35:16 2023 +0100

smbd: list reparse tag in QUERY_DIRECTORY

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun  4 17:39:21 UTC 2024 on atb-devel-224

commit 1dba6d3cfc53931d3c8968e12e0d9cde272824be
Author: Volker Lendecke 
Date:   Mon Jan 2 16:01:28 2023 +0100

tests: Check that query_directory lists the reparse tag

With the source3/ based clilist.c, we can't test all infolevels where
this matters (see callers of get_dirent_ea_size()). But porting the
source4 based all-infolevel search code into source3/libsmb or doing
this one the reparse point test in the source4 infrastructure to me
seems like a lot of effort for moderate gain.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 python/samba/tests/reparsepoints.py | 20 
 source3/smbd/smb2_trans2.c  | 12 
 2 files changed, 28 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/reparsepoints.py 
b/python/samba/tests/reparsepoints.py
index 1f74c61bc64..bf96def422d 100644
--- a/python/samba/tests/reparsepoints.py
+++ b/python/samba/tests/reparsepoints.py
@@ -170,6 +170,26 @@ class ReparsePoints(samba.tests.libsmb.LibsmbTests):
 conn.delete_on_close(fd, 1)
 conn.close(fd)
 
+def test_query_dir_reparse(self):
+conn = self.connection()
+filename = 'reparse'
+self.clean_file(conn, filename)
+
+fd = conn.create(
+filename,
+DesiredAccess=sec.SEC_FILE_WRITE_ATTRIBUTE,
+CreateDisposition=libsmb.FILE_CREATE)
+b = reparse_symlink.symlink_put("y", "y", 0, 0)
+conn.fsctl(fd, libsmb.FSCTL_SET_REPARSE_POINT, b, 0)
+conn.close(fd)
+
+dirents = conn.list("", filename)
+self.assertEqual(
+dirents[0]["reparse_tag"],
+libsmb.IO_REPARSE_TAG_SYMLINK)
+
+self.clean_file(conn, filename)
+
 # Show that directories can carry reparse points
 
 def test_create_reparse_directory(self):
diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c
index 3c44a97d74c..65940295248 100644
--- a/source3/smbd/smb2_trans2.c
+++ b/source3/smbd/smb2_trans2.c
@@ -1064,11 +1064,15 @@ static bool smbd_dirptr_lanman2_match_fn(TALLOC_CTX 
*ctx,
 
 static uint32_t get_dirent_ea_size(uint32_t mode, files_struct *fsp)
 {
-   if (!(mode & FILE_ATTRIBUTE_REPARSE_POINT)) {
-   unsigned ea_size = estimate_ea_size(fsp);
-   return ea_size;
+   uint32_t ea_size = IO_REPARSE_TAG_DFS;
+
+   if (mode & FILE_ATTRIBUTE_REPARSE_POINT) {
+   (void)fsctl_get_reparse_tag(fsp, _size);
+   } else {
+   ea_size = estimate_ea_size(fsp);
}
-   return IO_REPARSE_TAG_DFS;
+
+   return ea_size;
 }
 
 static NTSTATUS smbd_marshall_dir_entry(TALLOC_CTX *ctx,


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Noel Power 
The branch, master has been updated
   via  747a7fec01d s3:rpc_server: Check query level according to MS-NRPC
   via  8adbdbe50f7 s3:rpc_server: Check function code according to MS-NRPC
   via  0418b9fa929 s3/rpc_server: Fix dereference of client pointer
   via  a27525e555c s4/torture: Test with level 4 with 
NETLOGON_CONTROL_SET_DBFLAG function
   via  1297c7ca65b s4/torture: Prepare to handle Level 4 check with 
unknown func code
  from  6b3135078e0 lib: Align an integer type

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 747a7fec01d39453093ed48b167fa1d5d80aead4
Author: Jo Sutton 
Date:   Tue May 28 15:12:36 2024 +1200

s3:rpc_server: Check query level according to MS-NRPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton 
Reviewed-by: Noel Power 

Autobuild-User(master): Noel Power 
Autobuild-Date(master): Tue Jun  4 09:39:42 UTC 2024 on atb-devel-224

commit 8adbdbe50f7ac69cb815794d1c3d214bbac7c848
Author: Jo Sutton 
Date:   Tue May 28 15:10:51 2024 +1200

s3:rpc_server: Check function code according to MS-NRPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton 
Reviewed-by: Noel Power 

commit 0418b9fa929736a404b9ff976ff034009b913089
Author: Noel Power 
Date:   Mon Sep 25 09:58:33 2023 +0100

s3/rpc_server: Fix dereference of client pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Jo Sutton 

commit a27525e555c2c88f3b3bbef17d6e803a3a231d2b
Author: Noel Power 
Date:   Sun Sep 24 01:03:37 2023 +0100

s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function

Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG

This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Douglas Bagnall 

commit 1297c7ca65ba485febee4eabe32a8e1c793b187c
Author: Noel Power 
Date:   Mon Sep 25 10:30:30 2023 +0100

s4/torture: Prepare to handle Level 4 check with unknown func code

A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).

Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
  s3 server returns WERR_NOT_SUPPORTED and
  s4 server returns WERR_INVALID_PARAMETER.

For level 3 both return WERR_NOT_SUPPORTED.

MS-NRPC doesn't seem to specifically indicate the required response in
this case.

this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 source3/rpc_server/netlogon/srv_netlog_nt.c | 30 +++--
 source4/torture/rpc/netlogon.c  |  8 ++--
 2 files changed, 26 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c 
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index fa3e597fa8e..ccae62083cc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -197,7 +197,6 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
struct netr_NETLOGON_INFO_1 *info1;
struct netr_NETLOGON_INFO_2 *info2;
struct netr_NETLOGON_INFO_3 *info3;
-   struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
NTSTATUS status;
struct netr_DsRGetDCNameInfo *dc_info;
@@ -264,10 +263,16 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
case NETLOGON_CONTROL_TRUNCATE_LOG:
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
case NETLOGON_CONTROL_FORCE_DNS_REG:
+   return WERR_NOT_SUPPORTED;
case NETLOGON_CONTROL_QUERY_DNS_REG:
+   if (r->in.level != 1) {
+   return WERR_INVALID_PARAMETER;
+   }
return WERR_NOT_SUPPORTED;
-
case NETLOGON_CONTROL_FIND_USER:
+   if (r->in.level != 4) {
+   return WERR_INVALID_PARAMETER;
+   }
if (!r->in.data || !r->in.data->user) {
return WERR_NOT_SUPPORTED;
}
@@ -278,6 +283,9 @@ WERROR

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Volker Lendecke 
The branch, master has been updated
   via  6b3135078e0 lib: Align an integer type
   via  5ae1605fc22 lib: Fix an error path memleak
   via  0321f31a8e1 lib: Use talloc_asprintf_addbufin 
_ber_read_OID_String_impl
   via  4313add2bf5 lib: Use unsigned long in ber_write_OID_String
   via  8f90ec12a56 lib: gensec.h references NTTIME, add time.h
   via  b317408591d wbclient: Fix a typo
   via  021dfe8f33b winbind: Modernize a few DEBUGs
   via  bc2b2350b94 smbd: Fix whitespace
   via  b29e408e140 libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"
   via  5c736ffe354 gensec: Simplify gensec_security_by_fn()
   via  82c477b9807 gensec: Filter out disabled mechs in 
gensec_security_mechs()
   via  426c0847670 gensec: Refactor gensec_security_mechs()
   via  b28de27f6b8 gensec: Simplify gensec_security_by_*
   via  9445d8e06e8 torture: Remove some pointless local variables
   via  df30ec83c96 lib: Use cli_credentials_add_gensec_features in a few 
places
   via  b436f5fec11 creds: Add cli_credentials_add_gensec_features
   via  dc31a49830d libsmb: Slightly simplify cli_session_creds_init
  from  4cade04d1f1 vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for 
precise btime

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6b3135078e0f6c67566f4312998bc4032e387e19
Author: Volker Lendecke 
Date:   Thu May 23 16:13:58 2024 +0200

lib: Align an integer type

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Tue Jun  4 08:16:58 UTC 2024 on atb-devel-224

commit 5ae1605fc22acf672f46ba08f6b2ef4f675e92b8
Author: Volker Lendecke 
Date:   Thu May 23 16:12:53 2024 +0200

lib: Fix an error path memleak

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 0321f31a8e1364b32fad61e99856024eaed0b81e
Author: Volker Lendecke 
Date:   Thu May 23 16:06:37 2024 +0200

lib: Use talloc_asprintf_addbufin _ber_read_OID_String_impl

Just one NULL check required

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 4313add2bf5ee41a5cbcac79135da96d5424ec2d
Author: Volker Lendecke 
Date:   Thu May 23 16:04:52 2024 +0200

lib: Use unsigned long in ber_write_OID_String

This is what smb_strtoul returns, so use it.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 8f90ec12a560bfe08b0bf9ae447b789bbcc22dda
Author: Volker Lendecke 
Date:   Thu May 23 15:48:55 2024 +0200

lib: gensec.h references NTTIME, add time.h

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b317408591da4cbb8facd1e9215fd204078722b7
Author: Volker Lendecke 
Date:   Fri May 24 18:34:05 2024 +0200

wbclient: Fix a typo

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 021dfe8f33b3d21ec16ac6e4a28f5a1d09b838a3
Author: Volker Lendecke 
Date:   Fri May 24 18:48:29 2024 +0200

winbind: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit bc2b2350b94cbfc53628852026f68f71f09607e6
Author: Volker Lendecke 
Date:   Sat May 25 12:17:46 2024 +0200

smbd: Fix whitespace

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b29e408e140b74b82ba04391fd1ded43444c83b6
Author: Volker Lendecke 
Date:   Sat May 25 12:41:58 2024 +0200

libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 5c736ffe35408a6344e5c4c4ae57b89e09e51918
Author: Volker Lendecke 
Date:   Wed May 29 17:11:51 2024 +0200

gensec: Simplify gensec_security_by_fn()

We don't need that intermediate talloc ctx, we only allocate backends
and don't pass it anywhere else.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 82c477b98071346a0e4e9162d9a200d1755533a7
Author: Volker Lendecke 
Date:   Wed May 29 17:08:26 2024 +0200

gensec: Filter out disabled mechs in gensec_security_mechs()

Every single caller of gensec_security_mechs() had to manually filter
out disabled mechanisms. Don't offer them from the start.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 426c08476704f8ac574a18562719517c6084ed3f
Author: Volker Lendecke 
Date:   Tue May 28 18:49:41 2024 +0200

gensec: Refactor gensec_security_mechs()

The decision whether to offer a mechanism was split between
gensec_security_mechs() and gensec_use_kerberos_mechs() with two
booleans passed down. Consolidate that decision into one
gensec_offer_mech() function that queries all information on its own.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b28de27f6b880962e9183d28d76f27ce0847bd36
Author: Volker

[SCM] Samba Shared Repository - branch master updated

2024-06-03 Thread Anoop C S 
The branch, master has been updated
   via  4cade04d1f1 vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for 
precise btime
   via  c36e79ef810 vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES
  from  98b443d9033 fuzzing: fix fuzz_stable_sort_r_unstable comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4cade04d1f1e7f1bbd99776bcf876a42488d0f78
Author: Anoop C S 
Date:   Fri May 17 11:57:26 2024 +0530

vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime

Previously we added an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES
so that the btime is always preserved unless explicitly changed using
SMB_VFS_FNTIMES. But there are situations with open file handle where
btime stored on dos attributes as create_time has to be precise for
comparison because a one-to-one conversion between timepsec and nttime
is not always guaranteed.

Accordingly preserve btime via SMB_VFS_FSET_DOS_ATTRIBUTES so that we
always compare the exact btime from fsp stat information while the file
handle is still open.

Signed-off-by: Anoop C S 
Reviewed-by: David Disseldorp 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Mon Jun  3 11:10:11 UTC 2024 on atb-devel-224

commit c36e79ef8104b84c9df638cbec984ec3491d875b
Author: Anoop C S 
Date:   Sat May 18 12:37:44 2024 +0530

vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES

Signed-off-by: Anoop C S 
Reviewed-by: David Disseldorp 

---

Summary of changes:
 source3/modules/vfs_ceph.c | 26 ++
 1 file changed, 22 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 6dae8a5f9e8..bb1650446c9 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -1577,9 +1577,6 @@ static NTSTATUS cephwrap_fget_dos_attributes(struct 
vfs_handle_struct *handle,
NTSTATUS status;
 
status = fget_ea_dos_attribute(fsp, dosmode);
-   if (!NT_STATUS_IS_OK(status)) {
-   return status;
-   }
 
/*
 * Restore previously stored btime from statx timestamps as it should be
@@ -1589,7 +1586,27 @@ static NTSTATUS cephwrap_fget_dos_attributes(struct 
vfs_handle_struct *handle,
 */
fsp->fsp_name->st.st_ex_btime = saved_btime;
 
-   return NT_STATUS_OK;
+   return status;
+}
+
+static NTSTATUS cephwrap_fset_dos_attributes(struct vfs_handle_struct *handle,
+struct files_struct *fsp,
+uint32_t dosmode)
+{
+   struct timespec saved_btime = fsp->fsp_name->st.st_ex_btime;
+   NTSTATUS status;
+
+   status = set_ea_dos_attribute(handle->conn, fsp->fsp_name, dosmode);
+
+   /*
+* Restore previously stored btime from statx timestamps. This is done
+* to ensure that we have the exact btime in fsp stat information while
+* the file handle is still open since the create_time stored as part of
+* dos attributes can loose its precision when converted back to btime.
+*/
+   fsp->fsp_name->st.st_ex_btime = saved_btime;
+
+   return status;
 }
 
 /
@@ -1957,6 +1974,7 @@ static struct vfs_fn_pointers ceph_fns = {
.get_real_filename_at_fn = cephwrap_get_real_filename_at,
.connectpath_fn = cephwrap_connectpath,
.fget_dos_attributes_fn = cephwrap_fget_dos_attributes,
+   .fset_dos_attributes_fn = cephwrap_fset_dos_attributes,
 
/* EA operations. */
.getxattrat_send_fn = vfs_not_implemented_getxattrat_send,


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Volker Lendecke 
The branch, master has been updated
   via  98b443d9033 fuzzing: fix fuzz_stable_sort_r_unstable comparison
   via  267f307689b s3/torture: local_rbtree: avoid birthday collisions
  from  3a7dbf8b77b examples:winexe: embed Samba version as exe timestamp

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 98b443d9033943c4fd2bde939985af125ccd9e73
Author: Douglas Bagnall 
Date:   Thu May 23 16:08:49 2024 +1200

fuzzing: fix fuzz_stable_sort_r_unstable comparison

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69176

Signed-off-by: Douglas Bagnall 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Fri May 31 05:29:08 UTC 2024 on atb-devel-224

commit 267f307689b92bc7e1e407fb7f1a9f556d7d8b90
Author: Douglas Bagnall 
Date:   Wed May 22 12:15:37 2024 +1200

s3/torture: local_rbtree: avoid birthday collisions

We insert 999 keys, but if two of them happen to be the same, we
don't find 1000 nodes, and that is upsetting for CI:

[130(1421)/303 at 4m46s] samba3.smbtorture_s3.LOCAL-RBTREE
UNEXPECTED(failure): samba3.smbtorture_s3.LOCAL-RBTREE.smbtorture(none)
REASON: Exception: Exception: using seed 1716333987
host=foo share=bar user= myname=runner-jlguopmm-project-6378020-concurrent-0
Running LOCAL-RBTREE
run_local_rbtree: read1: 999 999, NT_STATUS_OK
run_local_rbtree: delete: 999 999, NT_STATUS_OK
run_local_rbtree: read2: 0 0, NT_STATUS_OK
TEST LOCAL-RBTREE FAILED!
LOCAL-RBTREE took 0.002706 secs

This has been flapping very occasionally for a long time:
https://lists.samba.org/archive/samba-technical/2016-March/112861.html

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 lib/fuzzing/fuzz_stable_sort_r_unstable.c |  3 ++-
 source3/torture/torture.c | 10 +-
 2 files changed, 7 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/fuzz_stable_sort_r_unstable.c 
b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
index 68174ee460e..9338c75f7dc 100644
--- a/lib/fuzzing/fuzz_stable_sort_r_unstable.c
+++ b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
@@ -71,8 +71,9 @@ static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
 
 #define MAX_SIZE (1024 * 1024)
 
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 {
+   const int8_t *buf = (const int8_t *)input;
int8_t buf2[MAX_SIZE];
int8_t aux[MAX_SIZE];
int8_t context;
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index e0cc39f732d..1f8621654ec 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -13634,17 +13634,17 @@ static bool run_local_rbtree(int dummy)
}
 
for (i = 0; i < 999; i++) {
-   char key[sizeof("key-9223372036854775807")];
-   char value[sizeof("value-9223372036854775807")];
+   char key[sizeof("key-9223372036854775807-1234")];
+   char value[sizeof("value-9223372036854775807-1234")];
 
-   snprintf(key, sizeof(key), "key%ld", random());
-   snprintf(value, sizeof(value) ,"value%ld", random());
+   snprintf(key, sizeof(key), "key%ld-%d", random(), i);
+   snprintf(value, sizeof(value) ,"value%ld-%d", random(), i);
 
if (!rbt_testval(db, key, value)) {
goto done;
}
 
-   snprintf(value, sizeof(value) ,"value%ld", random());
+   snprintf(value, sizeof(value) ,"value%ld-%d", random(), i + 1);
 
if (!rbt_testval(db, key, value)) {
goto done;


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Douglas Bagnall 
The branch, master has been updated
   via  3a7dbf8b77b examples:winexe: embed Samba version as exe timestamp
   via  e604f757516 examples:winexe: reproducible builds with zero timestamp
   via  3c72f733f45 examples:winexe: more efficient C array generation, no 
py2
   via  068b366709d buildtools:pidl: avoid hash randomisation in pidl
   via  ea78a5ce830 pidl:python: Exception if unconvertable in 
ConvertObjectToPythonLevel
   via  f893c100c07 pidl:python: properly raise exception in 
ConvertObjectFromPythonData
   via  f3433f60b8e pidl:Typelist: resolveType(): don't mistake a reference 
for a name
   via  72112d4814e script/autobuild.py: Add test for --vendor-name and 
--vendor-patch-revision
   via  651fb94c374 build: Add --vendor-name --vendor-patch-revision 
options to ./configure
   via  8331475a183 python:smb tests: remove py2 compatibility code
   via  b4b8f18612a python/common: remove verbiage about old python versions
   via  5a317f7d8ef buildtools: remove Python2 compatibility
   via  564b0a21ceb tdb:pytests: remove unused Py2 test branches
   via  037e7ae9c59 ldb-samba:pytest: remove unused variable
   via  0fcba46957f talloc:pytest: remove tests that only test Python 2
   via  a0a025d9024 tdb:pytdb:_tdb_text: remove Py2 compatibility code
   via  87356b327b8 selftest:dnshub: remove py2 compatibility code
  from  e9eb5810438 ctdb-scripts: Protect against races when starting grace 
period

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3a7dbf8b77b2a9e7cdc55bc5b339b9f501d037aa
Author: Douglas Bagnall 
Date:   Thu May 30 10:44:24 2024 +1200

examples:winexe: embed Samba version as exe timestamp

It turns out the timestamp doesn't need to be real, and it isn't used,
but it might as well tell you something. So let's make it tell you what
version of Samba it came from, which could be useful for people who have
lots of old winexes lying around, the poor souls.

0040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  
|!..L.!Th|
0050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program 
canno|
0060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in 
DOS |
0070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  
|mode$...|
0080  50 45 00 00 64 86 0a 00  00 15 04 00 00 00 00 00  
|PE..d...|
|  |  |
|  |  major  4.
|  minor 21.
release  0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Fri May 31 01:28:06 UTC 2024 on atb-devel-224

commit e604f7575167d3572e1b67c6e77ab7273508533d
Author: Douglas Bagnall 
Date:   Tue May 28 11:34:51 2024 +1200

examples:winexe: reproducible builds with zero timestamp

Windows Portable Executable files have a timestamp field and a
checksum field. By default the timestamp field is updated to the
current time, which consequently changes the checksum. This makes the
build nondeterministic. It looks like this:

  --- a/tmp/winexe-1/winexesvc64_exe_binary.c
  +++ b/tmp/winexe-2/winexesvc64_exe_binary.c
  @@ -23,7 +23,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A,
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x0A, 0x00,
  - 0xB2, 0x16, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
  + 0xD3, 0x3B, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x2E, 0x02,
0x0B, 0x02, 0x02, 0x26, 0x00, 0x86, 0x00, 0x00,
0x00, 0xBA, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00,
  @@ -33,7 +33,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x01, 0x00, 0x00, 0x04, 0x00, 0x00,
  - 0x73, 0xD7, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
  + 0x94, 0xFC, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,

https://learn.microsoft.com/en-us/windows/win32/debug/pe-format says
that a timestamp of zero can be used to represent a time that is not
"real or meaningful", so we do that.

As far as I can tell, the timestamp and

[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Volker Lendecke 
The branch, master has been updated
   via  e9eb5810438 ctdb-scripts: Protect against races when starting grace 
period
   via  97c79a1 ctdb-scripts: Check NFS-Ganesha is running before 
attempting grace
   via  27c53880c2a ctdb-scripts: Improve service PID check
   via  bc10704aec6 ctdb-scripts: Improve NFS-Ganesha export path extraction
   via  944d9d308d5 ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE
   via  1be5b1df1bd ctdb-scripts: Fix usage message
   via  2a3d7c09719 ctdb-scripts: Change NFS-Ganesha PID file location
   via  a534f713478 ctdb-scripts: Quote variable expansions
   via  6ffb73bb55e ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
   via  991d21d075c ctdb-scripts: No longer run statd-callout under sudo
   via  ecb9545b3fb ctdb-scripts: Use find_statd_sm_dir() in one more place
   via  50b3cebeb39 ctdb-scripts: Set ownership of statd-callout state 
directory
   via  608557c6ce3 ctdb-scripts: Avoid connecting to ctdbd in 
add-client/del-client
   via  5a4209b7132 ctdb-tests: Default PNN is 0
   via  ed3f041c309 ctdb-scripts: Add caching function for public IPs
   via  558cf280b22 ctdb-scripts: Move state directory creation to 
"startup" action
   via  d02fb20d793 ctdb-scripts: Avoid globally changing to queue directory
   via  b90d72c7b8f ctdb-scripts: Move ctdb.tdb attach to statd-callout
   via  c912e406c1c ctdb-scripts: Reformat with shfmt -w -p -i 0 -fn
   via  7b24cc032ea ctdb-scripts: Improve documentation
   via  5176b43da78 ctdb-scripts: Avoid ShellCheck warning SC2162
   via  54015223804 ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
  from  5a54c9b28ab s3:utils: let smbstatus report anonymous 
signing/encryption explicitly

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e9eb5810438c7de713a45f43af227798a6b5ec2f
Author: Martin Schwenke 
Date:   Fri May 10 18:00:18 2024 +1000

ctdb-scripts: Protect against races when starting grace period

While the PID check is worth it in relevant cases, NFS-Ganesha still
might go away after the check.  Unfortunately, neither grace command
fails an indicative exit code, so invent one by checking error
messages.  This can then be converted to success by the caller.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Thu May 30 12:50:01 UTC 2024 on atb-devel-224

commit 97c79a1c9a61a74aced8d87346dd25c8cce3
Author: Martin Schwenke 
Date:   Fri May 10 17:51:18 2024 +1000

ctdb-scripts: Check NFS-Ganesha is running before attempting grace

If monitoring has failed because it isn't running, then don't fail
"startipreallocate" or "relaseip" by trying to go into grace.

Don't check this for "takeip".  In that case NFS-Ganesha had better be
running.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit 27c53880c2a35a320bc31655ada3367d1be02b19
Author: Martin Schwenke 
Date:   Fri May 10 17:46:58 2024 +1000

ctdb-scripts: Improve service PID check

No need to grovel around in /proc.  ps will happily tell us the
command.

Factor out the actual check into a separate function that can be used
elsewhere.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit bc10704aec66e143b8c9e715a74ddb82f44a3204
Author: Martin Schwenke 
Date:   Tue Apr 30 15:00:34 2024 +1000

ctdb-scripts: Improve NFS-Ganesha export path extraction

Path values do not need to have quotes.  The current code fails if
there aren't any.

Instead, implement a 2 stage parser using 2 sed commands.  See
comments in the code for details.

Regexps are POSIX basic regular expressions, apart from \ (used
to ensure WORD is on word boundaries, and the 'i' flag for case
insensitivity.  The latter is supported in FreeBSD sed.

This code successfully parses Path values out of the following
monstrosity:

path = "/foo/bar1;a";
   Path = /foo/bar2;
Something = false;
Pseudo = "/foo/bar3x" ; Path = "/foo/bar3; y" ; Access_type = RO;
Pseudo = "/foo/bar4x" ; path=/foo/bar4; Access_type = RO;
Pseudo = "/foo/barNONONO" ; not_Path=/foo/barNONONO; Access_type = RO;
   Path = /foo/bar5
Pseudo = "/foo/bar6x Path=foo" ; Path=/foo/bar6; Access_type = RO

This is probably the best that can be done within a shell script.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit 944d9d308d53598ba0aa2dc599fc1f5c78e78313
Author: Martin Schwenke 
Date:   Wed Mar 27 14:24:09 2024 +1100

ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE

Exports may be contained in an include file rather than the top-level
ganesha.conf.

Signed-off-by: Martin

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-05-30 Thread Stefan Metzmacher 
The branch, v4-20-test has been updated
   via  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected 
handling
   via  6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw 
blobs
   via  82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
   via  40fe6480d0d s4:libcli/dgram: let the generic incoming handler also 
get unexpected mailslot messages
   via  cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
   via  b440c11ea0f s3:libsmb/dsgetdcname: use 
NETLOGON_NT_VERSION_AVOID_NT4EMUL
   via  b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the 
callers of nb_packet_{server_create,reader_send}()
   via  234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async 
code
   via  2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
   via  27e4297f4c7 s3:include: split out fstring.h
   via  260d1bbacf8 s3:include: let nameserv.h be useable on its own
   via  4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
   via  ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
   via  0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
   via  2954489bd56 s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
   via  9530c418a38 s3:smbd: allow anonymous encryption after one 
authenticated session setup
   via  610e11af858 s3:utils: let smbstatus also report partial tcon 
signing/encryption
   via  6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
   via  c547e0c0ff7 s3:utils: let connections_forall_read() report if the 
session was authenticated
   via  fe91ed785ed s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
   via  716a0443c9f s3:utils: remove unused signing_flags in 
connections_forall()
   via  cd05e7ed937 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  b945f645732 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
   via  b7606714959 smbXcli_base: add hacks to test anonymous signing and 
encryption
   via  dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
   via  1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the 
current runner
   via  d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 9d80c928b0196839035c0272c0945aad8a3b461a
Author: Stefan Metzmacher 
Date:   Wed Feb 14 12:34:48 2024 +0100

s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)

Autobuild-User(v4-20-test): Stefan Metzmacher 
Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224

commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb
Author: Stefan Metzmacher 
Date:   Wed Feb 14 13:49:21 2024 +0100

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

commit 82f73dc23127c033346604fdfc94d5bf94295375
Author: Stefan Metzmacher 
Date:   Thu Feb 15 17:47:45 2024 +0100

s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b
Author: Stefan Metzmacher 
Date:   Thu Feb 15 16:42:16 2024 +0100

s4:libcli/dgram: let the generic incoming handler also get unexpected 
mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

commit cf37f9f527269ac2d76577dc0df53f1d369f1817
Author: Stefan Metzmacher 
Date:   Thu Feb 15 17:47:13 2024 +0100

libcli/nbt: add nbt_name_send_raw()

BUG:

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-05-29 Thread Stefan Metzmacher 
The branch, v4-19-test has been updated
   via  fab04efa325 s3:libads: avoid changing ADS->server.workgroup
   via  b6253028b30 s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
   via  3b922dd5759 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
   via  92a0533a9ea s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
   via  45b9b63283d s3:smbd: allow anonymous encryption after one 
authenticated session setup
   via  1925abda4c4 s3:utils: let smbstatus also report partial tcon 
signing/encryption
   via  70969d8da5a s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
   via  8cc6ccb54a3 s3:utils: let connections_forall_read() report if the 
session was authenticated
   via  8b6b837eb7d s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
   via  c9c83fb691f s3:utils: remove unused signing_flags in 
connections_forall()
   via  a6c549db3d8 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  3f476fd8bf3 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
   via  7a75e6bdaf0 smbXcli_base: add hacks to test anonymous signing and 
encryption
   via  98adde991bf tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
   via  11edf47d3c3 .gitlab-ci-main.yml: debug kernel details of the 
current runner
   via  5502aa893cc .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically 
propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit fab04efa32564a47191c775d1b51362bf0c5658a
Author: Stefan Metzmacher 
Date:   Fri Oct 15 03:34:11 2021 +0200

s3:libads: avoid changing ADS->server.workgroup

ads_find_dc() uses c_domain = ads->server.workgroup and
don't expect it to get out of scope deep in resolve_and_ping_dns().

The result are corrupted domain values in the debug output.

Valgrind shows this:

 Invalid read of size 1
at 0x483EF46: strlen (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Block was alloc'd at
at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

Autobuild-User(v4-19-test): Stefan Metzmacher 
Autobuild-Date(v4-19-test): Wed May 29 19:25:10 UTC 2024 on atb-devel-224

commit b6253028b303f4bd59b399e43417c7b050969363
Author: Stefan Metzmacher 
Date:   Tue May 7 14:53:24 2024 +

s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

(cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

commit 3b922dd575919fd08c2b98249691ea11cb7ffe56
Author: Stefan Metzmacher 
Date:   Tue Feb 6 21:09:58 2024 +0100

s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()

I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

[SCM] Samba Shared Repository - branch master updated

2024-05-23 Thread Stefan Metzmacher 
The branch, master has been updated
   via  5a54c9b28ab s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
   via  f3ddfb828e6 s3:smbd: allow anonymous encryption after one 
authenticated session setup
   via  551756abd2c s3:utils: let smbstatus also report partial tcon 
signing/encryption
   via  8119fd6d6a4 s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
   via  5089d855064 s3:utils: let connections_forall_read() report if the 
session was authenticated
   via  596a10d1079 s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
   via  a9f84593f44 s3:utils: remove unused signing_flags in 
connections_forall()
   via  6c5781b5f15 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  6a89615d781 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
   via  14d6e267212 smbXcli_base: add hacks to test anonymous signing and 
encryption
  from  d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:14:38 2023 +0200

s3:utils: let smbstatus report anonymous signing/encryption explicitly

We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224

commit f3ddfb828e66738ca461c3284c423defb774547c
Author: Stefan Metzmacher 
Date:   Fri Jun 30 18:05:51 2023 +0200

s3:smbd: allow anonymous encryption after one authenticated session setup

I have captures where a client tries smb3 encryption on an anonymous 
session,
we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
was released with samba-4.15.0rc1.

Testing against Windows Server 2022 revealed that anonymous signing is 
always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 551756abd2c9e4922075bc3037db645355542363
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:12:38 2023 +0200

s3:utils: let smbstatus also report partial tcon signing/encryption

We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 8119fd6d6a49b869bd9e8ff653b500e194b070de
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:12:38 2023 +0200

s3:utils: let smbstatus also report AES-256 encryption types for tcons

We already do that for sessions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:10:08 2023 +0200

s3:utils: let connections_forall_read() report if the session was 
authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 596a10d1079f5c4a954108c81efc862c22a11f28
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:08:31 2023 +0200

s3:lib: let sessionid_traverse_read() report if the session was 
authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:05:59 2023 +0200

s3:utils: remove unused signing_flags in connections_forall()

We never use the signing flags from the session, as the tcon
has its own signing flags.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 6c5781b5f154857f1454f41133687fba8c4c9df9
Author: Stefan Metzmacher 
Date:   Wed May 15 10:02:00 2024 +0200

s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}

These

[SCM] Samba Shared Repository - branch master updated

2024-05-22 Thread Andrew Bartlett 
The branch, master has been updated
   via  d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h
   via  6dd68d89786 ldb: move struct ldb_utf8_fns to ldb_private.h
   via  a00c0ebd090 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
   via  b6974030e6a lib/fuzzing: add fuzz_strncasecmp_ldb
   via  b22e1d3207d ldb: don't cast to unsigned for ldb_ascii_toupper()
   via  e33a0dd70f0 ldb: ldb_set_utf8_functions follows README.Coding
   via  4a6a1d1f0af ldb: deprecate ldb_set_utf8_fns
   via  42ae85d70af ldb: remove old ldb_comparison_fold_utf8_broken()
   via  960724a06e4 ldb: ldb_comparison_fold always uses the casecmp 
function
   via  edabb9f4cb9 ldb-samba: use ldb_comparison_fold_utf8()
   via  0becc8a90cb ldb-samba: add ldb_comparison_fold_utf8, wrapping 
strncasecmp_ldb
   via  f9797950fd6 util:charset: strncasecmp_ldb avoids iconv for ASCII
   via  55397514db5 util:charset: strncasecmp_ldb degrades to ASCII 
strncasecmp
   via  eb91e3437b4 util:charset: add strncasecmp_ldb()
   via  7cc3c56293d ldb: ldb_set_utf8_default() sets comparison function
   via  6c27284f7e9 ldb: ldb_comparison_fold_ascii sorts unsigned
   via  92275e27947 ldb: add ldb_comparison_fold_ascii() for default 
comparisons
   via  947f977acb7 ldb: ldb_comparison_fold uses the utf-8 casecmp function
   via  ae7ca36830b ldb: add ldb_set_utf8_functions() for setting casefold 
functions
   via  1624ac7a987 ldb: move ldb_comparison_fold guts into a separate 
function
   via  278a3c7f7c6 ldb: add a utf-8 comparison fold callback
   via  f9fbc7a5067 lib/util/charset: be explicit about INVALID_CODEPOINT 
value
   via  023a7ce7d5a ldb: add test_ldb_comparison_fold
  from  589a9ea6767 s4:kdc: Add comment about possible interaction between 
the krbtgt account and Group Managed Service Accounts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d6581d213d5f625da493f14620e1a12e79a8e195
Author: Douglas Bagnall 
Date:   Thu May 23 09:40:00 2024 +1200

ldb: move struct ldb_debug_ops to ldb_private.h

Only accessed through struct ldb_context -> debug_ops, which is already 
private.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224

commit 6dd68d897865bd2518a6a71753ca0bc76d51b37e
Author: Douglas Bagnall 
Date:   Thu May 23 09:36:57 2024 +1200

ldb: move struct ldb_utf8_fns to ldb_private.h

It is only accessed via ldb functions that find it on the already-private
struct ldb_context.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a00c0ebd090f69f94ce6ba7774a9fc126d7de504
Author: Douglas Bagnall 
Date:   Mon May 13 11:08:35 2024 +1200

s4:dsdb:strcasecmp_with_ldb_val() avoids overflow

In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.

This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b6974030e6a7ddb330894f46631c8da4359b2d18
Author: Douglas Bagnall 
Date:   Mon May 13 10:39:44 2024 +1200

lib/fuzzing: add fuzz_strncasecmp_ldb

As well as checking for the usual overflows, this asserts that
strncasecmp_ldb is always transitive, by splitting the input into 3
pieces and comparing all pairs.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b22e1d3207d90f102247d690bfe31db55d7b681e
Author: Douglas Bagnall 
Date:   Fri May 17 11:38:10 2024 +1200

ldb: don't cast to unsigned for ldb_ascii_toupper()

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e33a0dd70f00481d1c3d9e2fdd227e26431402ef
Author: Douglas Bagnall 
Date:   Tue May 21 10:55:53 2024 +1200

ldb: ldb_set_utf8_functions follows README.Coding

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 4a6a1d1f0afa830a679781a522d724bd861a3601
Author: Douglas Bagnall 
Date:   Fri May 17 11:35:01 2024 +1200

ldb: deprecate ldb_set_utf8_fns

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 42ae85d70af8da1aecbf45f5fb6e7d7ee1c379fb
Author: Douglas Bagnall 
Date:   Fri May 10 15:43:36 2024 +1200

ldb: remove old ldb_comparison_fold_utf8_broken()

There are no callers.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 960724a06e4dcb793d606c71d6e79387761b3d42
Author: Douglas Bagnall 
Date:   Thu May 16 17:01:10 2024 +1200

ldb: ldb_comparison_fold always uses the casecmp function

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit

[SCM] Samba Shared Repository - branch master updated

2024-05-22 Thread Andrew Bartlett 
The branch, master has been updated
   via  589a9ea6767 s4:kdc: Add comment about possible interaction between 
the krbtgt account and Group Managed Service Accounts
   via  d8302e95326 s4:kdc: Merge current and previous gMSA keys during 
period when both are valid
   via  a0d639bfb82 tests/krb5: Test that previous keys are counted as 
current keys following a gMSA key rollover
   via  5ea07824655 s4:libnet: Allow simulating AS‐REQ flags combination 
for keytab export
   via  71899ceb40d s4:libnet: Update export_keytab() docstring
   via  048de3da01f s4:libnet: Pass SDB_F_ADMIN_DATA flag through to 
samba_kdc_message2entry()
   via  aa8aeeb655a python:tests: Extract keytab_as_set() function to be 
usable by other tests
   via  5682df15a09 python:tests: Manually raise AssertionError
   via  95e80bf1e05 python:tests: Rename ‘keytab_as_set’ variable to be 
distinct from keytab_as_set() method
   via  4597d314029 third_party/heimdal: Import 
lorikeet-heimdal-202405220400 (commit 8276d6311146b8ab5d57d092bc5d5fa28282a900)
   via  4de25061120 WHATSNEW: Add 'dns hostname'
   via  f64e728444b auth:ntlmssp: Use lpcfg_dns_hostname()
   via  78c2427d9b9 auth:ntlmssp: Remove trailing spaces
   via  26fd78040e5 s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
   via  ad9198bb864 s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
   via  6bd56a2c19d s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
   via  cb9ff7b4c5b s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
   via  8ae565a14b5 s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
   via  f353ce5f965 s4:dfs_server: Use lpcfg_dns_hostname() in 
dfs_server_ad.c
   via  f3f8aa49641 s3:rpc_server: Use lpcfg_dns_hostname() in 
srv_witness_nt.c
   via  c00571a8b25 python:tests: Ignore case for group_name comparison
   via  c2d4fe11b4d s3:utils: Use lp_dnsdomain() in net_ads.c
   via  382c300acda s3:libnet: Convert myalias to lower case
   via  0e96092c189 s3:libnet: Use lp_dns_hostname() in libnet_join.c
   via  84989f2bf4a s3:lib: Remove obsolete name_to_fqdn()
   via  f6efc74670d s3:librpc: Use lp_dns_hostname() for creating the fqdn
   via  b93fef8e90d s3:utils: Use lp_dns_hostname() for 'net' dns updates
   via  758bb9aacd5 docs-xml: Add smb.conf option 'dns hostname'
  from  e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to 
setup all relevant env variables

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 589a9ea6767a8112baf664dd18c4aa1667e57d76
Author: Jo Sutton 
Date:   Thu May 9 13:16:50 2024 +1200

s4:kdc: Add comment about possible interaction between the krbtgt account 
and Group Managed Service Accounts

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224

commit d8302e95326639c159fa46788cf645c11d56420c
Author: Jo Sutton 
Date:   Mon Apr 15 14:46:47 2024 +1200

s4:kdc: Merge current and previous gMSA keys during period when both are 
valid

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit a0d639bfb825c2ec0840c048b9b1b3d1474c1146
Author: Jo Sutton 
Date:   Fri Apr 26 13:43:57 2024 +1200

tests/krb5: Test that previous keys are counted as current keys following a 
gMSA key rollover

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5ea07824655170fb20bb0c6862d7697ca96b8697
Author: Jo Sutton 
Date:   Fri Apr 26 13:54:42 2024 +1200

s4:libnet: Allow simulating AS‐REQ flags combination for keytab export

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 71899ceb40dcea6a70102c7318c55cf9b3687379
Author: Jo Sutton 
Date:   Wed Apr 24 17:11:03 2024 +1200

s4:libnet: Update export_keytab() docstring

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 048de3da01f2f7c7210085a624e38d671b38aeda
Author: Jo Sutton 
Date:   Wed Apr 24 13:45:08 2024 +1200

s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()

This will allow us to specify whether to specify this flag for a keytab
export.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit aa8aeeb655a5605b2ecbca89762f6a2402152116
Author: Jo Sutton 
Date:   Wed Apr 24 12:48:53 2024 +1200

python:tests: Extract keytab_as_set() function to be usable by other tests

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5682df15a098dcad7398d8dafdcbccac37371c1a
Author: Jo Sutton 
Date:   Wed Apr 24 13:38:53 2024 +1200

python:tests: Manually raise AssertionError

This removes the last dependency on ‘self’ in this method.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 95e80bf1e0533716a4a15dc2848b76bed2e28a2b
Author: Jo

[SCM] Samba Shared Repository - branch master updated

2024-05-21 Thread Andrew Bartlett 
The branch, master has been updated
   via  e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to 
setup all relevant env variables
   via  83030780285 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
   via  5abeb724d74 s3:smbcacls: fix ace_compare
   via  c7299556845 lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch 
overrun
   via  99d26221311 spelling: comments: synthax -> syntax
   via  64003d86778 spelling: fix spelling of privilege.ldb in comments
   via  94b8deffa2d libsmb: Remove file_info->[ug]id
   via  f2b692fb458 smbd: Simplify request_timed_out
   via  0fe1a6e9dac lib: Use struct initialization
   via  c443d377a0b libsmb: Remove a talloc_strdup()
   via  335877ec04c libsmb: Remove an unneeded NULL check
   via  5384244f760 libsmb: Remove unused cli_list_trans()
   via  e79698c4be6 libsmb: Use SMB2_0_INFO_ constants instead of magic 
numbers
   via  7ecf3b0e25c libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
   via  27ac0beaa01 lib: Fix a typo
   via  0013105eb55 libsmb: Avoid pointless intermediate variables
   via  06a322a17f8 libsmb: Use the direct FSCC_ infolevels
   via  dd1dd65026e smbd: Remove an unused function parameter
   via  f69fe79189e smbd: Remove an unnecessary else
   via  ff43158c528 smbd: Remove a no-op call to init_strict_lock_struct
   via  661532c46c0 smbd: Remove an unnecessary else branch
   via  6f0628c8485 smbd: Return correct error for fallback sendfile
   via  9115836687f smbd: Use direct struct initialization
   via  979f3e23990 smbd: Remove the ZERO_ZERO define
   via  3542f938c53 smbd: Fix whitespace
   via  a8b9a8358e2 smbd: Move a DBG_DEBUG up
   via  477dec3770b smbd: Modernize a few DEBUGs
  from  bdfbf25255e test_kinit_export_keytab: reset pw of the test account 
and test --only-current-keys

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e0d9e285921ce841e4872aadc6e4750b2ad48973
Author: Stefan Metzmacher 
Date:   Tue May 14 16:55:58 2024 +0200

selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env 
variables

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 05:26:48 UTC 2024 on atb-devel-224

commit 83030780285290ecf64b57c1744634379b68ea01
Author: Stefan Metzmacher 
Date:   Tue Feb 6 21:09:58 2024 +0100

s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()

I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5abeb724d74af2b861f2ee6bc27762bb5bf07bca
Author: Douglas Bagnall 
Date:   Tue May 21 20:20:36 2024 +1200

s3:smbcacls: fix ace_compare

We got this wrong in commit 31101a9fa1503be9d8137e42466f57d85136a156.

In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit c7299556845a764c7ca6195ede3f273bc20ebfbb
Author: Douglas Bagnall 
Date:   Tue May 14 14:58:51 2024 +1200

lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 99d2622131161d7d597f5b0a9e2b509817483217
Author: Douglas Bagnall 
Date:   Wed Apr 10 21:25:12 2024 +1200

spelling: comments: synthax -> syntax

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 64003d867786231c130b13f6d84f9d248631d3be
Author: Douglas Bagnall 
Date:   Wed Apr 10 21:22:57 2024 +1200

spelling: fix spelling of privilege.ldb in comments

'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 94b8deffa2d8af39309a94d94f4c0c97ea85265b
Author: Volker Lendecke 
Date:   Tue May 21 11:21:03 2024 +0200

libsmb: Remove file_info->[ug]id

These fields were never assigned

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit f2b692fb458f0253adcb8b7ae2b9eb99346559fb
Author: Volker Lendecke 
Date:   Tue May 21 08:38:19 2024 +0200

smbd: Simplify request_timed_out

timeval_expired does what we need here

[SCM] Samba Shared Repository - branch master updated

2024-05-21 Thread Andrew Bartlett 
The branch, master has been updated
   via  bdfbf25255e test_kinit_export_keytab: reset pw of the test account 
and test --only-current-keys
   via  b4be5718d3d samba-tool: let 'samba-tool domain exportkeytab' take 
an --only-current-keys option
   via  2793ef3e163 samba.tests.dckeytab: add 
test_export_keytab_change3_update_only_current_keep()
   via  e2a5fbf5cf2 s4:libnet_export_keytab: add only_current_keys option
   via  7f1e89488a7 s4:kdc: also provide cross-realm keys via 
samba_kdc_seq()
   via  37292f8a60f s4:kdc: let samba_kdc_trust_message2entry() return all 
keys with SDB_F_ADMIN_DATA
   via  6ecc607edee s4:kdc: split out samba_kdc_fill_trust_keys() helper
   via  f5c8c212dcb s4:kdc: add available_enctypes to 
supported_session_etypes in samba_kdc_trust_message2entry()
   via  f48699641cf s4:kdc: add a returned_kvno helper variable in 
samba_kdc_trust_message2entry()
   via  d1efc396de4 s4:kdc: let samba_kdc_trust_message2entry() ignore 
KRB5_PROG_ETYPE_NOSUPP
   via  8cfebc36edc s4:kdc: split out samba_kdc_fill_trust_keys() helper
   via  83f03513fd5 s3:libnet: add a debug message to 
libnet_keytab_add_to_keytab_entries()
   via  888a785f476 s3:libnet: add support for trusted domains in 
libnet_dssync_keytab.c
   via  2b2cc544725 s3:libnet: split out store_or_fetch_attribute() from 
parse_user() in libnet_dssync_keytab.c
   via  feff15fc88b s3:libnet: split out parse_user() in 
libnet_dssync_keytab.c
   via  52df4063871 s3:libnet: let parse_user() in libnet_dssync_keytab.c 
work without nt hash
  from  01849ab1bca s4:kdc: Implement KDC plugin hardware authentication 
policy

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bdfbf25255e457c3e5d5d75ee09fca3af461c5a7
Author: Stefan Metzmacher 
Date:   Wed Apr 17 16:15:17 2024 +0200

test_kinit_export_keytab: reset pw of the test account and test 
--only-current-keys

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 04:07:02 UTC 2024 on atb-devel-224

commit b4be5718d3de3bc90d142cb53f79fe067d0a3e0a
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:14:18 2024 +0100

samba-tool: let 'samba-tool domain exportkeytab' take an 
--only-current-keys option

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 2793ef3e1632c735f9caac015503aab06f53d543
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:31:22 2024 +0100

samba.tests.dckeytab: add 
test_export_keytab_change3_update_only_current_keep()

This tests that only_current_keys=True works.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit e2a5fbf5cf2b65db77e7c5a859c896acca69f432
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:11:10 2024 +0100

s4:libnet_export_keytab: add only_current_keys option

By default we also export on the old and older passwords...

In order to do a kinit with a keytab it might we useful to
include only the current keys.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 7f1e89488a7212832819380a93fe137a6fa28c37
Author: Stefan Metzmacher 
Date:   Thu Feb 3 14:14:06 2022 +0100

s4:kdc: also provide cross-realm keys via samba_kdc_seq()

This means that 'samba-tool domain exportkeytab' is able to
export them.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 37292f8a60f8fa82faa7bde4314919dcae6fb7ab
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:23:46 2024 +0100

s4:kdc: let samba_kdc_trust_message2entry() return all keys with 
SDB_F_ADMIN_DATA

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 6ecc607edeeeb1877b5ecf02ba60d6c8799f583a
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: split out samba_kdc_fill_trust_keys() helper

This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.

Review with: git show -p --patience

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f5c8c212dcba48167d8ae8c555a5c4750cb763fd
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: add available_enctypes to supported_session_etypes in 
samba_kdc_trust_message2entry()

This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f48699641cf95f1e2d197e0f8ea1ed4ce2c4fb41
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: add a returned_kvno helper variable in

[SCM] Samba Shared Repository - branch master updated

2024-05-15 Thread Andrew Bartlett 
The branch, master has been updated
   via  01849ab1bca s4:kdc: Implement KDC plugin hardware authentication 
policy
   via  0582cf6077c s4:kdc: Remove trailing whitespace
   via  09bcd48f790 third_party/heimdal: Import 
lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
   via  d36bfbf632e tests/krb5: Adjust tests to pass against newer Windows 
versions that include ticket checksums in response to AS‐REQs
   via  f3ff4915adf s4:kdc: Initialize local variable just in case (CID 
1596759)
   via  3b90753b552 s4:kdc: Free target principal string to avoid memory 
leak (CID 1596760)
   via  7e7bb259a60 s4:kdc: Initialize pointer variable just in case (CID 
1596762)
   via  e1460c9e342 s4:dsdb: Make map containing default attribute values 
static
   via  927c672faff s4:dsdb: Do not set lockoutTime for trust accounts
   via  4c759c26752 s4:dsdb: Make use of userAccountControl helper function
   via  1b8b8550aaa s4:dsdb: Add userAccountControl helper function
   via  0e93456a66b s4:dsdb: Remove redundant user flags macro
   via  32199b9bcfd s4:auth: Accept previous gMSA password for NTLM 
authentication five minutes after a password change
   via  fbdeb4b0b47 lib:crypto: Add constant denoting maximum GKDI clock 
skew in minutes
   via  c167ac53016 s4:libnet: Remove unnecessary declarations
   via  33ed55ce8f5 s4:libnet: Remove trailing whitespace
   via  5c4f2623c52 tests/krb5: Add more tests for gMSAs
   via  6f094180106 tests/krb5: Test viewing gMSA passwords after 
performing simple binds
   via  f9cbda9cf0e tests/krb5: Test that computers (and, by extension, 
gMSAs) cannot perform interactive logons
   via  336a58473ad tests/krb5: Don’t pass gMSA as 
‘domain_joined_mach_creds’ parameter
   via  ad0740751e8 tests/krb5: Test performing NTLMSSP logons at different 
times
   via  e5357c75a60 s4:auth: Let dsdb gMSA time influence NTLM previous 
password allowed period
   via  92d010af2d0 s4:dsdb: Let dsdb gMSA time influence pwdLastSet
   via  9fac9b776e7 tests/krb5: Test that gMSA passwords cannot be viewed 
over an unsealed connection
   via  aa4347ff23e tests/krb5: Add ‘expect_success’ parameter to 
gensec_ntlmssp_logon()
   via  41e71406a14 tests/krb5: Make use of gmsa_series_for_account() method
   via  577aa790425 tests/krb5: Add quantized_time() method
   via  65fe09007f8 tests/krb5: Read current time from correct SamDB
   via  fdaa2943697 python:tests: Pass ServerPasswordSet2() parameters in 
correct order
   via  cb357a011b0 python:tests: Remove unnecessary ‘pass’ statement
   via  e875193c1ca python:tests: Remove unused netlogon connection 
parameter
   via  170dd47eae5 s4:libcli: Add more controls to our list of known 
controls
   via  526652d162f s4:libcli: Fix code spelling
   via  e4045cd5b15 s4:setup: Update name of dsdb password change control
   via  f5cbe497897 s4:dsdb: Fix code spelling
   via  cbebffd56da s4:dsdb: Remove trailing whitespace
   via  359b3b63213 lib:fuzzing: Fix undefined shift
   via  be076b30972 lib:fuzzing: Remove unused variable
   via  7b02221c4f5 auth:credentials: Check for NT hash being NULL
  from  2b495c44a2a smbd: Fix a typo in a few places

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 01849ab1bcaad9e96b388cad178182d6a77ac3cb
Author: Jo Sutton 
Date:   Mon May 13 10:58:51 2024 +1200

s4:kdc: Implement KDC plugin hardware authentication policy

NOTE: This commit finally works again!

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224

commit 0582cf6077c3f6866f38e85440c8ed464b303bdd
Author: Jo Sutton 
Date:   Wed May 15 16:28:12 2024 +1200

s4:kdc: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 09bcd48f79043e54fdce840f70e370b9a507d0fc
Author: Jo Sutton 
Date:   Thu May 9 16:57:14 2024 +1200

third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 
49c8e97b7221db53355258059ef385c856e1385f)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit d36bfbf632ed0d3c53c9ef24eac682cb91274ec8
Author: Jo Sutton 
Date:   Tue May 14 13:05:31 2024 +1200

tests/krb5: Adjust tests to pass against newer Windows versions that 
include ticket checksums in response to AS‐REQs

A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit f3ff4915adfd63f287147c73fd69050c5b7de580
Author: Jo Sutton 
Date:   Mon May 6 12:20:44 2024 +1200

s4:kdc: Initialize

[SCM] Samba Shared Repository - branch master updated

2024-05-15 Thread Jeremy Allison 
The branch, master has been updated
   via  2b495c44a2a smbd: Fix a typo in a few places
   via  a99f2f3ae39 smbd: Modernize a few DEBUGs
   via  df75ae65e63 g_lock: Fix buffer length check in g_lock_parse()
   via  aca70be7829 smbd: Simplify check_parent_access_fsp()
   via  c422002ce5e smbd: Remove an obsolete comment
  from  b71f729698f smbd: Add reparse tag to smb3_posix_cc_info

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2b495c44a2abcfa9b9c7f520e0989ff72f7b651f
Author: Volker Lendecke 
Date:   Wed May 15 16:43:31 2024 +0200

smbd: Fix a typo in a few places

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224

commit a99f2f3ae390ddc4d80548a593a3edf50eeb76f3
Author: Volker Lendecke 
Date:   Tue May 14 16:20:03 2024 +0200

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit df75ae65e6347736c96707c57e736d15662a6846
Author: Volker Lendecke 
Date:   Sat Feb 10 11:15:58 2024 +0100

g_lock: Fix buffer length check in g_lock_parse()

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit aca70be7829b97729b18a9c2c5e3add894e323c1
Author: Volker Lendecke 
Date:   Tue May 14 16:30:21 2024 +0200

smbd: Simplify check_parent_access_fsp()

We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit c422002ce5ef8ea4dcac69b7167dcf67d5c373d1
Author: Volker Lendecke 
Date:   Tue May 14 17:01:40 2024 +0200

smbd: Remove an obsolete comment

notify_fname only sends a message to the notify daemon. There is no
potential deadlock anymore.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 source3/lib/g_lock.c  |  9 +
 source3/locking/locking.c | 19 +++
 source3/smbd/close.c  | 41 +++--
 source3/smbd/open.c   | 16 +---
 4 files changed, 32 insertions(+), 53 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 33f088b2a43..77b8287273b 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -58,7 +58,8 @@ static bool g_lock_parse(uint8_t *buf, size_t buflen, struct 
g_lock *lck)
uint64_t unique_data_epoch;
 
if (buflen < (SERVER_ID_BUF_LENGTH + /* exclusive */
- sizeof(uint64_t) + /* seqnum */
+ sizeof(uint64_t) + /* unique_lock_epoch */
+ sizeof(uint64_t) + /* unique_data_epoch */
  sizeof(uint32_t))) {   /* num_shared */
struct g_lock ret = {
.exclusive.pid = 0,
@@ -360,7 +361,7 @@ NTSTATUS g_lock_lock_cb_dump(struct g_lock_lock_cb_state 
*cb_state,
 {
struct g_lock *lck = cb_state->lck;
 
-   /* We allow a cn_fn only for G_LOCK_WRITE for now... */
+   /* We allow a cb_fn only for G_LOCK_WRITE for now... */
SMB_ASSERT(lck->num_shared == 0);
 
fn(lck->exclusive,
@@ -1018,7 +1019,7 @@ struct tevent_req *g_lock_lock_send(TALLOC_CTX *mem_ctx,
};
 
/*
-* We allow a cn_fn only for G_LOCK_WRITE for now.
+* We allow a cb_fn only for G_LOCK_WRITE for now.
 *
 * It's all we currently need and it makes a few things
 * easier to implement.
@@ -1238,7 +1239,7 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, TDB_DATA key,
SMB_ASSERT(!ctx->busy);
 
/*
-* We allow a cn_fn only for G_LOCK_WRITE for now.
+* We allow a cb_fn only for G_LOCK_WRITE for now.
 *
 * It's all we currently need and it makes a few things
 * easier to implement.
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index fa1c85afe91..25735a3083d 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -158,12 +158,14 @@ bool strict_lock_check_default(files_struct *fsp, struct 
lock_struct *plock)
TALLOC_FREE(br_lck);
}
 
-   DEBUG(10, ("strict_lock_default: flavour = %s brl start=%ju "
-  "len=%ju %s for fnum %ju file %s\n",
-  lock_flav_name(plock->lock_flav),
-  (uintmax_t)plock->start, (uintmax_t)plock->size,
-  ret ? "unlocked" : "locked",
-  (uintmax_t)plock->fnum, fsp_str_dbg(fsp)));
+   DBG_DEBUG("flavour = %s brl start=%" PRIu64 " "
+ "len=%" PRIu64 " %s for fnum %" PRIu64 " file %s\n",
+ lock_flav_name(plock->lock_flav),
+

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Jeremy Allison 
The branch, master has been updated
   via  b71f729698f smbd: Add reparse tag to smb3_posix_cc_info
   via  ecb17c12c54 smbd: Test reparse tag in smb3_posix_cc_info
   via  d0cdb4160b8 smbd: Use fsctl_get_reparse_tag in 
fsctl_del_reparse_point
   via  7b6dc319b53 smbd: Use fsctl_get_reparse_tag in 
fsctl_set_reparse_point
   via  3a387673662 smbd: Add fsctl_get_reparse_tag() helper function
   via  2743127a6e3 smbd: Modernize a few DEBUGs
   via  a85b1e57542 libsmb: Cap max_rdata at UINT16_MAX
   via  1776918c5bf libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define
   via  5e0fe4d91ce smbd: Add DEBUG message got get_reparse_point
   via  ee653577630 smbd: Return reparse tag as of MS-FSCC 2.4.6
   via  d884c2fb0d5 smbd: Fix a DBG
   via  44b3eadacb3 tests: get TAG_INFORMATION
   via  ba40d97087b pylibsmb: Add py_cli_qfileinfo
   via  c13ac1f1a76 pylibsmb: Add FSCC QUERY_INFO levels
   via  291a353b16a libsmb: Remove smb2 branch from cli_qfileinfo_basic_send
   via  893e4f6ebf6 libsmb: Add smb2 branch to cli_qfileinfo
   via  6e9c18ed821 libsmb: Add a tevent_req_received() where appropriate
   via  bec5920ec91 libsmb: Convert cli_qfileinfo to use FSCC levels
   via  af4bb5f75f7 libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"
   via  4eac4014c03 libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"
   via  072e4d030ae smbd: Modernize a DEBUG
   via  7c59f110560 test: Align integer types
  from  1092d4b0a8e s3:winbindd: Update non cache entries keys 
(non_centry_keys)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b71f729698fba58543645e9ec40e95d57ea19e3b
Author: Volker Lendecke 
Date:   Mon May 13 15:44:52 2024 +0200

smbd: Add reparse tag to smb3_posix_cc_info

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224

commit ecb17c12c54214694ecc240ae290646d341cd9a5
Author: Volker Lendecke 
Date:   Mon May 13 15:44:14 2024 +0200

smbd: Test reparse tag in smb3_posix_cc_info

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit d0cdb4160b84a5f4e9c120c951beb55ac41cf1b3
Author: Volker Lendecke 
Date:   Mon May 13 14:30:30 2024 +0200

smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 7b6dc319b53ad6df109517ae425d770b62136f7a
Author: Volker Lendecke 
Date:   Mon May 13 14:28:55 2024 +0200

smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3a3876736627a5c218661ffc6845e96b97322dca
Author: Volker Lendecke 
Date:   Mon May 13 14:26:22 2024 +0200

smbd: Add fsctl_get_reparse_tag() helper function

There's a few places where we only care about the tag

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 2743127a6e3092e292f74e2b851dc41b8b67f825
Author: Volker Lendecke 
Date:   Mon May 13 14:16:48 2024 +0200

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit a85b1e57542831bd26afc985c9add740a063f856
Author: Volker Lendecke 
Date:   Mon May 13 11:16:21 2024 +0200

libsmb: Cap max_rdata at UINT16_MAX

The caller does not necessarily query max values for smb1 and smb2+.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 1776918c5bf2e6db4ab9072e09326b91fa211322
Author: Volker Lendecke 
Date:   Wed May 8 16:05:40 2024 +0200

libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define

(SMB_FILE_ALL_INFORMATION - 1000) looks a bit silly if you look at the
definition of SMB_FILE_ALL_INFORMATION...

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 5e0fe4d91cee3cc687b2b4bbfc778a7bf8f58d5e
Author: Volker Lendecke 
Date:   Thu Dec 22 11:36:21 2022 +0100

smbd: Add DEBUG message got get_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit ee653577630d4f68f82fa93c03e0a33b7b6ccdc1
Author: Volker Lendecke 
Date:   Wed May 8 16:03:29 2024 +0200

smbd: Return reparse tag as of MS-FSCC 2.4.6

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit d884c2fb0d5a3b72d550d72c2f263f7d80a5dc8a
Author: Volker Lendecke 
Date:   Wed May 8 15:48:11 2024 +0200

smbd: Fix a DBG

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 44b3eadacb3df92238b30c38abe4abf48c60a971
Author: Volker Lendecke 
Date:   Thu May 9 11:54:31 2024 +0200

tests: get TAG_INFORMATION

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit ba40d97087bed742eb6178b2e5e03a77e040f343
Author: Volker Lendecke

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Jeremy Allison 
The branch, master has been updated
   via  1092d4b0a8e s3:winbindd: Update non cache entries keys 
(non_centry_keys)
   via  26d87d1fefa s3:winbindd: Use TDB_REPLACE in tdb_store
  from  68a1200f66e Restore empty string default for conf.env['icu-libs']

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1092d4b0a8e6d988e6bcbbd5e7cce7e34fc1ed54
Author: Pavel Filipenský 
Date:   Fri Mar 22 13:51:06 2024 +0100

s3:winbindd: Update non cache entries keys (non_centry_keys)

This change does NOT affect WHAT and HOW is cached. It only avoids
undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in
wcache_flush_cache() and wbcache_upgrade_v1_to_v2().

winbindd_cache.tdb contains two types of entries:

1) cache entries (typed as 'struct cache_entry')
  - internal format is:   [ntstatus; sequence_number; timeout]

2) non cache entries (keys listed in non_centry_keys)
  - for "NDR" internal format is: [sequence_number; timeout]

Without this commit, "NDR" would be processed as the first type (instead
as the second type). E.g. in the stack below:

wcache_fetch_raw()
traverse_fn_cleanup()
wcache_flush_cache()

the triplet [ntstatus; sequence_number; timeout] would be initialized
from data containing only [sequence_number; timeout], leading to
mismatched values ('ntstatus' would be filled from 'sequence_number').

Anyway, current code is never calling wcache_flush_cache(), since
wcache_flush_cache() can be called only from get_cache() and get_cache()
will call it only if global/static wcache was not set yet. But wcache is
set very early in the main winbind (and all winbind children get it
after fork), sooner than any call of get_cache() can happen:

   #1 init_wcache + 0x19
   #2 initialize_winbindd_cache + 0x35
   #3 winbindd_cache_validate_and_initialize + 0x25
   #4 main + 0x806

Signed-off-by: Pavel Filipenský 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224

commit 26d87d1fefa67b759bc369983b4c55fcd007dca9
Author: Pavel Filipenský 
Date:   Tue May 7 13:01:02 2024 +0200

s3:winbindd: Use TDB_REPLACE in tdb_store

tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0

Signed-off-by: Pavel Filipenský 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 source3/winbindd/winbindd_cache.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_cache.c 
b/source3/winbindd/winbindd_cache.c
index ca2341ef456..833862ab99e 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -68,7 +68,9 @@ static bool opt_nocache = False;
  */
 
 static const char *non_centry_keys[] = {
+   "NDR/",
"SEQNUM/",
+   "TRUSTDOMCACHE/",
"WINBINDD_OFFLINE",
WINBINDD_CACHE_VERSION_KEYSTR,
NULL
@@ -4605,7 +4607,7 @@ static bool wcache_tdc_store_list( struct 
winbindd_tdc_domain *domains, size_t n
goto done;
}
 
-   ret = tdb_store( wcache->tdb, key, data, 0 );
+   ret = tdb_store(wcache->tdb, key, data, TDB_REPLACE);
 
  done:
SAFE_FREE( data.dptr );
@@ -4922,7 +4924,7 @@ void wcache_store_ndr(struct winbindd_domain *domain, 
uint32_t opnum,
SBVAL(data.dptr, 4, timeout);
memcpy(data.dptr + 12, resp->data, resp->length);
 
-   tdb_store(wcache->tdb, key, data, 0);
+   tdb_store(wcache->tdb, key, data, TDB_REPLACE);
 
 done:
TALLOC_FREE(key.dptr);


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Andreas Schneider 
The branch, master has been updated
   via  68a1200f66e Restore empty string default for conf.env['icu-libs']
  from  833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs 
filesystem

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 68a1200f66e9008ca0a739b37b48c49453ca9d83
Author: Earl Chew 
Date:   Fri May 10 19:46:28 2024 -0700

Restore empty string default for conf.env['icu-libs']

The reworked ICU libraries configuration code used [] as
default for conf.env['icu-libs']. This breaks dependency analysis
in samba_deps.py because SAMBA_SUBSYSTEM() expects deps to be
a string.

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Tue May 14 14:44:06 UTC 2024 on atb-devel-224

---

Summary of changes:
 lib/util/charset/wscript_configure | 2 ++
 1 file changed, 2 insertions(+)


Changeset truncated at 500 lines:

diff --git a/lib/util/charset/wscript_configure 
b/lib/util/charset/wscript_configure
index c49b55a4fd4..adae44eab5e 100644
--- a/lib/util/charset/wscript_configure
+++ b/lib/util/charset/wscript_configure
@@ -46,3 +46,5 @@ if conf.CHECK_CFG(package='icu-i18n icu-uc',
 if not conf.CHECK_HEADERS('unicode/ustring.h', lib='icui18n'):
 conf.fatal('Found icui18n, but unicode/ustring.h is missing')
 conf.DEFINE('HAVE_UTF8_NORMALISATION', 1)
+else:
+conf.env['icu-libs'] = ''


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Pavel Filipensky 
The branch, master has been updated
   via  833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs 
filesystem
  from  1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no 
longer used directly

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 833c3f26b476c5f27d8dd000cfa423f0726cef1a
Author: Pavel Filipenský 
Date:   Mon May 13 12:13:38 2024 +0200

python/tests: Fix nlink test in smb3unix on btrfs filesystem

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Tue May 14 13:37:53 UTC 2024 on atb-devel-224

---

Summary of changes:
 python/samba/tests/smb3unix.py | 18 ++
 1 file changed, 14 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/smb3unix.py b/python/samba/tests/smb3unix.py
index d88bd432239..1962852349c 100644
--- a/python/samba/tests/smb3unix.py
+++ b/python/samba/tests/smb3unix.py
@@ -24,6 +24,7 @@ from samba.dcerpc import smb3posix
 from samba.ndr import ndr_unpack
 from samba.dcerpc.security import dom_sid
 import os
+import subprocess
 
 def posix_context(mode):
 return (libsmb.SMB2_CREATE_TAG_POSIX, mode.to_bytes(4, 'little'))
@@ -34,6 +35,9 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 super().setUp()
 
 self.samsid = os.environ["SAMSID"]
+prefix_abs = os.environ["PREFIX_ABS"]
+p = subprocess.run(['stat', '-f', '-c', '%T', prefix_abs], 
capture_output=True, text=True)
+self.fstype = p.stdout.strip().lower()
 
 def connections(self, share1=None, posix1=False, share2=None, posix2=True):
 if not share1:
@@ -303,7 +307,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 self.assertEqual(found_files[fname]['attrib'],
  libsmb.FILE_ATTRIBUTE_ARCHIVE)
 else:
-self.assertEqual(found_files[fname]['nlink'], 2)
+# Note: btrfs always reports the link count of directories 
as one.
+if self.fstype == "btrfs":
+self.assertEqual(found_files[fname]['nlink'], 1)
+else:
+self.assertEqual(found_files[fname]['nlink'], 2)
 self.assertEqual(found_files[fname]['attrib'],
  libsmb.FILE_ATTRIBUTE_DIRECTORY)
 
@@ -368,9 +376,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 
 cc = ndr_unpack(smb3posix.smb3_posix_cc_info, cc_out[0][1])
 
-# Note: this fails on btrfs which always reports the link
-# count of directories as one.
-self.assertEqual(cc.nlinks, 2)
+# Note: btrfs always reports the link count of directories as one.
+if self.fstype == "btrfs":
+self.assertEqual(cc.nlinks, 1)
+else:
+self.assertEqual(cc.nlinks, 2)
 
 self.assertEqual(cc.reparse_tag, 
libsmb.IO_REPARSE_TAG_RESERVED_ZERO)
 self.assertEqual(cc.posix_perms, 0o700)


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Stefan Metzmacher 
The branch, master has been updated
   via  1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no 
longer used directly
   via  afcd53b8d09 auth/credentials_krb5: let cli_credentials_set_ccache() 
use smb_force_krb5_cc_default()
   via  a5d46f69d12 auth/credentials_krb5: use system/{gssapi,kerberos}.h
   via  845a2aae6f0 smbspool: let kerberos_ccache_is_valid() use 
smb_force_krb5_cc_default_name()
   via  4514fb5f439 smbspool_krb5_wrapper: let 
kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()
   via  a8da9de9f4a smbspool_krb5_wrapper: remove unused includes
   via  eb6dc35a704 krb5_wrap: let smb_krb5_renew_ticket() use 
smb_force_krb5_cc_default_name()
   via  f850bcfc0b4 krb5_wrap: add smb_force_krb5_cc_default[_name]() 
wrappers
   via  d49de777104 s3:libads: let kerberos_kinit_password_ext() require an 
explicit krb5 ccache
   via  70f9e3a0567 krb5_wrap: let ads_krb5_cli_get_ticket() require an 
explicit krb5 ccache
   via  fc92025ecb2 s3:libads: finally remove unused 
ads_connect[_user_creds]() and related code
   via  25806314dae s3:net: finally remove 
net_context->opt_{user_specified,user_name,password}
   via  a1ab1c8620c s3:net: remove unused net_context->smb_encrypt
   via  9620d2ecc18 s3:net: remove unused net_context->opt_kerberos
   via  2de585a9787 s3:include: remove unused krb5_env.h
   via  eb9ad5cc890 s3:net_ads: remove unused use_in_memory_ccache()
   via  e76fe56fdf6 s3:net_ads: make use of 
ads_connect_{cldap_only,creds}() in ads_startup_int()
   via  d59d957caba s3:libads: let ads_krb5_set_password() require an 
explicit krb5 ccache to operate on
   via  432273dd3ec s3:libads: kerberos_set_password() don't need to kinit 
before ads_krb5_chg_password()
   via  125db2ed815 s3:libads: remove unused kdc_host and time_offset 
arguments to kerberos_set_password()
   via  b641b35b028 s3:libads: remove unused kdc_host and time_offset 
arguments to ads_krb5_chg_password()
   via  3141423feb3 s3:libads: remove krb5_set_real_time() from 
ads_krb5_set_password()
   via  c85c084d69e s3:libads: remove unused kdc_host argument of 
ads_krb5_set_password()
   via  5f32f14ef58 s3:net_ads: require kerberos if we use 
ads_krb5_set_password() in ads_user_add()
   via  1eeeb76e6c5 s3:net_ads: use ADS_SASL_SEAL by default, so that we 
always get encryption
   via  612af29cef1 s3:net_ads: use cli_credentials_get_principal() in 
order to call kerberos functions
   via  55c9a6c0e3a s3:net: remove useless net_prompt_pass() wrapper
   via  d9082129f21 s3:net_rpc: make use of !c->explicit_credentials for 
NET_FLAGS_ANONYMOUS
   via  e690666fd10 s3:net: make use of c->explicit_credentials in order to 
check for valid credentials
   via  be1051f3792 s3:net: add net_context->explicit_credentials to check 
if credentials were passed
   via  a9beae36f0a s3:net: correctly implement --use-ccache as legacy for 
--use-winbind-ccache for 'net'
   via  579195769d6 s3:net_offlinejoin: we don't need to call 
libnetapi_set_use_kerberos() as we already passed cli_credentials
   via  f4f31236c4a s3:libnet_join: pass down cli_credentials 
*admin_credentials to libnet_{Join,Unjoin}Ctx()
   via  c0edd3406b9 s3:lib/netapi: make use of 
ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
   via  0470cc385d9 s3:lib/netapi: add libnetapi_get_creds()
   via  bd53e20764b libgpo/pygpo: make use of ads_connect_{creds,machine}()
   via  87e7a9488a0 s3:printing: make use of ads_connect_machine()
   via  f9496bfdf4e s3:libads: add ads_connect_machine() helper
   via  353abcb4d3e s3:libads: add ads_simple_creds() helper
   via  c36b0442244 s3:libads: make use of ads_connect_simple_anon() in 
ldap.c where possible
   via  7bfbea4c3c8 s3:libads: add ads_connect_simple_anon() helper
   via  c95a2785e20 lib/addns: rewrite signed dns update code to use gensec 
instead of plain gssapi
   via  5807689f968 s3:utils: let net_update_dns_internal() set status 
before goto done in all cases
   via  28af0829263 s3:winbindd: make use of 
winbindd_get_trust_credentials() in idmap_ad.c
   via  ed75331f525 s3:winbindd: make use of 
winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
   via  16bbb407fa5 s3:winbindd: make use of samba_sockaddr to avoid 
compiler warnings
   via  f903d80769b s3:winbindd: use 
winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
   via  8166642e1bd s3:winbindd: make winbindd_get_trust_credentials() 
public
   via  81a6c54fddc s3:libads: add ads_set_reconnect_fn() and only 
reconnect if we can get creds
   via  31e4614ee36 s3:libads: add ads_connect_creds() helper
   via  76e0d348ddd s3:libads: fix compiler warning in ads_mod_ber()
   via  bac243442a6 s3:libads: move ads->auth.time_offset to 
ads->config.time_offset
   via  ea97abd545e s3:libads: we

[SCM] Samba Shared Repository - branch master updated

2024-05-09 Thread Andrew Bartlett 
The branch, master has been updated
   via  712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
   via  05807488fd3 Combine ICU libraries icu-i18n and icu-uc into a single 
dependency
   via  0c983bd0095 Improve CHECK_LIB interaction with CHECK_PKG
   via  363c3318577 Augment library_flags() to return libraries
   via  5aafd2fb404 selftest: add test for User.get_primary_group method
   via  8fe7f0a6d50 python: models: add get_primary_group method to User 
model
   via  1f47c0f6093 python: models: rename argument ldb to samdb
   via  237d9d0228c tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
   via  380d9c5a739 .gitlab-ci-main.yml: debug kernel details of the 
current runner
  from  9844ac289be ldb-samba: ldif_read_objectSid avoids VLA

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2
Author: Stefan Metzmacher 
Date:   Tue May 7 14:53:24 2024 +

s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

commit 05807488fd340751ee976c5f8a367013ff94843e
Author: Earl Chew 
Date:   Sat Dec 16 08:48:36 2023 -0800

Combine ICU libraries icu-i18n and icu-uc into a single dependency

Rather than probing for icu-i18n, icu-uc, and icudata libraries
separately, only probe for icu-i18n, and icu-uc, as direct dependencies
This avoids overlinking with icudata, and allows the package
to build even when ICU is not installed as a system library.

RN: Only use icu-i18n and icu-uc to express ICU dependency

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 0c983bd0095d4fb20ef8b42f5efb740393073862
Author: Earl Chew 
Date:   Sat Dec 16 17:47:09 2023 -0800

Improve CHECK_LIB interaction with CHECK_PKG

When checking for shared libraries, only name the target library
if it was not previously discoverd by pkg-config --libs and now
available from uselib_store. This avoids using both sources of
information which results in the library being named twice on
the command line.

Once the library is confirmed by CHECK_LIB, append the library if
not already present, to avoid dropping libraries that were
previously discovered by CHECK_PKG.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 363c33185779141fdfbda695997d548939a0251f
Author: Earl Chew 
Date:   Sun Dec 17 08:37:33 2023 -0800

Augment library_flags() to return libraries

Extend library_flags() to return the libraries provided by
pkg-config --libs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5aafd2fb4042a2f787dd6a7bc9584494d29c405f
Author: Rob van der Linde 
Date:   Tue Apr 30 23:54:13 2024 +1200

selftest: add test for User.get_primary_group method

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8fe7f0a6d507c4711c9edbc8eab86cf0a46facaf
Author: Rob van der Linde 
Date:   Tue Apr 30 23:43:30 2024 +1200

python: models: add get_primary_group method to User model

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 1f47c0f609355aa469c04dafe6c4505f5823a6e3
Author: Rob van der Linde 
Date:   Tue Apr 30 23:42:05 2024 +1200

python: models: rename argument ldb to samdb

This argument is actually an instance of SamDB (which inherits from Ldb).

This should have been called samdb.

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3
Author: Stefan Metzmacher 
Date:   Wed May 8 18:03:54 2024 +0200

tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative

This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 380d9c5a7392741ff2134ef1e83df45a29293db3
Author: Stefan Metzmacher 
Date:   Wed May 8 16:12:06 2024 +0200

.gitlab-ci-main.yml: debug kernel details of the current runner

Signed-off-by: Stefan Metzmacher

[Announce] Samba 4.20.1 Available for Download

2024-05-08 Thread Jule Anger via samba-announce 

Release Announcements
-

This is the latest stable release of the Samba 4.20 release series.


Changes since 4.20.0


o  Douglas Bagnall 
   * BUG 15630: dns update debug message is too noisy.

o  Alexander Bokovoy 
   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.

o  Pavel Filipenský 
   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.

o  Anna Popova 
   * BUG 15636: Smbcacls incorrectly propagates inheritance with 
Inherit-Only

 flag.

o  Noel Power 
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.

o  Andreas Schneider 
   * BUG 15600: Provide a systemd service file for the background queue 
daemon.



###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.20.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team

[SCM] Samba Website Repository - branch master updated

2024-05-08 Thread Jule Anger 
The branch, master has been updated
   via  2ec8209 NEWS[4.20.1]: Samba 4.20.1 Available for Download
  from  4728e21 NEWS[4.19.6]: Samba 4.19.6 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 2ec82090dff0576c8d451b444d01b9e8d2d44abf
Author: Jule Anger 
Date:   Wed May 8 10:05:24 2024 +0200

NEWS[4.20.1]: Samba 4.20.1 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.20.1.html| 54 
 posted_news/20240508-080633.4.20.1.body.html | 13 ++
 posted_news/20240508-080633.4.20.1.headline.html |  3 ++
 4 files changed, 71 insertions(+)
 create mode 100644 history/samba-4.20.1.html
 create mode 100644 posted_news/20240508-080633.4.20.1.body.html
 create mode 100644 posted_news/20240508-080633.4.20.1.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 8f60ff2..984ad78 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
Release Notes


+   samba-4.20.1
samba-4.20.0
samba-4.19.6.
samba-4.19.5.
diff --git a/history/samba-4.20.1.html b/history/samba-4.20.1.html
new file mode 100644
index 000..1206074
--- /dev/null
+++ b/history/samba-4.20.1.html
@@ -0,0 +1,54 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.20.1 - Release Notes
+
+
+Samba 4.20.1 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>Samba 
4.20.1 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>Patch
 (gzipped) against Samba 4.20.0
+https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall douglas.bagn...@catalyst.net.nz
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy a...@samba.org
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský pfilipen...@samba.org
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova popova.anna...@gmail.com
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15611: http library doesnt support chunked transfer 
encoding.
+
+o  Andreas Schneider a...@samba.org
+   * BUG 15600: Provide a systemd service file for the background queue daemon.
+
+
+
+
+
+
diff --git a/posted_news/20240508-080633.4.20.1.body.html 
b/posted_news/20240508-080633.4.20.1.body.html
new file mode 100644
index 000..0aef412
--- /dev/null
+++ b/posted_news/20240508-080633.4.20.1.body.html
@@ -0,0 +1,13 @@
+
+08 May 2024
+Samba 4.20.1 Available for Download
+
+This is the first stable release of the Samba 4.20 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>downloaded
 now.
+A https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>patch
 against Samba 4.20.0 is also available.
+See https://www.samba.org/samba/history/samba-4.20.1.html;>the 
release notes for more info.
+
+
diff --git a/posted_news/20240508-080633.4.20.1.headline.html 
b/posted_news/20240508-080633.4.20.1.headline.html
new file mode 100644
index 000..143404a
--- /dev/null
+++ b/posted_news/20240508-080633.4.20.1.headline.html
@@ -0,0 +1,3 @@
+
+ 08 May 2024 Samba 4.20.1 Available for Download
+


-- 
Samba Website Repository

[SCM] Samba Shared Repository - branch v4-20-stable updated

2024-05-08 Thread Jule Anger 
The branch, v4-20-stable has been updated
   via  0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
   via  d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1.
   via  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children
   via  d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only 
flag propagation
   via  83da49f3489 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh
   via  84f82a09ffd selftest: Add "winbind expand groups = 1" to 
setup_ad_member_idmap_ad
   via  83701298384 s3:winbindd: Improve performance of lookup_groupmem() 
in idmap_ad
   via  8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad
   via  215bb9bd48e Do not fail checksums for RFC8009 types
   via  db60a1947b8 s4:dns_server: less noisy, more informative debug 
messages
   via  9155d89a2ae packaging: Provide a systemd service file for samba-bgqd
   via  077f39baf7c libcli/http: Detect unsupported Transfer-encoding type
   via  2fb1bf0205f selftest: Add new test for testing non-chunk transfer 
encoding
   via  30bf3d1430f selftest: fix potential reference before assigned error
   via  a70e3a36c82 libcli/http: Handle http chunked transfer encoding
   via  7e17e4809d5 tests: add test for chunked encoding with http cli 
library
   via  26206392153 libcli/http: Optimise reading for content-length
   via  71eac5a065f selftest: Add basic content-lenght http tests
   via  19250e13ab6 Add simple http_client for use in black box tests (in 
following commits)
   via  eaefe50327d VERSION: Bump version up to Samba 4.20.1...
  from  8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable


- Log -
---

Summary of changes:
 VERSION|   2 +-
 WHATSNEW.txt   |  55 +++
 auth/kerberos/kerberos_pac.c   |  47 ++-
 docs-xml/manpages/idmap_ad.8.xml   |  10 +
 lib/krb5_wrap/krb5_samba.h |  28 ++
 libcli/http/http.c | 309 +++-
 libcli/http/http_internal.h|   4 +
 nsswitch/tests/test_idmap_ad.sh|  22 ++
 .../{samba.service.in => samba-bgqd.service.in}|   9 +-
 packaging/wscript_build|   3 +-
 python/samba/tests/blackbox/http_chunk.py  | 129 +++
 python/samba/tests/blackbox/http_content.py|  95 +
 .../blackbox/smbcacls_propagate_inhertance.py  | 108 ++
 selftest/target/Samba3.pm  |   1 +
 selftest/tests.py  |   2 +
 source3/utils/smbcacls.c   |   4 +
 source3/winbindd/winbindd_ads.c|  11 +-
 source4/client/http_test.c | 401 +
 source4/dns_server/dnsserver_common.c  |   9 +-
 source4/wscript_build  |   5 +
 20 files changed, 1200 insertions(+), 54 deletions(-)
 copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%)
 create mode 100644 python/samba/tests/blackbox/http_chunk.py
 create mode 100644 python/samba/tests/blackbox/http_content.py
 create mode 100644 source4/client/http_test.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 482360b7d68..cfa7539380b 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c97836d36f..8249e9326f9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall 
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy 
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský 
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support 'chunked transfer encoding'.
+
+o  Andreas Schneider

[SCM] Samba Shared Repository - annotated tag samba-4.20.1 created

2024-05-08 Thread Jule Anger 
The annotated tag, samba-4.20.1 has been created
at  dc3912d4f21e57549c2062e03c9bf94afb9d8307 (tag)
   tagging  0ba948cba0b8b0dd4fddbc94999a61b883a3326d (commit)
  replaces  samba-4.20.0
 tagged by  Jule Anger
on  Wed May 8 10:05:04 2024 +0200

- Log -
samba: tag release samba-4.20.1
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmY7MjAACgkQqplEL7aA
tiDa3A//dCJ/HRwM2pK3vHtVoOVZ3FTDHRSDn+/ys4VDkby9nO78rosEmcUJhCfF
jX41DgU+j6s/Y47cHAtp2uVQOTws/tY8FbMxj84XbeDlOOCXo8UPcpqhxUGP5piL
LPXfENkirfAuS30G+B7tMqit+i/9fOTbKcjLfY1QPo06Cb8wle0twkVmOQzmm4rz
Mh2VjIESvVeo8CVNHpS7DANtJfh27/V4gRvusnmyip6HYqRMuzzJoqOPaCYd1/fj
/0E6iLFnfTfjEfqQcnLRJV5Z5UKuLgEowJ6PfUnsKIw28bFwKp5qh8Tn6n2z/sT8
kU8qO25ITAIItJy5tnrnIchvkBNxBt2MnO5OWIEbkWUhTIpcxrk69lxk0med+iDG
AovAw2hFsBhdsdmcp888HnGr1j9XcfD/55JK+ETgS39Nwbow1InvsFdc51wgUAAf
X39VkVLoL7W/WaFINRJS/PWkDYQ8esHXtqT7Zg/6+NNj4b2FKw6Z8yoj5r/Iwo44
TiqX+DUBWv70B0gXuRB65C++fiSJoPoCIOJR2HXV0OXFTL4Vyd0uwugiZznEd4AZ
g9ESUmt4DUzsENXHJaL1WaXa2rI8UBy3VMK6VIyLGfmH3YlhJFuvFTj/DkZpQHm1
kxXX3iZZmwPlfq/qste2Ig9RWuQth3Nwoong/1frR2Gjk1FEKp4=
=/YuZ
-END PGP SIGNATURE-

Alexander Bokovoy (1):
  Do not fail checksums for RFC8009 types

Andreas Schneider (1):
  packaging: Provide a systemd service file for samba-bgqd

Anna Popova (1):
  s3:utils: Fix Inherit-Only flag being automatically propagated to children

Douglas Bagnall (1):
  s4:dns_server: less noisy, more informative debug messages

Jule Anger (3):
  VERSION: Bump version up to Samba 4.20.1...
  WHATSNEW: Add release notes for Samba 4.20.1.
  VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.

Noel Power (8):
  Add simple http_client for use in black box tests (in following commits)
  selftest: Add basic content-lenght http tests
  libcli/http: Optimise reading for content-length
  tests: add test for chunked encoding with http cli library
  libcli/http: Handle http chunked transfer encoding
  selftest: fix potential reference before assigned error
  selftest: Add new test for testing non-chunk transfer encoding
  libcli/http: Detect unsupported Transfer-encoding type

Pavel Filipenský (4):
  docs-xml: Add parameter all_groupmem to idmap_ad
  s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
  selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
  tests: Add a test for "all_groups=no" to test_idmap_ad.sh

yuzu367 (1):
  python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

---


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-05-08 Thread Jule Anger 
The branch, v4-20-test has been updated
   via  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...
   via  0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
   via  d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1.
  from  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 9b6bc91254c96a248047c01d68a074edea3f0e6a
Author: Jule Anger 
Date:   Wed May 8 10:00:33 2024 +0200

VERSION: Bump version up to Samba 4.20.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 0ba948cba0b8b0dd4fddbc94999a61b883a3326d
Author: Jule Anger 
Date:   Wed May 8 10:00:17 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.

Signed-off-by: Jule Anger 

commit d01b50ec4f3cc3c91677703677e3b45cd1d94758
Author: Jule Anger 
Date:   Wed May 8 09:59:43 2024 +0200

WHATSNEW: Add release notes for Samba 4.20.1.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 55 +++
 2 files changed, 56 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 81c319ddc0c..e279f2933b8 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c97836d36f..8249e9326f9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall 
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy 
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský 
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support 'chunked transfer encoding'.
+
+o  Andreas Schneider 
+   * BUG 15600: Provide a systemd service file for the background queue daemon.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.20.0
March 27, 2024


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2024-05-07 Thread Andrew Bartlett 
The branch, master has been updated
   via  9844ac289be ldb-samba: ldif_read_objectSid avoids VLA
   via  bf4af1a28a3 ldb-samba: ldif_read_objectSid() short-circuits without 
'S'
   via  6c0bdf37187 lib/fuzzing: add fuzz_stable_sort_r_unstable
   via  59cbaa91348 ldb: note a transitivity problem in ldb_comparison_fold
   via  e2051eebd49 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  f81b7c7eb20 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  3e899ef5bfa ldb-samba: remove unused 
ldif_comparision_objectSid_isString()
   via  8c702735641 ldb-samba: simplify extended_dn_read_SID()
   via  c6c7cb8d4ba ldb-samba: simplify ldif_canonicalise_objectSid()
   via  be5fd9a3a1b ldb-samba: simplify ldif_comparison_objectSid()
   via  d801ed8b111 pytest: sid_strings: Samba DN object refuses sub-auth 
overflow
   via  edf9b282ba6 pytest: sid_strings: adjust to match Windows 2016
   via  473502d1701 pytest: sid_strings: Windows does allow lowercase 
s-1-... SIDs
   via  fb724c61107 pytest: sid_strings: use more reliable well known SID
   via  ae4f095586e ldb-samba: ldif_write_schemaInfo() uses correct size
   via  13af2cb0217 lib:util: codepoint_cmpi: be transitive and 
case-insensitive
   via  310d59c7cc3 lib:util:tests: more tests for codepoint_cmpi
   via  827b0c39ed0 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  c5c29f59fa6 s4:rpc_srv:getncchanges: USN sort uses qsort() instead 
of ldb_qsort()
   via  65df8ce05c1 s4:rpc_srv:getncchanges: 4.5 anc emulation uses 
qsort(), not ldb_qsort()
   via  5335f122fb5 s4:dsdb:mod: repl_md: make message_sort transitive
   via  7f995ab887a ldb:tools: ldbsearch doesn't need ldb_qsort()
   via  b37186cf917 s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
   via  91b802941c1 s4:dsdb:util_trusts: describe dns_cmp return values
   via  8f080c0295d ldb:tests: add a test for dotted i uppercase
   via  af7654331fb ldb: avoid NULL deref in ldb_db_compare
  from  d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9844ac289be3430fd3f72c5e57fa00e012c5d417
Author: Douglas Bagnall 
Date:   Sat May 4 13:40:35 2024 +1200

ldb-samba: ldif_read_objectSid avoids VLA

I don't think this variable length array is any trouble, but people
complain about them (e.g. https://nullprogram.com/blog/2019/10/27/)
because they make things more complex at run-time, and this is a
somewhat performance sensitive path.

DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to
cause trouble, then so was the VLA <= that.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May  8 00:26:42 UTC 2024 on atb-devel-224

commit bf4af1a28a3580223fcc3a861c7fdd1b43f234d1
Author: Douglas Bagnall 
Date:   Sat May 4 13:32:39 2024 +1200

ldb-samba: ldif_read_objectSid() short-circuits without 'S'

This avoids a memcpy, and level 3 debug verbosity from
dom_sid_parse_endp().

In other places we have something like `|| in->data[1] != '-'`, but
that is not useful here -- the value is either a string SID, or a
binary SID that starts with '\1', or some awful value that we *do*
want to get messages about.

This replaces the work of ldif_comparision_objectSid_isString().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6c0bdf371878eb1a3a1c3b1663379a89bd0ec2c0
Author: Douglas Bagnall 
Date:   Wed May 1 17:16:38 2024 +1200

lib/fuzzing: add fuzz_stable_sort_r_unstable

This should find out how well stable_sort copes with an unstable
non-transitive comparison function.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 59cbaa91348857c51854ee5e6bc8f78cdcde4e56
Author: Douglas Bagnall 
Date:   Tue Apr 30 12:41:25 2024 +1200

ldb: note a transitivity problem in ldb_comparison_fold

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e2051eebd492a419f840280336eb242d0b4a26ac
Author: Douglas Bagnall 
Date:   Fri Apr 26 15:58:44 2024 +1200

ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold

If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.

If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to

[SCM] Samba Shared Repository - branch master updated

2024-05-07 Thread Stefan Metzmacher 
The branch, master has been updated
   via  d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value 
from 'client use kerberos'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d58a72c572f63619111f43f6ea39ff84ae0df16e
Author: Andrew Bartlett 
Date:   Tue May 7 22:32:08 2024 +1200

.gitlab-ci: Remove tags no longer provided by gitlab.com

GitLab.com removed a number of tags from their hosted
runners and this meant our CI was being redirected to
our private runners at a larger cost to the Samba Team.

The new infrastructure is much larger than when we last
selected runners so we can just use the default, even for
the code coverage build.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue May  7 13:40:55 UTC 2024 on atb-devel-224

---

Summary of changes:
 .gitlab-ci-coverage-runners.yml |  8 +---
 .gitlab-ci-default-runners.yml  | 44 +++--
 2 files changed, 12 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml
index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml
+++ b/.gitlab-ci-coverage-runners.yml
@@ -1,10 +1,4 @@
 include:
   - /.gitlab-ci-default-runners.yml
 
-.shared_runner_test:
-  # We need the more powerful n1-standard-2 runners
-  # in order to handle the lcov overhead.
-  #
-  # See .gitlab-ci-default-runners.yml for more details
-  tags:
-- gitlab-org-docker
+# Currently we're happy with the defaults
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml
index f73f868d39c..bdc504aff21 100644
--- a/.gitlab-ci-default-runners.yml
+++ b/.gitlab-ci-default-runners.yml
@@ -1,48 +1,26 @@
-# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners:
+# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html
 #
 #   ...
 #
-#   All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, 
CoreOS
-#   and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB 
of
-#   HDD disk space. The default region of the VMs is US East1. Each instance is
-#   used only for one job, this ensures any sensitive data left on the system 
can’t
-#   be accessed by other people their CI jobs.
-#
-#   The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are 
dedicated
-#   for GitLab projects as well as community forks of them. They use a slightly
-#   larger machine type (n1-standard-2) and have a bigger SSD disk size. They 
don’t
-#   run untagged jobs and unlike the general fleet of shared runners, the 
instances
-#   are re-used up to 40 times.
-#
-#   ...
-#
-# The n1-standard-1 runners seem to be tagged with 'docker' together with 
'gce'.
-#
-# The more powerful n1-standard-2 runners seem to be tagged with
-# 'gitlab-org-docker' or some with just 'gitlab-org'.
-#
+#   Runner Tag  vCPUs   Memory   Storage
+#   saas-linux-small-amd64  2   8 GB 25 GB
 #
 # Our current private runner 'docker', 'samba-ci-private', 'shared' and
 # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an
-# ext4 filesystem and similar RAM as the n1-standard-2 runners.
+# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM.
 #
 
 .shared_runner_build:
-  # We use n1-standard-1 shared runners by default.
-  #
-  # There are currently 5 shared runners with 'docker' and 'gce',
-  # while there are only 2 provising 'docker' together with 'shared'.
+  # We use saas-linux-small-amd64 shared runners by default.
+  # We avoid adding explicit tags for them in order
+  # to work with potential changes in future
   #
-  # We used to fallback to our private runner if the docker+shared runners
-  # were busy, but now that we use the 5 docker+gce runners, we try to only
-  # use shared runners without a fallback to our private runner!
-  # Lets see how that will work out.
-  tags:
-- docker
-- gce
+  # In order to generate valid yaml, we define a dummy variable...
+  variables:
+SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build
 
 .shared_runner_test:
-  # Currently we're fine using the n1-standard-1 runners also for testing
+  # We use saas-linux-small-amd64 shared runners by default.
   extends: .shared_runner_build
 
 .private_runner_test:


-- 
Samba Shared Repository

  1   2   3   4   5   6   7   8   9   10   >