[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
  via 76fec2668e7 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
  via db350bc573b s4:dns_server: dns_verify_tsig should return REFUSED on error
  via 5906ed94f2c s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
  via ae7538af044 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
  via bd0235cd515 s4:dns_server: use the client provided algorithm for the fake TSIG structure
  via 3467d149149 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
  via fa0f23e69ea s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
  via a56627b0d12 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
  via 708a6fae697 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
  via 753428a3b6c s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
  via 88457da00d4 python:tests/dns_base: add get_unpriv_creds() helper
  via 848318338b2 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
  via 8324d0739df python:tests/dns_base: let verify_packet() work against Windows
  via de4ed363d37 python:tests/dns_tkey: test bad and changing tsig algorithms
  via b9b03ca503c python:tests/dns_tkey: add gss.microsoft.com tsig updates
  via 3c7cb85eaf8 python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
  via 740bda87a80 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
  via b0af60e7850 python:tests/dns_base: maintain a dict with tkey related state
  via 1b1e7e06cf6 python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
  via 27d92fa808c python:tests/dns_base: pass tkey_trans(expected_rcode)
  via cd747307d84 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
  via f8dfa9b33bd python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
  via 6e997f93d53 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
  via ce591464cb1 python:tests/dns_base: add self.assert_echoed_dns_error()
  via c741d0f3969 python:tests/dns_base: let dns_transaction_tcp() handle short receives
  via c594cbad4af python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
  via ae23d512a72 python:tests/dns_base: generate a real signature in bad_sign_packet()
  via 319836ce9e6 lib/addns: remove unused kerberos/gssapi includes in dns.h
  from 096d3807b05 build: Make "samba4" public libraries provided (mostly) for OpenChange private

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit ed61c57e02309b738e73fb12877a0a565b627724
Author: Stefan Metzmacher
Date: Thu May 30 14:52:22 2024 +0200

    s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

    If the client does not have permissions to update the record, but the record already has the data the update tries to apply, it's a no-op that should result in success instead of failing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224

commit 76fec2668e73b9d15447abee551d5c04148aaf27
Author: Stefan Metzmacher
Date: Thu May 30 14:39:28 2024 +0200

    s4:dns_server: correctly sign dns update responses with gss-tsig like Windows

    This means we no longer generate strange errors/warnings in the Windows event log nor in the nsupdate -g output.

    Note: this is the only difference between gss-tsig and the legacy gss.microsoft.com algorithms.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit db350bc573b378fb0615bdd8592cc9c62f6db146
Author: Stefan Metzmacher
Date: Thu May 30 14:42:53 2024 +0200

    s4:dns_server: dns_verify_tsig should return REFUSED on error

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7
Author: Stefan Metzmacher
Date: Thu May 30 14:41:21 2024 +0200

    s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit ae7538af04435658d2ba6dcab109beecb6c5
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 096d3807b05 build: Make "samba4" public libraries provided (mostly) for OpenChange private
  via d11b281aefa build: Remove incorrect pyembed=True from samba-policy
  via 829b52f99d5 s4-libnet: Split up samba-net into samba-net and samba-net-join
  from a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix flapping test

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 096d3807b0588ed4d03bd99bc96163a4821ec010
Author: Andrew Bartlett
Date: Mon May 27 09:24:13 2024 +1200

    build: Make "samba4" public libraries provided (mostly) for OpenChange private

    These libraries, mostly with ABI versions of 0.0.1 were made public in the early development of Samba4 and have not been seriously considered since.

    Most are to allow OpenChange to build. While the OpenChange server is no longer actively used, the MAPI client is used and we need to allow packages to be built that will allow the Evolution MAPI client to still work.

    Some appear to be mistakes (dcerpc-samr), historical aberrations (tevent-util) or ideas that did not go very far (the samba-policy library for example).

    To allow any remaining users to access them, they are not made private in the build system but are instead listed so that they can be made public again via ./configure with the same --private-libraries='!LIB' syntax introduced to make ldb private by default.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Jun 5 21:47:24 UTC 2024 on atb-devel-224

commit d11b281aefa98e6850053ccd6142253c6cf0d04f
Author: Andrew Bartlett
Date: Mon May 27 07:28:33 2024 +1200

    build: Remove incorrect pyembed=True from samba-policy

    This is a normal C library, used by python but does not use any python itself (nor by dependencies any longer).

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

commit 829b52f99d5a9c9df19c9eb67611618095967edd
Author: Andrew Bartlett
Date: Mon May 27 19:44:38 2024 +1200

    s4-libnet: Split up samba-net into samba-net and samba-net-join

    samba-net-join links to python and so needs the variable name with the python ABI tag, while samba-net is a normal C library and can be included in a package without python dependencies.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

---
Summary of changes:
 WHATSNEW.txt | 21 +
 source4/lib/policy/wscript_build | 13 -
 source4/libnet/libnet_join.c | 1 +
 source4/libnet/libnet_vampire.c | 1 +
 source4/libnet/py_net.c | 1 +
 source4/libnet/wscript_build | 23 +++
 source4/torture/libnet/libnet_BecomeDC.c | 1 +
 source4/torture/rpc/testjoin.c | 1 +
 source4/torture/wscript_build| 6 +++---
 wscript | 20 +++-
 10 files changed, 67 insertions(+), 21 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 67bdb963cca..6d1368c42b1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -69,6 +69,27 @@ never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 removes this unused and broken feature. +Some Samba public libraries made private by default +--- + +The following Samba C libraries are currently made public due to their +use by OpenChange or for historical reasons that are no longer clear. + + dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig, + samba-credentials, dcerpc_server, samdb + +The libraries used by the OpenChange client now private, but can be +made public (like ldb above) with: + + ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb' + +The C libraries without any known user or used only for the OpenChange +server (a dead project) may be made private entirely in a future Samba +version. + +If you use a Samba library in this list, please be in touch with the +samba-technical mailing list. + Using ldaps from 'winbindd' and 'net ads' - diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build index 027d4bef0b6..f7d9b555f6a 100644 --- a/source4/lib/policy/wscript_build +++ b/source4/lib/policy/wscript_build @@ -3,20 +3,15 @@ pytalloc_util = bld.pyembed_libname('pytalloc-util') -samba_policy = bld.pyembed_libname('samba-policy') -samba_net = bld.pyembed_libname('samba-net') -bld.SAMBA_LIBRARY(samba_policy, +bld.SAMBA_LIBRARY('samba-pol
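Review bot: In the new WHATSNEW.txt section, the sentence "The libraries used by the OpenChange client now private" is missing its verb ("are now private"), and the opening "are currently made public" reads as contradicting the heading "made private by default"; "were previously made public" would match the heading. The text also never says which of the eight listed libraries are the OpenChange-client ones, so the reader has to infer that from the names in the configure example; naming them in the sentence would remove the guesswork.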
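Review bot: In source4/lib/policy/wscript_build the `samba_net = bld.pyembed_libname('samba-net')` variable is removed together with `samba_policy`, so any `deps=` string further down that still interpolates either name would break the build; the visible part of the hunk stops at `bld.SAMBA_LIBRARY('samba-pol`, so this needs confirming against the full patch. Passing a literal instead of the `pyembed_libname()` result also drops the python ABI tag from the library name (the tag the samba-net-join commit message refers to), a file-name change for packagers that the WHATSNEW hunk does not mention.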
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated
  via 65e781a30b2 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
  via fb4c338f030 s3:libads: Do not fail if we don't get an IP passed down
  via 069729202c3 s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
  via 1917b7f052d python: Fix NtVer check for site_dn_for_machine()
  from 9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test

- Log -
commit 65e781a30b247ab1056405322a8c9cbfb4bae03a
Author: Andreas Schneider
Date: Tue May 28 13:54:24 2024 +0200

    s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

    In case of a trusted domain, we are providing the realm of the primary trust but specify the KDC IP of the trusted domain. This leads to Kerberos ticket requests to the trusted domain KDC which doesn't know about the machine account. However we need a ticket from our primary trust KDC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee)

    Autobuild-User(v4-20-test): Jule Anger
    Autobuild-Date(v4-20-test): Wed Jun 5 15:01:54 UTC 2024 on atb-devel-224

commit fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f
Author: Andreas Schneider
Date: Tue May 28 13:53:51 2024 +0200

    s3:libads: Do not fail if we don't get an IP passed down

    The IP should be optional and we should look it up if not provided.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2)

commit 069729202c3b287642e36c777e2b0863f593bca4
Author: Andreas Schneider
Date: Tue May 28 13:51:53 2024 +0200

    s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

    Remove the requirement to provide an IP address. We should look up the IP of the KDC and use it for the specified realm/workgroup.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb)

commit 1917b7f052dc7cb69f544e1f1ef94b48dd4212fb
Author: Andreas Schneider
Date: Mon Apr 15 07:32:02 2024 +0200

    python: Fix NtVer check for site_dn_for_machine()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

    Signed-off-by: Andreas Schneider
    Reviewed-by: David Mulder
    (cherry picked from commit 7a5e7b821259890dd2978e6f113f4a3dad110ea4)

---
Summary of changes:
 python/samba/gp/gpclass.py | 4 +---
 source3/libads/kerberos.c | 32
 source3/winbindd/idmap_ad.c | 11 +--
 3 files changed, 26 insertions(+), 21 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py index 08be472e707..d86aacec138 100644 --- a/python/samba/gp/gpclass.py +++ b/python/samba/gp/gpclass.py @@ -805,9 +805,7 @@ def site_dn_for_machine(samdb, dc_hostname, lp, creds, hostname): samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response, bytes(res.msgs[0]['Netlogon'][0])) -if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX, - (nbt.NETLOGON_NT_VERSION_1 -| nbt.NETLOGON_NT_VERSION_5EX)]: +if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX): raise RuntimeError('site_dn_for_machine: Invalid NtVer in ' + 'netlogon_samlogon_response') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index f76c5665205..6c6d23c29da 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx, char *kdc_str = NULL; char *canon_sockaddr = NULL; - SMB_ASSERT(pss != NULL); - - canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); - if (canon_sockaddr == NULL) { - goto out; - } + if (pss != NULL) { + canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); + if (canon_sockaddr == NULL) { + goto out; + } - kdc_str = talloc_asprintf(frame, - "\t\tkdc = %s\n", - canon_sockaddr); - if (kdc_str == NULL) { - goto out; - } + kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", +
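Review bot: In the site_dn_for_machine() hunk of python/samba/gp/gpclass.py, `if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX)` now accepts any NtVer value that has the 5EX bit set, where the removed check accepted exactly two values; a one-line comment stating why the other bits can be ignored would record that the wider match is intended. The RuntimeError text is unchanged and still omits the offending value; adding `samlogon_response.ntver` in hex to the message would make a failure diagnosable from the log.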
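Review bot: In get_kdc_ip_string() in source3/libads/kerberos.c, once `SMB_ASSERT(pss != NULL)` is replaced by `if (pss != NULL) {`, both `kdc_str` and `canon_sockaddr` stay NULL when the caller passes no address, so every later use in the function has to tolerate NULL; the visible hunk stops inside the new block, so that path needs checking in the rest of the patch, starting with the first later use of `kdc_str`. The function's comment should also state that `pss` is now optional and what happens when it is absent.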