date:20211028

[SCM] Samba Shared Repository - annotated tag samba-4.13.13 created

2021-10-28 Thread Jule Anger

The annotated tag, samba-4.13.13 has been created
at  8eb9ec518ab1e8fa6bd179c0cae5e82d63b6f96c (tag)
   tagging  88d73d0b4eeabc2544e48a8301b1caa0e9aaeccd (commit)
  replaces  ldb-2.2.2
 tagged by  Jule Anger
on  Fri Oct 29 08:19:20 2021 +0200

- Log -
samba: tag release samba-4.13.13
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmF7kmgACgkQqplEL7aA
tiCQJRAAtar34+c16883CXMsuImTiQ1DO9kRyAVme1LhL5FofsJcGhdcy5JiV7Xh
b6gXbPBX97iD/EISx3v7IPBQ0AgSBgp6A0uob4bzrKf4s8U1SH2/2gTB6hnQpJRf
XMyLKcuI2vAC0CdtAknh3ndjMdp/7a9zR4ahiCVfZ0wfmFJICUGAb2XUdNgrx2PH
QUPL/5zf0P4ZZrWGNkAP2+G9M1CKt4AoONeg1mwQs8UZB0exaABheeWbKbTcrnYR
n2HqvjrhT5rRCiLD9Lq0ETxAn1k5/HphPboE+Kjwpte3bc/hp2Eb+xhQG08mDZZX
MgR4XBGbs5jy2rf1RG8dvfk6UJ+n7apR84Nc2YyiUUfKIo5WpDY5aYQ/JzRzMK8L
8OtohFOiS+PIreKguCxLzkYCVMVfRGvNmvvkthPk0o54D9zVrvYrQf1ARN6sGUow
XrzeX24vbBq2p92mKA3vYgNpXj5RpLLLpdr+eZ2XDxj/Cht9o/OnMdyors+Wp/x8
Py9kb4tUKWMLwtAQZRtZajsg5ZJQ4cgXZMt+/iJIkimSI5c/+gEByFfzbZBcQqNi
d/y81bO/DvRUHsPnWOg35MvclSoRGcWq4aI/Np17F2VW2DK432eIkuKtVlc//9Bg
GdA+X8mTOxFqEB0CDczzmUjOBGASiQ1dSaPBwl/l+n8B+w6HWNM=
=b0mV
-END PGP SIGNATURE-

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.13.13.
  VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.

---


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Jule Anger

The branch, v4-13-test has been updated
   via  6671c88157b VERSION: Bump version up to Samba 4.13.14...
   via  88d73d0b4ee VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.
   via  665022c7590 WHATSNEW: Add release notes for Samba 4.13.13.
  from  74e65d7c06c ldb: Release ldb 2.2.1

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6671c88157bf29ddbcc36587a9547e292b185e85
Author: Jule Anger 
Date:   Fri Oct 29 08:12:27 2021 +0200

VERSION: Bump version up to Samba 4.13.14...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 88d73d0b4eeabc2544e48a8301b1caa0e9aaeccd
Author: Jule Anger 
Date:   Fri Oct 29 08:11:43 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.

Signed-off-by: Jule Anger 

commit 665022c7590a16275472c25ae47f47f1417cfe20
Author: Jule Anger 
Date:   Fri Oct 29 08:11:05 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.13.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 101 +--
 2 files changed, 100 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index c65285cf4cd..b2cca84b9c5 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 820185349ef..575ae48705f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,101 @@
+   ===
+   Release Notes for Samba 4.13.13
+  October 29, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.12
+-
+
+o  Douglas Bagnall 
+   * BUG 14868: rodc_rwdc test flaps.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Andrew Bartlett 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Isaac Boukris 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Viktor Dukhovni 
+   * BUG 12998: Fix transit path validation.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Luke Howard 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Stefan Metzmacher 
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  David Mulder 
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Andreas Schneider 
+   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Joseph Sutton 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
+ violation: brlock.tdb, share_entries.tdb.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+   * BUG 14868: rodc_rwdc test flaps.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Nicolas Williams 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: Backpor

[SCM] Samba Shared Repository - branch master updated

2021-10-28 Thread Jeremy Allison

The branch, master has been updated
   via  7f6f4777b40 third_party: Update pam_wrapper to version 1.1.4
   via  6ed71ad7e6a lib: handle NTTIME_THAW in nt_time_to_full_timespec()
   via  0659069f829 torture: add a test for NTTIME_FREEZE and NTTIME_THAW
   via  194faa76161 lib: add a test for null_nttime(NTTIME_THAW)
   via  5503bde93bd lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
   via  e2740e4868f lib: use NTTIME_FREEZE in a null_nttime() test
   via  d84779302cc lib: fix null_nttime() tests
   via  f73aff502ca lib: add NTTIME_THAW
  from  16d43ccfddf lib:cmdline: Fix -k option which doesn't expect anything

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7f6f4777b4081dbfcd875bf6dcbbab03a1fa413d
Author: Andreas Schneider 
Date:   Thu Oct 28 10:50:30 2021 +0200

third_party: Update pam_wrapper to version 1.1.4

Signed-off-by: Andreas Schneider 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Oct 28 19:03:04 UTC 2021 on sn-devel-184

commit 6ed71ad7e6aa98a34cfde95d7d62c46694d58469
Author: Ralph Boehme 
Date:   Tue Oct 5 15:10:33 2021 +0200

lib: handle NTTIME_THAW in nt_time_to_full_timespec()

Preliminary handling of NTTIME_THAW to avoid NTTIME_THAW is passed as some
mangled value down to the VFS set timestamps function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127
RN: Avoid storing NTTIME_THAW (-2) as value on disk

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit 0659069f8292996be475d407b53d161aa3f35554
Author: Ralph Boehme 
Date:   Thu Oct 28 12:55:39 2021 +0200

torture: add a test for NTTIME_FREEZE and NTTIME_THAW

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit 194faa76161a12ae1eae2b471d6f159d97ef75a8
Author: Ralph Boehme 
Date:   Thu Oct 28 10:18:54 2021 +0200

lib: add a test for null_nttime(NTTIME_THAW)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit 5503bde93bddf3634b183e665773399c110251d4
Author: Ralph Boehme 
Date:   Thu Oct 28 10:18:17 2021 +0200

lib: update null_nttime() of -1: -1 is NTTIME_FREEZE

NTTIME_FREEZE is not a nil sentinel value, instead it implies special, yet
unimplemented semantics. Callers must deal with those values specifically 
and
null_nttime() must not lie about their nature.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit e2740e4868f2a49877a86a8666d26226b5657317
Author: Ralph Boehme 
Date:   Thu Oct 28 10:17:01 2021 +0200

lib: use NTTIME_FREEZE in a null_nttime() test

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit d84779302cc54a7b84c05ccc458e04b27fd142f4
Author: Ralph Boehme 
Date:   Wed Oct 27 17:02:48 2021 +0200

lib: fix null_nttime() tests

The test was checking -1 twice:

torture_assert(tctx, null_nttime(-1), "-1");
torture_assert(tctx, null_nttime(-1), "-1");

The first line was likely supposed to test the value "0".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit f73aff502cadabb7fe6b94a697f0a2256d1d4aca
Author: Ralph Boehme 
Date:   Tue Oct 5 15:10:10 2021 +0200

lib: add NTTIME_THAW

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14127

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 buildtools/wafsamba/samba_third_party.py   |   2 +-
 lib/util/tests/time.c  |   5 +-
 lib/util/time.c|   8 +-
 lib/util/time.h|   1 +
 source4/torture/smb2/timestamps.c  | 208 +
 third_party/pam_wrapper/libpamtest.c   |  19 ++-
 third_party/pam_wrapper/libpamtest.h   |  30 +++--
 third_party/pam_wrapper/pam_wrapper.c  | 142 +++-
 third_party/pam_wrapper/python/pypamtest.c | 192 --
 third_party/pam_wrapper/wscript|   7 +-
 10 files changed, 447 insertions(+), 167 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_third_party.py 
b/buildtools/wafsamba/samba_third_party.py
index 1c027cb6870..f046ebc96da 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -44,5 +44,5 @@ Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER
 
 @conf
 def CHECK_PAM_WRAPPER(conf

[SCM] Samba Shared Repository - annotated tag ldb-2.2.2 created

2021-10-28 Thread Stefan Metzmacher

The annotated tag, ldb-2.2.2 has been created
at  492762c29e2a199d012f1e759468380cfa602dcb (tag)
   tagging  74e65d7c06c5eda79105f43d87efcaec09dfbb77 (commit)
  replaces  samba-4.13.12
 tagged by  Stefan Metzmacher
on  Thu Oct 28 17:43:38 2021 +0200

- Log -
ldb: tag release ldb-2.2.2
-BEGIN PGP SIGNATURE-

iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmF6xSoACgkQR5ORYRMI
QCXr1ggAhB94suP/riS28w2YURdJeXgbT/RTavV8lONJElCfOQRPOPd8KgnBLKUE
sBnMJg5kFhWn8EAEowAcj2eaZ/rtAHhmIFbZ4L6bT1JjMPhtA5e+5j4owe4CmfcX
lsZTZmRwyx/k18WF38xZWaYRxyN/ODVqFJxkQW9b7kdH9DMqU/M5Hkhhtxd9bbXQ
GOIDhFVU8wst1gTkAe6BO2NZQafMRQKFhvpXnwT4htERJw3/o7LyYLeT/HtxPVcW
OfEfrjHnbf0SkK0dDxoerNfcmIicdus44J/ML5aET1aiWFJNvQiC18S9znX0W5o9
WqiCt6KgO4sh8qM/xDhYje8AAfUToA==
=S2uI
-END PGP SIGNATURE-

Andreas Schneider (1):
  waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (9):
  autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
  selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
  kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
  kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED 
for servers
  selftest: Remove duplicate setup of $base_dn and $ldbmodify
  selftest: Improve error handling and perl style when setting up users in 
Samba4.pm
  dsdb: Allow special chars like "@" in samAccountName when generating the 
salt
  lib/krb5_wrap: Fix missing error check in new salt code
  ldb: Release ldb 2.2.1

David Mulder (1):
  python: Move dsdb_Dn to samdb

Douglas Bagnall (3):
  python/join: use the provided krbtgt link in cleanup_old_accounts
  pytest/rodc_rwdc: try to avoid race.
  pytest: dynamic tests optionally add __doc__

Isaac Boukris (4):
  kdc: remove KRB5SignedPath, to be replaced with PAC
  kdc: sign ticket using Windows PAC
  krb5: allow NULL parameter to krb5_pac_free()
  krb5: rework PAC validation loop

Joseph Sutton (150):
  krb5pac.idl: Add ticket checksum PAC buffer type
  security.idl: Add well-known SIDs for FAST
  tests/krb5: Calculate expected salt if not given explicitly
  tests/krb5: Add methods to obtain the length of checksum types
  tests/krb5: Use signed integers to represent key version numbers in ASN.1
  tests/krb5: Add KDCOptions flag for constrained delegation
  tests/krb5: Use more compact dict lookup
  tests/krb5: Replace expected_cname_private with expected_anon parameter
  tests/krb5: Allow specifying an OU to create accounts in
  tests/krb5: Allow specifying additional User Account Control flags for 
account
  tests/krb5: Keep track of account DN in credentials object
  tests/krb5: Move padata generation methods to base class
  tests/krb5: add options to kdc_exchange_dict to specify including 
PAC-REQUEST or PAC-OPTIONS
  tests/krb5: Don't create PAC request manually in as_req_tests
  tests/krb5: Don't create PAC request or options manually in fast_tests
  tests/krb5: Remove magic constants
  tests/krb5: Allow specifying ticket flags expected to be set or reset
  tests/krb5: Make time assertion less strict
  tests/krb5: Allow Kerberos requests to be sent to DC or RODC
  tests/krb5: Check for presence of 'renew-till' element
  tests/krb5: Check 'caddr' element
  tests/krb5: Check for presence of 'key-expiration' element
  tests/krb5: Create testing accounts in appropriate containers
  tests/krb5: Allow specifying status code to be checked
  tests/krb5: Get expected cname from TGT for TGS-REQ messages
  tests/krb5: Get encpart decryption key from kdc_exchange_dict
  tests/krb5: Add get_cached_creds() method to create persistent accounts 
for testing
  tests/krb5: Generate padata for FAST tests
  tests/krb5: Sign-extend kvno from 32-bit integer
  tests/krb5: Add method to get RODC krbtgt credentials
  tests/krb5: Add get_secrets() method to get the secret attributes of a DN
  tests/krb5: Allow replicating accounts to the RODC
  tests/krb5: Create RODC account for testing
  tests/krb5: Allow replicating accounts to the created RODC
  python: Don't leak file handles
  python/join: Check for correct msDS-KrbTgtLink attribute
  tests/krb5: Add helper method for modifying PACs
  tests/krb5: Check correct flags element
  tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
  tests/krb5: Allow tgs_req() to send additional padata
  tests/krb5: Allow tgs_req() to specify different kdc-options
  tests/krb5: Allow tgs_req() to send requests to the RODC
  tests/krb5: Allow as_req() to specify different kdc-options
  tests/krb5: Use PAC buffer type constants from krb5pac.idl
  tests/krb5: Don't manually create PAC request and options in fast_tests
  tests/krb5: Set DN of created accounts to ldb.Dn type

[SCM] Samba Shared Repository - branch master updated

2021-10-28 Thread Ralph Böhme

The branch, master has been updated
   via  16d43ccfddf lib:cmdline: Fix -k option which doesn't expect anything
   via  5c6640470aa testprogs: Use new cmdline option for kerberos
  from  2be0a19d448 Revert "samba-tool: Pick local host if calling 
samba-tool from DC"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 16d43ccfddf0e67a0ae87e3f13b3114c858d64ac
Author: Andreas Schneider 
Date:   Wed Oct 27 13:45:15 2021 +0200

lib:cmdline: Fix -k option which doesn't expect anything

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Thu Oct 28 13:23:34 UTC 2021 on sn-devel-184

commit 5c6640470aa845780fbf17961e67b0d9302c2fbc
Author: Andreas Schneider 
Date:   Wed Oct 27 15:30:20 2021 +0200

testprogs: Use new cmdline option for kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14846

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 lib/cmdline/cmdline.c  | 2 +-
 testprogs/blackbox/test_kpasswd_heimdal.sh | 6 +++---
 testprogs/blackbox/test_kpasswd_mit.sh | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 5dd543f244d..753cec27c3f 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -1251,7 +1251,7 @@ static struct poptOption popt_legacy_s3[] = {
{
.longName   = "kerberos",
.shortName  = 'k',
-   .argInfo= POPT_ARG_STRING,
+   .argInfo= POPT_ARG_NONE,
.val= 'k',
.descrip= "DEPRECATED: Migrate to --use-kerberos",
},
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh 
b/testprogs/blackbox/test_kpasswd_heimdal.sh
index 1cf61e5d07d..43f38b09de2 100755
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -71,10 +71,10 @@ testit "kinit with user password" \
do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" \
-   "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
+   "ls" "$SMB_UNC" --use-kerberos=required || failed=`expr $failed + 1`
 
 testit "change user password with 'samba-tool user password' (unforced)" \
-   $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN 
-U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || 
failed=`expr $failed + 1`
+   $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN 
-U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off 
--newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
 
 TEST_PASSWORD_OLD=$TEST_PASSWORD
 TEST_PASSWORD=$TEST_PASSWORD_NEW
@@ -84,7 +84,7 @@ testit "kinit with user password" \
do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
 
 test_smbclient "Test login with user kerberos ccache" \
-   "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
+   "ls" "$SMB_UNC" --use-kerberos=required || failed=`expr $failed + 1`
 
 ###
 ### check that a short password is rejected
diff --git a/testprogs/blackbox/test_kpasswd_mit.sh 
b/testprogs/blackbox/test_kpasswd_mit.sh
index 0d1dcf2eae4..df0f53e0041 100755
--- a/testprogs/blackbox/test_kpasswd_mit.sh
+++ b/testprogs/blackbox/test_kpasswd_mit.sh
@@ -74,7 +74,7 @@ test_smbclient "Test login with user kerberos ccache" \
"ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 
1`
 
 testit "change user password with 'samba-tool user password' (unforced)" \
-   $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN 
-U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || 
failed=`expr $failed + 1`
+   $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN 
-U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off 
--newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
 
 TEST_PASSWORD_OLD=$TEST_PASSWORD
 TEST_PASSWORD=$TEST_PASSWORD_NEW


-- 
Samba Shared Repository

[SCM] pam wrapper repository - annotated tag pam_wrapper-1.1.4 created

2021-10-28 Thread Andreas Schneider

The annotated tag, pam_wrapper-1.1.4 has been created
at  be57e84778893d9933a9e02deaf94c5fcc79bee7 (tag)
   tagging  d938a84d88c5882a08babfb5e10f03a9135237a3 (commit)
  replaces  pam_wrapper-1.1.3
 tagged by  Andreas Schneider
on  Thu Oct 28 10:37:52 2021 +0200

- Log -
pam_wrapper-1.1.4

* NOTE: pam_wrapper stopped working with the latest OpenPAM on FreeBSD 12.
  Help is needed to add back support.
* Added support to retrieve the PAM environment from a python's
  PAMTEST_GETENVLIST
* Added a new keyword parameter to reuse the PAM handle in libpamtest
* Fixed pid range
* Fixed constructor/destructor on AIX
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAmF6YXkACgkQfuD8TcwB
Tj1XRBAApF8syv6/V4xJbLacvGGLc3A8K9I/UaCDGscE1G9ADkqgXCKTlAdtmMnS
rOlkvpCoLmePfkqrNcXB7XtIupWGXQex1S1TBloAuEvl+Q0N/xdzKYo/jRIIFv+t
+K7skBGBI5oxzHegXtlEUbJ4pdW+8dRnFtiRcouerqCDot8pI1x12NRXtWDuEcHp
qGneHOGkfyqKsP9kuNlbn7PFSuuP0Rmpt/HX0axAnBw3PN1f9fr4uypIHAi326kt
bujSgn4wjCmQwrjr7t5CZrg/n4fyDTy6Qt6pnkcxOry8hMenNzyfXypa9BnB8J95
2x0ZtlbKh4XEzrR7zOhO8vkMHKOsTtQ/hcGUdsZvnXax+FMg5QOeDfsJl2RegAIg
57JH/1G7JZ/WQizOITRCrMoF7mUfDVVGhtTDNYnbnbf5cbZGnLV4E1VDHvLA6fEb
zeq9aWJYcT0qFmlEibbOsGSAADtG8sGj+aFnFjaD/tGepNyk+KI9Ip0Jl99dY9Hk
a+i2xzv1aIlFJmNHetPLbAOPpWC91C5/07ZmZkToG7BQE+ifNXa8zgUZTfaAH+5/
ncqyCcFehAdqXKOdKTr+24VNrIbohqGlDvztWW9rB9823MnJlQUefNJRQmSyXvZ/
jDNqsulneLs6wAYVsvQVDjq1tl+pNpSU9CeTYGX3HTUwFM7zYlM=
=h9Hh
-END PGP SIGNATURE-

Andreas Schneider (7):
  tests: Correctly implement free_vlist()
  Revert "pwrap: Add back pso_copy for openSUSE Tumbleweed"
  cmake: Remove configure check for pam_modutil_search_key
  cmake: Check for -Wno-bad-function-cast
  tests: Allow to filter tests
  gitlab-ci: Allow freebsd to fail
  Bump version to 1.1.4

Björn Jacke (2):
  configure: check for pragma init/fini for constructors/destructors
  pam_wrapper.c: fall back to pragma init/fini for constructor/destructor 
if possible

Jakub Jelen (1):
  Accept whole range of supported pids

Samuel Cabrero (6):
  python: Store the pam env in the python test object
  python: Store the pam handle in the python test object
  libpamtest: Add a new keyword parameter to reuse the PAM handle
  python: Export pam_setcred flags, to be used in python testcase objects
  cmake: Silence warning with gcc version >= 8
  libpamtest: Fix missing pam_handle argument in run_pamtest_conv macro

Valentin Vidic (2):
  libpamtest: include stddef.h in libpamtest.h
  libpamtest: fix comments for pamtest_conv_data

---


-- 
pam wrapper repository

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher

The branch, v4-13-test has been updated
   via  74e65d7c06c ldb: Release ldb 2.2.1
   via  c532b425e73 pyldb: Make ldb.Message containment testing consistent 
with indexing
   via  64c41d30986 pyldb: Add tests for ldb.Message containment testing
   via  65f3e987675 pyldb: Raise TypeError for an invalid ldb.Message index
   via  4ff0a23a04b pyldb: Add test for an invalid ldb.Message index type
   via  f45e89e4326 s4/torture/drs/python: Fix attribute existence check
   via  4d1c5cc73b0 pyldb: Fix deleting an ldb.Control critical flag
   via  5e9441d55f6 pytest:segfault: Add test for deleting an ldb.Control 
critical flag
   via  a2e0682d928 pyldb: Fix deleting an ldb.Message dn
   via  d2189833c7e pytest:segfault: Add test for deleting an ldb.Message dn
   via  c7c10298973 Fix Python docstrings
   via  0c36416e319 pyldb: Avoid use-after-free in msg_diff()
   via  400d04533ab ldb_msg: Don't fail in ldb_msg_copy() if source DN is 
NULL
   via  f47f0f9f459 pytest:segfault: Add test for ldb.msg_diff()
  from  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 74e65d7c06c5eda79105f43d87efcaec09dfbb77
Author: Andrew Bartlett 
Date:   Mon Oct 4 21:57:25 2021 +1300

ldb: Release ldb 2.2.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184

commit c532b425e739a5a6860e37fd616dc5293cea0f37
Author: Joseph Sutton 
Date:   Sat Sep 25 14:39:59 2021 +1200

pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

commit 64c41d30986a34b3311bc03ffce9a8856c7f4f18
Author: Joseph Sutton 
Date:   Sat Sep 25 13:48:57 2021 +1200

pyldb: Add tests for ldb.Message containment testing

These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

commit 65f3e987675d378afd7df4445d04c86d83cde853
Author: Joseph Sutton 
Date:   Sat Sep 25 13:39:56 2021 +1200

pyldb: Raise TypeError for an invalid ldb.Message index

Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

commit 4ff0a23a04b230bab3454cf88d317304df2cb5cb
Author: Joseph Sutton 
Date:   Sat Sep 25 13:22:05 2021 +1200

pyldb: Add test for an invalid ldb.Message index type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

commit f45e89e432644b5c569808f29d27a537e07f
Author: Joseph Sutton 
Date:   Sat Sep 25 19:18:39 2021 +1200

s4/torture/drs/python: Fix attribute existence check

BUG: https://bugzilla.samba.org/show_bug.cg

[SCM] pam wrapper repository - branch master updated

2021-10-28 Thread Andreas Schneider

The branch, master has been updated
   via  d938a84 Bump version to 1.1.4
   via  42f9d4d gitlab-ci: Allow freebsd to fail
   via  6df5d14 tests: Allow to filter tests
   via  de959bc cmake: Check for -Wno-bad-function-cast
  from  4efe631 cmake: Remove configure check for pam_modutil_search_key

https://git.samba.org/?p=pam_wrapper.git;a=shortlog;h=master


- Log -
commit d938a84d88c5882a08babfb5e10f03a9135237a3
Author: Andreas Schneider 
Date:   Fri Jun 25 10:12:07 2021 +0200

Bump version to 1.1.4

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 

commit 42f9d4dee0c46174f305e65f87d82b2bcb12fe58
Author: Andreas Schneider 
Date:   Tue Oct 5 09:31:12 2021 +0200

gitlab-ci: Allow freebsd to fail

Reviewed-by: Ralph Boehme 

commit 6df5d14e49edc586b5000d552a26e0629b1f3b41
Author: Andreas Schneider 
Date:   Fri Jun 25 13:45:31 2021 +0200

tests: Allow to filter tests

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 

commit de959bc431c9f87eb25b9e006b3a783a66048bd0
Author: Andreas Schneider 
Date:   Fri Jun 25 10:52:14 2021 +0200

cmake: Check for -Wno-bad-function-cast

Fixes the build on freebsd.

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 .gitlab-ci.yml| 3 +++
 CHANGELOG | 9 +
 CMakeLists.txt| 8 
 CompilerChecks.cmake  | 3 +++
 src/python/CMakeLists.txt | 8 +---
 tests/test_pam_wrapper.c  | 7 ++-
 6 files changed, 30 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 839c834..1439b2c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -132,6 +132,9 @@ freebsd/x86_64:
 when: on_failure
 paths:
   - obj/
+  # pam_wrapper stopped to work with the latest OpenPAM version, this is a
+  # bigger effort to investigate.
+  allow_failure: true
 
 tumbleweed/x86_64/gcc:
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
diff --git a/CHANGELOG b/CHANGELOG
index 39772b3..608f45b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,15 @@
 ChangeLog
 ==
 
+version 1.1.4 (released 2020-10-28)
+  * NOTE: pam_wrapper stopped working with the latest OpenPAM on FreeBSD 12.
+Help is needed to add back support.
+  * Added support to retrieve the PAM environment from a python's
+PAMTEST_GETENVLIST
+  * Added a new keyword parameter to reuse the PAM handle in libpamtest
+  * Fixed pid range
+  * Fixed constructor/destructor on AIX
+
 version 1.1.3 (released 2020-03-26)
   * Fixed paths in pkgconfig and cmake config files
 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b453ec3..37dff75 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -11,7 +11,7 @@ list(APPEND CMAKE_MODULE_PATH 
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/Modules")
 include(DefineCMakeDefaults)
 include(DefineCompilerFlags)
 
-project(pam_wrapper VERSION 1.1.3 LANGUAGES C)
+project(pam_wrapper VERSION 1.1.4 LANGUAGES C)
 
 # global needed variables
 set(APPLICATION_NAME ${PROJECT_NAME})
@@ -25,13 +25,13 @@ set(APPLICATION_NAME ${PROJECT_NAME})
 # Increment PATCH.
 set(LIBRARY_VERSION_MAJOR 0)
 set(LIBRARY_VERSION_MINOR 0)
-set(LIBRARY_VERSION_PATCH 6)
+set(LIBRARY_VERSION_PATCH 7)
 set(LIBRARY_VERSION 
"${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}")
 set(LIBRARY_SOVERSION ${LIBRARY_VERSION_MAJOR})
 
-set(PAMTEST_LIBRARY_VERSION_MAJOR 0)
+set(PAMTEST_LIBRARY_VERSION_MAJOR 1)
 set(PAMTEST_LIBRARY_VERSION_MINOR 0)
-set(PAMTEST_LIBRARY_VERSION_PATCH 5)
+set(PAMTEST_LIBRARY_VERSION_PATCH 0)
 set(PAMTEST_LIBRARY_VERSION 
"${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}")
 set(PAMTEST_LIBRARY_SOVERSION ${LIBRARY_VERSION_MAJOR})
 
diff --git a/CompilerChecks.cmake b/CompilerChecks.cmake
index 4fa1a83..6c74b0b 100644
--- a/CompilerChecks.cmake
+++ b/CompilerChecks.cmake
@@ -95,6 +95,9 @@ if (UNIX)
 add_c_compiler_flag("-Wno-error=tautological-compare" 
SUPPORTED_COMPILER_FLAGS)
 endif()
 
+# Needed by src/python/CMakeLists.txt
+check_c_compiler_flag("-Wno-cast-function-type" 
WITH_WNO_CAST_FUNCTION_TYPE)
+
 # Unset CMAKE_REQUIRED_FLAGS
 unset(CMAKE_REQUIRED_FLAGS)
 endif()
diff --git a/src/python/CMakeLists.txt b/src/python/CMakeLists.txt
index e8730d9..faaf569 100644
--- a/src/python/CMakeLists.txt
+++ b/src/python/CMakeLists.txt
@@ -3,6 +3,8 @@ project(pypamtest C)
 add_subdirectory(python2)
 add_subdirectory(python3)
 
-set_source_files_properties(pypamtest.c
-DIRECTORY python2 python3
-PROPERTIES COMPILE_OPTIONS 
"-Wno-cast-function-type")
+if (WITH_WNO_CAST_FUNCTION_TYPE)
+set_source_files_properties(pypamtest.c
+DIRECTORY python2 python3
+

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher

The branch, v4-13-test has been updated
   via  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code
   via  274f16103f6 dsdb: Allow special chars like "@" in samAccountName 
when generating the salt
   via  ae6d74c9ef8 tests/krb5: Add tests for account salt calculation
   via  d3b491c3116 tests/krb5: Fix account salt calculation to match 
Windows
   via  a742af325f9 tests/krb5: Allow specifying the UPN for test accounts
   via  3f376eeaa88 tests/krb5: Allow creating machine accounts without a 
trailing dollar
   via  a2a173d70ad tests/krb5: Allow specifying prefix or suffix for test 
account names
   via  4056198f4c9 tests/krb5: Decrease length of test account prefix
   via  89b9cb8b786 selftest/Samba3: replace (winbindd => "yes", skip_wait 
=> 1) with (winbindd => "offline")
   via  88f824aeb3f selftest/Samba3: remove unused close(USERMAP); calls
   via  c9e54bbe242 waf: Allow building with MIT KRB5 >= 1.20
   via  f01e4e19cf6 selftest: Improve error handling and perl style when 
setting up users in Samba4.pm
   via  2bf0e4224f8 selftest: Remove duplicate setup of $base_dn and 
$ldbmodify
   via  38ebe186f42 selftest: krb5 account creation: clarify account type 
as an enum
   via  18bce6fc477 pytest: dynamic tests optionally add __doc__
   via  a64c25ff097 selftest: Increase account lockout windows to make test 
more realiable
   via  a203de48197 pytest/rodc_rwdc: try to avoid race.
   via  f7d6826afea HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
   via  e9b12d2def9 tests/krb5: Add tests for constrained delegation to 
NO_AUTH_DATA_REQUIRED service
   via  999208d3afa tests/krb5: Ensure PAC is not present if expect_pac is 
false
   via  3eb78cd43b6 kdc: Correctly strip PAC, rather than error on 
UF_NO_AUTH_DATA_REQUIRED for servers
   via  106dc4a0492 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client 
principals
   via  fa32948c1d1 tests/krb5: Add tests for requesting a service ticket 
without a PAC
   via  473278c1301 tests/krb5: Add method to get the PAC from a ticket
   via  033249c56e1 tests/krb5: Allow specifying whether to expect a PAC 
with _test_as_exchange()
   via  33537398392 tests/krb5: Allow get_tgt() to request including or 
omitting a PAC
   via  543478fe985 heimdal:kdc: Fix ticket signing without a PAC
   via  4ff8af7d54d selftest/dbcheck: Fix up RODC one-way links (use 
correct dbcheck rule)
   via  cb044703b29 krb5: Fix PAC signature leak affecting KDC
   via  5919475dc90 s4:kdc: Check ticket signature
   via  9d3419c3068 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a 
global function
   via  6fbde548803 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match 
Windows
   via  e5ca4a51c80 kdc: correctly generate PAC TGS signature
   via  61fb0ba82c6 kdc: use ticket client name when signing PAC
   via  58bc0a4b7f1 kdc: only set HDB_F_GET_KRBTGT when requesting TGS 
principal
   via  49bcbcbb4d6 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum 
fails
   via  c73825d0b01 krb5: rework PAC validation loop
   via  c17bfba3001 krb5: allow NULL parameter to krb5_pac_free()
   via  4114e57a371 kdc: sign ticket using Windows PAC
   via  ff31503bd41 kdc: remove KRB5SignedPath, to be replaced with PAC
   via  6afc41b262e s4/torture: Expect ticket checksum PAC buffer
   via  1486a8a04b0 s4:kdc: Fix debugging messages
   via  8b363a630e5 s4:kdc: Simplify samba_kdc_update_pac_blob() to take 
ldb_context as parameter
   via  0e53c4353a2 tests/krb5: Fix duplicate account creation
   via  f3c36a06998 tests/krb5: Allow bypassing cache when creating accounts
   via  8b947965d4f tests/krb5: Don't include empty AD-IF-RELEVANT
   via  2373c1ac1ef tests/krb5: Add constrained delegation tests
   via  61ec92dc096 tests/krb5: Verify tickets obtained with 
get_service_ticket()
   via  6a1549a4955 tests/krb5: Require ticket checksums if decryption key 
is available
   via  91faad4ef6b tests/krb5: Add TKT_SIG_SUPPORT environment variable
   via  518e990f496 selftest/dbcheck: Fix up RODC one-way links
   via  1ca795a0cb9 tests/krb5: Fix sha1 checksum type
   via  2c6b918ab92 tests/krb5: Provide clearer assertion messages for test 
failures
   via  d46f0d1793b tests/krb5: Disable debugging output for tests
   via  90d58c72bd7 tests/krb5: Simplify padata checking
   via  b08fd85bcb2 tests/krb5: Check logon name in PAC
   via  07ace448a5c tests/krb5: Check padata types when STRICT_CHECKING=0
   via  54fb144fe9a tests/krb5: Add environment variable to specify KDC 
FAST support
   via  8ee28d96b29 tests/krb5: Fix padata checking at functional level 2003
   via  d82e7716f48 tests/krb5: Clarify checksum type assertion message
   via  07e242da411 tests/krb5: Use correct principal name type
   via  5f72fd098f0 tests/krb5: Add compatability tests fo

[SCM] Samba Shared Repository - annotated tag samba-4.13.13 created

[SCM] Samba Shared Repository - branch v4-13-test updated

[SCM] Samba Shared Repository - branch master updated

[SCM] Samba Shared Repository - annotated tag ldb-2.2.2 created

[SCM] Samba Shared Repository - branch master updated

[SCM] pam wrapper repository - annotated tag pam_wrapper-1.1.4 created

[SCM] Samba Shared Repository - branch v4-13-test updated

[SCM] pam wrapper repository - branch master updated

[SCM] Samba Shared Repository - branch v4-13-test updated

9 matches

Site Navigation

Mail list logo

Footer information