[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  bedeeb0b596 tdb: version 1.4.5
       via  aacd3ecb45a tdb: Fix invalid syntax in tdb.h
      from  b724c1e6a66 utils: Avoid pylint warning

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit bedeeb0b596f563e0918cd5f7195ed6aed0817ce
Author: Stefan Metzmacher
Date:   Mon Jul 19 12:57:50 2021 +0200

    tdb: version 1.4.5

    * fix standalone usage of tdb.h

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Günther Deschner

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184

commit aacd3ecb45ab04cb2f8a38a385a45bdca6d88cd2
Author: Günther Deschner
Date:   Fri Jul 16 17:29:40 2021 +0200

    tdb: Fix invalid syntax in tdb.h

    Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with a
    previous fix for Solaris Studio compiler 12.4 that prefixed all calls in
    tdb.h with _PUBLIC_.

    Thanks to Lukas Slebodnik.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762

    Guenther

    Signed-off-by: Günther Deschner
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.5.sigs} | 0
 lib/tdb/include/tdb.h | 13 +
 lib/tdb/wscript | 2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)
 copy lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.5.sigs} (100%)

Changeset truncated at 500 lines:

diff --git a/lib/tdb/ABI/tdb-1.3.17.sigs b/lib/tdb/ABI/tdb-1.4.5.sigs similarity index 100% copy from lib/tdb/ABI/tdb-1.3.17.sigs copy to lib/tdb/ABI/tdb-1.4.5.sigs diff --git a/lib/tdb/include/tdb.h b/lib/tdb/include/tdb.h index 696547c8cd9..884171c73d9 100644 --- a/lib/tdb/include/tdb.h +++ b/lib/tdb/include/tdb.h
@@ -33,6 +33,19 @@ extern "C" { #include #include +/* for old gcc releases that don't have the feature test macro __has_attribute */ +#ifndef __has_attribute +#define __has_attribute(x) 0 +#endif + +#ifndef _PUBLIC_ +#if __has_attribute(visibility) +#define _PUBLIC_ __attribute__((visibility("default"))) +#else +#define _PUBLIC_ +#endif +#endif + /** * @defgroup tdb The tdb API * diff --git a/lib/tdb/wscript b/lib/tdb/wscript index cee0889bd4a..19b256f037c 100644 --- a/lib/tdb/wscript +++ b/lib/tdb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'tdb' -VERSION = '1.4.4' +VERSION = '1.4.5' import sys, os -- Samba Shared Repository
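Review bot: In the tdb.h hunk, the fallback `#define __has_attribute(x) 0` sits in an installed public header and is never undefined, so on a compiler without the builtin every translation unit that includes tdb.h afterwards sees `__has_attribute` as defined and always false, which can silently change other headers' `#ifdef __has_attribute` feature tests. Consider testing through a tdb-private helper macro, or `#undef` the fallback once `_PUBLIC_` is set. With this fallback, older gcc releases also end up with an empty `_PUBLIC_` even where they support the visibility attribute.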
[SCM] Samba Shared Repository - annotated tag tdb-1.4.5 created
The annotated tag, tdb-1.4.5 has been created
        at  cab53d9a2f7b65198bf45ff85f285bc1630f44c7 (tag)
   tagging  bedeeb0b596f563e0918cd5f7195ed6aed0817ce (commit)
  replaces  samba-4.15.0rc1
 tagged by  Stefan Metzmacher
        on  Tue Jul 20 13:57:18 2021 +0200

- Log -
tdb: tag release tdb-1.4.5

Andreas Schneider (3):
      s3:utils: Use better error message for smbtree
      selftest: Add PYTHONPATH for lsp servers to devel_env.sh
      gitignore: Add .cache directory

David Mulder (4):
      gpo: Add Certificate Auto Enrollment Policy
      gpo: Fix up rsop output of ca certificate
      gpo: Test Certificate Auto Enrollment Policy
      Update WHATSNEW for Certificate Auto Enrollment

Günther Deschner (1):
      tdb: Fix invalid syntax in tdb.h

Karolin Seeger (2):
      VERSION: Bump version up to 4.16.0pre1...
      WHATSNEW: Start release notes for Samba 4.16.0pre1.

Martin Schwenke (9):
      utils: Use Python 3
      utils: Clean up ctdb_etcd_lock using autopep8
      utils: Reorder imports so that standard imports are first
      utils: Move argument processing into function and call from main()
      utils: Inline defaults and help strings
      utils: Simplify log level logic, drop global variable
      utils: Tweak exception handling to stop flake8 complaining
      utils: Reformat lines that are longer than 80 columns
      utils: Avoid pylint warning

Stefan Metzmacher (6):
      s4:torture/smb2: add smb2.read.bug14607 test
      s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
      s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
      libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
      libcli/smb: allow unexpected padding in SMB2 READ responses
      tdb: version 1.4.5

Volker Lendecke (1):
      examples: Make winreg.py sample work with python3 in current master

---

--
Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  7818513053a samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
      from  2acad276860 s3: smbd: Don't leak meta-data about the containing directory of the share root.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7818513053aabda046645583fa5bb79a03e2b5ac
Author: Volker Lendecke
Date:   Fri Jul 30 11:43:08 2021 +0200

    samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

    With the above combination, some flavor of lp_load() already
    initializes global_event_ctx, for which the closeall_except() later on
    will happily close the epoll fd for. If we want to close all file
    descriptors at startup, this must be the very first thing overall.

    Can't really write a proper test for this with knownfail that is
    removed with the fix, because if we have clustering+include=registry,
    the whole clusteredmember environment does not even start up.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184

---

Summary of changes:
 selftest/target/Samba3.pm | 1 +
 source3/printing/samba-bgqd.c | 58 +++
 2 files changed, 48 insertions(+), 11 deletions(-)

Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index dc1c14e9628..d0ef659da99 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -517,6 +517,7 @@ sub setup_clusteredmember server signing = on clustering = yes ctdbd socket = ${socket} + include = registry dbwrap_tdb_mutexes:* = yes ${require_mutexes} "; diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c index 4b96fc43092..8ac6ec525b2 100644 --- a/source3/printing/samba-bgqd.c +++ b/source3/printing/samba-bgqd.c
@@ -195,6 +195,44 @@ static int closeall_except(int *fds, size_t num_fds) return 0; } +static int closeall_except_fd_params( + size_t num_fd_params, + const char *fd_params[], + int argc, + const char *argv[]) +{ + int fds[num_fd_params+3]; + size_t i; + struct poptOption long_options[num_fd_params + 1]; + poptContext pc; + int ret; + + for (i=0; i
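Review bot: closeall_except_fd_params() declares two variable-length arrays, `int fds[num_fd_params+3]` and `struct poptOption long_options[num_fd_params + 1]`, sized from a size_t argument with no bound check in the visible lines, and the `+3` is not explained. As the commit message wants this to run before anything else at startup, a short comment saying what the three extra slots hold, plus a fixed upper bound or an early error return when num_fd_params exceeds it, would keep the stack use predictable.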
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  93bac5f1224 winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
      from  23e5b7cc79b s4:torture: Add rpc netlogon fips test

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 93bac5f12240597e1e92291de70a7000a403baca
Author: Stefan Metzmacher
Date:   Mon Aug 2 14:17:47 2021 +0200

    winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()

    Handle the case where a NT4 DC does not fill in the acct_flags in
    the samlogon reply info3. Yes, in 2021, there are still admins
    around with real NT4 DCs.

    NT4 DCs reject authentication with workstation accounts with
    NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
    MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.

    We no longer call dcerpc_samr_QueryUserInfo(level=16) to get the
    acct_flags, as we only ever got ACB_NORMAL back (maybe with
    ACB_PWNOEXP in addition), which is easy to calculate on our own.
    This was removed in commit (for 4.15.0rc1):

      commit 73528f26eea24033a7093e5591b8f89ad2b8644e
      Author:     Ralph Boehme
      AuthorDate: Mon Jan 11 14:59:46 2021 +0100
      Commit:     Jeremy Allison
      CommitDate: Thu Jan 21 22:56:20 2021 +

        winbind: remove legacy flags fallback

        Some very old NT4 DCs might have not returned the account flags
        filled in. This shouldn't be a problem anymore. Additionally, on a
        typical domain member server, this request is (and can only be)
        sent to the primary domain, so this will not work with accounts
        from trusted domains.

        Signed-off-by: Ralph Boehme
        Reviewed-by: Jeremy Allison

        Autobuild-User(master): Jeremy Allison
        Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184

    It means one more caller of the problematic cm_connect_sam() function
    is removed! SAMR connections may not be allowed for machine accounts
    with modern AD DCs.

    For network logons NT4 DCs also skip the account_name, so we have to
    fallback to the one given by the client.

    We have code to cope with that deeply hidden inside of
    netsamlogon_cache_store().

    Up to Samba 4.7 netsamlogon_cache_store() operated on the info3
    structure that was passed to the caller of winbind_dual_SamLogon()
    and pass propagated up to auth_winbind in smbd.

    But for Samba 4.8 the following commit:

      commit f153c95176b7759e10996b24b66d9917945372ed
      Author: Ralph Boehme
      Date:   Mon Dec 11 16:25:35 2017 +0100

        winbindd: let winbind_dual_SamLogon return validation

        Signed-off-by: Ralph Boehme
        Reviewed-by: Stefan Metzmacher

    actually changed the situation and only a temporary info3 structure
    was passed into netsamlogon_cache_store(), which means account_name
    was NULL and get propagated as "" into auth_winbind in smbd, where
    getpwnam() is no longer possible and every smb access gets
    NT_STATUS_LOGON_FAILURE.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Jeremy Allison

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Tue Aug 3 11:10:27 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_pam.c | 65 +
 1 file changed, 65 insertions(+)

Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index a2bb8816859..ea315aecf6d 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c
@@ -1507,6 +1507,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, enum netr_LogonInfoClass logon_type_n; uint16_t validation_level = UINT16_MAX; union netr_Validation *validation = NULL; + TALLOC_CTX *base_ctx = NULL; + struct netr_SamBaseInfo *base_info = NULL; do { struct rpc_pipe_client *netlogon_pipe; @@ -1713,6 +1715,69 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, return result; } + switch (validation_level) { + case 3: + base_ctx = validation->sam3; + base_info = &validation->sam3->base; + break; + case 6: + base_ctx = validation->sam6; + base_info = &validation->sam6->base; + break; + default: + smb_panic(__location__); + } + + if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) { +
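Review bot: The `default: smb_panic(__location__);` arm of the new switch aborts winbindd for any validation_level other than 3 or 6, and validation_level starts out as UINT16_MAX at the top of winbind_samlogon_retry_loop(). Unless an earlier check in the function guarantees one of those two values at this point, returning an NTSTATUS error from this arm would fail the single logon rather than the daemon; a one-line comment naming that guarantee would settle it either way.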
[SCM] Samba Shared Repository - annotated tag samba-4.15.0rc2 created
The annotated tag, samba-4.15.0rc2 has been created
        at  7f38b69e85c5a97fb592a4c17211b96ea75d9bba (tag)
   tagging  16fb5c685a58af1e1d8761ba2c039a6626dabd6a (commit)
  replaces  samba-4.15.0rc1
 tagged by  Stefan Metzmacher
        on  Mon Aug 9 16:06:30 2021 +0200

- Log -
samba: tag release samba-4.15.0rc2

Andreas Schneider (4):
      s3:winbindd: Add a check for the path length of 'winbindd socket directory'
      gitlab: Use shorter names for Samba AD DC env with MIT KRB5
      lib:cmdline: Use lp_load_global() for servers
      configure: Do not put arguments into double quotes

Günther Deschner (1):
      WHATSNEW: mention the offline domain join feature

Jeremy Allison (2):
      s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
      s3: smbd: Don't leak meta-data about the containing directory of the share root.

Jule Anger (2):
      WHATSNEW: Add release notes for Samba 4.15.0rc2.
      VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release.

Karolin Seeger (1):
      VERSION: Bump version up to 4.15.0rc2...

Ralph Boehme (2):
      smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
      smbd: only open full fd for directories if needed

Stefan Metzmacher (8):
      s4:torture/smb2: add smb2.read.bug14607 test
      s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
      s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
      libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer()
      libcli/smb: allow unexpected padding in SMB2 READ responses
      gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
      s4:torture/smb2: add tests to check all signing and encryption algorithms
      s3:smbd: really support AES-256* in the server

Volker Lendecke (1):
      samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

---

--
Samba Shared Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via bdf1c5a NEWS[4.15.0rc2]: Samba 4.15.0rc2 Available for Download from 109fdbb NEWS[4.15.0rc1]: Samba 4.15.0rc1 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit bdf1c5aec5d5e8c8771e4c4c6c34a8cb94ed05ec Author: Stefan Metzmacher Date: Mon Aug 9 16:06:44 2021 +0200 NEWS[4.15.0rc2]: Samba 4.15.0rc2 Available for Download Signed-off-by: Stefan Metzmacher --- Summary of changes: posted_news/20210809-140933.4.15.0rc2.body.html | 12 posted_news/20210809-140933.4.15.0rc2.headline.html | 3 +++ 2 files changed, 15 insertions(+) create mode 100644 posted_news/20210809-140933.4.15.0rc2.body.html create mode 100644 posted_news/20210809-140933.4.15.0rc2.headline.html Changeset truncated at 500 lines: diff --git a/posted_news/20210809-140933.4.15.0rc2.body.html b/posted_news/20210809-140933.4.15.0rc2.body.html new file mode 100644 index 000..2feadcc --- /dev/null +++ b/posted_news/20210809-140933.4.15.0rc2.body.html @@ -0,0 +1,12 @@ + +09 August 2021 +Samba 4.15.0rc2 Available for Download + +This is the second release candidate of the upcoming Samba 4.15 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/rc/samba-4.15.0rc2.tar.gz";>downloaded now. +See https://download.samba.org/pub/samba/rc/samba-4.15.0rc2.WHATSNEW.txt";>the release notes for more info. + + diff --git a/posted_news/20210809-140933.4.15.0rc2.headline.html b/posted_news/20210809-140933.4.15.0rc2.headline.html new file mode 100644 index 000..514dc06 --- /dev/null +++ b/posted_news/20210809-140933.4.15.0rc2.headline.html @@ -0,0 +1,3 @@ + + 09 August 2021 Samba 4.15.0rc2 Available for Download + -- Samba Website Repository
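Review bot: The new body.html text identifies the signing key only as `ID AA99442FB680B620`, which is a 64-bit key ID. Publishing the full key fingerprint in the announcement would let readers confirm that they are verifying the tarball against the intended key.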
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  8858cf72af1 wscript: fix installing pre-commit with 'git worktree'
       via  c7f85146cb5 script/bisect-test.py: add support git worktree
       via  2e2d2eaa104 wafsamba: add support git worktree to vcs_dir_contents()
      from  289b7a1595a s3:libsmb: close the temporary IPC$ connection in cli_full_connection()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 8858cf72af1cc15784749e58f184559a839dd4ef
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wscript: fix installing pre-commit with 'git worktree'

    .git is not always a directory, with 'git worktree' it's a file.

    'git rev-parse --git-path hooks' is the generic way to find the patch
    for the githooks.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

commit c7f85146cb50795afcbb1c607e87d163d241c79a
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    script/bisect-test.py: add support git worktree

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wafsamba: add support git worktree to vcs_dir_contents()

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

---

Summary of changes:
 buildtools/wafsamba/samba_dist.py | 2 +-
 script/bisect-test.py | 2 +-
 wscript | 20 +++-
 3 files changed, 17 insertions(+), 7 deletions(-)

Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py +++ b/buildtools/wafsamba/samba_dist.py @@ -109,7 +109,7 @@ def vcs_dir_contents(path): """ repo = path while repo != "/": -if os.path.isdir(os.path.join(repo, ".git")): +if os.path.exists(os.path.join(repo, ".git")): ls_files_cmd = [ 'git', 'ls-files', '--full-name', os.path.relpath(path, repo) ] cwd = None diff --git a/script/bisect-test.py b/script/bisect-test.py index b87df54ac09..7c5cd635f58 100755 --- a/script/bisect-test.py +++ b/script/bisect-test.py @@ -48,7 +48,7 @@ def find_git_root(): '''get to the top of the git repo''' p = os.getcwd() while p != '/': -if os.path.isdir(os.path.join(p, ".git")): +if os.path.exists(os.path.join(p, ".git")): return p p = os.path.abspath(os.path.join(p, '..')) return None diff --git a/wscript b/wscript index ee7daa953b2..d8220b35095 100644 --- a/wscript +++ b/wscript 
@@ -141,11 +141,21 @@ def configure(conf): conf.env.DEVELOPER = True # if we are in a git tree without a pre-commit hook, install a # simple default. -pre_commit_hook = os.path.join(Context.g_module.top, '.git/hooks/pre-commit') -if (os.path.isdir(os.path.dirname(pre_commit_hook)) and -not os.path.exists(pre_commit_hook)): -shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'), -pre_commit_hook) +# we need git for 'waf dist' +githooksdir = None +conf.find_program('git', var='GIT') +if 'GIT' in conf.env: +githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0], + msg='Finding githooks directory', + define=None, + on_target=False) +if githooksdir and os.path.isdir(githooksdir): +pre_commit_hook = os.path.join(githooksdir, 'pre-commit') +if not os.path.exists(pre_commit_hook): +Logs.info("Installing script/git-hooks/pre-commit-hook as %s" % + pre_commit_hook) +shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'), +pre_commit_hook) conf.ADD_EXTRA_INCLUDES('#include/public #source4 #lib #source4/lib #source4/include #include #lib/replace') -- Samba Shared Repository
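Review bot: In vcs_dir_contents() and find_git_root(), os.path.exists() now treats any filesystem entry named .git as the repository root, including a file that is not a valid gitdir pointer. Testing `os.path.isdir(...) or os.path.isfile(...)` at minimum, or switching to 'git rev-parse --show-toplevel' as the commit message already mentions, would make the upward walk stop only at a real work tree.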
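Review bot: In the wscript hunk, the output of `git rev-parse --git-path hooks` goes straight into os.path.isdir() and os.path.join(), but git prints that path relative to the directory it ran in when the git dir is not absolute, whereas the removed code anchored the hook path at Context.g_module.top. Joining a non-absolute result onto Context.g_module.top (or running the command with that directory as cwd) would keep the behaviour independent of where configure is invoked; it is also worth confirming that the CHECK_COMMAND result carries no trailing newline.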
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated
       via  a8b40f15f90 wscript: fix installing pre-commit with 'git worktree'
       via  e393635ab82 script/bisect-test.py: add support git worktree
       via  87b8e7f39be wafsamba: add support git worktree to vcs_dir_contents()
      from  25f3cb8c973 libcli/smb: allow unexpected padding in SMB2 READ responses

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test

- Log -
commit a8b40f15f907cef89075dba368ec611e4cdbb099
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wscript: fix installing pre-commit with 'git worktree'

    .git is not always a directory, with 'git worktree' it's a file.

    'git rev-parse --git-path hooks' is the generic way to find the patch
    for the githooks.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

    (cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)

    Autobuild-User(v4-14-test): Stefan Metzmacher
    Autobuild-Date(v4-14-test): Thu Aug 12 11:49:18 UTC 2021 on sn-devel-184

commit e393635ab82dbca1d6fee9279a81e274e743b118
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    script/bisect-test.py: add support git worktree

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider
    (cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)

commit 87b8e7f39be6b9b513ed97a150fe814d35108d4c
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wafsamba: add support git worktree to vcs_dir_contents()

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02) --- Summary of changes: buildtools/wafsamba/samba_dist.py | 2 +- script/bisect-test.py | 2 +- wscript | 20 +++- 3 files changed, 17 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py index c211a94d3db..0218cad6271 100644 --- a/buildtools/wafsamba/samba_dist.py +++ b/buildtools/wafsamba/samba_dist.py @@ -109,7 +109,7 @@ def vcs_dir_contents(path): """ repo = path while repo != "/": -if os.path.isdir(os.path.join(repo, ".git")): +if os.path.exists(os.path.join(repo, ".git")): ls_files_cmd = [ 'git', 'ls-files', '--full-name', os.path.relpath(path, repo) ] cwd = None diff --git a/script/bisect-test.py b/script/bisect-test.py index b87df54ac09..7c5cd635f58 100755 --- a/script/bisect-test.py +++ b/script/bisect-test.py @@ -48,7 +48,7 @@ def find_git_root(): '''get to the top of the git repo''' p = os.getcwd() while p != '/': -if os.path.isdir(os.path.join(p, ".git")): +if os.path.exists(os.path.join(p, ".git")): return p p = os.path.abspath(os.path.join(p, '..')) return None diff --git a/wscript b/wscript index 83d94211338..262f1bf8d86 100644 --- a/wscript +++ b/wscript 
@@ -148,11 +148,21 @@ def configure(conf): conf.env.DEVELOPER = True # if we are in a git tree without a pre-commit hook, install a # simple default. -pre_commit_hook = os.path.join(Context.g_module.top, '.git/hooks/pre-commit') -if (os.path.isdir(os.path.dirname(pre_commit_hook)) and -not os.path.exists(pre_commit_hook)): -shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'), -pre_commit_hook) +# we need git for 'waf dist' +githooksdir = None +conf.find_program('git', var='GIT') +if 'GIT' in conf.env: +githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0], + msg='Finding githooks directory', + define=None, + on_target=False) +if gith
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated
       via  eb8518e4fb8 wscript: fix installing pre-commit with 'git worktree'
       via  f9ed3a8cb95 script/bisect-test.py: add support git worktree
       via  24c95d2523f wafsamba: add support git worktree to vcs_dir_contents()
      from  f834da87269 VERSION: Bump version up to Samba 4.15.0rc3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test

- Log -
commit eb8518e4fb828337a331779fbac14a25b0761d45
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wscript: fix installing pre-commit with 'git worktree'

    .git is not always a directory, with 'git worktree' it's a file.

    'git rev-parse --git-path hooks' is the generic way to find the patch
    for the githooks.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

    (cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)

    Autobuild-User(v4-15-test): Stefan Metzmacher
    Autobuild-Date(v4-15-test): Thu Aug 12 12:03:18 UTC 2021 on sn-devel-184

commit f9ed3a8cb95551bb30a1f8ecf4030a3f701176c7
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    script/bisect-test.py: add support git worktree

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andreas Schneider
    (cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)

commit 24c95d2523fd686025bcb7cab88ee2335fab2241
Author: Stefan Metzmacher
Date:   Wed Aug 11 13:26:41 2021 +0200

    wafsamba: add support git worktree to vcs_dir_contents()

    .git is not always a directory, with 'git worktree' it's a file.

    Note we could also use 'git rev-parse --show-toplevel', but that's
    a patch for another day.
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02) --- Summary of changes: buildtools/wafsamba/samba_dist.py | 2 +- script/bisect-test.py | 2 +- wscript | 20 +++- 3 files changed, 17 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py index c211a94d3db..0218cad6271 100644 --- a/buildtools/wafsamba/samba_dist.py +++ b/buildtools/wafsamba/samba_dist.py @@ -109,7 +109,7 @@ def vcs_dir_contents(path): """ repo = path while repo != "/": -if os.path.isdir(os.path.join(repo, ".git")): +if os.path.exists(os.path.join(repo, ".git")): ls_files_cmd = [ 'git', 'ls-files', '--full-name', os.path.relpath(path, repo) ] cwd = None diff --git a/script/bisect-test.py b/script/bisect-test.py index b87df54ac09..7c5cd635f58 100755 --- a/script/bisect-test.py +++ b/script/bisect-test.py @@ -48,7 +48,7 @@ def find_git_root(): '''get to the top of the git repo''' p = os.getcwd() while p != '/': -if os.path.isdir(os.path.join(p, ".git")): +if os.path.exists(os.path.join(p, ".git")): return p p = os.path.abspath(os.path.join(p, '..')) return None diff --git a/wscript b/wscript index ee7daa953b2..d8220b35095 100644 --- a/wscript +++ b/wscript 
@@ -141,11 +141,21 @@ def configure(conf): conf.env.DEVELOPER = True # if we are in a git tree without a pre-commit hook, install a # simple default. -pre_commit_hook = os.path.join(Context.g_module.top, '.git/hooks/pre-commit') -if (os.path.isdir(os.path.dirname(pre_commit_hook)) and -not os.path.exists(pre_commit_hook)): -shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'), -pre_commit_hook) +# we need git for 'waf dist' +githooksdir = None +conf.find_program('git', var='GIT') +if 'GIT' in conf.env: +githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0], + msg='Finding githooks directory', + define=None, + on_target=False) +if githooksdir and os.path.i
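The three worktree commits above rest on one fact: in a linked worktree `.git` is a file holding a `gitdir:` pointer, not a directory. The sketch below is an added example, not Samba's code; it resolves that pointer and the shared hooks directory by hand on a constructed temporary layout. Unlike `git rev-parse --git-path hooks`, it deliberately ignores git configuration such as a custom hooks path.

```python
import os
import tempfile


def read_gitdir_pointer(dotgit_file):
    """Return the directory named by a '.git' file ("gitdir: <path>"), else None."""
    with open(dotgit_file, "r", encoding="utf-8", errors="replace") as fh:
        first = fh.readline().strip()
    if not first.startswith("gitdir:"):
        return None
    target = first[len("gitdir:"):].strip()
    if not target:
        return None
    if not os.path.isabs(target):
        # A relative pointer is relative to the directory holding the .git file.
        target = os.path.join(os.path.dirname(dotgit_file), target)
    return os.path.normpath(target)


def find_git_root(start):
    """Walk upwards; accept a '.git' directory or a '.git' file that resolves."""
    p = os.path.abspath(start)
    while True:
        dotgit = os.path.join(p, ".git")
        if os.path.isdir(dotgit):
            return p, dotgit
        if os.path.isfile(dotgit):
            gitdir = read_gitdir_pointer(dotgit)
            if gitdir is not None and os.path.isdir(gitdir):
                return p, gitdir
        parent = os.path.dirname(p)
        if parent == p:  # reached the filesystem root
            return None, None
        p = parent


def hooks_dir(gitdir):
    """Hooks are shared: a linked worktree's gitdir names the common dir in 'commondir'."""
    common = gitdir
    marker = os.path.join(gitdir, "commondir")
    if os.path.isfile(marker):
        with open(marker, "r", encoding="utf-8") as fh:
            rel = fh.readline().strip()
        common = os.path.normpath(os.path.join(gitdir, rel))
    return os.path.join(common, "hooks")


def build_sample_layout(base):
    """Constructed layout: a main checkout, a linked worktree, a stray '.git' file."""
    main_git = os.path.join(base, "main", ".git")
    admin = os.path.join(main_git, "worktrees", "wt1")
    os.makedirs(os.path.join(main_git, "hooks"))
    os.makedirs(admin)
    with open(os.path.join(admin, "commondir"), "w") as fh:
        fh.write("../..\n")
    wt = os.path.join(base, "wt1")
    os.makedirs(os.path.join(wt, "lib", "tdb"))
    with open(os.path.join(wt, ".git"), "w") as fh:
        fh.write("gitdir: %s\n" % admin)
    stray = os.path.join(base, "stray")
    os.makedirs(stray)
    with open(os.path.join(stray, ".git"), "w") as fh:
        fh.write("not a gitdir pointer\n")
    return main_git, wt, stray


def demo():
    """Compare the old isdir() test, the new exists() test and pointer parsing."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        main_git, wt, stray = build_sample_layout(base)
        root, gitdir = find_git_root(os.path.join(wt, "lib", "tdb"))
        return {
            "isdir_sees_worktree": os.path.isdir(os.path.join(wt, ".git")),
            "exists_sees_worktree": os.path.exists(os.path.join(wt, ".git")),
            "root_is_worktree": root == wt,
            "hooks_shared_with_main": hooks_dir(gitdir) == os.path.join(main_git, "hooks"),
            "exists_accepts_stray": os.path.exists(os.path.join(stray, ".git")),
            "parser_accepts_stray": read_gitdir_pointer(os.path.join(stray, ".git")) is not None,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```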
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  83a654a4efd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
       via  cc3d27596b9 tests/krb5: Ensure PAC is not present if expect_pac is false
       via  031a8287642 kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
       via  92e8ce18a79 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
      from  8a607e7577a netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef
Author: Joseph Sutton
Date:   Mon Oct 18 16:07:11 2021 +1300

    tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184

commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf
Author: Joseph Sutton
Date:   Mon Oct 18 16:05:19 2021 +1300

    tests/krb5: Ensure PAC is not present if expect_pac is false

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher

commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542
Author: Andrew Bartlett
Date:   Mon Oct 18 16:00:45 2021 +1300

    kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers

    UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
    the PAC to be stripped not to give an error if the PAC was still
    present.

    Tested against Windows 2019

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 92e8ce18a79e88c9b961dc20e39436c4cf653013 Author: Andrew Bartlett Date: Mon Oct 18 15:21:50 2021 +1300 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED applies to services only, not to clients. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/raw_testcase.py | 14 ++--- python/samba/tests/krb5/s4u_tests.py| 107 +++- selftest/knownfail_heimdal_kdc | 9 +-- selftest/knownfail_mit_kdc | 1 - source4/kdc/mit_samba.c | 7 --- source4/kdc/pac-glue.c | 5 -- source4/kdc/wdc-samba4.c| 38 7 files changed, 144 insertions(+), 37 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 0790ac13f99..0b9fe8e7a04 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2385,13 +2385,6 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(ticket_private, 'authorization-data', expect_empty=not expect_pac) -if expect_pac: -authorization_data = self.getElementValue(ticket_private, - 'authorization-data') -pac_data = self.get_pac(authorization_data) - -self.check_pac_buffers(pac_data, kdc_exchange_dict) - encpart_session_key = None if encpart_private is not None: self.assertElementPresent(encpart_private, 'key') @@ -2493,6 +2486,13 @@ class RawKerberosTest(TestCaseInTempDir): ticket_private=ticket_private, encpart_private=encpart_private) +if ticket_private is not None: +pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac) +if expect_pac: +self.check_pac_buffers(pac_data, kdc_exchange_dict) +else: +self.assertIsNone(pac_data) + expect_ticket_checksum = kdc_exchange_dict['expect_ticket_checksum'] if expect_ticket_checksum: self.assertIsNotNone(ticket_decryption_key) 
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 9a25256081a..bbb7135b55b 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -538,6 +538,8 @@ class S4UKerberosTests(KDCBaseTest): transited_service = f'host/{service1_name}@{service1_realm}' expected_transited_services.append(transited_service) +expect_pac = kdc_di
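Review bot: In the second raw_testcase.py hunk the PAC check now sits under `if ticket_private is not None:`, so when the ticket could not be decrypted neither check_pac_buffers() nor the new `self.assertIsNone(pac_data)` runs, and a case with expect_pac false passes without verifying that the PAC was stripped. Consider failing, or skipping explicitly, when expect_pac is false and ticket_private is None.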
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  7e961f3f7a8 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
      from  83a654a4efd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7e961f3f7a815960ae25377d5b7515184d439690
Author: Viktor Dukhovni
Date:   Wed Aug 10 23:31:14 2016 +

    HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

    Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
    to not be added to the transit path of issued tickets. This may, in
    some cases, enable bypass of capath policy in Heimdal versions 1.5
    through 7.2.

    Note, this may break sites that rely on the bug. With the bug some
    incomplete [capaths] worked, that should not have. These may now break
    authentication in some cross-realm configurations.

    (similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998

    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

---

Summary of changes:
 source4/heimdal/kdc/krb5tgs.c | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 2de3b099199..7e9379db64a 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -409,8 +409,12 @@ fix_transited_encoding(krb5_context context, "Decoding transited encoding"); return ret; } + +/* + * If the realm of the presented tgt is neither the client nor the server + * realm, it is a transit realm and must be added to transited set. + */ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) { - /* not us, so add the previous realm to transited set */ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) { ret = ERANGE; goto free_realms;
@@ -492,6 +496,7 @@ tgs_make_reply(krb5_context context, const char *server_name, hdb_entry_ex *client, krb5_principal client_principal, + const char *tgt_realm, hdb_entry_ex *krbtgt, krb5_pac mspac, uint16_t rodc_id, @@ -553,7 +558,7 @@ tgs_make_reply(krb5_context context, &tgt->transited, &et, krb5_principal_get_realm(context, client_principal), krb5_principal_get_realm(context, server->entry.principal), -krb5_principal_get_realm(context, krbtgt->entry.principal)); +tgt_realm); if(ret) goto out; @@ -1292,13 +1297,14 @@ tgs_build_reply(krb5_context context, HDB *clientdb, *s4u2self_impersonated_clientdb; krb5_realm ref_realm = NULL; EncTicketPart *tgt = &ticket->ticket; +const char *tgt_realm = /* Realm of TGT issuer */ +krb5_principal_get_realm(context, krbtgt->entry.principal); const EncryptionKey *ekey; krb5_keyblock sessionkey; krb5_kvno kvno; krb5_pac mspac = NULL; uint16_t rodc_id; krb5_boolean add_ticket_sig = FALSE; - hdb_entry_ex *krbtgt_out = NULL; METHOD_DATA enc_pa_data; @@ -2036,6 +2042,7 @@ server_lookup: spn, client, cp, +tgt_realm, krbtgt_out, mspac, rodc_id, -- Samba Shared Repository
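Review bot: In the fix_transited_encoding hunk (@@ -409,8 +409,12 @@) only the comment changes while the test strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm) stays as it was, so the function still trusts whatever realm the caller passes as tgt_realm. The new comment should say that tgt_realm has to be the realm that issued the presented TGT. The summary also shows only krb5tgs.c touched, so a cross-realm test asserting that the previous hop appears in the transited field of the issued ticket would be worth adding alongside this change.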
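Review bot: In the tgs_make_reply hunk (@@ -553,7 +558,7 @@) the realm passed to fix_transited_encoding changes from krb5_principal_get_realm(context, krbtgt->entry.principal) to the new tgt_realm parameter, but the function still receives krbtgt and nothing at the signature documents why the two can differ. At the call site in the @@ -2036,6 +2042,7 @@ hunk the krbtgt argument is krbtgt_out while tgt_realm is derived from krbtgt in tgs_build_reply. A comment on the parameter saying it is the TGT issuer's realm and must not be recomputed from the krbtgt argument would guard against a later cleanup folding it back in.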
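Review bot: In the tgs_build_reply hunk (@@ -1292,13 +1297,14 @@) tgt_realm is initialised in the declaration block by dereferencing krbtgt->entry.principal, ahead of any check visible in this hunk, and the resulting const char * is not consumed until the tgs_make_reply call in the @@ -2036,6 +2042,7 @@ hunk. Please confirm that krbtgt is always non-NULL on entry and is neither released nor replaced before that call, since the pointer borrows from the principal. A one-line comment next to the declaration stating that lifetime assumption would be enough.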
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5eeb441b771 dsdb: Allow special chars like "@" in samAccountName when generating the salt via 46039baa813 tests/krb5: Add tests for account salt calculation via 25bdf4c994e tests/krb5: Fix account salt calculation to match Windows via 889476d1754 tests/krb5: Allow specifying the UPN for test accounts via f4785ccfefe tests/krb5: Allow creating machine accounts without a trailing dollar via 7e39994ed34 tests/krb5: Allow specifying prefix or suffix for test account names via a5a6296e57c tests/krb5: Decrease length of test account prefix via 4dc3c68c9a2 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") via d998f7f8df2 selftest/Samba3: remove unused close(USERMAP); calls via 5d8e794551b waf: Allow building with MIT KRB5 >= 1.20 via 459200caba0 selftest: Improve error handling and perl style when setting up users in Samba4.pm via 2c0658d408f selftest: Remove duplicate setup of $base_dn and $ldbmodify via d4a75eead05 pytest: s3_net_join: avoid name clash via 49306f74eb2 selftest: krb5 account creation: clarify account type as an enum via aacb18f9203 pytest: dynamic tests optionally add __doc__ via 6292f0597f2 selftest: Increase account lockout windows to make test more realiable via a169e013e66 pytest/rodc_rwdc: try to avoid race. 
from 7e961f3f7a8 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed Author: Andrew Bartlett Date: Tue Oct 19 16:01:36 2021 +1300 dsdb: Allow special chars like "@" in samAccountName when generating the salt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184 commit 46039baa81377df10e5b134e4bb064ed246795e4 Author: Joseph Sutton Date: Wed Oct 20 12:46:36 2021 +1300 tests/krb5: Add tests for account salt calculation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe Author: Joseph Sutton Date: Wed Oct 20 12:45:47 2021 +1300 tests/krb5: Fix account salt calculation to match Windows BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 889476d1754f8ce2a41557ed3bf5242c1293584e Author: Joseph Sutton Date: Wed Oct 20 12:45:08 2021 +1300 tests/krb5: Allow specifying the UPN for test accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit f4785ccfefe7c89f84ad847ca3c12f604172b321 Author: Joseph Sutton Date: Wed Oct 20 12:44:19 2021 +1300 tests/krb5: Allow creating machine accounts without a trailing dollar BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5 Author: Joseph Sutton Date: Wed Oct 20 12:41:39 2021 +1300 tests/krb5: Allow specifying prefix or suffix for test account names BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 
a5a6296e57cab2b53617d997c37b4e92d4124cc7 Author: Joseph Sutton Date: Wed Oct 20 12:39:05 2021 +1300 tests/krb5: Decrease length of test account prefix This allows us more room to test with different account names. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de Author: Stefan Metzmacher Date: Tue Oct 5 16:42:00 2021 +0200 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") This is much more flexible and concentrates the logic in a single place. We'll use winbindd => "offline" in other places soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit d998f7f8df215866ab32e05be772e24fc0b2131c Author: Stefan Metzmacher Date: Fri Oct 8 18:04:55 2021 +0200 selftest/Samba3: remove unused close(USERMAP); calls BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett co
[SCM] Samba Shared Repository - branch v4-15-test updated
st_tests via 278eff6115f tests/krb5: Use PAC buffer type constants from krb5pac.idl via c8a724118e6 tests/krb5: Allow as_req() to specify different kdc-options via 3c77ef9dbb5 tests/krb5: Allow tgs_req() to send requests to the RODC via 063f1cbdbe7 tests/krb5: Allow tgs_req() to specify different kdc-options via e4b278566af tests/krb5: Allow tgs_req() to send additional padata via 3e3d205df7c tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange via cba0b1a6c48 tests/krb5: Check correct flags element via 159d451d817 tests/krb5: Add helper method for modifying PACs via 77227799d98 python/join: Check for correct msDS-KrbTgtLink attribute via c8bb7750c86 python: Don't leak file handles via 7b6a5c97092 tests/krb5: Allow replicating accounts to the created RODC via f2d6361dc33 tests/krb5: Create RODC account for testing via b0339d5a1a8 tests/krb5: Allow replicating accounts to the RODC via d413e7d79a3 tests/krb5: Add get_secrets() method to get the secret attributes of a DN via 56f49f117bf tests/krb5: Add method to get RODC krbtgt credentials via f730c68834c tests/krb5: Sign-extend kvno from 32-bit integer via 2af3293f67d tests/krb5: Generate padata for FAST tests via 1d2d30748a9 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing via f44a5b984b7 tests/krb5: Get encpart decryption key from kdc_exchange_dict via 336725dc79f tests/krb5: Get expected cname from TGT for TGS-REQ messages via bc7bdc5b7e0 tests/krb5: Allow specifying status code to be checked via 01b16673af8 tests/krb5: Create testing accounts in appropriate containers via 2bf5265847d tests/krb5: Check for presence of 'key-expiration' element via 6f04bd793ec tests/krb5: Check 'caddr' element via 9ff47e13441 tests/krb5: Check for presence of 'renew-till' element via a1face49c70 tests/krb5: Allow Kerberos requests to be sent to DC or RODC via 5a546788f45 tests/krb5: Make time assertion less strict via 22e1b694879 tests/krb5: Allow specifying ticket flags expected to be set 
or reset via 53336347494 tests/krb5: Remove magic constants via 6bf8e3cb537 tests/krb5: Don't create PAC request or options manually in fast_tests via 2c1a8950b5e tests/krb5: Don't create PAC request manually in as_req_tests via f6c3497e9f9 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS via 138ac8a3a70 tests/krb5: Move padata generation methods to base class via ebecaf715d3 tests/krb5: Keep track of account DN in credentials object via b8485a79791 tests/krb5: Allow specifying additional User Account Control flags for account via 4f47721d599 tests/krb5: Allow specifying an OU to create accounts in via dda665b918b tests/krb5: Replace expected_cname_private with expected_anon parameter via 31e990533c1 tests/krb5: Use more compact dict lookup via 6df25780147 tests/krb5: Add KDCOptions flag for constrained delegation via c625e16ffa6 tests/krb5: Use signed integers to represent key version numbers in ASN.1 via 7bb3ac920f9 tests/krb5: Add methods to obtain the length of checksum types via a08b603d822 tests/krb5: Calculate expected salt if not given explicitly via 487b57cd34e security.idl: Add well-known SIDs for FAST via aef886c7787 krb5pac.idl: Add ticket checksum PAC buffer type from be8fb0218af heimdal:kdc: Only check for default salt for des-cbc-crc enctype https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 753e0dfc6c9def1aebacc593fd4130882ce3ff32 Author: Andrew Bartlett Date: Fri Oct 22 10:50:36 2021 +1300 lib/krb5_wrap: Fix missing error check in new salt code CID 1492905: Control flow issues (DEADCODE) This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184 (cherry picked from commit 5094d986b7686f057195dcb10764295b88967019) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Mon Oct 25 13:05:31 UTC 2021 on sn-devel-184 commit c72b210cdca5bae5377d1069b8e59044f219356c Author: Andrew Bartlett Date: Tue Oct 19 16:01:36 2021 +1300 dsdb: Allow special chars like "@" in samAccountName when generating the salt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmach
[SCM] Samba Shared Repository - branch v4-14-test updated
t_tgt() to get tickets from the RODC via 1e6c77a03af tests/krb5: Allow get_service_ticket() to get tickets from the RODC via 690d90ba615 tests/krb5: Set DN of created accounts to ldb.Dn type via 7ad68c8cc59 tests/krb5: Don't manually create PAC request and options in fast_tests via 71c46e032a9 tests/krb5: Use PAC buffer type constants from krb5pac.idl via eb103f6337a tests/krb5: Allow as_req() to specify different kdc-options via aff414e2a75 tests/krb5: Allow tgs_req() to send requests to the RODC via 8c7d78a2e1a tests/krb5: Allow tgs_req() to specify different kdc-options via c2a61c2c911 tests/krb5: Allow tgs_req() to send additional padata via 76f1deb3cd8 tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange via 61cc6767c32 tests/krb5: Check correct flags element via 5812a13ec5f tests/krb5: Add helper method for modifying PACs via bf06918b44d python/join: Check for correct msDS-KrbTgtLink attribute via 0dcab6505c6 python: Don't leak file handles via 6614fee6e8b tests/krb5: Allow replicating accounts to the created RODC via 82a19ce548e tests/krb5: Create RODC account for testing via 10e46b9b74b tests/krb5: Allow replicating accounts to the RODC via fadecadfe2f tests/krb5: Add get_secrets() method to get the secret attributes of a DN via 61739d1a33a tests/krb5: Add method to get RODC krbtgt credentials via 811714e4f6b tests/krb5: Sign-extend kvno from 32-bit integer via 58f68bf357f tests/krb5: Generate padata for FAST tests via 18c892942ee tests/krb5: Add get_cached_creds() method to create persistent accounts for testing via 7594ba47c19 tests/krb5: Get encpart decryption key from kdc_exchange_dict via 0e1d6fda206 tests/krb5: Get expected cname from TGT for TGS-REQ messages via dcd13ba166e tests/krb5: Allow specifying status code to be checked via 23eaf0160ad tests/krb5: Create testing accounts in appropriate containers via fc91b526f7d tests/krb5: Check for presence of 'key-expiration' element via 95c7eba3951 tests/krb5: Check 'caddr' element via 1984c30ce37 
tests/krb5: Check for presence of 'renew-till' element via 0e80a7ef9c4 tests/krb5: Allow Kerberos requests to be sent to DC or RODC via 39a7676c868 tests/krb5: Make time assertion less strict via d5b1b59cde4 tests/krb5: Allow specifying ticket flags expected to be set or reset via 3edaa318df9 tests/krb5: Remove magic constants via d94233f1e0c tests/krb5: Don't create PAC request or options manually in fast_tests via 7d955391e29 tests/krb5: Don't create PAC request manually in as_req_tests via f63461ffd80 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS via 7b6848c73b0 tests/krb5: Move padata generation methods to base class via c8c0af0b20f tests/krb5: Keep track of account DN in credentials object via ee2a85aba9f tests/krb5: Allow specifying additional User Account Control flags for account via dadedd0d550 tests/krb5: Allow specifying an OU to create accounts in via e1fa2fff930 tests/krb5: Replace expected_cname_private with expected_anon parameter via 231d508a472 tests/krb5: Use more compact dict lookup via a87fdc6629f tests/krb5: Add KDCOptions flag for constrained delegation via 22aa29993e0 tests/krb5: Use signed integers to represent key version numbers in ASN.1 via ba22aee1d8c tests/krb5: Add methods to obtain the length of checksum types via 67d713b9362 tests/krb5: Calculate expected salt if not given explicitly via fb63bdd8283 security.idl: Add well-known SIDs for FAST via 6acbb94dadd krb5pac.idl: Add ticket checksum PAC buffer type from 44636fa0378 ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit c1d2a0570dfc697bbdda6047f10da4ea9cf261f8 Author: Andrew Bartlett Date: Mon Oct 4 21:57:25 2021 +1300 ldb: Release ldb 2.3.1 * Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message (bug 14845) * Fix memory handling in ldb.msg_diff (bug 14836) * Corrected python 
docstrings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848 Signed-off-by: Andrew Bartlett Autobuild-User(v4-14-test): Stefan Metzmacher Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184 commit e425abeb7d228615a2766ddd497b26af228a022b Author: Joseph Sutton Date:
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via a795e0c8459 Release ldb 2.4.1 via 9e2da222f7f pyldb: Make ldb.Message containment testing consistent with indexing via b4601d0db20 pyldb: Add tests for ldb.Message containment testing via 2311987af25 pyldb: Raise TypeError for an invalid ldb.Message index via bef676475fe pyldb: Add test for an invalid ldb.Message index type via ba4032b73a4 s4/torture/drs/python: Fix attribute existence check via d32f732c796 pyldb: Fix deleting an ldb.Control critical flag via 3b6c8bd55b3 pytest:segfault: Add test for deleting an ldb.Control critical flag via 6db664a07da pyldb: Fix deleting an ldb.Message dn via f4ca03b0cc2 pytest:segfault: Add test for deleting an ldb.Message dn via 34d50f415ae Fix Python docstrings from 753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit a795e0c84597aa045d011e663dbad3cdabf0f1e6 Author: Andrew Bartlett Date: Wed Sep 29 11:27:41 2021 +1300 Release ldb 2.4.1 * Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message (bug 14845) * Fix memory handling in ldb.msg_diff (bug 14836) * Corrected python docstrings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison (cherry picked from commit 76899e236149ff3b86cd9032a3c6bdafe3a2f036) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Tue Oct 26 15:09:58 UTC 2021 on sn-devel-184 commit 9e2da222f7f9993443cabcd42cd38e61abcd7a5d Author: Joseph Sutton Date: Sat Sep 25 14:39:59 2021 +1200 pyldb: Make ldb.Message containment testing consistent with indexing Previously, containment testing using the 'in' operator was handled by performing an equality comparison between the chosen object and each of the message's keys in turn. 
This behaviour was prone to errors due to not considering differences in case between otherwise equal elements, as the indexing operations do. Containment testing should now be more consistent with the indexing operations and with the get() method of ldb.Message. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69) commit b4601d0db20c4ccb933c0264c577fe0df07923c1 Author: Joseph Sutton Date: Sat Sep 25 13:48:57 2021 +1200 pyldb: Add tests for ldb.Message containment testing These tests verify that the 'in' operator on ldb.Message is consistent with indexing and the get() method. This means that the 'dn' element should always be present, lookups should be case-insensitive, and use of an invalid type should result in a TypeError. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8) commit 2311987af25e43596cda5bfa8505e0acfd4477bd Author: Joseph Sutton Date: Sat Sep 25 13:39:56 2021 +1200 pyldb: Raise TypeError for an invalid ldb.Message index Previously, a TypeError was raised and subsequently overridden by a KeyError. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7) commit bef676475fe25846172152f6492839e74b588ed6 Author: Joseph Sutton Date: Sat Sep 25 13:22:05 2021 +1200 pyldb: Add test for an invalid ldb.Message index type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06) commit ba4032b73a49246f4987549666d7b6880a85990f Author: Joseph Sutton Date: Sat Sep 25 19:18:39 2021 +1200 s4/torture/drs/python: Fix attribute existence check BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90) commit d32f732c7964c56445394abc080243e564ff2585 Author: Joseph Sutton Date: Sat Sep 25 11:16:09 2021 +1200 pyldb: Fix deleting an ldb.Control critical flag BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 9d25
[SCM] Samba Shared Repository - annotated tag ldb-2.3.1 created
The annotated tag, ldb-2.3.1 has been created at 331ecebff59dadd17a413ef250e7535f96a54d7f (tag) tagging c1d2a0570dfc697bbdda6047f10da4ea9cf261f8 (commit) replaces samba-4.14.8 tagged by Stefan Metzmacher on Wed Oct 27 13:19:17 2021 +0200 - Log - ldb: tag release ldb-2.3.1 Andreas Schneider (1): waf: Allow building with MIT KRB5 >= 1.20 Andrew Bartlett (8): selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers selftest: Remove duplicate setup of $base_dn and $ldbmodify selftest: Improve error handling and perl style when setting up users in Samba4.pm dsdb: Allow special chars like "@" in samAccountName when generating the salt lib/krb5_wrap: Fix missing error check in new salt code ldb: Release ldb 2.3.1 Douglas Bagnall (2): pytest/rodc_rwdc: try to avoid race. pytest: dynamic tests optionally add __doc__ Isaac Boukris (4): kdc: remove KRB5SignedPath, to be replaced with PAC kdc: sign ticket using Windows PAC krb5: allow NULL parameter to krb5_pac_free() krb5: rework PAC validation loop Jeremy Allison (2): s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share. s3: smbd: Ensure when we change security context we delete any $cwd cache.
Joseph Sutton (147): krb5pac.idl: Add ticket checksum PAC buffer type security.idl: Add well-known SIDs for FAST tests/krb5: Calculate expected salt if not given explicitly tests/krb5: Add methods to obtain the length of checksum types tests/krb5: Use signed integers to represent key version numbers in ASN.1 tests/krb5: Add KDCOptions flag for constrained delegation tests/krb5: Use more compact dict lookup tests/krb5: Replace expected_cname_private with expected_anon parameter tests/krb5: Allow specifying an OU to create accounts in tests/krb5: Allow specifying additional User Account Control flags for account tests/krb5: Keep track of account DN in credentials object tests/krb5: Move padata generation methods to base class tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS tests/krb5: Don't create PAC request manually in as_req_tests tests/krb5: Don't create PAC request or options manually in fast_tests tests/krb5: Remove magic constants tests/krb5: Allow specifying ticket flags expected to be set or reset tests/krb5: Make time assertion less strict tests/krb5: Allow Kerberos requests to be sent to DC or RODC tests/krb5: Check for presence of 'renew-till' element tests/krb5: Check 'caddr' element tests/krb5: Check for presence of 'key-expiration' element tests/krb5: Create testing accounts in appropriate containers tests/krb5: Allow specifying status code to be checked tests/krb5: Get expected cname from TGT for TGS-REQ messages tests/krb5: Get encpart decryption key from kdc_exchange_dict tests/krb5: Add get_cached_creds() method to create persistent accounts for testing tests/krb5: Generate padata for FAST tests tests/krb5: Sign-extend kvno from 32-bit integer tests/krb5: Add method to get RODC krbtgt credentials tests/krb5: Add get_secrets() method to get the secret attributes of a DN tests/krb5: Allow replicating accounts to the RODC tests/krb5: Create RODC account for testing tests/krb5: Allow replicating accounts to 
the created RODC python: Don't leak file handles python/join: Check for correct msDS-KrbTgtLink attribute tests/krb5: Add helper method for modifying PACs tests/krb5: Check correct flags element tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange tests/krb5: Allow tgs_req() to send additional padata tests/krb5: Allow tgs_req() to specify different kdc-options tests/krb5: Allow tgs_req() to send requests to the RODC tests/krb5: Allow as_req() to specify different kdc-options tests/krb5: Use PAC buffer type constants from krb5pac.idl tests/krb5: Don't manually create PAC reques
[SCM] Samba Shared Repository - annotated tag ldb-2.4.1 created
The annotated tag, ldb-2.4.1 has been created at dd3f1a38d3836348f0d409429742ac14a2066237 (tag) tagging a795e0c84597aa045d011e663dbad3cdabf0f1e6 (commit) replaces samba-4.15.0 tagged by Stefan Metzmacher on Wed Oct 27 13:20:09 2021 +0200 - Log - ldb: tag release ldb-2.4.1 Alex Richardson (7): charset_macosxfs.c: fix compilation on macOS audit_logging.c: fix compilation on macOS source3/printing/queue_process.c: fix build on macOS sec_ctx.c: Fix -Wunused-function warning on macOS source3/smbd/statcache.c: Fix -Wformat build error on macOS vfs_preopen.c: Fix -Wformat error on macOS Fix detection of rpc/xdr.h on macOS Andreas Schneider (1): waf: Allow building with MIT KRB5 >= 1.20 Andrew Bartlett (16): autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) samldb: Address birthday paradox adding an RODC .gitlab-ci: Allow a 1 hour to build Samba .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI .gitlab-ci.yml: Restore building most of our jobs .gitlab-ci: Avoid duplicate CI on all merge requests gitlab-ci: Do not retry for job_execution_timeout gitlab-ci: Do not download artifacts of unrelated builds selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers selftest: Remove duplicate setup of $base_dn and $ldbmodify selftest: Improve error handling and perl style when setting up users in Samba4.pm dsdb: Allow special chars
like "@" in samAccountName when generating the salt lib/krb5_wrap: Fix missing error check in new salt code Release ldb 2.4.1 Douglas Bagnall (3): pytest/rodc_rwdc: try to avoid race. pytest: dynamic tests optionally add __doc__ pytest: s3_net_join: avoid name clash Isaac Boukris (4): kdc: remove KRB5SignedPath, to be replaced with PAC kdc: sign ticket using Windows PAC krb5: allow NULL parameter to krb5_pac_free() krb5: rework PAC validation loop Jeremy Allison (4): s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share. s3: smbd: Ensure when we change security context we delete any $cwd cache. s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs. s3: smbspool. Remove last use of 'extern char **environ;'. Joseph Sutton (152): pytest:segfault: Add test for ldb.msg_diff() ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL pyldb: Avoid use-after-free in msg_diff() heimdal:kdc: Only check for default salt for des-cbc-crc enctype krb5pac.idl: Add ticket checksum PAC buffer type security.idl: Add well-known SIDs for FAST tests/krb5: Calculate expected salt if not given explicitly tests/krb5: Add methods to obtain the length of checksum types tests/krb5: Use signed integers to represent key version numbers in ASN.1 tests/krb5: Add KDCOptions flag for constrained delegation tests/krb5: Use more compact dict lookup tests/krb5: Replace expected_cname_private with expected_anon parameter tests/krb5: Allow specifying an OU to create accounts in tests/krb5: Allow specifying additional User Account Control flags for account tests/krb5: Keep track of account DN in credentials object tests/krb5: Move padata generation methods to base class tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS tests/krb5: Don't create PAC request manually in as_req_tests tests/krb5: Don't create PAC request or options manually in fast_tests tests/krb5: 
Remove magic constants tests/krb5: Allow specifying ticket flags expected to be set or reset tests/krb5: Make time assertion less strict tests/krb5: Allow Kerberos requests to be sent to DC or RODC tests/krb5: Check for presence of 'renew-till' element tests/krb5: Check 'caddr' element tests/krb5: Check for presence of 'key-expiration' element tests/krb5: Create testing accounts in appropriate containers tests/krb5: Allow speci
[SCM] Samba Shared Repository - branch v4-13-test updated
via 286d69daf8b tests/krb5: Check correct flags element via b2f98011015 tests/krb5: Add helper method for modifying PACs via 3f2c977d478 python/join: Check for correct msDS-KrbTgtLink attribute via 4b9b3e92256 python: Don't leak file handles via b68eae6687b tests/krb5: Allow replicating accounts to the created RODC via 8c7d0544035 tests/krb5: Create RODC account for testing via c7491a9e760 tests/krb5: Allow replicating accounts to the RODC via 329fcc65aa6 tests/krb5: Add get_secrets() method to get the secret attributes of a DN via 9b151de2653 tests/krb5: Add method to get RODC krbtgt credentials via 7d6ad51b20c tests/krb5: Sign-extend kvno from 32-bit integer via c2cbe6e9aab tests/krb5: Generate padata for FAST tests via 860f7704650 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing via 9926198bce0 tests/krb5: Get encpart decryption key from kdc_exchange_dict via ac14815f849 tests/krb5: Get expected cname from TGT for TGS-REQ messages via 36f8c7080a7 tests/krb5: Allow specifying status code to be checked via a57391cf431 tests/krb5: Create testing accounts in appropriate containers via 26b6b6e630b tests/krb5: Check for presence of 'key-expiration' element via 39541dfa2d0 tests/krb5: Check 'caddr' element via eef81ead620 tests/krb5: Check for presence of 'renew-till' element via 829de7f89a7 tests/krb5: Allow Kerberos requests to be sent to DC or RODC via 9bd79bfe7a8 tests/krb5: Make time assertion less strict via af38bdc0569 tests/krb5: Allow specifying ticket flags expected to be set or reset via f86766afd92 tests/krb5: Remove magic constants via e4c5a3ea34f tests/krb5: Don't create PAC request or options manually in fast_tests via 36eb76b6c2f tests/krb5: Don't create PAC request manually in as_req_tests via 99702d5d7db tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS via dcde84d9268 tests/krb5: Move padata generation methods to base class via 1837ddb3481 tests/krb5: Keep track of account 
DN in credentials object via a2d8713c55c tests/krb5: Allow specifying additional User Account Control flags for account via 9b75a279c03 tests/krb5: Allow specifying an OU to create accounts in via 4892fa1315f tests/krb5: Replace expected_cname_private with expected_anon parameter via c978fcdf535 tests/krb5: Use more compact dict lookup via 735d514ec11 tests/krb5: Add KDCOptions flag for constrained delegation via 20df014fb13 tests/krb5: Use signed integers to represent key version numbers in ASN.1 via a91f36d7bc4 tests/krb5: Add methods to obtain the length of checksum types via efb8340f41f tests/krb5: Calculate expected salt if not given explicitly via d5572676f51 security.idl: Add well-known SIDs for FAST via 0d0d609dc07 krb5pac.idl: Add ticket checksum PAC buffer type via 6882fb5c3e6 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) via d4872f50bc4 python/join: use the provided krbtgt link in cleanup_old_accounts via 283a128129f python: Move dsdb_Dn to samdb via beaae4c5d67 wscript: fix installing pre-commit with 'git worktree' via 3ba31fd4de8 script/bisect-test.py: add support git worktree via 0e62cfec458 wafsamba: add support git worktree to vcs_dir_contents() from 2b97c11bca6 VERSION: Bump version up to Samba 4.13.13... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit 0cea7f53c01718ec1d5d86a415ca494e1899501f Author: Andrew Bartlett Date: Fri Oct 22 10:50:36 2021 +1300 lib/krb5_wrap: Fix missing error check in new salt code CID 1492905: Control flow issues (DEADCODE) This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184 (cherry picked from commit 5094d986b7686f057195dcb10764295b88967019) Autobuild-User(v4-13-test): Stefan Metzmacher Autobuild-Date(v4-13-test): Wed Oct 27 23:29:34 UTC 2021 on sn-devel-184 commit 274f16103f69d98b9262575d043d84bb9a1b53eb Author: Andrew Bartlett Date: Tue Oct 19 16:01:36 2021 +1300 dsdb: Allow special chars like "@" in samAccountName when generating the salt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated
       via  74e65d7c06c ldb: Release ldb 2.2.1
       via  c532b425e73 pyldb: Make ldb.Message containment testing consistent with indexing
       via  64c41d30986 pyldb: Add tests for ldb.Message containment testing
       via  65f3e987675 pyldb: Raise TypeError for an invalid ldb.Message index
       via  4ff0a23a04b pyldb: Add test for an invalid ldb.Message index type
       via  f45e89e4326 s4/torture/drs/python: Fix attribute existence check
       via  4d1c5cc73b0 pyldb: Fix deleting an ldb.Control critical flag
       via  5e9441d55f6 pytest:segfault: Add test for deleting an ldb.Control critical flag
       via  a2e0682d928 pyldb: Fix deleting an ldb.Message dn
       via  d2189833c7e pytest:segfault: Add test for deleting an ldb.Message dn
       via  c7c10298973 Fix Python docstrings
       via  0c36416e319 pyldb: Avoid use-after-free in msg_diff()
       via  400d04533ab ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
       via  f47f0f9f459 pytest:segfault: Add test for ldb.msg_diff()
      from  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test

- Log -
commit 74e65d7c06c5eda79105f43d87efcaec09dfbb77
Author: Andrew Bartlett
Date:   Mon Oct 4 21:57:25 2021 +1300

    ldb: Release ldb 2.2.1

    * Corrected python behaviour for 'in' for LDAP attributes
      contained as part of ldb.Message (bug 14845)
    * Fix memory handling in ldb.msg_diff (bug 14836)
    * Corrected python docstrings

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

    Signed-off-by: Andrew Bartlett

    Autobuild-User(v4-14-test): Stefan Metzmacher
    Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

    Autobuild-User(v4-13-test): Stefan Metzmacher
    Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184

commit c532b425e739a5a6860e37fd616dc5293cea0f37
Author: Joseph Sutton
Date:   Sat Sep 25 14:39:59 2021 +1200

    pyldb: Make ldb.Message containment testing consistent with indexing

    Previously, containment testing using the 'in' operator was handled
    by performing an equality comparison between the chosen object and
    each of the message's keys in turn. This behaviour was prone to
    errors due to not considering differences in case between otherwise
    equal elements, as the indexing operations do.

    Containment testing should now be more consistent with the indexing
    operations and with the get() method of ldb.Message.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

commit 64c41d30986a34b3311bc03ffce9a8856c7f4f18
Author: Joseph Sutton
Date:   Sat Sep 25 13:48:57 2021 +1200

    pyldb: Add tests for ldb.Message containment testing

    These tests verify that the 'in' operator on ldb.Message is
    consistent with indexing and the get() method. This means that the
    'dn' element should always be present, lookups should be
    case-insensitive, and use of an invalid type should result in a
    TypeError.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

commit 65f3e987675d378afd7df4445d04c86d83cde853
Author: Joseph Sutton
Date:   Sat Sep 25 13:39:56 2021 +1200

    pyldb: Raise TypeError for an invalid ldb.Message index

    Previously, a TypeError was raised and subsequently overridden by a
    KeyError.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

commit 4ff0a23a04b230bab3454cf88d317304df2cb5cb
Author: Joseph Sutton
Date:   Sat Sep 25 13:22:05 2021 +1200

    pyldb: Add test for an invalid ldb.Message index type

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

commit f45e89e432644b5c569808f29d27a537e07f
Author: Joseph Sutton
Date:   Sat Sep 25 19:18:39 2021 +1200

    s4/torture/drs/python: Fix attribute existe
[SCM] Samba Shared Repository - annotated tag ldb-2.2.2 created
The annotated tag, ldb-2.2.2 has been created at 492762c29e2a199d012f1e759468380cfa602dcb (tag) tagging 74e65d7c06c5eda79105f43d87efcaec09dfbb77 (commit) replaces samba-4.13.12 tagged by Stefan Metzmacher on Thu Oct 28 17:43:38 2021 +0200 - Log - ldb: tag release ldb-2.2.2 Andreas Schneider (1): waf: Allow building with MIT KRB5 >= 1.20 Andrew Bartlett (9): autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers selftest: Remove duplicate setup of $base_dn and $ldbmodify selftest: Improve error handling and perl style when setting up users in Samba4.pm dsdb: Allow special chars like "@" in samAccountName when generating the salt lib/krb5_wrap: Fix missing error check in new salt code ldb: Release ldb 2.2.1 David Mulder (1): python: Move dsdb_Dn to samdb Douglas Bagnall (3): python/join: use the provided krbtgt link in cleanup_old_accounts pytest/rodc_rwdc: try to avoid race. 
pytest: dynamic tests optionally add __doc__ Isaac Boukris (4): kdc: remove KRB5SignedPath, to be replaced with PAC kdc: sign ticket using Windows PAC krb5: allow NULL parameter to krb5_pac_free() krb5: rework PAC validation loop Joseph Sutton (150): krb5pac.idl: Add ticket checksum PAC buffer type security.idl: Add well-known SIDs for FAST tests/krb5: Calculate expected salt if not given explicitly tests/krb5: Add methods to obtain the length of checksum types tests/krb5: Use signed integers to represent key version numbers in ASN.1 tests/krb5: Add KDCOptions flag for constrained delegation tests/krb5: Use more compact dict lookup tests/krb5: Replace expected_cname_private with expected_anon parameter tests/krb5: Allow specifying an OU to create accounts in tests/krb5: Allow specifying additional User Account Control flags for account tests/krb5: Keep track of account DN in credentials object tests/krb5: Move padata generation methods to base class tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS tests/krb5: Don't create PAC request manually in as_req_tests tests/krb5: Don't create PAC request or options manually in fast_tests tests/krb5: Remove magic constants tests/krb5: Allow specifying ticket flags expected to be set or reset tests/krb5: Make time assertion less strict tests/krb5: Allow Kerberos requests to be sent to DC or RODC tests/krb5: Check for presence of 'renew-till' element tests/krb5: Check 'caddr' element tests/krb5: Check for presence of 'key-expiration' element tests/krb5: Create testing accounts in appropriate containers tests/krb5: Allow specifying status code to be checked tests/krb5: Get expected cname from TGT for TGS-REQ messages tests/krb5: Get encpart decryption key from kdc_exchange_dict tests/krb5: Add get_cached_creds() method to create persistent accounts for testing tests/krb5: Generate padata for FAST tests tests/krb5: Sign-extend kvno from 32-bit integer tests/krb5: Add method to get RODC 
krbtgt credentials tests/krb5: Add get_secrets() method to get the secret attributes of a DN tests/krb5: Allow replicating accounts to the RODC tests/krb5: Create RODC account for testing tests/krb5: Allow replicating accounts to the created RODC python: Don't leak file handles python/join: Check for correct msDS-KrbTgtLink attribute tests/krb5: Add helper method for modifying PACs tests/krb5: Check correct flags element tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange tests/krb5: Allow tgs_req() to send additional padata tests/krb5: Allow tgs_req() to specify different kdc-options tests/krb5: Allow tgs_req() to send requests to the RODC tests/krb5: Allow as_req() to specify different kdc-options tests/krb5: Use PAC buffer type constants from krb5pac.idl tests/krb5: Don't manually create PAC request and options in fast_te
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated
       via  5e3b924cb35 ldb: version 2.3.2
       via  7a1128cb9a9 lib:ldb-samba: Improve calculate_popt_array_length()
       via  48f3f52c1be lib:ldb: Use C99 initializers for builtin_popt_options[]
       via  7158c947065 pyldb: fix a typo
       via  e6aff15a774 ldb: improve comments for ldb_module_connect_backend()
       via  461096c521c ldb: correct comments in attrib_handers val_to_int64
       via  e4741f2a119 ldb.h: remove undefined async_ctx function signatures
       via  65cdcb4848d lib:ldb: Add missing break in switch statement
       via  2c8091ab973 pyldb: Fix Message.items() for a message containing elements
       via  7c3f03589ac ldb_match: remove redundant check
       via  0a794271f84 pyldb: catch potential overflow error in py_timestring
       via  3e2a1671d69 ldb: fix ldb_comparison_fold off-by-one overrun
       via  1870e5b46c1 ldb_match: trailing chunk must match end of string
       via  4548760ee8e ldb/attrib_handler casefold: simplify space dropping
      from  0e4837eb0d4 VERSION: Bump version up to Samba 4.14.10...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test

- Log -
commit 5e3b924cb3558271de036a14ffe5063ae96a3d1c
Author: Stefan Metzmacher
Date:   Tue Nov 2 15:19:31 2021 +0100

    ldb: version 2.3.2

    Backport all C code changes from ldb-2.4.1 to be available
    for Samba 4.14.x

    Signed-off-by: Stefan Metzmacher

    Autobuild-User(v4-14-test): Stefan Metzmacher
    Autobuild-Date(v4-14-test): Tue Nov 2 21:47:27 UTC 2021 on sn-devel-184

commit 7a1128cb9a91234ea3e608f02698690673994108
Author: Andreas Schneider
Date:   Thu Dec 17 19:16:13 2020 +0100

    lib:ldb-samba: Improve calculate_popt_array_length()

    Note that memcmp() doesn't work well with padding bytes. So avoid it!

    (gdb) ptype/o struct poptOption
    /* offset    |  size */  type = struct poptOption {
    /*    0      |     8 */    const char *longName;
    /*    8      |     1 */    char shortName;
    /* XXX  3-byte hole      */
    /*   12      |     4 */    unsigned int argInfo;
    /*   16      |     8 */    void *arg;
    /*   24      |     4 */    int val;
    /* XXX  4-byte hole      */
    /*   32      |     8 */    const char *descrip;
    /*   40      |     8 */    const char *argDescrip;
                               /* total size (bytes):   48 */

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)

commit 48f3f52c1be444db33c368d1e674fb829d8af9fc
Author: Andreas Schneider
Date:   Thu Dec 17 11:56:08 2020 +0100

    lib:ldb: Use C99 initializers for builtin_popt_options[]

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)

commit 7158c9470651907302fa27b2ff845839ce12e159
Author: Björn Baumbach
Date:   Mon Jan 18 16:48:21 2021 +0100

    pyldb: fix a typo

    Signed-off-by: Björn Baumbach
    Reviewed-by: Rowland penny
    (cherry picked from commit 6fcde09f093db5d26c582a3c28531265f06b9fde)

commit e6aff15a77403058656dd82ee36ce3491e5ebd78
Author: Douglas Bagnall
Date:   Fri Jan 29 13:49:02 2021 +1300

    ldb: improve comments for ldb_module_connect_backend()

    There is no flags argument. There are more URI forms.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Jeremy Allison
    (cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)

commit 461096c521ce3e0c884161bf75902a8963878e61
Author: Douglas Bagnall
Date:   Sat Mar 6 09:57:44 2021 +1300

    ldb: correct comments in attrib_handers val_to_int64

    c.f. the identical static function in lib/ldb-samba/ldif_handlers.c

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Jeremy Allison
    (cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)

commit e4741f2a11989f34fd9ab85c574c99774a5f7994
Author: Douglas Bagnall
Date:   Sat Dec 19 11:43:56 2020 +1300

    ldb.h: remove undefined async_ctx function signatures

    These functions do not exist.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Jeremy Allison
    (cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)

commit 65cdcb4848d99af49c3f09dff57487c0ff25edf1
Author: Andreas Schneider
Date:   Mon Feb 1 14:21:21 2021 +0100

    lib:ldb: Add missing break in switch statement

    error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

    Signed-off-by: Andreas Schneider
    Reviewed-by: Jeremy Allison
    (cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)

commit 2c8091ab9730ef00457f6bf5cf829ad9f4f6d824
Author: Joseph Sutton
Date:   Fri May 28 14:15:43 2021 +1200

    pyldb: Fix Message.items() for a message containing elements

    Previously, message elements were being
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated
       via  20ce74008b3 ldb: version 2.2.3
       via  767bafc50ae ldb_kv_index: fix empty initializer compile warning
       via  0dc05f591db ldb: Use hex_byte() in ldb_binary_decode()
       via  9ad6b86ccc9 lib: Add "hex_byte()" to replace.h
       via  8c29175f7fe ldb_controls: control_to_string avoids crash
       via  7dd52901904 lib:ldb-samba: Improve calculate_popt_array_length()
       via  68d736a73f1 lib:ldb: Use C99 initializers for builtin_popt_options[]
       via  5363e0340d7 pyldb: fix a typo
       via  bbc5373b872 ldb: improve comments for ldb_module_connect_backend()
       via  90729aed778 ldb: correct comments in attrib_handers val_to_int64
       via  1253ee80bd1 ldb.h: remove undefined async_ctx function signatures
       via  e96b3f7185a lib:ldb: Add missing break in switch statement
       via  933fbc8ca9e pyldb: Fix Message.items() for a message containing elements
       via  7e8d2bcca98 ldb_match: remove redundant check
       via  f2c0ab2daed pyldb: catch potential overflow error in py_timestring
       via  cb04bfc55a8 ldb: fix ldb_comparison_fold off-by-one overrun
       via  e431362a701 ldb_match: trailing chunk must match end of string
       via  0c32ab5f61a ldb/attrib_handler casefold: simplify space dropping
      from  6671c88157b VERSION: Bump version up to Samba 4.13.14...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test

- Log -
commit 20ce74008b3347256139e3d10caef0fd6322f87f
Author: Stefan Metzmacher
Date:   Tue Nov 2 15:19:31 2021 +0100

    ldb: version 2.2.3

    Backport all C code changes from ldb-2.4.1 to be available
    for Samba 4.13.x

    Signed-off-by: Stefan Metzmacher

    Autobuild-User(v4-13-test): Stefan Metzmacher
    Autobuild-Date(v4-13-test): Tue Nov 2 22:41:39 UTC 2021 on sn-devel-184

commit 767bafc50aed115cab1eccd997cf4cc9758db8b1
Author: Björn Jacke
Date:   Mon Oct 19 02:39:46 2020 +0200

    ldb_kv_index: fix empty initializer compile warning

    Signed-off-by: Bjoern Jacke
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit c862ad64aea31d1d5ec66385bb50d9b97e609071)

commit 0dc05f591db1cd137e85fcb0ebc1dfc7eb320aed
Author: Volker Lendecke
Date:   Mon Jan 4 13:55:01 2021 +0100

    ldb: Use hex_byte() in ldb_binary_decode()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme
    Reviewed-by: Jeremy Allison
    (cherry picked from commit b6a57c49c00a778f954aaf10db6ebe6dca8f5ae2)

commit 9ad6b86ccc9df76311e3e9f1908f815a292d1b6d
Author: Volker Lendecke
Date:   Mon Jan 4 13:12:30 2021 +0100

    lib: Add "hex_byte()" to replace.h

    This is required in quite a few places, and replace.h has things like
    ZERO_STRUCT already, so this is not completely outplaced.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Ralph Boehme
    Reviewed-by: Jeremy Allison
    (cherry picked from commit c8d9ce3f7c8c486ab21e320a0adcb71311dcb453)

commit 8c29175f7fe10bbf37595cb2e5afd26a4617fd7a
Author: Douglas Bagnall
Date:   Fri Jul 24 12:41:29 2020 +1200

    ldb_controls: control_to_string avoids crash

    Otherwise a malformed control with unexpected NULL data will segfault
    ldb_control_to_string(), though this is not very likely to affect
    anyone in practice as converting controls to strings is rarely
    necessary. If it happens at all in Samba it is in Python code.

    Found by Honggfuzz using fuzz_ldb_parse_control.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andreas Schneider

    Autobuild-User(master): Douglas Bagnall
    Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184

    (cherry picked from commit 2aace18f170644da9c293342a6df5e5b2ae8da25)

commit 7dd529019045949bcc5d7fbb49322868bfda52c7
Author: Andreas Schneider
Date:   Thu Dec 17 19:16:13 2020 +0100

    lib:ldb-samba: Improve calculate_popt_array_length()

    Note that memcmp() doesn't work well with padding bytes. So avoid it!

    (gdb) ptype/o struct poptOption
    /* offset    |  size */  type = struct poptOption {
    /*    0      |     8 */    const char *longName;
    /*    8      |     1 */    char shortName;
    /* XXX  3-byte hole      */
    /*   12      |     4 */    unsigned int argInfo;
    /*   16      |     8 */    void *arg;
    /*   24      |     4 */    int val;
    /* XXX  4-byte hole      */
    /*   32      |     8 */    const char *descrip;
    /*   40      |     8 */    const char *argDescrip;
                               /* total size (bytes):   48 */

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett
    (cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)

commit 68d736a73f175c949ae19a15228b7e5e4d90a610
Author: Andreas Schneider
Date:   Thu Dec 17 11:56:08 2020 +0100

    lib:ldb: Use C99 initializers for builtin_popt_options[]

    Signed-
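
The padding problem named in the calculate_popt_array_length() commit message above, as an added C example (not part of the commit, and not Samba's or popt's code). struct opt_entry, the function names and the table contents are hypothetical; only the member order is taken from the ptype/o output, and the table terminator is assumed to be an entry with every member zero.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in that mirrors the member order in the ptype/o output
 * above. It is not popt's header; all names below are hypothetical. */
struct opt_entry {
	const char *longName;
	char shortName;        /* compiler inserts a hole after this member */
	unsigned int argInfo;
	void *arg;
	int val;               /* a second hole follows on LP64 targets */
	const char *descrip;
	const char *argDescrip;
};

_Static_assert(offsetof(struct opt_entry, argInfo) >
	       offsetof(struct opt_entry, shortName) + 1,
	       "example needs a padding hole after shortName");

/* Terminator test that reads members only, so padding never matters. */
static int is_table_end(const struct opt_entry *o)
{
	return o->longName == NULL && o->shortName == '\0' &&
	       o->argInfo == 0 && o->arg == NULL && o->val == 0 &&
	       o->descrip == NULL && o->argDescrip == NULL;
}

/* Count entries before the terminator, member by member. */
size_t table_length_fields(const struct opt_entry *opts, size_t max)
{
	size_t i = 0;
	while (i < max && !is_table_end(&opts[i])) {
		i++;
	}
	return i;
}

/* Same count, but comparing whole object representations. The static
 * zero object has zeroed padding; the table entries need not. */
size_t table_length_memcmp(const struct opt_entry *opts, size_t max)
{
	static const struct opt_entry zero;
	size_t i = 0;
	while (i < max && memcmp(&opts[i], &zero, sizeof(zero)) != 0) {
		i++;
	}
	return i;
}

/* Constructed table: two options and a terminator whose members are all
 * zero but whose first padding byte holds a stale value, as it may when
 * an entry is built on the stack or filled in member by member. */
void build_table(struct opt_entry t[3])
{
	memset(t, 0, 3 * sizeof(t[0]));
	t[0].longName = "url";
	t[0].shortName = 'H';
	t[0].val = 1;
	t[1].longName = "scope";
	t[1].shortName = 's';
	t[1].val = 2;
	((unsigned char *)&t[2])[offsetof(struct opt_entry, shortName) + 1] = 0xAA;
}

int main(void)
{
	struct opt_entry table[3];

	build_table(table);
	/* max caps the scan so the missed terminator cannot cause an overread */
	printf("member-wise: %zu entries\n", table_length_fields(table, 3));
	printf("memcmp:      %zu entries\n", table_length_memcmp(table, 3));
	return 0;
}
```

Without the max bound, the memcmp() variant would walk past the terminator and read beyond the array, which is why a length helper for a sentinel-terminated table should compare members.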
[SCM] Samba Shared Repository - annotated tag ldb-2.3.2 created
The annotated tag, ldb-2.3.2 has been created at 53bfbfada20fb854308d09253f48f60aaade8f45 (tag) tagging 5e3b924cb3558271de036a14ffe5063ae96a3d1c (commit) replaces samba-4.14.9 tagged by Stefan Metzmacher on Tue Nov 2 23:52:30 2021 +0100 - Log - ldb: tag release ldb-2.3.2 Andreas Schneider (3): lib:ldb: Add missing break in switch statement lib:ldb: Use C99 initializers for builtin_popt_options[] lib:ldb-samba: Improve calculate_popt_array_length() Björn Baumbach (1): pyldb: fix a typo Douglas Bagnall (7): ldb/attrib_handler casefold: simplify space dropping ldb_match: trailing chunk must match end of string ldb: fix ldb_comparison_fold off-by-one overrun ldb_match: remove redundant check ldb.h: remove undefined async_ctx function signatures ldb: correct comments in attrib_handers val_to_int64 ldb: improve comments for ldb_module_connect_backend() Joseph Sutton (1): pyldb: Fix Message.items() for a message containing elements Jule Anger (1): VERSION: Bump version up to Samba 4.14.10... Stefan Metzmacher (2): pyldb: catch potential overflow error in py_timestring ldb: version 2.3.2
[SCM] Samba Shared Repository - annotated tag ldb-2.2.3 created
The annotated tag, ldb-2.2.3 has been created at 9e02c0a04ed6e7504a5a7d8bc352324c6b99ea74 (tag) tagging 20ce74008b3347256139e3d10caef0fd6322f87f (commit) replaces samba-4.13.13 tagged by Stefan Metzmacher on Tue Nov 2 23:53:17 2021 +0100 - Log - ldb: tag release ldb-2.2.3 Andreas Schneider (3): lib:ldb: Add missing break in switch statement lib:ldb: Use C99 initializers for builtin_popt_options[] lib:ldb-samba: Improve calculate_popt_array_length() Björn Baumbach (1): pyldb: fix a typo Björn Jacke (1): ldb_kv_index: fix empty initializer compile warning Douglas Bagnall (8): ldb/attrib_handler casefold: simplify space dropping ldb_match: trailing chunk must match end of string ldb: fix ldb_comparison_fold off-by-one overrun ldb_match: remove redundant check ldb.h: remove undefined async_ctx function signatures ldb: correct comments in attrib_handers val_to_int64 ldb: improve comments for ldb_module_connect_backend() ldb_controls: control_to_string avoids crash Joseph Sutton (1): pyldb: Fix Message.items() for a message containing elements Jule Anger (1): VERSION: Bump version up to Samba 4.13.14... Stefan Metzmacher (2): pyldb: catch potential overflow error in py_timestring ldb: version 2.2.3 Volker Lendecke (2): lib: Add "hex_byte()" to replace.h ldb: Use hex_byte() in ldb_binary_decode()
[SCM] Samba Shared Repository - branch v4-14-test updated
ass=computer are workstations by default now
       via  cafbb2fd60b CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
       via  0cdfa6aa607 CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
       via  9e515f095e7 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
       via  c52e0c06591 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
       via  7f4a73a46ec CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
       via  2a991280343 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
       via  856c34fec0c CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
       via  80ff13f19c0 CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
       via  2dddaa5d3a5 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
       via  2439f3c242a CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
       via  45a7506af62 CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
       via  a32ff3ba268 CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
       via  cd0747d1913 CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
       via  c1056e7a900 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
       via  0459578510a CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
       via  ba97d5c59ce CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
       via  762ef653b9d CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
       via  e90034d9182 CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
       via  7bd4145daa7 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
       via  6bdda2d93ed CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
       via  b49fd977462 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
       via  8ad19dda2ec CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
       via  cb89e352cf4 CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
       via  c1fdd2d7508 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
       via  1723d89f2ec CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
       via  ce958b960f3 CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
       via  39d90c85d4d CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
       via  131f06517ee CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
       via  237a961da90 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
       via  025cbda295e CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
       via  064c41a7696 CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly
       via  d92787c05a0 CVE-2020-25717 auth4: Remove sync check_password from auth_operations
       via  3815c92cc87 CVE-2020-25717 auth4: Make auth_sam pseudo-async
       via  e0ae20193e3 CVE-2020-25717 auth4: Make auth_unix pseudo-async
       via  849ef477cb3 CVE-2020-25717 auth4: Make auth_developer pseudo-async
       via  16098012df9 CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
       via  5a5b1a06d6d CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()
       via  44270951af6 CVE-2020-25717 auth3: Simplify check_samba4_security()
       via  93289e90d6f CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env
       via  6dbc3f11c02 CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member
      from  5e3b924cb35 ldb: version 2.3.2

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test

- Log ---------
commit a1dae6a208ad29d4a771a6d4d4f32e188ba2541b
Author: Stefan Metzmacher
Date:   Tue Nov 9 19:43:02 2021 +0100

    VERSION: Bump version up to Samba 4.14.11...

    and re-enable GIT_SNAPSHOT.

    Signed-off-by: Stefan Metzmacher

---

Summary of changes:
 VERSION
[SCM] Samba Shared Repository - branch v4-13-test updated
in wb_queryuser_send()
       via  4925a110c4e CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
       via  bd12ce56f03 CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
       via  04e10a84318 CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
       via  ed1542b9f37 CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
       via  69c53f9c317 CVE-2020-25717 wb_sids2xids: fill cache as soon as possible
       via  0ec6beec7da CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results
       via  ed766403618 CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
       via  ab4f028db00 CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit
       via  5e4491e8455 CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
       via  ca5cf8d35b9 CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
       via  27b73f9d343 CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'
       via  e226e0a163a CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
       via  713f9c96007 CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()
       via  3812930e641 CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()
       via  be816313636 CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
       via  12fb0f40f60 CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
       via  a3cca16fac5 CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
       via  5e04b985acc CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
       via  f3957ca5ce2 CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
       via  aebe4cec6c5 CVE-2020-25717 winbindd: add and use is_idmap_child()
       via  b7b4bb1c55b CVE-2020-25717 winbindd: add and use idmap_child_pid()
       via  39da0df37c4 CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
       via  861bc4ddd8d CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
       via  d4c9be23183 CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
       via  68a823fd032 CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers
       via  337cb0847bf CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers
       via  340e2153c7e CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function
       via  0792d340860 CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
       via  05b27742da4 CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
      from  20ce74008b3 ldb: version 2.2.3

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test

- Log -
commit 959fb5a4c69478848d3fbcff7d952a727cef518d
Author: Stefan Metzmacher
Date:   Tue Nov 9 19:45:46 2021 +0100

    VERSION: Bump version up to Samba 4.13.15...

    and re-enable GIT_SNAPSHOT.

    Signed-off-by: Stefan Metzmacher

---

Summary of changes:
 VERSION                                        |    2 +-
 WHATSNEW.txt                                   |  113 +-
 auth/auth_util.c                               |    9 +-
 auth/credentials/tests/bind.py                 |   13 +-
 auth/gensec/gensec_util.c                      |   27 +-
 auth/ntlmssp/ntlmssp_server.c                  |    2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml  |   17 +
 docs-xml/smbdotconf/security/serverrole.xml    |    7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml    |    4 +
 lib/param/loadparm.c                           |    4 +
 lib/param/loadparm_server_role.c               |    2 +
 lib/param/param_table.c                        |    1 +
 lib/param/util.c                               |    1 +
 libcli/auth/wscript_build                      |   10 +-
 libcli/netlogon/netlogon.c                     |    2 +-
 libds/common/flag_mapping.c                    |   50 +
 libds/common/flag_mapping.h                    |    1 +
 libds/common/flags.h                           |    5 +
 libds/common/roles.h                           |    1 +
 librpc/idl/idmap.idl                           |   23 +-
 librpc/idl/krb5pac.idl                         |   38 +-
 librpc/idl/winbind.idl                         |    2 +-
 librpc/ndr/ndr_krb5pac.c
[SCM] Samba Shared Repository - annotated tag samba-4.15.2 created
on CVE-2020-25719 heimdal:kdc: Require PAC to be present CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation Jule Anger (3): VERSION: Bump version up to Samba 4.15.2... WHATSNEW: Add release notes for Samba 4.15.2. VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release. Nadezhda Ivanova (2): CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute Ralph Boehme (1): CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() Samuel Cabrero (4): CVE-2020-25717: loadparm: Add new parameter "min domain uid" CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter CVE-2020-25717: s3:auth: Check minimum domain uid Stefan Metzmacher (47): CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true CVE-2020-25717: s4:torture: start with authoritative = 1 CVE-2020-25717: s4:smb_server: start with authoritative = 1 CVE-2020-25717: s4:auth_simple: start with authoritative = 1 CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 CVE-2020-25717: s3:torture: start with authoritative = 1 CVE-2020-25717: s3:rpcclient: start with authoritative = 1 CVE-2020-25717: s3:auth: start with 
authoritative = 1 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors CVE-2020-25717: s3:auth: we should not try to autocreate the guest account CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect() CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual() CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False) CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented 
requests CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind() CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests CVE-2021-3738 auth_ut
[SCM] Samba Shared Repository - annotated tag samba-4.14.10 created
heimdal:kdc: Check name in request against name in user-to-user TGT CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication CVE-2020-25719 heimdal:kdc: Require PAC to be present CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation Jule Anger (2): WHATSNEW: Add release notes for Samba 4.14.10. VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release. Nadezhda Ivanova (2): CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute Ralph Boehme (1): CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() Samuel Cabrero (4): CVE-2020-25717: loadparm: Add new parameter "min domain uid" CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter CVE-2020-25717: s3:auth: Check minimum domain uid Stefan Metzmacher (48): CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true CVE-2020-25717: s4:torture: start with authoritative = 1 CVE-2020-25717: s4:smb_server: start with authoritative = 1 CVE-2020-25717: s4:auth_simple: start with 
authoritative = 1 CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 CVE-2020-25717: s3:torture: start with authoritative = 1 CVE-2020-25717: s3:rpcclient: start with authoritative = 1 CVE-2020-25717: s3:auth: start with authoritative = 1 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors CVE-2020-25717: s3:auth: we should not try to autocreate the guest account CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect() CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual() CVE-2021-23192: python/tests/dcerpc: let 
generate_request_auth() use g_auth_level in all places CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False) CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
[SCM] Samba Shared Repository - annotated tag samba-4.13.14 created
ESTER_SID PAC buffer CVE-2020-25719 heimdal:kdc: Check return code CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication CVE-2020-25719 heimdal:kdc: Require PAC to be present CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation Jule Anger (2): WHATSNEW: Add release notes for Samba 4.13.14. VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release. 
Nadezhda Ivanova (2): CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute Ralph Boehme (4): CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix() CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send() CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() Samuel Cabrero (4): CVE-2020-25717: loadparm: Add new parameter "min domain uid" CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter CVE-2020-25717: s3:auth: Check minimum domain uid Stefan Metzmacher (76): CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_* CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead CVE-2020-25717 winbindd: add and use idmap_child_pid() CVE-2020-25717 winbindd: add and use is_idmap_child() CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was 
called before idmap_child_handle() CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child() CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids' CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix() CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix() CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done() CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results CVE-2020-25717 wb_sids2xids: fill cache as soon as possible CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults t
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8f637db NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security Releases Available for Download from 96771b0 Add Samba 4.13.13 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 8f637db9c22c4d37dc60b20731ec0de5f437df26 Author: Stefan Metzmacher Date: Tue Nov 9 18:59:24 2021 +0100 NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security Releases Available for Download Signed-off-by: Stefan Metzmacher Signed-off-by: Karolin Seeger --- Summary of changes: history/header_history.html | 3 + history/samba-4.13.14.html | 106 history/samba-4.14.10.html | 106 history/samba-4.15.2.html| 105 history/security.html| 34 posted_news/20211108-113640.4.15.2.body.html | 49 ++ posted_news/20211108-113640.4.15.2.headline.html | 4 + security/CVE-2016-2124.html | 114 + security/CVE-2020-25717.html | 197 +++ security/CVE-2020-25718.html | 89 ++ security/CVE-2020-25719.html | 130 +++ security/CVE-2020-25721.html | 131 +++ security/CVE-2020-25722.html | 155 ++ security/CVE-2021-23192.html | 107 security/CVE-2021-3738.html | 83 ++ 15 files changed, 1413 insertions(+) create mode 100644 history/samba-4.13.14.html create mode 100644 history/samba-4.14.10.html create mode 100644 history/samba-4.15.2.html create mode 100644 posted_news/20211108-113640.4.15.2.body.html create mode 100644 posted_news/20211108-113640.4.15.2.headline.html create mode 100644 security/CVE-2016-2124.html create mode 100644 security/CVE-2020-25717.html create mode 100644 security/CVE-2020-25718.html create mode 100644 security/CVE-2020-25719.html create mode 100644 security/CVE-2020-25721.html create mode 100644 security/CVE-2020-25722.html create mode 100644 security/CVE-2021-23192.html create mode 100644 security/CVE-2021-3738.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 5d40704..7dbe7f8 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,8 +9,10 @@ Release Notes + samba-4.15.2 samba-4.15.1 samba-4.15.0 + samba-4.14.10 samba-4.14.9 samba-4.14.8 samba-4.14.7 @@ -21,6 +23,7 @@ samba-4.14.2 samba-4.14.1 samba-4.14.0 + samba-4.13.14 samba-4.13.13 samba-4.13.12 samba-4.13.11 diff --git a/history/samba-4.13.14.html b/history/samba-4.13.14.html new file mode 100644 index 000..6bf24a6 --- /dev/null +++ b/history/samba-4.13.14.html @@ -0,0 +1,106 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> +http://www.w3.org/1999/xhtml";> + +Samba 4.13.14 - Release Notes + + +Samba 4.13.14 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.13.14.tar.gz";>Samba 4.13.14 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.13.14.tar.asc";>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.13.13-4.13.14.diffs.gz";>Patch (gzipped) against Samba 4.13.13 +https://download.samba.org/pub/samba/patches/samba-4.13.13-4.13.14.diffs.asc";>Signature + + + + === + Release Notes for Samba 4.13.14 + November 9, 2021 + === + + +This is a security release in order to address the following defects: + +o CVE-2016-2124: SMB1 client connections can be downgraded to plaintext + authentication. + https://www.samba.org/samba/security/CVE-2016-2124.html + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + (PLEASE READ! There are important behaviour changes described) + +o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued + by an RODC. + https://www.samba.org/samba/security/CVE-2020-25718.html + +o CVE-2020-25719: Samba AD DC did not always rely on the SID
[SCM] Samba Shared Repository - branch v4-15-test updated
ftest: Split test_userAccountControl into unit tests via 7211afa9a5c CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change via 2812b7cc0e4 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default via 73468f3f4a1 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $ via d396fcadc19 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation via a228f45f63e CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types via e353a62513a CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now) via cc64ec21039 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass. via a72cec41c21 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName via 758c422c11e CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC via 4868385d45b CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default via a6048aaae63 CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests via cf5a3ebaf00 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied() via b999e14700d CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind via df525689abc CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user via 53de95a1f6a CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION via 07aef1e648d CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify via b02578014f7 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed via 
65973d2efd4 CVE-2020-25722 dsdb: Tests for our known set of privileged attributes via 85e3788d829 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests via 6807b81f40b CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test via 6f20d53279d CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019 via ce8fbffd3a1 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass via f970d8b549d CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass via 5719cddc268 CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify() via 7d3a0e08c48 CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags via a8578a41263 CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py via 1a0630b9bc7 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU via 8292a799180 CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase from 19f0172708e VERSION: Bump version up to Samba 4.15.2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log --------- commit bdc33fa61f81d3223279a852991d8aded886881b Author: Stefan Metzmacher Date: Tue Nov 9 19:39:35 2021 +0100 VERSION: Bump version up to Samba 4.15.3... and re-enable GIT_SNAPSHOT. 
Signed-off-by: Stefan Metzmacher --- Summary of changes: VERSION|2 +- WHATSNEW.txt | 112 +- auth/auth_util.c |9 +- auth/credentials/tests/bind.py | 13 +- auth/gensec/gensec_util.c | 27 +- auth/ntlmssp/ntlmssp_server.c |2 +- docs-xml/smbdotconf/security/mindomainuid.xml | 17 + docs-xml/smbdotconf/security/serverrole.xml|7 + docs-xml/smbdotconf/winbind/idmapconfig.xml|4 + lib/param/loadparm.c |4 + lib/param/loadparm_server_role.c |2 + lib/param/param_table.c|1 + lib/param/util.c |1 + libcli/netlogon/netlogon.c |2 +- libds/common/flag_mapping.c| 50 + libds/common/flag_mapping.h|1 + libds/common/flags.h |5 + libds/common/roles.h
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a7f6c60cb03 s3:winbindd: fix "allow trusted domains = no" regression from 3121be69cac CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a7f6c60cb037b4bc9eee276236539b8282213935 Author: Stefan Metzmacher Date: Tue Nov 9 20:50:20 2021 +0100 s3:winbindd: fix "allow trusted domains = no" regression add_trusted_domain() should only reject domains based on is_allowed_domain(), which now also checks "allow trusted domains = no", if we don't have an explicit trust to the domain (SEC_CHAN_NULL). We use at least SEC_CHAN_LOCAL for local domains like BUILTIN. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 --- Summary of changes: source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index fe68adec534..a8c510fafc6 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - if (!is_allowed_domain(domain_name)) { + if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { return NT_STATUS_NO_SUCH_DOMAIN; } -- Samba Shared Repository
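Review bot: the new guard in add_trusted_domain(), "secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)", carries no comment explaining why domains with an explicit trust or a local channel type skip is_allowed_domain(); that reasoning exists only in the commit message. A short comment above the if, stating that "allow trusted domains = no" is enforced here only for SEC_CHAN_NULL and that local domains such as BUILTIN arrive with at least SEC_CHAN_LOCAL, would keep a later cleanup from restoring the unconditional check. The summary of changes also lists source3/winbindd/winbindd_util.c as the only file touched, so no regression test accompanies the fix; a selftest that runs winbindd with "allow trusted domains = no" would cover bug 14899.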
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8375dbc add a reference to the regression fixes at https://bugzilla.samba.org/show_bug.cgi?id=14899 from 8f637db NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security Releases Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 8375dbc88c9fd1cc7f69a6be09611a1abc6c7e0d Author: Stefan Metzmacher Date: Wed Nov 10 13:22:10 2021 +0100 add a reference to the regression fixes at https://bugzilla.samba.org/show_bug.cgi?id=14899 --- Summary of changes: posted_news/20211108-113640.4.15.2.body.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html index 00fc078..7ebb6a3 100644 --- a/posted_news/20211108-113640.4.15.2.body.html +++ b/posted_news/20211108-113640.4.15.2.body.html @@ -19,8 +19,8 @@ as there are important behaviour changes for CVE-2020-25717. There's sadly a regression that "allow trusted domains = no" -prevents winbindd from starting, we'll try to provide a follow up fix as soon as -possible. +prevents winbindd from starting, fixes are available at +https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899. -- Samba Website Repository
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via 5b1d789632f s3:winbindd: fix "allow trusted domains = no" regression from 4a106c2322c lib: handle NTTIME_THAW in nt_time_to_full_timespec() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit 5b1d789632fe67708e64ab9fc4f5b10408699682 Author: Stefan Metzmacher Date: Tue Nov 9 20:50:20 2021 +0100 s3:winbindd: fix "allow trusted domains = no" regression add_trusted_domain() should only reject domains based on is_allowed_domain(), which now also checks "allow trusted domains = no", if we don't have an explicit trust to the domain (SEC_CHAN_NULL). We use at least SEC_CHAN_LOCAL for local domains like BUILTIN. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 (cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) Autobuild-User(v4-14-test): Stefan Metzmacher Autobuild-Date(v4-14-test): Wed Nov 10 23:45:06 UTC 2021 on sn-devel-184 --- Summary of changes: source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 42ddbfd2f44..9d54e462c42 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - if (!is_allowed_domain(domain_name)) { + if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { return NT_STATUS_NO_SUCH_DOMAIN; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via db4e342291f s3:winbindd: fix "allow trusted domains = no" regression from 962b7b0f92d s3-winexe: Fix winexe core dump (use-after-free) https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit db4e342291f86c05fd548161c8c6b2c50e41f533 Author: Stefan Metzmacher Date: Tue Nov 9 20:50:20 2021 +0100 s3:winbindd: fix "allow trusted domains = no" regression add_trusted_domain() should only reject domains based on is_allowed_domain(), which now also checks "allow trusted domains = no", if we don't have an explicit trust to the domain (SEC_CHAN_NULL). We use at least SEC_CHAN_LOCAL for local domains like BUILTIN. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 (cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Wed Nov 10 23:29:45 UTC 2021 on sn-devel-184 --- Summary of changes: source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index fe68adec534..a8c510fafc6 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - if (!is_allowed_domain(domain_name)) { + if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { return NT_STATUS_NO_SUCH_DOMAIN; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via b7158d4ce85 s3:winbindd: fix "allow trusted domains = no" regression from 959fb5a4c69 VERSION: Bump version up to Samba 4.13.15... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit b7158d4ce853f3ce4342ff9756490104ad163b9c Author: Stefan Metzmacher Date: Tue Nov 9 20:50:20 2021 +0100 s3:winbindd: fix "allow trusted domains = no" regression add_trusted_domain() should only reject domains based on is_allowed_domain(), which now also checks "allow trusted domains = no", if we don't have an explicit trust to the domain (SEC_CHAN_NULL). We use at least SEC_CHAN_LOCAL for local domains like BUILTIN. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 (cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) Autobuild-User(v4-13-test): Stefan Metzmacher Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184 --- Summary of changes: source3/winbindd/winbindd_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 1ae4a8d3ca3..a4f33c4765b 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -131,7 +131,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, return NT_STATUS_INVALID_PARAMETER; } - if (!is_allowed_domain(domain_name)) { + if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { return NT_STATUS_NO_SUCH_DOMAIN; } -- Samba Shared Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 7604118 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901 from 8375dbc add a reference to the regression fixes at https://bugzilla.samba.org/show_bug.cgi?id=14899 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 76041187b55e10febd033ce7087c3ef4c6160af1 Author: Stefan Metzmacher Date: Thu Nov 11 21:23:05 2021 +0100 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901 --- Summary of changes: posted_news/20211108-113640.4.15.2.body.html | 6 ++ security/CVE-2020-25717.html | 10 ++ 2 files changed, 16 insertions(+) Changeset truncated at 500 lines: diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html index 7ebb6a3..4370442 100644 --- a/posted_news/20211108-113640.4.15.2.body.html +++ b/posted_news/20211108-113640.4.15.2.body.html @@ -21,6 +21,12 @@ as there are important behaviour changes for There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899. + +Please also notice the additional fix and advanced example +for the 'username map [script]' based fallback from +'DOMAIN\user' to 'user'. See +https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and +https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab merge request 2251. diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html index 8371c90..49811db 100644 --- a/security/CVE-2020-25717.html +++ b/security/CVE-2020-25717.html 
@@ -94,6 +94,16 @@ Please consult 'man 5 smb.conf' for further details on 'username map' or 'username map script'. Also note that in the above example '\' refers to the default value of the 'winbind separator' option. +[Added 2021-11-11] + There's sadly a regression that "allow trusted domains = no" + prevents winbindd from starting, fixes are available at + https://bugzilla.samba.org/show_bug.cgi?id=14899 + + Please also notice the additional fix and advanced example + for the 'username map [script]' based fallback from + 'DOMAIN\user' to 'user'. See + https://bugzilla.samba.org/show_bug.cgi?id=14901 and + https://gitlab.com/samba-team/samba/-/merge_requests/2251 Beyond Samba -- Samba Website Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via d0e3915 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901 from 7604118 add references to https://bugzilla.samba.org/show_bug.cgi?id=14901 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit d0e3915ecd116eab2883c7db41c2fd47849db3b6 Author: Stefan Metzmacher Date: Tue Nov 16 20:22:41 2021 +0100 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901 --- Summary of changes: posted_news/20211108-113640.4.15.2.body.html | 8 +++ security/CVE-2020-25717.html | 34 ++-- 2 files changed, 26 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html index 4370442..11bf4f8 100644 --- a/posted_news/20211108-113640.4.15.2.body.html +++ b/posted_news/20211108-113640.4.15.2.body.html @@ -22,11 +22,11 @@ There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899. -Please also notice the additional fix and advanced example -for the 'username map [script]' based fallback from -'DOMAIN\user' to 'user'. See +Please also notice the additional fixes from https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and -https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab merge request 2251. +https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab merge request 2253. +obsolete required 'username map [script]' based fallback from +'DOMAIN\user' to 'user' in most cases. diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html index 49811db..1321426 100644 --- a/security/CVE-2020-25717.html +++ b/security/CVE-2020-25717.html 
@@ -81,29 +81,39 @@ as it dangerous and not needed when nss_winbind is used (even when However there are setups which are joined to an active directory domain just for authentication, but the authorization is handled without nss_winbind by mapping the domain account to a local user -provided by nss_file, nss_ldap or something similar. NOTE: These -setups won't work anymore without explicitly mapping the users! +provided by nss_file, nss_ldap or something similar. -For these setups administrators need to use the 'username map' or -'username map script' option in order to map domain users explicitly -to local users, e.g. +[Obsoleted 2021-11-16] +NOTE: These setups won't work anymore without explicitly mapping the users! - user = DOMAIN\user +For these setups administrators need to use the 'username map' or +'username map script' option in order to map domain users explicitly +to local users, e.g. -Please consult 'man 5 smb.conf' for further details on 'username -map' or 'username map script'. Also note that in the above example '\' -refers to the default value of the 'winbind separator' option. + user = DOMAIN\user + +Please consult 'man 5 smb.conf' for further details on 'username +map' or 'username map script'. Also note that in the above example '\' +refers to the default value of the 'winbind separator' option. [Added 2021-11-11] There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14899 - Please also notice the additional fix and advanced example - for the 'username map [script]' based fallback from +[Updated 2021-11-16] + + Please also notice the additional fix that obsoletes + the above 'username map [script]' based fallback from 'DOMAIN\user' to 'user'. 
See https://bugzilla.samba.org/show_bug.cgi?id=14901 and - https://gitlab.com/samba-team/samba/-/merge_requests/2251 + https://gitlab.com/samba-team/samba/-/merge_requests/2253 + + It's possible have setups make use of 'idmap_nss' in order + to provide a mapping from the domain account to a local user, + often even without 'nss_winbindd'. Such setups should work again + as before with the patches from bug 14901. + But note the 'min domain uid' setting may still be required. Beyond Samba -- Samba Website Repository
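Review bot: in the posted_news/20211108-113640.4.15.2.body.html hunk of commit d0e3915, the added link line pairs the URL https://gitlab.com/samba-team/samba/-/merge_requests/2251 with the link text "Gitlab merge request 2253", while the security/CVE-2020-25717.html hunk of the same commit switches the URL to merge_requests/2253; the URL here should be changed to match the text. The added wording also does not parse: the link sentence ends with a full stop and the next added line begins "obsolete required 'username map [script]' based fallback", which leaves a fragment. Joining the two, for example "... and Gitlab merge request 2253, which obsolete the 'username map [script]' based fallback from 'DOMAIN\user' to 'user' in most cases.", would read correctly.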
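Review bot: the paragraph added under [Updated 2021-11-16] in the security/CVE-2020-25717.html hunk opens with "It's possible have setups make use of 'idmap_nss'", which is missing words; "It's possible to have setups that make use of 'idmap_nss'" is presumably what is meant. The same paragraph writes 'nss_winbindd' where the unchanged context at the top of the hunk says nss_winbind, so one spelling should be used throughout. The closing line "But note the 'min domain uid' setting may still be required." does not say when it is required; naming the condition, or pointing to 'man 5 smb.conf' the way the obsoleted text does for 'username map', would make the advisory actionable.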
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 62c6ffe mark changes with red from d0e3915 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 62c6ffe0388989b325d80023026939e2e917a08d Author: Stefan Metzmacher Date: Tue Nov 16 20:36:44 2021 +0100 mark changes with red --- Summary of changes: posted_news/20211108-113640.4.15.2.body.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/posted_news/20211108-113640.4.15.2.body.html b/posted_news/20211108-113640.4.15.2.body.html index 11bf4f8..1fec9f7 100644 --- a/posted_news/20211108-113640.4.15.2.body.html +++ b/posted_news/20211108-113640.4.15.2.body.html @@ -17,11 +17,11 @@ These are Security Releases in order to address Please read the individual advisories, as there are important behaviour changes for CVE-2020-25717. - + There's sadly a regression that "allow trusted domains = no" prevents winbindd from starting, fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899. - + Please also notice the additional fixes from https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab merge request 2253. -- Samba Website Repository
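Review bot: on the last line of the @@ -17,11 +17,11 hunk the link text says "Gitlab merge request 2253" but the URL still ends in merge_requests/2251, so a reader following the security release note lands on a different merge request than the one named. Since this commit already touches the surrounding markup, point the URL at the same number as the link text.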
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ccfefe28909 s4:samba: split out a samba_service_init() helper function via 5d295e41af4 vfs_not_implemented: mark all functions with _PUBLIC_ via 6745968a154 script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols via 4862a8ff2f0 script/autobuild.py: make sure nss and pam plugins don't link any samba libraries via 66e90b7391b nsswitch: reduce dependecies to private libraries and link static/builtin if possible via 05ca7b9809d lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled() via 62d05a81087 nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_ via fa98a44cb4d nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD via 419ca68de0c nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux via 3f9948bd6dc nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_ via a663c9648f1 nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_ via 9615395b1fd nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response() via 41108b9ed9f nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h via f3c5980f76f s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response() via ac8977d1e76 s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response() via 35446c27f8e s3:utils: remove notify_msg.c from smbstatus sources via 600ebefa5af libwbclient: fix strict-overflow warning in wbcSidToString() via c461b906ca5 heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY() via 6c64f3cee83 heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY() via e35f23195f9 heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY() via f168f548784 wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries via 38d37d4a532 wafsamba: introduce SAMBA[3]_PLUGIN() via 70da83a8ca7 
wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY} via 38ef29bc219 wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one via 295e5270f60 wafsamba: add SAMBA_SUBSYSTEM(force_empty=False) via 3aff74e29ed wafsamba: assert for *.sigs source files in abi_build_vscript() via 33e6949dda8 wafsamba: the symbol version string of private libraries should be based on the toplevel project via da7c41e2601 wafsamba: use private extentions also for bundled public libraries via 43b90da1867 wafsamba: remove unused private_library argument of PRIVATE_NAME() via d6749f590f3 wafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars via 932c408c1b4 wafsamba: fix '--private-libraries' option when using 'ALL,!something' via 893c24605a5 wafsamba: mark SAMBA_MODULE() with private_library=True via 03cd1449f69 script/autobuild.py: fix "nondevel" builds of 'samba-libs' from 38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----- commit ccfefe289093457587009e1862e1ed8591495aac Author: Stefan Metzmacher Date: Fri Aug 27 13:06:00 2021 +0200 s4:samba: split out a samba_service_init() helper function The loading function should be in the same SAMBA_LIBRARY() as the modules. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184 commit 5d295e41af4e9316aee1b4cf1c3087663b7c06a4 Author: Stefan Metzmacher Date: Fri Aug 27 13:10:41 2021 +0200 vfs_not_implemented: mark all functions with _PUBLIC_ These functions are used directly by other modules. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 6745968a15497c88646c1213ec6a8b198e624abb Author: Stefan Metzmacher Date: Mon Aug 23 12:56:15 2021 + script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 4862a8ff2f02cf7c735d666520846f6a0d63c6b0 Author: Stefan Metzmacher Date: Mon Aug 23 12:56:15 2021 + script/autobuild.py: make sure nss and pam plugins don't link any samba libraries Note th
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0991946ab2e heimdal_build: Remove memset_s from roken, already in libreplace via d6a1a849a2a heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result via 6f7b555dad9 heimdal_build: Do not list hx509 files twice via 93de0f017fd Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c via de18c9bf410 heimdal_build: Allow errors integer overflow errors in gen.c (only) via 75e1000d280 heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS() from ccfefe28909 s4:samba: split out a samba_service_init() helper function https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0991946ab2e64cb9aa3ed9f177e5a545c82c7b3d Author: Andrew Bartlett Date: Thu Dec 20 16:24:28 2018 +1300 heimdal_build: Remove memset_s from roken, already in libreplace Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184 commit d6a1a849a2aec1172ead1b85482b4cea37cd10bd Author: Gary Lockyer Date: Fri Sep 29 10:22:20 2017 +1300 heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result [abart...@samba.org Squashed with TODO commit from Gary that provided HEIMDAL_UNUSED_ATTRIBUTE etc] Signed-off-by: Gary Lockyer Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6f7b555dad96f9d36cb48d46b232a74f18ce2eb7 Author: Andrew Bartlett Date: Wed Nov 24 11:49:37 2021 +1300 heimdal_build: Do not list hx509 files twice This makes maintaining the file lists easier. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 93de0f017fddbd84e1356c7bdc5c43ab7456422e Author: Andrew Bartlett Date: Wed Jul 7 15:23:17 2021 +1200 Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c This is in preperation for the Heimdal upgrade (which otherwise can be compiled with stricter flags). 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit de18c9bf4108dd4f838a4711eda0ed2a59f6ff09 Author: Andrew Bartlett Date: Tue Jul 6 12:26:17 2021 +1200 heimdal_build: Allow errors integer overflow errors in gen.c (only) This is in preperation for the Heimdal upgrade. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 75e1000d280a1310d64c9bfffe55f7b67b402463 Author: Stefan Metzmacher Date: Tue Nov 30 17:03:06 2021 +0100 heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS() Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: source4/heimdal_build/config.h | 3 --- source4/heimdal_build/include/krb5-types.h | 35 ++ source4/heimdal_build/roken.h | 4 source4/heimdal_build/wscript_build| 25 - source4/heimdal_build/wscript_configure| 7 +++--- 5 files changed, 62 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/heimdal_build/config.h b/source4/heimdal_build/config.h index fb43cdc1319..d9ba31b3b45 100644 --- a/source4/heimdal_build/config.h +++ b/source4/heimdal_build/config.h @@ -9,9 +9,6 @@ #include "include/config.h" #include "../replace/replace.h" #include "../lib/util/attr.h" -#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_ -#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x) -#define HEIMDAL_UNUSED_ATTRIBUTE _UNUSED_ #define VERSIONLIST {"Lorikeet-Heimdal, Modified for Samba4"} diff --git a/source4/heimdal_build/include/krb5-types.h b/source4/heimdal_build/include/krb5-types.h index 7e9972b8a6a..62a54dd9722 100644 --- a/source4/heimdal_build/include/krb5-types.h +++ b/source4/heimdal_build/include/krb5-types.h 
@@ -16,6 +16,41 @@ typedef int krb5_socket_t; typedef ssize_t krb5_ssize_t; #endif + +#ifndef HEIMDAL_DEPRECATED +#define HEIMDAL_DEPRECATED _DEPRECATED_ +#endif + +#ifndef HEIMDAL_PRINTF_ATTRIBUTE +#ifdef HAVE_ATTRIBUTE_PRINTF +#define HEIMDAL_PRINTF_ATTRIBUTE(x) __attribute__((format x)) +#else +#define HEIMDAL_PRINTF_ATTRIBUTE(x) +#endif +#endif + +#ifndef HEIMDAL_NORETURN_ATTRIBUTE +#ifdef HAVE___ATTRIBUTE__ +#define HEIMDAL_NORETURN_ATTRIBUTE __attribute__((noreturn)) +#else +#define HEIMDAL_NORETURN_ATTRIBUTE +#endif +#endif + +#ifndef HEIMDAL_UNUSED_ATTRIBUTE +#ifdef HAVE___ATTRIBUTE__ +#define HEIMDAL_UNUSED_ATTRIBUTE __attribute__((unused)) +#else +#define HEIMDAL_UNUSED_ATTRIBUTE +#endif +#endif + +#ifndef HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE +#ifdef HAVE___ATTRIBUTE__ #define HEIMDAL_WARN_UNUSED_RESULT_ATTRIB
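Review bot: in the krb5-types.h hunk, HEIMDAL_DEPRECATED is defined as _DEPRECATED_ with no fallback, while every other macro added here has an empty #else branch. If krb5-types.h is ever included without the header that provides _DEPRECATED_, the macro expands to an undefined identifier. Either wrap it in the same HAVE___ATTRIBUTE__ test as the others or add a comment naming the header it depends on. It is also worth a one-line comment on why HEIMDAL_PRINTF_ATTRIBUTE is keyed on HAVE_ATTRIBUTE_PRINTF while the rest use HAVE___ATTRIBUTE__.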
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0 via 1e61de83066 CVE-2020-25717: s3-auth: fix MIT Realm regression via f621317e3b2 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object from d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5e3df5f9ee64a80898f73585b19113354f463c44 Author: Ralph Boehme Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 commit 1e61de8306604a0d3858342df8a1d2412d8d418b Author: Ralph Boehme Date: Fri Nov 26 10:57:17 2021 +0100 CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identical, but it might work in the standalone server case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher commit f621317e3b25a8925ab6e448068264488a0a47c7 Author: Andrew Bartlett Date: Fri Nov 12 12:44:44 2021 +1300 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object This may allow further processing when the DN normalisation has changed which changes the indexing, such as seen after fixes for bug 14656. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: source3/auth/user_krb5.c| 9 + source3/libsmb/dsgetdcname.c| 4 source4/dsdb/samdb/ldb_modules/operational.c| 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 - 4 files changed, 26 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index b8f37cbeee0..169bf563368 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, char *fuser = NULL; char *unixuser = NULL; struct passwd *pw = NULL; + bool may_retry = false; DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, domain = realm; } else { domain = lp_workgroup(); + may_retry = true; } fuser = talloc_asprintf(mem_ctx, @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, *mapped_to_guest = false; pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + if (may_retry && pw == NULL && !*is_mapped) { + fuser = talloc_strdup(mem_ctx, user); + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + } if (pw) { if (!unixuser) { return NT_STATUS_NO_MEMORY; diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index f8ae96109b7..5954e48d747 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c 
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx, for (i = 0; i < numdcs; i++) { size_t j; + if (dcs[i].num_ips == 0) { + continue; + } + dclist[ret_count].hostname = talloc_move(dclist, &dcs[i].hostname); diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 11b87bdf5ca..2b3cd2d7954 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -1408,7 +1408,7 @@ static const struct op_attributes_r
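Review bot: the retry block added at @@ -89,6 +91,13 in user_krb5.c falls back from the qualified name in fuser to the bare `user` with no comment and no DEBUG output. This path decides which local account a Kerberos principal is mapped to, so the code should say why the fallback is limited to the `domain = lp_workgroup()` branch (may_retry) and to the `!*is_mapped` case, and it should log both names when the second smb_getpwnam() is attempted so the mapping can be audited from the logs.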
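Review bot: in the discover_dc_dns() hunk, entries with `dcs[i].num_ips == 0` are now skipped silently. If every entry is skipped, ret_count stays 0 and the visible lines do not show what is returned in that case; please confirm the function reports an error rather than an empty list with a success status, and add a short comment or DEBUG line at the `continue` naming the host that was dropped.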
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0 via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c via fea324d9cc4 testprogs: Add rpcclient schannel tests via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression from 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 5e846fcf74edb883e8aa7756ee51ef8bfbfb6026 Author: Ralph Boehme Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 (cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Wed Dec 8 10:46:08 UTC 2021 on 
sn-devel-184 commit 18c7681358775b079d95cc44c4146b715ffb54cd Author: Andreas Schneider Date: Thu Nov 18 13:46:26 2021 +0100 libcli:auth: Allow to connect to netlogon server offering only AES BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184 (cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93) commit b1f0aa5c22fdf65114540d4bb15ac6980f194abf Author: Günther Deschner Date: Thu Nov 18 11:52:18 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e) commit aca47d48f516b43ef20f44f85d50993ca25eb3fa Author: Andreas Schneider Date: Thu Nov 18 11:47:26 2021 +0100 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1) commit 16d886511f158a56fb0ebb71df91fea127bed606 Author: Günther Deschner Date: Thu Nov 18 11:43:08 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Andreas Schneider Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd) commit 2b9882a4c2fb94653982d3d4ab9a53d84d658226 Author: Andreas Schneider Date: Wed Nov 24 13:21:28 2021 +0100 s3:libsmb: Remove trailing white spaces from 
passchange.c Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0) commit 460cf672e65432d79512ceca2212572c470865f3 Author: Günther Deschner Date: Thu Nov 18 11:31:00 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via 3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0 via ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression from aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit 3d35397e10348317ab2adbaf033c5becf59fcc33 Author: Ralph Boehme Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 (cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44) Autobuild-User(v4-14-test): Stefan Metzmacher Autobuild-Date(v4-14-test): Wed Dec 8 14:36:05 UTC 2021 on sn-devel-184 commit ce1186e06ed2581a29af794eb66405a4efe26b71 Author: Andrew Bartlett Date: Fri Nov 12 12:44:44 2021 +1300 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object This may allow further processing when the DN normalisation has changed which changes the indexing, such as seen after fixes for bug 14656. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7) commit b0d67dc3d42b81e5e35da26a333c4fcd67baab1f Author: Ralph Boehme Date: Fri Nov 26 10:57:17 2021 +0100 CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identical, but it might work in the standalone server case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) --- Summary of changes: source3/auth/user_krb5.c| 9 + source3/libsmb/dsgetdcname.c| 4 source4/dsdb/samdb/ldb_modules/operational.c| 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 - 4 files changed, 26 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index b8f37cbeee0..169bf563368 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, char *fuser = NULL; char *unixuser = NULL; struct passwd *pw = NULL; + bool may_retry = false; DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, domain = realm; } else { domain = lp_workgroup(); + may_retry = true; } fuser = talloc_asprintf(mem_ctx, 
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, *mapped_to_guest = false; pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + if (may_retry && pw == NULL && !*is_mapped) { + fuser = talloc_strdup(mem_ctx, user); + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + } if (pw) { if (!unixuser) { return NT_STATUS_NO_MEMORY; diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index ae90e07de77..c313259bcb1 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx, for (i = 0; i < numdcs; i++) { size_t j; + if (dcs[i].num_ips == 0) { + continue; + } + dclist[ret_count].hostname =
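Review bot: in the @@ -89,6 +91,13 hunk, fuser is overwritten by talloc_strdup(mem_ctx, user) while the string from the earlier talloc_asprintf(mem_ctx, ...) is still allocated. Both hang off mem_ctx, so nothing outlives the context, but a TALLOC_FREE(fuser) before the reassignment would keep the lifetime obvious in this backport as well.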
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 1e27b820dff CVE-2020-25717: s3-auth: fix MIT Realm regression from 105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit dd679ce7f4450765274b085bbee97d1fa8e0f2a0 Author: Andrew Bartlett Date: Fri Nov 12 12:44:44 2021 +1300 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object This may allow further processing when the DN normalisation has changed which changes the indexing, such as seen after fixes for bug 14656. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7) Autobuild-User(v4-13-test): Stefan Metzmacher Autobuild-Date(v4-13-test): Wed Dec 8 16:49:25 UTC 2021 on sn-devel-184 commit 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4 Author: Ralph Boehme Date: Fri Nov 26 10:57:17 2021 +0100 CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. As a quick solution it might be possible to use the username map script based on the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not sure this behaves identical, but it might work in the standalone server case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher (cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) --- Summary of changes: source3/auth/user_krb5.c| 9 + source4/dsdb/samdb/ldb_modules/operational.c| 2 +- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 - 3 files changed, 22 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index b8f37cbeee0..169bf563368 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, char *fuser = NULL; char *unixuser = NULL; struct passwd *pw = NULL; + bool may_retry = false; DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); @@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, domain = realm; } else { domain = lp_workgroup(); + may_retry = true; } fuser = talloc_asprintf(mem_ctx, @@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, *mapped_to_guest = false; pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + if (may_retry && pw == NULL && !*is_mapped) { + fuser = talloc_strdup(mem_ctx, user); + if (!fuser) { + return NT_STATUS_NO_MEMORY; + } + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); + } if (pw) { if (!unixuser) { return NT_STATUS_NO_MEMORY; diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 5eaebf98141..4e60feaf14f 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c 
@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = { { "tokenGroups", "primaryGroupID", objectSid_attr, construct_token_groups }, { "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, construct_token_groups_no_gc}, { "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, construct_global_universal_token_groups }, - { "parentGUID", NULL, NULL, construct_parent_guid }, + { "parentGUID", "objectGUID", NULL, construct_parent_guid }, { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry }, { "msDS-isRODC", "objectClass", objectCategory_attr, construct_msds_isrodc }, { "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, construct_msds_keyversionnumber }, diff --git a/source4/dsd
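Review bot: the operational.c hunk changes the second field of the "parentGUID" entry in search_sub[] from NULL to "objectGUID", but the commit message only talks about DSDB_SEARCH_SHOW_EXTENDED_DN in the repl_meta_data search. A comment next to the entry, or a sentence in the commit message, explaining why construct_parent_guid now needs objectGUID requested would make the connection reviewable.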
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e2b7a2f7811 s4-auth: Remove unused headers via 1bacf26d30a auth/credentials: Fix cli_credentials_shallow_ccache error case via ce293eb861b auth/credentials: Handle ENOENT when obtaining ccache lifetime from 102ad9ee6a0 librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e2b7a2f78117e20739aa4f895ce68825e160d451 Author: Andrew Bartlett Date: Wed Dec 8 15:30:02 2021 +1300 s4-auth: Remove unused headers These changes were submitted in a patch by Stefan Metzmacher in his lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal. Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Dec 9 14:14:12 UTC 2021 on sn-devel-184 commit 1bacf26d30adc89348786bff7b9e2fe6d6f43856 Author: Stefan Metzmacher Date: Fri Apr 3 15:29:32 2020 +0200 auth/credentials: Fix cli_credentials_shallow_ccache error case Avoid dangling values if something fails... Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton commit ce293eb861b2fc6c7a88cf67664c91735bf49d44 Author: Stefan Metzmacher Date: Fri Apr 3 15:27:45 2020 +0200 auth/credentials: Handle ENOENT when obtaining ccache lifetime The new Heimdal may return ENOENT instead of KRB5_CC_END. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton --- Summary of changes: auth/credentials/credentials_krb5.c | 13 + source4/auth/kerberos/kerberos.h | 1 - source4/auth/kerberos/krb5_init_context.c | 1 - 3 files changed, 9 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index d2e7a76a69e..e69e1a83b3c 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c 
@@ -686,7 +686,7 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred, bool expired = false; ret = smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context, cred->ccache->ccache, &lifetime); - if (ret == KRB5_CC_END) { + if (ret == KRB5_CC_END || ret == ENOENT) { /* If we have a particular ccache set, without * an initial ticket, then assume there is a * good reason */ @@ -1060,15 +1060,22 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred) { krb5_error_code ret; const struct ccache_container *old_ccc = NULL; + enum credentials_obtained old_obtained; struct ccache_container *ccc = NULL; char *ccache_name = NULL; krb5_principal princ; + old_obtained = cred->ccache_obtained; old_ccc = cred->ccache; if (old_ccc == NULL) { return 0; } + cred->ccache = NULL; + cred->ccache_obtained = CRED_UNINITIALISED; + cred->client_gss_creds = NULL; + cred->client_gss_creds_obtained = CRED_UNINITIALISED; + ret = krb5_cc_get_principal( old_ccc->smb_krb5_context->krb5_context, old_ccc->ccache, @@ -1077,7 +1084,6 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred) /* * This is an empty ccache. No point in copying anything. */ - cred->ccache = NULL; return 0; } krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ); @@ -1110,8 +1116,7 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred) } cred->ccache = ccc; - cred->client_gss_creds = NULL; - cred->client_gss_creds_obtained = CRED_UNINITIALISED; + cred->ccache_obtained = old_obtained; return ret; } diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 1dd63acc838..33ee4f301ed 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -27,7 +27,6 @@ #include "auth/kerberos/krb5_init_context.h" #include "librpc/gen_ndr/krb5pac.h" #include "lib/krb5_wrap/krb5_samba.h" -#include "lib/krb5_wrap/gss_samba.h" struct auth_user_info_dc; struct cli_credentials; 
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c index 639718cb6a6..616eebc968e 100644 --- a/source4/auth/kerberos/krb5_init_context.c +++ b/source
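Review bot: the `ret == ENOENT` case added at @@ -686,7 in cli_credentials_get_named_ccache() is explained only in the commit message. The existing comment below the condition describes a ccache without an initial ticket; extend it to say that the new Heimdal reports this state as ENOENT instead of KRB5_CC_END, so the extra errno comparison is not removed later as a mistake.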
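Review bot: in cli_credentials_shallow_ccache(), moving the reset to the top means the empty-ccache early return (the @@ -1077,7 hunk) now leaves cred->ccache_obtained at CRED_UNINITIALISED and clears client_gss_creds, where before only cred->ccache was set to NULL on that path. If that is the intended fix for the dangling values, say so in a comment above the reset block; old_obtained is only restored on the final success path, so the comment should also state that every failure return deliberately leaves the credentials uninitialised.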
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2da538a4585 python:tests: Don't require an emtpy 'authorization-data' to be present via bd804e0eef8 Revert "python:tests: Don't require an emtpy 'authorization-data' to be present" from 00c2425c2c1 s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2da538a4585bc8ead5fc4e4c4422b8fe638cb621 Author: Andreas Schneider Date: Thu Dec 16 07:24:58 2021 +0100 python:tests: Don't require an emtpy 'authorization-data' to be present Signed-off-by: Andreas Schneider Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184 commit bd804e0eef85ed4e05f9a3b7afbd29b1ba4a5d97 Author: Stefan Metzmacher Date: Mon Dec 20 17:02:12 2021 +0100 Revert "python:tests: Don't require an emtpy 'authorization-data' to be present" This reverts commit 36325f1ee907d38c978229da67de3844f969cd33. This was not the latest version from: https://gitlab.com/samba-team/samba/-/merge_requests/2304 The correct version follows... Signed-off-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/raw_testcase.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 8b6eec3c40d..1496ff961cd 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2502,7 +2502,9 @@ class RawKerberosTest(TestCaseInTempDir): v = self.getElementValue(ticket_private, 'authorization-data') if v is not None: -self.assertEqual(0, len(v)) +self.assertElementPresent(ticket_private, + 'authorization-data', + expect_empty=True) encpart_session_key = None if encpart_private is not None: -- Samba Shared Repository
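Review bot: in the raw_testcase.py hunk, `v` is now fetched only for the `is not None` test and assertElementPresent() looks the element up a second time. A one-line comment stating that an absent 'authorization-data' is accepted and only a present one must be empty would make the test match the commit subject, and the commit message should mention that it replaces the reverted 36325f1ee907d38c978229da67de3844f969cd33.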
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 07cb2246cb3 Happy New Year 2022! from 96b10702295 smbd: Assert we don't leak fd's in struct fd_handle https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 07cb2246cb36c70588ab19b2dd83d0a29851ae59 Author: Stefan Metzmacher Date: Sat Jan 1 01:31:01 2022 +0100 Happy New Year 2022! Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Jan 1 01:24:21 UTC 2022 on sn-devel-184 --- Summary of changes: source3/include/smb.h | 2 +- source4/samba/server.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smb.h b/source3/include/smb.h index 8638c80bf95..90105e00b14 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -30,7 +30,7 @@ #include "libds/common/roles.h" /* logged when starting the various Samba daemons */ -#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2021" +#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2022" #define SAFETY_MARGIN 1024 #define LARGE_WRITEX_HDR_SIZE 65 diff --git a/source4/samba/server.c b/source4/samba/server.c index 2915cd327c2..21a1d71b283 100644 --- a/source4/samba/server.c +++ b/source4/samba/server.c @@ -622,7 +622,7 @@ static int binary_smbd_main(TALLOC_CTX *mem_ctx, binary_name, SAMBA_VERSION_STRING)); DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team" - " 1992-2021\n")); + " 1992-2022\n")); if (sizeof(uint16_t) < 2 || sizeof(uint32_t) < 4 || -- Samba Shared Repository
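Review bot: The copyright year lives in two strings that must be edited together, the COPYRIGHT_STARTUP_MESSAGE macro in source3/include/smb.h (-30,7) and the literal passed to DEBUGADD in source4/samba/server.c (-622,7). If server.c can include that header, printing the macro there would leave a single line to change each year and remove the chance of the two startup banners disagreeing.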
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7d16a56b9d1 s4:dsdb/vlv_pagination: fix segfault in vlv_results() via 19fa22b1fbc s4:dsdb/paged_results: fix segfault in paged_results() from 7055827b8ff HEIMDAL: move code from source4/heimdal* to third_party/heimdal* https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc Author: Stefan Metzmacher Date: Wed Jan 19 15:57:08 2022 +0100 s4:dsdb/vlv_pagination: fix segfault in vlv_results() It can happen that the vlv_results() fails, e.g. due to LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not dereference ares->response, if ares is NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184 commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49 Author: Stefan Metzmacher Date: Wed Jan 19 15:57:08 2022 +0100 s4:dsdb/paged_results: fix segfault in paged_results() It can happen that the paged_results() fails, e.g. due to LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not dereference ares->response, if ares is NULL. We also should not call ldb_module_done() if paged_results() fails, as it was already called. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Reviewed-by: Douglas Bagnall --- Summary of changes: source4/dsdb/samdb/ldb_modules/paged_results.c | 19 --- source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 21 + 2 files changed, 25 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c index 3eea3236e7d..2063e84e157 100644 --- a/source4/dsdb/samdb/ldb_modules/paged_results.c +++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -239,6 +239,7 @@ static int paged_search_by_dn_guid(struct ldb_module *module, static int paged_results(struct paged_context *ac, struct ldb_reply *ares) { + struct ldb_extended *response = (ares != NULL ? ares->response : NULL); struct ldb_paged_control *paged; unsigned int i, num_ctrls; int ret; @@ -246,7 +247,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) if (ac->store == NULL) { ret = LDB_ERR_OPERATIONS_ERROR; return ldb_module_done( - ac->req, ac->controls, ares->response, ret); + ac->req, ac->controls, response, ret); } while (ac->store->last_i < ac->store->num_entries && ac->size > 0) { @@ -276,7 +277,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) continue; } else if (ret != LDB_SUCCESS) { return ldb_module_done( - ac->req, ac->controls, ares->response, ret); + ac->req, ac->controls, response, ret); } ret = ldb_module_send_entry(ac->req, result->msgs[0], @@ -318,7 +319,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) if (ac->controls == NULL) { ret = LDB_ERR_OPERATIONS_ERROR; return ldb_module_done( - ac->req, ac->controls, ares->response, ret); + ac->req, ac->controls, response, ret); } ac->controls[num_ctrls] = NULL; @@ -331,7 +332,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) if (ac->controls[i] == NULL) { ret = LDB_ERR_OPERATIONS_ERROR; return ldb_module_done( - ac->req, ac->controls, ares->response, ret); + ac->req, ac->controls, response, ret); } ac->controls[i]->oid = talloc_strdup(ac->controls[i], @@ -339,7 +340,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) if (ac->controls[i]->oid == NULL) { ret = LDB_ERR_OPERATIONS_ERROR; return ldb_module_done( - ac->req, ac->controls, ares->response, ret); + ac->req, ac->controls, response, ret); } ac->controls[i]->critical = 0; @@ -348,7 +349,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares) if
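Review bot: The new local `response` declared in paged_results() at -239,6 is the only guard against a NULL ares, and nothing in the visible hunks records when ares can be NULL. A short comment at the declaration naming the failure case from the commit message (for example LDB_ERR_TIME_LIMIT_EXCEEDED) would keep a later edit from reintroducing ares->response in one of the error returns. The commit message also says ldb_module_done() must not be called again after paged_results() fails; that caller-side change is not in the part of the changeset shown here and should be checked in the full diff.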
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d1891a0c4f6 autobuild: Fix path for libwbclient ldd checks from 7d16a56b9d1 s4:dsdb/vlv_pagination: fix segfault in vlv_results() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d1891a0c4f6f639f60d2063ca4c54d3b283e3636 Author: Andreas Schneider Date: Thu Jan 20 11:17:29 2022 +0100 autobuild: Fix path for libwbclient ldd checks Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 20 14:19:02 UTC 2022 on sn-devel-184 --- Summary of changes: script/autobuild.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index 041169e022e..6634356f031 100755 --- a/script/autobuild.py +++ b/script/autobuild.py 
@@ -894,14 +894,14 @@ tasks = { ("allshared-no-libldb", "find ./bin | grep -v 'module' | grep -v 'libldbsamba' | grep 'libldb' && exit 1; exit 0"), ("allshared-no-samba-nss_winbind", "ldd ./bin/plugins/libnss_winbind.so.2 | grep 'samba' && exit 1; exit 0"), ("allshared-no-samba-nss_wins", "ldd ./bin/plugins/libnss_wins.so.2 | grep 'samba' && exit 1; exit 0"), -("allshared-no-samba-libwbclient", "ldd ./bin/plugins/libwbclient.so.0 | grep 'samba' && exit 1; exit 0"), +("allshared-no-samba-libwbclient", "ldd ./bin/shared/libwbclient.so.0 | grep 'samba' && exit 1; exit 0"), ("allshared-no-samba-pam_winbind", "ldd ./bin/plugins/pam_winbind.so | grep -v 'libtalloc.so.2' | grep 'samba' && exit 1; exit 0"), ("allshared-no-public-nss_winbind", nm_grep_symbols("./bin/plugins/libnss_winbind.so.2", " T _nss_winbind_")), ("allshared-no-public-nss_wins", nm_grep_symbols("./bin/plugins/libnss_wins.so.2", " T _nss_wins_")), ("allshared-no-public-libwbclient", -nm_grep_symbols("./bin/plugins/libwbclient.so.0", " T wbc")), +nm_grep_symbols("./bin/shared/libwbclient.so.0", " T wbc")), ("allshared-no-public-pam_winbind", nm_grep_symbols("./bin/plugins/pam_winbind.so", "T pam_sm_")), ("allshared-no-public-winbind_krb5_locator", -- Samba Shared Repository
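Review bot: The ldd check for libwbclient in the hunk at -894,14 passes when the file does not exist, which is how the wrong ./bin/plugins path went unnoticed: in "ldd ./bin/shared/libwbclient.so.0 | grep 'samba' && exit 1; exit 0" a failing ldd gives grep no input, grep matches nothing, and the task exits 0. Putting an existence test in front, such as "test -f ./bin/shared/libwbclient.so.0 || exit 1;", would make a future path change fail the build instead of silently disabling the check. The other ldd lines visible in the context have the same shape.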
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fa5413b63c8 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode via f03abaec2ab s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode via fcf225a356a s3:winbindd: Remove trailing spaces from winbindd_ads.c via 9624e60e8c3 s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap via eb0fa26dce7 tests: Add test for disabling NTLMSSP for ldap client connections via 17ea2ccdabb s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos) via 5f6251abf2f s3:libads: Improve debug messages for SASL bind via 7785eb9b780 s3:libads: Disable NTLMSSP for FIPS via 49d18f2d6e8 s3:libads: Remove trailing spaces from sasl.c via afcdb090769 s3:utils: set ads->auth.flags using krb5_state via 6843bdae306 wafsamba: Add our own implmentation to generate the clangdb via 85dbc023c30 wafsamba: Remove clangdb code which doesn't work from 82a21581c63 build: Without getrandom() require gnutls 3.7.2 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9 Author: Pavel Filipenský Date: Fri Jan 21 12:01:33 2022 +0100 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96 Author: Pavel Filipenský Date: Tue Jan 18 19:44:54 2022 +0100 s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit fcf225a356abb06d1205f66eb79f707c85803cb5 Author: Pavel Filipenský Date: Tue Jan 18 19:47:38 2022 +0100 s3:winbindd: Remove trailing 
spaces from winbindd_ads.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95 Author: Pavel Filipenský Date: Tue Jan 4 12:00:20 2022 +0100 s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit eb0fa26dce77829995505f542af02e32df088cd6 Author: Pavel Filipenský Date: Mon Jan 3 15:33:46 2022 +0100 tests: Add test for disabling NTLMSSP for ldap client connections BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 17ea2ccdabbe935ef571e1227908d51b755707bc Author: Pavel Filipenský Date: Mon Jan 3 11:13:06 2022 +0100 s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos) BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 5f6251abf2f468b3744a96376b0e1c3bc317c738 Author: Pavel Filipenský Date: Fri Jan 7 10:31:19 2022 +0100 s3:libads: Improve debug messages for SASL bind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329 Author: Pavel Filipenský Date: Thu Dec 9 13:43:08 2021 +0100 s3:libads: Disable NTLMSSP for FIPS BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4 Author: Pavel Filipenský Date: Wed Dec 8 16:05:17 2021 +0100 
s3:libads: Remove trailing spaces from sasl.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Signed-off-by: Pavel Filipenský Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit afcdb090769f6f0f66428cd29f88b0283c6bd527 Author: Pavel Filipenský Date: Fri Dec 10 16:08:04 2021 +0100 s3:utils: set ads->auth.flags using krb5_state BUG: https://bugzilla.samba.org/show
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 809f4fe2c78 s4:librpc: raise log level for failed connection attempts from fa5413b63c8 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 809f4fe2c7862f25547cbdcf01160537e43e3f95 Author: Björn Jacke Date: Sun Jan 23 12:35:22 2022 +0100 s4:librpc: raise log level for failed connection attempts this keeps the log files silent when other DCs are currently not running. We saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now. https://bugzilla.samba.org/show_bug.cgi?id=11537 Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184 --- Summary of changes: source4/librpc/rpc/dcerpc_sock.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c index e7ecca73e3c..ec5a5ca8f8e 100644 --- a/source4/librpc/rpc/dcerpc_sock.c +++ b/source4/librpc/rpc/dcerpc_sock.c @@ -58,9 +58,9 @@ static void continue_socket_connect(struct composite_context *ctx) c->status = socket_connect_recv(ctx); if (!NT_STATUS_IS_OK(c->status)) { - DEBUG(0, ("Failed to connect host %s on port %d - %s\n", + DBG_NOTICE("Failed to connect host %s on port %d - %s\n", s->server->addr, s->server->port, - nt_errstr(c->status))); + nt_errstr(c->status)); composite_error(c, c->status); return; } 
@@ -240,9 +240,9 @@ static void continue_ip_open_socket(struct composite_context *ctx) c->status = dcerpc_pipe_open_socket_recv(ctx, s, &localaddr); if (!NT_STATUS_IS_OK(c->status)) { /* something went wrong... */ - DEBUG(0, ("Failed to connect host %s (%s) on port %d - %s.\n", + DBG_NOTICE("Failed to connect host %s (%s) on port %d - %s.\n", s->addresses[s->index - 1], s->target_hostname, - s->port, nt_errstr(c->status))); + s->port, nt_errstr(c->status)); if (s->addresses[s->index]) { struct composite_context *sock_ip_req; talloc_free(s->srvaddr); -- Samba Shared Repository
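Review bot: With both DEBUG(0, ...) calls turned into DBG_NOTICE, a connection failure in continue_socket_connect() (-58,9) or continue_ip_open_socket() (-240,9) is no longer recorded at log level 0. In the second hunk the message is followed by a retry on s->addresses[s->index], so notice level fits the per-address attempt, but the first hunk goes straight to composite_error(); consider keeping one message at a higher level for the case where no address is left to try, so an unreachable DC stays visible without raising the log level. The subject says "raise log level" while the change makes the messages less prominent; wording it as lowering the message priority would avoid confusion.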
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via d93892d2e8e ldb: version 2.4.2 from cf1ee828aa1 waf: Fix resolv_wrapper with glibc 2.34 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit d93892d2e8ed69758c15ab18bc03bba09e715bc6 Author: Stefan Metzmacher Date: Mon Jan 24 12:37:28 2022 +0100 ldb: version 2.4.2 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694 Signed-off-by: Stefan Metzmacher Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Mon Jan 24 12:44:54 UTC 2022 on sn-devel-184 --- Summary of changes: lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.2.sigs} | 0 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.2.sigs} | 0 lib/ldb/wscript | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.2.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.2.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.4.2.sigs similarity index 100% copy from lib/ldb/ABI/ldb-2.0.5.sigs copy to lib/ldb/ABI/ldb-2.4.2.sigs diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.4.2.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.4.2.sigs diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 986690181ec..c470f854b99 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -2,7 +2,7 @@ APPNAME = 'ldb' # For Samba 4.15.x -VERSION = '2.4.1' +VERSION = '2.4.2' import sys, os -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 401df670af4 VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 release. via c6bc927ac8f WHATSNEW: Up to Samba 4.16.0rc1. via 1c776e54cf3 tdb: version 1.4.6 from 809f4fe2c78 s4:librpc: raise log level for failed connection attempts https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - --- Summary of changes: VERSION | 6 +++--- WHATSNEW.txt| 2 +- lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.6.sigs} | 0 lib/tdb/wscript | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) copy lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.6.sigs} (100%) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ec3b043eaaa..ddecf60a1f0 100644 --- a/VERSION +++ b/VERSION @@ -77,7 +77,7 @@ SAMBA_VERSION_BETA_RELEASE= # e.g. SAMBA_VERSION_PRE_RELEASE=1 # # -> "2.2.9pre1" # -SAMBA_VERSION_PRE_RELEASE=1 +SAMBA_VERSION_PRE_RELEASE= # For 'rc' releases the version will be# @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=1 # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE= +SAMBA_VERSION_RC_RELEASE=1 # To mark SVN snapshots this should be set to 'yes'# @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT=no # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a65439c43da..71a8d9a103e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the first pre release of Samba 4.16. This is *not* +This is the first release candidate of Samba 4.16. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. diff --git a/lib/tdb/ABI/tdb-1.3.17.sigs b/lib/tdb/ABI/tdb-1.4.6.sigs similarity index 100% copy from lib/tdb/ABI/tdb-1.3.17.sigs copy to lib/tdb/ABI/tdb-1.4.6.sigs 
diff --git a/lib/tdb/wscript b/lib/tdb/wscript index 81132dc3276..2eb25b7f235 100644 --- a/lib/tdb/wscript +++ b/lib/tdb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'tdb' -VERSION = '1.4.5' +VERSION = '1.4.6' import sys, os -- Samba Shared Repository
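Review bot: In the VERSION hunk at -99,7 the comment block above the changed line still describes SVN ("To mark SVN snapshots", "SAMBA_VERSION_IS_SVN_SNAPSHOT=yes", "3.0.0-SVN-build-199") while the variable being set is SAMBA_VERSION_IS_GIT_SNAPSHOT. This file is edited by hand for every release, so updating the comment to name the GIT variable and the version string it produces would reduce the chance of setting the wrong key.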
[SCM] Samba Shared Repository - annotated tag ldb-2.4.2 created
The annotated tag, ldb-2.4.2 has been created at 7dd33795ae7be3c9556aae71d2e0a399be689941 (tag) tagging d93892d2e8ed69758c15ab18bc03bba09e715bc6 (commit) replaces samba-4.15.4 tagged by Stefan Metzmacher on Mon Jan 24 13:47:50 2022 +0100 - Log - ldb: tag release ldb-2.4.2 Andreas Schneider (1): waf: Fix resolv_wrapper with glibc 2.34 Jule Anger (1): VERSION: Bump version up to Samba 4.15.5... Stefan Metzmacher (1): ldb: version 2.4.2 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag ldb-2.5.0 created
The annotated tag, ldb-2.5.0 has been created at 3e87034f37af8e68b85968b71fc65e60b891697e (tag) tagging 1d5b155619bc532c46932965b215bd73a920e56f (commit) replaces tdb-1.4.5 tagged by Stefan Metzmacher on Mon Jan 24 13:25:10 2022 +0100 - Log - ldb: tag release ldb-2.5.0 Alenka Glukhovskaya (1): Added russian translate file Alex Richardson (8): Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups() charset_macosxfs.c: fix compilation on macOS audit_logging.c: fix compilation on macOS source3/printing/queue_process.c: fix build on macOS sec_ctx.c: Fix -Wunused-function warning on macOS source3/smbd/statcache.c: Fix -Wformat build error on macOS vfs_preopen.c: Fix -Wformat error on macOS Fix detection of rpc/xdr.h on macOS Alexander Bokovoy (2): CVE-2020-25717: Add FreeIPA domain controller role IPA DC: add missing checks Amitay Isaacs (1): lib/tsocket: Fix build on Freebsd Andreas Schneider (64): bootstrap: Install krb5-workstation on Fedora based distros autobuild: Exclude fips envs from samba and samba-mitkrb5 s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips python:waf: Correctly check for python-dateutil bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros lib:cmdline: Use lp_load_global() for servers selftest: Re-format long lines in selftesthelpers.py selftest: Add support for setting ENV variables in plansmbtorture4testsuite() selftest: Add support for setting ENV variables in plantestsuite() s3:selftests: Pass env variables to fips tests s4:selftests:
Pass env variables to fips tests selftest: Pass env variables to fips tests selftest: Remove fips env variables from client env auth:gensec: Use lpcfg_weak_crypto() s4:rpc_server: Allow to set user password in FIPS mode s4:libnet: Remove trailing whitespaces s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections netlogon:schannel: If weak crypto is disabled, do not announce RC4 support. selftest: Fix setting environ for plansmbtorture4testsuite() s4:selftest: Pass environ to plansmbtorture4testsuite() s4:torture: Remove trailing whitespaces in rpc.c s4:torture: Add rpc netlogon fips test configure: Do not put arguments into double quotes s3:winbindd: Add a check for the path length of 'winbindd socket directory' gitlab: Use shorter names for Samba AD DC env with MIT KRB5 mit-samba: Define debug class for kdb module mit-samba: Send the logging to the kdc log facility mit-samba: Use talloc_get_type_abort() instead of casting mit-samba: Only set the function opening bracket once s3:winbind: Do not start if the priviliged socket path is too long s3:winbindd: Pass the right variable to the debug message lib:replace: Remove trailing spaces from testsuite.c testsuite: Fix build with gcc >= 11.1.1 selftest: Add python path for compiled python modules like ldb third_party: Add a script to update waf third_party: Update waf to version 2.0.22 s3:utils: Fix format error lib:fuzzing: Fix quoting of --fuzz-target-ldflags docs-xml: Remove trailing spaces in smb.conf.5.xml docs-xml: Use /var/tmp for spooling in smb.conf.5 waf: Allow building with MIT KRB5 >= 1.20 Revert "gp: Apply Firewalld Policy" Revert "gp: Test Firewalld Group Policy Apply" Revert "gp: Add Firewalld ADMX templates" testprogs: Use new cmdline option for kerberos lib:cmdline: Fix -k option which doesn't expect anything third_party: Update pam_wrapper to version 1.1.4 editorconfig: Heimdal has mixed spaces and tabs with different width waf: Fix resolv_wrapper with glibc 2.34 gitlab-ci: Add Fedora 35 
and drop Fedora 33 CVE-2020-25719 mit-samba: Make ks_get_principal() internally public CVE-2020-25719 mit-samba: Add ks_free_principal() CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac() CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac() CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via 6417cadc277 ldb: version 2.3.3 from 1d181de02de auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit 6417cadc2770f5abc8aa78f32e1c25b83c4063f1 Author: Stefan Metzmacher Date: Mon Jan 24 12:37:28 2022 +0100 ldb: version 2.3.3 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694 Signed-off-by: Stefan Metzmacher Autobuild-User(v4-14-test): Stefan Metzmacher Autobuild-Date(v4-14-test): Mon Jan 24 14:00:42 UTC 2022 on sn-devel-184 --- Summary of changes: lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs} | 0 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} | 0 lib/ldb/wscript | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.3.sigs similarity index 100% copy from lib/ldb/ABI/ldb-2.0.5.sigs copy to lib/ldb/ABI/ldb-2.3.3.sigs diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.3.3.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.3.3.sigs diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 38f2d578c2e..4a0d807a731 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -2,7 +2,7 @@ APPNAME = 'ldb' # For Samba 4.14.x -VERSION = '2.3.2' +VERSION = '2.3.3' import sys, os -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag ldb-2.3.3 created
The annotated tag, ldb-2.3.3 has been created at 21997eae2e65206bbdbe92c99a2bd5b08fdd15f7 (tag) tagging 6417cadc2770f5abc8aa78f32e1c25b83c4063f1 (commit) replaces samba-4.14.11 tagged by Stefan Metzmacher on Mon Jan 24 15:04:10 2022 +0100 - Log - ldb: tag release ldb-2.3.3 Jeremy Allison (5): tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories. lib: util: Add a function nt_time_to_unix_timespec_raw(). s3: smbd: Create and use a common function for generating a fileid - create_clock_itime(). s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..). s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory() Jones Syue (1): s3: includes: Make the comments describing itime consistent. Always use "invented" time. Jule Anger (1): VERSION: Bump version up to Samba 4.14.12...
Stefan Metzmacher (10): selftest/Samba3: enable SMB1 for maptoguest s4:torture/libsmbclient: add libsmbclient.noanon_list test s4:selftest: run libsmbclient.noanon_list against maptoguest s3:libsmb: fix signing regression SMBC_server_internal() auth/credentials: cli_credentials_set_ntlm_response() pass session_keys s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors ldb: version 2.3.3 Volker Lendecke (1): ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tdb-1.4.6 created
The annotated tag, tdb-1.4.6 has been created at 294de0b8779c13cf2137cf3b70d1a5d0e11780c5 (tag) tagging 1c776e54cf33b46b2ed73263f093d596a0cdbb2f (commit) replaces tdb-1.4.5 tagged by Stefan Metzmacher on Mon Jan 24 13:24:26 2022 +0100 - Log - tdb: tag release tdb-1.4.6 Alenka Glukhovskaya (1): Added russian translate file Alex Richardson (8): Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups() charset_macosxfs.c: fix compilation on macOS audit_logging.c: fix compilation on macOS source3/printing/queue_process.c: fix build on macOS sec_ctx.c: Fix -Wunused-function warning on macOS source3/smbd/statcache.c: Fix -Wformat build error on macOS vfs_preopen.c: Fix -Wformat error on macOS Fix detection of rpc/xdr.h on macOS Alexander Bokovoy (2): CVE-2020-25717: Add FreeIPA domain controller role IPA DC: add missing checks Amitay Isaacs (2): lib/tsocket: Fix build on Freebsd ctdb-tests: Implement srvid_handler for dispatching messages Andreas Schneider (106): bootstrap: Install krb5-workstation on Fedora based distros autobuild: Exclude fips envs from samba and samba-mitkrb5 s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips python:waf: Correctly check for python-dateutil bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros lib:cmdline: Use lp_load_global() for servers selftest: Re-format long lines in selftesthelpers.py selftest: Add support for setting ENV variables in plansmbtorture4testsuite() selftest: Add support for setting ENV variables in plantestsuite()
s3:selftests: Pass env variables to fips tests s4:selftests: Pass env variables to fips tests selftest: Pass env variables to fips tests selftest: Remove fips env variables from client env auth:gensec: Use lpcfg_weak_crypto() s4:rpc_server: Allow to set user password in FIPS mode s4:libnet: Remove trailing whitespaces s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections netlogon:schannel: If weak crypto is disabled, do not announce RC4 support. selftest: Fix setting environ for plansmbtorture4testsuite() s4:selftest: Pass environ to plansmbtorture4testsuite() s4:torture: Remove trailing whitespaces in rpc.c s4:torture: Add rpc netlogon fips test configure: Do not put arguments into double quotes s3:winbindd: Add a check for the path length of 'winbindd socket directory' gitlab: Use shorter names for Samba AD DC env with MIT KRB5 mit-samba: Define debug class for kdb module mit-samba: Send the logging to the kdc log facility mit-samba: Use talloc_get_type_abort() instead of casting mit-samba: Only set the function opening bracket once s3:winbind: Do not start if the priviliged socket path is too long s3:winbindd: Pass the right variable to the debug message lib:replace: Remove trailing spaces from testsuite.c testsuite: Fix build with gcc >= 11.1.1 selftest: Add python path for compiled python modules like ldb third_party: Add a script to update waf third_party: Update waf to version 2.0.22 s3:utils: Fix format error lib:fuzzing: Fix quoting of --fuzz-target-ldflags docs-xml: Remove trailing spaces in smb.conf.5.xml docs-xml: Use /var/tmp for spooling in smb.conf.5 waf: Allow building with MIT KRB5 >= 1.20 Revert "gp: Apply Firewalld Policy" Revert "gp: Test Firewalld Group Policy Apply" Revert "gp: Add Firewalld ADMX templates" testprogs: Use new cmdline option for kerberos lib:cmdline: Fix -k option which doesn't expect anything third_party: Update pam_wrapper to version 1.1.4 editorconfig: Heimdal has mixed spaces and tabs with different width waf: 
Fix resolv_wrapper with glibc 2.34 gitlab-ci: Add Fedora 35 and drop Fedora 33 CVE-2020-25719 mit-samba: Make ks_get_principal() internally public CVE-2020-25719 mit-samba: Add ks_free_principal() CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac() CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac(
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 12464bd4c22 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test via 43648e95a51 librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0 via 8da26cb6725 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong via 1dc385cb648 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output. via d1a7f392a8c ndrdump: make use of dump_data_file_diff() in order to show differences via b489b7feda1 lib/util: add dump_data_diff*() helpers via 9110a8854a5 blackbox.ndrdump: adjust example files to changed dump_data() output. via 58b09e107ca lib/util: split out a dump_data_block16() helper via 0651fa474cd dcesrv_core: wrap gensec_*() calls in [un]become_root() calls via be1935dac8a WHATSNEW: Start release notes for Samba 4.17.0pre1. from d844bc6cbdb ldb: bump version to 2.6.0 for Samba 4.17.x releases https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 12464bd4c222d996aac6d6250b7945d63f20f4bc Author: Stefan Metzmacher Date: Fri Jan 21 20:42:45 2022 +0100 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test This actually reveals that ndr_push_string() for TargetName="" was failing before because it resulted in 1 byte for a subcontext with TargetLen=0. This is fixed now and we no longer expect ndrdump to exit with 1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184 commit 43648e95a514020da4c7efa62df55d0882e3db85 Author: Stefan Metzmacher Date: Wed Nov 3 13:57:50 2021 +0100 librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0 convert_string_talloc_handle() tries to play on the safe side and always returns a null terminated array. But for NDR we need to be correct on the wire...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 8da26cb6725b5d853ab481a348a3a672966715b5 Author: Stefan Metzmacher Date: Fri Jan 21 01:09:23 2022 +0100 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong convert_string_talloc() never returns a string with len=0 and always implies zero termination byte(s). For ndr_push_string this is unexpected as we need to be compatible on the wire and push 0 bytes for an empty string. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 1dc385cb648f0c37b04f4ede6b1c96916e379b23 Author: Stefan Metzmacher Date: Fri Jan 21 20:28:59 2022 +0100 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit d1a7f392a8ceef111a5d6c3d2a3bdb9dcb90db5e Author: Stefan Metzmacher Date: Wed Nov 3 13:32:48 2021 +0100 ndrdump: make use of dump_data_file_diff() in order to show differences This makes it much easier to detect differences in the given and generated buffers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit b489b7feda19b3c0f0fe2300f2c76d416776355b Author: Stefan Metzmacher Date: Wed Nov 3 11:40:13 2021 +0100 lib/util: add dump_data_diff*() helpers That will make it easy to see the difference between two memory buffers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 9110a8854a518befa2908c26076e17a085c5ec48 Author: Stefan Metzmacher Date: Fri Jan 21 20:06:40 2022 +0100 blackbox.ndrdump: adjust example files to changed dump_data() output. The cleanup using dump_data_block16() fixed the space handling. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 58b09e107cadd7fb8191822d4e7e42657b1ed4c7 Author: Stefan Metzmacher Date: Wed Nov 3 11:05:52 2021 +0100 lib/util: split out a dump_data_block16() helper This simplifies the logic a lot for me. It also fixes some corner cases regarding whitespaces in the output, that's why we have to mark a few tests as knownfail, they will be fixed in the next commit. BUG: https://bugzi
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 3fdc553c981 VERSION: Bump version up to 4.16.0rc2... from 401df670af4 VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 3fdc553c9812f1d857abc7ed328e21ec7b56796d Author: Stefan Metzmacher Date: Fri Jan 28 11:18:06 2022 +0100 VERSION: Bump version up to 4.16.0rc2... and re-enable GIT_SNAPSHOT. Signed-off-by: Stefan Metzmacher Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Fri Jan 28 11:17:33 UTC 2022 on sn-devel-184 --- Summary of changes: VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ddecf60a1f0..89dddc40217 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=1 +SAMBA_VERSION_RC_RELEASE=2 # To mark SVN snapshots this should be set to 'yes'# @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=1 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 29355d0a2d4 VERSION: Bump version up to Samba 4.16.0rc3... via a4763bd9d87 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc2 release. via 4c3863633d3 WHATSNEW: Add release notes for Samba 4.16.0rc2. via c278515c492 s3/rpc_server: install elasticsearch_mappings.json via b88d24e33b2 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT(). via 239e915b8f7 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename. via 86157b3c7bf CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert(). via f4202a0bccd CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks. via 4106af6d620 CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND. via b8da8b72205 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture. via c6d70dad3a2 CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND. via ea20599ff17 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix via e6ccaced533 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1. via 1dcd818303b CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2. 
via ef822984360 CVE-2021-44142: libadouble: harden parsing code via 03c6ba0054b CVE-2021-44142: libadouble: add basic cmocka tests via 39eb60d97a4 CVE-2021-44142: libadouble: harden ad_unpack_xattrs() via 36f847861bc CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs via 9d7dd721b81 CVE-2021-44142: libadouble: add defines for icon lengths via e4f18bfaec8 CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object via eaede91afd6 CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN from 4d3054261df blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 29355d0a2d4e2b64a0cd1b8d16067f94f1594114 Author: Jule Anger Date: Mon Jan 31 12:56:33 2022 +0100 VERSION: Bump version up to Samba 4.16.0rc3... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Mon Jan 31 15:26:29 UTC 2022 on sn-devel-184 commit a4763bd9d87f9efe93fa6d3ffc0ae9588663f8ef Author: Jule Anger Date: Mon Jan 31 12:56:06 2022 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc2 release. Signed-off-by: Jule Anger commit 4c3863633d31a3a45e5259e495c970e71df32732 Author: Jule Anger Date: Mon Jan 31 12:55:04 2022 +0100 WHATSNEW: Add release notes for Samba 4.16.0rc2. 
Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit c278515c492a1b9ca842e809120ecf3a1328d112 Author: Ralph Boehme Date: Thu Jan 27 12:06:55 2022 +0100 s3/rpc_server: install elasticsearch_mappings.json This was accidentally removed by a7c65958a15149918415b7456d6f20ee8c9669d2 because the original code only installed the json file if the mdssvc was built as module: if bld.SAMBA3_IS_ENABLED_MODULE('rpc_mdssvc_module'): bld.INSTALL_FILES(bld.env.SAMBA_DATADIR, 'mdssvc/elasticsearch_mappings.json') Installing the json file should just depend on Elasticsearch support being enabled, regardless of the removed module support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14961 Signed-off-by: Ralph Boehme Reviewed-by: Noel Power Autobuild-User(master): Noel Power Autobuild-Date(master): Fri Jan 28 10:22:31 UTC 2022 on sn-devel-184 (cherry picked from commit 0eecfddd071ea54844c56516dd7adc761be03c27) commit b88d24e33b2f4a2a540698520d76f1b8a2fe3e4d Author: Jeremy Allison Date: Tue Dec 7 22:19:29 2021 -0800 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT(). We need to take SMB1+POSIX into account here and do an LSTAT if it's a POSIX name. Remove knownfail.d/posix_sylink_rename BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison commit 239e915b8f721bab820ffba6ff355d828a34ffe9 Author: Jeremy Allison D
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e4e5539e402 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT(). via a44435c6e76 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename. via be138920200 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert(). via 43455edd29a CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks. via 458c7555a94 CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND. via f5b28d8aa33 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture. via 3e9f6d704d3 CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND. via 4e75e24baab CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix via 3bc85d615e6 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1. via 1f7e870ddad CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2. 
via 751d7696646 CVE-2021-44142: libadouble: harden parsing code via eb087934025 CVE-2021-44142: libadouble: add basic cmocka tests via c61a06503ed CVE-2021-44142: libadouble: harden ad_unpack_xattrs() via 96083abc0c3 CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs via a9211cfe6e4 CVE-2021-44142: libadouble: add defines for icon lengths via 1a5dc817c0c CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object via c58ede44f38 CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN from 6063e8016fc s4:kdc: Translate HDB flags to SDB flags https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e4e5539e402fd2116b4eb4f4f2d687da509491d6 Author: Jeremy Allison Date: Tue Dec 7 22:19:29 2021 -0800 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT(). We need to take SMB1+POSIX into account here and do an LSTAT if it's a POSIX name. Remove knownfail.d/posix_sylink_rename BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jan 31 16:26:26 UTC 2022 on sn-devel-184 commit a44435c6e763e042e6c4cdbb70fc0479f1662c66 Author: Jeremy Allison Date: Tue Dec 7 22:15:46 2021 -0800 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename. Add a knownfail.d/posix_sylink_rename BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison commit be13892020013377994634a2367c3aff53245f44 Author: Jeremy Allison Date: Tue Dec 7 14:39:42 2021 -0800 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert(). If filename_convert() fails to convert the path, we never call check_name(). 
This means we can return an incorrect error code (NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points outside the share to a non-readable directory. We need to make sure in this case we always call check_name(). Remove knownfail.d/symlink_traversal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison commit 43455edd29af00a0a4186f83557eec7481434170 Author: Jeremy Allison Date: Tue Dec 7 14:33:17 2021 -0800 CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks. NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure. NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure. Remove: samba3.blackbox.test_symlink_traversal.SMB1.posix samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\) samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\) in knownfail.d/symlink_traversal as we now pass these. Only one more fix remaining to get rid of knownfail.d/symlink_traversal completely. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911 Signed-off-by: Jeremy Allison commit 458c7555a94f8d1e6e132b2568e900fddba3b2f9 Author: Jeremy Allison Date: Tue Dec 7 11:44:09 2021 -0800 CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 735f3d7dde3 libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug via 99182af4ab5 libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len via 68e62962b08 selftest/quick: add smb2.session from 1905c77a080 lib:replace: Fix NULL issue reported by covscan https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 735f3d7dde3daf5d0af2e8a1de60422b88663992 Author: Stefan Metzmacher Date: Mon Jan 31 20:33:43 2022 +0100 libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug The initial implementation of gnutls_aead_cipher_decrypt() had a bug and used: *ptext_len = ctext_len; instead of: *ptext_len = ctext_len - tag_size; This got fixed with gnutls 3.5.2. As we only require gnutls 3.4.7 we need to cope with this... BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Feb 2 18:29:08 UTC 2022 on sn-devel-184 commit 99182af4ab5a3413311e27c2a193e09babceb01c Author: Stefan Metzmacher Date: Mon Jan 31 20:33:43 2022 +0100 libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len When the ptext_size != m_total check fails, we call this: status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); goto out; As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu() with NT_STATUS_OK, but without copying the decrypted data back into the callers buffer. Which leads to strange errors in the caller. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 68e62962b08497da8359ddbe4324443818c05cd1 Author: Stefan Metzmacher Date: Tue Feb 1 10:52:27 2022 +0100 selftest/quick: add smb2.session We run the quicktest on each linux distro as part of samba-o3 builds. We should make sure smb2 signing/enctyption works on all of them and all different system libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- Summary of changes: libcli/smb/smb2_signing.c | 24 +++- selftest/quick | 1 + wscript_configure_system_gnutls | 3 +++ 3 files changed, 27 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 4a94b026ccc..6efb87801cb 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -1251,9 +1251,31 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, ctext_size, ptext, &ptext_size); - if (rc < 0 || ptext_size != m_total) { + if (rc < 0) { + TALLOC_FREE(ptext); + TALLOC_FREE(ctext); + status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); + goto out; + } +#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG + /* +* Note that gnutls before 3.5.2 had a bug and returned +* *ptext_len = ctext_len, instead of +* *ptext_len = ctext_len - tag_size +*/ + if (ptext_size != ctext_size) { + TALLOC_FREE(ptext); + TALLOC_FREE(ctext); + rc = GNUTLS_E_SHORT_MEMORY_BUFFER; + status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); + goto out; + } + ptext_size -= tag_size; +#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */ + if (ptext_size != m_total) { TALLOC_FREE(ptext); TALLOC_FREE(ctext); + rc = GNUTLS_E_SHORT_MEMORY_BUFFER; status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); goto out; } diff --git a/selftest/quick b/selftest/quick index 0e79f1020bf..6700180c2c2 100644 --- a/selftest/quick +++ b/selftest/quick 
@@ -33,6 +33,7 @@ rpc.join rpc.handles rpc.echo smb.signing +smb2.session drs.unit samba4.blackbox.dbcheck.dc # This needs to be here to get testing of crypt_r() diff --git a/wscript_configure_
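Review bot: in the smb2_signing_decrypt_pdu() hunk, the two added "rc = GNUTLS_E_SHORT_MEMORY_BUFFER;" assignments (in the ptext_size != ctext_size branch and in the final ptext_size != m_total branch) carry no comment explaining why rc is overwritten. The commit message for 99182af4ab5 gives the reason: rc is 0 at that point, so gnutls_error_to_ntstatus() would hand NT_STATUS_OK back to the caller without the decrypted data having been copied. A one-line comment at each assignment would keep a later cleanup from removing them and silently restoring that behaviour. The three failure branches now repeat the same TALLOC_FREE(ptext); TALLOC_FREE(ctext); status = ...; goto out; sequence and could share one exit path. Inside the HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG block, "ptext_size -= tag_size;" depends on ctext_size being at least tag_size, which the visible lines do not establish; a note saying where that is guaranteed would help.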
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via c1f3b97 history/security.html: fix link to samba-4.13.17-security-2022-01-31.patch from e34ef99 CVE-2021-44142.html: fix CVE version https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit c1f3b97c449f7027f5a8f841478a8e1d18e649a9 Author: Stefan Metzmacher Date: Thu Feb 3 17:44:46 2022 +0100 history/security.html: fix link to samba-4.13.17-security-2022-01-31.patch Signed-off-by: Stefan Metzmacher --- Summary of changes: history/security.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/history/security.html b/history/security.html index 16f9acf..608884f 100755 --- a/history/security.html +++ b/history/security.html @@ -32,7 +32,7 @@ link to full release notes for each release. patch for Samba 4.15.5 patch for Samba 4.14.12 - + patch for Samba 4.13.17 CVE-2021-44141, CVE-2021-44142 and CVE-2022-0336. Please see announcements for details. -- Samba Website Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5e2386336c4 s3:trusts_utils: use a password length of 120 for machine accounts via ad0b5561b49 upgradehelpers.py: add a comment to update_krbtgt_account_password() via 725c94d57d3 provision: add a comment that the value of krbtgtpass is ignored in the backend via 6bb7c0f2491 upgradehelpers.py: let update_machine_account_password() use 120 character passwords via 3b91be36581 provision: use 120 characters for the dns account password via 59ac782452c samba-tool/join_member: let py_net_join_member() choose the password via 576bdb08c51 s3:py_net: allow machinepass=None to py_net_join_member() from 0d8084ed628 ctdb-protocol: CID 1499395: Uninitialized variables (UNINIT) https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5e2386336c49fab46c1192db972af5da1e916b32 Author: Stefan Metzmacher Date: Mon Feb 21 15:28:53 2022 +0100 s3:trusts_utils: use a password length of 120 for machine accounts This is important when we change the machine password against an RODC that proxies the request to an RWDC. An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER and reports NT_STATUS_OK as result of NetrServerPasswordSet2(). This hopefully found the last hole in our very robust machine account password handling logic inside of trust_pw_change(). The lesson is: try to be as identical to how windows works as possible, everything else may use is untested code paths on Windows. A similar problem was fixed by this commit: commit 609ca657652862fd9c81fd11f818efb74f72ff55 Author: Joseph Sutton Date: Wed Feb 24 02:03:25 2021 +1300 provision: Decrease the length of random machine passwords The current length of 128-255 UTF-16 characters currently causes generation of crypt() passwords to typically fail. This commit decreases the length to 120 UTF-16 characters, which is the same as that used by Windows. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621 Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184 commit ad0b5561b492dfa28acfc9604b2358bb8b490703 Author: Stefan Metzmacher Date: Mon Feb 21 15:23:54 2022 +0100 upgradehelpers.py: add a comment to update_krbtgt_account_password() The backend generates its own random krbtgt password values. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 725c94d57d3d656bc94633dacbac683a4c11d3e6 Author: Stefan Metzmacher Date: Mon Feb 21 15:22:50 2022 +0100 provision: add a comment that the value of krbtgtpass is ignored in the backend BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 6bb7c0f24918329804b7f4fb71908e8fab99e266 Author: Stefan Metzmacher Date: Mon Feb 21 15:22:06 2022 +0100 upgradehelpers.py: let update_machine_account_password() use 120 character passwords We already changed provision to use 120 character passwords with commit 609ca657652862fd9c81fd11f818efb74f72ff55. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 3b91be36581de1007427d539daffdaa62752412d Author: Stefan Metzmacher Date: Mon Feb 21 15:08:34 2022 +0100 provision: use 120 characters for the dns account password We should use the same as for the computer account. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 59ac782452c4993274fa837256a8b9c5675e707b Author: Stefan Metzmacher Date: Mon Feb 21 15:03:22 2022 +0100 samba-tool/join_member: let py_net_join_member() choose the password It means we'll let trust_pw_new_value() generate the password. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 576bdb08c51c47c390cc390fbefdcfee275b7f0f Author: S
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9eb27f296ae third_party/heimdal_build: Determine whether time_t is signed via 9936038fae7 s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer() via 6d8fec7006e third_party/heimdal_build: Add KDC_LIB macro definitions via ef95fb43923 auth: Cope with NULL upn_name in PAC via f6fe86924c2 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc() from afc2103da0f vfs_shadow_copy2: remove async getxattrat https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9eb27f296ae2b797803fffbb7f4cb34d8eb06f34 Author: Joseph Sutton Date: Thu Feb 24 15:24:13 2022 +1300 third_party/heimdal_build: Determine whether time_t is signed Without this, Heimdal will assume time_t is unsigned, and a wrong assumption will cause 'infinite' ticket lifetimes to be reckoned as from the past, and thus requests will fail with KDC_ERR_NEVER_VALID. This is an adaptation to Heimdal: commit 9ae9902249732237aa1711591604a6adf24963fe Author: Nicolas Williams Date: Tue Feb 15 17:01:00 2022 -0600 cf: Check if time_t is signed BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 
Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Mar 1 18:07:50 UTC 2022 on sn-devel-184 commit 9936038fae72fb440864be543e9afd500444d502 Author: Joseph Sutton Date: Thu Feb 24 15:30:17 2022 +1300 s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer() Heimdal will no longer allow us to pass a dummy zero-length buffer to krb5_pac_add_buffer(), so we have to pass a buffer of length 1 instead. This is an adaption to Heimdal: commit 190263bb7a56fc775b50a6cd0dc91820d2b2e5eb Author: Jeffrey Altman Date: Wed Jan 19 22:55:33 2022 -0500 assert non-NULL ptrs before calling mem funcs The definitions of memcpy(), memmove(), and memset() state that the behaviour is undefined if any of the pointer arguments are NULL, and some compilers are known to make use of this to optimise away existing NULL checks in the source. Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9 Link: https://www.imperialviolet.org/2016/06/26/nonnull.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 6d8fec7006e8eadf5967a6f2f5add7d3c2c7bd3e Author: Joseph Sutton Date: Tue Feb 22 15:30:17 2022 +1300 third_party/heimdal_build: Add KDC_LIB macro definitions This is an adaptation to Heimdal: commit 7bb00a40eabbed2bc1c268f5244bfb9736d9bebe Author: Luke Howard Date: Tue Jan 4 13:08:35 2022 +1100 kdc: fix Windows build BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit ef95fb439237910b945b8d6a3ad4a140a8d6d1ea Author: Joseph Sutton Date: Tue Feb 22 14:15:43 2022 +1300 auth: Cope with NULL upn_name in PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit f6fe86924c2ca756083d3628d5dbace0b12d06b0 Author: Stefan Metzmacher Date: Fri Feb 25 07:40:17 2022 +0100 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc() This is most likely not a problem for the current callers, but that it is unexpected and will likely cause problems with future changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: auth/auth_sam_reply.c | 12 +++- buildtools/wafsamba/samba_autoconf.py | 17 + source4/auth/sam.c | 19 ++- source4/kdc/pac-glue.c | 5 +++-- third_party/heimdal_build/wscript_build | 2 +- third_party/heimdal_build/wscript_configure | 2 ++ 6 files changed, 44 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index b5b6362dc93..fda014c87d5 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -616,11 +616,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, } if (pac_upn_dns_info != NULL) { -
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b7bc1f6dddc s4-kdc: Fix memory leak in FAST cookie handling from 688604a423b smbd: Simplify non_widelink_open() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b7bc1f6dddc1c5fee8a39422823f167db1f24bb2 Author: Andrew Bartlett Date: Tue Mar 8 22:46:02 2022 +1300 s4-kdc: Fix memory leak in FAST cookie handling The call to sdb_free_entry() was forgotten. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000 Signed-off-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184 --- Summary of changes: source4/kdc/hdb-samba4.c | 1 + 1 file changed, 1 insertion(+) Changeset truncated at 500 lines: diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index b10cc37e608..5720dfadc1f 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -229,6 +229,7 @@ static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context, ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex); + sdb_free_entry(&sdb_entry_ex); TALLOC_FREE(mem_ctx); return ret; -- Samba Shared Repository
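Review bot: in hdb_samba4_fetch_fast_cookie() the added sdb_free_entry(&sdb_entry_ex) runs unconditionally after sdb_entry_ex_to_hdb_entry_ex(), including when ret is non-zero, and the hunk carries no comment saying that entry_ex keeps nothing pointing into sdb_entry_ex once the conversion returns. A short comment stating that the conversion copies what it needs would make the lifetime explicit. It is also worth confirming that the return paths earlier in this function, which lie outside the visible context, cannot leave sdb_entry_ex populated and unfreed.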
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9b48e7f7eda third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d) via f1a71e24864 selftest: use 'kdc enable fast = no' for fl2000 fl2003 via 2db7589d69a s4:kdc: make use of the 'kdc enable fast' option via 12b623088cf docs-xml: add 'kdc enable fast' option via 67bdc922f98 third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864) from b7bc1f6dddc s4-kdc: Fix memory leak in FAST cookie handling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b Author: Stefan Metzmacher Date: Thu Mar 10 17:49:52 2022 +0100 third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d) This fixes the regressions against KDCs without FAST support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184 commit f1a71e24864367a55a30813dd642e7ef392b5ac9 Author: Stefan Metzmacher Date: Wed Mar 9 12:53:18 2022 +0100 selftest: use 'kdc enable fast = no' for fl2000 fl2003 This makes sure we still run tests against KDCs without FAST support and it already found a few regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton commit 2db7589d69abebad16b66d933114367f815d5fc3 Author: Stefan Metzmacher Date: Wed Mar 9 12:39:07 2022 +0100 s4:kdc: make use of the 'kdc enable fast' option This will be useful to test against a KDC without FAST support and find/prevent regressions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton commit 12b623088cf48cf9e4a046441810ef20e1f079b8 Author: Stefan Metzmacher Date: Wed Mar 9 12:39:07 2022 +0100 docs-xml: add 'kdc enable fast' option This will be useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton commit 67bdc922f9836779f1b37805575c5c4eea9ba3e6 Author: Stefan Metzmacher Date: Thu Mar 10 16:12:43 2022 +0100 third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton --- Summary of changes: docs-xml/smbdotconf/security/kdcenablefast.xml | 15 +++ lib/param/loadparm.c | 2 + selftest/target/Samba4.pm | 2 + source3/param/loadparm.c | 2 + source4/kdc/db-glue.c | 8 +- source4/kdc/kdc-heimdal.c | 7 + source4/selftest/tests.py | 5 +- third_party/heimdal/.github/workflows/coverity.yml | 68 ++ third_party/heimdal/.github/workflows/linux.yml| 146 + third_party/heimdal/.github/workflows/osx.yml | 122 + .../heimdal/.github/workflows/scanbuild.yml| 67 ++ third_party/heimdal/.github/workflows/valgrind.yml | 71 ++ third_party/heimdal/.github/workflows/windows.yml | 92 + third_party/heimdal/kdc/default_config.c | 9 ++ third_party/heimdal/kdc/fast.c | 3 + third_party/heimdal/kdc/kdc.h | 1 + third_party/heimdal/kdc/krb5tgs.c | 3 + third_party/heimdal/lib/krb5/fast.c| 98 -- third_party/heimdal/lib/krb5/get_cred.c| 76 +++ third_party/heimdal/lib/krb5/init_creds_pw.c | 1 - third_party/heimdal/lib/krb5/krb5.conf.5 | 2 + third_party/heimdal/lib/krb5/pac.c | 12 +- 
third_party/heimdal/tests/gss/check-context.in | 4 - 23 files changed, 762 insertions(+), 54 deletions(-) create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml create mode 100644 third_party/heimdal/.github/wo
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via e79f04a3179 WHATSNEW for Heimdal upgrade via f4236271500 WHATSNEW: older SMB1 command removal/simpliciation and deprecation from 41054b61231 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit e79f04a317906b1fbd9a53c831800088e2aab680 Author: Andrew Bartlett Date: Wed Mar 16 12:53:47 2022 +1300 WHATSNEW for Heimdal upgrade Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit f42362715008716ed8508645329a9b16995e7db9 Author: Andrew Bartlett Date: Thu Mar 17 07:53:37 2022 +1300 WHATSNEW: older SMB1 command removal/simpliciation and deprecation Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- Summary of changes: WHATSNEW.txt | 118 +++ 1 file changed, 103 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 83d77b5c028..31f656e4095 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -52,6 +52,46 @@ samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations. +Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support +-- + +Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos +implementation. This snapshot has now been updated and will closely +match what will be released as Heimdal 8.0 shortly. + +This is a major update, previously we used a snapshot of Heimdal from +2011, and brings important new Kerberos security features such as +Kerberos request armoring, known as FAST. This tunnels ticket +requests and replies that might be encrypted with a weak password +inside a wrapper built with a stronger password, say from a machine +account. + +In Heimdal and MIT modes Samba's KDC now supports FAST, for the +support of non-Windows clients. + +Windows clients will not use this feature however, as they do not +attempt to do so against a server not advertising domain Functional +Level 2012. Samba users are of course free to modify how Samba +advertises itself, but use with Windows clients is not supported "out +of the box". + +Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of +the FAST protocol. A future version will align this more closely with +Microsoft AD behaviour. + +If FAST needs to be disabled on your Samba KDC, set + + kdc enable fast = no + +in the smb.conf. + +The Samba project wishes to thank the numerous developers who have put +in a massive effort to make this possible over many years. In +particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer, +Isaac Boukris and Andrew Bartlett. Samba's developers in turn thank +their employers and in turn their customers who have supported this +effort over many years. + Certificate Auto Enrollment --- 
@@ -135,21 +175,69 @@ CTDB changes REMOVED FEATURES -SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed -=== - -In preparation for the removal of the SMB1 server, the unused -SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been -removed from the Samba smbd server. In addition, the ability -to process file name wildcards in requests using the SMB1 commands -SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command -number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and -SMB_COM_DELETE (SMB1 command number 0x6) have been removed. - -This only affects clients using MS-DOS based versions of -SMB1, the last release of which was Windows 98. Users requiring -support for these features will need to use older versions -of Samba. +Older SMB1 protocol SMBCopy command removed +--- + +SMB is a nearly 30-year old protocol, and some protocol commands that +while supported in all versions, have not seen widespread use. + +One of those is SMBCopy, a feature for a server-side copy of a file. +This feature has been so unmaintained that Samba has no testsuite for +it. + +The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was +introduced in the LAN Manager 1.0 dialect and it was rendered obsolete +in the NT LAN Manager dialect. + +Therefore it has been removed from the Samba smbd server. + +We do note that a fully supported and tested server-side copy is +present in SMB2, and can be accessed with "scopy" subcommand in +smbclient) + +SMB
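Review bot: in the new Heimdal/FAST section of WHATSNEW.txt (hunk at -52,6 +52,46), the paragraph that introduces 'kdc enable fast = no' never states the default, so the reader has to infer that FAST is active unless it is switched off. Suggest stating the default explicitly and adding one sentence on what is lost when the option is set to no, since the section itself describes FAST as protecting requests and replies 'that might be encrypted with a weak password'. In the same hunk, 'This is a major update, previously we used a snapshot of Heimdal from 2011, and brings important new Kerberos security features' is a comma splice and reads more clearly as two sentences.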
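Review bot: in the REMOVED FEATURES hunk (-135,21 +175,69), the last complete sentence of the new SMBCopy text ends with an unmatched closing parenthesis: 'can be accessed with "scopy" subcommand in smbclient)'. Drop the parenthesis, end the sentence with a period and add the article ('the "scopy" subcommand'). The opening sentence 'some protocol commands that while supported in all versions, have not seen widespread use' also has no main verb for 'commands'; 'some protocol commands, while supported in all versions, have not seen widespread use' would fix it.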
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 9d91942913e s3:libads: Fix creating local krb5.conf via 736df42fdf9 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string() via 9319309ac1a s3:libads: Remove obsolete free's of kdc_str via 3016f01d0c4 s3:libads: Allocate all memory on the talloc stackframe via a76c64f86d8 s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string() via 1f7b6fc56c5 s3:libads: Improve debug messages for get_kdc_ip_string() via 5608804f02d s3:libads: Leave early on error in get_kdc_ip_string() via fd2373c6bcf s3:libads: Remove trailing spaces in kerberos.c via 12c58adffe4 testprogs: Add test that local krb5.conf has been created via 9b6e8ae65e2 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal() via 1f1d6d4e745 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names via 54fd8eb1aac auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available via 5e81cde9fae s4:auth: rename user_info->mapped_state to user_info->cracknames_called via 2c15a949f5d winbindd: don't set mapped_state in winbindd_dual_auth_passdb() via 2e41cbc8bec nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN via 8cd57a22283 s3:auth: make_user_info_map() should not set mapped_state via 249b023f2b8 s4:auth: fix confusing DEBUG message in authsam_want_check() via a304052c4fc s4:auth: check for user_info->mapped.account_name if it needs to be filled via 070af6f1fa0 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging via 63a6fb82a77 s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging via c6bb5e62776 s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging via dffebcba823 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info via 240785f4e4f auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info via db17de0b611 s4:auth: encrypt_user_info() should set 
password_state instead of mapped_state via 2d425bb116a s4:auth: a simple bind uses the DCs name as workstation via 02824c7942d s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name() via e6926484533 rodc: Add tests for simple BIND alongside NTLMSSP binds via af30bd71cd3 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon via 0fcbfd39583 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON via 0da8b2b3683 dsdb/tests: add test_login_basics_simple() via ec84a7acfcc dsdb/tests: prepare BasePasswordTestCase for simple bind tests via 72698f73949 dsdb/tests: introduce assertLoginSuccess via 7b63119267a dsdb/tests: make use of assertLoginFailure helper via 92da29a1136 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps] via 84f7b94852a dsdb/tests: passwords.py don't need to import BasePasswordTestCase via 2bbb9a4298c python:tests: let insta_creds() also copy the bind_dn from the template from 39ae6f10fa6 VERSION: Bump version up to Samba 4.15.7... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 9d91942913e0481cfb4af80eeb5a316f6c9d2c3f Author: Andreas Schneider Date: Tue Mar 15 13:10:06 2022 +0100 s3:libads: Fix creating local krb5.conf We create an KDC ip string entry directly at the beginning, use it if we don't have any additional DCs. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner Autobuild-User(master): Günther Deschner Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184 (cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Thu Mar 17 10:35:11 UTC 2022 on sn-devel-184 commit 736df42fdf9b4f7977eb6857ff3ab91a5df62b65 Author: Andreas Schneider Date: Tue Mar 15 13:02:05 2022 +0100 s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99) commit 9319309ac1adf42765e9f3bf325000b92585cd3e Author: Andreas Schneider Date: Tue Mar 15 12:57:18 2022 +0100 s3:libads: Remove obsolete free's of kdc_str This is allocated on the stackframe now! BUG: ht
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via 1a1b789b2fe s4:kdc: redirect pre-authentication failured to an RWDC via 68f55294eb0 HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE from 3ae7ead5fd5 s3:libsmb: Fix errno for failed authentication in SMBC_server_internal() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit 1a1b789b2fe6672604f2e2f5c5e7a30f5a1c90a2 Author: Stefan Metzmacher Date: Fri Feb 18 17:17:02 2022 +0100 s4:kdc: redirect pre-authentication failured to an RWDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher (similar to commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be) Autobuild-User(v4-14-test): Stefan Metzmacher Autobuild-Date(v4-14-test): Fri Mar 18 11:55:11 UTC 2022 on sn-devel-184 commit 68f55294eb0c37da3c4e3f76d5c3154e762d46ad Author: Stefan Metzmacher Date: Fri Feb 18 17:17:02 2022 +0100 HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE On an RODC we need to redirect failing preauthentication to an RWDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher (similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216) --- Summary of changes: selftest/knownfail | 1 - source4/dsdb/tests/python/rodc_rwdc.py | 3 +- source4/heimdal/kdc/kerberos5.c| 10 - source4/kdc/hdb-samba4.c | 79 +++--- 4 files changed, 24 insertions(+), 69 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/knownfail b/selftest/knownfail index 2701fe4c5b3..c4c050403d0 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
@@ -374,7 +374,6 @@ ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\) # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos # NETLOGON is disabled in any non-DC environments ^samba.tests.netlogonsvc.python\(ad_member\) ^samba.tests.netlogonsvc.python\(simpleserver\) diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py index 21b7c05fcbe..6cd0e50e47b 100644 --- a/source4/dsdb/tests/python/rodc_rwdc.py +++ b/source4/dsdb/tests/python/rodc_rwdc.py @@ -1166,8 +1166,7 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase): creds2 = make_creds(username, password) self.try_ldap_logon(RWDC, creds2) -# We can forward WRONG_PASSWORD over NTLM. -# This SHOULD succeed. +# The RODC forward WRONG_PASSWORD to the RWDC self.try_ldap_logon(RODC, creds2) def test_change_password_reveal_on_demand_ntlm(self): diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index c1d4cb1d4aa..9684364c519 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context, free_EncryptedData(&enc_data); - if (clientdb->hdb_auth_status) - (clientdb->hdb_auth_status)(context, clientdb, client, + if (clientdb->hdb_auth_status) { + ret = (clientdb->hdb_auth_status)(context, clientdb, client, from_addr, &_kdc_now, client_name, str ? str : "unknown enctype", HDB_AUTH_WRONG_PASSWORD); + if (ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name); + free(str); + goto out; + } + } free(str); diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 2ed7a5e0623..43e836f8360 100644 
--- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -311,60 +311,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, irpc_handle, &req); } -static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, - struct samba_kdc_db_context *kdc_db_ctx, - struct auth_usersupplied_info *user_info) -{ - struct dcerpc_binding_handle
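Review bot: in the _kdc_as_rep() hunk of source4/heimdal/kdc/kerberos5.c, ret is now assigned the return value of the hdb_auth_status callback, but only HDB_ERR_NOT_FOUND_HERE is acted on; any other value stays in ret and execution falls through to the free(str) that follows. Either capture the callback result in a separate local so ret is untouched on the fall-through path, or add a comment stating that ret is reassigned before it is next read, so a backend returning some other error cannot change the outcome of the wrong-password path. A short comment above the new branch saying that HDB_ERR_NOT_FOUND_HERE is how an RODC hands the failed pre-authentication to an RWDC would also help, since the log text only says 'forward to proxy'.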
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cf8048cd49a s4:rpc_server/samr: Use extended DN when searching for user via 7b710a05de4 samba-tool group: Add --special parameter to add predefined special group via 4f1b7684ed4 functionalprep.sh: Add test for samba-tool add group --special via bf509bf7df1 tests/sam: Ensure that Protected Users group cannot be deleted via 62cf7a4ad3e s4:rpc_server/samr: Simplify lp_ctx expression via 16a7ce0cdfb s4:auth: Disable NTLM authentication for Protected Users via 402d5f59bcb s4:kdc: Add KDC support for Protected Users group via 233ce6b2b88 s4:kdc: Add function to get user_info_dc from database via 831c245adb3 s4:kdc: simplify samba_kdc_message2entry by using data_blob_string_const("computer") via 3a8670c4ca2 dsdb/common: Add helper function for determining if account is in Protected Users group via fb0f65b0b5f s4:provision_users.ldif: Add Protected Users group via 410b8b7e06b tests/passwords: Test that LDAP password changes work for Protected Users via fd765aaa5b3 tests/password_lockout: Test NTLM and SAMR password changes with Protected Users via 3e0c94a345d tests/krb5: Add tests for the Protected Users group via eba1a9d964b auth/credentials: Add encrypt_samr_password() via b308240cb4b selftest/dbcheck: Fix up msDS-RevealedUsers links with deleted target DN via ded5115f73d tests/krb5: Add helper function to modify ticket flags via c80cd8c9570 tests/krb5: Remove unused import via 042137f8fa5 tests/krb5: Add account to cleanup list before adding it to database via 539cdaa75ba tests/krb5: Add more encryption type constants via 90e5802773a tests/krb5: Remove accounts in reverse order of addition via 26334df74fa s4:kdc: Fix copy-paste typo from c91af5f1a8b tests/krb5: Simplify logic https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cf8048cd49abba5f3da297530219fca6c67f4da1 Author: Joseph Sutton Date: Thu Mar 3 14:54:00 2022 +1300 s4:rpc_server/samr: Use extended DN when searching for user Switch to dsdb_search() for 
looking up the user for changing the password, and specify that we want extended DNs. Using the SID or GUID avoids a race condition if the DN of the user changes. Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184 commit 7b710a05de4aa66b6b20ff399f7ef64c506353af Author: Joseph Sutton Date: Thu Feb 10 17:14:56 2022 +1300 samba-tool group: Add --special parameter to add predefined special group This allows default security groups that have been added since Windows Server 2008 R2, such as Protected Users, to be created in pre-existing domains. An error message is generated if a group already exists with the same name, DN, or SID. Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 4f1b7684ed437d1e4bf77a867ee0384bc939f312 Author: Joseph Sutton Date: Thu Mar 3 20:59:48 2022 +1300 functionalprep.sh: Add test for samba-tool add group --special Test that we can add the special Protected Users group, and that we get an appropriate error message when attempting to add it a second time. We add these tests here so that we can make use of an old provision that does not already have the Protected Users group added. 
Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit bf509bf7df1348f4793a32dea99c9ec3384c9ad0 Author: Joseph Sutton Date: Wed Feb 2 15:47:05 2022 +1300 tests/sam: Ensure that Protected Users group cannot be deleted Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 62cf7a4ad3eaad056604809880549ab7c8f4196c Author: Joseph Sutton Date: Thu Feb 3 15:17:40 2022 +1300 s4:rpc_server/samr: Simplify lp_ctx expression Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 16a7ce0cdfb8acba782436066cc8383900ef7e93 Author: Joseph Sutton Date: Tue Feb 1 21:08:44 2022 +1300 s4:auth: Disable NTLM authentication for Protected Users We also move the authentication to after checking whether the user is protected, so that if a user in the Protected Users group tries to authenticate with a wrong password, the bad password count is not incremented and the account is not locked out. This does not match MS-APDS, but matches the behaviour of Windows. Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher commit 402d5f59bcb1929cf3db5efb03edf2f62748e40e Author: Joseph Sutton Date: Wed Feb 2 17:08:41 2022 +1300 s4:kdc: Add KDC support for Protected Users group Accounts in the
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via b4d5a906df8 s4:kdc: redirect pre-authentication failured to an RWDC via 5aa5648cc4b HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE from 9d91942913e s3:libads: Fix creating local krb5.conf https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit b4d5a906df8b23363365559e31887403bace1482 Author: Stefan Metzmacher Date: Fri Feb 18 17:17:02 2022 +0100 s4:kdc: redirect pre-authentication failured to an RWDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher (similar to commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Sat Mar 19 02:38:24 UTC 2022 on sn-devel-184 commit 5aa5648cc4b0497a000c31e8b40cdaaa6c18769e Author: Stefan Metzmacher Date: Fri Feb 18 17:17:02 2022 +0100 HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE On an RODC we need to redirect failing preauthentication to an RWDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher (similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216) --- Summary of changes: selftest/knownfail | 1 - source4/dsdb/tests/python/rodc_rwdc.py | 3 +- source4/heimdal/kdc/kerberos5.c| 10 - source4/kdc/hdb-samba4.c | 79 +++--- 4 files changed, 24 insertions(+), 69 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/knownfail b/selftest/knownfail index 9f362c02b47..b5e52753968 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
@@ -365,7 +365,6 @@ ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\) # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos # NETLOGON is disabled in any non-DC environments ^samba.tests.netlogonsvc.python\(ad_member\) ^samba.tests.netlogonsvc.python\(simpleserver\) diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py index d405cd0d5ec..53d54807a3d 100644 --- a/source4/dsdb/tests/python/rodc_rwdc.py +++ b/source4/dsdb/tests/python/rodc_rwdc.py @@ -1165,8 +1165,7 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase): creds2 = make_creds(username, password) self.try_ldap_logon(RWDC, creds2) -# We can forward WRONG_PASSWORD over NTLM. -# This SHOULD succeed. +# The RODC forward WRONG_PASSWORD to the RWDC self.try_ldap_logon(RODC, creds2) def test_change_password_reveal_on_demand_ntlm(self): diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index b8fec62333d..11b334e46fe 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -1358,13 +1358,19 @@ _kdc_as_rep(krb5_context context, free_EncryptedData(&enc_data); - if (clientdb->hdb_auth_status) - (clientdb->hdb_auth_status)(context, clientdb, client, + if (clientdb->hdb_auth_status) { + ret = (clientdb->hdb_auth_status)(context, clientdb, client, from_addr, &_kdc_now, client_name, str ? str : "unknown enctype", HDB_AUTH_WRONG_PASSWORD); + if (ret == HDB_ERR_NOT_FOUND_HERE) { + kdc_log(context, config, 5, "client %s HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name); + free(str); + goto out; + } + } free(str); diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 2ed7a5e0623..43e836f8360 100644 
--- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -311,60 +311,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, irpc_handle, &req); } -static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, - struct samba_kdc_db_context *kdc_db_ctx, - struct auth_usersupplied_info *user_info) -{ - struct dcerpc_binding_handle *irpc_handle; - struct winbi
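Review bot: in the source4/dsdb/tests/python/rodc_rwdc.py hunk, the replacement comment '# The RODC forward WRONG_PASSWORD to the RWDC' drops the expected outcome that the removed lines stated ('This SHOULD succeed'), and 'forward' should be 'forwards'. Suggest keeping the expected result of the following try_ldap_logon(RODC, creds2) call in the comment, as the removed text did, so the intent of the assertion stays documented next to it.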
[SCM] Samba Shared Repository - branch master updated
ia 829bb366f33 s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end via 6152db35a66 s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 'k' at the beginning via ba6fccf4439 s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at the beginning via 7312bca8c7a s4:kdc: remove unused mkvno from sdb_key via ab0946a75d5 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos from 80d72b532f6 smbd: Make an if-statement in ReadDirName() a bit more readable https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d1d65d271ecda41dc13627bbca213181dac28c41 Author: Andrew Bartlett Date: Tue Mar 8 22:49:31 2022 +1300 s4:kdc: Expose samba_kdc_message2entry_keys() This allows the KDC to share the supplementalCredentials parsing code with other parts of Samba that could use it. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184 commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8 Author: Andrew Bartlett Date: Wed Mar 23 13:07:29 2022 +1300 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys() By putting this in the caller we potentially allow samba_kdc_message2entry_keys() to be reused by a non-KDC caller. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit 2340a9a44f429f0b2e15668c1646b8efedece6c9 Author: Andrew Bartlett Date: Wed Mar 23 10:13:54 2022 +1300 s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry() This avoids making a call out in samba_kdc_message2entry_keys() and allows for potential reuse of the key parsing code. 
Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit 2684856aac6a789ef13fbcfc631890d7447b53f8 Author: Andrew Bartlett Date: Tue Mar 8 22:48:50 2022 +1300 s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys() This will help with a future caller. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 548169a3e20cd6ee4a5d9320b85b2dea4ffe0eea Author: Andrew Bartlett Date: Wed Mar 23 09:47:53 2022 +1300 s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys() We should not surprise the callers by returning more keys than we asked to filter by and avoids duplicating the protected_users logic within samba_kdc_set_fixed_keys(). Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit 2d9fd3855f3c50c17111a72f6247aabd02e575be Author: Andrew Bartlett Date: Wed Mar 23 09:47:53 2022 +1300 s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys() Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit 01e7425fab7fcd8887dbd25c7179bb6669853fae Author: Stefan Metzmacher Date: Fri Feb 11 21:42:06 2022 +0100 s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too We return the requested kvno if given, otherwise we include the old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 5f28a9481f45903d9d7a405f89ead314dbebd775 Author: Stefan Metzmacher Date: Wed Mar 23 00:41:13 2022 +0100 s4:kdc: add old and older keys to sdb_entry This is the first step to return the password history in order to avoid badPwdCount updates for failing pre-authentication with passwords from the recent history.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit d062225e25c85c942f79ce426a003d122b69ae9b Author: Stefan Metzmacher Date: Fri Jul 19 13:22:48 2019 +0200 s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys() We need a way to ask for a specific kvno if SDB_F_KVNO_SPECIFIED is requested. And also include the old and older keys from the password history in the next commits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit d05f2323d308fe4f3e88979f3ee5b41461c436f9 Author: Stefan Metzmacher Date: Wed Mar 23 04:29:20 2022 +0100 s4:kdc: finally remove unused 'struct sdb_entry_ex' Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 57bf97523150f2052bee2e
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 41c72ae9f95 examples: Update winbindd.stp and its generator script via 3e747891a04 s3:winbind: Convert Ping parent/child call to NDR via 0d668dfb751 s3:winbind: Return NTSTATUS from wbint_Ping() RPC function via 00ea654961a s3:winbind: Convert wcache_opnum_cacheable() to a whitelist from c788ed7b8b4 samba-gpupdate: Implement enhanced logging https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 41c72ae9f9530e04e249bbd73356bb44a7e945e4 Author: Samuel Cabrero Date: Wed Mar 9 12:11:00 2022 +0100 examples: Update winbindd.stp and its generator script Signed-off-by: Samuel Cabrero Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 25 17:57:18 UTC 2022 on sn-devel-184 commit 3e747891a04a161b34e8be1aab03371632ede192 Author: Samuel Cabrero Date: Wed Feb 16 13:41:05 2022 +0100 s3:winbind: Convert Ping parent/child call to NDR Signed-off-by: Samuel Cabrero Reviewed-by: Stefan Metzmacher commit 0d668dfb75145af654eb779bdbbc0261d8f5bb15 Author: Samuel Cabrero Date: Wed Mar 9 11:56:33 2022 +0100 s3:winbind: Return NTSTATUS from wbint_Ping() RPC function There are no users of this function but the next commit will convert the struct-based WINBINDD_PING call to a local RPC wbint_Ping() call. Signed-off-by: Samuel Cabrero Reviewed-by: Stefan Metzmacher commit 00ea654961a790acd17e445b1eb0aec3296a60cc Author: Samuel Cabrero Date: Wed Mar 9 17:44:17 2022 +0100 s3:winbind: Convert wcache_opnum_cacheable() to a whitelist It avoids having to explicitly blacklist new DCE/RPC calls. This is the current list of non cacheable calls: NDR_WBINT_PING NDR_WBINT_QUERYSEQUENCENUMBER NDR_WBINT_ALLOCATEUID NDR_WBINT_ALLOCATEGID NDR_WBINT_CHECKMACHINEACCOUNT NDR_WBINT_CHANGEMACHINEACCOUNT NDR_WBINT_PINGDC NDR_WBINT_LISTTRUSTEDDOMAINS It includes the ListTrustedDomains call recently converted to a local RPC call. 
Signed-off-by: Samuel Cabrero Reviewed-by: Stefan Metzmacher --- Summary of changes: examples/systemtap/generate-winbindd.stp.sh | 4 +-- examples/systemtap/winbindd.stp | 42 ++--- librpc/idl/winbind.idl | 2 +- source3/winbindd/winbindd_async.c | 34 --- source3/winbindd/winbindd_cache.c | 24 ++--- source3/winbindd/winbindd_domain.c | 4 --- source3/winbindd/winbindd_domain_info.c | 38 -- source3/winbindd/winbindd_dual_srv.c| 3 ++- source3/winbindd/winbindd_idmap.c | 4 --- source3/winbindd/winbindd_locator.c | 4 --- source3/winbindd/winbindd_proto.h | 3 --- source3/winbindd/wscript_build | 1 - 12 files changed, 65 insertions(+), 98 deletions(-) delete mode 100644 source3/winbindd/winbindd_async.c Changeset truncated at 500 lines: diff --git a/examples/systemtap/generate-winbindd.stp.sh b/examples/systemtap/generate-winbindd.stp.sh index ec8e3af2828..5a4507874e4 100755 --- a/examples/systemtap/generate-winbindd.stp.sh +++ b/examples/systemtap/generate-winbindd.stp.sh @@ -2,13 +2,13 @@ outfile="$(dirname $0)/winbindd.stp" -child_funcs="winbindd_dual_ping -winbindd_dual_init_connection +child_funcs="winbindd_dual_init_connection winbindd_dual_pam_auth winbindd_dual_pam_auth_crap winbindd_dual_pam_logoff winbindd_dual_pam_chng_pswd_auth_crap winbindd_dual_pam_chauthtok +_wbint_Ping _wbint_ListTrustedDomains _wbint_LookupSid _wbint_LookupSids diff --git a/examples/systemtap/winbindd.stp b/examples/systemtap/winbindd.stp index 60dd80a5c76..94f05596771 100644 --- a/examples/systemtap/winbindd.stp +++ b/examples/systemtap/winbindd.stp @@ -2,7 +2,7 @@ # # Systemtap script to instrument winbindd # -# Generated by examples/systemtap/generate-winbindd.stp.sh on mar 15 feb 2022 17:45:48 CET, do not edit +# Generated by examples/systemtap/generate-winbindd.stp.sh on mié 09 mar 2022 12:10:37 CET, do not edit # # Usage: # 
@@ -23,26 +23,6 @@ probe begin { printf("Collecting data, press ctrl-C to stop... ") } -# -# winbind domain child function winbindd_dual_ping -# - -probe process("winbindd").function("winbindd_dual_ping") { - dc_running[tid(), "winbindd_dual_ping"] = gettimeofday_us() -} - -probe process("winbindd").function("winbindd_dual_ping").return { - if (!([tid(), "winbindd_dual_ping"] in dc_running)) - next - - end = gettimeofday_us() - begin = dc_running[tid(), "winbindd_dual_ping"] -
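Review bot: in the first examples/systemtap/winbindd.stp hunk (-2,7 +2,7), the regenerated header line embeds a locale-formatted timestamp, which changes from 'mar 15 feb 2022 17:45:48 CET' to 'mié 09 mar 2022 12:10:37 CET'. Every regeneration therefore rewrites this line, and the day and month names (including a non-ASCII character) depend on the developer's locale. Suggest having generate-winbindd.stp.sh emit the date under a fixed locale such as LC_ALL=C, or drop the timestamp from the header, so the generated file only changes when the probe list does.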
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries from 127f728d58e vfs_gpfs: Initialize litemask to 0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 14e7112734bbb31db99e394323ef2cb31385ebf7 Author: Andrew Bartlett Date: Mon Mar 28 11:16:51 2022 +1300 waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries These options are confusing to all who encounter them. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8731 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Mar 28 10:06:01 UTC 2022 on sn-devel-184 --- Summary of changes: buildtools/wafsamba/wscript | 67 - 1 file changed, 60 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript index 62b63fef145..a4d6f3e5c49 100644 --- a/buildtools/wafsamba/wscript +++ b/buildtools/wafsamba/wscript 
@@ -30,11 +30,37 @@ def options(opt): gr = opt.option_group('library handling options') gr.add_option('--bundled-libraries', - help=("comma separated list of bundled libraries. May include !LIBNAME to disable bundling a library. Can be 'NONE' or 'ALL' [auto]"), + help=(f'''comma separated list of bundled libraries. + +{Context.g_module.APPNAME} includes copies of externally maintained +system libraries (such as popt, cmokca) as well as Samba-maintained +libraries that can be found on the system already (such as talloc, +tdb). + +This option, most useful for packagers, controls if each library +should be forced to be obtained from inside Samba (bundled), forced to +be obtained from the system (bundling disabled, ensuing that +dependency errors are not silently missed) or if that choice should be +automatic (best for end users). + +May include !LIBNAME to disable bundling a library. + +Can be 'NONE' or 'ALL' [auto]'''), action="store", dest='BUNDLED_LIBS', default='') gr.add_option('--private-libraries', - help=("comma separated list of normally public libraries to build instead as private libraries. May include !LIBNAME to disable making a library private in order to limit the effect of 'ALL'"), + help=(f'''comma separated list of normally public libraries to build instead as private libraries. + +By default {Context.g_module.APPNAME} will publish a number of public +libraries for use by other software. For Samba this would include +libwbclient, libsmbclient and others. + +This allows that to be disabled, to ensure that other software does +not use these libraries and they are placed in a private filesystem +prefix. + +May include !LIBNAME to disable making a library private in order to +limit the effect of 'ALL' '''), action="store", dest='PRIVATE_LIBS', default='') extension_default = default_value('PRIVATE_EXTENSION_DEFAULT') 
@@ -48,12 +74,33 @@ def options(opt): action="store", dest='PRIVATE_EXTENSION_EXCEPTION', default=extension_exception) builtin_default = default_value('BUILTIN_LIBRARIES_DEFAULT') -gr.add_option('--builtin-libraries', - help=("command separated list of libraries to build directly into binaries [%s]" % builtin_default), - action="store", dest='BUILTIN_LIBRARIES', default=builtin_default) +gr.add_option('--builtin-libraries', help=( +f'''comma separated list of libraries to build directly into binaries. + +By default {Context.g_module.APPNAME} will build a large number of +shared libraries, to reduce binary size. This overrides this +behaviour and essentially statically links the specified libraries into +each binary [{builtin_default}]'''), + action="store", + dest='BUILTIN_LIBRARIES', default=builtin_default) gr.add_option('--minimum-library-version', - help=("list of minimum system library versions (LIBNAME1:version,LIBNAME2:version)"), + help=( +f'''list of minimum system library versions for otherwise bundled +libraries. + +{Context.g_module.APPNAME} by def
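Review bot: the new --bundled-libraries help text in the @@ -30,11 +30,37 @@ hunk carries two typos that will be shown to every user of the option help: "cmokca" should be "cmocka", and "ensuing that dependency errors are not silently missed" should read "ensuring that ...". In the same hunk the --private-libraries string ends with a stray space before the closing quotes ("limit the effect of 'ALL' '''"), which is worth trimming while the text is being rewritten anyway.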
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f7f65ceb46d s4:dsdb/descriptor: skip duplicates in descriptor_sd_propagation_object() via bd1e667a62d s4:dsdb/descriptor: sort descriptor_changes tree based via ce38b30cdcf s4:dsdb/descriptor: pass parent guid to dsdb_module_schedule_sd_propagation() via b812ade416f s4:dsdb/descriptor: skip duplicates in descriptor_extended_sec_desc_propagation() via 4c32f46a868 s4:dsdb/descriptor: add statistics for security descriptor propagation via 8597cc9d6c8 s4:dsdb/descriptor: split out struct descriptor_transaction via 36ccb98aba8 python/join: improve logging of join_replicate() from 420bbb1d92f wafsamba: require PYTHONHASHSEED=1 to be exported https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f7f65ceb46d04e48667e6cba8f3e9b9fd0cd290e Author: Stefan Metzmacher Date: Thu Feb 10 12:46:10 2022 +0100 s4:dsdb/descriptor: skip duplicates in descriptor_sd_propagation_object() We're now sure that the security descriptor propagation happened first for parent objects. It means we can safely skip processing the same object twice in descriptor_sd_propagation_object(). For the database with ~ 22000 objects it reduced the commit time from 2m 50s down to 2m 24s. The statistics are changed from: descriptor_prepare_commit: changes: num_registrations=5 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=68800 to: descriptor_prepare_commit: changes: num_registrations=5 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=22000 descriptor_prepare_commit: objects: num_skipped=41600 It means that we have "changes: num_registered" and "objects: num_processed" exactly match the number of replicated objects. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Mar 30 12:06:21 UTC 2022 on sn-devel-184 commit bd1e667a62d63c51a3b5e43660c7c23dd855785a Author: Stefan Metzmacher Date: Thu Feb 10 17:19:31 2022 +0100 s4:dsdb/descriptor: sort descriptor_changes tree based For the hot code path, e.g. the commit after the initial replication, we typically have one descriptor_changes for each object in the database. It means that we most likely have 5 naming contexts/partitions. Except of their head/root object have a valid parent_guid, so can move all of them into the tree structure. Now we start the processing at the partition root objects, which means that we also process all child objects in the same run. While processing these objects we are most likely able to mark their related descriptor_changes structure as done removing it from the hierarchy. With the 22000 object domain it reduces the time spent in the commit stage from 3m 20s down to 2m 50s. The statistics are changed from: descriptor_prepare_commit: changes: num_registrations=5 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_processed=22000 descriptor_prepare_commit: objects: num_processed=80800 to: descriptor_prepare_commit: changes: num_registrations=5 descriptor_prepare_commit: changes: num_registered=22000 descriptor_prepare_commit: changes: num_toplevel=5 descriptor_prepare_commit: changes: num_processed=5200 descriptor_prepare_commit: objects: num_processed=68800 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit ce38b30cdcf4a8d7225f830b8054c1df1d748da0 Author: Stefan Metzmacher Date: Thu Feb 10 15:08:47 2022 +0100 s4:dsdb/descriptor: pass parent guid to dsdb_module_schedule_sd_propagation() This is preparation to optimize the security descriptor propagation in the following commits.
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit b812ade416faf6e41e9def5689f9b2e21d7f718f Author: Stefan Metzmacher Date: Thu Feb 10 14:36:28 2022 +0100 s4:dsdb/descriptor: skip duplicates in descriptor_extended_sec_desc_propagation() During replication we may need to fall back to using DRS_GET_TGT, which means that we'll get a lot of objects more than once, the most important one is the partition root object. It means we'll also do the security descriptor propagation more than once for
[SCM] Samba Shared Repository - annotated tag tevent-0.12.0 created
The annotated tag, tevent-0.12.0 has been created at 355edbaebad11d45987d21d9caea04917638bcdc (tag) tagging a20d41accdc999262da94531627c7e1e8ec7677f (commit) replaces samba-4.16.0rc1 tagged by Stefan Metzmacher on Tue Apr 12 01:59:10 2022 +0200 - Log - tevent: tag release tevent-0.12.0 Andreas Schneider (107): s4:kdc: Add a HDB to SDB mask s4:kdc: Remove trailing spaces in hdb-samba4.c s4:kdc: Translate HDB flags to SDB flags bootstrap: Fix CentOS8 runner bootstrap: Migrate to CentOS8 Stream selftest: Do not force -d0 for smbd/nmbd/winbindd builtools: Make abi_gen.sh less prone to errors bootstrap: If the mold linker is available prefer it over gold bootstrap: Install mold linker on Fedora 35 s3:winbindd: Add a sanity check for the range s3:utils: Add a testparm check for idmap autorid docs-xml: Fix idmap_autorid documentation editorconfig: Final newlines are pycodestyle third_party:waf: Print the version of waf at the end of the update script third_party: Update waf to verison 2.0.23 s3:utils: Fix missing space in testparm output autobuild: Rewrite the symbol checking editorconfig: Change shell to tabs with tab width 8 configure: Reformat wrapper script buildtools: Reformat shell scripts docs-xml: Reformat shell scripts examples: Reformat shell scripts selftest: Add ad member with idmap_autorid backend s3:tests: Run test_idmap_rid.sh against admem_idmap_autorid autobuild: Run admem_idmap_autorid tests lib:fuzzing: Reformat shell scripts lib:ldb: Reformat shell scripts lib:replace: Reformat shell
scripts lib:tdb: Reformat shell scripts lib:tevent: Reformat shell scripts nsswitch: Reformat shell scripts packaging: Reformat shell scripts editorconfig: We always inserted a new line so keep doing that python: Reformat shell scripts release-scripts: Reformat shell scripts script: Reformat shell scripts selftest: Reformat shell scripts s3:locale: Reformat shell scripts s3:script: Reformat shell scripts s4:kdc: Align sflags type s4:kdc: Also cannoicalize krbtgt principals when enforcing canonicalization selftest: More tests are passing with MIT KRB5 >= 1.20 s4:mitkdc: Set KRB5_KDB_NO_AUTH_DATA_REQUIRED based on sdb no_auth_data_reqd s4:mitkdc: Add support for MIT Kerberos 1.20 s4:mitkdc: Add support for S4U2Self & S4U2Proxy s4:kdc: Implement new Microsoft forwardable flag behavior s4:auth: Remove trailing spaces in sam.c s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd() s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD s4:mitkdc: Implement support for Resource Based Constrained Delegation (RBCD) gitlab-ci: Print the krb5 version gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease) WHATSNEW: Bronze bit, S4U and RBDC support with MIT Kerberos 1.20 testprogs: Add test that local krb5.conf has been created s3:libads: Remove trailing spaces in kerberos.c s3:libads: Leave early on error in get_kdc_ip_string() s3:libads: Improve debug messages for get_kdc_ip_string() s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string() s3:libads: Allocate all memory on the talloc stackframe s3:libads: Remove obsolete free's of kdc_str s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string() s3:libads: Fix creating local krb5.conf python:tests: Fix type error in raw_testcase.py s4:kdc: Fix return code in mit_samba_update_pac() s4:kdc: Make sure ret is set if we goto bad_option s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy() auth: Add 
required headers to auth_sam_reply.h lib:krb5_wrap: Implement smb_krb5_principal_is_tgs() s4:kdc: Cleanup include files in pac-glue.c s4:kdc: Make pac parameter of samba_client_requested_pac() const s4:kdc: Implement common samba_kdc_update_pac() s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac() s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac() s4:kdc: Remove ks_is_tgs_principal() s4:kdc: Rem
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 07081d03da2 script/autobuild.py: allow to run from within git rebase -i from 922261d77ae smbd: Use filename_convert_dirfsp() in smbd_smb2_create_send() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 07081d03da2a49010fdc905a39e48dd589be47b2 Author: Stefan Metzmacher Date: Tue Apr 12 15:04:53 2022 + script/autobuild.py: allow to run from within git rebase -i The 'git clone' used by autobuild.py fails if GIT_DIR and GIT_WORK_TREE are already defined in the environment. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Apr 28 15:23:24 UTC 2022 on sn-devel-184 --- Summary of changes: script/autobuild.py | 5 + 1 file changed, 5 insertions(+) Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index d309fa0e97c..9f790d8a53e 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -31,6 +31,11 @@ os.environ["PYTHONUNBUFFERED"] = "1" # This speeds up testing remarkably. os.environ['TDB_NO_FSYNC'] = '1' +# allow autobuild to run within git rebase -i +if "GIT_DIR" in os.environ: +del os.environ["GIT_DIR"] +if "GIT_WORK_TREE" in os.environ: +del os.environ["GIT_WORK_TREE"] def find_git_root(): '''get to the top of the git repo''' -- Samba Shared Repository
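Review bot: the comment on the new block in the @@ -31,6 +31,11 @@ hunk ("allow autobuild to run within git rebase -i") says what is enabled but not why the variables are removed; the actual reason, that the 'git clone' used by autobuild.py fails when GIT_DIR and GIT_WORK_TREE are already set, lives only in the commit message and should be in the comment. The two if/del pairs can also be written as os.environ.pop("GIT_DIR", None) and os.environ.pop("GIT_WORK_TREE", None), which drops the separate membership tests.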
[SCM] Samba Shared Repository - branch v4-16-test updated
The branch, v4-16-test has been updated via 82d86282ca6 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos from 6cbaa31fe0a s3:passdb: Also allow to handle UPNs in lookup_name_smbconf() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log - commit 82d86282ca64177fe65cb5ab017a475a95d67cf3 Author: Stefan Metzmacher Date: Wed Feb 16 14:11:10 2022 +0100 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos Even if the msDS-KeyVersionNumber of the main krbtgt account if larger than 65535, we need to have the 16 upper bits all zero in order to avoid mixing the keys with an RODC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit ab0946a75d51b8f4826d98c61c3ad503615009fe) Autobuild-User(v4-16-test): Stefan Metzmacher Autobuild-Date(v4-16-test): Thu Apr 28 15:42:38 UTC 2022 on sn-devel-184 --- Summary of changes: source4/kdc/db-glue.c | 51 +++ 1 file changed, 43 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index bdadc1278c3..3e1f7a6b4dc 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -45,6 +45,9 @@ #define SAMBA_KVNO_GET_KRBTGT(kvno) \ ((uint16_t)(((uint32_t)kvno) >> 16)) +#define SAMBA_KVNO_GET_VALUE(kvno) \ + ((uint16_t)(((uint32_t)kvno) & 0x)) + #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \ ((krb5_kvno)uint32_t)kvno) & 0x) | \ uint32_t)krbtgt) << 16) & 0x))) @@ -427,6 +430,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct sdb_entry_ex *entry_ex, uint32_t *supported_enctypes_out) { + struct sdb_entry *entry = &entry_ex->entry; krb5_error_code ret = 0; enum ndr_err_code ndr_err; struct samr_Password *hash; 
@@ -437,10 +441,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct package_PrimaryKerberosBlob _pkb; struct package_PrimaryKerberosCtr3 *pkb3 = NULL; struct package_PrimaryKerberosCtr4 *pkb4 = NULL; + bool is_krbtgt = false; + int krbtgt_number = 0; + uint32_t current_kvno; + uint32_t returned_kvno = 0; uint16_t i; uint16_t allocated_keys = 0; - int rodc_krbtgt_number = 0; - int kvno = 0; uint32_t supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", @@ -452,6 +458,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* KDCs (and KDCs on RODCs) use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; + is_krbtgt = true; enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); if (enable_fast) { @@ -481,9 +488,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* Is this the krbtgt or a RODC krbtgt */ if (is_rodc) { - rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); + krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); - if (rodc_krbtgt_number == -1) { + if (krbtgt_number == -1) { + return EINVAL; + } + if (krbtgt_number == 0) { return EINVAL; } } 
@@ -503,11 +513,20 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, goto out; } - kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0); - if (is_rodc) { - kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number); + current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0); + if (is_krbtgt) { + /* +* Even for the main krbtgt account +* we have to strictly split the kvno into +* two 16-bit parts and the upper 16-bit +* need to be all zero, even if +* the msDS-KeyVersionNumber has a value +* larger than 65535. +* +* See https://bugzilla.samba.org/show_bug.cgi?id=14951 +*/ + current_kvno = SAMBA_KVNO_GET_VALUE(current_kvno); } - entry_ex->entry.kvno = kvno; /* Get keys fro
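Review bot: the msDS-SecondaryKrbTgtNumber check in the @@ -481,9 +488,12 @@ hunk rejects only -1 and 0, so any other negative value, or a value above 65535, is still accepted as krbtgt_number. If it is later combined into the kvno with SAMBA_KVNO_AND_KRBTGT as in the removed lines, the mask there would silently truncate it, which is the kind of mixing this commit sets out to prevent. A single range test such as "if (krbtgt_number <= 0 || krbtgt_number > UINT16_MAX) { return EINVAL; }" would cover both existing cases and the missing upper bound.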
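Review bot: in the @@ -503,11 +513,20 @@ hunk, current_kvno is declared uint32_t (see the @@ -437,10 +441,12 @@ hunk) but is filled from ldb_msg_find_attr_as_int(), so the value passes through a signed type before it is masked. ldb_msg_find_attr_as_uint(), already used in this function for msDS-SupportedEncryptionTypes, matches the declared type and avoids the signed/unsigned mix. The new comment would also read better as "the upper 16 bits need to be all zero".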
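The collision that commit 82d86282ca6 above guards against, worked through as an added C example (not Samba code). The 0xFFFF mask is an assumption, since the constants are truncated on this page, and every function name below is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed layout, following the commit text ("2 16-bit parts"):
 *   bits  0..15  key version value
 *   bits 16..31  krbtgt number (0 = main krbtgt, non-zero = an RODC)
 * The mask value is an assumption; the page shows it truncated.
 */
#define KVNO_PART_MASK 0xFFFFu

static uint16_t kvno_krbtgt_part(uint32_t kvno)
{
	return (uint16_t)(kvno >> 16);
}

static uint16_t kvno_value_part(uint32_t kvno)
{
	return (uint16_t)(kvno & KVNO_PART_MASK);
}

static uint32_t kvno_pack(uint32_t value, uint32_t krbtgt_number)
{
	return (value & KVNO_PART_MASK) |
	       ((krbtgt_number & KVNO_PART_MASK) << 16);
}

/* Before the fix: the main krbtgt publishes msDS-KeyVersionNumber as is. */
static uint32_t main_krbtgt_kvno_before(uint32_t msds_kvno)
{
	return msds_kvno;
}

/* After the fix: only the low 16 bits are published, upper part is zero. */
static uint32_t main_krbtgt_kvno_after(uint32_t msds_kvno)
{
	return kvno_value_part(msds_kvno);
}

/*
 * 1 if a kvno published for the main krbtgt is bit-identical to the kvno
 * of RODC krbtgt number rodc_number at key version rodc_value.
 */
static int kvno_collides(uint32_t published, uint32_t rodc_number,
			 uint32_t rodc_value)
{
	return rodc_number != 0 &&
	       published == kvno_pack(rodc_value, rodc_number);
}

int main(void)
{
	/* Constructed sample msDS-KeyVersionNumber values. */
	static const uint32_t samples[] = { 3, 65535, 65536, 65543, 131079 };
	size_t i;

	printf("%-10s %-28s %-28s\n", "msDS-kvno",
	       "before (krbtgt#/value)", "after (krbtgt#/value)");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint32_t before = main_krbtgt_kvno_before(samples[i]);
		uint32_t after = main_krbtgt_kvno_after(samples[i]);

		printf("%-10lu %5u / %-20u %5u / %-20u%s\n",
		       (unsigned long)samples[i],
		       (unsigned)kvno_krbtgt_part(before),
		       (unsigned)kvno_value_part(before),
		       (unsigned)kvno_krbtgt_part(after),
		       (unsigned)kvno_value_part(after),
		       kvno_krbtgt_part(before) != 0 ?
		       "  <- read as an RODC kvno before the fix" : "");
	}
	return 0;
}
```

With the unmasked value, a main krbtgt at key version 65543 is indistinguishable from RODC krbtgt number 1 at key version 7; after masking, the upper part is always zero for the main account.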
[SCM] Samba Shared Repository - branch v4-4-test updated
The branch, v4-4-test has been updated via 0708007 Merge tag 'samba-4.4.6' into v4-4-test via 99ced63 Revert "script/release.sh: use 8 byte gpg key ids" from 816c764 ctdb-daemon: Log when removing stale Unix domain socket https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test - Log - commit 0708007457141eb9ddb05966b9c03288e35eede0 Merge: 816c764 99ced63 Author: Stefan Metzmacher Date: Fri Sep 23 19:30:06 2016 +0200 Merge tag 'samba-4.4.6' into v4-4-test samba: tag release samba-4.4.6 --- Summary of changes: Changeset truncated at 500 lines: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 631e063 s3-lib: Do not set an empty string in split_domain_user() via 0c4e132 s3-lib: Parse WORKGROUP\username in set_cmdline_auth_info_username() via 5328325 s3-lib: Do not create 'MACHINE$@' usernames via 7f14776 nsswitch: Use own credential cache for wbinfo tests via 2dac252 testprogs: Use own credential cache for test_client_etypes.sh via 7abda74 testprogs: Use better KRB5CCNAME in test_password_settings.sh via 9413e33 s3-script: Use unique krb5ccache name via 3470dca s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test from c60ea2c glusterfs: Avoid tevent_internal.h https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 631e063f6bb49da426ca7343b6987f7831078d7f Author: Andreas Schneider Date: Tue Sep 20 19:51:15 2016 +0200 s3-lib: Do not set an empty string in split_domain_user() The function should also return if it failed or not. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Sep 25 12:56:17 CEST 2016 on sn-devel-144 commit 0c4e13243826871e0597fcd37bd90b184c296e21 Author: Andreas Schneider Date: Thu Sep 15 12:08:24 2016 +0200 s3-lib: Parse WORKGROUP\username in set_cmdline_auth_info_username() Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 5328325f94fc2b49f34cf5f2c699ec7440ef1ec9 Author: Andreas Schneider Date: Thu Sep 15 12:54:42 2016 +0200 s3-lib: Do not create 'MACHINE$@' usernames If there is no realm set we should not add it to the machine account. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 7f14776ba7704bdefcbd6ad71856b6efdeacf052 Author: Andreas Schneider Date: Mon Sep 19 13:27:30 2016 +0200 nsswitch: Use own credential cache for wbinfo tests If we do not set it will add the credentials to the system default credential cache, which is e.g. FILE:/tmp/krb5cc_1000. 
Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 2dac25249749734dfc2f27cb10088e97cecdc6ad Author: Andreas Schneider Date: Wed Sep 21 00:01:35 2016 +0200 testprogs: Use own credential cache for test_client_etypes.sh Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 7abda740f5671ff6f1ef326cf80afb8b65a4e5e7 Author: Andreas Schneider Date: Tue Sep 20 09:46:34 2016 +0200 testprogs: Use better KRB5CCNAME in test_password_settings.sh Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 9413e337cee630d3357b9a3299a67a4160bbc495 Author: Andreas Schneider Date: Mon Sep 19 12:18:31 2016 +0200 s3-script: Use unique krb5ccache name Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 3470dca36df56aaf08589632462865154c9fa869 Author: Andreas Schneider Date: Thu Sep 15 15:47:25 2016 +0200 s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test This makes it easier to run only one of them. Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher --- Summary of changes: nsswitch/tests/test_wbinfo.sh | 10 +++- nsswitch/tests/test_wbinfo_simple.sh | 10 +++- source3/include/proto.h| 2 +- source3/lib/util.c | 16 +- source3/lib/util_cmdline.c | 61 +- source3/libnet/libnet_join.c | 40 ++ source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 24 ++--- .../script/tests/test_smbclient_netbios_aliases.sh | 5 +- source3/selftest/tests.py | 2 +- testprogs/blackbox/test_client_etypes.sh | 8 +++ testprogs/blackbox/test_password_settings.sh | 8 ++- 11 files changed, 156 insertions(+), 30 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh index 1d14ca3..69cc437 100755 --- a/nsswitch/tests/test_wbinfo.sh +++ b/nsswitch/tests/test_wbinfo.sh 
@@ -51,6 +51,12 @@ knownfail() { return $status } +KRB5CCNAME_PATH="$PREFIX/test_wbinfo_krb5ccache" +rm -f $KRB5CCNAME_PATH + +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + # List users testit "wbinfo -u against $TARGET" $wbinfo -u || failed=`expr $failed + 1` # List groups @@ -244,8 +250,10 @@ testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN testit "wbinfo -p against $TARGET" $wbinfo -p || failed=`expr $failed + 1` -testit "wbinfo -K against $TARGET with domain creds"
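Review bot: "rm -f $KRB5CCNAME_PATH" in the @@ -51,6 +51,12 @@ hunk is unquoted, so a $PREFIX containing spaces or glob characters would make rm act on something other than the intended cache file; write rm -f "$KRB5CCNAME_PATH". The visible part of the patch also only removes the cache before the tests start; unless the truncated remainder does so, a matching rm after the last test would avoid leaving test credentials behind in $PREFIX.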
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eb75553 s3-printing: fix migrate printer code (bug 8618) from 402c3c4 tevent: version 0.9.31 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eb7555397fd4e9f66e041179aadff59f2a39d14f Author: Björn Baumbach Date: Fri Nov 18 18:54:56 2011 +0100 s3-printing: fix migrate printer code (bug 8618) Removed path from driver files. We only need the basenames. (cherry picked from commit d61993043fcb7676a58658476421f5f4ff1a3fea) (cherry picked from commit 9f07ef2249dc21eab37cd5888623e6edc84b2b59) BUG: https://bugzilla.samba.org/show_bug.cgi?id=8618 Reviewed-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Oct 5 19:19:39 CEST 2016 on sn-devel-144 --- Summary of changes: source3/printing/nt_printing_migrate.c | 27 +++ 1 file changed, 27 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/printing/nt_printing_migrate.c b/source3/printing/nt_printing_migrate.c index eacafa2..f56aa70 100644 --- a/source3/printing/nt_printing_migrate.c +++ b/source3/printing/nt_printing_migrate.c @@ -3,6 +3,7 @@ * RPC Pipe client / server routines * * Copyright (c) Andreas Schneider2010. + * Copyright (C) Bjoern Baumbach 2011 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,6 +28,20 @@ #include "librpc/gen_ndr/ndr_security.h" #include "rpc_client/cli_winreg_spoolss.h" +static const char *driver_file_basename(const char *file) +{ + const char *basefile; + + basefile = strrchr(file, '\\'); + if (basefile == NULL) { + basefile = file; + } else { + basefile++; + } + + return basefile; +} + NTSTATUS printing_tdb_migrate_form(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *winreg_pipe, const char *key_name, 
@@ -101,6 +116,7 @@ NTSTATUS printing_tdb_migrate_driver(TALLOC_CTX *mem_ctx, WERROR result; const char *driver_name; uint32_t driver_version; + int i; blob = data_blob_const(data, length); @@ -123,8 +139,19 @@ NTSTATUS printing_tdb_migrate_driver(TALLOC_CTX *mem_ctx, ZERO_STRUCT(d3); ZERO_STRUCT(a); + /* remove paths from file names */ + if (r.dependent_files != NULL) { + for (i = 0 ; r.dependent_files[i] != NULL; i++) { + r.dependent_files[i] = driver_file_basename(r.dependent_files[i]); + } + } a.string = r.dependent_files; + r.driverpath = driver_file_basename(r.driverpath); + r.configfile = driver_file_basename(r.configfile); + r.datafile = driver_file_basename(r.datafile); + r.helpfile = driver_file_basename(r.helpfile); + d3.architecture = r.environment; d3.config_file = r.configfile; d3.data_file = r.datafile; -- Samba Shared Repository
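Review bot: driver_file_basename() hands its argument straight to strrchr(), and the @@ -123,8 +139,19 @@ hunk calls it on r.driverpath, r.configfile, r.datafile and r.helpfile without the NULL check that r.dependent_files gets a few lines above. If any of those fields can be NULL in a migrated record, this dereferences a NULL pointer; returning file unchanged when file == NULL inside the helper would make every call site safe.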
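Review bot: driver_file_basename() in the @@ -27,6 +28,20 @@ hunk treats only '\\' as a separator, so a stored name that uses '/' keeps its directory part even though the commit message says only basenames are wanted. Either strip both separators or add a comment stating that the migrated records always use backslashes, so the next reader does not have to guess.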
[SCM] Samba Shared Repository - annotated tag tevent-0.9.31 created
The annotated tag, tevent-0.9.31 has been created at c8e1bdcd6d1017092bcec8a59a879cf9f8903850 (tag) tagging 402c3c4062864df4a6da76df9ac1734c7bcbee8e (commit) replaces tdb-1.3.11 tagged by Stefan Metzmacher on Fri Oct 7 06:46:41 2016 +0200 - Log - tevent: tag release tevent-0.9.31 Amitay Isaacs (12): ctdb-protocol: Fix marshalling for GET_DB_SEQNUM control request ctdb-common: Use correct db_id size in marshalling record buffer s3-ctdb: Use correct db_id size in marshalling record buffer ctdb-recoverd: Drop code to freeze databases from set_recovery_mode() ctdb-daemon: Remove NUM_DB_PRIORITIES ctdb-recovery-helper: Add missing initialisation of ban_credits ctdb-daemon: Avoid extra condition in tevent trace callback ctdb-daemon: Log a message when fork() takes long time ctdb-daemon: Log a message when vfork() takes long time ctdb-locking: Log if ctdb is unable to take db locks in INACTIVE state ctdb-locking: Restrict lock debugging to once per second ctdb-common: Add routines to manage PID file Andreas Schneider (115): mit_samba: Add missing argument passed to authsam_make_user_info_dc() mit_samba: Add missing copyright s4-kdc: pac-glue: Add support for MIT pkinit gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal gensec_krb5: Rename smb_rd_req_return_stuff() gensec_krb5: Use krb5_wrap setup_kaddr() to convert address gensec_krb5: Only set the event context with Heimdal gensec_krb5: Use kerberos_free_data_contents() to free krb5 data gensec_krb5: Use implementation idependent krb5_mk_req_extended() gensec_krb5:
Use get_krb5_smb_session_key() in gensec_krb5_session_key() krb5_wrap: Rename setup_kaddr() krb5_wrap: Rename get_kerberos_allowed_etypes() krb5_wrap: Rename kerberos_free_data_contents() krb5_wrap: Rename krb5_copy_data_contents() krb5_wrap: Move krb5_auth_con_setuseruserkey() to the top krb5_wrap: Move all ads function to the end krb5_wrap: Use consistent naming for setup_auth_context() krb5_wrap: Use consistent naming for create_gss_checksum() krb5_wrap: Fix formatting issues in ads_krb5_mk_req() krb5_wrap: Improve return value checks and debug messsages krb5_wrap: Rename cli_krb5_get_ticket() krb5_wrap: Fix ads_krb5_cli_get_ticket() return checks and debug messages krb5_wrap: Cleanup some code in ads_krb5_cli_get_ticket() krb5_wrap: Move krb5_free_unparsed_name() to the top krb5_wrap: Rename get_krb5_smb_session_key() krb5_wrap: Move krb5_princ_component() to the top krb5_wrap: Remove redundant comment krb5_wrap: Document smb_krb5_renew_ticket() krb5_wrap: Document smb_krb5_free_addresses() krb5_wrap: Document smb_krb5_gen_netbios_krb5_address() krb5_wrap: Remove unneded smb_krb5_free_error() krb5_wrap: Remove unused handle_krberror_packet() krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_alloc() krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free() krb5_wrap: Rename smb_get_enctype_from_kt_entry() krb5_wrap: Document smb_krb5_kt_get_enctype_from_entry() krb5_wrap: Document smb_krb5_kt_free_entry() krb5_wrap: Document smb_krb5_enctype_to_string() krb5_wrap: Rename smb_krb5_open_keytab_relative() krb5_wrap: Document smb_krb5_kt_open_relative() krb5_wrap: Fix whitespace issues in smb_krb5_kt_open_relative() krb5_wrap: Rename smb_krb5_open_keytab() krb5_wrap: Document smb_krb5_kt_open() krb5_wrap: Rename smb_krb5_keytab_name() krb5_wrap: Document smb_krb5_kt_get_name() krb5_wrap: Document smb_krb5_keyblock_init_contents() waf: Check for the correct function name krb5_wrap: Add MIT implmentation of smb_krb5_keyblock_init_contents() krb5_wrap: Rename 
kerberos_kinit_keyblock_cc() krb5_wrap: Improve smb_krb5_kinit_keyblock_cache() documentation krb5_wrap: Rename kerberos_kinit_password_cc() krb5_wrap: Document smb_krb5_kinit_password_ccache() krb5_wrap: Rename kerberos_kinit_s4u2_cc() krb5_wrap: Improve smb_krb5_kinit_s4u2_ccache() documentation krb5_wrap: Document smb_krb5_make_principal() krb5_wrap: Document smb_krb5_make_pac_checksum() krb5_wrap: Fix documentation of smb_krb5_principal_get_realm() krb5_wrap
[SCM] Samba Shared Repository - branch v4-3-test updated
The branch, v4-3-test has been updated via 2014c08 s3-spoolss: fix winreg_printer_ver_to_qword via e0c9067 gencache: Bail out of stabilize if we can not get the allrecord lock from 0b0574e lib: poll_funcs : poll_funcs_context_slot_find can select the wrong slot to replace. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test - Log - commit 2014c088d32daf5efe93fd9843c7a395907b4499 Author: Günther Deschner Date: Mon Sep 12 17:55:37 2016 +0200 s3-spoolss: fix winreg_printer_ver_to_qword Bug: https://bugzilla.samba.org/show_bug.cgi?id=12285 We were reporting the OS minor number as the driver version number in all GetDriver/EnumDriver calls. Guenther Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison (cherry picked from commit a9a1a16cc8b87a84cdfa049ebd26bf4eac1b3618) Autobuild-User(v4-3-test): Stefan Metzmacher Autobuild-Date(v4-3-test): Thu Oct 13 20:12:54 CEST 2016 on sn-devel-104 commit e0c9067b4a46147057ec3454bb4d0a9e27bc854e Author: Volker Lendecke Date: Mon Sep 19 14:29:21 2016 -0700 gencache: Bail out of stabilize if we can not get the allrecord lock Bug: https://bugzilla.samba.org/show_bug.cgi?id=12045 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Sep 20 04:09:33 CEST 2016 on sn-devel-144 (cherry picked from commit b208499960eefef02d305a3bd59b03a7c2aafcac) --- Summary of changes: source3/lib/gencache.c | 2 +- source3/rpc_client/cli_winreg_spoolss.c | 7 --- 2 files changed, 5 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c index 90eafaa..7ac9eba 100644 --- a/source3/lib/gencache.c +++ b/source3/lib/gencache.c @@ -658,7 +658,7 @@ bool gencache_stabilize(void) return false; } - res = tdb_lockall(cache_notrans->tdb); + res = tdb_lockall_nonblock(cache_notrans->tdb); if (res != 0) { tdb_transaction_cancel(cache->tdb); DEBUG(10, ("Could not get allrecord lock on " 
diff --git a/source3/rpc_client/cli_winreg_spoolss.c b/source3/rpc_client/cli_winreg_spoolss.c index ac4fe86..68ac053 100644 --- a/source3/rpc_client/cli_winreg_spoolss.c +++ b/source3/rpc_client/cli_winreg_spoolss.c @@ -529,8 +529,9 @@ static WERROR winreg_printer_write_ver(TALLOC_CTX *mem_ctx, NTSTATUS status; char *str; - /* FIXME: check format is right, -* this needs to be something like: 6.1.7600.16385 */ + /* +* this needs to be something like: 6.1.7600.16385 +*/ str = talloc_asprintf(mem_ctx, "%u.%u.%u.%u", (unsigned)((data >> 48) & 0x), (unsigned)((data >> 32) & 0x), @@ -574,7 +575,7 @@ static WERROR winreg_printer_ver_to_dword(const char *str, uint64_t *data) *data = ((uint64_t)(v1 & 0x) << 48) + ((uint64_t)(v2 & 0x) << 32) + ((uint64_t)(v3 & 0x) << 16) + - (uint64_t)(v2 & 0x); + (uint64_t)(v4 & 0x); return WERR_OK; } -- Samba Shared Repository
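Review bot: the switch to tdb_lockall_nonblock() in the gencache.c @@ -658,7 +658,7 @@ hunk turns a busy allrecord lock into an ordinary failure path, but nothing in the code says so and the failure is still reported only through the existing DEBUG(10, ...) message. A short comment above the call explaining that stabilize is abandoned when the lock cannot be taken immediately would document the intent for the next reader.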
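Review bot: the function corrected in the @@ -574,7 +575,7 @@ hunk is named winreg_printer_ver_to_dword in the hunk header, while the commit subject calls it winreg_printer_ver_to_qword and it fills a uint64_t; renaming it to match what it produces would remove the confusion. The v2/v4 mix-up is also a copy-paste error that a round-trip check through winreg_printer_write_ver() would have caught, so a small test using the "6.1.7600.16385" form mentioned in the comment is worth adding alongside the fix.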
[SCM] Samba Shared Repository - branch v4-5-test updated
The branch, v4-5-test has been updated via 416d062 ctdb-daemon: Log when removing stale Unix domain socket via 14313b0 ctdb-daemon: Drop attempt to connect to Unix domain socket via 8866233 ctdb-daemon: Don't try to reopen TDB files via 2ebed56 ctdb-daemon: Bind to Unix domain socket after PID file creation via 81d8f89 ctdb-daemon: Use PID file abstraction via a1a1fe4 ctdb-common: Add routines to manage PID file via aefc593 s3-spoolss: fix winreg_printer_ver_to_qword via a23ff4c nsswitch: Also set h_errnop for nss_wins functions via 568f9fb nsswitch: Add missing arguments to wins gethostbyname* via 62f4e3d s3/smbd: set FILE_ATTRIBUTE_DIRECTORY as necessary via 5bd28ff gencache: Bail out of stabilize if we can not get the allrecord lock from 68302ce ctdb-recovery-helper: Add missing initialisation of ban_credits https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test - Log - commit 416d062225f51edbb5461d90aceb211ded763582 Author: Martin Schwenke Date: Thu Sep 22 14:52:55 2016 +1000 ctdb-daemon: Log when removing stale Unix domain socket BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs Autobuild-User(master): Amitay Isaacs Autobuild-Date(master): Thu Sep 22 12:28:12 CEST 2016 on sn-devel-144 (cherry picked from commit 0ec01826d32019b06dd10bb9b6ea5232786d5699) Autobuild-User(v4-5-test): Stefan Metzmacher Autobuild-Date(v4-5-test): Thu Oct 13 20:46:42 CEST 2016 on sn-devel-144 commit 14313b0d57edc027d2c3b375071daf4a70e01752 Author: Martin Schwenke Date: Thu Sep 22 14:47:02 2016 +1000 ctdb-daemon: Drop attempt to connect to Unix domain socket This was a weak attempt at exclusivity. PID file creation now does that properly. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit 8eff9e96037627b1e4adf3ccc8da94ef8f0bad2a) commit 8866233e5d3d4d14d7d1738b14bea2cb92e98652 Author: Martin Schwenke Date: Thu Sep 22 14:46:12 2016 +1000 ctdb-daemon: Don't try to reopen TDB files There aren't any open at this stage. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit d719a87fe021b0c704fc4b12ddfc0345fe3af146) commit 2ebed563e42000de8327797b76e446bab70102ad Author: Martin Schwenke Date: Thu Sep 22 14:43:58 2016 +1000 ctdb-daemon: Bind to Unix domain socket after PID file creation No use touching the socket if PID file creation fails. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit 1e501c77492d25b760c7b10849460ee6490f39dc) commit 81d8f89385fcf1e79a3c9d7b1fbab1cd696a03ee Author: Martin Schwenke Date: Thu Sep 22 14:35:03 2016 +1000 ctdb-daemon: Use PID file abstraction BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit 5148e02adb7b2ea34da9c826a682c1387773402b) commit a1a1fe45533edaee94923e6cf2978e186e612a14 Author: Amitay Isaacs Date: Mon Sep 19 16:30:12 2016 +1000 ctdb-common: Add routines to manage PID file BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 97b6ac7f662d8de316ed520e038779e79bcdb7bc) commit aefc59359d980ebb7ea4b75219dad0e62ff52ab0 Author: Günther Deschner Date: Mon Sep 12 17:55:37 2016 +0200 s3-spoolss: fix winreg_printer_ver_to_qword Bug: https://bugzilla.samba.org/show_bug.cgi?id=12285 We were reporting the OS minor number as the driver version number in all GetDriver/EnumDriver calls. 
Guenther Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison (cherry picked from commit a9a1a16cc8b87a84cdfa049ebd26bf4eac1b3618) commit a23ff4c66c3dd45616da8beb40e4e9eda7f74a7d Author: Andreas Schneider Date: Tue Sep 20 13:26:52 2016 +0200 nsswitch: Also set h_errnop for nss_wins functions BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 Signed-off-by: Andreas Schneider Reviewed-by: Jim McDonough (cherry picked from commit 382345126c56e26d3dbc319f1c7c1dae3c4fafc9) commit 568f9fb5b0772b744ac9c6092dc7e35720e42cdf Author: Andreas Schneider Date: Mon Sep 19 16:17:11 2016 +0200 nsswitch: Add missing arguments to wins gethostbyname* The errno pointer argument is missing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 Signed-
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 001e23f ntlmssp.idl: don't generate python bindings for ntlmssp_NTLM_RESPONSE and ntlmssp_LM_RESPONSE via 0f1859b spoolss.idl: use access mask defines from security.idl via 63686a1 nfs4acl.idl: rename interface to nfs4acl.idl to avoid naming clash in the python bindings from caff670 libcli: Remove code clone https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 001e23fd6250f8426b0866370fb4fdcbe5b29147 Author: Stefan Metzmacher Date: Tue Sep 13 07:25:38 2016 +0200 ntlmssp.idl: don't generate python bindings for ntlmssp_NTLM_RESPONSE and ntlmssp_LM_RESPONSE ntlmssp_NTLM_RESPONSE and NTLM_RESPONSE will both result in "ntlmssp.NTLM_RESPONSE". The same applies to ntlmssp_LM_RESPONSE and LM_RESPONSE. Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Oct 13 21:56:27 CEST 2016 on sn-devel-144 commit 0f1859b85ec7b755c7a3f39ae57a250858cf8252 Author: Stefan Metzmacher Date: Tue Sep 13 06:30:34 2016 +0200 spoolss.idl: use access mask defines from security.idl Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner commit 63686a1c82126f0aa90317e4790d01b4bcf1a9e1 Author: Stefan Metzmacher Date: Tue Sep 13 08:07:21 2016 +0200 nfs4acl.idl: rename interface to nfs4acl.idl to avoid naming clash in the python bindings Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- Summary of changes: librpc/idl/nfs4acl.idl | 2 +- librpc/idl/ntlmssp.idl | 4 ++-- librpc/idl/spoolss.idl | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/nfs4acl.idl b/librpc/idl/nfs4acl.idl index aeab0a0..13a6d13 100644 --- a/librpc/idl/nfs4acl.idl +++ b/librpc/idl/nfs4acl.idl @@ -11,7 +11,7 @@ import "misc.idl", "security.idl"; version(1.0), pointer_default(unique) ] -interface nfs4acl +interface nfs4acl_interface { const char *NFS4ACL_XATTR_NAME = "system.nfs4acl"; 
diff --git a/librpc/idl/ntlmssp.idl b/librpc/idl/ntlmssp.idl index f041e32..6b22886 100644 --- a/librpc/idl/ntlmssp.idl +++ b/librpc/idl/ntlmssp.idl @@ -207,7 +207,7 @@ interface ntlmssp uint8 ChallengeFromClient[8]; } LMv2_RESPONSE; - typedef [nodiscriminant] union { + typedef [nopython,nodiscriminant] union { [case(24)] LM_RESPONSE v1; [default]; } ntlmssp_LM_RESPONSE; @@ -238,7 +238,7 @@ interface ntlmssp NTLMv2_CLIENT_CHALLENGE Challenge; } NTLMv2_RESPONSE; - typedef [public,nodiscriminant] union { + typedef [public,nopython,nodiscriminant] union { [case(0)] ; [case(0x18)] NTLM_RESPONSE v1; [default] NTLMv2_RESPONSE v2; diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl index 9010a95..df19bee 100644 --- a/librpc/idl/spoolss.idl +++ b/librpc/idl/spoolss.idl @@ -2867,10 +2867,10 @@ cpp_quote("#define spoolss_security_descriptor security_descriptor") PRINTER_ALL_ACCESS; const int PRINTER_ACE_MANAGE_DOCUMENTS = SEC_GENERIC_ALL | - READ_CONTROL_ACCESS; +SEC_STD_READ_CONTROL; - const int PRINTER_ACE_PRINT = GENERIC_EXECUTE_ACCESS | - READ_CONTROL_ACCESS | + const int PRINTER_ACE_PRINT = SEC_GENERIC_EXECUTE | + SEC_STD_READ_CONTROL | PRINTER_ACCESS_USE; /**/ -- Samba Shared Repository
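Review bot: The commit subject for the nfs4acl.idl hunk says the interface is renamed "to nfs4acl.idl", while the hunk renames it to nfs4acl_interface; the subject should name the new identifier so that a log search finds it. In the two ntlmssp.idl hunks, a short IDL comment beside each [nopython] would help: the reason (ntlmssp_LM_RESPONSE and LM_RESPONSE both ending up as ntlmssp.LM_RESPONSE, likewise for NTLM_RESPONSE) lives only in the commit message, and an unexplained attribute is easy to remove later.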
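Review bot: In the spoolss.idl hunk, PRINTER_ACE_MANAGE_DOCUMENTS and PRINTER_ACE_PRINT are access masks, so replacing READ_CONTROL_ACCESS with SEC_STD_READ_CONTROL and GENERIC_EXECUTE_ACCESS with SEC_GENERIC_EXECUTE has to be value-preserving, and neither the hunk nor the commit message says that it is. Please state in the message that the security.idl defines carry the same numeric values, and say whether the old READ_CONTROL_ACCESS and GENERIC_EXECUTE_ACCESS definitions are removed or left behind unused.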
[SCM] Samba Shared Repository - branch v4-4-test updated
The branch, v4-4-test has been updated via 5a0b28a lib: Fix bug 12291 via 46780e3 s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME" via f2a0f86 s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME" via 3b98cde HEIMDAL:lib/krb5: destroy a memory ccache on reinit via 60ffbab s3-printing: fix migrate printer code (bug 8618) via cc3b76b s3: cldap: cldap_multi_netlogon_send() fails with one bad IPv6 address. via 9ecc6ac s3-utils: Fix loading smb.conf in smbcquotas via ab1c3d4 ctdb-scripts: Fix incorrect variable reference via bf7e0fb ctdb-scripts: Avoid dividing by zero in memory calculation via 0fcbce8 s3/winbindd: using default domain with u...@domain.com format fails via 0790769 Add a blackbox tests for id & getent to test domain@realm type credentials via 6e12cac s3-lib: Fix %G substitution in AD member environment via dba617a torture/ioctl: test compression responses when unsupported via 3af480f smbd/ioctl: match WS2016 ReFS get compression behaviour via 15a8ee6 vfs_glusterfs: Fix a memory leak in connect path via 17e61a1 spoolss: Fix caching of printername->sharename via 49d4c63 s4:samba_spnupdate: do not attempt to parse log level, use parsed value via 4c54612 python/join: do not attempt to parse log level, use parsed value via 430e9d2 python/drs_utils: do not attempt to parse log level, use parsed value via 4fe66b5 tests/param add a test for LoadParm.log_level via cfa3e0f s4:param add log_level function to retrieve log level in Python code via ad96251 glusterfs: Avoid tevent_internal.h via 3170f53 s3: events. Move events.c to util_event.c via fc82907 s3: server: s3_tevent_context_init() -> samba_tevent_context_init() via a60c9ce s3: winbind: Remove dump_event_list() calls. via ed6b8bc s3: nmbd: Final changeover to stock tevent for nmbd. via 95401c5 s3: nmbd: Change over to using tevent functions from direct poll. via e9cf61d s3: nmbd: Add a talloc_stackframe(). 
via f8d8ed5 s3: nmbd: Add (currently unused) timeout and fd handlers. via 1ccbb07 s3: nmbd: Now attrs array mirrors fd's array use it in preference. via b8ae31c s3: nmbd: Ensure attrs array mirrors fd's array for dns. via 5d160ee s3: nmbd: Add fd, triggered elements to struct socket_attributes. via e4c48c9 s3:nmbd: fix talloc_zero_array() check in nmbd_packets.c via 257644f s3: winbind: Ensure we store name2sid with the correct cache sequence number. via 47ab4a0 s3: winbind: Trust name2sid mappings from the PAC. via 1d28a24 s3: winbind: refresh_sequence_number is only ever called with 'false'. via 275ae03 s3: auth: Use wbcAuthenticateUserEx to prime the caches. via 2dfbdc5 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache. via ba1356d ctdb-scripts: ctdbd_wrapper should never remove the PID file from 0708007 Merge tag 'samba-4.4.6' into v4-4-test https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test - Log - commit 5a0b28a30d8e4187e184e86ef7f1cf0abe625678 Author: Jeremy Allison Date: Fri Oct 21 14:38:49 2016 -0700 lib: Fix bug 12291 Bug: https://bugzilla.samba.org/show_bug.cgi?id=12291 Back-ported from f92590d10aaf9a289b5f6aac8ffc79129b83a517 in master. Signed-off-by: Jeremy Allison Autobuild-User(v4-4-test): Stefan Metzmacher Autobuild-Date(v4-4-test): Mon Oct 24 14:24:42 CEST 2016 on sn-devel-144 commit 46780e34aa43e24f7354ee463f3b11891ffacdf9 Author: Stefan Metzmacher Date: Mon Oct 10 17:07:12 2016 +0200 s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME" Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Uri Simchoni Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144 (cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca) commit f2a0f86b3facc22a9ce873e16e18106330d88ffb Author: Stefan Metzmacher Date: Mon Oct 10 17:07:12 2016 +0200 s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME" Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Reviewed-by: Uri Simchoni (cherry picked from commit 890b1bbdb8e965c4
[SCM] Samba Shared Repository - branch v4-5-stable updated
The branch, v4-5-stable has been updated via 548e16c Revert "script/release.sh: use 8 byte gpg key ids" from bc07150 VERSION: Disable git snapshots for the 4.5.1 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log - commit 548e16ca617ca8d5ad2171907c2a2cc8bc15f85c Author: Karolin Seeger Date: Mon Oct 24 21:44:07 2016 +0200 Revert "script/release.sh: use 8 byte gpg key ids" This reverts commit 181d05005e1e5887052887a58bb33a9adc98bd92. --- Summary of changes: script/release.sh | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/script/release.sh b/script/release.sh index 769f742..7db4e53 100755 --- a/script/release.sh +++ b/script/release.sh @@ -662,7 +662,7 @@ announcement_samba_rc() { echo "" echo "" echo "The uncompressed tarballs and patch files have been signed" - echo "using GnuPG (ID ${GPG_KEYID}). The source code can be downloaded" + echo "using GnuPG (ID 6568B7EA). The source code can be downloaded" echo "from:" echo "" echo "${download_url}" @@ -845,7 +845,7 @@ announcement_samba_stable() { echo "" echo "" echo "The uncompressed tarballs and patch files have been signed" - echo "using GnuPG (ID ${GPG_KEYID}). The source code can be downloaded" + echo "using GnuPG (ID 6568B7EA). The source code can be downloaded" echo "from:" echo "" echo "${release_url}" @@ -1052,7 +1052,7 @@ talloc | tdb | tevent | ldb) } test -z "${GPG_KEYID-}" && { - GPG_KEYID='4793916113084025' + GPG_KEYID='13084025' } productbase="${product}" @@ -1071,7 +1071,7 @@ samba-rc) } test -z "${GPG_KEYID-}" && { - GPG_KEYID='6F33915B6568B7EA' + GPG_KEYID='6568B7EA' } productbase="samba" @@ -1092,7 +1092,7 @@ samba-stable) } test -z "${GPG_KEYID-}" && { - GPG_KEYID='6F33915B6568B7EA' + GPG_KEYID='6568B7EA' } productbase="samba" @@ -1114,7 +1114,7 @@ TODO-samba-security) } test -z "${GPG_KEYID-}" && { - GPG_KEYID='6F33915B6568B7EA' + GPG_KEYID='6568B7EA' } productbase="samba" -- Samba Shared Repository
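Review bot: In announcement_samba_rc() and announcement_samba_stable() the key ID printed in the announcement changes from ${GPG_KEYID} to the literal 6568B7EA, but the later hunks still allow the environment to override GPG_KEYID (test -z "${GPG_KEYID-}"). A release signed with an overridden key would then be announced with the wrong ID. Keep the variable in the echo line, or remove the override so the two cannot diverge.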
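Review bot: The GPG_KEYID defaults go back from 16 hex digits (6F33915B6568B7EA, 4793916113084025) to 8 (6568B7EA, 13084025). 32-bit short key IDs can be collided cheaply, so a key selected or looked up by this value is not guaranteed to be the release key. The commit message gives no reason for the revert; if the long form broke a tool, record that in the message, and prefer the full fingerprint both for key selection and in the announcement text.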
[SCM] Samba Shared Repository - branch v4-5-test updated
The branch, v4-5-test has been updated via e70b87b Merge tag 'samba-4.5.1' into v4-5-test via 548e16c Revert "script/release.sh: use 8 byte gpg key ids" from 670022c VERSION: Bump version up to 4.5.2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test - Log - commit e70b87bb227b0f9849745a8807a670b6858469d4 Merge: 670022c 548e16c Author: Stefan Metzmacher Date: Wed Oct 26 16:26:58 2016 +0200 Merge tag 'samba-4.5.1' into v4-5-test samba: tag release samba-4.5.1 --- Summary of changes: Changeset truncated at 500 lines: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 530c2c8 ldb: version 1.1.28 via e369d80 pyldb: protect PyErr_LDB_ERROR_IS_ERR_RAISE() with do {} while(0) from 28fbc5e s3-net: use SMB_SIGNING_DEFAULT in connect_to_service() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 530c2c8f976281be941c314090be7bc60e6b22ed Author: Volker Lendecke Date: Sat Nov 12 14:14:34 2016 + ldb: version 1.1.28 * Fix the build with installed ldb-devel 1.1.27 We depend on LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC. * Some build fixes. * More performance improvements. Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 23 20:48:31 CET 2016 on sn-devel-144 commit e369d800ba64a4047787afd0b416f7d26cfd33f4 Author: Stefan Metzmacher Date: Tue Nov 8 09:18:52 2016 +0100 pyldb: protect PyErr_LDB_ERROR_IS_ERR_RAISE() with do {} while(0) This should avoid the following warning: CID 1394274: Control flow issues (DEADCODE) Execution cannot reach this statement: ";". Signed-off-by: Stefan Metzmacher Reviewed-by: Stefan Metzmacher --- Summary of changes: lib/ldb/ABI/{ldb-1.1.27.sigs => ldb-1.1.28.sigs} | 0 lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.28.sigs} | 0 lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.1.28.sigs} | 0 lib/ldb/pyldb.h| 5 +++-- lib/ldb/wscript| 2 +- 5 files changed, 4 insertions(+), 3 deletions(-) copy lib/ldb/ABI/{ldb-1.1.27.sigs => ldb-1.1.28.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.28.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.1.28.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-1.1.27.sigs b/lib/ldb/ABI/ldb-1.1.28.sigs similarity index 100% copy from lib/ldb/ABI/ldb-1.1.27.sigs copy to lib/ldb/ABI/ldb-1.1.28.sigs 
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.1.28.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs copy to lib/ldb/ABI/pyldb-util-1.1.28.sigs diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.1.28.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs copy to lib/ldb/ABI/pyldb-util.py3-1.1.28.sigs diff --git a/lib/ldb/pyldb.h b/lib/ldb/pyldb.h index e0cce1e..4fc89ec 100644 --- a/lib/ldb/pyldb.h +++ b/lib/ldb/pyldb.h @@ -95,11 +95,12 @@ typedef struct { struct ldb_control *data; } PyLdbControlObject; -#define PyErr_LDB_ERROR_IS_ERR_RAISE(err,ret,ldb) \ +#define PyErr_LDB_ERROR_IS_ERR_RAISE(err,ret,ldb) do { \ if (ret != LDB_SUCCESS) { \ PyErr_SetLdbError(err, ret, ldb); \ return NULL; \ - } + } \ +} while(0) /* Picked out of thin air. To do this properly, we should probably have some part of the * errors in LDB be allocated to bindings ? */ diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 13f1d93..1bab04d 100755 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '1.1.27' +VERSION = '1.1.28' blddir = 'bin' -- Samba Shared Repository
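Review bot: Inside the new do { } while(0) body of PyErr_LDB_ERROR_IS_ERR_RAISE in pyldb.h, the argument is still expanded bare in if (ret != LDB_SUCCESS) and then a second time in PyErr_SetLdbError(err, ret, ldb). An expression argument would be evaluated twice, and one with lower precedence than != would be compared incorrectly. While the macro is being touched, write (ret) != LDB_SUCCESS, or copy the argument into a local int at the top of the block. The macro also returns NULL from the calling function, which only works in functions returning a pointer; a one-line comment above the define saying so would help callers.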
[SCM] Samba Shared Repository - annotated tag ldb-1.1.28 created
The annotated tag, ldb-1.1.28 has been created at 7ba4a035dc202da08e2ddf41762f29b79527fe62 (tag) tagging 530c2c8f976281be941c314090be7bc60e6b22ed (commit) replaces tevent-0.9.31 tagged by Stefan Metzmacher on Thu Nov 24 08:27:16 2016 +0100 - Log - ldb: tag release ldb-1.1.28 Amitay Isaacs (19): Revert "ctdb-common: Use SCHED_RESET_ON_FORK when setting SCHED_FIFO" ctdb-common: Simplify code using local variables ctdb-daemon: Simplify code using local variable ctdb-common: Simplify code using tdb_storev ctdb-daemon: Simplify code using tdb_storev ctdb-client: Simplify using a local variable ctdb-client: Simplify using tdb_storev ctdb-tool: Simplify using tdb_storev ctdb-tools: Simplify using tdb_storev ctdb-tools: Simplify using a local variable ctdb-packaging: Update required tdb version for tdb_storev() dlz-bind: Fix preprocessor checks for BIND versions dlz-bind: Fix initialization of DLZ_DLOPEN_AGE dlz-bind: Set DNS_CLIENTINFO_VERSION based on BIND version dlz-bind: Add support for BIND 9.11.x provision: Add support for BIND 9.11.x ctdb-scripts: Fix calculation of CTDB_BASE ctdb-locking: Reset real-time priority in lock helper ctdb-recovery: Avoid NULL dereference in failure case Andreas Schneider (43): s4-libnet: Use SetUserInfo2 to set the account flags s3-libnet: Pass enum value names to dcerpc_samr_SetUserInfo2() s3-utils: Fix loading smb.conf in smbcquotas s3-param: Add comment to call lp_load_global() after popt processing s3-rpcclient: Fix initializing rpcclient selftest: Create AD users alice and bob s3-lib: 
Fix %G substitution in AD member environment selftest: Create a share with %D %U and %G substituion s3-selftest: Add a substituions testcase waf: Cleanup deps list for smbregistry waf: Cleanup deps list for smbd s4-rpc_server: Use DCERPC_NCA_S_UNKNOWN_IF for fault code idl: Remove unused DCERPC_FAULT_UNK_IF s3-winbind: Do not return NO_MEMORY if we have an empty user list s3-printing: Improve debug message s3-spoolss: Remove printer from registry if it is unpublished s3-client: Sync in tool cmdline help with smbclient manpage s3-printing: Correctly encode CUPS printer URIs s3-printing: Allow printer names longer than 16 chars s3-epmapper: Ignore epm_Map object guid libcli/smb: add smb1cli_session_setup_lm21_send/recv() s3:libsmb: handle the spnego as a first action in cli_session_setup_send() s3:libsmb: split out a cli_session_creds_init() function s3-winbind: Directly pass creds with cli_session_setup_creds() s3:tests: Set missing directories for test_registry_upgrade.sh lib:util: Don't print lstat warning on ERROR debug level s3:rpcclient: Print a new line on exit s3:messaging: Create an messaging_init_internal() returning NTSTATUS s3:messaging: Add messaging_init_client() function s3:rpcclient: Use messaging_init_client() s3:net: Use messaging_init_client() nss_wins: Fix errno values for HOST_NOT_FOUND s4:torture: Strip trailing whitespaces in session_key.c s4:torture: Normalizes names in session_key test s4:torture: Fix cleanup of the secrets object in session_key test Update .ycm_extra_conf.py s3:spoolss: Set default OS Version to Windows Server 2003 R2 SP2 s3:spoolss: Return error when there is no driver assigned s3:spoolss: Improve debug messages in construct_printer_driver s3:spoolss: Add support for COPY_FROM_DIRECTORY in AddPrinterDriverEx s3:spoolss: Add some useful debug messages on error lib:torture: Make variables const s4:torture: Add tortue test for AddPrinterDriverEx with COPY_FROM_DIRECTORY Andrew Bartlett (17): build: Fix build with perl on 
debian sid. dsdb: Add python hooks to allocate a RID set and allocate a RID pool dbcheck: Correctly initialise keep_transaction in missing_parent test dsdb: Create RID Set as SYSTEM dsdb: Rework DSDB code to use WERROR dsdb: Catch errors in extended operations (like allocating a RID Set) python: create NTSTATUSError, HRESULTError and WERRORError pyerrors: Add PyErr_Set{WERROR,HRESULT,NTSTATUS}_and_string() python: Add DsExtendedError Excepti
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 78a77d4 tdb: version 1.3.12 from 6e95fd8 param: fix lp_parameter_value_is_valid() for parametric options https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 78a77d468f4bef633d9039b155c4b2d66e70ac84 Author: Stefan Metzmacher Date: Wed Nov 30 16:05:28 2016 +0100 tdb: version 1.3.12 * Bug 12455 - tdb mutexes don't work on FreeBSD Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Nov 30 20:02:28 CET 2016 on sn-devel-144 --- Summary of changes: lib/tdb/ABI/{tdb-1.3.11.sigs => tdb-1.3.12.sigs} | 0 lib/tdb/wscript | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) copy lib/tdb/ABI/{tdb-1.3.11.sigs => tdb-1.3.12.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/tdb/ABI/tdb-1.3.11.sigs b/lib/tdb/ABI/tdb-1.3.12.sigs similarity index 100% copy from lib/tdb/ABI/tdb-1.3.11.sigs copy to lib/tdb/ABI/tdb-1.3.12.sigs diff --git a/lib/tdb/wscript b/lib/tdb/wscript index 4e52b6c..34058e4 100644 --- a/lib/tdb/wscript +++ b/lib/tdb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'tdb' -VERSION = '1.3.11' +VERSION = '1.3.12' blddir = 'bin' -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tdb-1.3.12 created
The annotated tag, tdb-1.3.12 has been created at c86fd21b598eb89a0f80ce3447c9462e5506703e (tag) tagging 78a77d468f4bef633d9039b155c4b2d66e70ac84 (commit) replaces ldb-1.1.28 tagged by Stefan Metzmacher on Thu Dec 1 14:13:37 2016 +0100 - Log - tdb: tag release tdb-1.3.12 Amitay Isaacs (4): ctdb-tests: Remove unused test code ctdb-daemon: Consolidate command line options to ctdbd ctdb-daemon: Remove unused code cmdline.[ch] ctdb-daemon: Mark RecoverPDBBySeqNum tunable deprecated Anoop C S (1): s3/dump_core: Honour pipe symbol (|) in system-wide core_pattern under linux Günther Deschner (13): docs: fix funny typo in smb.conf manpage wrt Samba's FSRVP server. 
s3-rpc_cli: Support the use of the object_uuid in rpc_cli interfaces s3-rpcclient: Add rpcclient IRemoteWinspool commands s3-rpcclient: Add AsyncCorePrinterDriverInstalled command librpc: Introduce cab.idl librpc: Add autogenerated checksum calculation for Cabinet files librpc: Add autogenerated total cabinet size for Cabinet files librpc: Add autogenerated file offset calculation for Cabinet files librpc: Add ndr_cab_get_compression() for Cabinet compression evaluation s4-torture: Introduce Cabinet ndr testsuite s4-torture: Add a validation test for uncompressed Cabinet files s4-torture: Add MSZIP compressed cabinet test s4-torture: Add LZX compressed cabinet test Martin Schwenke (3): lib/util: Make sys_rw available to CTDB ctdb-lock-helper: Drop include of ctdb_private.h ctdb-common: Drop CTDB's copy of sys_read() and sys_write() Ralph Wuerthner (1): param: fix lp_parameter_value_is_valid() for parametric options Stefan Metzmacher (1): tdb: version 1.3.12 Uri Simchoni (2): WHATSNEW: document kerberos encryption types WHATSNEW: document new inherit owner option Volker Lendecke (5): selftest: Fix timestamps on FreeBSD 11 ntlm_auth4: Remove it tdb: NULL out tdb->mutexes in tdb_mutex_munmap tdb: Only mmap the mutex area if not already mmap'ed tdb: Fix mutexes on FreeBSD --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag ldb-1.1.29 created
The annotated tag, ldb-1.1.29 has been created at 1db0d5255605dc569839015862ea9dc56b0f0a99 (tag) tagging aa63600afb925715f7a24a3af5c0df433541bc12 (commit) replaces tdb-1.3.12 tagged by Stefan Metzmacher on Thu Dec 1 14:15:24 2016 +0100 - Log - ldb: tag release ldb-1.1.29 Alexis La Goutte (1): Fix typo Andrew Bartlett (23): selftest: Rework child process cleanup selftest: Ensure vampiredc has a full copy of localdc before we start join.py: Attempt to allocate a RID Set during the join talloc: add ASCII art to describe parent/child arrangement talloc: clarify that talloc_magic never includes the bits in TALLOC_FLAG_MASK talloc: Add tests for talloc_parent() after realloc() of the parent s4/rpc_server: Show what RPC interfaces are listening on which TCP port torture: Remove access to LSARPC via \\pipe\netlogon in rpc.netlogon for ManyGetDCName test pidl: Use a static const initialised struct in dcerpc_server_$name_init(void) s4-rpc_server: Use a type-safe struct signature in dcerpc_register_ep_server s4-rpc_server: Use an initialised static const struct in dcerpc_server_remote_init pidl: Change *_get_pipe_fns() to return const struct api_struct * pidl: Make static struct api_struct also const dsdb: specify attributes when loading schema ldb: Avoid individual memory allocations when searching for indexlist ldb: Add helper function ldb_schema_attribute_remove_flagged() ldb: Reduce scope of allocation and de-allocation of @ATTRIBUTES ldb: Reduce per-attribute memory allocation during @ATTRIBUTES load ldb: Add helper 
function ldb_schema_attribute_fill_with_syntax() ldb: load @ATTRIBUTES faster by sorting once, not at each insertion ldb: Cope with a->name being * ldb: Add test for behaviour of rdn_name ldb: new ldb version 1.1.29 Douglas Bagnall (3): lib/registry/regf: better initialise nk_block smbd/service_stream: connection processing flag is not really bool smbclient: fix string formatting in print command Jeremy Allison (2): librpc: cab: Integer wrap protection for ndr_count_cfdata(). librpc: cab: Fix ndr_size_cab_file() to detect integer wrap. Lumir Balhar (3): python: wscript_build: Prepare build environment for Python 3 porting python: selftesthelpers: Add possibility for planning tests for python: samba.subunit.run: Fix Python 3 compatibility. Petr Viktorin (1): python: Add py3compat.h Stefan Metzmacher (4): selftest/gdb_*: make use of 'mktemp' ldb:controls: add LDB_CONTROL_RECALCULATE_RDN_OID ldb:rdn_name: normalize rdn_name in rdn_rename_callback() ldb:rdn_name: add support for LDB_CONTROL_RECALCULATE_RDN_OID on ldb_modify() Volker Lendecke (2): ldb: Fix typos ldb: Fix an unused variable warning --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-5-test updated
The branch, v4-5-test has been updated via 91a3133 Merge tag 'samba-4.5.2' into v4-5-test via 6ead525 VERSION: Disable git snapshots for the 4.5.2 release. via 2109236 WHATSNEW: Add release notes for Samba 4.5.2. via 1084656 printing: Fix building with CUPS version older than 1.7 from 343718c printing: Fix building with CUPS version older than 1.7 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test - Log - commit 91a3133747556c174a606aa97990b0e2b820f74e Merge: 343718c 6ead525 Author: Stefan Metzmacher Date: Wed Dec 7 10:31:23 2016 +0100 Merge tag 'samba-4.5.2' into v4-5-test samba: tag release samba-4.5.2 Signed-off-by: Stefan Metzmacher --- Summary of changes: Changeset truncated at 500 lines: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 50dff7e pidl: Make dcesrv\_$name\_interface "static const" via 0e2f03f s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy() from 52fad16 s3: torture: Regression test case for permissions check on rename. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 50dff7e094d48793b432992a28571a6f7e5cc73c Author: Andrew Bartlett Date: Mon Nov 21 11:21:50 2016 +1300 pidl: Make dcesrv\_$name\_interface "static const" This moves it out of the global namespace Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Dec 8 13:25:57 CET 2016 on sn-devel-144 commit 0e2f03f9bd1cf91aa09e528d1a02c88262fdb2a9 Author: Andrew Bartlett Date: Mon Nov 21 11:31:27 2016 +1300 s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy() Use a typesafe struct-returning function instead Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm | 2 +- source4/rpc_server/dcerpc_server.c | 5 + source4/rpc_server/dcesrv_mgmt.c | 6 ++ 3 files changed, 8 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm index 7077864..7ca18a8 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm @@ -192,7 +192,7 @@ static NTSTATUS $name\__op_ndr_push(struct dcesrv_call_state *dce_call, TALLOC_C return NT_STATUS_OK; } -const struct dcesrv_interface dcesrv\_$name\_interface = { +static const struct dcesrv_interface dcesrv\_$name\_interface = { .name = \"$name\", .syntax_id = {".print_uuid($uuid).",$if_version}, .bind = $name\__op_bind, diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 862127b..072e352 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c 
@@ -42,8 +42,6 @@ #include "lib/util/samba_modules.h" #include "librpc/gen_ndr/ndr_dcerpc.h" -extern const struct dcesrv_interface dcesrv_mgmt_interface; - static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call, const struct dcerpc_bind *b, struct dcerpc_ack_ctx *ack_ctx_list); @@ -283,8 +281,7 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx, return NT_STATUS_NO_MEMORY; } - memcpy(&(ifl->iface), &dcesrv_mgmt_interface, - sizeof(struct dcesrv_interface)); + ifl->iface = dcesrv_get_mgmt_interface(); DLIST_ADD(ep->interface_list, ifl); } diff --git a/source4/rpc_server/dcesrv_mgmt.c b/source4/rpc_server/dcesrv_mgmt.c index 4d3428d..577f0fb 100644 --- a/source4/rpc_server/dcesrv_mgmt.c +++ b/source4/rpc_server/dcesrv_mgmt.c @@ -21,6 +21,7 @@ #include "includes.h" #include "rpc_server/dcerpc_server.h" +#include "rpc_server/dcerpc_server_proto.h" #include "librpc/gen_ndr/ndr_mgmt.h" #define DCESRV_INTERFACE_MGMT_BIND(call, iface) \ @@ -107,3 +108,8 @@ static WERROR dcesrv_mgmt_inq_princ_name(struct dcesrv_call_state *dce_call, TAL /* include the generated boilerplate */ #include "librpc/gen_ndr/ndr_mgmt_s.c" + +const struct dcesrv_interface dcesrv_get_mgmt_interface(void) +{ + return dcesrv_mgmt_interface; +} -- Samba Shared Repository
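Review bot: The new dcesrv_get_mgmt_interface() at the end of dcesrv_mgmt.c is declared as const struct dcesrv_interface dcesrv_get_mgmt_interface(void), returning the struct by value, and a const qualifier on a by-value return type has no effect in C. Either drop the qualifier, or return const struct dcesrv_interface * and assign with ifl->iface = *dcesrv_get_mgmt_interface(); in dcesrv_interface_register(), which keeps the type safety the commit message is after and avoids copying the struct twice. The Server.pm hunk makes every generated dcesrv_$name_interface static, so the message should also confirm that no other file still declares one of them extern, as dcerpc_server.c did before this change.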
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via cf536e3 torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon
  via 5434bde torture: Add ServerReqChallengeReuse to rpc.netlogon
  via 568d250 torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon
  via f55dc9c torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS
  via 380ec1b torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test
  via ecb1f56 torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
  from 91d5ea2 librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit cf536e36fbb87a691b78bbea999497e3ce1049dc
Author: Andrew Bartlett
Date: Wed Dec 14 15:59:08 2016 +1300

    torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon

    This test ensures that when the per-pipe challenge is used, the tdb cache is wiped as well

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Dec 14 15:56:37 CET 2016 on sn-devel-144

commit 5434bde87bb7fc7625642fd020c5835a6de10ce5
Author: Andrew Bartlett
Date: Wed Dec 14 15:17:24 2016 +1300

    torture: Add ServerReqChallengeReuse to rpc.netlogon

    This test covers credentials reuse on the same process. We test with direct re-use, and for the case where the challenge is reset to zeros.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit 568d250bfb26edbf9ad8370f2e0ce470839301bc
Author: Andrew Bartlett
Date: Wed Dec 14 15:12:12 2016 +1300

    torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon

    This test ensures we can not re-use the entries in the global challenge table.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit f55dc9cf72d7d8a2a3754dd8901d50e5611d8f5d
Author: Andrew Bartlett
Date: Wed Dec 14 15:09:15 2016 +1300

    torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS

    This allows this test to pass after "allow nt4 crypto" is removed from the default environment. We now only set it in ad_dc

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit 380ec1bb72378b7acfe52da25839633016367337
Author: Andrew Bartlett
Date: Wed Dec 14 17:45:19 2016 +1300

    torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test

    This allows it to run against modern servers that do not permit NT4 crypto

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit ecb1f569d7a297dda6ff6ce040d3555a89404fd7
Author: Andrew Bartlett
Date: Wed Dec 14 14:50:20 2016 +1300

    torture: Add credentials downgrade and challenge reuse test to rpc.netlogon

    This test confirms that the challenge set up is available after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED check. This is needed for NetApp ONTAP member servers.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 selftest/knownfail              | 2 +
 selftest/target/Samba4.pm       | 2 +-
 source4/torture/rpc/netlogon.c  | 344
 source4/torture/rpc/samba3rpc.c | 2 +-
 source4/torture/rpc/schannel.c  | 2 +-
 5 files changed, 349 insertions(+), 3 deletions(-)

Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail index 97ec6ef..0e168ab 100644 --- a/selftest/knownfail +++ b/selftest/knownfail 
@@ -79,6 +79,8 @@ ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx ^samba4.rpc.netlogon.*.GetPassword ^samba4.rpc.netlogon.*.DatabaseRedo +^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # Broken by allowing NT4 crypto on this environment +^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\) # Broken by allowing NT4 crypto on this environment ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal ^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only work with seal diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index da60c44..9e30475 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -860,7 +860,6 @@ sub provision($$) server max protocol = SMB2 host msdfs = $msdfs lanman auth = yes - allow nt4 crypto = yes # fruit:copyfile is a global option fruit:copyfile = yes @@ -1399,6 +1398,7 @@ sub provision_ad_dc_ntvfs($$) my $extra_conf_options = "
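Review bot: the two entries added to selftest/knownfail differ only in the ":local" suffix and carry the same comment, so a single pattern ending in "\(ad_dc_ntvfs(:local)?\)" would keep them from drifting apart. The comment "Broken by allowing NT4 crypto on this environment" would also be easier to act on later if it named the smb.conf option ("allow nt4 crypto = yes") that the Samba4.pm hunk removes from the shared provision() defaults, since the line added to provision_ad_dc_ntvfs() is what makes SetupCredentialsDowngrade an expected failure there and the two places have to be changed together.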
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via a7598fb rpc_server:netlogon Move from memcache to a tdb cache
  from cf536e3 torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit a7598fb53b3a5238d49edbcbdfd218311ae73807
Author: Douglas Bagnall
Date: Wed Nov 9 15:17:00 2016 +1300

    rpc_server:netlogon Move from memcache to a tdb cache

    This allows the netlogon server to be moved into a multi-process model while still supporting clients that use a challenge from a different network connection.

    Pair-Programmed-With: Andrew Bartlett
    Pair-Programmed-With: Stefan Metzmacher

    Signed-off-by: Douglas Bagnall
    Signed-off-by: Andrew Bartlett
    Signed-off-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144

---

Summary of changes:
 libcli/auth/schannel_state.h                  | 12 ++
 libcli/auth/schannel_state_tdb.c              | 261 ++
 librpc/idl/schannel.idl                       | 7 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 92 +
 4 files changed, 325 insertions(+), 47 deletions(-)

Changeset truncated at 500 lines:

diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h index f9d02dd..a333098 100644 --- a/libcli/auth/schannel_state.h +++ b/libcli/auth/schannel_state.h @@ -39,4 +39,16 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, struct netr_Authenticator *return_authenticator, struct netlogon_creds_CredentialState **creds_out); +NTSTATUS schannel_get_challenge(struct loadparm_context *lp_ctx, + struct netr_Credential *client_challenge, + struct netr_Credential *server_challenge, + const char *computer_name); + +NTSTATUS schannel_save_challenge(struct loadparm_context *lp_ctx, +const struct netr_Credential *client_challenge, +const struct netr_Credential *server_challenge, +const char *computer_name); + +NTSTATUS schannel_delete_challenge(struct loadparm_context *lp_ctx, + const char *computer_name); #endif 
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 2d3481d..d884279 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -272,6 +272,267 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, return status; } + +/* + * Create a very lossy hash of the computer name. + * + * The idea here is to compress the computer name into small space so + * that malicious clients cannot fill the database with junk, as only a + * maximum of 16k of entries are possible. + * + * Collisions are certainly possible, and the design behaves in the + * same way as when the hostname is reused, but clients that use the + * same connection do not go via the cache, and the cache only needs + * to function between the ReqChallenge and ServerAuthenticate + * packets. + */ +static void hash_computer_name(const char *computer_name, + char keystr[16]) +{ + unsigned int hash; + TDB_DATA computer_tdb_data = { + .dptr = (uint8_t *)discard_const_p(char, computer_name), + .dsize = strlen(computer_name) + }; + hash = tdb_jenkins_hash(&computer_tdb_data); + + /* we are using 14 bits of the digest to index our connections, so + that we use at most 16,384 buckets.*/ + snprintf(keystr, 15, "CHALLENGE/%x%x", hash & 0xFF, +(hash & 0xFF00 >> 8) & 0x3f); + return; +} + + +static +NTSTATUS schannel_store_challenge_tdb(struct db_context *db_sc, + TALLOC_CTX *mem_ctx, + const struct netr_Credential *client_challenge, + const struct netr_Credential *server_challenge, + const char *computer_name) +{ + enum ndr_err_code ndr_err; + DATA_BLOB blob; + TDB_DATA value; + char *name_upper = NULL; + NTSTATUS status; + char keystr[16] = { 0, }; + struct netlogon_cache_entry cache_entry; + + if (strlen(computer_name) > 255) { + /* +* We don't make this a limit at 15 chars as Samba has +* a test showing this can be longer :-( +*/ + return STATUS_BUFFER_OVERFLOW; + } + + name_upper = strupper_talloc(mem_ctx, comput
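Review bot: in hash_computer_name() the second snprintf() argument, "(hash & 0xFF00 >> 8) & 0x3f", does not select the bits the comment describes: ">>" binds tighter than "&", so it evaluates as "hash & 0xFF & 0x3f" and repeats the low six bits of the first value. The key then depends on only 8 bits of the hash (256 distinct keys) rather than the 14 bits and 16,384 buckets stated in the comment, so unrelated computer names share a cache slot far more often than the design note implies. "((hash & 0xFF00) >> 8) & 0x3f" or "(hash >> 8) & 0x3f" gives the intended range. Separately, "%x%x" without padding lets different value pairs print the same string (0x1 then 0x23, and 0x12 then 0x3, both give "123"); "%02x%02x" removes that and still fits, since "CHALLENGE/" plus four hex digits is 14 characters and the call passes 15.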