[SCM] Samba Shared Repository - branch master updated

2021-07-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  bedeeb0b596 tdb: version 1.4.5
   via  aacd3ecb45a tdb: Fix invalid syntax in tdb.h
  from  b724c1e6a66 utils: Avoid pylint warning

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bedeeb0b596f563e0918cd5f7195ed6aed0817ce
Author: Stefan Metzmacher 
Date:   Mon Jul 19 12:57:50 2021 +0200

tdb: version 1.4.5

* fix standalone usage of tdb.h

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Jul 20 11:48:38 UTC 2021 on sn-devel-184

commit aacd3ecb45ab04cb2f8a38a385a45bdca6d88cd2
Author: Günther Deschner 
Date:   Fri Jul 16 17:29:40 2021 +0200

tdb: Fix invalid syntax in tdb.h

Defining _PUBLIC_ in the same way as in talloc.h resolves an issue with
a previous fix for Solaris Studio compiler 12.4 that prefixed all calls
in tdb.h with _PUBLIC_.  Thanks to Lukas Slebodnik.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14762

Guenther

Signed-off-by: Günther Deschner 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.5.sigs} |  0
 lib/tdb/include/tdb.h   | 13 +
 lib/tdb/wscript |  2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)
 copy lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.5.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/tdb/ABI/tdb-1.3.17.sigs b/lib/tdb/ABI/tdb-1.4.5.sigs
similarity index 100%
copy from lib/tdb/ABI/tdb-1.3.17.sigs
copy to lib/tdb/ABI/tdb-1.4.5.sigs
diff --git a/lib/tdb/include/tdb.h b/lib/tdb/include/tdb.h
index 696547c8cd9..884171c73d9 100644
--- a/lib/tdb/include/tdb.h
+++ b/lib/tdb/include/tdb.h
@@ -33,6 +33,19 @@ extern "C" {
 #include 
 #include 
 
+/* for old gcc releases that don't have the feature test macro __has_attribute 
*/
+#ifndef __has_attribute
+#define __has_attribute(x) 0
+#endif
+
+#ifndef _PUBLIC_
+#if __has_attribute(visibility)
+#define _PUBLIC_ __attribute__((visibility("default")))
+#else
+#define _PUBLIC_
+#endif
+#endif
+
 /**
  * @defgroup tdb The tdb API
  *
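
Review bot: The fallback `#define __has_attribute(x) 0` at the top of this hunk is never undefined, so it leaks out of tdb.h into every translation unit that includes this public header, and any later header that tests whether `__has_attribute` is defined will then see it as available with every attribute reported as unsupported. A tdb-private helper macro, or an `#undef` once `_PUBLIC_` has been set, would keep the effect local. The same fallback also gives an empty `_PUBLIC_` on a compiler that supports `__attribute__((visibility("default")))` but lacks `__has_attribute`; a short comment saying that this is acceptable for users of the header would help.
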
diff --git a/lib/tdb/wscript b/lib/tdb/wscript
index cee0889bd4a..19b256f037c 100644
--- a/lib/tdb/wscript
+++ b/lib/tdb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'tdb'
-VERSION = '1.4.4'
+VERSION = '1.4.5'
 
 import sys, os
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag tdb-1.4.5 created

2021-07-20 Thread Stefan Metzmacher
The annotated tag, tdb-1.4.5 has been created
at  cab53d9a2f7b65198bf45ff85f285bc1630f44c7 (tag)
   tagging  bedeeb0b596f563e0918cd5f7195ed6aed0817ce (commit)
  replaces  samba-4.15.0rc1
 tagged by  Stefan Metzmacher
on  Tue Jul 20 13:57:18 2021 +0200

- Log -
tdb: tag release tdb-1.4.5

Andreas Schneider (3):
  s3:utils: Use better error message for smbtree
  selftest: Add PYTHONPATH for lsp servers to devel_env.sh
  gitignore: Add .cache directory

David Mulder (4):
  gpo: Add Certificate Auto Enrollment Policy
  gpo: Fix up rsop output of ca certificate
  gpo: Test Certificate Auto Enrollment Policy
  Update WHATSNEW for Certificate Auto Enrollment

Günther Deschner (1):
  tdb: Fix invalid syntax in tdb.h

Karolin Seeger (2):
  VERSION: Bump version up to 4.16.0pre1...
  WHATSNEW: Start release notes for Samba 4.16.0pre1.

Martin Schwenke (9):
  utils: Use Python 3
  utils: Clean up ctdb_etcd_lock using autopep8
  utils: Reorder imports so that standard imports are first
  utils: Move argument processing into function and call from main()
  utils: Inline defaults and help strings
  utils: Simplify log level logic, drop global variable
  utils: Tweak exception handling to stop flake8 complaining
  utils: Reformat lines that are longer than 80 columns
  utils: Avoid pylint warning

Stefan Metzmacher (6):
  s4:torture/smb2: add smb2.read.bug14607 test
  s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
  s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
  libcli/smb: make smb2cli_ioctl_parse_buffer() available as 
smb2cli_parse_dyn_buffer()
  libcli/smb: allow unexpected padding in SMB2 READ responses
  tdb: version 1.4.5

Volker Lendecke (1):
  examples: Make winreg.py sample work with python3 in current master

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-07-31 Thread Stefan Metzmacher
The branch, master has been updated
   via  7818513053a samba-bgqd: Fix samba-bgqd with 
"clustering=yes"/"include=registry"
  from  2acad276860 s3: smbd: Don't leak meta-data about the containing 
directory of the share root.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7818513053aabda046645583fa5bb79a03e2b5ac
Author: Volker Lendecke 
Date:   Fri Jul 30 11:43:08 2021 +0200

samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

With the above combination, some flavor of lp_load() already
initializes global_event_ctx, for which the closeall_except() later on
will happily close the epoll fd for. If we want to close all file
descriptors at startup, this must be the very first thing overall.

Can't really write a proper test for this with knownfail that is
removed with the fix, because if we have clustering+include=registry,
the whole clusteredmember environment does not even start up.

    Signed-off-by: Volker Lendecke 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sat Jul 31 16:58:41 UTC 2021 on sn-devel-184

---

Summary of changes:
 selftest/target/Samba3.pm |  1 +
 source3/printing/samba-bgqd.c | 58 +++
 2 files changed, 48 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index dc1c14e9628..d0ef659da99 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -517,6 +517,7 @@ sub setup_clusteredmember
server signing = on
clustering = yes
ctdbd socket = ${socket}
+   include = registry
dbwrap_tdb_mutexes:* = yes
${require_mutexes}
 ";
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index 4b96fc43092..8ac6ec525b2 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -195,6 +195,44 @@ static int closeall_except(int *fds, size_t num_fds)
return 0;
 }
 
+static int closeall_except_fd_params(
+   size_t num_fd_params,
+   const char *fd_params[],
+   int argc,
+   const char *argv[])
+{
+   int fds[num_fd_params+3];
+   size_t i;
+   struct poptOption long_options[num_fd_params + 1];
+   poptContext pc;
+   int ret;
+
+   for (i=0; i
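
Review bot: `int fds[num_fd_params+3];` and `struct poptOption long_options[num_fd_params + 1];` are variable-length arrays sized directly from a parameter, and no upper bound on `num_fd_params` is visible in this part of the function. If callers only ever pass a small constant, a compile-time bound or an early check that returns an error would make that explicit and keep the stack use fixed. The two size expressions also differ in spacing (`num_fd_params+3` against `num_fd_params + 1`).
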

[SCM] Samba Shared Repository - branch master updated

2021-08-03 Thread Stefan Metzmacher
The branch, master has been updated
   via  93bac5f1224 winbindd_pam: add NT4 DC handling into 
winbind_samlogon_retry_loop()
  from  23e5b7cc79b s4:torture: Add rpc netlogon fips test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 93bac5f12240597e1e92291de70a7000a403baca
Author: Stefan Metzmacher 
Date:   Mon Aug 2 14:17:47 2021 +0200

winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()

Handle the case where a NT4 DC does not fill in the acct_flags in
the samlogon reply info3. Yes, in 2021, there are still admins
around with real NT4 DCs.

NT4 DCs reject authentication with workstation accounts with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified.

We no longer call dcerpc_samr_QueryUserInfo(level=16)
to get the acct_flags, as we only ever got
ACB_NORMAL back (maybe with ACB_PWNOEXP in addition),
which is easy to calculate on our own.
This was removed in commit (for 4.15.0rc1):

  commit 73528f26eea24033a7093e5591b8f89ad2b8644e
  Author: Ralph Boehme 
  AuthorDate: Mon Jan 11 14:59:46 2021 +0100
  Commit: Jeremy Allison 
  CommitDate: Thu Jan 21 22:56:20 2021 +

  winbind: remove legacy flags fallback

  Some very old NT4 DCs might have not returned the account flags filled in. This
  shouldn't be a problem anymore. Additionally, on a typical domain member server,
  this request is (and can only be) send to the primary domain, so this will not
  work with accounts from trusted domains.

  Signed-off-by: Ralph Boehme 
  Reviewed-by: Jeremy Allison 

  Autobuild-User(master): Jeremy Allison 
  Autobuild-Date(master): Thu Jan 21 22:56:20 UTC 2021 on sn-devel-184

It means one more caller of the problematic cm_connect_sam()
function is removed! SAMR connections may not be allowed for
machine accounts with modern AD DCs.

For network logons NT4 DCs also skip the
account_name, so we have to fallback to the
one given by the client. We have code to cope
with that deeply hidden inside of netsamlogon_cache_store().

Up to Samba 4.7 netsamlogon_cache_store() operated on the
info3 structure that was passed to the caller of winbind_dual_SamLogon()
and pass propagated up to auth_winbind in smbd.

But for Samba 4.8 the following commit:

  commit f153c95176b7759e10996b24b66d9917945372ed
  Author: Ralph Boehme 
  Date:   Mon Dec 11 16:25:35 2017 +0100

  winbindd: let winbind_dual_SamLogon return validation

  Signed-off-by: Ralph Boehme 
  Reviewed-by: Stefan Metzmacher 

actually changed the situation and only a temporary info3 structure
was passed into netsamlogon_cache_store(), which means
account_name was NULL and get propagated as "" into auth_winbind
in smbd, where getpwnam() is no longer possible and every
smb access gets NT_STATUS_LOGON_FAILURE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14772

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Aug  3 11:10:27 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_pam.c | 65 +
 1 file changed, 65 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a2bb8816859..ea315aecf6d 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1507,6 +1507,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct 
winbindd_domain *domain,
enum netr_LogonInfoClass logon_type_n;
uint16_t validation_level = UINT16_MAX;
union netr_Validation *validation = NULL;
+   TALLOC_CTX *base_ctx = NULL;
+   struct netr_SamBaseInfo *base_info = NULL;
 
do {
struct rpc_pipe_client *netlogon_pipe;
@@ -1713,6 +1715,69 @@ static NTSTATUS winbind_samlogon_retry_loop(struct 
winbindd_domain *domain,
return result;
}
 
+   switch (validation_level) {
+   case 3:
+   base_ctx = validation->sam3;
+   base_info = &validation->sam3->base;
+   break;
+   case 6:
+   base_ctx = validation->sam6;
+   base_info = &validation->sam6->base;
+   break;
+   default:
+   smb_panic(__location__);
+   }
+
+   if (base_info->acct_flags == 0 || base_info->account_name.string == 
NULL) {
+   
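
Review bot: In the `switch (validation_level)` block, `validation->sam3` and `validation->sam6` are dereferenced although `validation` is initialised to NULL at the top of the function and no NULL check is visible between the `return result;` above and this switch. If the success path guarantees a non-NULL `validation`, an explicit check or assertion here would document that. The `default:` arm calls `smb_panic(__location__)`, which aborts winbindd on an unexpected level; returning an NTSTATUS error would be a gentler failure if that value can ever be influenced by the DC's reply.
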

[SCM] Samba Shared Repository - annotated tag samba-4.15.0rc2 created

2021-08-09 Thread Stefan Metzmacher
The annotated tag, samba-4.15.0rc2 has been created
at  7f38b69e85c5a97fb592a4c17211b96ea75d9bba (tag)
   tagging  16fb5c685a58af1e1d8761ba2c039a6626dabd6a (commit)
  replaces  samba-4.15.0rc1
 tagged by  Stefan Metzmacher
on  Mon Aug 9 16:06:30 2021 +0200

- Log -
samba: tag release samba-4.15.0rc2

Andreas Schneider (4):
  s3:winbindd: Add a check for the path length of 'winbindd socket 
directory'
  gitlab: Use shorter names for Samba AD DC env with MIT KRB5
  lib:cmdline: Use lp_load_global() for servers
  configure: Do not put arguments into double quotes

Günther Deschner (1):
  WHATSNEW: mention the offline domain join feature

Jeremy Allison (2):
  s3: smbd: Allow async dosmode to cope with ".." pathnames where we close 
smb_fname->fsp to prevent meta-data leakage.
  s3: smbd: Don't leak meta-data about the containing directory of the 
share root.

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.15.0rc2.
  VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release.

Karolin Seeger (1):
  VERSION: Bump version up to 4.15.0rc2...

Ralph Boehme (2):
  smbd: drop requirement for full open for READ_CONTROL_ACCESS, 
WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
  smbd: only open full fd for directories if needed

Stefan Metzmacher (8):
  s4:torture/smb2: add smb2.read.bug14607 test
  s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done
  s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8
  libcli/smb: make smb2cli_ioctl_parse_buffer() available as 
smb2cli_parse_dyn_buffer()
  libcli/smb: allow unexpected padding in SMB2 READ responses
  gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
  s4:torture/smb2: add tests to check all signing and encryption algorithms
  s3:smbd: really support AES-256* in the server

Volker Lendecke (1):
  samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"

---


-- 
Samba Shared Repository



[SCM] Samba Website Repository - branch master updated

2021-08-09 Thread Stefan Metzmacher
The branch, master has been updated
   via  bdf1c5a NEWS[4.15.0rc2]: Samba 4.15.0rc2 Available for Download
  from  109fdbb NEWS[4.15.0rc1]: Samba 4.15.0rc1 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit bdf1c5aec5d5e8c8771e4c4c6c34a8cb94ed05ec
Author: Stefan Metzmacher 
Date:   Mon Aug 9 16:06:44 2021 +0200

NEWS[4.15.0rc2]: Samba 4.15.0rc2 Available for Download

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 posted_news/20210809-140933.4.15.0rc2.body.html | 12 
 posted_news/20210809-140933.4.15.0rc2.headline.html |  3 +++
 2 files changed, 15 insertions(+)
 create mode 100644 posted_news/20210809-140933.4.15.0rc2.body.html
 create mode 100644 posted_news/20210809-140933.4.15.0rc2.headline.html


Changeset truncated at 500 lines:

diff --git a/posted_news/20210809-140933.4.15.0rc2.body.html 
b/posted_news/20210809-140933.4.15.0rc2.body.html
new file mode 100644
index 000..2feadcc
--- /dev/null
+++ b/posted_news/20210809-140933.4.15.0rc2.body.html
@@ -0,0 +1,12 @@
+
+09 August 2021
+Samba 4.15.0rc2 Available for Download
+
+This is the second release candidate of the upcoming Samba 4.15 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/rc/samba-4.15.0rc2.tar.gz";>downloaded
 now.
+See https://download.samba.org/pub/samba/rc/samba-4.15.0rc2.WHATSNEW.txt";>the 
release notes for more info.
+
+
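
Review bot: The news body identifies the signing key only by the 64-bit ID `AA99442FB680B620` and links the `.tar.gz`, while the sentence says the signature covers the uncompressed tarball. Adding a link to the signature file and the full key fingerprint next to that sentence would let readers verify the download without guessing which file the signature applies to.
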
diff --git a/posted_news/20210809-140933.4.15.0rc2.headline.html 
b/posted_news/20210809-140933.4.15.0rc2.headline.html
new file mode 100644
index 000..514dc06
--- /dev/null
+++ b/posted_news/20210809-140933.4.15.0rc2.headline.html
@@ -0,0 +1,3 @@
+
+ 09 August 2021 Samba 4.15.0rc2 Available for 
Download
+


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2021-08-12 Thread Stefan Metzmacher
The branch, master has been updated
   via  8858cf72af1 wscript: fix installing pre-commit with 'git worktree'
   via  c7f85146cb5 script/bisect-test.py: add support git worktree
   via  2e2d2eaa104 wafsamba: add support git worktree to vcs_dir_contents()
  from  289b7a1595a s3:libsmb: close the temporary IPC$ connection in 
cli_full_connection()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8858cf72af1cc15784749e58f184559a839dd4ef
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wscript: fix installing pre-commit with 'git worktree'

.git is not always a directory, with 'git worktree' it's a file.

'git rev-parse --git-path hooks' is the generic way to find the
path for the githooks.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

commit c7f85146cb50795afcbb1c607e87d163d241c79a
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

script/bisect-test.py: add support git worktree

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wafsamba: add support git worktree to vcs_dir_contents()

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 buildtools/wafsamba/samba_dist.py |  2 +-
 script/bisect-test.py |  2 +-
 wscript   | 20 +++-
 3 files changed, 17 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_dist.py 
b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
 """
 repo = path
 while repo != "/":
-if os.path.isdir(os.path.join(repo, ".git")):
+if os.path.exists(os.path.join(repo, ".git")):
 ls_files_cmd = [ 'git', 'ls-files', '--full-name',
  os.path.relpath(path, repo) ]
 cwd = None
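
Review bot: `os.path.exists(os.path.join(repo, ".git"))` now accepts any filesystem entry named `.git`, not only a directory or a worktree pointer file, and it still returns false for a dangling symlink. `os.path.isdir(...) or os.path.isfile(...)` would state the two supported cases, or the `git rev-parse --show-toplevel` approach mentioned in the commit message would leave the decision to git.
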
diff --git a/script/bisect-test.py b/script/bisect-test.py
index b87df54ac09..7c5cd635f58 100755
--- a/script/bisect-test.py
+++ b/script/bisect-test.py
@@ -48,7 +48,7 @@ def find_git_root():
 '''get to the top of the git repo'''
 p = os.getcwd()
 while p != '/':
-if os.path.isdir(os.path.join(p, ".git")):
+if os.path.exists(os.path.join(p, ".git")):
 return p
 p = os.path.abspath(os.path.join(p, '..'))
 return None
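
Review bot: With `os.path.exists` in `find_git_root()`, the upward walk also stops at a submodule checkout, where `.git` is a file as well, so the function returns the submodule root rather than the top of the superproject. If bisect-test.py can be started from inside a submodule, that case deserves a comment or a test.
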
diff --git a/wscript b/wscript
index ee7daa953b2..d8220b35095 100644
--- a/wscript
+++ b/wscript
@@ -141,11 +141,21 @@ def configure(conf):
 conf.env.DEVELOPER = True
 # if we are in a git tree without a pre-commit hook, install a
 # simple default.
-pre_commit_hook = os.path.join(Context.g_module.top, 
'.git/hooks/pre-commit')
-if (os.path.isdir(os.path.dirname(pre_commit_hook)) and
-not os.path.exists(pre_commit_hook)):
-shutil.copy(os.path.join(Context.g_module.top, 
'script/git-hooks/pre-commit-hook'),
-pre_commit_hook)
+# we need git for 'waf dist'
+githooksdir = None
+conf.find_program('git', var='GIT')
+if 'GIT' in conf.env:
+githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % 
conf.env.GIT[0],
+   msg='Finding githooks directory',
+   define=None,
+   on_target=False)
+if githooksdir and os.path.isdir(githooksdir):
+pre_commit_hook = os.path.join(githooksdir, 'pre-commit')
+if not os.path.exists(pre_commit_hook):
+Logs.info("Installing script/git-hooks/pre-commit-hook as %s" %
+  pre_commit_hook)
+shutil.copy(os.path.join(Context.g_module.top, 
'script/git-hooks/pre-commit-hook'),
+pre_commit_hook)
 
 conf.ADD_EXTRA_INCLUDES('#include/public #source4 #lib #source4/lib 
#source4/include #include #lib/replace')
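
Review bot: `git rev-parse --git-path hooks` honours `core.hooksPath`, so when a developer has that option set (for instance globally), the `shutil.copy(...)` at the end of the added block installs Samba's pre-commit hook into a hooks directory shared with other repositories, whereas the removed code only ever wrote below this tree's `.git/hooks`. Consider skipping the install when the resolved directory lies outside the repository, or raising the `Logs.info` message to a warning in that case.
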
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-14-test updated

2021-08-12 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  a8b40f15f90 wscript: fix installing pre-commit with 'git worktree'
   via  e393635ab82 script/bisect-test.py: add support git worktree
   via  87b8e7f39be wafsamba: add support git worktree to vcs_dir_contents()
  from  25f3cb8c973 libcli/smb: allow unexpected padding in SMB2 READ 
responses

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit a8b40f15f907cef89075dba368ec611e4cdbb099
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wscript: fix installing pre-commit with 'git worktree'

.git is not always a directory, with 'git worktree' it's a file.

'git rev-parse --git-path hooks' is the generic way to find the
path for the githooks.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

(cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Thu Aug 12 11:49:18 UTC 2021 on sn-devel-184

commit e393635ab82dbca1d6fee9279a81e274e743b118
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

script/bisect-test.py: add support git worktree

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)

commit 87b8e7f39be6b9b513ed97a150fe814d35108d4c
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wafsamba: add support git worktree to vcs_dir_contents()

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02)

---

Summary of changes:
 buildtools/wafsamba/samba_dist.py |  2 +-
 script/bisect-test.py |  2 +-
 wscript   | 20 +++-
 3 files changed, 17 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_dist.py 
b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
 """
 repo = path
 while repo != "/":
-if os.path.isdir(os.path.join(repo, ".git")):
+if os.path.exists(os.path.join(repo, ".git")):
 ls_files_cmd = [ 'git', 'ls-files', '--full-name',
  os.path.relpath(path, repo) ]
 cwd = None
diff --git a/script/bisect-test.py b/script/bisect-test.py
index b87df54ac09..7c5cd635f58 100755
--- a/script/bisect-test.py
+++ b/script/bisect-test.py
@@ -48,7 +48,7 @@ def find_git_root():
 '''get to the top of the git repo'''
 p = os.getcwd()
 while p != '/':
-if os.path.isdir(os.path.join(p, ".git")):
+if os.path.exists(os.path.join(p, ".git")):
 return p
 p = os.path.abspath(os.path.join(p, '..'))
 return None
diff --git a/wscript b/wscript
index 83d94211338..262f1bf8d86 100644
--- a/wscript
+++ b/wscript
@@ -148,11 +148,21 @@ def configure(conf):
 conf.env.DEVELOPER = True
 # if we are in a git tree without a pre-commit hook, install a
 # simple default.
-pre_commit_hook = os.path.join(Context.g_module.top, 
'.git/hooks/pre-commit')
-if (os.path.isdir(os.path.dirname(pre_commit_hook)) and
-not os.path.exists(pre_commit_hook)):
-shutil.copy(os.path.join(Context.g_module.top, 
'script/git-hooks/pre-commit-hook'),
-pre_commit_hook)
+# we need git for 'waf dist'
+githooksdir = None
+conf.find_program('git', var='GIT')
+if 'GIT' in conf.env:
+githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % 
conf.env.GIT[0],
+   msg='Finding githooks directory',
+   define=None,
+   on_target=False)
+if gith
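
Review bot: `conf.find_program('git', var='GIT')` is followed by `if 'GIT' in conf.env:`, which reads as if git were optional, while the added comment says git is needed for 'waf dist'. If `find_program` aborts configure when git is missing, the guard is dead code and this part of configure() gains a hard dependency on git on a stable branch; if it does not abort, the comment is misleading. Passing the intended mandatory setting explicitly, or dropping the guard, would settle which behaviour is meant.
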

[SCM] Samba Shared Repository - branch v4-15-test updated

2021-08-12 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  eb8518e4fb8 wscript: fix installing pre-commit with 'git worktree'
   via  f9ed3a8cb95 script/bisect-test.py: add support git worktree
   via  24c95d2523f wafsamba: add support git worktree to vcs_dir_contents()
  from  f834da87269 VERSION: Bump version up to Samba 4.15.0rc3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit eb8518e4fb828337a331779fbac14a25b0761d45
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wscript: fix installing pre-commit with 'git worktree'

.git is not always a directory, with 'git worktree' it's a file.

'git rev-parse --git-path hooks' is the generic way to find the
path for the githooks.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184

(cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Thu Aug 12 12:03:18 UTC 2021 on sn-devel-184

commit f9ed3a8cb95551bb30a1f8ecf4030a3f701176c7
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

script/bisect-test.py: add support git worktree

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)

commit 24c95d2523fd686025bcb7cab88ee2335fab2241
Author: Stefan Metzmacher 
Date:   Wed Aug 11 13:26:41 2021 +0200

wafsamba: add support git worktree to vcs_dir_contents()

.git is not always a directory, with 'git worktree' it's a file.

Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02)

---

Summary of changes:
 buildtools/wafsamba/samba_dist.py |  2 +-
 script/bisect-test.py |  2 +-
 wscript   | 20 +++-
 3 files changed, 17 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_dist.py 
b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
 """
 repo = path
 while repo != "/":
-if os.path.isdir(os.path.join(repo, ".git")):
+if os.path.exists(os.path.join(repo, ".git")):
 ls_files_cmd = [ 'git', 'ls-files', '--full-name',
  os.path.relpath(path, repo) ]
 cwd = None
diff --git a/script/bisect-test.py b/script/bisect-test.py
index b87df54ac09..7c5cd635f58 100755
--- a/script/bisect-test.py
+++ b/script/bisect-test.py
@@ -48,7 +48,7 @@ def find_git_root():
 '''get to the top of the git repo'''
 p = os.getcwd()
 while p != '/':
-if os.path.isdir(os.path.join(p, ".git")):
+if os.path.exists(os.path.join(p, ".git")):
 return p
 p = os.path.abspath(os.path.join(p, '..'))
 return None
diff --git a/wscript b/wscript
index ee7daa953b2..d8220b35095 100644
--- a/wscript
+++ b/wscript
@@ -141,11 +141,21 @@ def configure(conf):
 conf.env.DEVELOPER = True
 # if we are in a git tree without a pre-commit hook, install a
 # simple default.
-pre_commit_hook = os.path.join(Context.g_module.top, 
'.git/hooks/pre-commit')
-if (os.path.isdir(os.path.dirname(pre_commit_hook)) and
-not os.path.exists(pre_commit_hook)):
-shutil.copy(os.path.join(Context.g_module.top, 
'script/git-hooks/pre-commit-hook'),
-pre_commit_hook)
+# we need git for 'waf dist'
+githooksdir = None
+conf.find_program('git', var='GIT')
+if 'GIT' in conf.env:
+githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % 
conf.env.GIT[0],
+   msg='Finding githooks directory',
+   define=None,
+   on_target=False)
+if githooksdir and os.path.i
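
Review bot: The command handed to `conf.CHECK_COMMAND` is built by interpolating `conf.env.GIT[0]` into a string (`'%s rev-parse --git-path hooks' % ...`), so a git binary installed under a path containing spaces would be split into several words if that string is tokenised later. Quoting the program path, or passing an argument list if `CHECK_COMMAND` accepts one, avoids that. In an ordinary checkout the command also prints a path relative to the directory it runs in, so the directory test that follows depends on configure's working directory.
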

[SCM] Samba Shared Repository - branch master updated

2021-10-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  83a654a4efd tests/krb5: Add tests for constrained delegation to 
NO_AUTH_DATA_REQUIRED service
   via  cc3d27596b9 tests/krb5: Ensure PAC is not present if expect_pac is 
false
   via  031a8287642 kdc: Correctly strip PAC, rather than error on 
UF_NO_AUTH_DATA_REQUIRED for servers
   via  92e8ce18a79 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client 
principals
  from  8a607e7577a netlogon_creds_cli: add 
netlogon_creds_cli_SendToSam_recv() and don't ignore result

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef
Author: Joseph Sutton 
Date:   Mon Oct 18 16:07:11 2021 +1300

tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED 
service

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184

commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf
Author: Joseph Sutton 
Date:   Mon Oct 18 16:05:19 2021 +1300

tests/krb5: Ensure PAC is not present if expect_pac is false

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542
Author: Andrew Bartlett 
Date:   Mon Oct 18 16:00:45 2021 +1300

kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for 
servers

UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped, not to give an error if the PAC was still
present.

Tested against Windows 2019

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
Author: Andrew Bartlett 
Date:   Mon Oct 18 15:21:50 2021 +1300

kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals

Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 python/samba/tests/krb5/raw_testcase.py |  14 ++---
 python/samba/tests/krb5/s4u_tests.py| 107 +++-
 selftest/knownfail_heimdal_kdc  |   9 +--
 selftest/knownfail_mit_kdc  |   1 -
 source4/kdc/mit_samba.c |   7 ---
 source4/kdc/pac-glue.c  |   5 --
 source4/kdc/wdc-samba4.c|  38 
 7 files changed, 144 insertions(+), 37 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/raw_testcase.py 
b/python/samba/tests/krb5/raw_testcase.py
index 0790ac13f99..0b9fe8e7a04 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2385,13 +2385,6 @@ class RawKerberosTest(TestCaseInTempDir):
 self.assertElementPresent(ticket_private, 'authorization-data',
   expect_empty=not expect_pac)
 
-if expect_pac:
-authorization_data = self.getElementValue(ticket_private,
-  'authorization-data')
-pac_data = self.get_pac(authorization_data)
-
-self.check_pac_buffers(pac_data, kdc_exchange_dict)
-
 encpart_session_key = None
 if encpart_private is not None:
 self.assertElementPresent(encpart_private, 'key')
@@ -2493,6 +2486,13 @@ class RawKerberosTest(TestCaseInTempDir):
 ticket_private=ticket_private,
 encpart_private=encpart_private)
 
+if ticket_private is not None:
+pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac)
+if expect_pac:
+self.check_pac_buffers(pac_data, kdc_exchange_dict)
+else:
+self.assertIsNone(pac_data)
+
 expect_ticket_checksum = kdc_exchange_dict['expect_ticket_checksum']
 if expect_ticket_checksum:
 self.assertIsNotNone(ticket_decryption_key)
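Review bot: The relocated PAC check only runs when `ticket_private is not None`, so an exchange that sets `expect_pac` but has no ticket decryption key passes without any PAC validation; consider failing explicitly in that case instead of skipping. `get_ticket_pac()` is also handed `expect_pac`, so if it already asserts on presence or absence, the `assertIsNone(pac_data)` branch is redundant, and a short comment saying which side owns that assertion would help.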
diff --git a/python/samba/tests/krb5/s4u_tests.py 
b/python/samba/tests/krb5/s4u_tests.py
index 9a25256081a..bbb7135b55b 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -538,6 +538,8 @@ class S4UKerberosTests(KDCBaseTest):
 transited_service = f'host/{service1_name}@{service1_realm}'
 expected_transited_services.append(transited_service)
 
+expect_pac = kdc_di

[SCM] Samba Shared Repository - branch master updated

2021-10-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  7e961f3f7a8 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
  from  83a654a4efd tests/krb5: Add tests for constrained delegation to 
NO_AUTH_DATA_REQUIRED service

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7e961f3f7a815960ae25377d5b7515184d439690
Author: Viktor Dukhovni 
Date:   Wed Aug 10 23:31:14 2016 +

HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets.  This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.

Note, this may break sites that rely on the bug.  With the bug some
incomplete [capaths] worked, that should not have.  These may now break
authentication in some cross-realm configurations.

(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998

Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184

---

Summary of changes:
 source4/heimdal/kdc/krb5tgs.c | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 2de3b099199..7e9379db64a 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -409,8 +409,12 @@ fix_transited_encoding(krb5_context context,
  "Decoding transited encoding");
return ret;
 }
+
+/*
+ * If the realm of the presented tgt is neither the client nor the server
+ * realm, it is a transit realm and must be added to transited set.
+ */
 if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
-   /* not us, so add the previous realm to transited set */
if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
ret = ERANGE;
goto free_realms;
@@ -492,6 +496,7 @@ tgs_make_reply(krb5_context context,
   const char *server_name,
   hdb_entry_ex *client,
   krb5_principal client_principal,
+   const char *tgt_realm,
   hdb_entry_ex *krbtgt,
   krb5_pac mspac,
   uint16_t rodc_id,
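Review bot: The new `const char *tgt_realm` parameter is inserted directly before `hdb_entry_ex *krbtgt` with nothing saying how the two differ; document at the prototype that it is the realm of the issuer of the presented TGT and must not be derived from the `krbtgt` argument, since mixing the two up is the mistake this change corrects. The value is later compared with `strcmp()` in `fix_transited_encoding()`, so also state (or assert) that it is never NULL.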
@@ -553,7 +558,7 @@ tgs_make_reply(krb5_context context,
 &tgt->transited, &et,
 krb5_principal_get_realm(context, 
client_principal),
 krb5_principal_get_realm(context, 
server->entry.principal),
-krb5_principal_get_realm(context, 
krbtgt->entry.principal));
+tgt_realm);
 if(ret)
goto out;
 
@@ -1292,13 +1297,14 @@ tgs_build_reply(krb5_context context,
 HDB *clientdb, *s4u2self_impersonated_clientdb;
 krb5_realm ref_realm = NULL;
 EncTicketPart *tgt = &ticket->ticket;
+const char *tgt_realm = /* Realm of TGT issuer */
+krb5_principal_get_realm(context, krbtgt->entry.principal);
 const EncryptionKey *ekey;
 krb5_keyblock sessionkey;
 krb5_kvno kvno;
 krb5_pac mspac = NULL;
 uint16_t rodc_id;
 krb5_boolean add_ticket_sig = FALSE;
-
 hdb_entry_ex *krbtgt_out = NULL;
 
 METHOD_DATA enc_pa_data;
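Review bot: The `tgt_realm` initializer dereferences `krbtgt->entry.principal` at declaration time and keeps a borrowed pointer that is only consumed by the `tgs_make_reply()` call far below at `server_lookup`; a comment that `krbtgt` must stay valid and unchanged until then would guard against a later refactor freeing or swapping it. Style: the `/* Realm of TGT issuer */` comment splits the initializer after the `=`, and the hunk also drops the blank line before `hdb_entry_ex *krbtgt_out`, which is unrelated whitespace churn.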
@@ -2036,6 +2042,7 @@ server_lookup:
 spn,
 client,
 cp,
+tgt_realm,
 krbtgt_out,
 mspac,
 rodc_id,


-- 
Samba Shared Repository
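
The effect of the transit path fix in commit 7e961f3f7a8, as an added example that is not Heimdal or Samba code: it applies the patched `strcmp()` test to a constructed three-realm hop and then runs a simple allow-list check over the recorded path. The realm names, `MAX_HOPS`, the `path_allowed()` policy and the assumption that the pre-fix realm was the issuing KDC's own realm (the realm of the outgoing krbtgt) are all illustrative.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 8

/* Constructed realms: the client in A reaches a service in C through B. */
#define CLIENT_REALM "A.EXAMPLE"
#define HOP_REALM    "B.EXAMPLE"  /* issued the cross-realm TGT presented to C */
#define SERVER_REALM "C.EXAMPLE"  /* realm of the KDC issuing the service ticket */

/* Simplified, uncompressed model of a ticket's transited field. */
struct transit_path {
    const char *realms[MAX_HOPS];
    size_t n;
};

/*
 * Same test as the patched fix_transited_encoding(): the realm of the
 * presented TGT is a transit hop when it is neither the client's nor the
 * server's realm. Returns 0 on success, -1 if the path is full.
 */
static int record_hop(struct transit_path *tp, const char *client_realm,
                      const char *server_realm, const char *tgt_realm)
{
    if (strcmp(client_realm, tgt_realm) != 0 &&
        strcmp(server_realm, tgt_realm) != 0) {
        if (tp->n >= MAX_HOPS)
            return -1;
        tp->realms[tp->n++] = tgt_realm;
    }
    return 0;
}

/* Hypothetical capath-style policy: every recorded hop must be allow-listed. */
static int path_allowed(const struct transit_path *tp,
                        const char *const *allowed, size_t n_allowed)
{
    for (size_t i = 0; i < tp->n; i++) {
        int ok = 0;
        for (size_t j = 0; j < n_allowed; j++) {
            if (strcmp(tp->realms[i], allowed[j]) == 0)
                ok = 1;
        }
        if (!ok)
            return 0;
    }
    return 1;
}

/*
 * Issue a ticket for CLIENT_REALM -> SERVER_REALM with the given tgt_realm
 * and evaluate the resulting path against a constructed allow list.
 * Returns 1 if the policy accepts the path, 0 if it rejects it, -1 on error;
 * *n_hops receives the number of transit realms recorded.
 */
static int evaluate(const char *tgt_realm, size_t *n_hops)
{
    static const char *const allowed[] = { "TRUSTED.EXAMPLE" };
    struct transit_path tp = { { NULL }, 0 };

    if (record_hop(&tp, CLIENT_REALM, SERVER_REALM, tgt_realm) != 0)
        return -1;
    *n_hops = tp.n;
    return path_allowed(&tp, allowed, sizeof(allowed) / sizeof(allowed[0]));
}

int main(void)
{
    size_t n = 0;
    int ok;

    /* Pre-fix model: the realm is taken from the outgoing krbtgt, assumed
     * here to be the issuing KDC's own realm, so the hop through B is lost. */
    ok = evaluate(SERVER_REALM, &n);
    printf("pre-fix: hops=%zu policy_accepts=%d\n", n, ok);

    /* Fixed: the realm of the presented TGT's issuer is used, B is recorded,
     * and the allow-list check can see (and reject) it. */
    ok = evaluate(HOP_REALM, &n);
    printf("fixed:   hops=%zu policy_accepts=%d\n", n, ok);
    return 0;
}
```

A path check can only reject hops that were recorded, which is why the commit message warns that incomplete [capaths] configurations that worked with the bug may stop working after the fix.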



[SCM] Samba Shared Repository - branch master updated

2021-10-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  5eeb441b771 dsdb: Allow special chars like "@" in samAccountName 
when generating the salt
   via  46039baa813 tests/krb5: Add tests for account salt calculation
   via  25bdf4c994e tests/krb5: Fix account salt calculation to match 
Windows
   via  889476d1754 tests/krb5: Allow specifying the UPN for test accounts
   via  f4785ccfefe tests/krb5: Allow creating machine accounts without a 
trailing dollar
   via  7e39994ed34 tests/krb5: Allow specifying prefix or suffix for test 
account names
   via  a5a6296e57c tests/krb5: Decrease length of test account prefix
   via  4dc3c68c9a2 selftest/Samba3: replace (winbindd => "yes", skip_wait 
=> 1) with (winbindd => "offline")
   via  d998f7f8df2 selftest/Samba3: remove unused close(USERMAP); calls
   via  5d8e794551b waf: Allow building with MIT KRB5 >= 1.20
   via  459200caba0 selftest: Improve error handling and perl style when 
setting up users in Samba4.pm
   via  2c0658d408f selftest: Remove duplicate setup of $base_dn and 
$ldbmodify
   via  d4a75eead05 pytest: s3_net_join: avoid name clash
   via  49306f74eb2 selftest: krb5 account creation: clarify account type 
as an enum
   via  aacb18f9203 pytest: dynamic tests optionally add __doc__
   via  6292f0597f2 selftest: Increase account lockout windows to make test 
more realiable
   via  a169e013e66 pytest/rodc_rwdc: try to avoid race.
  from  7e961f3f7a8 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed
Author: Andrew Bartlett 
Date:   Tue Oct 19 16:01:36 2021 +1300

dsdb: Allow special chars like "@" in samAccountName when generating the 
salt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

    Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184

commit 46039baa81377df10e5b134e4bb064ed246795e4
Author: Joseph Sutton 
Date:   Wed Oct 20 12:46:36 2021 +1300

tests/krb5: Add tests for account salt calculation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe
Author: Joseph Sutton 
Date:   Wed Oct 20 12:45:47 2021 +1300

tests/krb5: Fix account salt calculation to match Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 889476d1754f8ce2a41557ed3bf5242c1293584e
Author: Joseph Sutton 
Date:   Wed Oct 20 12:45:08 2021 +1300

tests/krb5: Allow specifying the UPN for test accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit f4785ccfefe7c89f84ad847ca3c12f604172b321
Author: Joseph Sutton 
Date:   Wed Oct 20 12:44:19 2021 +1300

tests/krb5: Allow creating machine accounts without a trailing dollar

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5
Author: Joseph Sutton 
Date:   Wed Oct 20 12:41:39 2021 +1300

tests/krb5: Allow specifying prefix or suffix for test account names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit a5a6296e57cab2b53617d997c37b4e92d4124cc7
Author: Joseph Sutton 
Date:   Wed Oct 20 12:39:05 2021 +1300

tests/krb5: Decrease length of test account prefix

This allows us more room to test with different account names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de
Author: Stefan Metzmacher 
Date:   Tue Oct 5 16:42:00 2021 +0200

selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd 
=> "offline")

This is much more flexible and concentrates the logic in a single place.

We'll use winbindd => "offline" in other places soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d998f7f8df215866ab32e05be772e24fc0b2131c
Author: Stefan Metzmacher 
Date:   Fri Oct 8 18:04:55 2021 +0200

selftest/Samba3: remove unused close(USERMAP); calls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

co

[SCM] Samba Shared Repository - branch v4-15-test updated

2021-10-25 Thread Stefan Metzmacher
st_tests
   via  278eff6115f tests/krb5: Use PAC buffer type constants from 
krb5pac.idl
   via  c8a724118e6 tests/krb5: Allow as_req() to specify different 
kdc-options
   via  3c77ef9dbb5 tests/krb5: Allow tgs_req() to send requests to the RODC
   via  063f1cbdbe7 tests/krb5: Allow tgs_req() to specify different 
kdc-options
   via  e4b278566af tests/krb5: Allow tgs_req() to send additional padata
   via  3e3d205df7c tests/krb5: Refactor tgs_req() to use 
_generic_kdc_exchange
   via  cba0b1a6c48 tests/krb5: Check correct flags element
   via  159d451d817 tests/krb5: Add helper method for modifying PACs
   via  77227799d98 python/join: Check for correct msDS-KrbTgtLink attribute
   via  c8bb7750c86 python: Don't leak file handles
   via  7b6a5c97092 tests/krb5: Allow replicating accounts to the created 
RODC
   via  f2d6361dc33 tests/krb5: Create RODC account for testing
   via  b0339d5a1a8 tests/krb5: Allow replicating accounts to the RODC
   via  d413e7d79a3 tests/krb5: Add get_secrets() method to get the secret 
attributes of a DN
   via  56f49f117bf tests/krb5: Add method to get RODC krbtgt credentials
   via  f730c68834c tests/krb5: Sign-extend kvno from 32-bit integer
   via  2af3293f67d tests/krb5: Generate padata for FAST tests
   via  1d2d30748a9 tests/krb5: Add get_cached_creds() method to create 
persistent accounts for testing
   via  f44a5b984b7 tests/krb5: Get encpart decryption key from 
kdc_exchange_dict
   via  336725dc79f tests/krb5: Get expected cname from TGT for TGS-REQ 
messages
   via  bc7bdc5b7e0 tests/krb5: Allow specifying status code to be checked
   via  01b16673af8 tests/krb5: Create testing accounts in appropriate 
containers
   via  2bf5265847d tests/krb5: Check for presence of 'key-expiration' 
element
   via  6f04bd793ec tests/krb5: Check 'caddr' element
   via  9ff47e13441 tests/krb5: Check for presence of 'renew-till' element
   via  a1face49c70 tests/krb5: Allow Kerberos requests to be sent to DC or 
RODC
   via  5a546788f45 tests/krb5: Make time assertion less strict
   via  22e1b694879 tests/krb5: Allow specifying ticket flags expected to 
be set or reset
   via  53336347494 tests/krb5: Remove magic constants
   via  6bf8e3cb537 tests/krb5: Don't create PAC request or options 
manually in fast_tests
   via  2c1a8950b5e tests/krb5: Don't create PAC request manually in 
as_req_tests
   via  f6c3497e9f9 tests/krb5: add options to kdc_exchange_dict to specify 
including PAC-REQUEST or PAC-OPTIONS
   via  138ac8a3a70 tests/krb5: Move padata generation methods to base class
   via  ebecaf715d3 tests/krb5: Keep track of account DN in credentials 
object
   via  b8485a79791 tests/krb5: Allow specifying additional User Account 
Control flags for account
   via  4f47721d599 tests/krb5: Allow specifying an OU to create accounts in
   via  dda665b918b tests/krb5: Replace expected_cname_private with 
expected_anon parameter
   via  31e990533c1 tests/krb5: Use more compact dict lookup
   via  6df25780147 tests/krb5: Add KDCOptions flag for constrained 
delegation
   via  c625e16ffa6 tests/krb5: Use signed integers to represent key 
version numbers in ASN.1
   via  7bb3ac920f9 tests/krb5: Add methods to obtain the length of 
checksum types
   via  a08b603d822 tests/krb5: Calculate expected salt if not given 
explicitly
   via  487b57cd34e security.idl: Add well-known SIDs for FAST
   via  aef886c7787 krb5pac.idl: Add ticket checksum PAC buffer type
  from  be8fb0218af heimdal:kdc: Only check for default salt for 
des-cbc-crc enctype

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit 753e0dfc6c9def1aebacc593fd4130882ce3ff32
Author: Andrew Bartlett 
Date:   Fri Oct 22 10:50:36 2021 +1300

lib/krb5_wrap: Fix missing error check in new salt code

CID 1492905: Control flow issues  (DEADCODE)

This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184

(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Mon Oct 25 13:05:31 UTC 2021 on sn-devel-184

commit c72b210cdca5bae5377d1069b8e59044f219356c
Author: Andrew Bartlett 
Date:   Tue Oct 19 16:01:36 2021 +1300

dsdb: Allow special chars like "@" in samAccountName when generating the 
salt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmach

[SCM] Samba Shared Repository - branch v4-14-test updated

2021-10-26 Thread Stefan Metzmacher
t_tgt() to get tickets from the RODC
   via  1e6c77a03af tests/krb5: Allow get_service_ticket() to get tickets 
from the RODC
   via  690d90ba615 tests/krb5: Set DN of created accounts to ldb.Dn type
   via  7ad68c8cc59 tests/krb5: Don't manually create PAC request and 
options in fast_tests
   via  71c46e032a9 tests/krb5: Use PAC buffer type constants from 
krb5pac.idl
   via  eb103f6337a tests/krb5: Allow as_req() to specify different 
kdc-options
   via  aff414e2a75 tests/krb5: Allow tgs_req() to send requests to the RODC
   via  8c7d78a2e1a tests/krb5: Allow tgs_req() to specify different 
kdc-options
   via  c2a61c2c911 tests/krb5: Allow tgs_req() to send additional padata
   via  76f1deb3cd8 tests/krb5: Refactor tgs_req() to use 
_generic_kdc_exchange
   via  61cc6767c32 tests/krb5: Check correct flags element
   via  5812a13ec5f tests/krb5: Add helper method for modifying PACs
   via  bf06918b44d python/join: Check for correct msDS-KrbTgtLink attribute
   via  0dcab6505c6 python: Don't leak file handles
   via  6614fee6e8b tests/krb5: Allow replicating accounts to the created 
RODC
   via  82a19ce548e tests/krb5: Create RODC account for testing
   via  10e46b9b74b tests/krb5: Allow replicating accounts to the RODC
   via  fadecadfe2f tests/krb5: Add get_secrets() method to get the secret 
attributes of a DN
   via  61739d1a33a tests/krb5: Add method to get RODC krbtgt credentials
   via  811714e4f6b tests/krb5: Sign-extend kvno from 32-bit integer
   via  58f68bf357f tests/krb5: Generate padata for FAST tests
   via  18c892942ee tests/krb5: Add get_cached_creds() method to create 
persistent accounts for testing
   via  7594ba47c19 tests/krb5: Get encpart decryption key from 
kdc_exchange_dict
   via  0e1d6fda206 tests/krb5: Get expected cname from TGT for TGS-REQ 
messages
   via  dcd13ba166e tests/krb5: Allow specifying status code to be checked
   via  23eaf0160ad tests/krb5: Create testing accounts in appropriate 
containers
   via  fc91b526f7d tests/krb5: Check for presence of 'key-expiration' 
element
   via  95c7eba3951 tests/krb5: Check 'caddr' element
   via  1984c30ce37 tests/krb5: Check for presence of 'renew-till' element
   via  0e80a7ef9c4 tests/krb5: Allow Kerberos requests to be sent to DC or 
RODC
   via  39a7676c868 tests/krb5: Make time assertion less strict
   via  d5b1b59cde4 tests/krb5: Allow specifying ticket flags expected to 
be set or reset
   via  3edaa318df9 tests/krb5: Remove magic constants
   via  d94233f1e0c tests/krb5: Don't create PAC request or options 
manually in fast_tests
   via  7d955391e29 tests/krb5: Don't create PAC request manually in 
as_req_tests
   via  f63461ffd80 tests/krb5: add options to kdc_exchange_dict to specify 
including PAC-REQUEST or PAC-OPTIONS
   via  7b6848c73b0 tests/krb5: Move padata generation methods to base class
   via  c8c0af0b20f tests/krb5: Keep track of account DN in credentials 
object
   via  ee2a85aba9f tests/krb5: Allow specifying additional User Account 
Control flags for account
   via  dadedd0d550 tests/krb5: Allow specifying an OU to create accounts in
   via  e1fa2fff930 tests/krb5: Replace expected_cname_private with 
expected_anon parameter
   via  231d508a472 tests/krb5: Use more compact dict lookup
   via  a87fdc6629f tests/krb5: Add KDCOptions flag for constrained 
delegation
   via  22aa29993e0 tests/krb5: Use signed integers to represent key 
version numbers in ASN.1
   via  ba22aee1d8c tests/krb5: Add methods to obtain the length of 
checksum types
   via  67d713b9362 tests/krb5: Calculate expected salt if not given 
explicitly
   via  fb63bdd8283 security.idl: Add well-known SIDs for FAST
   via  6acbb94dadd krb5pac.idl: Add ticket checksum PAC buffer type
  from  44636fa0378 ctdb-tests: add a comment to the generated 
public_addresses file used by eventscript UNIT tests

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit c1d2a0570dfc697bbdda6047f10da4ea9cf261f8
Author: Andrew Bartlett 
Date:   Mon Oct 4 21:57:25 2021 +1300

ldb: Release ldb 2.3.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

commit e425abeb7d228615a2766ddd497b26af228a022b
Author: Joseph Sutton 
Date:

[SCM] Samba Shared Repository - branch v4-15-test updated

2021-10-26 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  a795e0c8459 Release ldb 2.4.1
   via  9e2da222f7f pyldb: Make ldb.Message containment testing consistent 
with indexing
   via  b4601d0db20 pyldb: Add tests for ldb.Message containment testing
   via  2311987af25 pyldb: Raise TypeError for an invalid ldb.Message index
   via  bef676475fe pyldb: Add test for an invalid ldb.Message index type
   via  ba4032b73a4 s4/torture/drs/python: Fix attribute existence check
   via  d32f732c796 pyldb: Fix deleting an ldb.Control critical flag
   via  3b6c8bd55b3 pytest:segfault: Add test for deleting an ldb.Control 
critical flag
   via  6db664a07da pyldb: Fix deleting an ldb.Message dn
   via  f4ca03b0cc2 pytest:segfault: Add test for deleting an ldb.Message dn
   via  34d50f415ae Fix Python docstrings
  from  753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit a795e0c84597aa045d011e663dbad3cdabf0f1e6
Author: Andrew Bartlett 
Date:   Wed Sep 29 11:27:41 2021 +1300

Release ldb 2.4.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 76899e236149ff3b86cd9032a3c6bdafe3a2f036)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Tue Oct 26 15:09:58 UTC 2021 on sn-devel-184

commit 9e2da222f7f9993443cabcd42cd38e61abcd7a5d
Author: Joseph Sutton 
Date:   Sat Sep 25 14:39:59 2021 +1200

pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

commit b4601d0db20c4ccb933c0264c577fe0df07923c1
Author: Joseph Sutton 
Date:   Sat Sep 25 13:48:57 2021 +1200

pyldb: Add tests for ldb.Message containment testing

These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

commit 2311987af25e43596cda5bfa8505e0acfd4477bd
Author: Joseph Sutton 
Date:   Sat Sep 25 13:39:56 2021 +1200

pyldb: Raise TypeError for an invalid ldb.Message index

Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

commit bef676475fe25846172152f6492839e74b588ed6
Author: Joseph Sutton 
Date:   Sat Sep 25 13:22:05 2021 +1200

pyldb: Add test for an invalid ldb.Message index type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

commit ba4032b73a49246f4987549666d7b6880a85990f
Author: Joseph Sutton 
Date:   Sat Sep 25 19:18:39 2021 +1200

s4/torture/drs/python: Fix attribute existence check

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)

commit d32f732c7964c56445394abc080243e564ff2585
Author: Joseph Sutton 
Date:   Sat Sep 25 11:16:09 2021 +1200

pyldb: Fix deleting an ldb.Control critical flag

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 9d25

[SCM] Samba Shared Repository - annotated tag ldb-2.3.1 created

2021-10-27 Thread Stefan Metzmacher
The annotated tag, ldb-2.3.1 has been created
at  331ecebff59dadd17a413ef250e7535f96a54d7f (tag)
   tagging  c1d2a0570dfc697bbdda6047f10da4ea9cf261f8 (commit)
  replaces  samba-4.14.8
 tagged by  Stefan Metzmacher
on  Wed Oct 27 13:19:17 2021 +0200

- Log -
ldb: tag release ldb-2.3.1

Andreas Schneider (1):
  waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (8):
  selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
  kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
  kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED 
for servers
  selftest: Remove duplicate setup of $base_dn and $ldbmodify
  selftest: Improve error handling and perl style when setting up users in 
Samba4.pm
  dsdb: Allow special chars like "@" in samAccountName when generating the 
salt
  lib/krb5_wrap: Fix missing error check in new salt code
  ldb: Release ldb 2.3.1

Douglas Bagnall (2):
  pytest/rodc_rwdc: try to avoid race.
  pytest: dynamic tests optionally add __doc__

Isaac Boukris (4):
  kdc: remove KRB5SignedPath, to be replaced with PAC
  kdc: sign ticket using Windows PAC
  krb5: allow NULL parameter to krb5_pac_free()
  krb5: rework PAC validation loop

Jeremy Allison (2):
  s3: selftest: Add regression test to show the $cwd cache is misbehaving 
when we connect as a different user on a share.
  s3: smbd: Ensure when we change security context we delete any $cwd cache.

Joseph Sutton (147):
  krb5pac.idl: Add ticket checksum PAC buffer type
  security.idl: Add well-known SIDs for FAST
  tests/krb5: Calculate expected salt if not given explicitly
  tests/krb5: Add methods to obtain the length of checksum types
  tests/krb5: Use signed integers to represent key version numbers in ASN.1
  tests/krb5: Add KDCOptions flag for constrained delegation
  tests/krb5: Use more compact dict lookup
  tests/krb5: Replace expected_cname_private with expected_anon parameter
  tests/krb5: Allow specifying an OU to create accounts in
  tests/krb5: Allow specifying additional User Account Control flags for 
account
  tests/krb5: Keep track of account DN in credentials object
  tests/krb5: Move padata generation methods to base class
  tests/krb5: add options to kdc_exchange_dict to specify including 
PAC-REQUEST or PAC-OPTIONS
  tests/krb5: Don't create PAC request manually in as_req_tests
  tests/krb5: Don't create PAC request or options manually in fast_tests
  tests/krb5: Remove magic constants
  tests/krb5: Allow specifying ticket flags expected to be set or reset
  tests/krb5: Make time assertion less strict
  tests/krb5: Allow Kerberos requests to be sent to DC or RODC
  tests/krb5: Check for presence of 'renew-till' element
  tests/krb5: Check 'caddr' element
  tests/krb5: Check for presence of 'key-expiration' element
  tests/krb5: Create testing accounts in appropriate containers
  tests/krb5: Allow specifying status code to be checked
  tests/krb5: Get expected cname from TGT for TGS-REQ messages
  tests/krb5: Get encpart decryption key from kdc_exchange_dict
  tests/krb5: Add get_cached_creds() method to create persistent accounts 
for testing
  tests/krb5: Generate padata for FAST tests
  tests/krb5: Sign-extend kvno from 32-bit integer
  tests/krb5: Add method to get RODC krbtgt credentials
  tests/krb5: Add get_secrets() method to get the secret attributes of a DN
  tests/krb5: Allow replicating accounts to the RODC
  tests/krb5: Create RODC account for testing
  tests/krb5: Allow replicating accounts to the created RODC
  python: Don't leak file handles
  python/join: Check for correct msDS-KrbTgtLink attribute
  tests/krb5: Add helper method for modifying PACs
  tests/krb5: Check correct flags element
  tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
  tests/krb5: Allow tgs_req() to send additional padata
  tests/krb5: Allow tgs_req() to specify different kdc-options
  tests/krb5: Allow tgs_req() to send requests to the RODC
  tests/krb5: Allow as_req() to specify different kdc-options
  tests/krb5: Use PAC buffer type constants from krb5pac.idl
  tests/krb5: Don't manually create PAC reques

[SCM] Samba Shared Repository - annotated tag ldb-2.4.1 created

2021-10-27 Thread Stefan Metzmacher
The annotated tag, ldb-2.4.1 has been created
at  dd3f1a38d3836348f0d409429742ac14a2066237 (tag)
   tagging  a795e0c84597aa045d011e663dbad3cdabf0f1e6 (commit)
  replaces  samba-4.15.0
 tagged by  Stefan Metzmacher
on  Wed Oct 27 13:20:09 2021 +0200

- Log -
ldb: tag release ldb-2.4.1

Alex Richardson (7):
  charset_macosxfs.c: fix compilation on macOS
  audit_logging.c: fix compilation on macOS
  source3/printing/queue_process.c: fix build on macOS
  sec_ctx.c: Fix -Wunused-function warning on macOS
  source3/smbd/statcache.c: Fix -Wformat build error on macOS
  vfs_preopen.c: Fix -Wformat error on macOS
  Fix detection of rpc/xdr.h on macOS

Andreas Schneider (1):
  waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (16):
  autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
  samldb: Address birthday paradox adding an RODC
  .gitlab-ci: Allow a 1 hour to build Samba
  .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
  .gitlab-ci.yml: Restore building most of our jobs
  .gitlab-ci: Avoid duplicate CI on all merge requests
  gitlab-ci: Do not retry for job_execution_timeout
  gitlab-ci: Do not download artifacts of unrelated builds
  selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
  kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
  kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED 
for servers
  selftest: Remove duplicate setup of $base_dn and $ldbmodify
  selftest: Improve error handling and perl style when setting up users in 
Samba4.pm
  dsdb: Allow special chars like "@" in samAccountName when generating the 
salt
  lib/krb5_wrap: Fix missing error check in new salt code
  Release ldb 2.4.1

Douglas Bagnall (3):
  pytest/rodc_rwdc: try to avoid race.
  pytest: dynamic tests optionally add __doc__
  pytest: s3_net_join: avoid name clash

Isaac Boukris (4):
  kdc: remove KRB5SignedPath, to be replaced with PAC
  kdc: sign ticket using Windows PAC
  krb5: allow NULL parameter to krb5_pac_free()
  krb5: rework PAC validation loop

Jeremy Allison (4):
  s3: selftest: Add regression test to show the $cwd cache is misbehaving 
when we connect as a different user on a share.
  s3: smbd: Ensure when we change security context we delete any $cwd cache.
  s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for 
getting/setting ZFS ACLs.
  s3: smbspool. Remove last use of 'extern char **environ;'.

Joseph Sutton (152):
  pytest:segfault: Add test for ldb.msg_diff()
  ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
  pyldb: Avoid use-after-free in msg_diff()
  heimdal:kdc: Only check for default salt for des-cbc-crc enctype
  krb5pac.idl: Add ticket checksum PAC buffer type
  security.idl: Add well-known SIDs for FAST
  tests/krb5: Calculate expected salt if not given explicitly
  tests/krb5: Add methods to obtain the length of checksum types
  tests/krb5: Use signed integers to represent key version numbers in ASN.1
  tests/krb5: Add KDCOptions flag for constrained delegation
  tests/krb5: Use more compact dict lookup
  tests/krb5: Replace expected_cname_private with expected_anon parameter
  tests/krb5: Allow specifying an OU to create accounts in
  tests/krb5: Allow specifying additional User Account Control flags for 
account
  tests/krb5: Keep track of account DN in credentials object
  tests/krb5: Move padata generation methods to base class
  tests/krb5: add options to kdc_exchange_dict to specify including 
PAC-REQUEST or PAC-OPTIONS
  tests/krb5: Don't create PAC request manually in as_req_tests
  tests/krb5: Don't create PAC request or options manually in fast_tests
  tests/krb5: Remove magic constants
  tests/krb5: Allow specifying ticket flags expected to be set or reset
  tests/krb5: Make time assertion less strict
  tests/krb5: Allow Kerberos requests to be sent to DC or RODC
  tests/krb5: Check for presence of 'renew-till' element
  tests/krb5: Check 'caddr' element
  tests/krb5: Check for presence of 'key-expiration' element
  tests/krb5: Create testing accounts in appropriate containers
  tests/krb5: Allow speci

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher
via  286d69daf8b tests/krb5: Check correct flags element
   via  b2f98011015 tests/krb5: Add helper method for modifying PACs
   via  3f2c977d478 python/join: Check for correct msDS-KrbTgtLink attribute
   via  4b9b3e92256 python: Don't leak file handles
   via  b68eae6687b tests/krb5: Allow replicating accounts to the created 
RODC
   via  8c7d0544035 tests/krb5: Create RODC account for testing
   via  c7491a9e760 tests/krb5: Allow replicating accounts to the RODC
   via  329fcc65aa6 tests/krb5: Add get_secrets() method to get the secret 
attributes of a DN
   via  9b151de2653 tests/krb5: Add method to get RODC krbtgt credentials
   via  7d6ad51b20c tests/krb5: Sign-extend kvno from 32-bit integer
   via  c2cbe6e9aab tests/krb5: Generate padata for FAST tests
   via  860f7704650 tests/krb5: Add get_cached_creds() method to create 
persistent accounts for testing
   via  9926198bce0 tests/krb5: Get encpart decryption key from 
kdc_exchange_dict
   via  ac14815f849 tests/krb5: Get expected cname from TGT for TGS-REQ 
messages
   via  36f8c7080a7 tests/krb5: Allow specifying status code to be checked
   via  a57391cf431 tests/krb5: Create testing accounts in appropriate 
containers
   via  26b6b6e630b tests/krb5: Check for presence of 'key-expiration' 
element
   via  39541dfa2d0 tests/krb5: Check 'caddr' element
   via  eef81ead620 tests/krb5: Check for presence of 'renew-till' element
   via  829de7f89a7 tests/krb5: Allow Kerberos requests to be sent to DC or 
RODC
   via  9bd79bfe7a8 tests/krb5: Make time assertion less strict
   via  af38bdc0569 tests/krb5: Allow specifying ticket flags expected to 
be set or reset
   via  f86766afd92 tests/krb5: Remove magic constants
   via  e4c5a3ea34f tests/krb5: Don't create PAC request or options 
manually in fast_tests
   via  36eb76b6c2f tests/krb5: Don't create PAC request manually in 
as_req_tests
   via  99702d5d7db tests/krb5: add options to kdc_exchange_dict to specify 
including PAC-REQUEST or PAC-OPTIONS
   via  dcde84d9268 tests/krb5: Move padata generation methods to base class
   via  1837ddb3481 tests/krb5: Keep track of account DN in credentials 
object
   via  a2d8713c55c tests/krb5: Allow specifying additional User Account 
Control flags for account
   via  9b75a279c03 tests/krb5: Allow specifying an OU to create accounts in
   via  4892fa1315f tests/krb5: Replace expected_cname_private with 
expected_anon parameter
   via  c978fcdf535 tests/krb5: Use more compact dict lookup
   via  735d514ec11 tests/krb5: Add KDCOptions flag for constrained 
delegation
   via  20df014fb13 tests/krb5: Use signed integers to represent key 
version numbers in ASN.1
   via  a91f36d7bc4 tests/krb5: Add methods to obtain the length of 
checksum types
   via  efb8340f41f tests/krb5: Calculate expected salt if not given 
explicitly
   via  d5572676f51 security.idl: Add well-known SIDs for FAST
   via  0d0d609dc07 krb5pac.idl: Add ticket checksum PAC buffer type
   via  6882fb5c3e6 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from 
a gitlab variable)
   via  d4872f50bc4 python/join: use the provided krbtgt link in 
cleanup_old_accounts
   via  283a128129f python: Move dsdb_Dn to samdb
   via  beaae4c5d67 wscript: fix installing pre-commit with 'git worktree'
   via  3ba31fd4de8 script/bisect-test.py: add support git worktree
   via  0e62cfec458 wafsamba: add support git worktree to vcs_dir_contents()
  from  2b97c11bca6 VERSION: Bump version up to Samba 4.13.13...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 0cea7f53c01718ec1d5d86a415ca494e1899501f
Author: Andrew Bartlett 
Date:   Fri Oct 22 10:50:36 2021 +1300

lib/krb5_wrap: Fix missing error check in new salt code

CID 1492905: Control flow issues  (DEADCODE)

This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184

    (cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Wed Oct 27 23:29:34 UTC 2021 on sn-devel-184

commit 274f16103f69d98b9262575d043d84bb9a1b53eb
Author: Andrew Bartlett 
Date:   Tue Oct 19 16:01:36 2021 +1300

dsdb: Allow special chars like "@" in samAccountName when generating the 
salt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  74e65d7c06c ldb: Release ldb 2.2.1
   via  c532b425e73 pyldb: Make ldb.Message containment testing consistent 
with indexing
   via  64c41d30986 pyldb: Add tests for ldb.Message containment testing
   via  65f3e987675 pyldb: Raise TypeError for an invalid ldb.Message index
   via  4ff0a23a04b pyldb: Add test for an invalid ldb.Message index type
   via  f45e89e4326 s4/torture/drs/python: Fix attribute existence check
   via  4d1c5cc73b0 pyldb: Fix deleting an ldb.Control critical flag
   via  5e9441d55f6 pytest:segfault: Add test for deleting an ldb.Control 
critical flag
   via  a2e0682d928 pyldb: Fix deleting an ldb.Message dn
   via  d2189833c7e pytest:segfault: Add test for deleting an ldb.Message dn
   via  c7c10298973 Fix Python docstrings
   via  0c36416e319 pyldb: Avoid use-after-free in msg_diff()
   via  400d04533ab ldb_msg: Don't fail in ldb_msg_copy() if source DN is 
NULL
   via  f47f0f9f459 pytest:segfault: Add test for ldb.msg_diff()
  from  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 74e65d7c06c5eda79105f43d87efcaec09dfbb77
Author: Andrew Bartlett 
Date:   Mon Oct 4 21:57:25 2021 +1300

ldb: Release ldb 2.2.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184

commit c532b425e739a5a6860e37fd616dc5293cea0f37
Author: Joseph Sutton 
Date:   Sat Sep 25 14:39:59 2021 +1200

pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

commit 64c41d30986a34b3311bc03ffce9a8856c7f4f18
Author: Joseph Sutton 
Date:   Sat Sep 25 13:48:57 2021 +1200

pyldb: Add tests for ldb.Message containment testing

These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

commit 65f3e987675d378afd7df4445d04c86d83cde853
Author: Joseph Sutton 
Date:   Sat Sep 25 13:39:56 2021 +1200

pyldb: Raise TypeError for an invalid ldb.Message index

Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

commit 4ff0a23a04b230bab3454cf88d317304df2cb5cb
Author: Joseph Sutton 
Date:   Sat Sep 25 13:22:05 2021 +1200

pyldb: Add test for an invalid ldb.Message index type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

commit f45e89e432644b5c569808f29d27a537e07f
Author: Joseph Sutton 
Date:   Sat Sep 25 19:18:39 2021 +1200

s4/torture/drs/python: Fix attribute existe

[SCM] Samba Shared Repository - annotated tag ldb-2.2.2 created

2021-10-28 Thread Stefan Metzmacher
The annotated tag, ldb-2.2.2 has been created
at  492762c29e2a199d012f1e759468380cfa602dcb (tag)
   tagging  74e65d7c06c5eda79105f43d87efcaec09dfbb77 (commit)
  replaces  samba-4.13.12
 tagged by  Stefan Metzmacher
on  Thu Oct 28 17:43:38 2021 +0200

- Log -
ldb: tag release ldb-2.2.2

Andreas Schneider (1):
  waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (9):
  autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
  selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
  kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
  kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED 
for servers
  selftest: Remove duplicate setup of $base_dn and $ldbmodify
  selftest: Improve error handling and perl style when setting up users in 
Samba4.pm
  dsdb: Allow special chars like "@" in samAccountName when generating the 
salt
  lib/krb5_wrap: Fix missing error check in new salt code
  ldb: Release ldb 2.2.1

David Mulder (1):
  python: Move dsdb_Dn to samdb

Douglas Bagnall (3):
  python/join: use the provided krbtgt link in cleanup_old_accounts
  pytest/rodc_rwdc: try to avoid race.
  pytest: dynamic tests optionally add __doc__

Isaac Boukris (4):
  kdc: remove KRB5SignedPath, to be replaced with PAC
  kdc: sign ticket using Windows PAC
  krb5: allow NULL parameter to krb5_pac_free()
  krb5: rework PAC validation loop

Joseph Sutton (150):
  krb5pac.idl: Add ticket checksum PAC buffer type
  security.idl: Add well-known SIDs for FAST
  tests/krb5: Calculate expected salt if not given explicitly
  tests/krb5: Add methods to obtain the length of checksum types
  tests/krb5: Use signed integers to represent key version numbers in ASN.1
  tests/krb5: Add KDCOptions flag for constrained delegation
  tests/krb5: Use more compact dict lookup
  tests/krb5: Replace expected_cname_private with expected_anon parameter
  tests/krb5: Allow specifying an OU to create accounts in
  tests/krb5: Allow specifying additional User Account Control flags for 
account
  tests/krb5: Keep track of account DN in credentials object
  tests/krb5: Move padata generation methods to base class
  tests/krb5: add options to kdc_exchange_dict to specify including 
PAC-REQUEST or PAC-OPTIONS
  tests/krb5: Don't create PAC request manually in as_req_tests
  tests/krb5: Don't create PAC request or options manually in fast_tests
  tests/krb5: Remove magic constants
  tests/krb5: Allow specifying ticket flags expected to be set or reset
  tests/krb5: Make time assertion less strict
  tests/krb5: Allow Kerberos requests to be sent to DC or RODC
  tests/krb5: Check for presence of 'renew-till' element
  tests/krb5: Check 'caddr' element
  tests/krb5: Check for presence of 'key-expiration' element
  tests/krb5: Create testing accounts in appropriate containers
  tests/krb5: Allow specifying status code to be checked
  tests/krb5: Get expected cname from TGT for TGS-REQ messages
  tests/krb5: Get encpart decryption key from kdc_exchange_dict
  tests/krb5: Add get_cached_creds() method to create persistent accounts 
for testing
  tests/krb5: Generate padata for FAST tests
  tests/krb5: Sign-extend kvno from 32-bit integer
  tests/krb5: Add method to get RODC krbtgt credentials
  tests/krb5: Add get_secrets() method to get the secret attributes of a DN
  tests/krb5: Allow replicating accounts to the RODC
  tests/krb5: Create RODC account for testing
  tests/krb5: Allow replicating accounts to the created RODC
  python: Don't leak file handles
  python/join: Check for correct msDS-KrbTgtLink attribute
  tests/krb5: Add helper method for modifying PACs
  tests/krb5: Check correct flags element
  tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
  tests/krb5: Allow tgs_req() to send additional padata
  tests/krb5: Allow tgs_req() to specify different kdc-options
  tests/krb5: Allow tgs_req() to send requests to the RODC
  tests/krb5: Allow as_req() to specify different kdc-options
  tests/krb5: Use PAC buffer type constants from krb5pac.idl
  tests/krb5: Don't manually create PAC request and options in fast_te

[SCM] Samba Shared Repository - branch v4-14-test updated

2021-11-02 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  5e3b924cb35 ldb: version 2.3.2
   via  7a1128cb9a9 lib:ldb-samba: Improve calculate_popt_array_length()
   via  48f3f52c1be lib:ldb: Use C99 initializers for builtin_popt_options[]
   via  7158c947065 pyldb: fix a typo
   via  e6aff15a774 ldb: improve comments for ldb_module_connect_backend()
   via  461096c521c ldb: correct comments in attrib_handers val_to_int64
   via  e4741f2a119 ldb.h: remove undefined async_ctx function signatures
   via  65cdcb4848d lib:ldb: Add missing break in switch statement
   via  2c8091ab973 pyldb: Fix Message.items() for a message containing 
elements
   via  7c3f03589ac ldb_match: remove redundant check
   via  0a794271f84 pyldb: catch potential overflow error in py_timestring
   via  3e2a1671d69 ldb: fix ldb_comparison_fold off-by-one overrun
   via  1870e5b46c1 ldb_match: trailing chunk must match end of string
   via  4548760ee8e ldb/attrib_handler casefold: simplify space dropping
  from  0e4837eb0d4 VERSION: Bump version up to Samba 4.14.10...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit 5e3b924cb3558271de036a14ffe5063ae96a3d1c
Author: Stefan Metzmacher 
Date:   Tue Nov 2 15:19:31 2021 +0100

ldb: version 2.3.2

Backport all C code changes from ldb-2.4.1
to be available for Samba 4.14.x

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Tue Nov  2 21:47:27 UTC 2021 on sn-devel-184

commit 7a1128cb9a91234ea3e608f02698690673994108
Author: Andreas Schneider 
Date:   Thu Dec 17 19:16:13 2020 +0100

lib:ldb-samba: Improve calculate_popt_array_length()

Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset    |  size */  type = struct poptOption {
/*    0      |     8 */    const char *longName;
/*    8      |     1 */    char shortName;
/* XXX  3-byte hole  */
/*   12      |     4 */    unsigned int argInfo;
/*   16      |     8 */    void *arg;
/*   24      |     4 */    int val;
/* XXX  4-byte hole  */
/*   32      |     8 */    const char *descrip;
/*   40      |     8 */    const char *argDescrip;

                           /* total size (bytes):   48 */

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)

commit 48f3f52c1be444db33c368d1e674fb829d8af9fc
Author: Andreas Schneider 
Date:   Thu Dec 17 11:56:08 2020 +0100

lib:ldb: Use C99 initializers for builtin_popt_options[]

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)

commit 7158c9470651907302fa27b2ff845839ce12e159
Author: Björn Baumbach 
Date:   Mon Jan 18 16:48:21 2021 +0100

pyldb: fix a typo

Signed-off-by: Björn Baumbach 
Reviewed-by: Rowland penny 
(cherry picked from commit 6fcde09f093db5d26c582a3c28531265f06b9fde)

commit e6aff15a77403058656dd82ee36ce3491e5ebd78
Author: Douglas Bagnall 
Date:   Fri Jan 29 13:49:02 2021 +1300

ldb: improve comments for ldb_module_connect_backend()

There is no flags argument.
There are more URI forms.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)

commit 461096c521ce3e0c884161bf75902a8963878e61
Author: Douglas Bagnall 
Date:   Sat Mar 6 09:57:44 2021 +1300

ldb: correct comments in attrib_handers val_to_int64

c.f. the identical static function in lib/ldb-samba/ldif_handlers.c

Signed-off-by: Douglas Bagnall 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)

commit e4741f2a11989f34fd9ab85c574c99774a5f7994
Author: Douglas Bagnall 
Date:   Sat Dec 19 11:43:56 2020 +1300

ldb.h: remove undefined async_ctx function signatures

These functions do not exist.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)

commit 65cdcb4848d99af49c3f09dff57487c0ff25edf1
Author: Andreas Schneider 
Date:   Mon Feb 1 14:21:21 2021 +0100

lib:ldb: Add missing break in switch statement

error: unannotated fall-through between switch labels 
[-Werror,-Wimplicit-fallthrough]

Signed-off-by: Andreas Schneider 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)

commit 2c8091ab9730ef00457f6bf5cf829ad9f4f6d824
Author: Joseph Sutton 
Date:   Fri May 28 14:15:43 2021 +1200

pyldb: Fix Message.items() for a message containing elements

Previously, message elements were being 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-02 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  20ce74008b3 ldb: version 2.2.3
   via  767bafc50ae ldb_kv_index: fix empty initializer compile warning
   via  0dc05f591db ldb: Use hex_byte() in ldb_binary_decode()
   via  9ad6b86ccc9 lib: Add "hex_byte()" to replace.h
   via  8c29175f7fe ldb_controls: control_to_string avoids crash
   via  7dd52901904 lib:ldb-samba: Improve calculate_popt_array_length()
   via  68d736a73f1 lib:ldb: Use C99 initializers for builtin_popt_options[]
   via  5363e0340d7 pyldb: fix a typo
   via  bbc5373b872 ldb: improve comments for ldb_module_connect_backend()
   via  90729aed778 ldb: correct comments in attrib_handers val_to_int64
   via  1253ee80bd1 ldb.h: remove undefined async_ctx function signatures
   via  e96b3f7185a lib:ldb: Add missing break in switch statement
   via  933fbc8ca9e pyldb: Fix Message.items() for a message containing 
elements
   via  7e8d2bcca98 ldb_match: remove redundant check
   via  f2c0ab2daed pyldb: catch potential overflow error in py_timestring
   via  cb04bfc55a8 ldb: fix ldb_comparison_fold off-by-one overrun
   via  e431362a701 ldb_match: trailing chunk must match end of string
   via  0c32ab5f61a ldb/attrib_handler casefold: simplify space dropping
  from  6671c88157b VERSION: Bump version up to Samba 4.13.14...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 20ce74008b3347256139e3d10caef0fd6322f87f
Author: Stefan Metzmacher 
Date:   Tue Nov 2 15:19:31 2021 +0100

ldb: version 2.2.3

Backport all C code changes from ldb-2.4.1
to be available for Samba 4.13.x

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Tue Nov  2 22:41:39 UTC 2021 on sn-devel-184

commit 767bafc50aed115cab1eccd997cf4cc9758db8b1
Author: Björn Jacke 
Date:   Mon Oct 19 02:39:46 2020 +0200

ldb_kv_index: fix empty initializer compile warning

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit c862ad64aea31d1d5ec66385bb50d9b97e609071)

commit 0dc05f591db1cd137e85fcb0ebc1dfc7eb320aed
Author: Volker Lendecke 
Date:   Mon Jan 4 13:55:01 2021 +0100

ldb: Use hex_byte() in ldb_binary_decode()

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit b6a57c49c00a778f954aaf10db6ebe6dca8f5ae2)

commit 9ad6b86ccc9df76311e3e9f1908f815a292d1b6d
Author: Volker Lendecke 
Date:   Mon Jan 4 13:12:30 2021 +0100

lib: Add "hex_byte()" to replace.h

This is required in quite a few places, and replace.h has things like
ZERO_STRUCT already, so this is not completely outplaced.

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit c8d9ce3f7c8c486ab21e320a0adcb71311dcb453)

commit 8c29175f7fe10bbf37595cb2e5afd26a4617fd7a
Author: Douglas Bagnall 
Date:   Fri Jul 24 12:41:29 2020 +1200

ldb_controls: control_to_string avoids crash

Otherwise a malformed control with unexpected NULL data will segfault
ldb_control_to_string(), though this is not very likely to affect
anyone in practice as converting controls to strings is rarely
necessary. If it happens at all in Samba it is in Python code.

Found by Honggfuzz using fuzz_ldb_parse_control.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184

(cherry picked from commit 2aace18f170644da9c293342a6df5e5b2ae8da25)

commit 7dd529019045949bcc5d7fbb49322868bfda52c7
Author: Andreas Schneider 
Date:   Thu Dec 17 19:16:13 2020 +0100

lib:ldb-samba: Improve calculate_popt_array_length()

Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset    |  size */  type = struct poptOption {
/*    0      |     8 */    const char *longName;
/*    8      |     1 */    char shortName;
/* XXX  3-byte hole  */
/*   12      |     4 */    unsigned int argInfo;
/*   16      |     8 */    void *arg;
/*   24      |     4 */    int val;
/* XXX  4-byte hole  */
/*   32      |     8 */    const char *descrip;
/*   40      |     8 */    const char *argDescrip;

                           /* total size (bytes):   48 */

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)

commit 68d736a73f175c949ae19a15228b7e5e4d90a610
Author: Andreas Schneider 
Date:   Thu Dec 17 11:56:08 2020 +0100

lib:ldb: Use C99 initializers for builtin_popt_options[]

Signed-

[SCM] Samba Shared Repository - annotated tag ldb-2.3.2 created

2021-11-02 Thread Stefan Metzmacher
The annotated tag, ldb-2.3.2 has been created
at  53bfbfada20fb854308d09253f48f60aaade8f45 (tag)
   tagging  5e3b924cb3558271de036a14ffe5063ae96a3d1c (commit)
  replaces  samba-4.14.9
 tagged by  Stefan Metzmacher
on  Tue Nov 2 23:52:30 2021 +0100

- Log -
ldb: tag release ldb-2.3.2

Andreas Schneider (3):
  lib:ldb: Add missing break in switch statement
  lib:ldb: Use C99 initializers for builtin_popt_options[]
  lib:ldb-samba: Improve calculate_popt_array_length()

Björn Baumbach (1):
  pyldb: fix a typo

Douglas Bagnall (7):
  ldb/attrib_handler casefold: simplify space dropping
  ldb_match: trailing chunk must match end of string
  ldb: fix ldb_comparison_fold off-by-one overrun
  ldb_match: remove redundant check
  ldb.h: remove undefined async_ctx function signatures
  ldb: correct comments in attrib_handers val_to_int64
  ldb: improve comments for ldb_module_connect_backend()

Joseph Sutton (1):
  pyldb: Fix Message.items() for a message containing elements

Jule Anger (1):
  VERSION: Bump version up to Samba 4.14.10...

Stefan Metzmacher (2):
  pyldb: catch potential overflow error in py_timestring
  ldb: version 2.3.2

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-2.2.3 created

2021-11-02 Thread Stefan Metzmacher
The annotated tag, ldb-2.2.3 has been created
at  9e02c0a04ed6e7504a5a7d8bc352324c6b99ea74 (tag)
   tagging  20ce74008b3347256139e3d10caef0fd6322f87f (commit)
  replaces  samba-4.13.13
 tagged by  Stefan Metzmacher
on  Tue Nov 2 23:53:17 2021 +0100

- Log -
ldb: tag release ldb-2.2.3

Andreas Schneider (3):
  lib:ldb: Add missing break in switch statement
  lib:ldb: Use C99 initializers for builtin_popt_options[]
  lib:ldb-samba: Improve calculate_popt_array_length()

Björn Baumbach (1):
  pyldb: fix a typo

Björn Jacke (1):
  ldb_kv_index: fix empty initializer compile warning

Douglas Bagnall (8):
  ldb/attrib_handler casefold: simplify space dropping
  ldb_match: trailing chunk must match end of string
  ldb: fix ldb_comparison_fold off-by-one overrun
  ldb_match: remove redundant check
  ldb.h: remove undefined async_ctx function signatures
  ldb: correct comments in attrib_handers val_to_int64
  ldb: improve comments for ldb_module_connect_backend()
  ldb_controls: control_to_string avoids crash

Joseph Sutton (1):
  pyldb: Fix Message.items() for a message containing elements

Jule Anger (1):
  VERSION: Bump version up to Samba 4.13.14...

Stefan Metzmacher (2):
  pyldb: catch potential overflow error in py_timestring
  ldb: version 2.2.3

Volker Lendecke (2):
  lib: Add "hex_byte()" to replace.h
  ldb: Use hex_byte() in ldb_binary_decode()

---





[SCM] Samba Shared Repository - branch v4-14-test updated

2021-11-09 Thread Stefan Metzmacher
ass=computer are workstations by default now
   via  cafbb2fd60b CVE-2020-25722 selftest: Adjust sam.py 
test_userAccountControl_computer_add_trust to new reality
   via  0cdfa6aa607 CVE-2020-25722 selftest: Split test_userAccountControl 
into unit tests
   via  9e515f095e7 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on 
any account type change
   via  c52e0c06591 CVE-2020-25722 selftest: Adapt sam.py 
test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
   via  7f4a73a46ec CVE-2020-25722 dsdb: Add restrictions on computer 
accounts without a trailing $
   via  2a991280343 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is 
only called on ADD, so remove indentation
   via  856c34fec0c CVE-2020-25722 selftest: Adapt selftest to restriction 
on swapping account types
   via  80ff13f19c0 CVE-2020-25722 selftest/priv_attrs: Mention that these 
knownfails are OK (for now)
   via  2dddaa5d3a5 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ 
account types and objectclass.
   via  2439f3c242a CVE-2020-25722 dsdb: Add tests for modifying 
objectClass, userAccountControl and sAMAccountName
   via  45a7506af62 CVE-2020-25722 dsdb: Improve privileged and 
unprivileged tests for objectclass/doller/UAC
   via  a32ff3ba268 CVE-2020-25722 dsdb: objectclass computer becomes 
UF_WORKSTATION_TRUST by default
   via  cd0747d1913 CVE-2020-25722 selftest: Catch errors from 
samdb.modify() in user_account_control tests
   via  c1056e7a900 CVE-2020-25722 selftest: Catch possible errors in 
PasswordSettingsTestCase.test_pso_none_applied()
   via  0459578510a CVE-2020-25722 selftest: allow for future failures in 
BindTests.test_virtual_email_account_style_bind
   via  ba97d5c59ce CVE-2020-25722 selftest: Test combinations of account 
type and objectclass for creating a user
   via  762ef653b9d CVE-2020-25722 selftest: Extend priv_attrs test - work 
around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or 
a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
   via  e90034d9182 CVE-2020-25722 dsdb: Restrict the setting of privileged 
attributes during LDAP add/modify
   via  7bd4145daa7 CVE-2020-25722 dsdb: Move krbtgt password setup after 
the point of checking if any passwords are changed
   via  6bdda2d93ed CVE-2020-25722 dsdb: Tests for our known set of 
privileged attributes
   via  b49fd977462 CVE-2020-17049 tests/krb5: Check account name and SID 
in PAC for S4U tests
   via  8ad19dda2ec CVE-2020-25722 selftest: Use 
self.assertRaisesLdbError() in user_account_control.py test
   via  cb89e352cf4 CVE-2020-25722 selftest: Update user_account_control 
tests to pass against Windows 2019
   via  c1fdd2d7508 CVE-2020-25722 selftest: Replace internal loop in 
test_uac_bits_set() using @DynamicTestClass
   via  1723d89f2ec CVE-2020-25722 selftest: Replace internal loop in 
test_uac_bits_add() using @DynamicTestClass
   via  ce958b960f3 CVE-2020-25722 selftest: Use @DynamicTestCase in 
user_account_control test_uac_bits_unrelated_modify()
   via  39d90c85d4d CVE-2020-25722 pydsdb: Add API to return strings of 
known UF_ flags
   via  131f06517ee CVE-2020-25722 selftest: Use addCleanup rather than 
tearDown in user_account_control.py
   via  237a961da90 CVE-2020-25722 selftest: Modernise 
user_account_control.py tests use a common self.OU
   via  025cbda295e CVE-2020-25722 selftest: Move 
self.assertRaisesLdbError() to samba.tests.TestCase
   via  064c41a7696 CVE-2020-25719 selftest/knownfail_mit_kdc: Add 
pointless knownfail to allow a later cherry-pick to apply cleanly
   via  d92787c05a0 CVE-2020-25717 auth4: Remove sync check_password from 
auth_operations
   via  3815c92cc87 CVE-2020-25717 auth4: Make auth_sam pseudo-async
   via  e0ae20193e3 CVE-2020-25717 auth4: Make auth_unix pseudo-async
   via  849ef477cb3 CVE-2020-25717 auth4: Make auth_developer pseudo-async
   via  16098012df9 CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
   via  5a5b1a06d6d CVE-2020-25717 auth: Simplify DEBUG statements in 
make_auth3_context_for_ntlm()
   via  44270951af6 CVE-2020-25717 auth3: Simplify check_samba4_security()
   via  93289e90d6f CVE-2020-25717 selftest: Only set netbios aliases for 
the ad_member env
   via  6dbc3f11c02 CVE-2020-25717 selftest: Pass down the machine account 
name to provision_ad_member
  from  5e3b924cb35 ldb: version 2.3.2

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log ---------
commit a1dae6a208ad29d4a771a6d4d4f32e188ba2541b
Author: Stefan Metzmacher 
Date:   Tue Nov 9 19:43:02 2021 +0100

    VERSION: Bump version up to Samba 4.14.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 VERSION 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-09 Thread Stefan Metzmacher
 in wb_queryuser_send()
   via  4925a110c4e CVE-2020-25717 s3:idmap_hash: reliable return 
ID_TYPE_BOTH
   via  bd12ce56f03 CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* 
unless we get ID_TYPE_WB_REQUIRE_TYPE
   via  04e10a84318 CVE-2020-25717 winbindd: allow idmap backends to mark 
entries with ID_[TYPE_WB_]REQUIRE_TYPE
   via  ed1542b9f37 CVE-2020-25717 wb_sids2xids: build state->idmap_doms 
based on wb_parent_idmap_config
   via  69c53f9c317 CVE-2020-25717 wb_sids2xids: fill cache as soon as 
possible
   via  0ec6beec7da CVE-2020-25717 wb_sids2xids: directly use 
state->all_ids to collect results
   via  ed766403618 CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in 
wb_sids2xids_lookupsids_done()
   via  ab4f028db00 CVE-2020-25717 wb_sids2xids: refactor 
wb_sids2xids_done() a bit
   via  5e4491e8455 CVE-2020-25717 wb_sids2xids: inline 
wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
   via  ca5cf8d35b9 CVE-2020-25717 wb_sids2xids: move more checks to 
wb_sids2xids_next_sids2unix()
   via  27b73f9d343 CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 
'lookup_sids'
   via  e226e0a163a CVE-2020-25717 wb_sids2xids: maintain struct 
wbint_TransIDArray all_ids as cache
   via  713f9c96007 CVE-2020-25717 wb_sids2xids: split out 
wb_sids2xids_next_sids2unix()
   via  3812930e641 CVE-2020-25717 winbindd: defer the setup_child() from 
init_idmap_child()
   via  be816313636 CVE-2020-25717 winbindd: assert 
wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
   via  12fb0f40f60 CVE-2020-25717 wb_queryuser: explain why 
wb_parent_idmap_setup_send/recv is not needed
   via  a3cca16fac5 CVE-2020-25717 wb_sids2xids: call 
wb_parent_idmap_setup_send/recv as the first step
   via  5e04b985acc CVE-2020-25717 wb_xids2sids: make use of the new 
wb_parent_idmap_setup_send/recv() helpers
   via  f3957ca5ce2 CVE-2020-25717 winbindd: add generic 
wb_parent_idmap_setup_send/recv() helpers
   via  aebe4cec6c5 CVE-2020-25717 winbindd: add and use is_idmap_child()
   via  b7b4bb1c55b CVE-2020-25717 winbindd: add and use idmap_child_pid()
   via  39da0df37c4 CVE-2020-25717 wb_sids2xids: avoid idmap_child() and 
use idmap_child_handle() instead
   via  861bc4ddd8d CVE-2020-25717 wb_xids2sids: avoid idmap_child() and 
use idmap_child_handle() instead
   via  d4c9be23183 CVE-2020-25717 wb_queryuser: avoid idmap_child() and 
use idmap_child_handle() instead
   via  68a823fd032 CVE-2020-25717 winbindd/idmap: apply const to struct 
nss_info_methods pointers
   via  337cb0847bf CVE-2020-25717 winbindd/idmap: apply const to struct 
idmap_methods pointers
   via  340e2153c7e CVE-2020-25717 test_idmap_tdb_common: correctly 
initialize the idmap domain with an init function
   via  0792d340860 CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of 
WBC_ID_TYPE_*
   via  05b27742da4 CVE-2020-25717 winbind.idl: rename wbint_TransID.type 
to wbint_TransID.type_hint
  from  20ce74008b3 ldb: version 2.2.3

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 959fb5a4c69478848d3fbcff7d952a727cef518d
Author: Stefan Metzmacher 
Date:   Tue Nov 9 19:45:46 2021 +0100

VERSION: Bump version up to Samba 4.13.15...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 VERSION                                       |    2 +-
 WHATSNEW.txt                                  |  113 +-
 auth/auth_util.c                              |    9 +-
 auth/credentials/tests/bind.py                |   13 +-
 auth/gensec/gensec_util.c                     |   27 +-
 auth/ntlmssp/ntlmssp_server.c                 |    2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml |   17 +
 docs-xml/smbdotconf/security/serverrole.xml   |    7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml   |    4 +
 lib/param/loadparm.c                          |    4 +
 lib/param/loadparm_server_role.c              |    2 +
 lib/param/param_table.c                       |    1 +
 lib/param/util.c                              |    1 +
 libcli/auth/wscript_build                     |   10 +-
 libcli/netlogon/netlogon.c                    |    2 +-
 libds/common/flag_mapping.c                   |   50 +
 libds/common/flag_mapping.h                   |    1 +
 libds/common/flags.h                          |    5 +
 libds/common/roles.h                          |    1 +
 librpc/idl/idmap.idl                          |   23 +-
 librpc/idl/krb5pac.idl                        |   38 +-
 librpc/idl/winbind.idl                        |    2 +-
 librpc/ndr/ndr_krb5pac.c 

[SCM] Samba Shared Repository - annotated tag samba-4.15.2 created

2021-11-09 Thread Stefan Metzmacher
on
  CVE-2020-25719 heimdal:kdc: Require PAC to be present
  CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when 
necessary
  CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed 
account
  CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users 
not revealed to an RODC
  CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on 
an add operation
  CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames 
is not bypassed for an add operation

Jule Anger (3):
  VERSION: Bump version up to Samba 4.15.2...
  WHATSNEW: Add release notes for Samba 4.15.2.
  VERSION: Disable GIT_SNAPSHOT for the 4.15.2 release.

Nadezhda Ivanova (2):
  CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to 
attribute
  CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the 
Applies-to attribute

Ralph Boehme (1):
  CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

Samuel Cabrero (4):
  CVE-2020-25717: loadparm: Add new parameter "min domain uid"
  CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
  CVE-2020-25717: selftest: Add a test for the new 'min domain uid' 
parameter
  CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (47):
  CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to 
services anonymously and without a PAC
  CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" 
settings
  CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative 
= true
  CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to 
r->out.authoritative = true
  CVE-2020-25717: s4:torture: start with authoritative = 1
  CVE-2020-25717: s4:smb_server: start with authoritative = 1
  CVE-2020-25717: s4:auth_simple: start with authoritative = 1
  CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
  CVE-2020-25717: s3:torture: start with authoritative = 1
  CVE-2020-25717: s3:rpcclient: start with authoritative = 1
  CVE-2020-25717: s3:auth: start with authoritative = 1
  CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward 
the low level errors
  CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
  CVE-2020-25717: s3:auth: no longer let check_account() autocreate local 
users
  CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to 
is_allowed_domain()
  CVE-2020-25717: s3:auth: don't let create_local_token depend on 
!winbind_ping()
  CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in 
domain mode (DC or member)
  CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused 
auth_generate_session_info_principal()
  CVE-2020-25717: s3:ntlm_auth: fix memory leaks in 
ntlm_auth_generate_session_info_pac()
  CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() 
base the name on the PAC LOGON_INFO only
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate 
everything to make_server_info_wbcAuthUserInfo()
  CVE-2020-25717: selftest: configure 'ktest' env with winbindd and 
idmap_autorid
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a 
PAC in standalone mode
  CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by 
removing the unused logon_info argument
  CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing 
unused arguments
  CVE-2020-25722 pytests: Give computer accounts unique (and valid) 
sAMAccountNames and SPNs
  CVE-2021-23192: dcesrv_core: add better debugging to 
dcesrv_fault_disconnect()
  CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips 
DCERPC_PFC_FLAG_DID_NOT_EXECUTE
  CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into 
assertNotEqual()
  CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use 
g_auth_level in all places
  CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
  CVE-2021-23192: python/tests/dcerpc: add tests to check how security 
contexts relate to fragmented requests
  CVE-2021-23192: dcesrv_core: only the first fragment specifies the 
auth_contexts
  CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego 
authentication if we require kerberos
  CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if 
we require kerberos
  CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
  CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
  CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
  CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
  CVE-2021-3738 auth_ut

[SCM] Samba Shared Repository - annotated tag samba-4.14.10 created

2021-11-09 Thread Stefan Metzmacher
 heimdal:kdc: Check name in request against name in 
user-to-user TGT
  CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user 
authentication
  CVE-2020-25719 heimdal:kdc: Require PAC to be present
  CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when 
necessary
  CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed 
account
  CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users 
not revealed to an RODC
  CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on 
an add operation
  CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames 
is not bypassed for an add operation

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.14.10.
  VERSION: Disable GIT_SNAPSHOT for the 4.14.10 release.

Nadezhda Ivanova (2):
  CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to 
attribute
  CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the 
Applies-to attribute

Ralph Boehme (1):
  CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

Samuel Cabrero (4):
  CVE-2020-25717: loadparm: Add new parameter "min domain uid"
  CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
  CVE-2020-25717: selftest: Add a test for the new 'min domain uid' 
parameter
  CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (48):
  CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to 
allow a later cherry-pick to apply cleanly
  CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to 
services anonymously and without a PAC
  CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" 
settings
  CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative 
= true
  CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to 
r->out.authoritative = true
  CVE-2020-25717: s4:torture: start with authoritative = 1
  CVE-2020-25717: s4:smb_server: start with authoritative = 1
  CVE-2020-25717: s4:auth_simple: start with authoritative = 1
  CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
  CVE-2020-25717: s3:torture: start with authoritative = 1
  CVE-2020-25717: s3:rpcclient: start with authoritative = 1
  CVE-2020-25717: s3:auth: start with authoritative = 1
  CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward 
the low level errors
  CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
  CVE-2020-25717: s3:auth: no longer let check_account() autocreate local 
users
  CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to 
is_allowed_domain()
  CVE-2020-25717: s3:auth: don't let create_local_token depend on 
!winbind_ping()
  CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in 
domain mode (DC or member)
  CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused 
auth_generate_session_info_principal()
  CVE-2020-25717: s3:ntlm_auth: fix memory leaks in 
ntlm_auth_generate_session_info_pac()
  CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() 
base the name on the PAC LOGON_INFO only
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate 
everything to make_server_info_wbcAuthUserInfo()
  CVE-2020-25717: selftest: configure 'ktest' env with winbindd and 
idmap_autorid
  CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a 
PAC in standalone mode
  CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by 
removing the unused logon_info argument
  CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing 
unused arguments
  CVE-2020-25722 pytests: Give computer accounts unique (and valid) 
sAMAccountNames and SPNs
  CVE-2021-23192: dcesrv_core: add better debugging to 
dcesrv_fault_disconnect()
  CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips 
DCERPC_PFC_FLAG_DID_NOT_EXECUTE
  CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into 
assertNotEqual()
  CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use 
g_auth_level in all places
  CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
  CVE-2021-23192: python/tests/dcerpc: add tests to check how security 
contexts relate to fragmented requests
  CVE-2021-23192: dcesrv_core: only the first fragment specifies the 
auth_contexts
  CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego 
authentication if we require kerberos
  CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if 
we require kerberos
  CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()

[SCM] Samba Shared Repository - annotated tag samba-4.13.14 created

2021-11-09 Thread Stefan Metzmacher
ESTER_SID PAC buffer
  CVE-2020-25719 heimdal:kdc: Check return code
  CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype 
selection
  CVE-2020-25719 heimdal:kdc: Use sname from request rather than 
user-to-user TGT client name
  CVE-2020-25719 heimdal:kdc: Check name in request against name in 
user-to-user TGT
  CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user 
authentication
  CVE-2020-25719 heimdal:kdc: Require PAC to be present
  CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when 
necessary
  CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed 
account
  CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users 
not revealed to an RODC
  CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on 
an add operation
  CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames 
is not bypassed for an add operation

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.13.14.
  VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release.

Nadezhda Ivanova (2):
  CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to 
attribute
  CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the 
Applies-to attribute

Ralph Boehme (4):
  CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()
  CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in 
wb_queryuser_send()
  CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called 
in winbindd_allocate_uid_send()
  CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

Samuel Cabrero (4):
  CVE-2020-25717: loadparm: Add new parameter "min domain uid"
  CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
  CVE-2020-25717: selftest: Add a test for the new 'min domain uid' 
parameter
  CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (76):
  CVE-2020-25717 winbind.idl: rename wbint_TransID.type to 
wbint_TransID.type_hint
  CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
  CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap 
domain with an init function
  CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods 
pointers
  CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods 
pointers
  CVE-2020-25717 wb_queryuser: avoid idmap_child() and use 
idmap_child_handle() instead
  CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use 
idmap_child_handle() instead
  CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use 
idmap_child_handle() instead
  CVE-2020-25717 winbindd: add and use idmap_child_pid()
  CVE-2020-25717 winbindd: add and use is_idmap_child()
  CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() 
helpers
  CVE-2020-25717 wb_xids2sids: make use of the new 
wb_parent_idmap_setup_send/recv() helpers
  CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the 
first step
  CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv 
is not needed
  CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was 
called before idmap_child_handle()
  CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()
  CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids 
as cache
  CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'
  CVE-2020-25717 wb_sids2xids: move more checks to 
wb_sids2xids_next_sids2unix()
  CVE-2020-25717 wb_sids2xids: inline 
wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
  CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit
  CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in 
wb_sids2xids_lookupsids_done()
  CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect 
results
  CVE-2020-25717 wb_sids2xids: fill cache as soon as possible
  CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on 
wb_parent_idmap_config
  CVE-2020-25717 winbindd: allow idmap backends to mark entries with 
ID_[TYPE_WB_]REQUIRE_TYPE
  CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get 
ID_TYPE_WB_REQUIRE_TYPE
  CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
  CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to 
allow a later cherry-pick to apply cleanly
  CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to 
services anonymously and without a PAC
  CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" 
settings
  CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative 
= true
  CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults t

[SCM] Samba Website Repository - branch master updated

2021-11-09 Thread Stefan Metzmacher
The branch, master has been updated
   via  8f637db NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security 
Releases Available for Download
  from  96771b0 Add Samba 4.13.13

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 8f637db9c22c4d37dc60b20731ec0de5f437df26
Author: Stefan Metzmacher 
Date:   Tue Nov 9 18:59:24 2021 +0100

NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security Releases Available 
for Download

Signed-off-by: Stefan Metzmacher 
Signed-off-by: Karolin Seeger 

---

Summary of changes:
 history/header_history.html  |   3 +
 history/samba-4.13.14.html   | 106 
 history/samba-4.14.10.html   | 106 
 history/samba-4.15.2.html| 105 
 history/security.html|  34 
 posted_news/20211108-113640.4.15.2.body.html |  49 ++
 posted_news/20211108-113640.4.15.2.headline.html |   4 +
 security/CVE-2016-2124.html  | 114 +
 security/CVE-2020-25717.html | 197 +++
 security/CVE-2020-25718.html |  89 ++
 security/CVE-2020-25719.html | 130 +++
 security/CVE-2020-25721.html | 131 +++
 security/CVE-2020-25722.html | 155 ++
 security/CVE-2021-23192.html | 107 
 security/CVE-2021-3738.html  |  83 ++
 15 files changed, 1413 insertions(+)
 create mode 100644 history/samba-4.13.14.html
 create mode 100644 history/samba-4.14.10.html
 create mode 100644 history/samba-4.15.2.html
 create mode 100644 posted_news/20211108-113640.4.15.2.body.html
 create mode 100644 posted_news/20211108-113640.4.15.2.headline.html
 create mode 100644 security/CVE-2016-2124.html
 create mode 100644 security/CVE-2020-25717.html
 create mode 100644 security/CVE-2020-25718.html
 create mode 100644 security/CVE-2020-25719.html
 create mode 100644 security/CVE-2020-25721.html
 create mode 100644 security/CVE-2020-25722.html
 create mode 100644 security/CVE-2021-23192.html
 create mode 100644 security/CVE-2021-3738.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 5d40704..7dbe7f8 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,8 +9,10 @@
Release Notes


+   samba-4.15.2
samba-4.15.1
samba-4.15.0
+   samba-4.14.10
samba-4.14.9
samba-4.14.8
samba-4.14.7
@@ -21,6 +23,7 @@
samba-4.14.2
samba-4.14.1
samba-4.14.0
+   samba-4.13.14
samba-4.13.13
samba-4.13.12
samba-4.13.11
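Review bot: history/header_history.html is tracked with mode 100755 (the index line above the first hunk), and an HTML include has no reason to be executable; consider a follow-up that sets it to 100644, the mode the new history/samba-4.13.14.html is created with. The three added entries themselves sit at the top of their 4.15, 4.14 and 4.13 groups, which matches the newest-first ordering of the surrounding lines.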
diff --git a/history/samba-4.13.14.html b/history/samba-4.13.14.html
new file mode 100644
index 000..6bf24a6
--- /dev/null
+++ b/history/samba-4.13.14.html
@@ -0,0 +1,106 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+http://www.w3.org/1999/xhtml";>
+
+Samba 4.13.14 - Release Notes
+
+
+Samba 4.13.14 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.13.14.tar.gz";>Samba 
4.13.14 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.13.14.tar.asc";>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.13.13-4.13.14.diffs.gz";>Patch
 (gzipped) against Samba 4.13.13
+https://download.samba.org/pub/samba/patches/samba-4.13.13-4.13.14.diffs.asc";>Signature
+
+
+
+   ===
+   Release Notes for Samba 4.13.14
+   November 9, 2021
+   ===
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
+  authentication.
+  https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+  https://www.samba.org/samba/security/CVE-2020-25717.html
+  (PLEASE READ! There are important behaviour changes 
described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+  by an RODC.
+  https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID

[SCM] Samba Shared Repository - branch v4-15-test updated

2021-11-09 Thread Stefan Metzmacher
ftest: Split test_userAccountControl 
into unit tests
   via  7211afa9a5c CVE-2020-25722 samdb: Fill in isCriticalSystemObject on 
any account type change
   via  2812b7cc0e4 CVE-2020-25722 selftest: Adapt sam.py 
test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
   via  73468f3f4a1 CVE-2020-25722 dsdb: Add restrictions on computer 
accounts without a trailing $
   via  d396fcadc19 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is 
only called on ADD, so remove indentation
   via  a228f45f63e CVE-2020-25722 selftest: Adapt selftest to restriction 
on swapping account types
   via  e353a62513a CVE-2020-25722 selftest/priv_attrs: Mention that these 
knownfails are OK (for now)
   via  cc64ec21039 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ 
account types and objectclass.
   via  a72cec41c21 CVE-2020-25722 dsdb: Add tests for modifying 
objectClass, userAccountControl and sAMAccountName
   via  758c422c11e CVE-2020-25722 dsdb: Improve privileged and 
unprivileged tests for objectclass/doller/UAC
   via  4868385d45b CVE-2020-25722 dsdb: objectclass computer becomes 
UF_WORKSTATION_TRUST by default
   via  a6048aaae63 CVE-2020-25722 selftest: Catch errors from 
samdb.modify() in user_account_control tests
   via  cf5a3ebaf00 CVE-2020-25722 selftest: Catch possible errors in 
PasswordSettingsTestCase.test_pso_none_applied()
   via  b999e14700d CVE-2020-25722 selftest: allow for future failures in 
BindTests.test_virtual_email_account_style_bind
   via  df525689abc CVE-2020-25722 selftest: Test combinations of account 
type and objectclass for creating a user
   via  53de95a1f6a CVE-2020-25722 selftest: Extend priv_attrs test - work 
around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or 
a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
   via  07aef1e648d CVE-2020-25722 dsdb: Restrict the setting of privileged 
attributes during LDAP add/modify
   via  b02578014f7 CVE-2020-25722 dsdb: Move krbtgt password setup after 
the point of checking if any passwords are changed
   via  65973d2efd4 CVE-2020-25722 dsdb: Tests for our known set of 
privileged attributes
   via  85e3788d829 CVE-2020-17049 tests/krb5: Check account name and SID 
in PAC for S4U tests
   via  6807b81f40b CVE-2020-25722 selftest: Use 
self.assertRaisesLdbError() in user_account_control.py test
   via  6f20d53279d CVE-2020-25722 selftest: Update user_account_control 
tests to pass against Windows 2019
   via  ce8fbffd3a1 CVE-2020-25722 selftest: Replace internal loop in 
test_uac_bits_set() using @DynamicTestClass
   via  f970d8b549d CVE-2020-25722 selftest: Replace internal loop in 
test_uac_bits_add() using @DynamicTestClass
   via  5719cddc268 CVE-2020-25722 selftest: Use @DynamicTestCase in 
user_account_control test_uac_bits_unrelated_modify()
   via  7d3a0e08c48 CVE-2020-25722 pydsdb: Add API to return strings of 
known UF_ flags
   via  a8578a41263 CVE-2020-25722 selftest: Use addCleanup rather than 
tearDown in user_account_control.py
   via  1a0630b9bc7 CVE-2020-25722 selftest: Modernise 
user_account_control.py tests use a common self.OU
   via  8292a799180 CVE-2020-25722 selftest: Move 
self.assertRaisesLdbError() to samba.tests.TestCase
  from  19f0172708e VERSION: Bump version up to Samba 4.15.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log ---------
commit bdc33fa61f81d3223279a852991d8aded886881b
Author: Stefan Metzmacher 
Date:   Tue Nov 9 19:39:35 2021 +0100

VERSION: Bump version up to Samba 4.15.3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 VERSION                                       |    2 +-
 WHATSNEW.txt                                  |  112 +-
 auth/auth_util.c                              |    9 +-
 auth/credentials/tests/bind.py                |   13 +-
 auth/gensec/gensec_util.c                     |   27 +-
 auth/ntlmssp/ntlmssp_server.c                 |    2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml |   17 +
 docs-xml/smbdotconf/security/serverrole.xml   |    7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml   |    4 +
 lib/param/loadparm.c                          |    4 +
 lib/param/loadparm_server_role.c              |    2 +
 lib/param/param_table.c                       |    1 +
 lib/param/util.c                              |    1 +
 libcli/netlogon/netlogon.c                    |    2 +-
 libds/common/flag_mapping.c                   |   50 +
 libds/common/flag_mapping.h                   |    1 +
 libds/common/flags.h                          |    5 +
 libds/common/roles.h

[SCM] Samba Shared Repository - branch master updated

2021-11-10 Thread Stefan Metzmacher
The branch, master has been updated
   via  a7f6c60cb03 s3:winbindd: fix "allow trusted domains = no" regression
  from  3121be69cac CVE-2021-3738 s4:rpc_server/samr: make use of 
dcesrv_samdb_connect_as_*() helper

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a7f6c60cb037b4bc9eee276236539b8282213935
Author: Stefan Metzmacher 
Date:   Tue Nov 9 20:50:20 2021 +0100

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index fe68adec534..a8c510fafc6 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   if (!is_allowed_domain(domain_name)) {
+   if (secure_channel_type == SEC_CHAN_NULL && 
!is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
 
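Review bot: In the added condition, any secure_channel_type other than SEC_CHAN_NULL now skips is_allowed_domain() entirely, so "allow trusted domains = no" is enforced at this point only for callers that pass SEC_CHAN_NULL. The commit message gives the reasoning (explicit trusts, and SEC_CHAN_LOCAL for local domains like BUILTIN), but the code does not; a short comment above the if would keep a later caller from passing a non-NULL channel type for a domain whose trust was never established. It would also help if the description listed which callers of add_trusted_domain() pass SEC_CHAN_NULL, so the narrowed check can be reviewed against them.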


-- 
Samba Shared Repository



[SCM] Samba Website Repository - branch master updated

2021-11-10 Thread Stefan Metzmacher
The branch, master has been updated
   via  8375dbc add a reference to the regression fixes at 
https://bugzilla.samba.org/show_bug.cgi?id=14899
  from  8f637db NEWS[4.15.2]: Samba 4.15.2, 4.14.10 and 4.13.14 Security 
Releases Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 8375dbc88c9fd1cc7f69a6be09611a1abc6c7e0d
Author: Stefan Metzmacher 
Date:   Wed Nov 10 13:22:10 2021 +0100

add a reference to the regression fixes at 
https://bugzilla.samba.org/show_bug.cgi?id=14899

---

Summary of changes:
 posted_news/20211108-113640.4.15.2.body.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/posted_news/20211108-113640.4.15.2.body.html 
b/posted_news/20211108-113640.4.15.2.body.html
index 00fc078..7ebb6a3 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -19,8 +19,8 @@ as there are important behaviour changes for
 CVE-2020-25717.
 
 There's sadly a regression that "allow trusted domains = no"
-prevents winbindd from starting, we'll try to provide a follow up fix as soon 
as
-possible.
+prevents winbindd from starting, fixes are available at
+https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899.
 
 
 
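Review bot: The replacement sentence on the two + lines points readers to bug #14899 but does not say which of the announced releases (4.15.2, 4.14.10, 4.13.14) need the fix or whether a patched release will follow, so an admin running "allow trusted domains = no" cannot tell from the notice alone whether to hold back the security update. Consider naming the affected releases next to the link, and splitting the sentence, which is a comma splice as written ("prevents winbindd from starting, fixes are available at").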


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch v4-14-test updated

2021-11-10 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  5b1d789632f s3:winbindd: fix "allow trusted domains = no" regression
  from  4a106c2322c lib: handle NTTIME_THAW in nt_time_to_full_timespec()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit 5b1d789632fe67708e64ab9fc4f5b10408699682
Author: Stefan Metzmacher 
Date:   Tue Nov 9 20:50:20 2021 +0100

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-14-test): Stefan Metzmacher
Autobuild-Date(v4-14-test): Wed Nov 10 23:45:06 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 42ddbfd2f44..9d54e462c42 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   if (!is_allowed_domain(domain_name)) {
+   if (secure_channel_type == SEC_CHAN_NULL && 
!is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
 
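Review bot: This backport touches only source3/winbindd/winbindd_util.c, so nothing in the changeset exercises the new "secure_channel_type == SEC_CHAN_NULL &&" path with "allow trusted domains = no" set. Since the commit message describes a regression, a selftest that runs winbindd with that setting and checks that a domain without an explicit trust is still refused with NT_STATUS_NO_SUCH_DOMAIN, while BUILTIN is accepted, would keep it from recurring on this branch.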


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-15-test updated

2021-11-10 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  db4e342291f s3:winbindd: fix "allow trusted domains = no" regression
  from  962b7b0f92d s3-winexe: Fix winexe core dump (use-after-free)

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit db4e342291f86c05fd548161c8c6b2c50e41f533
Author: Stefan Metzmacher 
Date:   Tue Nov 9 20:50:20 2021 +0100

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-15-test): Stefan Metzmacher
Autobuild-Date(v4-15-test): Wed Nov 10 23:29:45 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index fe68adec534..a8c510fafc6 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -135,7 +135,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   if (!is_allowed_domain(domain_name)) {
+   if (secure_channel_type == SEC_CHAN_NULL && 
!is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-11 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  b7158d4ce85 s3:winbindd: fix "allow trusted domains = no" regression
  from  959fb5a4c69 VERSION: Bump version up to Samba 4.13.15...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b7158d4ce853f3ce4342ff9756490104ad163b9c
Author: Stefan Metzmacher 
Date:   Tue Nov 9 20:50:20 2021 +0100

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-13-test): Stefan Metzmacher
Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1ae4a8d3ca3..a4f33c4765b 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -131,7 +131,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   if (!is_allowed_domain(domain_name)) {
+   if (secure_channel_type == SEC_CHAN_NULL && 
!is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
 


-- 
Samba Shared Repository



[SCM] Samba Website Repository - branch master updated

2021-11-11 Thread Stefan Metzmacher
The branch, master has been updated
   via  7604118 add references to 
https://bugzilla.samba.org/show_bug.cgi?id=14901
  from  8375dbc add a reference to the regression fixes at 
https://bugzilla.samba.org/show_bug.cgi?id=14899

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 76041187b55e10febd033ce7087c3ef4c6160af1
Author: Stefan Metzmacher 
Date:   Thu Nov 11 21:23:05 2021 +0100

add references to https://bugzilla.samba.org/show_bug.cgi?id=14901

---

Summary of changes:
 posted_news/20211108-113640.4.15.2.body.html |  6 ++
 security/CVE-2020-25717.html | 10 ++
 2 files changed, 16 insertions(+)


Changeset truncated at 500 lines:

diff --git a/posted_news/20211108-113640.4.15.2.body.html 
b/posted_news/20211108-113640.4.15.2.body.html
index 7ebb6a3..4370442 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -21,6 +21,12 @@ as there are important behaviour changes for
 There's sadly a regression that "allow trusted domains = no"
 prevents winbindd from starting, fixes are available at
 https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899.
+
+Please also notice the additional fix and advanced example
+for the 'username map [script]' based fallback from
+'DOMAIN\user' to 'user'. See
+https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and
+https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab 
merge request 2251.
 
 
 
diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html
index 8371c90..49811db 100644
--- a/security/CVE-2020-25717.html
+++ b/security/CVE-2020-25717.html
@@ -94,6 +94,16 @@ Please consult 'man 5 smb.conf' for further details on 
'username
 map' or 'username map script'. Also note that in the above example '\'
 refers to the default value of the 'winbind separator' option.
 
+[Added 2021-11-11]
+  There's sadly a regression that "allow trusted domains = no"
+  prevents winbindd from starting, fixes are available at
+  https://bugzilla.samba.org/show_bug.cgi?id=14899
+
+  Please also notice the additional fix and advanced example
+  for the 'username map [script]' based fallback from
+  'DOMAIN\user' to 'user'. See
+  https://bugzilla.samba.org/show_bug.cgi?id=14901 and
+  https://gitlab.com/samba-team/samba/-/merge_requests/2251
 
 
 Beyond Samba


-- 
Samba Website Repository



[SCM] Samba Website Repository - branch master updated

2021-11-16 Thread Stefan Metzmacher
The branch, master has been updated
   via  d0e3915 updates regarding 
https://bugzilla.samba.org/show_bug.cgi?id=14901
  from  7604118 add references to 
https://bugzilla.samba.org/show_bug.cgi?id=14901

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit d0e3915ecd116eab2883c7db41c2fd47849db3b6
Author: Stefan Metzmacher 
Date:   Tue Nov 16 20:22:41 2021 +0100

updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14901

---

Summary of changes:
 posted_news/20211108-113640.4.15.2.body.html |  8 +++
 security/CVE-2020-25717.html | 34 ++--
 2 files changed, 26 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/posted_news/20211108-113640.4.15.2.body.html 
b/posted_news/20211108-113640.4.15.2.body.html
index 4370442..11bf4f8 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -22,11 +22,11 @@ There's sadly a regression that "allow trusted domains = no"
 prevents winbindd from starting, fixes are available at
 https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899.
 
-Please also notice the additional fix and advanced example
-for the 'username map [script]' based fallback from
-'DOMAIN\user' to 'user'. See
+Please also notice the additional fixes from
 https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and
-https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab 
merge request 2251.
+https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab 
merge request 2253.
+obsolete required 'username map [script]' based fallback from
+'DOMAIN\user' to 'user' in most cases.
 
 
 
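Review bot: in the added lines the link target still ends in merge_requests/2251 while the link text now reads "merge request 2253"; the CVE-2020-25717.html hunk in the same commit uses .../merge_requests/2253, so the href here should be updated to match. The text after the link also no longer forms a sentence: "merge request 2253." ends with a full stop and is followed by "obsolete required 'username map [script]' based fallback", which needs a subject, for example "which make the 'username map [script]' based fallback from 'DOMAIN\user' to 'user' unnecessary in most cases".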
diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html
index 49811db..1321426 100644
--- a/security/CVE-2020-25717.html
+++ b/security/CVE-2020-25717.html
@@ -81,29 +81,39 @@ as it dangerous and not needed when nss_winbind is used 
(even when
 However there are setups which are joined to an active directory
 domain just for authentication, but the authorization is handled
 without nss_winbind by mapping the domain account to a local user
-provided by nss_file, nss_ldap or something similar. NOTE: These
-setups won't work anymore without explicitly mapping the users!
+provided by nss_file, nss_ldap or something similar.
 
-For these setups administrators need to use the 'username map' or
-'username map script' option in order to map domain users explicitly
-to local users, e.g.
+[Obsoleted 2021-11-16]
+NOTE: These setups won't work anymore without explicitly mapping the users!
 
-  user = DOMAIN\user
+For these setups administrators need to use the 'username map' or
+'username map script' option in order to map domain users explicitly
+to local users, e.g.
 
-Please consult 'man 5 smb.conf' for further details on 'username
-map' or 'username map script'. Also note that in the above example '\'
-refers to the default value of the 'winbind separator' option.
+  user = DOMAIN\user
+
+Please consult 'man 5 smb.conf' for further details on 'username
+map' or 'username map script'. Also note that in the above example '\'
+refers to the default value of the 'winbind separator' option.
 
 [Added 2021-11-11]
   There's sadly a regression that "allow trusted domains = no"
   prevents winbindd from starting, fixes are available at
   https://bugzilla.samba.org/show_bug.cgi?id=14899
 
-  Please also notice the additional fix and advanced example
-  for the 'username map [script]' based fallback from
+[Updated 2021-11-16]
+
+  Please also notice the additional fix that obsoletes
+  the above 'username map [script]' based fallback from
   'DOMAIN\user' to 'user'. See
   https://bugzilla.samba.org/show_bug.cgi?id=14901 and
-  https://gitlab.com/samba-team/samba/-/merge_requests/2251
+  https://gitlab.com/samba-team/samba/-/merge_requests/2253
+
+  It's possible have setups make use of 'idmap_nss' in order
+  to provide a mapping from the domain account to a local user,
+  often even without 'nss_winbindd'. Such setups should work again
+  as before with the patches from bug 14901.
+  But note the 'min domain uid' setting may still be required.
 
 
 Beyond Samba
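Review bot: the paragraph added under [Updated 2021-11-16] has a grammar slip, "It's possible have setups make use of 'idmap_nss'", which should read something like "It's possible to have setups that make use of 'idmap_nss'". It also names the module 'nss_winbindd', while the unchanged context at the top of this hunk spells it nss_winbind; use one spelling throughout the advisory. The closing remark that 'min domain uid' "may still be required" would be more useful with a pointer to where that setting is described, as the removed paragraph did with 'man 5 smb.conf'.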


-- 
Samba Website Repository



[SCM] Samba Website Repository - branch master updated

2021-11-16 Thread Stefan Metzmacher
The branch, master has been updated
   via  62c6ffe mark changes with red
  from  d0e3915 updates regarding 
https://bugzilla.samba.org/show_bug.cgi?id=14901

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 62c6ffe0388989b325d80023026939e2e917a08d
Author: Stefan Metzmacher 
Date:   Tue Nov 16 20:36:44 2021 +0100

mark changes with red

---

Summary of changes:
 posted_news/20211108-113640.4.15.2.body.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/posted_news/20211108-113640.4.15.2.body.html 
b/posted_news/20211108-113640.4.15.2.body.html
index 11bf4f8..1fec9f7 100644
--- a/posted_news/20211108-113640.4.15.2.body.html
+++ b/posted_news/20211108-113640.4.15.2.body.html
@@ -17,11 +17,11 @@ These are Security Releases in order to address
 Please read the individual advisories,
 as there are important behaviour changes for
 CVE-2020-25717.
-
+
 There's sadly a regression that "allow trusted domains = no"
 prevents winbindd from starting, fixes are available at
 https://bugzilla.samba.org/show_bug.cgi?id=14899";>bug #14899.
-
+
 Please also notice the additional fixes from
 https://bugzilla.samba.org/show_bug.cgi?id=14901";>bug #14901 and
 https://gitlab.com/samba-team/samba/-/merge_requests/2251";>Gitlab 
merge request 2253.


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2021-11-30 Thread Stefan Metzmacher
The branch, master has been updated
   via  ccfefe28909 s4:samba: split out a samba_service_init() helper 
function
   via  5d295e41af4 vfs_not_implemented: mark all functions with _PUBLIC_
   via  6745968a154 script/autobuild.py: make sure nss, pam and krb5 
plugins don't provide unexpected symbols
   via  4862a8ff2f0 script/autobuild.py: make sure nss and pam plugins 
don't link any samba libraries
   via  66e90b7391b nsswitch: reduce dependecies to private libraries and 
link static/builtin if possible
   via  05ca7b9809d lib/replace: use dlsym(RTLD_DEFAULT,) for 
{nss,nss_host,uid,socket}_wrapper_enabled()
   via  62d05a81087 nsswitch/libwbclient: explicitly mark all wbc* symbols 
as _PUBLIC_
   via  fa98a44cb4d nsswitch: explicitly mark nss_module_register() 
_PUBLIC_ on FreeBSD
   via  419ca68de0c nsswitch: explicitly mark NSS_STATUS _nss_winbind_* 
symbols as _PUBLIC_ on Linux
   via  3f9948bd6dc nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols 
as _PUBLIC_
   via  a663c9648f1 nsswitch: explicitly mark magic krb5 plugin symbols as 
_PUBLIC_
   via  9615395b1fd nsswitch/wbinfo: use wbcRequestResponse() instead of 
winbindd_request_response()
   via  41108b9ed9f nsswitch: move winbindd_free_response() as inline 
function to winbind_struct_protocol.h
   via  f3c5980f76f s4:torture/winbind: use wbcRequestResponse() instead of 
winbindd_request_response()
   via  ac8977d1e76 s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of 
winbindd_request_response()
   via  35446c27f8e s3:utils: remove notify_msg.c from smbstatus sources
   via  600ebefa5af libwbclient: fix strict-overflow warning in 
wbcSidToString()
   via  c461b906ca5 heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
   via  6c64f3cee83 heimdal_build: avoid using hardcoded vnum values passed 
to HEIMDAL_LIBRARY()
   via  e35f23195f9 heimdal_build: remove unused cflags argument of 
HEIMDAL_LIBRARY()
   via  f168f548784 wafsamba: allow SAMBA_LIBRARY() to get and use original 
'version-script.map' for private libraries
   via  38d37d4a532 wafsamba: introduce SAMBA[3]_PLUGIN()
   via  70da83a8ca7 wafsamba: introduce 
require_builtin_deps/provide_builtin_linking/builtin_cflags to 
SAMBA_{SUBSYSTEM,LIBRARY}
   via  38ef29bc219 wafsamba: let reduce_objects() not remove duplicates of 
BUILTINS even if there are more than one
   via  295e5270f60 wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
   via  3aff74e29ed wafsamba: assert for *.sigs source files in 
abi_build_vscript()
   via  33e6949dda8 wafsamba: the symbol version string of private 
libraries should be based on the toplevel project
   via  da7c41e2601 wafsamba: use private extentions also for bundled 
public libraries
   via  43b90da1867 wafsamba: remove unused private_library argument of 
PRIVATE_NAME()
   via  d6749f590f3 wafsamba: SAMBA_GENERATOR() should not alter the 
callers dep_vars
   via  932c408c1b4 wafsamba: fix '--private-libraries' option when using 
'ALL,!something'
   via  893c24605a5 wafsamba: mark SAMBA_MODULE() with private_library=True
   via  03cd1449f69 script/autobuild.py: fix "nondevel" builds of 
'samba-libs'
  from  38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present 
for TGTs

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----
commit ccfefe289093457587009e1862e1ed8591495aac
Author: Stefan Metzmacher 
Date:   Fri Aug 27 13:06:00 2021 +0200

s4:samba: split out a samba_service_init() helper function

The loading function should be in the same SAMBA_LIBRARY()
as the modules.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Nov 30 16:44:57 UTC 2021 on sn-devel-184

commit 5d295e41af4e9316aee1b4cf1c3087663b7c06a4
Author: Stefan Metzmacher 
Date:   Fri Aug 27 13:10:41 2021 +0200

vfs_not_implemented: mark all functions with _PUBLIC_

These functions are used directly by other modules.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 6745968a15497c88646c1213ec6a8b198e624abb
Author: Stefan Metzmacher 
Date:   Mon Aug 23 12:56:15 2021 +

script/autobuild.py: make sure nss, pam and krb5 plugins don't provide 
unexpected symbols

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 4862a8ff2f02cf7c735d666520846f6a0d63c6b0
Author: Stefan Metzmacher 
Date:   Mon Aug 23 12:56:15 2021 +

script/autobuild.py: make sure nss and pam plugins don't link any samba 
libraries

Note th

[SCM] Samba Shared Repository - branch master updated

2021-11-30 Thread Stefan Metzmacher
The branch, master has been updated
   via  0991946ab2e heimdal_build: Remove memset_s from roken, already in 
libreplace
   via  d6a1a849a2a heimdal_build: Use HAVE___ATTRIBUTE__ for unused, 
noreturn and unused_result
   via  6f7b555dad9 heimdal_build: Do not list hx509 files twice
   via  93de0f017fd Allow overflow in lib/hx509.c and 
lib/gssapi/mech/gss_inquire_cred.c
   via  de18c9bf410 heimdal_build: Allow errors integer overflow errors in 
gen.c (only)
   via  75e1000d280 heimdal_build: consistently pass extra_cflags=cflags to 
HEIMDAL_CFLAGS()
  from  ccfefe28909 s4:samba: split out a samba_service_init() helper 
function

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0991946ab2e64cb9aa3ed9f177e5a545c82c7b3d
Author: Andrew Bartlett 
Date:   Thu Dec 20 16:24:28 2018 +1300

heimdal_build: Remove memset_s from roken, already in libreplace

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Nov 30 19:18:59 UTC 2021 on sn-devel-184

commit d6a1a849a2aec1172ead1b85482b4cea37cd10bd
Author: Gary Lockyer 
Date:   Fri Sep 29 10:22:20 2017 +1300

heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result

[abart...@samba.org Squashed with TODO commit from Gary that provided
 HEIMDAL_UNUSED_ATTRIBUTE etc]

Signed-off-by: Gary Lockyer 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 6f7b555dad96f9d36cb48d46b232a74f18ce2eb7
Author: Andrew Bartlett 
Date:   Wed Nov 24 11:49:37 2021 +1300

heimdal_build: Do not list hx509 files twice

This makes maintaining the file lists easier.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 93de0f017fddbd84e1356c7bdc5c43ab7456422e
Author: Andrew Bartlett 
Date:   Wed Jul 7 15:23:17 2021 +1200

Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c

This is in preparation for the Heimdal upgrade (which otherwise
can be compiled with stricter flags).

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit de18c9bf4108dd4f838a4711eda0ed2a59f6ff09
Author: Andrew Bartlett 
Date:   Tue Jul 6 12:26:17 2021 +1200

heimdal_build: Allow errors integer overflow errors in gen.c (only)

This is in preparation for the Heimdal upgrade.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 75e1000d280a1310d64c9bfffe55f7b67b402463
Author: Stefan Metzmacher 
Date:   Tue Nov 30 17:03:06 2021 +0100

heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 source4/heimdal_build/config.h |  3 ---
 source4/heimdal_build/include/krb5-types.h | 35 ++
 source4/heimdal_build/roken.h  |  4 
 source4/heimdal_build/wscript_build| 25 -
 source4/heimdal_build/wscript_configure|  7 +++---
 5 files changed, 62 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal_build/config.h b/source4/heimdal_build/config.h
index fb43cdc1319..d9ba31b3b45 100644
--- a/source4/heimdal_build/config.h
+++ b/source4/heimdal_build/config.h
@@ -9,9 +9,6 @@
 #include "include/config.h"
 #include "../replace/replace.h"
 #include "../lib/util/attr.h"
-#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_
-#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x)
-#define HEIMDAL_UNUSED_ATTRIBUTE _UNUSED_
 
 #define VERSIONLIST {"Lorikeet-Heimdal, Modified for Samba4"}
 
diff --git a/source4/heimdal_build/include/krb5-types.h 
b/source4/heimdal_build/include/krb5-types.h
index 7e9972b8a6a..62a54dd9722 100644
--- a/source4/heimdal_build/include/krb5-types.h
+++ b/source4/heimdal_build/include/krb5-types.h
@@ -16,6 +16,41 @@ typedef int krb5_socket_t;
 typedef ssize_t krb5_ssize_t;
 #endif
 
+
+#ifndef HEIMDAL_DEPRECATED
+#define HEIMDAL_DEPRECATED _DEPRECATED_
+#endif
+
+#ifndef HEIMDAL_PRINTF_ATTRIBUTE
+#ifdef HAVE_ATTRIBUTE_PRINTF
+#define HEIMDAL_PRINTF_ATTRIBUTE(x) __attribute__((format x))
+#else
+#define HEIMDAL_PRINTF_ATTRIBUTE(x)
+#endif
+#endif
+
+#ifndef HEIMDAL_NORETURN_ATTRIBUTE
+#ifdef HAVE___ATTRIBUTE__
+#define HEIMDAL_NORETURN_ATTRIBUTE __attribute__((noreturn))
+#else
+#define HEIMDAL_NORETURN_ATTRIBUTE
+#endif
+#endif
+
+#ifndef HEIMDAL_UNUSED_ATTRIBUTE
+#ifdef HAVE___ATTRIBUTE__
+#define HEIMDAL_UNUSED_ATTRIBUTE __attribute__((unused))
+#else
+#define HEIMDAL_UNUSED_ATTRIBUTE
+#endif
+#endif
+
+#ifndef HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE
+#ifdef HAVE___ATTRIBUTE__
 #define HEIMDAL_WARN_UNUSED_RESULT_ATTRIB
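Review bot: HEIMDAL_DEPRECATED is defined as _DEPRECATED_ with no fallback, while the three macros that follow it fall back to an empty definition when the configure check is missing; if this header is ever included without the header that provides _DEPRECATED_, every use of HEIMDAL_DEPRECATED becomes a syntax error, so an #ifdef _DEPRECATED_ guard with an empty #else would be safer. HEIMDAL_PRINTF_ATTRIBUTE is also keyed on HAVE_ATTRIBUTE_PRINTF while the others use HAVE___ATTRIBUTE__; a one-line comment on why the two checks differ would help. The config.h hunk removed the FORMAT_ATTRIBUTE(x) based definition, so it is worth confirming that `__attribute__((format x))` expands to the same thing for existing callers.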

[SCM] Samba Shared Repository - branch master updated

2021-12-03 Thread Stefan Metzmacher
The branch, master has been updated
   via  5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0
   via  1e61de83066 CVE-2020-25717: s3-auth: fix MIT Realm regression
   via  f621317e3b2 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching 
for the local replicated object
  from  d1ea9c5aaba libcli:auth: Allow to connect to netlogon server 
offering only AES

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5e3df5f9ee64a80898f73585b19113354f463c44
Author: Ralph Boehme 
Date:   Fri Nov 26 11:59:45 2021 +0100

smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

commit 1e61de8306604a0d3858342df8a1d2412d8d418b
Author: Ralph Boehme 
Date:   Fri Nov 26 10:57:17 2021 +0100

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 

commit f621317e3b25a8925ab6e448068264488a0a47c7
Author: Andrew Bartlett 
Date:   Fri Nov 12 12:44:44 2021 +1300

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local 
replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 source3/auth/user_krb5.c|  9 +
 source3/libsmb/dsgetdcname.c|  4 
 source4/dsdb/samdb/ldb_modules/operational.c|  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
 4 files changed, 26 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+   bool may_retry = false;
 
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+   may_retry = true;
}
 
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
 
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   if (may_retry && pw == NULL && !*is_mapped) {
+   fuser = talloc_strdup(mem_ctx, user);
+   if (!fuser) {
+   return NT_STATUS_NO_MEMORY;
+   }
+   pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
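Review bot: the retry in the added block looks up the bare `user` name after the qualified `fuser` lookup failed, which widens the name mapping inside a CVE-2020-25717 fix, yet it happens silently. Please add a DEBUG message when the fallback is taken and a comment stating why it is limited to `may_retry && pw == NULL && !*is_mapped`. The first `fuser` string is also overwritten without talloc_free(); that is harmless if mem_ctx is short-lived, but freeing it before the talloc_strdup() would be tidier.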
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index f8ae96109b7..5954e48d747 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
 
+   if (dcs[i].num_ips == 0) {
+   continue;
+   }
+
dclist[ret_count].hostname =
talloc_move(dclist, &dcs[i].hostname);
 
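Review bot: entries with `num_ips == 0` are now skipped without any trace; a DEBUG line naming dcs[i].hostname would make it much easier to diagnose why a DC from the DNS answer was dropped. The hunk also does not show what happens when every entry is skipped and ret_count stays 0, so please confirm that the code after the loop returns an error rather than an empty dclist in that case.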
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 11b87bdf5ca..2b3cd2d7954 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1408,7 +1408,7 @@ static const struct op_attributes_r

[SCM] Samba Shared Repository - branch v4-15-test updated

2021-12-08 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0
   via  18c76813587 libcli:auth: Allow to connect to netlogon server 
offering only AES
   via  b1f0aa5c22f s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open_schannel_with_creds()
   via  aca47d48f51 s3:rpc_client: Add remote name and socket to 
cli_rpc_pipe_open_bind_schannel()
   via  16d886511f1 s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open_with_creds()
   via  2b9882a4c2f s3:libsmb: Remove trailing white spaces from 
passchange.c
   via  460cf672e65 s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open_noauth_transport()
   via  1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c
   via  0801cae3df8 s3:rpcclient: Remove trailing white spaces in 
rpcclient.c
   via  ea845570516 s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open()
   via  e72d611c78d s3:rpc_client: Remove trailing white spaces from 
cli_pipe.c
   via  fea324d9cc4 testprogs: Add rpcclient schannel tests
   via  cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching 
for the local replicated object
   via  5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression
  from  6f7e39b0611 smb2_server: skip tcon check and 
chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit 5e846fcf74edb883e8aa7756ee51ef8bfbfb6026
Author: Ralph Boehme 
Date:   Fri Nov 26 11:59:45 2021 +0100

smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Wed Dec  8 10:46:08 UTC 2021 on sn-devel-184

commit 18c7681358775b079d95cc44c4146b715ffb54cd
Author: Andreas Schneider 
Date:   Thu Nov 18 13:46:26 2021 +0100

libcli:auth: Allow to connect to netlogon server offering only AES

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184

(cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93)

commit b1f0aa5c22fdf65114540d4bb15ac6980f194abf
Author: Günther Deschner 
Date:   Thu Nov 18 11:52:18 2021 +0100

s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open_schannel_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider 
Signed-off-by: Guenther Deschner 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e)

commit aca47d48f516b43ef20f44f85d50993ca25eb3fa
Author: Andreas Schneider 
Date:   Thu Nov 18 11:47:26 2021 +0100

s3:rpc_client: Add remote name and socket to 
cli_rpc_pipe_open_bind_schannel()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider 
Signed-off-by: Guenther Deschner 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1)

commit 16d886511f158a56fb0ebb71df91fea127bed606
Author: Günther Deschner 
Date:   Thu Nov 18 11:43:08 2021 +0100

s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider 
Signed-off-by: Andreas Schneider 
Signed-off-by: Guenther Deschner 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd)

commit 2b9882a4c2fb94653982d3d4ab9a53d84d658226
Author: Andreas Schneider 
Date:   Wed Nov 24 13:21:28 2021 +0100

s3:libsmb: Remove trailing white spaces from passchange.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0)

commit 460cf672e65432d79512ceca2212572c470865f3
Author: Günther Deschner 
Date:   Thu Nov 18 11:31:00 2021 +0100

s3:rpc_client: Pass remote name and socket to 
cli_rpc_pipe_open_noauth_transport()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider 
Signed-off-by: Guenther

[SCM] Samba Shared Repository - branch v4-14-test updated

2021-12-08 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0
   via  ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching 
for the local replicated object
   via  b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression
  from  aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit 3d35397e10348317ab2adbaf033c5becf59fcc33
Author: Ralph Boehme 
Date:   Fri Nov 26 11:59:45 2021 +0100

smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Wed Dec  8 14:36:05 UTC 2021 on sn-devel-184

commit ce1186e06ed2581a29af794eb66405a4efe26b71
Author: Andrew Bartlett 
Date:   Fri Nov 12 12:44:44 2021 +1300

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local 
replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

commit b0d67dc3d42b81e5e35da26a333c4fcd67baab1f
Author: Ralph Boehme 
Date:   Fri Nov 26 10:57:17 2021 +0100

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)

---

Summary of changes:
 source3/auth/user_krb5.c|  9 +
 source3/libsmb/dsgetdcname.c|  4 
 source4/dsdb/samdb/ldb_modules/operational.c|  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
 4 files changed, 26 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+   bool may_retry = false;
 
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+   may_retry = true;
}
 
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
 
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   if (may_retry && pw == NULL && !*is_mapped) {
+   fuser = talloc_strdup(mem_ctx, user);
+   if (!fuser) {
+   return NT_STATUS_NO_MEMORY;
+   }
+   pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
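Review bot: The retry in the last hunk looks up the bare `user` after the lookup of the `fuser` built with `domain` returned NULL, but nothing in the code says why that fallback is acceptable or records that it happened. Since this sits in the CVE-2020-25717 name-mapping path, add a comment above `if (may_retry && pw == NULL && !*is_mapped)` stating that the retry is limited to the branch where `domain` came from `lp_workgroup()` and to unmapped names, and log the fallback at the same level as the existing `DEBUG(3, ...)` so an administrator can see which form of the name matched. The first `fuser` is also overwritten without `talloc_free()`; it is released with `mem_ctx`, but freeing it explicitly keeps the retry self-contained.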
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index ae90e07de77..c313259bcb1 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
 
+   if (dcs[i].num_ips == 0) {
+   continue;
+   }
+
dclist[ret_count].hostname =
 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-12-08 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching 
for the local replicated object
   via  1e27b820dff CVE-2020-25717: s3-auth: fix MIT Realm regression
  from  105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based 
mapping if the named based lookup fails

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Author: Andrew Bartlett 
Date:   Fri Nov 12 12:44:44 2021 +1300

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local 
replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Wed Dec  8 16:49:25 UTC 2021 on sn-devel-184

commit 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4
Author: Ralph Boehme 
Date:   Fri Nov 26 10:57:17 2021 +0100

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)

---

Summary of changes:
 source3/auth/user_krb5.c|  9 +
 source4/dsdb/samdb/ldb_modules/operational.c|  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
 3 files changed, 22 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+   bool may_retry = false;
 
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+   may_retry = true;
}
 
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
 
pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   if (may_retry && pw == NULL && !*is_mapped) {
+   fuser = talloc_strdup(mem_ctx, user);
+   if (!fuser) {
+   return NT_STATUS_NO_MEMORY;
+   }
+   pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
+   }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
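Review bot: `unixuser` is passed to both `smb_getpwnam()` calls in the last hunk, and the context right after the retry returns `NT_STATUS_NO_MEMORY` when `pw` is set but `unixuser` is not, so the code should state (or assert) that the first, failed call leaves `unixuser` NULL and only the second call's result can reach that check. A test for an account that has no local entry under the `domain`-qualified name but does have one under the plain `user` would pin down the regression described in the commit message on this branch as well.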
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 5eaebf98141..4e60feaf14f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = {
{ "tokenGroups", "primaryGroupID", objectSid_attr, 
construct_token_groups },
{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, 
construct_token_groups_no_gc},
{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, 
construct_global_universal_token_groups },
-   { "parentGUID", NULL, NULL, construct_parent_guid },
+   { "parentGUID", "objectGUID", NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", objectCategory_attr, 
construct_msds_isrodc },
{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, 
construct_msds_keyversionnumber },
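Review bot: The `parentGUID` row now carries "objectGUID" in its second column where it had `NULL`, but neither commit message in this push says why `construct_parent_guid` needs it. A one-line comment on that table row, or a sentence in the commit message tying it to the DSDB_SEARCH_SHOW_EXTENDED_DN change, would stop someone from reverting it to `NULL` as an apparent no-op.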
diff --git a/source4/dsd

[SCM] Samba Shared Repository - branch master updated

2021-12-09 Thread Stefan Metzmacher
The branch, master has been updated
   via  e2b7a2f7811 s4-auth: Remove unused headers
   via  1bacf26d30a auth/credentials: Fix cli_credentials_shallow_ccache 
error case
   via  ce293eb861b auth/credentials: Handle ENOENT when obtaining ccache 
lifetime
  from  102ad9ee6a0 librpc: match gensec_gssapi and call 
gsskrb5_set_dns_canonicalize() for Heimdal

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e2b7a2f78117e20739aa4f895ce68825e160d451
Author: Andrew Bartlett 
Date:   Wed Dec 8 15:30:02 2021 +1300

s4-auth: Remove unused headers

These changes were submitted in a patch by
Stefan Metzmacher  in his lorikeet-heimdal
import branch of patches to upgrade to a modern Heimdal.

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Dec  9 14:14:12 UTC 2021 on sn-devel-184

commit 1bacf26d30adc89348786bff7b9e2fe6d6f43856
Author: Stefan Metzmacher 
Date:   Fri Apr 3 15:29:32 2020 +0200

auth/credentials: Fix cli_credentials_shallow_ccache error case

Avoid dangling values if something fails...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit ce293eb861b2fc6c7a88cf67664c91735bf49d44
Author: Stefan Metzmacher 
Date:   Fri Apr 3 15:27:45 2020 +0200

auth/credentials: Handle ENOENT when obtaining ccache lifetime

The new Heimdal may return ENOENT instead of KRB5_CC_END.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 auth/credentials/credentials_krb5.c   | 13 +
 source4/auth/kerberos/kerberos.h  |  1 -
 source4/auth/kerberos/krb5_init_context.c |  1 -
 3 files changed, 9 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c 
b/auth/credentials/credentials_krb5.c
index d2e7a76a69e..e69e1a83b3c 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -686,7 +686,7 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct 
cli_credentials *cred,
bool expired = false;
ret = 
smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
   cred->ccache->ccache, &lifetime);
-   if (ret == KRB5_CC_END) {
+   if (ret == KRB5_CC_END || ret == ENOENT) {
/* If we have a particular ccache set, without
 * an initial ticket, then assume there is a
 * good reason */
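Review bot: `ret == ENOENT` compares a krb5 return code against a plain errno value with no explanation in the code; the reason (the new Heimdal may return ENOENT instead of KRB5_CC_END) is only in the commit message. Extend the existing comment under the `if` to say so, so the extra condition is not later removed as a mistake, and check whether other callers of `smb_krb5_cc_get_lifetime()` that test for `KRB5_CC_END` need the same treatment.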
@@ -1060,15 +1060,22 @@ static int cli_credentials_shallow_ccache(struct 
cli_credentials *cred)
 {
krb5_error_code ret;
const struct ccache_container *old_ccc = NULL;
+   enum credentials_obtained old_obtained;
struct ccache_container *ccc = NULL;
char *ccache_name = NULL;
krb5_principal princ;
 
+   old_obtained = cred->ccache_obtained;
old_ccc = cred->ccache;
if (old_ccc == NULL) {
return 0;
}
 
+   cred->ccache = NULL;
+   cred->ccache_obtained = CRED_UNINITIALISED;
+   cred->client_gss_creds = NULL;
+   cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+
ret = krb5_cc_get_principal(
old_ccc->smb_krb5_context->krb5_context,
old_ccc->ccache,
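Review bot: Clearing `cred->ccache` and `cred->ccache_obtained` before `krb5_cc_get_principal()` changes what callers see on the error paths: as far as these hunks show, a failure further down now returns with no ccache set rather than with the old one. That matches the commit message's intent of avoiding dangling values, but it deserves a comment above the four assignments saying the state is reset first on purpose, and that `old_obtained` is put back only at the end of the function next to `cred->ccache = ccc`.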
@@ -1077,7 +1084,6 @@ static int cli_credentials_shallow_ccache(struct 
cli_credentials *cred)
/*
 * This is an empty ccache. No point in copying anything.
 */
-   cred->ccache = NULL;
return 0;
}
krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ);
@@ -1110,8 +1116,7 @@ static int cli_credentials_shallow_ccache(struct 
cli_credentials *cred)
}
 
cred->ccache = ccc;
-   cred->client_gss_creds = NULL;
-   cred->client_gss_creds_obtained = CRED_UNINITIALISED;
+   cred->ccache_obtained = old_obtained;
return ret;
 }
 
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 1dd63acc838..33ee4f301ed 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -27,7 +27,6 @@
 #include "auth/kerberos/krb5_init_context.h"
 #include "librpc/gen_ndr/krb5pac.h"
 #include "lib/krb5_wrap/krb5_samba.h"
-#include "lib/krb5_wrap/gss_samba.h"
 
 struct auth_user_info_dc;
 struct cli_credentials;
diff --git a/source4/auth/kerberos/krb5_init_context.c 
b/source4/auth/kerberos/krb5_init_context.c
index 639718cb6a6..616eebc968e 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source

[SCM] Samba Shared Repository - branch master updated

2021-12-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  2da538a4585 python:tests: Don't require an emtpy 
'authorization-data' to be present
   via  bd804e0eef8 Revert "python:tests: Don't require an emtpy 
'authorization-data' to be present"
  from  00c2425c2c1 s3/rpc_server: Remove duplicate dependency listing for 
RPC_SERVICE

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2da538a4585bc8ead5fc4e4c4422b8fe638cb621
Author: Andreas Schneider 
Date:   Thu Dec 16 07:24:58 2021 +0100

python:tests: Don't require an emtpy 'authorization-data' to be present

Signed-off-by: Andreas Schneider 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184

commit bd804e0eef85ed4e05f9a3b7afbd29b1ba4a5d97
Author: Stefan Metzmacher 
Date:   Mon Dec 20 17:02:12 2021 +0100

Revert "python:tests: Don't require an emtpy 'authorization-data' to be 
present"

This reverts commit 36325f1ee907d38c978229da67de3844f969cd33.

This was not the latest version from:
https://gitlab.com/samba-team/samba/-/merge_requests/2304
    
The correct version follows...

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 python/samba/tests/krb5/raw_testcase.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/raw_testcase.py 
b/python/samba/tests/krb5/raw_testcase.py
index 8b6eec3c40d..1496ff961cd 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2502,7 +2502,9 @@ class RawKerberosTest(TestCaseInTempDir):
 v = self.getElementValue(ticket_private,
  'authorization-data')
 if v is not None:
-self.assertEqual(0, len(v))
+self.assertElementPresent(ticket_private,
+  'authorization-data',
+  expect_empty=True)
 
 encpart_session_key = None
 if encpart_private is not None:
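Review bot: The new `assertElementPresent(..., expect_empty=True)` call sits inside `if v is not None:`, so the presence half of the assertion can never fail here and `v` is now fetched only to drive the guard. A short comment saying the element is optional but must be empty when present would make the code match the commit subject and keep a later reader from dropping the guard.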


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-12-31 Thread Stefan Metzmacher
The branch, master has been updated
   via  07cb2246cb3 Happy New Year 2022!
  from  96b10702295 smbd: Assert we don't leak fd's in struct fd_handle

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 07cb2246cb36c70588ab19b2dd83d0a29851ae59
Author: Stefan Metzmacher 
Date:   Sat Jan 1 01:31:01 2022 +0100

Happy New Year 2022!

Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sat Jan  1 01:24:21 UTC 2022 on sn-devel-184

---

Summary of changes:
 source3/include/smb.h  | 2 +-
 source4/samba/server.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 8638c80bf95..90105e00b14 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -30,7 +30,7 @@
 #include "libds/common/roles.h"
 
 /* logged when starting the various Samba daemons */
-#define COPYRIGHT_STARTUP_MESSAGE  "Copyright Andrew Tridgell and the 
Samba Team 1992-2021"
+#define COPYRIGHT_STARTUP_MESSAGE  "Copyright Andrew Tridgell and the 
Samba Team 1992-2022"
 
 #define SAFETY_MARGIN 1024
 #define LARGE_WRITEX_HDR_SIZE 65
diff --git a/source4/samba/server.c b/source4/samba/server.c
index 2915cd327c2..21a1d71b283 100644
--- a/source4/samba/server.c
+++ b/source4/samba/server.c
@@ -622,7 +622,7 @@ static int binary_smbd_main(TALLOC_CTX *mem_ctx,
binary_name,
SAMBA_VERSION_STRING));
DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team"
-   " 1992-2021\n"));
+   " 1992-2022\n"));
 
if (sizeof(uint16_t) < 2 ||
sizeof(uint32_t) < 4 ||
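Review bot: The year range is maintained by hand in two places, the `COPYRIGHT_STARTUP_MESSAGE` define in `source3/include/smb.h` and the string literal in the `DEBUGADD` call in `source4/samba/server.c`. If a header common to both trees can carry the define, having `server.c` use it would reduce the yearly bump to one line and remove the chance of the two drifting apart.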


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2022-01-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  7d16a56b9d1 s4:dsdb/vlv_pagination: fix segfault in vlv_results()
   via  19fa22b1fbc s4:dsdb/paged_results: fix segfault in paged_results()
  from  7055827b8ff HEIMDAL: move code from source4/heimdal* to 
third_party/heimdal*

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc
Author: Stefan Metzmacher 
Date:   Wed Jan 19 15:57:08 2022 +0100

s4:dsdb/vlv_pagination: fix segfault in vlv_results()

It can happen that the vlv_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184

commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49
Author: Stefan Metzmacher 
Date:   Wed Jan 19 15:57:08 2022 +0100

s4:dsdb/paged_results: fix segfault in paged_results()

It can happen that the paged_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/paged_results.c  | 19 ---
 source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 21 +
 2 files changed, 25 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c 
b/source4/dsdb/samdb/ldb_modules/paged_results.c
index 3eea3236e7d..2063e84e157 100644
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c
+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -239,6 +239,7 @@ static int paged_search_by_dn_guid(struct ldb_module 
*module,
 
 static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 {
+   struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
struct ldb_paged_control *paged;
unsigned int i, num_ctrls;
int ret;
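Review bot: The NULL guard on `ares` in the new `response` initialiser is the core of the fix, yet the code does not say when `ares` can be NULL; the LDB_ERR_TIME_LIMIT_EXCEEDED case is named only in the commit message. Add a comment on that line. The commit message also says `ldb_module_done()` must not be called again after `paged_results()` fails, and that caller-side change is not visible in the truncated diff, so it is worth confirming it is covered by a test.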
@@ -246,7 +247,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
if (ac->store == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
-   ac->req, ac->controls, ares->response, ret);
+   ac->req, ac->controls, response, ret);
}
 
while (ac->store->last_i < ac->store->num_entries && ac->size > 0) {
@@ -276,7 +277,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
continue;
} else if (ret != LDB_SUCCESS) {
return ldb_module_done(
-   ac->req, ac->controls, ares->response, ret);
+   ac->req, ac->controls, response, ret);
}
 
ret = ldb_module_send_entry(ac->req, result->msgs[0],
@@ -318,7 +319,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
if (ac->controls == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
-   ac->req, ac->controls, ares->response, ret);
+   ac->req, ac->controls, response, ret);
}
ac->controls[num_ctrls] = NULL;
 
@@ -331,7 +332,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
if (ac->controls[i] == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
-   ac->req, ac->controls, ares->response, ret);
+   ac->req, ac->controls, response, ret);
}
 
ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -339,7 +340,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
if (ac->controls[i]->oid == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
-   ac->req, ac->controls, ares->response, ret);
+   ac->req, ac->controls, response, ret);
}
 
ac->controls[i]->critical = 0;
@@ -348,7 +349,7 @@ static int paged_results(struct paged_context *ac, struct 
ldb_reply *ares)
if

[SCM] Samba Shared Repository - branch master updated

2022-01-20 Thread Stefan Metzmacher
The branch, master has been updated
   via  d1891a0c4f6 autobuild: Fix path for libwbclient ldd checks
  from  7d16a56b9d1 s4:dsdb/vlv_pagination: fix segfault in vlv_results()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d1891a0c4f6f639f60d2063ca4c54d3b283e3636
Author: Andreas Schneider 
Date:   Thu Jan 20 11:17:29 2022 +0100

autobuild: Fix path for libwbclient ldd checks

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Jan 20 14:19:02 UTC 2022 on sn-devel-184

---

Summary of changes:
 script/autobuild.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index 041169e022e..6634356f031 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -894,14 +894,14 @@ tasks = {
 ("allshared-no-libldb", "find ./bin | grep -v 'module' | grep -v 
'libldbsamba' | grep 'libldb' && exit 1; exit 0"),
 ("allshared-no-samba-nss_winbind", "ldd 
./bin/plugins/libnss_winbind.so.2 | grep 'samba' && exit 1; exit 0"),
 ("allshared-no-samba-nss_wins", "ldd 
./bin/plugins/libnss_wins.so.2 | grep 'samba' && exit 1; exit 0"),
-("allshared-no-samba-libwbclient", "ldd 
./bin/plugins/libwbclient.so.0 | grep 'samba' && exit 1; exit 0"),
+("allshared-no-samba-libwbclient", "ldd 
./bin/shared/libwbclient.so.0 | grep 'samba' && exit 1; exit 0"),
 ("allshared-no-samba-pam_winbind", "ldd 
./bin/plugins/pam_winbind.so | grep -v 'libtalloc.so.2' | grep 'samba' && exit 
1; exit 0"),
 ("allshared-no-public-nss_winbind",
 nm_grep_symbols("./bin/plugins/libnss_winbind.so.2", " T 
_nss_winbind_")),
 ("allshared-no-public-nss_wins",
 nm_grep_symbols("./bin/plugins/libnss_wins.so.2", " T 
_nss_wins_")),
 ("allshared-no-public-libwbclient",
-nm_grep_symbols("./bin/plugins/libwbclient.so.0", " T wbc")),
+nm_grep_symbols("./bin/shared/libwbclient.so.0", " T wbc")),
 ("allshared-no-public-pam_winbind",
 nm_grep_symbols("./bin/plugins/pam_winbind.so", "T pam_sm_")),
 ("allshared-no-public-winbind_krb5_locator",
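Review bot: A wrong path such as the old `./bin/plugins/libwbclient.so.0` can pass unnoticed because of the shape of these checks: in `ldd <path> | grep 'samba' && exit 1; exit 0` a missing file makes `ldd` write nothing to stdout, `grep` matches nothing, and the task exits 0. Correcting the path fixes this entry, but the neighbouring `ldd` lines will pass just as silently if a library moves again; prefixing each command with `test -f <path> || exit 1;` would turn a stale path into a build failure.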


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2022-01-21 Thread Stefan Metzmacher
The branch, master has been updated
   via  fa5413b63c8 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS 
mode
   via  f03abaec2ab s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS 
mode
   via  fcf225a356a s3:winbindd: Remove trailing spaces from winbindd_ads.c
   via  9624e60e8c3 s4:selftest: plan test suite 
samba4.blackbox.test_weak_disable_ntlmssp_ldap
   via  eb0fa26dce7 tests: Add test for disabling NTLMSSP for ldap client 
connections
   via  17ea2ccdabb s3:libads: Disable NTLMSSP if not allowed (for builds 
without kerberos)
   via  5f6251abf2f s3:libads: Improve debug messages for SASL bind
   via  7785eb9b780 s3:libads: Disable NTLMSSP for FIPS
   via  49d18f2d6e8 s3:libads: Remove trailing spaces from sasl.c
   via  afcdb090769 s3:utils: set ads->auth.flags using krb5_state
   via  6843bdae306 wafsamba: Add our own implmentation to generate the 
clangdb
   via  85dbc023c30 wafsamba: Remove clangdb code which doesn't work
  from  82a21581c63 build: Without getrandom() require gnutls 3.7.2

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9
Author: Pavel Filipenský 
Date:   Fri Jan 21 12:01:33 2022 +0100

s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider 

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184

commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96
Author: Pavel Filipenský 
Date:   Tue Jan 18 19:44:54 2022 +0100

s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider 

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit fcf225a356abb06d1205f66eb79f707c85803cb5
Author: Pavel Filipenský 
Date:   Tue Jan 18 19:47:38 2022 +0100

s3:winbindd: Remove trailing spaces from winbindd_ads.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95
Author: Pavel Filipenský 
Date:   Tue Jan 4 12:00:20 2022 +0100

s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit eb0fa26dce77829995505f542af02e32df088cd6
Author: Pavel Filipenský 
Date:   Mon Jan 3 15:33:46 2022 +0100

tests: Add test for disabling NTLMSSP for ldap client connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 17ea2ccdabbe935ef571e1227908d51b755707bc
Author: Pavel Filipenský 
Date:   Mon Jan 3 11:13:06 2022 +0100

s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider 

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 5f6251abf2f468b3744a96376b0e1c3bc317c738
Author: Pavel Filipenský 
Date:   Fri Jan 7 10:31:19 2022 +0100

s3:libads: Improve debug messages for SASL bind

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider 

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329
Author: Pavel Filipenský 
Date:   Thu Dec 9 13:43:08 2021 +0100

s3:libads: Disable NTLMSSP for FIPS

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider 

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4
Author: Pavel Filipenský 
Date:   Wed Dec 8 16:05:17 2021 +0100

s3:libads: Remove trailing spaces from sasl.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit afcdb090769f6f0f66428cd29f88b0283c6bd527
Author: Pavel Filipenský 
Date:   Fri Dec 10 16:08:04 2021 +0100

s3:utils: set ads->auth.flags using krb5_state

BUG: https://bugzilla.samba.org/show

[SCM] Samba Shared Repository - branch master updated

2022-01-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  809f4fe2c78 s4:librpc: raise log level for failed connection 
attempts
  from  fa5413b63c8 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS 
mode

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 809f4fe2c7862f25547cbdcf01160537e43e3f95
Author: Björn Jacke 
Date:   Sun Jan 23 12:35:22 2022 +0100

s4:librpc: raise log level for failed connection attempts

this keeps the log files silent when other DCs are currently not running. We
saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now.

https://bugzilla.samba.org/show_bug.cgi?id=11537

Signed-off-by: Bjoern Jacke 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184

---

Summary of changes:
 source4/librpc/rpc/dcerpc_sock.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c
index e7ecca73e3c..ec5a5ca8f8e 100644
--- a/source4/librpc/rpc/dcerpc_sock.c
+++ b/source4/librpc/rpc/dcerpc_sock.c
@@ -58,9 +58,9 @@ static void continue_socket_connect(struct composite_context 
*ctx)
 
c->status = socket_connect_recv(ctx);
if (!NT_STATUS_IS_OK(c->status)) {
-   DEBUG(0, ("Failed to connect host %s on port %d - %s\n", 
+   DBG_NOTICE("Failed to connect host %s on port %d - %s\n",
  s->server->addr, s->server->port,
- nt_errstr(c->status)));
+ nt_errstr(c->status));
composite_error(c, c->status);
return;
}
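Review bot: Switching `DEBUG(0, ...)` to `DBG_NOTICE(...)` demotes every failing `c->status` in `continue_socket_connect()`, while the commit message only argues for silencing NT_STATUS_HOST_UNREACHABLE from DCs that are not running. Consider keeping the level-0 message for other status codes and using the lower level only for the unreachable case, so that unexpected connection failures still appear in default logs.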
@@ -240,9 +240,9 @@ static void continue_ip_open_socket(struct 
composite_context *ctx)
c->status = dcerpc_pipe_open_socket_recv(ctx, s, &localaddr);
if (!NT_STATUS_IS_OK(c->status)) {
/* something went wrong... */
-   DEBUG(0, ("Failed to connect host %s (%s) on port %d - %s.\n",
+   DBG_NOTICE("Failed to connect host %s (%s) on port %d - %s.\n",
  s->addresses[s->index - 1], s->target_hostname,
- s->port, nt_errstr(c->status)));
+ s->port, nt_errstr(c->status));
if (s->addresses[s->index]) {
struct composite_context *sock_ip_req;
talloc_free(s->srvaddr);


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-15-test updated

2022-01-24 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  d93892d2e8e ldb: version 2.4.2
  from  cf1ee828aa1 waf: Fix resolv_wrapper with glibc 2.34

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit d93892d2e8ed69758c15ab18bc03bba09e715bc6
Author: Stefan Metzmacher 
Date:   Mon Jan 24 12:37:28 2022 +0100

ldb: version 2.4.2

CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter 
processing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Mon Jan 24 12:44:54 UTC 2022 on sn-devel-184

---

Summary of changes:
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.2.sigs}   | 0
 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.2.sigs} | 0
 lib/ldb/wscript  | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.2.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.2.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.4.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs 
b/lib/ldb/ABI/pyldb-util-2.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.4.2.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 986690181ec..c470f854b99 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -2,7 +2,7 @@
 
 APPNAME = 'ldb'
 # For Samba 4.15.x
-VERSION = '2.4.1'
+VERSION = '2.4.2'
 
 import sys, os
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-16-test updated

2022-01-24 Thread Stefan Metzmacher
The branch, v4-16-test has been updated
   via  401df670af4 VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 
release.
   via  c6bc927ac8f WHATSNEW: Up to Samba 4.16.0rc1.
   via  1c776e54cf3 tdb: version 1.4.6
  from  809f4fe2c78 s4:librpc: raise log level for failed connection 
attempts

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
---

Summary of changes:
 VERSION | 6 +++---
 WHATSNEW.txt| 2 +-
 lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.6.sigs} | 0
 lib/tdb/wscript | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
 copy lib/tdb/ABI/{tdb-1.3.17.sigs => tdb-1.4.6.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ec3b043eaaa..ddecf60a1f0 100644
--- a/VERSION
+++ b/VERSION
@@ -77,7 +77,7 @@ SAMBA_VERSION_BETA_RELEASE=
 # e.g. SAMBA_VERSION_PRE_RELEASE=1 #
 #  ->  "2.2.9pre1" #
 
-SAMBA_VERSION_PRE_RELEASE=1
+SAMBA_VERSION_PRE_RELEASE=
 
 
 # For 'rc' releases the version will be#
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=1
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=
+SAMBA_VERSION_RC_RELEASE=1
 
 
 # To mark SVN snapshots this should be set to 'yes'#
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes   #
 #  ->  "3.0.0-SVN-build-199"   #
 
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
 
 
 # This is for specifying a release nickname#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a65439c43da..71a8d9a103e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =
 
-This is the first pre release of Samba 4.16.  This is *not*
+This is the first release candidate of Samba 4.16.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
diff --git a/lib/tdb/ABI/tdb-1.3.17.sigs b/lib/tdb/ABI/tdb-1.4.6.sigs
similarity index 100%
copy from lib/tdb/ABI/tdb-1.3.17.sigs
copy to lib/tdb/ABI/tdb-1.4.6.sigs
diff --git a/lib/tdb/wscript b/lib/tdb/wscript
index 81132dc3276..2eb25b7f235 100644
--- a/lib/tdb/wscript
+++ b/lib/tdb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'tdb'
-VERSION = '1.4.5'
+VERSION = '1.4.6'
 
 import sys, os
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-2.4.2 created

2022-01-24 Thread Stefan Metzmacher
The annotated tag, ldb-2.4.2 has been created
at  7dd33795ae7be3c9556aae71d2e0a399be689941 (tag)
   tagging  d93892d2e8ed69758c15ab18bc03bba09e715bc6 (commit)
  replaces  samba-4.15.4
 tagged by  Stefan Metzmacher
on  Mon Jan 24 13:47:50 2022 +0100

- Log -
ldb: tag release ldb-2.4.2

Andreas Schneider (1):
  waf: Fix resolv_wrapper with glibc 2.34

Jule Anger (1):
  VERSION: Bump version up to Samba 4.15.5...

Stefan Metzmacher (1):
  ldb: version 2.4.2

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-2.5.0 created

2022-01-24 Thread Stefan Metzmacher
The annotated tag, ldb-2.5.0 has been created
at  3e87034f37af8e68b85968b71fc65e60b891697e (tag)
   tagging  1d5b155619bc532c46932965b215bd73a920e56f (commit)
  replaces  tdb-1.4.5
 tagged by  Stefan Metzmacher
on  Mon Jan 24 13:25:10 2022 +0100

- Log -
ldb: tag release ldb-2.5.0

Alenka Glukhovskaya (1):
  Added russian translate file

Alex Richardson (8):
  Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
  charset_macosxfs.c: fix compilation on macOS
  audit_logging.c: fix compilation on macOS
  source3/printing/queue_process.c: fix build on macOS
  sec_ctx.c: Fix -Wunused-function warning on macOS
  source3/smbd/statcache.c: Fix -Wformat build error on macOS
  vfs_preopen.c: Fix -Wformat error on macOS
  Fix detection of rpc/xdr.h on macOS

Alexander Bokovoy (2):
  CVE-2020-25717: Add FreeIPA domain controller role
  IPA DC: add missing checks

Amitay Isaacs (1):
  lib/tsocket: Fix build on Freebsd

Andreas Schneider (64):
  bootstrap: Install krb5-workstation on Fedora based distros
  autobuild: Exclude fips envs from samba and samba-mitkrb5
  s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
  python:waf: Correctly check for python-dateutil
  bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
  lib:cmdline: Use lp_load_global() for servers
  selftest: Re-format long lines in selftesthelpers.py
  selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
  selftest: Add support for setting ENV variables in plantestsuite()
  s3:selftests: Pass env variables to fips tests
  s4:selftests: Pass env variables to fips tests
  selftest: Pass env variables to fips tests
  selftest: Remove fips env variables from client env
  auth:gensec: Use lpcfg_weak_crypto()
  s4:rpc_server: Allow to set user password in FIPS mode
  s4:libnet: Remove trailing whitespaces
  s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
  netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
  selftest: Fix setting environ for plansmbtorture4testsuite()
  s4:selftest: Pass environ to plansmbtorture4testsuite()
  s4:torture: Remove trailing whitespaces in rpc.c
  s4:torture: Add rpc netlogon fips test
  configure: Do not put arguments into double quotes
  s3:winbindd: Add a check for the path length of 'winbindd socket directory'
  gitlab: Use shorter names for Samba AD DC env with MIT KRB5
  mit-samba: Define debug class for kdb module
  mit-samba: Send the logging to the kdc log facility
  mit-samba: Use talloc_get_type_abort() instead of casting
  mit-samba: Only set the function opening bracket once
  s3:winbind: Do not start if the priviliged socket path is too long
  s3:winbindd: Pass the right variable to the debug message
  lib:replace: Remove trailing spaces from testsuite.c
  testsuite: Fix build with gcc >= 11.1.1
  selftest: Add python path for compiled python modules like ldb
  third_party: Add a script to update waf
  third_party: Update waf to version 2.0.22
  s3:utils: Fix format error
  lib:fuzzing: Fix quoting of --fuzz-target-ldflags
  docs-xml: Remove trailing spaces in smb.conf.5.xml
  docs-xml: Use /var/tmp for spooling in smb.conf.5
  waf: Allow building with MIT KRB5 >= 1.20
  Revert "gp: Apply Firewalld Policy"
  Revert "gp: Test Firewalld Group Policy Apply"
  Revert "gp: Add Firewalld ADMX templates"
  testprogs: Use new cmdline option for kerberos
  lib:cmdline: Fix -k option which doesn't expect anything
  third_party: Update pam_wrapper to version 1.1.4
  editorconfig: Heimdal has mixed spaces and tabs with different width
  waf: Fix resolv_wrapper with glibc 2.34
  gitlab-ci: Add Fedora 35 and drop Fedora 33
  CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
  CVE-2020-25719 mit-samba: Add ks_free_principal()
  CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
  CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
  CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
  CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba

[SCM] Samba Shared Repository - branch v4-14-test updated

2022-01-24 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  6417cadc277 ldb: version 2.3.3
  from  1d181de02de auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit 6417cadc2770f5abc8aa78f32e1c25b83c4063f1
Author: Stefan Metzmacher 
Date:   Mon Jan 24 12:37:28 2022 +0100

ldb: version 2.3.3

CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14694

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Mon Jan 24 14:00:42 UTC 2022 on sn-devel-184

---

Summary of changes:
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs}   | 0
 lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} | 0
 lib/ldb/wscript  | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.3.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.3.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.3.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.3.3.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs 
b/lib/ldb/ABI/pyldb-util-2.3.3.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.3.3.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 38f2d578c2e..4a0d807a731 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -2,7 +2,7 @@
 
 APPNAME = 'ldb'
 # For Samba 4.14.x
-VERSION = '2.3.2'
+VERSION = '2.3.3'
 
 import sys, os
 
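Review bot: the only functional change here is the VERSION line going from '2.3.2' to '2.3.3', yet the commit message lists CVE-2021-3670 as if this commit carried it. Suggest saying in the message that the timeout check itself landed in an earlier commit on the branch and that this commit only tags the release, so someone auditing the branch by CVE number does not take a version bump for the fix.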


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-2.3.3 created

2022-01-24 Thread Stefan Metzmacher
The annotated tag, ldb-2.3.3 has been created
at  21997eae2e65206bbdbe92c99a2bd5b08fdd15f7 (tag)
   tagging  6417cadc2770f5abc8aa78f32e1c25b83c4063f1 (commit)
  replaces  samba-4.14.11
 tagged by  Stefan Metzmacher
on  Mon Jan 24 15:04:10 2022 +0100

- Log -
ldb: tag release ldb-2.3.3

Jeremy Allison (5):
  tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
  lib: util: Add a function nt_time_to_unix_timespec_raw().
  s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
  s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
  s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()

Jones Syue (1):
  s3: includes: Make the comments describing itime consistent. Always use "invented" time.

Jule Anger (1):
  VERSION: Bump version up to Samba 4.14.12...

Stefan Metzmacher (10):
  selftest/Samba3: enable SMB1 for maptoguest
  s4:torture/libsmbclient: add libsmbclient.noanon_list test
  s4:selftest: run libsmbclient.noanon_list against maptoguest
  s3:libsmb: fix signing regression SMBC_server_internal()
  auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
  s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
  libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
  libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
  auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
  ldb: version 2.3.3

Volker Lendecke (1):
  ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag tdb-1.4.6 created

2022-01-24 Thread Stefan Metzmacher
The annotated tag, tdb-1.4.6 has been created
at  294de0b8779c13cf2137cf3b70d1a5d0e11780c5 (tag)
   tagging  1c776e54cf33b46b2ed73263f093d596a0cdbb2f (commit)
  replaces  tdb-1.4.5
 tagged by  Stefan Metzmacher
on  Mon Jan 24 13:24:26 2022 +0100

- Log -
tdb: tag release tdb-1.4.6

Alenka Glukhovskaya (1):
  Added russian translate file

Alex Richardson (8):
  Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
  charset_macosxfs.c: fix compilation on macOS
  audit_logging.c: fix compilation on macOS
  source3/printing/queue_process.c: fix build on macOS
  sec_ctx.c: Fix -Wunused-function warning on macOS
  source3/smbd/statcache.c: Fix -Wformat build error on macOS
  vfs_preopen.c: Fix -Wformat error on macOS
  Fix detection of rpc/xdr.h on macOS

Alexander Bokovoy (2):
  CVE-2020-25717: Add FreeIPA domain controller role
  IPA DC: add missing checks

Amitay Isaacs (2):
  lib/tsocket: Fix build on Freebsd
  ctdb-tests: Implement srvid_handler for dispatching messages

Andreas Schneider (106):
  bootstrap: Install krb5-workstation on Fedora based distros
  autobuild: Exclude fips envs from samba and samba-mitkrb5
  s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
  python:waf: Correctly check for python-dateutil
  bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
  lib:cmdline: Use lp_load_global() for servers
  selftest: Re-format long lines in selftesthelpers.py
  selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
  selftest: Add support for setting ENV variables in plantestsuite()
  s3:selftests: Pass env variables to fips tests
  s4:selftests: Pass env variables to fips tests
  selftest: Pass env variables to fips tests
  selftest: Remove fips env variables from client env
  auth:gensec: Use lpcfg_weak_crypto()
  s4:rpc_server: Allow to set user password in FIPS mode
  s4:libnet: Remove trailing whitespaces
  s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
  netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
  selftest: Fix setting environ for plansmbtorture4testsuite()
  s4:selftest: Pass environ to plansmbtorture4testsuite()
  s4:torture: Remove trailing whitespaces in rpc.c
  s4:torture: Add rpc netlogon fips test
  configure: Do not put arguments into double quotes
  s3:winbindd: Add a check for the path length of 'winbindd socket directory'
  gitlab: Use shorter names for Samba AD DC env with MIT KRB5
  mit-samba: Define debug class for kdb module
  mit-samba: Send the logging to the kdc log facility
  mit-samba: Use talloc_get_type_abort() instead of casting
  mit-samba: Only set the function opening bracket once
  s3:winbind: Do not start if the priviliged socket path is too long
  s3:winbindd: Pass the right variable to the debug message
  lib:replace: Remove trailing spaces from testsuite.c
  testsuite: Fix build with gcc >= 11.1.1
  selftest: Add python path for compiled python modules like ldb
  third_party: Add a script to update waf
  third_party: Update waf to version 2.0.22
  s3:utils: Fix format error
  lib:fuzzing: Fix quoting of --fuzz-target-ldflags
  docs-xml: Remove trailing spaces in smb.conf.5.xml
  docs-xml: Use /var/tmp for spooling in smb.conf.5
  waf: Allow building with MIT KRB5 >= 1.20
  Revert "gp: Apply Firewalld Policy"
  Revert "gp: Test Firewalld Group Policy Apply"
  Revert "gp: Add Firewalld ADMX templates"
  testprogs: Use new cmdline option for kerberos
  lib:cmdline: Fix -k option which doesn't expect anything
  third_party: Update pam_wrapper to version 1.1.4
  editorconfig: Heimdal has mixed spaces and tabs with different width
  waf: Fix resolv_wrapper with glibc 2.34
  gitlab-ci: Add Fedora 35 and drop Fedora 33
  CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
  CVE-2020-25719 mit-samba: Add ks_free_principal()
  CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
  CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
  CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac(

[SCM] Samba Shared Repository - branch master updated

2022-01-24 Thread Stefan Metzmacher
The branch, master has been updated
   via  12464bd4c22 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
   via  43648e95a51 librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
   via  8da26cb6725 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
   via  1dc385cb648 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
   via  d1a7f392a8c ndrdump: make use of dump_data_file_diff() in order to show differences
   via  b489b7feda1 lib/util: add dump_data_diff*() helpers
   via  9110a8854a5 blackbox.ndrdump: adjust example files to changed dump_data() output.
   via  58b09e107ca lib/util: split out a dump_data_block16() helper
   via  0651fa474cd dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
   via  be1935dac8a WHATSNEW: Start release notes for Samba 4.17.0pre1.
  from  d844bc6cbdb ldb: bump version to 2.6.0 for Samba 4.17.x releases

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 12464bd4c222d996aac6d6250b7945d63f20f4bc
Author: Stefan Metzmacher 
Date:   Fri Jan 21 20:42:45 2022 +0100

blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test

This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.

This is fixed now and we no longer expect ndrdump to exit with 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184

commit 43648e95a514020da4c7efa62df55d0882e3db85
Author: Stefan Metzmacher 
Date:   Wed Nov 3 13:57:50 2021 +0100

librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0

convert_string_talloc_handle() tries to play on the safe side
and always returns a null terminated array.

But for NDR we need to be correct on the wire...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 8da26cb6725b5d853ab481a348a3a672966715b5
Author: Stefan Metzmacher 
Date:   Fri Jan 21 01:09:23 2022 +0100

s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong

convert_string_talloc() never returns a string with len=0 and always
implies zero termination byte(s).

For ndr_push_string this is unexpected as we need to be compatible on
the wire and push 0 bytes for an empty string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 1dc385cb648f0c37b04f4ede6b1c96916e379b23
Author: Stefan Metzmacher 
Date:   Fri Jan 21 20:28:59 2022 +0100

blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit d1a7f392a8ceef111a5d6c3d2a3bdb9dcb90db5e
Author: Stefan Metzmacher 
Date:   Wed Nov 3 13:32:48 2021 +0100

ndrdump: make use of dump_data_file_diff() in order to show differences

This makes it much easier to detect differences in the given and
generated buffers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit b489b7feda19b3c0f0fe2300f2c76d416776355b
Author: Stefan Metzmacher 
Date:   Wed Nov 3 11:40:13 2021 +0100

lib/util: add dump_data_diff*() helpers

That will make it easy to see the difference
between two memory buffers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 9110a8854a518befa2908c26076e17a085c5ec48
Author: Stefan Metzmacher 
Date:   Fri Jan 21 20:06:40 2022 +0100

blackbox.ndrdump: adjust example files to changed dump_data() output.

The cleanup using dump_data_block16() fixed the space handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 58b09e107cadd7fb8191822d4e7e42657b1ed4c7
Author: Stefan Metzmacher 
Date:   Wed Nov 3 11:05:52 2021 +0100

lib/util: split out a dump_data_block16() helper

This simplifies the logic a lot for me.

It also fixes some corner cases regarding whitespaces in the
output, that's why we have to mark a few tests as knownfail,
they will be fixed in the next commit.

BUG: https://bugzi

[SCM] Samba Shared Repository - branch v4-16-test updated

2022-01-28 Thread Stefan Metzmacher
The branch, v4-16-test has been updated
   via  3fdc553c981 VERSION: Bump version up to 4.16.0rc2...
  from  401df670af4 VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
commit 3fdc553c9812f1d857abc7ed328e21ec7b56796d
Author: Stefan Metzmacher 
Date:   Fri Jan 28 11:18:06 2022 +0100

VERSION: Bump version up to 4.16.0rc2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-16-test): Stefan Metzmacher 
Autobuild-Date(v4-16-test): Fri Jan 28 11:17:33 UTC 2022 on sn-devel-184

---

Summary of changes:
 VERSION | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ddecf60a1f0..89dddc40217 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
 
 
 # To mark SVN snapshots this should be set to 'yes'#
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=1
 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes   #
 #  ->  "3.0.0-SVN-build-199"   #
 
-SAMBA_VERSION_IS_GIT_SNAPSHOT=no
+SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
 
 
 # This is for specifying a release nickname#


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-16-test updated

2022-01-31 Thread Stefan Metzmacher
The branch, v4-16-test has been updated
   via  29355d0a2d4 VERSION: Bump version up to Samba 4.16.0rc3...
   via  a4763bd9d87 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc2 release.
   via  4c3863633d3 WHATSNEW: Add release notes for Samba 4.16.0rc2.
   via  c278515c492 s3/rpc_server: install elasticsearch_mappings.json
   via  b88d24e33b2 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
   via  239e915b8f7 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
   via  86157b3c7bf CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
   via  f4202a0bccd CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
   via  4106af6d620 CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via  b8da8b72205 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
   via  c6d70dad3a2 CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via  ea20599ff17 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
   via  e6ccaced533 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
   via  1dcd818303b CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
   via  ef822984360 CVE-2021-44142: libadouble: harden parsing code
   via  03c6ba0054b CVE-2021-44142: libadouble: add basic cmocka tests
   via  39eb60d97a4 CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
   via  36f847861bc CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
   via  9d7dd721b81 CVE-2021-44142: libadouble: add defines for icon lengths
   via  e4f18bfaec8 CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
   via  eaede91afd6 CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
  from  4d3054261df blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
commit 29355d0a2d4e2b64a0cd1b8d16067f94f1594114
Author: Jule Anger 
Date:   Mon Jan 31 12:56:33 2022 +0100

VERSION: Bump version up to Samba 4.16.0rc3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

Autobuild-User(v4-16-test): Stefan Metzmacher 
Autobuild-Date(v4-16-test): Mon Jan 31 15:26:29 UTC 2022 on sn-devel-184

commit a4763bd9d87f9efe93fa6d3ffc0ae9588663f8ef
Author: Jule Anger 
Date:   Mon Jan 31 12:56:06 2022 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc2 release.

Signed-off-by: Jule Anger 

commit 4c3863633d31a3a45e5259e495c970e71df32732
Author: Jule Anger 
Date:   Mon Jan 31 12:55:04 2022 +0100

WHATSNEW: Add release notes for Samba 4.16.0rc2.

Signed-off-by: Jule Anger 
Signed-off-by: Stefan Metzmacher 

commit c278515c492a1b9ca842e809120ecf3a1328d112
Author: Ralph Boehme 
Date:   Thu Jan 27 12:06:55 2022 +0100

s3/rpc_server: install elasticsearch_mappings.json

This was accidentally removed by
a7c65958a15149918415b7456d6f20ee8c9669d2 because the original code
only installed the json file if the mdssvc was built as module:

 if bld.SAMBA3_IS_ENABLED_MODULE('rpc_mdssvc_module'):
 bld.INSTALL_FILES(bld.env.SAMBA_DATADIR,
   'mdssvc/elasticsearch_mappings.json')

Installing the json file should just depend on Elasticsearch support
being enabled, regardless of the removed module support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14961

Signed-off-by: Ralph Boehme 
Reviewed-by: Noel Power 

Autobuild-User(master): Noel Power 
Autobuild-Date(master): Fri Jan 28 10:22:31 UTC 2022 on sn-devel-184

(cherry picked from commit 0eecfddd071ea54844c56516dd7adc761be03c27)

commit b88d24e33b2f4a2a540698520d76f1b8a2fe3e4d
Author: Jeremy Allison 
Date:   Tue Dec 7 22:19:29 2021 -0800

CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().

We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.

Remove knownfail.d/posix_sylink_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison 

commit 239e915b8f721bab820ffba6ff355d828a34ffe9
Author: Jeremy Allison 
D

[SCM] Samba Shared Repository - branch master updated

2022-01-31 Thread Stefan Metzmacher
The branch, master has been updated
   via  e4e5539e402 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
   via  a44435c6e76 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
   via  be138920200 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
   via  43455edd29a CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
   via  458c7555a94 CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via  f5b28d8aa33 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
   via  3e9f6d704d3 CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via  4e75e24baab CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
   via  3bc85d615e6 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
   via  1f7e870ddad CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
   via  751d7696646 CVE-2021-44142: libadouble: harden parsing code
   via  eb087934025 CVE-2021-44142: libadouble: add basic cmocka tests
   via  c61a06503ed CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
   via  96083abc0c3 CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
   via  a9211cfe6e4 CVE-2021-44142: libadouble: add defines for icon lengths
   via  1a5dc817c0c CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
   via  c58ede44f38 CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
  from  6063e8016fc s4:kdc: Translate HDB flags to SDB flags

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e4e5539e402fd2116b4eb4f4f2d687da509491d6
Author: Jeremy Allison 
Date:   Tue Dec 7 22:19:29 2021 -0800

CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().

We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.

Remove knownfail.d/posix_sylink_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Mon Jan 31 16:26:26 UTC 2022 on sn-devel-184

commit a44435c6e763e042e6c4cdbb70fc0479f1662c66
Author: Jeremy Allison 
Date:   Tue Dec 7 22:15:46 2021 -0800

CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.

Add a knownfail.d/posix_sylink_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison 

commit be13892020013377994634a2367c3aff53245f44
Author: Jeremy Allison 
Date:   Tue Dec 7 14:39:42 2021 -0800

CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().

If filename_convert() fails to convert the path, we never call
check_name(). This means we can return an incorrect error code
(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
outside the share to a non-readable directory. We need to make
sure in this case we always call check_name().

Remove knownfail.d/symlink_traversal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison 

commit 43455edd29af00a0a4186f83557eec7481434170
Author: Jeremy Allison 
Date:   Tue Dec 7 14:33:17 2021 -0800

CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.

NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.

Remove:

samba3.blackbox.test_symlink_traversal.SMB1.posix
samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)

in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911

Signed-off-by: Jeremy Allison 

commit 458c7555a94f8d1e6e132b2568e900fddba3b2f9
Author: Jeremy Allison 
Date:   Tue Dec 7 11:44:09 2021 -0800

CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open

[SCM] Samba Shared Repository - branch master updated

2022-02-02 Thread Stefan Metzmacher
The branch, master has been updated
   via  735f3d7dde3 libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug
   via  99182af4ab5 libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len
   via  68e62962b08 selftest/quick: add smb2.session
  from  1905c77a080 lib:replace: Fix NULL issue reported by covscan

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 735f3d7dde3daf5d0af2e8a1de60422b88663992
Author: Stefan Metzmacher 
Date:   Mon Jan 31 20:33:43 2022 +0100

libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug

The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
*ptext_len = ctext_len;
instead of:
*ptext_len = ctext_len - tag_size;

This got fixed with gnutls 3.5.2.

As we only require gnutls 3.4.7 we need to cope with this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Feb  2 18:29:08 UTC 2022 on sn-devel-184

commit 99182af4ab5a3413311e27c2a193e09babceb01c
Author: Stefan Metzmacher 
Date:   Mon Jan 31 20:33:43 2022 +0100

libcli/smb: fix error checking in smb2_signing_decrypt_pdu() invalid ptext_len

When the ptext_size != m_total check fails, we call this:

   status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
   goto out;

As rc is 0 at that point we'll exit smb2_signing_decrypt_pdu()
with NT_STATUS_OK, but without copying the decrypted data
back into the callers buffer. Which leads to strange errors
in the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 68e62962b08497da8359ddbe4324443818c05cd1
Author: Stefan Metzmacher 
Date:   Tue Feb 1 10:52:27 2022 +0100

selftest/quick: add smb2.session

We run the quicktest on each linux distro as part of samba-o3 builds.

We should make sure smb2 signing/encryption works on all of them
and all different system libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 libcli/smb/smb2_signing.c   | 24 +++-
 selftest/quick  |  1 +
 wscript_configure_system_gnutls |  3 +++
 3 files changed, 27 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 4a94b026ccc..6efb87801cb 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -1251,9 +1251,31 @@ NTSTATUS smb2_signing_decrypt_pdu(struct 
smb2_signing_key *decryption_key,
ctext_size,
ptext,
&ptext_size);
-   if (rc < 0 || ptext_size != m_total) {
+   if (rc < 0) {
+   TALLOC_FREE(ptext);
+   TALLOC_FREE(ctext);
+   status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_INTERNAL_ERROR);
+   goto out;
+   }
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
+   /*
+* Note that gnutls before 3.5.2 had a bug and returned
+* *ptext_len = ctext_len, instead of
+* *ptext_len = ctext_len - tag_size
+*/
+   if (ptext_size != ctext_size) {
+   TALLOC_FREE(ptext);
+   TALLOC_FREE(ctext);
+   rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
+   status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_INTERNAL_ERROR);
+   goto out;
+   }
+   ptext_size -= tag_size;
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
+   if (ptext_size != m_total) {
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
+   rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
status = gnutls_error_to_ntstatus(rc, 
NT_STATUS_INTERNAL_ERROR);
goto out;
}
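Review bot: The `ptext_size != ctext_size` check inside `#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG` is fixed at build time, while the behaviour it compensates for belongs to whichever gnutls is loaded at run time. A binary built against a gnutls older than 3.5.2 and later run with a fixed library would see `ptext_size == ctext_size - tag_size` and fail every decrypt here with GNUTLS_E_SHORT_MEMORY_BUFFER. Consider subtracting `tag_size` only when `ptext_size == ctext_size` and letting the existing `ptext_size != m_total` check reject everything else, so that both library behaviours are accepted. The three identical TALLOC_FREE/status/goto blocks could also share one error path.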
diff --git a/selftest/quick b/selftest/quick
index 0e79f1020bf..6700180c2c2 100644
--- a/selftest/quick
+++ b/selftest/quick
@@ -33,6 +33,7 @@ rpc.join
 rpc.handles
 rpc.echo
 smb.signing
+smb2.session
 drs.unit
 samba4.blackbox.dbcheck.dc
 # This needs to be here to get testing of crypt_r()
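Review bot: The new `smb2.session` entry has no comment saying why it belongs in the quick list, although the `crypt_r()` line directly below shows the file already documents entries that exist to exercise a system library. A one-line comment stating that this entry is here to cover SMB2 signing/encryption against each distro's system libraries would keep it from being dropped later as redundant with `smb.signing`.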
diff --git a/wscript_configure_

[SCM] Samba Website Repository - branch master updated

2022-02-03 Thread Stefan Metzmacher
The branch, master has been updated
   via  c1f3b97 history/security.html: fix link to 
samba-4.13.17-security-2022-01-31.patch
  from  e34ef99 CVE-2021-44142.html: fix CVE version

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit c1f3b97c449f7027f5a8f841478a8e1d18e649a9
Author: Stefan Metzmacher 
Date:   Thu Feb 3 17:44:46 2022 +0100

history/security.html: fix link to samba-4.13.17-security-2022-01-31.patch

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 history/security.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/history/security.html b/history/security.html
index 16f9acf..608884f 100755
--- a/history/security.html
+++ b/history/security.html
@@ -32,7 +32,7 @@ link to full release notes for each release.
patch for Samba 4.15.5

patch for Samba 4.14.12
-   
+   
patch for Samba 4.13.17

CVE-2021-44141, CVE-2021-44142 and CVE-2022-0336. Please see 
announcements for details.


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2022-02-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  5e2386336c4 s3:trusts_utils: use a password length of 120 for 
machine accounts
   via  ad0b5561b49 upgradehelpers.py: add a comment to 
update_krbtgt_account_password()
   via  725c94d57d3 provision: add a comment that the value of krbtgtpass 
is ignored in the backend
   via  6bb7c0f2491 upgradehelpers.py: let 
update_machine_account_password() use 120 character passwords
   via  3b91be36581 provision: use 120 characters for the dns account 
password
   via  59ac782452c samba-tool/join_member: let py_net_join_member() choose 
the password
   via  576bdb08c51 s3:py_net: allow machinepass=None to 
py_net_join_member()
  from  0d8084ed628 ctdb-protocol: CID 1499395: Uninitialized variables 
(UNINIT)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5e2386336c49fab46c1192db972af5da1e916b32
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:28:53 2022 +0100

s3:trusts_utils: use a password length of 120 for machine accounts

This is important when we change the machine password against
an RODC that proxies the request to an RWDC.

An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
This hopefully found the last hole in our very robust machine account
password handling logic inside of trust_pw_change().

The lesson is: try to be as identical to how Windows works as possible,
everything else may use untested code paths on Windows.

A similar problem was fixed by this commit:

commit 609ca657652862fd9c81fd11f818efb74f72ff55
Author: Joseph Sutton 
Date:   Wed Feb 24 02:03:25 2021 +1300

provision: Decrease the length of random machine passwords

The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184

commit ad0b5561b492dfa28acfc9604b2358bb8b490703
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:23:54 2022 +0100

upgradehelpers.py: add a comment to update_krbtgt_account_password()

The backend generates its own random krbtgt password values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 725c94d57d3d656bc94633dacbac683a4c11d3e6
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:22:50 2022 +0100

provision: add a comment that the value of krbtgtpass is ignored in the 
backend

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 6bb7c0f24918329804b7f4fb71908e8fab99e266
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:22:06 2022 +0100

upgradehelpers.py: let update_machine_account_password() use 120 character 
passwords

We already changed provision to use 120 character passwords with commit
609ca657652862fd9c81fd11f818efb74f72ff55.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 3b91be36581de1007427d539daffdaa62752412d
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:08:34 2022 +0100

provision: use 120 characters for the dns account password

We should use the same as for the computer account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 59ac782452c4993274fa837256a8b9c5675e707b
Author: Stefan Metzmacher 
Date:   Mon Feb 21 15:03:22 2022 +0100

samba-tool/join_member: let py_net_join_member() choose the password

It means we'll let trust_pw_new_value() generate the password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 576bdb08c51c47c390cc390fbefdcfee275b7f0f
Author: S

[SCM] Samba Shared Repository - branch master updated

2022-03-01 Thread Stefan Metzmacher
The branch, master has been updated
   via  9eb27f296ae third_party/heimdal_build: Determine whether time_t is 
signed
   via  9936038fae7 s4:kdc: Don't pass empty PAC buffers to 
krb5_pac_add_buffer()
   via  6d8fec7006e third_party/heimdal_build: Add KDC_LIB macro definitions
   via  ef95fb43923 auth: Cope with NULL upn_name in PAC
   via  f6fe86924c2 s4:sam: Don't use talloc_steal for msg attributes in 
authsam_make_user_info_dc()
  from  afc2103da0f vfs_shadow_copy2: remove async getxattrat

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9eb27f296ae2b797803fffbb7f4cb34d8eb06f34
Author: Joseph Sutton 
Date:   Thu Feb 24 15:24:13 2022 +1300

third_party/heimdal_build: Determine whether time_t is signed

Without this, Heimdal will assume time_t is unsigned, and a wrong
assumption will cause 'infinite' ticket lifetimes to be reckoned as from
the past, and thus requests will fail with KDC_ERR_NEVER_VALID.

This is an adaptation to Heimdal:

commit 9ae9902249732237aa1711591604a6adf24963fe
Author: Nicolas Williams 
Date:   Tue Feb 15 17:01:00 2022 -0600

cf: Check if time_t is signed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton 
    Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Mar  1 18:07:50 UTC 2022 on sn-devel-184

commit 9936038fae72fb440864be543e9afd500444d502
Author: Joseph Sutton 
Date:   Thu Feb 24 15:30:17 2022 +1300

s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer()

Heimdal will no longer allow us to pass a dummy zero-length buffer to
krb5_pac_add_buffer(), so we have to pass a buffer of length 1 instead.

This is an adaption to Heimdal:

commit 190263bb7a56fc775b50a6cd0dc91820d2b2e5eb
Author: Jeffrey Altman 
Date:   Wed Jan 19 22:55:33 2022 -0500

assert non-NULL ptrs before calling mem funcs

The definitions of memcpy(), memmove(), and memset() state that
the behaviour is undefined if any of the pointer arguments are
NULL, and some compilers are known to make use of this to
optimise away existing NULL checks in the source.

Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 6d8fec7006e8eadf5967a6f2f5add7d3c2c7bd3e
Author: Joseph Sutton 
Date:   Tue Feb 22 15:30:17 2022 +1300

third_party/heimdal_build: Add KDC_LIB macro definitions

This is an adaptation to Heimdal:

commit 7bb00a40eabbed2bc1c268f5244bfb9736d9bebe
Author: Luke Howard 
Date:   Tue Jan 4 13:08:35 2022 +1100

kdc: fix Windows build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit ef95fb439237910b945b8d6a3ad4a140a8d6d1ea
Author: Joseph Sutton 
Date:   Tue Feb 22 14:15:43 2022 +1300

auth: Cope with NULL upn_name in PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit f6fe86924c2ca756083d3628d5dbace0b12d06b0
Author: Stefan Metzmacher 
Date:   Fri Feb 25 07:40:17 2022 +0100

s4:sam: Don't use talloc_steal for msg attributes in 
authsam_make_user_info_dc()

This is most likely not a problem for the current callers,
but it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 auth/auth_sam_reply.c   | 12 +++-
 buildtools/wafsamba/samba_autoconf.py   | 17 +
 source4/auth/sam.c  | 19 ++-
 source4/kdc/pac-glue.c  |  5 +++--
 third_party/heimdal_build/wscript_build |  2 +-
 third_party/heimdal_build/wscript_configure |  2 ++
 6 files changed, 44 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index b5b6362dc93..fda014c87d5 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -616,11 +616,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
}
 
if (pac_upn_dns_info != NULL) {
-   

[SCM] Samba Shared Repository - branch master updated

2022-03-11 Thread Stefan Metzmacher
The branch, master has been updated
   via  b7bc1f6dddc s4-kdc: Fix memory leak in FAST cookie handling
  from  688604a423b smbd: Simplify non_widelink_open()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b7bc1f6dddc1c5fee8a39422823f167db1f24bb2
Author: Andrew Bartlett 
Date:   Tue Mar 8 22:46:02 2022 +1300

s4-kdc: Fix memory leak in FAST cookie handling

The call to sdb_free_entry() was forgotten.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000

Signed-off-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184

---

Summary of changes:
 source4/kdc/hdb-samba4.c | 1 +
 1 file changed, 1 insertion(+)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index b10cc37e608..5720dfadc1f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -229,6 +229,7 @@ static krb5_error_code 
hdb_samba4_fetch_fast_cookie(krb5_context context,
ret = sdb_entry_ex_to_hdb_entry_ex(context,
   &sdb_entry_ex,
   entry_ex);
+   sdb_free_entry(&sdb_entry_ex);
TALLOC_FREE(mem_ctx);
 
return ret;
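Review bot: `sdb_free_entry(&sdb_entry_ex)` runs immediately after `sdb_entry_ex_to_hdb_entry_ex()` on both the success and the failure path, so the fix is only safe if `entry_ex` keeps no pointers into `sdb_entry_ex` after the conversion. The hunk does not show that, and the commit message only says the call was forgotten; please state in the message that the conversion copies what it needs, and mention how the leak was confirmed fixed (for example a leak-checker run over the FAST cookie path).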


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2022-03-11 Thread Stefan Metzmacher
The branch, master has been updated
   via  9b48e7f7eda third_party/heimdal: import 
lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
   via  f1a71e24864 selftest: use 'kdc enable fast = no' for fl2000 fl2003
   via  2db7589d69a s4:kdc: make use of the 'kdc enable fast' option
   via  12b623088cf docs-xml: add 'kdc enable fast' option
   via  67bdc922f98 third_party/heimdal: import 
lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)
  from  b7bc1f6dddc s4-kdc: Fix memory leak in FAST cookie handling

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b
Author: Stefan Metzmacher 
Date:   Thu Mar 10 17:49:52 2022 +0100

third_party/heimdal: import lorikeet-heimdal-202203101710 (commit 
df8d801544144949931cd742169be1207b239c3d)

This fixes the regressions against KDCs without FAST support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 
    
Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184

commit f1a71e24864367a55a30813dd642e7ef392b5ac9
Author: Stefan Metzmacher 
Date:   Wed Mar 9 12:53:18 2022 +0100

selftest: use 'kdc enable fast = no' for fl2000 fl2003

This makes sure we still run tests against KDCs without FAST support
and it already found a few regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
    
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 2db7589d69abebad16b66d933114367f815d5fc3
Author: Stefan Metzmacher 
Date:   Wed Mar 9 12:39:07 2022 +0100

s4:kdc: make use of the 'kdc enable fast' option

This will be useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 12b623088cf48cf9e4a046441810ef20e1f079b8
Author: Stefan Metzmacher 
Date:   Wed Mar 9 12:39:07 2022 +0100

docs-xml: add 'kdc enable fast' option

This will be useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

commit 67bdc922f9836779f1b37805575c5c4eea9ba3e6
Author: Stefan Metzmacher 
Date:   Thu Mar 10 16:12:43 2022 +0100

third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 
47863866da25cc21d292ce335a976b8b33fa1864)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 docs-xml/smbdotconf/security/kdcenablefast.xml |  15 +++
 lib/param/loadparm.c   |   2 +
 selftest/target/Samba4.pm  |   2 +
 source3/param/loadparm.c   |   2 +
 source4/kdc/db-glue.c  |   8 +-
 source4/kdc/kdc-heimdal.c  |   7 +
 source4/selftest/tests.py  |   5 +-
 third_party/heimdal/.github/workflows/coverity.yml |  68 ++
 third_party/heimdal/.github/workflows/linux.yml| 146 +
 third_party/heimdal/.github/workflows/osx.yml  | 122 +
 .../heimdal/.github/workflows/scanbuild.yml|  67 ++
 third_party/heimdal/.github/workflows/valgrind.yml |  71 ++
 third_party/heimdal/.github/workflows/windows.yml  |  92 +
 third_party/heimdal/kdc/default_config.c   |   9 ++
 third_party/heimdal/kdc/fast.c |   3 +
 third_party/heimdal/kdc/kdc.h  |   1 +
 third_party/heimdal/kdc/krb5tgs.c  |   3 +
 third_party/heimdal/lib/krb5/fast.c|  98 --
 third_party/heimdal/lib/krb5/get_cred.c|  76 +++
 third_party/heimdal/lib/krb5/init_creds_pw.c   |   1 -
 third_party/heimdal/lib/krb5/krb5.conf.5   |   2 +
 third_party/heimdal/lib/krb5/pac.c |  12 +-
 third_party/heimdal/tests/gss/check-context.in |   4 -
 23 files changed, 762 insertions(+), 54 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml
 create mode 100644 third_party/heimdal/.github/wo

[SCM] Samba Shared Repository - branch v4-16-test updated

2022-03-17 Thread Stefan Metzmacher
The branch, v4-16-test has been updated
   via  e79f04a3179 WHATSNEW for Heimdal upgrade
   via  f4236271500 WHATSNEW: older SMB1 command removal/simpliciation and 
deprecation
  from  41054b61231 s4:kdc: tunnel the check_client_access status to 
hdb_samba4_audit()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
commit e79f04a317906b1fbd9a53c831800088e2aab680
Author: Andrew Bartlett 
Date:   Wed Mar 16 12:53:47 2022 +1300

WHATSNEW for Heimdal upgrade

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 

commit f42362715008716ed8508645329a9b16995e7db9
Author: Andrew Bartlett 
Date:   Thu Mar 17 07:53:37 2022 +1300

WHATSNEW: older SMB1 command removal/simpliciation and deprecation

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 WHATSNEW.txt | 118 +++
 1 file changed, 103 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 83d77b5c028..31f656e4095 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -52,6 +52,46 @@ samba-dcerpcd can also be useful for use outside of the Samba
 framework, for example, use with the Linux kernel SMB2 server ksmbd or
 possibly other SMB2 server implementations.
 
+Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
+--
+
+Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
+implementation.  This snapshot has now been updated and will closely
+match what will be released as Heimdal 8.0 shortly.
+
+This is a major update, previously we used a snapshot of Heimdal from
+2011, and brings important new Kerberos security features such as
+Kerberos request armoring, known as FAST.  This tunnels ticket
+requests and replies that might be encrypted with a weak password
+inside a wrapper built with a stronger password, say from a machine
+account.
+
+In Heimdal and MIT modes Samba's KDC now supports FAST, for the
+support of non-Windows clients.
+
+Windows clients will not use this feature however, as they do not
+attempt to do so against a server not advertising domain Functional
+Level 2012.  Samba users are of course free to modify how Samba
+advertises itself, but use with Windows clients is not supported "out
+of the box".
+
+Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
+the FAST protocol.  A future version will align this more closely with
+Microsoft AD behaviour.
+
+If FAST needs to be disabled on your Samba KDC, set
+
+ kdc enable fast = no
+
+in the smb.conf.
+
+The Samba project wishes to thank the numerous developers who have put
+in a massive effort to make this possible over many years.  In
+particular we thank Stefan Metzmacher, Joseph Sutton, Gary Lockyer,
+Isaac Boukris and Andrew Bartlett.  Samba's developers in turn thank
+their employers and in turn their customers who have supported this
+effort over many years.
+
 Certificate Auto Enrollment
 ---
 
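Review bot: The paragraph that introduces `kdc enable fast = no` never states the option's default, so a reader cannot tell from this section whether FAST is on after upgrading or has to be enabled. Please add the default value next to the setting. The sentence about the per-KDC rather than per-realm 'cookie' would also benefit from one line on what an administrator running more than one KDC should expect from that difference, since the text only says a future version will change it.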
@@ -135,21 +175,69 @@ CTDB changes
 REMOVED FEATURES
 
 
-SMB1 CORE and LANMAN1 protocol wildcard copy, unlink and rename removed
-===
-
-In preparation for the removal of the SMB1 server, the unused
-SMB1 command SMB_COM_COPY (SMB1 command number 0x29) has been
-removed from the Samba smbd server. In addition, the ability
-to process file name wildcards in requests using the SMB1 commands
-SMB_COM_COPY (SMB1 command number 0x2A), SMB_COM_RENAME (SMB1 command
-number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and
-SMB_COM_DELETE (SMB1 command number 0x6) have been removed.
-
-This only affects clients using MS-DOS based versions of
-SMB1, the last release of which was Windows 98. Users requiring
-support for these features will need to use older versions
-of Samba.
+Older SMB1 protocol SMBCopy command removed
+---
+
+SMB is a nearly 30-year old protocol, and some protocol commands that
+while supported in all versions, have not seen widespread use.
+
+One of those is SMBCopy, a feature for a server-side copy of a file.
+This feature has been so unmaintained that Samba has no testsuite for
+it.
+
+The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
+introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
+in the NT LAN Manager dialect.
+
+Therefore it has been removed from the Samba smbd server.
+
+We do note that a fully supported and tested server-side copy is
+present in SMB2, and can be accessed with "scopy" subcommand in
+smbclient)
+
+SMB
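Review bot: The added sentence ending in `"scopy" subcommand in smbclient)` closes a parenthesis that was never opened; either open it before "and can be accessed" or drop it and end with a full stop. The earlier added sentence "some protocol commands that while supported in all versions, have not seen widespread use" also does not parse as written; something like "some protocol commands, while supported in all versions, have not seen widespread use" would read cleanly.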

[SCM] Samba Shared Repository - branch v4-15-test updated

2022-03-17 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  9d91942913e s3:libads: Fix creating local krb5.conf
   via  736df42fdf9 s3:libads: Check print_canonical_sockaddr_with_port() 
for NULL in get_kdc_ip_string()
   via  9319309ac1a s3:libads: Remove obsolete free's of kdc_str
   via  3016f01d0c4 s3:libads: Allocate all memory on the talloc stackframe
   via  a76c64f86d8 s3:libads: Use talloc_asprintf_append() in 
get_kdc_ip_string()
   via  1f7b6fc56c5 s3:libads: Improve debug messages for 
get_kdc_ip_string()
   via  5608804f02d s3:libads: Leave early on error in get_kdc_ip_string()
   via  fd2373c6bcf s3:libads: Remove trailing spaces in kerberos.c
   via  12c58adffe4 testprogs: Add test that local krb5.conf has been 
created
   via  9b6e8ae65e2 s3:libsmb: Fix errno for failed authentication in 
SMBC_server_internal()
   via  1f1d6d4e745 s4:auth: let authenticate_ldap_simple_bind() pass down 
the mapped nt4names
   via  54fd8eb1aac auth: let auth logging prefer 
user_info->orig_client.{account,domain}_name if available
   via  5e81cde9fae s4:auth: rename user_info->mapped_state to 
user_info->cracknames_called
   via  2c15a949f5d winbindd: don't set mapped_state in 
winbindd_dual_auth_passdb()
   via  2e41cbc8bec nsswitch: let test_wbinfo.sh also test wbinfo -a 
$USERNAME@$DOMAIN
   via  8cd57a22283 s3:auth: make_user_info_map() should not set 
mapped_state
   via  249b023f2b8 s4:auth: fix confusing DEBUG message in 
authsam_want_check()
   via  a304052c4fc s4:auth: check for user_info->mapped.account_name if it 
needs to be filled
   via  070af6f1fa0 s4:rpc_server/samr: don't set mapped_state in 
auth_usersupplied_info for audit logging
   via  63a6fb82a77 s4:kdc: don't set mapped_state in 
auth_usersupplied_info for audit logging
   via  c6bb5e62776 s4:dsdb: don't set mapped_state in 
auth_usersupplied_info for audit logging
   via  dffebcba823 s4:smb_server: don't set mapped_state explicitly in 
auth_usersupplied_info
   via  240785f4e4f auth/ntlmssp: don't set mapped_state explicitly in 
auth_usersupplied_info
   via  db17de0b611 s4:auth: encrypt_user_info() should set password_state 
instead of mapped_state
   via  2d425bb116a s4:auth: a simple bind uses the DCs name as workstation
   via  02824c7942d s3:rpc_client: let rpccli_netlogon_network_logon() 
fallback to workstation = lp_netbios_name()
   via  e6926484533 rodc: Add tests for simple BIND alongside NTLMSSP binds
   via  af30bd71cd3 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as 
inducation for an interactive logon
   via  0fcbfd39583 s3:auth: let make_user_info_netlogon_interactive() set 
USER_INFO_INTERACTIVE_LOGON
   via  0da8b2b3683 dsdb/tests: add test_login_basics_simple()
   via  ec84a7acfcc dsdb/tests: prepare BasePasswordTestCase for simple 
bind tests
   via  72698f73949 dsdb/tests: introduce assertLoginSuccess
   via  7b63119267a dsdb/tests: make use of assertLoginFailure helper
   via  92da29a1136 dsdb/tests: let all BasePasswordTestCase tests provide 
self.host_url[_ldaps]
   via  84f7b94852a dsdb/tests: passwords.py don't need to import 
BasePasswordTestCase
   via  2bbb9a4298c python:tests: let insta_creds() also copy the bind_dn 
from the template
  from  39ae6f10fa6 VERSION: Bump version up to Samba 4.15.7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit 9d91942913e0481cfb4af80eeb5a316f6c9d2c3f
Author: Andreas Schneider 
Date:   Tue Mar 15 13:10:06 2022 +0100

s3:libads: Fix creating local krb5.conf

We create a KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider 
Reviewed-by: Guenther Deschner 

Autobuild-User(master): Günther Deschner 
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

(cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Thu Mar 17 10:35:11 UTC 2022 on sn-devel-184

commit 736df42fdf9b4f7977eb6857ff3ab91a5df62b65
Author: Andreas Schneider 
Date:   Tue Mar 15 13:02:05 2022 +0100

s3:libads: Check print_canonical_sockaddr_with_port() for NULL in 
get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider 
Reviewed-by: Guenther Deschner 
(cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99)

commit 9319309ac1adf42765e9f3bf325000b92585cd3e
Author: Andreas Schneider 
Date:   Tue Mar 15 12:57:18 2022 +0100

s3:libads: Remove obsolete free's of kdc_str

This is allocated on the stackframe now!

BUG: ht

[SCM] Samba Shared Repository - branch v4-14-test updated

2022-03-18 Thread Stefan Metzmacher
The branch, v4-14-test has been updated
   via  1a1b789b2fe s4:kdc: redirect pre-authentication failured to an RWDC
   via  68f55294eb0 HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in 
HDB_ERR_NOT_FOUND_HERE
  from  3ae7ead5fd5 s3:libsmb: Fix errno for failed authentication in 
SMBC_server_internal()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -
commit 1a1b789b2fe6672604f2e2f5c5e7a30f5a1c90a2
Author: Stefan Metzmacher 
Date:   Fri Feb 18 17:17:02 2022 +0100

s4:kdc: redirect pre-authentication failured to an RWDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher 
(similar to commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Fri Mar 18 11:55:11 UTC 2022 on sn-devel-184

commit 68f55294eb0c37da3c4e3f76d5c3154e762d46ad
Author: Stefan Metzmacher 
Date:   Fri Feb 18 17:17:02 2022 +0100

HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE

On an RODC we need to redirect failing preauthentication to an RWDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher 
(similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)

---

Summary of changes:
 selftest/knownfail |  1 -
 source4/dsdb/tests/python/rodc_rwdc.py |  3 +-
 source4/heimdal/kdc/kerberos5.c| 10 -
 source4/kdc/hdb-samba4.c   | 79 +++---
 4 files changed, 24 insertions(+), 69 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 2701fe4c5b3..c4c050403d0 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -374,7 +374,6 @@
 
^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
 # NETLOGON is disabled in any non-DC environments
 ^samba.tests.netlogonsvc.python\(ad_member\)
 ^samba.tests.netlogonsvc.python\(simpleserver\)
diff --git a/source4/dsdb/tests/python/rodc_rwdc.py 
b/source4/dsdb/tests/python/rodc_rwdc.py
index 21b7c05fcbe..6cd0e50e47b 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -1166,8 +1166,7 @@ class 
RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
 
 creds2 = make_creds(username, password)
 self.try_ldap_logon(RWDC, creds2)
-# We can forward WRONG_PASSWORD over NTLM.
-# This SHOULD succeed.
+# The RODC forward WRONG_PASSWORD to the RWDC
 self.try_ldap_logon(RODC, creds2)
 
 def test_change_password_reveal_on_demand_ntlm(self):
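Review bot: The replacement comment `# The RODC forward WRONG_PASSWORD to the RWDC` should read "forwards", and unlike the two lines it replaces it no longer says what result `self.try_ldap_logon(RODC, creds2)` is expected to produce. Keeping a short statement of the expected outcome next to the call makes the test's intent clear to the next reader.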
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c1d4cb1d4aa..9684364c519 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1357,13 +1357,19 @@ _kdc_as_rep(krb5_context context,
 
free_EncryptedData(&enc_data);
 
-   if (clientdb->hdb_auth_status)
-   (clientdb->hdb_auth_status)(context, clientdb, client,
+   if (clientdb->hdb_auth_status) {
+   ret = (clientdb->hdb_auth_status)(context, clientdb, client,
from_addr,
&_kdc_now,
client_name,
str ? str : "unknown enctype",
HDB_AUTH_WRONG_PASSWORD);
+   if (ret == HDB_ERR_NOT_FOUND_HERE) {
+   kdc_log(context, config, 5, "client %s 
HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name);
+   free(str);
+   goto out;
+   }
+   }
 
free(str);
 
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 2ed7a5e0623..43e836f8360 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -311,60 +311,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX 
*mem_ctx,
irpc_handle, &req);
 }
 
-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
-  struct samba_kdc_db_context *kdc_db_ctx,
-  struct auth_usersupplied_info *user_info)
-{
-   struct dcerpc_binding_handle 

[SCM] Samba Shared Repository - branch master updated

2022-03-18 Thread Stefan Metzmacher
The branch, master has been updated
   via  cf8048cd49a s4:rpc_server/samr: Use extended DN when searching for 
user
   via  7b710a05de4 samba-tool group: Add --special parameter to add 
predefined special group
   via  4f1b7684ed4 functionalprep.sh: Add test for samba-tool add group 
--special
   via  bf509bf7df1 tests/sam: Ensure that Protected Users group cannot be 
deleted
   via  62cf7a4ad3e s4:rpc_server/samr: Simplify lp_ctx expression
   via  16a7ce0cdfb s4:auth: Disable NTLM authentication for Protected Users
   via  402d5f59bcb s4:kdc: Add KDC support for Protected Users group
   via  233ce6b2b88 s4:kdc: Add function to get user_info_dc from database
   via  831c245adb3 s4:kdc: simplify samba_kdc_message2entry by using 
data_blob_string_const("computer")
   via  3a8670c4ca2 dsdb/common: Add helper function for determining if 
account is in Protected Users group
   via  fb0f65b0b5f s4:provision_users.ldif: Add Protected Users group
   via  410b8b7e06b tests/passwords: Test that LDAP password changes work 
for Protected Users
   via  fd765aaa5b3 tests/password_lockout: Test NTLM and SAMR password 
changes with Protected Users
   via  3e0c94a345d tests/krb5: Add tests for the Protected Users group
   via  eba1a9d964b auth/credentials: Add encrypt_samr_password()
   via  b308240cb4b selftest/dbcheck: Fix up msDS-RevealedUsers links with 
deleted target DN
   via  ded5115f73d tests/krb5: Add helper function to modify ticket flags
   via  c80cd8c9570 tests/krb5: Remove unused import
   via  042137f8fa5 tests/krb5: Add account to cleanup list before adding 
it to database
   via  539cdaa75ba tests/krb5: Add more encryption type constants
   via  90e5802773a tests/krb5: Remove accounts in reverse order of addition
   via  26334df74fa s4:kdc: Fix copy-paste typo
  from  c91af5f1a8b tests/krb5: Simplify logic

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cf8048cd49abba5f3da297530219fca6c67f4da1
Author: Joseph Sutton 
Date:   Thu Mar 3 14:54:00 2022 +1300

s4:rpc_server/samr: Use extended DN when searching for user

Switch to dsdb_search() for looking up the user for changing the
password, and specify that we want extended DNs. Using the SID or GUID
avoids a race condition if the DN of the user changes.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184

commit 7b710a05de4aa66b6b20ff399f7ef64c506353af
Author: Joseph Sutton 
Date:   Thu Feb 10 17:14:56 2022 +1300

samba-tool group: Add --special parameter to add predefined special group

This allows default security groups that have been added since Windows
Server 2008 R2, such as Protected Users, to be created in pre-existing
domains. An error message is generated if a group already exists with
the same name, DN, or SID.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 4f1b7684ed437d1e4bf77a867ee0384bc939f312
Author: Joseph Sutton 
Date:   Thu Mar 3 20:59:48 2022 +1300

functionalprep.sh: Add test for samba-tool add group --special

Test that we can add the special Protected Users group, and that we get
an appropriate error message when attempting to add it a second time.

We add these tests here so that we can make use of an old provision that
does not already have the Protected Users group added.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit bf509bf7df1348f4793a32dea99c9ec3384c9ad0
Author: Joseph Sutton 
Date:   Wed Feb 2 15:47:05 2022 +1300

tests/sam: Ensure that Protected Users group cannot be deleted

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 62cf7a4ad3eaad056604809880549ab7c8f4196c
Author: Joseph Sutton 
Date:   Thu Feb 3 15:17:40 2022 +1300

s4:rpc_server/samr: Simplify lp_ctx expression

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 16a7ce0cdfb8acba782436066cc8383900ef7e93
Author: Joseph Sutton 
Date:   Tue Feb 1 21:08:44 2022 +1300

s4:auth: Disable NTLM authentication for Protected Users

We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bad password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 

commit 402d5f59bcb1929cf3db5efb03edf2f62748e40e
Author: Joseph Sutton 
Date:   Wed Feb 2 17:08:41 2022 +1300

s4:kdc: Add KDC support for Protected Users group

Accounts in the

[SCM] Samba Shared Repository - branch v4-15-test updated

2022-03-18 Thread Stefan Metzmacher
The branch, v4-15-test has been updated
   via  b4d5a906df8 s4:kdc: redirect pre-authentication failured to an RWDC
   via  5aa5648cc4b HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in 
HDB_ERR_NOT_FOUND_HERE
  from  9d91942913e s3:libads: Fix creating local krb5.conf

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit b4d5a906df8b23363365559e31887403bace1482
Author: Stefan Metzmacher 
Date:   Fri Feb 18 17:17:02 2022 +0100

s4:kdc: redirect pre-authentication failured to an RWDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher 
(similar to commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)

Autobuild-User(v4-15-test): Stefan Metzmacher 
Autobuild-Date(v4-15-test): Sat Mar 19 02:38:24 UTC 2022 on sn-devel-184

commit 5aa5648cc4b0497a000c31e8b40cdaaa6c18769e
Author: Stefan Metzmacher 
Date:   Fri Feb 18 17:17:02 2022 +0100

HEIMDAL: allow HDB_AUTH_WRONG_PASSWORD to result in HDB_ERR_NOT_FOUND_HERE

On an RODC we need to redirect failing preauthentication to an RWDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher 
(similar to commit heimdal commit df655cecd12712e7f7df5128b123eee0066a8216)

---

Summary of changes:
 selftest/knownfail |  1 -
 source4/dsdb/tests/python/rodc_rwdc.py |  3 +-
 source4/heimdal/kdc/kerberos5.c| 10 -
 source4/kdc/hdb-samba4.c   | 79 +++---
 4 files changed, 24 insertions(+), 69 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 9f362c02b47..b5e52753968 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -365,7 +365,6 @@
 
^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
 # NETLOGON is disabled in any non-DC environments
 ^samba.tests.netlogonsvc.python\(ad_member\)
 ^samba.tests.netlogonsvc.python\(simpleserver\)
diff --git a/source4/dsdb/tests/python/rodc_rwdc.py 
b/source4/dsdb/tests/python/rodc_rwdc.py
index d405cd0d5ec..53d54807a3d 100644
--- a/source4/dsdb/tests/python/rodc_rwdc.py
+++ b/source4/dsdb/tests/python/rodc_rwdc.py
@@ -1165,8 +1165,7 @@ class 
RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
 
 creds2 = make_creds(username, password)
 self.try_ldap_logon(RWDC, creds2)
-# We can forward WRONG_PASSWORD over NTLM.
-# This SHOULD succeed.
+# The RODC forward WRONG_PASSWORD to the RWDC
 self.try_ldap_logon(RODC, creds2)
 
 def test_change_password_reveal_on_demand_ntlm(self):
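Review bot: the replacement comment above `self.try_ldap_logon(RODC, creds2)` drops the expectation the old one carried ("This SHOULD succeed"), so the test no longer says what outcome the RODC logon is meant to have. Keep the expected result in the comment, and fix the verb while there: "The RODC forwards WRONG_PASSWORD to the RWDC".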
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index b8fec62333d..11b334e46fe 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1358,13 +1358,19 @@ _kdc_as_rep(krb5_context context,
 
free_EncryptedData(&enc_data);
 
-   if (clientdb->hdb_auth_status)
-   (clientdb->hdb_auth_status)(context, clientdb, client,
+   if (clientdb->hdb_auth_status) {
+   ret = (clientdb->hdb_auth_status)(context, clientdb, client,
from_addr,
&_kdc_now,
client_name,
str ? str : "unknown enctype",
HDB_AUTH_WRONG_PASSWORD);
+   if (ret == HDB_ERR_NOT_FOUND_HERE) {
+   kdc_log(context, config, 5, "client %s 
HDB_AUTH_WRONG_PASSWORD at this KDC, forward to proxy", client_name);
+   free(str);
+   goto out;
+   }
+   }
 
free(str);
 
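Review bot: `ret = (clientdb->hdb_auth_status)(...)` overwrites whatever ret held on entry to this block, and only HDB_ERR_NOT_FOUND_HERE is acted on. On the fall-through path ret is left at whatever the backend returned, which may be 0; the code after free(str) is not part of this hunk, so please confirm that it sets ret to the pre-authentication failure again before ret is used, or keep the callback result in a separate local variable.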
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 2ed7a5e0623..43e836f8360 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -311,60 +311,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX 
*mem_ctx,
irpc_handle, &req);
 }
 
-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
-  struct samba_kdc_db_context *kdc_db_ctx,
-  struct auth_usersupplied_info *user_info)
-{
-   struct dcerpc_binding_handle *irpc_handle;
-   struct winbi

[SCM] Samba Shared Repository - branch master updated

2022-03-24 Thread Stefan Metzmacher
ia  829bb366f33 s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end
   via  6152db35a66 s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 
'k' at the beginning
   via  ba6fccf4439 s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at 
the beginning
   via  7312bca8c7a s4:kdc: remove unused mkvno from sdb_key
   via  ab0946a75d5 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
  from  80d72b532f6 smbd: Make an if-statement in ReadDirName() a bit more 
readable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d1d65d271ecda41dc13627bbca213181dac28c41
Author: Andrew Bartlett 
Date:   Tue Mar 8 22:49:31 2022 +1300

s4:kdc: Expose samba_kdc_message2entry_keys()

This allows the KDC to share the supplementalCredentials parsing code
with other parts of Samba that could use it.

Pair-Programmed-With: Stefan Metzmacher

Signed-off-by: Andrew Bartlett
Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184

commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8
Author: Andrew Bartlett 
Date:   Wed Mar 23 13:07:29 2022 +1300

s4:kdc: Move supported enc-type handling out of 
samba_kdc_message2entry_keys()

By putting this in the caller we potentially allow 
samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.

Pair-Programmed-With: Stefan Metzmacher

Signed-off-by: Andrew Bartlett
Signed-off-by: Stefan Metzmacher 

commit 2340a9a44f429f0b2e15668c1646b8efedece6c9
Author: Andrew Bartlett 
Date:   Wed Mar 23 10:13:54 2022 +1300

s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to 
samba_kdc_message2entry()

This avoids making a call out in samba_kdc_message2entry_keys() and allows
for potential reuse of the key parsing code.

Pair-Programmed-With: Stefan Metzmacher

Signed-off-by: Andrew Bartlett
Signed-off-by: Stefan Metzmacher 

commit 2684856aac6a789ef13fbcfc631890d7447b53f8
Author: Andrew Bartlett 
Date:   Tue Mar 8 22:48:50 2022 +1300

s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys()

This will help with a future caller.

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher 

commit 548169a3e20cd6ee4a5d9320b85b2dea4ffe0eea
Author: Andrew Bartlett 
Date:   Wed Mar 23 09:47:53 2022 +1300

s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()

We should not surprise the callers by returning more keys than we asked to
filter by and avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 

commit 2d9fd3855f3c50c17111a72f6247aabd02e575be
Author: Andrew Bartlett 
Date:   Wed Mar 23 09:47:53 2022 +1300

s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 

commit 01e7425fab7fcd8887dbd25c7179bb6669853fae
Author: Stefan Metzmacher 
Date:   Fri Feb 11 21:42:06 2022 +0100

s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys 
too

We return the requested kvno if given, otherwise we include the
old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5f28a9481f45903d9d7a405f89ead314dbebd775
Author: Stefan Metzmacher 
Date:   Wed Mar 23 00:41:13 2022 +0100

s4:kdc: add old and older keys to sdb_entry

This is the first step to return the password history
in order to avoid badPwdCount updates for failing
pre-authentication with passwords from the recent history.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d062225e25c85c942f79ce426a003d122b69ae9b
Author: Stefan Metzmacher 
Date:   Fri Jul 19 13:22:48 2019 +0200

s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()

We need a way to ask for a specific kvno if SDB_F_KVNO_SPECIFIED
is requested. And also include the old and older keys from
the password history in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d05f2323d308fe4f3e88979f3ee5b41461c436f9
Author: Stefan Metzmacher 
Date:   Wed Mar 23 04:29:20 2022 +0100

s4:kdc: finally remove unused 'struct sdb_entry_ex'

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 57bf97523150f2052bee2e

[SCM] Samba Shared Repository - branch master updated

2022-03-25 Thread Stefan Metzmacher
The branch, master has been updated
   via  41c72ae9f95 examples: Update winbindd.stp and its generator script
   via  3e747891a04 s3:winbind: Convert Ping parent/child call to NDR
   via  0d668dfb751 s3:winbind: Return NTSTATUS from wbint_Ping() RPC 
function
   via  00ea654961a s3:winbind: Convert wcache_opnum_cacheable() to a 
whitelist
  from  c788ed7b8b4 samba-gpupdate: Implement enhanced logging

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 41c72ae9f9530e04e249bbd73356bb44a7e945e4
Author: Samuel Cabrero 
Date:   Wed Mar 9 12:11:00 2022 +0100

examples: Update winbindd.stp and its generator script

Signed-off-by: Samuel Cabrero 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Mar 25 17:57:18 UTC 2022 on sn-devel-184

commit 3e747891a04a161b34e8be1aab03371632ede192
Author: Samuel Cabrero 
Date:   Wed Feb 16 13:41:05 2022 +0100

s3:winbind: Convert Ping parent/child call to NDR

Signed-off-by: Samuel Cabrero 
Reviewed-by: Stefan Metzmacher 

commit 0d668dfb75145af654eb779bdbbc0261d8f5bb15
Author: Samuel Cabrero 
Date:   Wed Mar 9 11:56:33 2022 +0100

s3:winbind: Return NTSTATUS from wbint_Ping() RPC function

There are no users of this function but the next commit will convert the
struct-based WINBINDD_PING call to a local RPC wbint_Ping() call.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Stefan Metzmacher 

commit 00ea654961a790acd17e445b1eb0aec3296a60cc
Author: Samuel Cabrero 
Date:   Wed Mar 9 17:44:17 2022 +0100

s3:winbind: Convert wcache_opnum_cacheable() to a whitelist

It avoids having to explicitly blacklist new DCE/RPC calls.

This is the current list of non cacheable calls:

NDR_WBINT_PING
NDR_WBINT_QUERYSEQUENCENUMBER
NDR_WBINT_ALLOCATEUID
NDR_WBINT_ALLOCATEGID
NDR_WBINT_CHECKMACHINEACCOUNT
NDR_WBINT_CHANGEMACHINEACCOUNT
NDR_WBINT_PINGDC
NDR_WBINT_LISTTRUSTEDDOMAINS

It includes the ListTrustedDomains call recently converted to a local
RPC call.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 examples/systemtap/generate-winbindd.stp.sh |  4 +--
 examples/systemtap/winbindd.stp | 42 ++---
 librpc/idl/winbind.idl  |  2 +-
 source3/winbindd/winbindd_async.c   | 34 ---
 source3/winbindd/winbindd_cache.c   | 24 ++---
 source3/winbindd/winbindd_domain.c  |  4 ---
 source3/winbindd/winbindd_domain_info.c | 38 --
 source3/winbindd/winbindd_dual_srv.c|  3 ++-
 source3/winbindd/winbindd_idmap.c   |  4 ---
 source3/winbindd/winbindd_locator.c |  4 ---
 source3/winbindd/winbindd_proto.h   |  3 ---
 source3/winbindd/wscript_build  |  1 -
 12 files changed, 65 insertions(+), 98 deletions(-)
 delete mode 100644 source3/winbindd/winbindd_async.c


Changeset truncated at 500 lines:

diff --git a/examples/systemtap/generate-winbindd.stp.sh 
b/examples/systemtap/generate-winbindd.stp.sh
index ec8e3af2828..5a4507874e4 100755
--- a/examples/systemtap/generate-winbindd.stp.sh
+++ b/examples/systemtap/generate-winbindd.stp.sh
@@ -2,13 +2,13 @@
 
 outfile="$(dirname $0)/winbindd.stp"
 
-child_funcs="winbindd_dual_ping
-winbindd_dual_init_connection
+child_funcs="winbindd_dual_init_connection
 winbindd_dual_pam_auth
 winbindd_dual_pam_auth_crap
 winbindd_dual_pam_logoff
 winbindd_dual_pam_chng_pswd_auth_crap
 winbindd_dual_pam_chauthtok
+_wbint_Ping
 _wbint_ListTrustedDomains
 _wbint_LookupSid
 _wbint_LookupSids
diff --git a/examples/systemtap/winbindd.stp b/examples/systemtap/winbindd.stp
index 60dd80a5c76..94f05596771 100644
--- a/examples/systemtap/winbindd.stp
+++ b/examples/systemtap/winbindd.stp
@@ -2,7 +2,7 @@
 #
 # Systemtap script to instrument winbindd
 #
-# Generated by examples/systemtap/generate-winbindd.stp.sh on mar 15 feb 2022 
17:45:48 CET, do not edit
+# Generated by examples/systemtap/generate-winbindd.stp.sh on mié 09 mar 2022 
12:10:37 CET, do not edit
 #
 # Usage:
 #
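Review bot: the "Generated by ... on" header line goes from `mar 15 feb 2022` to `mié 09 mar 2022`, so the timestamp is taken from the generating machine's locale and this line changes on every regeneration. Have generate-winbindd.stp.sh produce the date under a fixed locale (for example LC_ALL=C) or drop the timestamp, so that regenerated output differs only where the probes differ.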
@@ -23,26 +23,6 @@ probe begin {
printf("Collecting data, press ctrl-C to stop... ")
 }
 
-#
-# winbind domain child function winbindd_dual_ping
-#
-
-probe process("winbindd").function("winbindd_dual_ping") {
-   dc_running[tid(), "winbindd_dual_ping"] = gettimeofday_us()
-}
-
-probe process("winbindd").function("winbindd_dual_ping").return {
-   if (!([tid(), "winbindd_dual_ping"] in dc_running))
-   next
-
-   end = gettimeofday_us()
-   begin = dc_running[tid(), "winbindd_dual_ping"]
- 

[SCM] Samba Shared Repository - branch master updated

2022-03-28 Thread Stefan Metzmacher
The branch, master has been updated
   via  14e7112734b waf: Document the confusing --nonshared-binary, 
--builtin-libraries, --private-libraries and --bundled-libraries
  from  127f728d58e vfs_gpfs: Initialize litemask to 0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 14e7112734bbb31db99e394323ef2cb31385ebf7
Author: Andrew Bartlett 
Date:   Mon Mar 28 11:16:51 2022 +1300

waf: Document the confusing --nonshared-binary, --builtin-libraries, 
--private-libraries and --bundled-libraries

These options are confusing to all who encounter them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8731

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Mon Mar 28 10:06:01 UTC 2022 on sn-devel-184

---

Summary of changes:
 buildtools/wafsamba/wscript | 67 -
 1 file changed, 60 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 62b63fef145..a4d6f3e5c49 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -30,11 +30,37 @@ def options(opt):
 gr = opt.option_group('library handling options')
 
 gr.add_option('--bundled-libraries',
-   help=("comma separated list of bundled libraries. May 
include !LIBNAME to disable bundling a library. Can be 'NONE' or 'ALL' [auto]"),
+   help=(f'''comma separated list of bundled libraries.
+
+{Context.g_module.APPNAME} includes copies of externally maintained
+system libraries (such as popt, cmokca) as well as Samba-maintained
+libraries that can be found on the system already (such as talloc,
+tdb).
+
+This option, most useful for packagers, controls if each library
+should be forced to be obtained from inside Samba (bundled), forced to
+be obtained from the system (bundling disabled, ensuing that
+dependency errors are not silently missed) or if that choice should be
+automatic (best for end users).
+
+May include !LIBNAME to disable bundling a library.
+
+Can be 'NONE' or 'ALL' [auto]'''),
action="store", dest='BUNDLED_LIBS', default='')
 
 gr.add_option('--private-libraries',
-   help=("comma separated list of normally public libraries to 
build instead as private libraries. May include !LIBNAME to disable making a 
library private in order to limit the effect of 'ALL'"),
+   help=(f'''comma separated list of normally public libraries 
to build instead as private libraries.
+
+By default {Context.g_module.APPNAME} will publish a number of public
+libraries for use by other software.  For Samba this would include
+libwbclient, libsmbclient and others.
+
+This allows that to be disabled, to ensure that other software does
+not use these libraries and they are placed in a private filesystem
+prefix.
+
+May include !LIBNAME to disable making a library private in order to
+limit the effect of 'ALL' '''),
action="store", dest='PRIVATE_LIBS', default='')
 
 extension_default = default_value('PRIVATE_EXTENSION_DEFAULT')
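Review bot: the new --bundled-libraries help text has two typos that will be shown by --help: "cmokca" should be "cmocka", and "ensuing that dependency errors" should be "ensuring that dependency errors". Both are in the added f-string and can be fixed before this lands.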
@@ -48,12 +74,33 @@ def options(opt):
action="store", dest='PRIVATE_EXTENSION_EXCEPTION', 
default=extension_exception)
 
 builtin_default = default_value('BUILTIN_LIBRARIES_DEFAULT')
-gr.add_option('--builtin-libraries',
-   help=("command separated list of libraries to build 
directly into binaries [%s]" % builtin_default),
-   action="store", dest='BUILTIN_LIBRARIES', 
default=builtin_default)
+gr.add_option('--builtin-libraries', help=(
+f'''comma separated list of libraries to build directly into binaries.
+
+By default {Context.g_module.APPNAME} will build a large number of
+shared libraries, to reduce binary size.  This overrides this
+behaviour and essentially statically links the specified libraries into
+each binary [{builtin_default}]'''),
+  action="store",
+  dest='BUILTIN_LIBRARIES', default=builtin_default)
 
 gr.add_option('--minimum-library-version',
-   help=("list of minimum system library versions 
(LIBNAME1:version,LIBNAME2:version)"),
+   help=(
+f'''list of minimum system library versions for otherwise bundled
+libraries.
+
+{Context.g_module.APPNAME} by def

[SCM] Samba Shared Repository - branch master updated

2022-03-30 Thread Stefan Metzmacher
The branch, master has been updated
   via  f7f65ceb46d s4:dsdb/descriptor: skip duplicates in 
descriptor_sd_propagation_object()
   via  bd1e667a62d s4:dsdb/descriptor: sort descriptor_changes tree based
   via  ce38b30cdcf s4:dsdb/descriptor: pass parent guid to 
dsdb_module_schedule_sd_propagation()
   via  b812ade416f s4:dsdb/descriptor: skip duplicates in 
descriptor_extended_sec_desc_propagation()
   via  4c32f46a868 s4:dsdb/descriptor: add statistics for security 
descriptor propagation
   via  8597cc9d6c8 s4:dsdb/descriptor: split out struct 
descriptor_transaction
   via  36ccb98aba8 python/join: improve logging of join_replicate()
  from  420bbb1d92f wafsamba: require PYTHONHASHSEED=1 to be exported

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f7f65ceb46d04e48667e6cba8f3e9b9fd0cd290e
Author: Stefan Metzmacher 
Date:   Thu Feb 10 12:46:10 2022 +0100

s4:dsdb/descriptor: skip duplicates in descriptor_sd_propagation_object()

We're now sure that the security descriptor propagation happened
first for parent objects.

It means we can safely skip processing the same object twice in
descriptor_sd_propagation_object().

For the database with ~ 22000 objects it reduced the commit time
from 2m 50s down to 2m 24s.

The statistics are changed from:

descriptor_prepare_commit: changes: num_registrations=5
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=68800

to:

descriptor_prepare_commit: changes: num_registrations=5
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=22000
descriptor_prepare_commit: objects: num_skipped=41600

It means that we have "changes: num_registered" and
"objects: num_processed" exactly match the number
of replicated objects.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Wed Mar 30 12:06:21 UTC 2022 on sn-devel-184

commit bd1e667a62d63c51a3b5e43660c7c23dd855785a
Author: Stefan Metzmacher 
Date:   Thu Feb 10 17:19:31 2022 +0100

s4:dsdb/descriptor: sort descriptor_changes tree based

For the hot code path, e.g. the commit after the initial replication,
we typically have one descriptor_changes for each object in the
database.

It means that we most likely have 5 naming contexts/partitions.
Except of their head/root object have a valid parent_guid,
so can move all of them into the tree structure.

Now we start the processing at the partition root objects,
which means that we also process all child objects in
the same run. While processing these objects we are most
likely able to mark their related descriptor_changes structure
as done removing it from the hierarchy.

With the 22000 object domain it reduces the time spent in
the commit stage from 3m 20s down to 2m 50s.

The statistics are changed from:

descriptor_prepare_commit: changes: num_registrations=5
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_processed=22000
descriptor_prepare_commit: objects: num_processed=80800

to:

descriptor_prepare_commit: changes: num_registrations=5
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_toplevel=5
descriptor_prepare_commit: changes: num_processed=5200
descriptor_prepare_commit: objects: num_processed=68800

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett 

commit ce38b30cdcf4a8d7225f830b8054c1df1d748da0
Author: Stefan Metzmacher 
Date:   Thu Feb 10 15:08:47 2022 +0100

s4:dsdb/descriptor: pass parent guid to 
dsdb_module_schedule_sd_propagation()

This is preparation to optimize the security descriptor propagation
in the following commits.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett 

commit b812ade416faf6e41e9def5689f9b2e21d7f718f
Author: Stefan Metzmacher 
Date:   Thu Feb 10 14:36:28 2022 +0100

s4:dsdb/descriptor: skip duplicates in 
descriptor_extended_sec_desc_propagation()

During replication we may need to fall back to using DRS_GET_TGT,
which means that we'll get a lot of objects more than once,
the most important one is the partition root object.

It means we'll also do the security descriptor propagation more than
once for

[SCM] Samba Shared Repository - annotated tag tevent-0.12.0 created

2022-04-11 Thread Stefan Metzmacher
The annotated tag, tevent-0.12.0 has been created
at  355edbaebad11d45987d21d9caea04917638bcdc (tag)
   tagging  a20d41accdc999262da94531627c7e1e8ec7677f (commit)
  replaces  samba-4.16.0rc1
 tagged by  Stefan Metzmacher
on  Tue Apr 12 01:59:10 2022 +0200

- Log -
tevent: tag release tevent-0.12.0

Andreas Schneider (107):
  s4:kdc: Add a HDB to SDB mask
  s4:kdc: Remove trailing spaces in hdb-samba4.c
  s4:kdc: Translate HDB flags to SDB flags
  bootstrap: Fix CentOS8 runner
  bootstrap: Migrate to CentOS8 Stream
  selftest: Do not force -d0 for smbd/nmbd/winbindd
  builtools: Make abi_gen.sh less prone to errors
  bootstrap: If the mold linker is available prefer it over gold
  bootstrap: Install mold linker on Fedora 35
  s3:winbindd: Add a sanity check for the range
  s3:utils: Add a testparm check for idmap autorid
  docs-xml: Fix idmap_autorid documentation
  editorconfig: Final newlines are pycodestyle
  third_party:waf: Print the version of waf at the end of the update script
  third_party: Update waf to verison 2.0.23
  s3:utils: Fix missing space in testparm output
  autobuild: Rewrite the symbol checking
  editorconfig: Change shell to tabs with tab width 8
  configure: Reformat wrapper script
  buildtools: Reformat shell scripts
  docs-xml: Reformat shell scripts
  examples: Reformat shell scripts
  selftest: Add ad member with idmap_autorid backend
  s3:tests: Run test_idmap_rid.sh against admem_idmap_autorid
  autobuild: Run admem_idmap_autorid tests
  lib:fuzzing: Reformat shell scripts
  lib:ldb: Reformat shell scripts
  lib:replace: Reformat shell scripts
  lib:tdb: Reformat shell scripts
  lib:tevent: Reformat shell scripts
  nsswitch: Reformat shell scripts
  packaging: Reformat shell scripts
  editorconfig: We always inserted a new line so keep doing that
  python: Reformat shell scripts
  release-scripts: Reformat shell scripts
  script: Reformat shell scripts
  selftest: Reformat shell scripts
  s3:locale: Reformat shell scripts
  s3:script: Reformat shell scripts
  s4:kdc: Align sflags type
  s4:kdc: Also cannoicalize krbtgt principals when enforcing 
canonicalization
  selftest: More tests are passing with MIT KRB5 >= 1.20
  s4:mitkdc: Set KRB5_KDB_NO_AUTH_DATA_REQUIRED based on sdb 
no_auth_data_reqd
  s4:mitkdc: Add support for MIT Kerberos 1.20
  s4:mitkdc: Add support for S4U2Self & S4U2Proxy
  s4:kdc: Implement new Microsoft forwardable flag behavior
  s4:auth: Remove trailing spaces in sam.c
  s4:auth: Also look up msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD
  s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd()
  s4:mitkdc: Implement mit_samba_check_allowed_to_delegate_from() for RBCD
  s4:mitkdc: Implement support for Resource Based Constrained Delegation 
(RBCD)
  gitlab-ci: Print the krb5 version
  gitlab-ci: Run krb5 tests also with MIT Kerberos 1.20 (prerelease)
  WHATSNEW: Bronze bit, S4U and RBDC support with MIT Kerberos 1.20
  testprogs: Add test that local krb5.conf has been created
  s3:libads: Remove trailing spaces in kerberos.c
  s3:libads: Leave early on error in get_kdc_ip_string()
  s3:libads: Improve debug messages for get_kdc_ip_string()
  s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()
  s3:libads: Allocate all memory on the talloc stackframe
  s3:libads: Remove obsolete free's of kdc_str
  s3:libads: Check print_canonical_sockaddr_with_port() for NULL in 
get_kdc_ip_string()
  s3:libads: Fix creating local krb5.conf
  python:tests: Fix type error in raw_testcase.py
  s4:kdc: Fix return code in mit_samba_update_pac()
  s4:kdc: Make sure ret is set if we goto bad_option
  s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
  auth: Add required headers to auth_sam_reply.h
  lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
  s4:kdc: Cleanup include files in pac-glue.c
  s4:kdc: Make pac parameter of samba_client_requested_pac() const
  s4:kdc: Implement common samba_kdc_update_pac()
  s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
  s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
  s4:kdc: Remove ks_is_tgs_principal()
  s4:kdc: Rem

[SCM] Samba Shared Repository - branch master updated

2022-04-28 Thread Stefan Metzmacher
The branch, master has been updated
   via  07081d03da2 script/autobuild.py: allow to run from within git 
rebase -i
  from  922261d77ae smbd: Use filename_convert_dirfsp() in 
smbd_smb2_create_send()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 07081d03da2a49010fdc905a39e48dd589be47b2
Author: Stefan Metzmacher 
Date:   Tue Apr 12 15:04:53 2022 +

script/autobuild.py: allow to run from within git rebase -i

The 'git clone' used by autobuild.py fails if
GIT_DIR and GIT_WORK_TREE are already defined in the
environment.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Apr 28 15:23:24 UTC 2022 on sn-devel-184

---

Summary of changes:
 script/autobuild.py | 5 +
 1 file changed, 5 insertions(+)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index d309fa0e97c..9f790d8a53e 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -31,6 +31,11 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 # This speeds up testing remarkably.
 os.environ['TDB_NO_FSYNC'] = '1'
 
+# allow autobuild to run within git rebase -i
+if "GIT_DIR" in os.environ:
+del os.environ["GIT_DIR"]
+if "GIT_WORK_TREE" in os.environ:
+del os.environ["GIT_WORK_TREE"]
 
 def find_git_root():
 '''get to the top of the git repo'''
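Review bot: the added block leaves a single blank line before `def find_git_root():`, where the file previously had two; pycodestyle expects two before a top-level def. Each `if "X" in os.environ: del os.environ["X"]` pair can also be written as `os.environ.pop("X", None)`, and a short loop over the two names would keep the list easy to extend.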


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-16-test updated

2022-04-28 Thread Stefan Metzmacher
The branch, v4-16-test has been updated
   via  82d86282ca6 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
  from  6cbaa31fe0a s3:passdb: Also allow to handle UPNs in 
lookup_name_smbconf()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
commit 82d86282ca64177fe65cb5ab017a475a95d67cf3
Author: Stefan Metzmacher 
Date:   Wed Feb 16 14:11:10 2022 +0100

s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos

Even if the msDS-KeyVersionNumber of the main krbtgt
account is larger than 65535, we need to have
the 16 upper bits all zero in order to avoid
mixing the keys with an RODC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit ab0946a75d51b8f4826d98c61c3ad503615009fe)

Autobuild-User(v4-16-test): Stefan Metzmacher 
Autobuild-Date(v4-16-test): Thu Apr 28 15:42:38 UTC 2022 on sn-devel-184

---

Summary of changes:
 source4/kdc/db-glue.c | 51 +++
 1 file changed, 43 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bdadc1278c3..3e1f7a6b4dc 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -45,6 +45,9 @@
 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
((uint16_t)(((uint32_t)kvno) >> 16))
 
+#define SAMBA_KVNO_GET_VALUE(kvno) \
+   ((uint16_t)(((uint32_t)kvno) & 0x))
+
 #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
((krb5_kvno)uint32_t)kvno) & 0x) | \
 uint32_t)krbtgt) << 16) & 0x)))
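Review bot: in the added SAMBA_KVNO_GET_VALUE macro the argument appears as (uint32_t)kvno without parentheses of its own, so the cast binds only to the first operand if a caller ever passes an expression. Writing (uint32_t)(kvno) costs nothing, and the neighbouring SAMBA_KVNO_GET_KRBTGT has the same pattern and could be fixed in the same patch. A one-line comment saying that this macro yields the lower 16-bit part and SAMBA_KVNO_GET_KRBTGT the upper part would document the split the commit message describes.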
@@ -427,6 +430,7 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
struct sdb_entry_ex 
*entry_ex,
uint32_t 
*supported_enctypes_out)
 {
+   struct sdb_entry *entry = &entry_ex->entry;
krb5_error_code ret = 0;
enum ndr_err_code ndr_err;
struct samr_Password *hash;
@@ -437,10 +441,12 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
struct package_PrimaryKerberosBlob _pkb;
struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
+   bool is_krbtgt = false;
+   int krbtgt_number = 0;
+   uint32_t current_kvno;
+   uint32_t returned_kvno = 0;
uint16_t i;
uint16_t allocated_keys = 0;
-   int rodc_krbtgt_number = 0;
-   int kvno = 0;
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
@@ -452,6 +458,7 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
 
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | 
ENC_HMAC_SHA1_96_AES256;
+   is_krbtgt = true;
 
enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
if (enable_fast) {
@@ -481,9 +488,12 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
 
/* Is this the krbtgt or a RODC krbtgt */
if (is_rodc) {
-   rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, 
"msDS-SecondaryKrbTgtNumber", -1);
+   krbtgt_number = ldb_msg_find_attr_as_int(msg, 
"msDS-SecondaryKrbTgtNumber", -1);
 
-   if (rodc_krbtgt_number == -1) {
+   if (krbtgt_number == -1) {
+   return EINVAL;
+   }
+   if (krbtgt_number == 0) {
return EINVAL;
}
}
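Review bot: the two checks after reading msDS-SecondaryKrbTgtNumber reject only -1 and 0, so any other negative value, or a value above 65535, is still accepted into krbtgt_number even though the kvno has only a 16-bit part for it. A single range test that returns EINVAL for everything outside 1..65535 would cover the two existing cases and the ones they miss.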
@@ -503,11 +513,20 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
goto out;
}
 
-   kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
-   if (is_rodc) {
-   kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number);
+   current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 
0);
+   if (is_krbtgt) {
+   /*
+* Even for the main krbtgt account
+* we have to strictly split the kvno into
+* two 16-bit parts and the upper 16-bit
+* need to be all zero, even if
+* the msDS-KeyVersionNumber has a value
+* larger than 65535.
+*
+* See https://bugzilla.samba.org/show_bug.cgi?id=14951
+*/
+   current_kvno = SAMBA_KVNO_GET_VALUE(current_kvno);
}
-   entry_ex->entry.kvno = kvno;
 
/* Get keys fro
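Review bot: current_kvno is a uint32_t but is filled from ldb_msg_find_attr_as_int(), so a negative stored msDS-KeyVersionNumber is converted to a large unsigned value before SAMBA_KVNO_GET_VALUE() is applied. This function already reads msDS-SupportedEncryptionTypes with ldb_msg_find_attr_as_uint(); using the same accessor here would keep the types consistent. The masking is applied only when is_krbtgt is set, and the new comment should say that other accounts keep the full value so the asymmetry reads as intentional.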

[SCM] Samba Shared Repository - branch v4-4-test updated

2016-09-23 Thread Stefan Metzmacher
The branch, v4-4-test has been updated
   via  0708007 Merge tag 'samba-4.4.6' into v4-4-test
   via  99ced63 Revert "script/release.sh: use 8 byte gpg key ids"
  from  816c764 ctdb-daemon: Log when removing stale Unix domain socket

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test


- Log -
commit 0708007457141eb9ddb05966b9c03288e35eede0
Merge: 816c764 99ced63
Author: Stefan Metzmacher 
Date:   Fri Sep 23 19:30:06 2016 +0200

Merge tag 'samba-4.4.6' into v4-4-test

samba: tag release samba-4.4.6

---

Summary of changes:


Changeset truncated at 500 lines:



-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2016-09-25 Thread Stefan Metzmacher
The branch, master has been updated
   via  631e063 s3-lib: Do not set an empty string in split_domain_user()
   via  0c4e132 s3-lib: Parse WORKGROUP\username in 
set_cmdline_auth_info_username()
   via  5328325 s3-lib: Do not create 'MACHINE$@' usernames
   via  7f14776 nsswitch: Use own credential cache for wbinfo tests
   via  2dac252 testprogs: Use own credential cache for 
test_client_etypes.sh
   via  7abda74 testprogs: Use better KRB5CCNAME in 
test_password_settings.sh
   via  9413e33 s3-script: Use unique krb5ccache name
   via  3470dca s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test
  from  c60ea2c glusterfs: Avoid tevent_internal.h

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 631e063f6bb49da426ca7343b6987f7831078d7f
Author: Andreas Schneider 
Date:   Tue Sep 20 19:51:15 2016 +0200

s3-lib: Do not set an empty string in split_domain_user()

The function should also return if it failed or not.

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Sun Sep 25 12:56:17 CEST 2016 on sn-devel-144

commit 0c4e13243826871e0597fcd37bd90b184c296e21
Author: Andreas Schneider 
Date:   Thu Sep 15 12:08:24 2016 +0200

s3-lib: Parse WORKGROUP\username in set_cmdline_auth_info_username()

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 5328325f94fc2b49f34cf5f2c699ec7440ef1ec9
Author: Andreas Schneider 
Date:   Thu Sep 15 12:54:42 2016 +0200

s3-lib: Do not create 'MACHINE$@' usernames

If there is no realm set we should not add it to the machine account.

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

commit 7f14776ba7704bdefcbd6ad71856b6efdeacf052
Author: Andreas Schneider 
Date:   Mon Sep 19 13:27:30 2016 +0200

nsswitch: Use own credential cache for wbinfo tests

If we do not set it, it will add the credentials to the system default
credential cache, which is e.g. FILE:/tmp/krb5cc_1000.

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

commit 2dac25249749734dfc2f27cb10088e97cecdc6ad
Author: Andreas Schneider 
Date:   Wed Sep 21 00:01:35 2016 +0200

testprogs: Use own credential cache for test_client_etypes.sh

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

commit 7abda740f5671ff6f1ef326cf80afb8b65a4e5e7
Author: Andreas Schneider 
Date:   Tue Sep 20 09:46:34 2016 +0200

testprogs: Use better KRB5CCNAME in test_password_settings.sh

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

commit 9413e337cee630d3357b9a3299a67a4160bbc495
Author: Andreas Schneider 
Date:   Mon Sep 19 12:18:31 2016 +0200

s3-script: Use unique krb5ccache name

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

commit 3470dca36df56aaf08589632462865154c9fa869
Author: Andreas Schneider 
Date:   Thu Sep 15 15:47:25 2016 +0200

s3-selftest: Rename samba3.ntlm_auth.krb5 old ccache test

This makes it easier to run only one of them.

Signed-off-by: Andreas Schneider 
    Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 nsswitch/tests/test_wbinfo.sh  | 10 +++-
 nsswitch/tests/test_wbinfo_simple.sh   | 10 +++-
 source3/include/proto.h|  2 +-
 source3/lib/util.c | 16 +-
 source3/lib/util_cmdline.c | 61 +-
 source3/libnet/libnet_join.c   | 40 ++
 source3/rpc_server/wkssvc/srv_wkssvc_nt.c  | 24 ++---
 .../script/tests/test_smbclient_netbios_aliases.sh |  5 +-
 source3/selftest/tests.py  |  2 +-
 testprogs/blackbox/test_client_etypes.sh   |  8 +++
 testprogs/blackbox/test_password_settings.sh   |  8 ++-
 11 files changed, 156 insertions(+), 30 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 1d14ca3..69cc437 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -51,6 +51,12 @@ knownfail() {
 return $status
 }
 
+KRB5CCNAME_PATH="$PREFIX/test_wbinfo_krb5ccache"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
 # List users
 testit "wbinfo -u against $TARGET" $wbinfo -u || failed=`expr $failed + 1`
 # List groups
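Review bot: rm -f $KRB5CCNAME_PATH is unquoted although the assignment above it quotes "$PREFIX/test_wbinfo_krb5ccache", so a PREFIX containing whitespace or glob characters makes rm act on paths other than the cache file. Use rm -f "$KRB5CCNAME_PATH".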
@@ -244,8 +250,10 @@ testit "wbinfo --getdcname against $TARGET" $wbinfo 
--getdcname=$DOMAIN
 
 testit "wbinfo -p against $TARGET" $wbinfo -p || failed=`expr $failed + 1`
 
-testit "wbinfo -K against $TARGET with domain creds" 

[SCM] Samba Shared Repository - branch master updated

2016-10-05 Thread Stefan Metzmacher
The branch, master has been updated
   via  eb75553 s3-printing: fix migrate printer code (bug 8618)
  from  402c3c4 tevent: version 0.9.31

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit eb7555397fd4e9f66e041179aadff59f2a39d14f
Author: Björn Baumbach 
Date:   Fri Nov 18 18:54:56 2011 +0100

s3-printing: fix migrate printer code (bug 8618)

Removed path from driver files.
We only need the basenames.
(cherry picked from commit d61993043fcb7676a58658476421f5f4ff1a3fea)
(cherry picked from commit 9f07ef2249dc21eab37cd5888623e6edc84b2b59)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8618

Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
Reviewed-by: Günther Deschner 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Oct  5 19:19:39 CEST 2016 on sn-devel-144

---

Summary of changes:
 source3/printing/nt_printing_migrate.c | 27 +++
 1 file changed, 27 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/printing/nt_printing_migrate.c 
b/source3/printing/nt_printing_migrate.c
index eacafa2..f56aa70 100644
--- a/source3/printing/nt_printing_migrate.c
+++ b/source3/printing/nt_printing_migrate.c
@@ -3,6 +3,7 @@
  *  RPC Pipe client / server routines
  *
  *  Copyright (c) Andreas Schneider2010.
+ *  Copyright (C) Bjoern Baumbach  2011
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -27,6 +28,20 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "rpc_client/cli_winreg_spoolss.h"
 
+static const char *driver_file_basename(const char *file)
+{
+   const char *basefile;
+
+   basefile = strrchr(file, '\\');
+   if (basefile == NULL) {
+   basefile = file;
+   } else {
+   basefile++;
+   }
+
+   return basefile;
+}
+
 NTSTATUS printing_tdb_migrate_form(TALLOC_CTX *mem_ctx,
   struct rpc_pipe_client *winreg_pipe,
   const char *key_name,
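Review bot: driver_file_basename() returns an empty string for a name that ends in a backslash, because basefile++ then points at the terminator, and the callers store that result without looking at it. Decide what an empty basename should mean (reject the record, or keep the original name) and handle it in the helper. Only '\\' is treated as a separator; if '/' can occur in the stored driver file names, handle it as well or say in a comment why it cannot.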
@@ -101,6 +116,7 @@ NTSTATUS printing_tdb_migrate_driver(TALLOC_CTX *mem_ctx,
WERROR result;
const char *driver_name;
uint32_t driver_version;
+   int i;
 
blob = data_blob_const(data, length);
 
@@ -123,8 +139,19 @@ NTSTATUS printing_tdb_migrate_driver(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(d3);
ZERO_STRUCT(a);
 
+   /* remove paths from file names */
+   if (r.dependent_files != NULL) {
+   for (i = 0 ; r.dependent_files[i] != NULL; i++) {
+   r.dependent_files[i] = 
driver_file_basename(r.dependent_files[i]);
+   }
+   }
a.string = r.dependent_files;
 
+   r.driverpath = driver_file_basename(r.driverpath);
+   r.configfile = driver_file_basename(r.configfile);
+   r.datafile = driver_file_basename(r.datafile);
+   r.helpfile = driver_file_basename(r.helpfile);
+
d3.architecture = r.environment;
d3.config_file = r.configfile;
d3.data_file = r.datafile;
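Review bot: r.driverpath, r.configfile, r.datafile and r.helpfile are passed to driver_file_basename() without the NULL guard that r.dependent_files gets a few lines above, and the helper hands its argument straight to strrchr(). If any of these fields can be unset in a migrated record, guard the calls or make the helper NULL-safe. The loop index declared as int i in the previous hunk would be better as an unsigned type such as the uint32_t used for driver_version.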


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag tevent-0.9.31 created

2016-10-06 Thread Stefan Metzmacher
The annotated tag, tevent-0.9.31 has been created
at  c8e1bdcd6d1017092bcec8a59a879cf9f8903850 (tag)
   tagging  402c3c4062864df4a6da76df9ac1734c7bcbee8e (commit)
  replaces  tdb-1.3.11
 tagged by  Stefan Metzmacher
on  Fri Oct 7 06:46:41 2016 +0200

- Log -
tevent: tag release tevent-0.9.31

Amitay Isaacs (12):
  ctdb-protocol: Fix marshalling for GET_DB_SEQNUM control request
  ctdb-common: Use correct db_id size in marshalling record buffer
  s3-ctdb: Use correct db_id size in marshalling record buffer
  ctdb-recoverd: Drop code to freeze databases from set_recovery_mode()
  ctdb-daemon: Remove NUM_DB_PRIORITIES
  ctdb-recovery-helper: Add missing initialisation of ban_credits
  ctdb-daemon: Avoid extra condition in tevent trace callback
  ctdb-daemon: Log a message when fork() takes long time
  ctdb-daemon: Log a message when vfork() takes long time
  ctdb-locking: Log if ctdb is unable to take db locks in INACTIVE state
  ctdb-locking: Restrict lock debugging to once per second
  ctdb-common: Add routines to manage PID file

Andreas Schneider (115):
  mit_samba: Add missing argument passed to authsam_make_user_info_dc()
  mit_samba: Add missing copyright
  s4-kdc: pac-glue: Add support for MIT pkinit
  gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal
  gensec_krb5: Rename smb_rd_req_return_stuff()
  gensec_krb5: Use krb5_wrap setup_kaddr() to convert address
  gensec_krb5: Only set the event context with Heimdal
  gensec_krb5: Use kerberos_free_data_contents() to free krb5 data
  gensec_krb5: Use implementation idependent krb5_mk_req_extended()
  gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key()
  krb5_wrap: Rename setup_kaddr()
  krb5_wrap: Rename get_kerberos_allowed_etypes()
  krb5_wrap: Rename kerberos_free_data_contents()
  krb5_wrap: Rename krb5_copy_data_contents()
  krb5_wrap: Move krb5_auth_con_setuseruserkey() to the top
  krb5_wrap: Move all ads function to the end
  krb5_wrap: Use consistent naming for setup_auth_context()
  krb5_wrap: Use consistent naming for create_gss_checksum()
  krb5_wrap: Fix formatting issues in ads_krb5_mk_req()
  krb5_wrap: Improve return value checks and debug messsages
  krb5_wrap: Rename cli_krb5_get_ticket()
  krb5_wrap: Fix ads_krb5_cli_get_ticket() return checks and debug messages
  krb5_wrap: Cleanup some code in ads_krb5_cli_get_ticket()
  krb5_wrap: Move krb5_free_unparsed_name() to the top
  krb5_wrap: Rename get_krb5_smb_session_key()
  krb5_wrap: Move krb5_princ_component() to the top
  krb5_wrap: Remove redundant comment
  krb5_wrap: Document smb_krb5_renew_ticket()
  krb5_wrap: Document smb_krb5_free_addresses()
  krb5_wrap: Document smb_krb5_gen_netbios_krb5_address()
  krb5_wrap: Remove unneded smb_krb5_free_error()
  krb5_wrap: Remove unused handle_krberror_packet()
  krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_alloc()
  krb5_wrap: Remove unneeded smb_krb5_get_init_creds_opt_free()
  krb5_wrap: Rename smb_get_enctype_from_kt_entry()
  krb5_wrap: Document smb_krb5_kt_get_enctype_from_entry()
  krb5_wrap: Document smb_krb5_kt_free_entry()
  krb5_wrap: Document smb_krb5_enctype_to_string()
  krb5_wrap: Rename smb_krb5_open_keytab_relative()
  krb5_wrap: Document smb_krb5_kt_open_relative()
  krb5_wrap: Fix whitespace issues in smb_krb5_kt_open_relative()
  krb5_wrap: Rename smb_krb5_open_keytab()
  krb5_wrap: Document smb_krb5_kt_open()
  krb5_wrap: Rename smb_krb5_keytab_name()
  krb5_wrap: Document smb_krb5_kt_get_name()
  krb5_wrap: Document smb_krb5_keyblock_init_contents()
  waf: Check for the correct function name
  krb5_wrap: Add MIT implmentation of smb_krb5_keyblock_init_contents()
  krb5_wrap: Rename kerberos_kinit_keyblock_cc()
  krb5_wrap: Improve smb_krb5_kinit_keyblock_cache() documentation
  krb5_wrap: Rename kerberos_kinit_password_cc()
  krb5_wrap: Document smb_krb5_kinit_password_ccache()
  krb5_wrap: Rename kerberos_kinit_s4u2_cc()
  krb5_wrap: Improve smb_krb5_kinit_s4u2_ccache() documentation
  krb5_wrap: Document smb_krb5_make_principal()
  krb5_wrap: Document smb_krb5_make_pac_checksum()
  krb5_wrap: Fix documentation of smb_krb5_principal_get_realm()
  krb5_wrap

[SCM] Samba Shared Repository - branch v4-3-test updated

2016-10-13 Thread Stefan Metzmacher
The branch, v4-3-test has been updated
   via  2014c08 s3-spoolss: fix winreg_printer_ver_to_qword
   via  e0c9067 gencache: Bail out of stabilize if we can not get the 
allrecord lock
  from  0b0574e lib: poll_funcs : poll_funcs_context_slot_find can select 
the wrong slot to replace.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test


- Log -
commit 2014c088d32daf5efe93fd9843c7a395907b4499
Author: Günther Deschner 
Date:   Mon Sep 12 17:55:37 2016 +0200

s3-spoolss: fix winreg_printer_ver_to_qword

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12285

We were reporting the OS minor number as the driver version number in all
GetDriver/EnumDriver calls.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 
(cherry picked from commit a9a1a16cc8b87a84cdfa049ebd26bf4eac1b3618)

Autobuild-User(v4-3-test): Stefan Metzmacher 
Autobuild-Date(v4-3-test): Thu Oct 13 20:12:54 CEST 2016 on sn-devel-104

commit e0c9067b4a46147057ec3454bb4d0a9e27bc854e
Author: Volker Lendecke 
Date:   Mon Sep 19 14:29:21 2016 -0700

gencache: Bail out of stabilize if we can not get the allrecord lock

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12045

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Sep 20 04:09:33 CEST 2016 on sn-devel-144

(cherry picked from commit b208499960eefef02d305a3bd59b03a7c2aafcac)

---

Summary of changes:
 source3/lib/gencache.c  | 2 +-
 source3/rpc_client/cli_winreg_spoolss.c | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index 90eafaa..7ac9eba 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -658,7 +658,7 @@ bool gencache_stabilize(void)
return false;
}
 
-   res = tdb_lockall(cache_notrans->tdb);
+   res = tdb_lockall_nonblock(cache_notrans->tdb);
if (res != 0) {
tdb_transaction_cancel(cache->tdb);
DEBUG(10, ("Could not get allrecord lock on "
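Review bot: with tdb_lockall_nonblock() a non-zero res now also means that another process simply holds the lock, yet the failure path is unchanged and reports it only at DEBUG level 10. Add a comment at the call saying why blocking is not acceptable here, and make sure callers of gencache_stabilize() treat this failure as "busy, try again later" rather than as a hard error.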
diff --git a/source3/rpc_client/cli_winreg_spoolss.c 
b/source3/rpc_client/cli_winreg_spoolss.c
index ac4fe86..68ac053 100644
--- a/source3/rpc_client/cli_winreg_spoolss.c
+++ b/source3/rpc_client/cli_winreg_spoolss.c
@@ -529,8 +529,9 @@ static WERROR winreg_printer_write_ver(TALLOC_CTX *mem_ctx,
NTSTATUS status;
char *str;
 
-   /* FIXME: check format is right,
-*  this needs to be something like: 6.1.7600.16385 */
+   /*
+* this needs to be something like: 6.1.7600.16385
+*/
str = talloc_asprintf(mem_ctx, "%u.%u.%u.%u",
  (unsigned)((data >> 48) & 0x),
  (unsigned)((data >> 32) & 0x),
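Review bot: the rewritten comment drops the "FIXME: check format is right" marker, but nothing in this hunk adds such a check; the string is still built directly from data with "%u.%u.%u.%u". Either keep the FIXME or state in the commit message why no check is needed on the write path.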
@@ -574,7 +575,7 @@ static WERROR winreg_printer_ver_to_dword(const char *str, 
uint64_t *data)
*data = ((uint64_t)(v1 & 0x) << 48) +
((uint64_t)(v2 & 0x) << 32) +
((uint64_t)(v3 & 0x) << 16) +
-   (uint64_t)(v2 & 0x);
+   (uint64_t)(v4 & 0x);
 
return WERR_OK;
 }
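Review bot: the function fixed here is still named winreg_printer_ver_to_dword although it fills a uint64_t and the commit subject calls it winreg_printer_ver_to_qword; rename it in the same patch. The v2 in place of v4 in the last term went unnoticed by any test, so a unit test that converts a four-part string such as the 6.1.7600.16385 quoted in the previous hunk and checks all four fields would be worth adding.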


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-5-test updated

2016-10-13 Thread Stefan Metzmacher
The branch, v4-5-test has been updated
   via  416d062 ctdb-daemon: Log when removing stale Unix domain socket
   via  14313b0 ctdb-daemon: Drop attempt to connect to Unix domain socket
   via  8866233 ctdb-daemon: Don't try to reopen TDB files
   via  2ebed56 ctdb-daemon: Bind to Unix domain socket after PID file 
creation
   via  81d8f89 ctdb-daemon: Use PID file abstraction
   via  a1a1fe4 ctdb-common: Add routines to manage PID file
   via  aefc593 s3-spoolss: fix winreg_printer_ver_to_qword
   via  a23ff4c nsswitch: Also set h_errnop for nss_wins functions
   via  568f9fb nsswitch: Add missing arguments to wins gethostbyname*
   via  62f4e3d s3/smbd: set FILE_ATTRIBUTE_DIRECTORY as necessary
   via  5bd28ff gencache: Bail out of stabilize if we can not get the 
allrecord lock
  from  68302ce ctdb-recovery-helper: Add missing initialisation of 
ban_credits

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -
commit 416d062225f51edbb5461d90aceb211ded763582
Author: Martin Schwenke 
Date:   Thu Sep 22 14:52:55 2016 +1000

ctdb-daemon: Log when removing stale Unix domain socket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

Autobuild-User(master): Amitay Isaacs 
Autobuild-Date(master): Thu Sep 22 12:28:12 CEST 2016 on sn-devel-144

(cherry picked from commit 0ec01826d32019b06dd10bb9b6ea5232786d5699)

Autobuild-User(v4-5-test): Stefan Metzmacher 
Autobuild-Date(v4-5-test): Thu Oct 13 20:46:42 CEST 2016 on sn-devel-144

commit 14313b0d57edc027d2c3b375071daf4a70e01752
Author: Martin Schwenke 
Date:   Thu Sep 22 14:47:02 2016 +1000

ctdb-daemon: Drop attempt to connect to Unix domain socket

This was a weak attempt at exclusivity.  PID file creation now does
that properly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 8eff9e96037627b1e4adf3ccc8da94ef8f0bad2a)

commit 8866233e5d3d4d14d7d1738b14bea2cb92e98652
Author: Martin Schwenke 
Date:   Thu Sep 22 14:46:12 2016 +1000

ctdb-daemon: Don't try to reopen TDB files

There aren't any open at this stage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit d719a87fe021b0c704fc4b12ddfc0345fe3af146)

commit 2ebed563e42000de8327797b76e446bab70102ad
Author: Martin Schwenke 
Date:   Thu Sep 22 14:43:58 2016 +1000

ctdb-daemon: Bind to Unix domain socket after PID file creation

No use touching the socket if PID file creation fails.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 1e501c77492d25b760c7b10849460ee6490f39dc)

commit 81d8f89385fcf1e79a3c9d7b1fbab1cd696a03ee
Author: Martin Schwenke 
Date:   Thu Sep 22 14:35:03 2016 +1000

ctdb-daemon: Use PID file abstraction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 5148e02adb7b2ea34da9c826a682c1387773402b)

commit a1a1fe45533edaee94923e6cf2978e186e612a14
Author: Amitay Isaacs 
Date:   Mon Sep 19 16:30:12 2016 +1000

ctdb-common: Add routines to manage PID file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12287

Signed-off-by: Amitay Isaacs 
Reviewed-by: Martin Schwenke 
(cherry picked from commit 97b6ac7f662d8de316ed520e038779e79bcdb7bc)

commit aefc59359d980ebb7ea4b75219dad0e62ff52ab0
Author: Günther Deschner 
Date:   Mon Sep 12 17:55:37 2016 +0200

s3-spoolss: fix winreg_printer_ver_to_qword

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12285

We were reporting the OS minor number as the driver version number in all
GetDriver/EnumDriver calls.

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 
(cherry picked from commit a9a1a16cc8b87a84cdfa049ebd26bf4eac1b3618)

commit a23ff4c66c3dd45616da8beb40e4e9eda7f74a7d
Author: Andreas Schneider 
Date:   Tue Sep 20 13:26:52 2016 +0200

nsswitch: Also set h_errnop for nss_wins functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-off-by: Andreas Schneider 
Reviewed-by: Jim McDonough 

(cherry picked from commit 382345126c56e26d3dbc319f1c7c1dae3c4fafc9)

commit 568f9fb5b0772b744ac9c6092dc7e35720e42cdf
Author: Andreas Schneider 
Date:   Mon Sep 19 16:17:11 2016 +0200

nsswitch: Add missing arguments to wins gethostbyname*

The errno pointer argument is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269

Signed-

[SCM] Samba Shared Repository - branch master updated

2016-10-13 Thread Stefan Metzmacher
The branch, master has been updated
   via  001e23f ntlmssp.idl: don't generate python bindings for 
ntlmssp_NTLM_RESPONSE and ntlmssp_LM_RESPONSE
   via  0f1859b spoolss.idl: use access mask defines from security.idl
   via  63686a1 nfs4acl.idl: rename interface to nfs4acl.idl to avoid 
naming clash in the python bindings
  from  caff670 libcli: Remove code clone

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 001e23fd6250f8426b0866370fb4fdcbe5b29147
Author: Stefan Metzmacher 
Date:   Tue Sep 13 07:25:38 2016 +0200

ntlmssp.idl: don't generate python bindings for ntlmssp_NTLM_RESPONSE and 
ntlmssp_LM_RESPONSE

ntlmssp_NTLM_RESPONSE and NTLM_RESPONSE will both result in
"ntlmssp.NTLM_RESPONSE".

The same applies to ntlmssp_LM_RESPONSE and LM_RESPONSE.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Oct 13 21:56:27 CEST 2016 on sn-devel-144

commit 0f1859b85ec7b755c7a3f39ae57a250858cf8252
Author: Stefan Metzmacher 
Date:   Tue Sep 13 06:30:34 2016 +0200

spoolss.idl: use access mask defines from security.idl

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 

commit 63686a1c82126f0aa90317e4790d01b4bcf1a9e1
Author: Stefan Metzmacher 
Date:   Tue Sep 13 08:07:21 2016 +0200

nfs4acl.idl: rename interface to nfs4acl.idl to avoid naming clash in the 
python bindings

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 

---

Summary of changes:
 librpc/idl/nfs4acl.idl | 2 +-
 librpc/idl/ntlmssp.idl | 4 ++--
 librpc/idl/spoolss.idl | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/nfs4acl.idl b/librpc/idl/nfs4acl.idl
index aeab0a0..13a6d13 100644
--- a/librpc/idl/nfs4acl.idl
+++ b/librpc/idl/nfs4acl.idl
@@ -11,7 +11,7 @@ import "misc.idl", "security.idl";
   version(1.0),
   pointer_default(unique)
 ]
-interface nfs4acl
+interface nfs4acl_interface
 {
const char *NFS4ACL_XATTR_NAME = "system.nfs4acl";
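Review bot: the interface line is changed to nfs4acl_interface, but the commit subject says the interface is renamed "to nfs4acl.idl"; the subject should name the new interface. Anything generated from the old interface name changes with it, so the patch should either show the adjusted users or state that there are none.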
 
diff --git a/librpc/idl/ntlmssp.idl b/librpc/idl/ntlmssp.idl
index f041e32..6b22886 100644
--- a/librpc/idl/ntlmssp.idl
+++ b/librpc/idl/ntlmssp.idl
@@ -207,7 +207,7 @@ interface ntlmssp
uint8 ChallengeFromClient[8];
} LMv2_RESPONSE;
 
-   typedef [nodiscriminant] union {
+   typedef [nopython,nodiscriminant] union {
[case(24)] LM_RESPONSE v1;
[default];
} ntlmssp_LM_RESPONSE;
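Review bot: [nopython] is added to ntlmssp_LM_RESPONSE here, and to the NTLM response union in the next hunk, with no comment in the IDL saying why. The reason exists only in the commit message (the generated Python name would be the same as for LM_RESPONSE and NTLM_RESPONSE); put a short comment above each typedef so the attribute is not removed later as unexplained.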
@@ -238,7 +238,7 @@ interface ntlmssp
NTLMv2_CLIENT_CHALLENGE Challenge;
} NTLMv2_RESPONSE;
 
-   typedef [public,nodiscriminant] union {
+   typedef [public,nopython,nodiscriminant] union {
[case(0)] ;
[case(0x18)] NTLM_RESPONSE v1;
[default] NTLMv2_RESPONSE v2;
diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl
index 9010a95..df19bee 100644
--- a/librpc/idl/spoolss.idl
+++ b/librpc/idl/spoolss.idl
@@ -2867,10 +2867,10 @@ cpp_quote("#define spoolss_security_descriptor 
security_descriptor")
PRINTER_ALL_ACCESS;
 
const int PRINTER_ACE_MANAGE_DOCUMENTS = SEC_GENERIC_ALL |
-   READ_CONTROL_ACCESS;
+SEC_STD_READ_CONTROL;
 
-   const int PRINTER_ACE_PRINT = GENERIC_EXECUTE_ACCESS |
- READ_CONTROL_ACCESS |
+   const int PRINTER_ACE_PRINT = SEC_GENERIC_EXECUTE |
+ SEC_STD_READ_CONTROL |
  PRINTER_ACCESS_USE;
 
/**/
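Review bot: PRINTER_ACE_MANAGE_DOCUMENTS and PRINTER_ACE_PRINT are access masks, and the hunk swaps READ_CONTROL_ACCESS and GENERIC_EXECUTE_ACCESS for SEC_STD_READ_CONTROL and SEC_GENERIC_EXECUTE without stating that the numeric values are identical. Say so in the commit message, or add a compile-time check, so a reviewer can confirm that the resulting constants are unchanged.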


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-4-test updated

2016-10-24 Thread Stefan Metzmacher
The branch, v4-4-test has been updated
   via  5a0b28a lib: Fix bug 12291
   via  46780e3 s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set 
"KRB5CCNAME"
   via  f2a0f86 s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set 
"KRB5CCNAME"
   via  3b98cde HEIMDAL:lib/krb5: destroy a memory ccache on reinit
   via  60ffbab s3-printing: fix migrate printer code (bug 8618)
   via  cc3b76b s3: cldap: cldap_multi_netlogon_send() fails with one bad 
IPv6 address.
   via  9ecc6ac s3-utils: Fix loading smb.conf in smbcquotas
   via  ab1c3d4 ctdb-scripts: Fix incorrect variable reference
   via  bf7e0fb ctdb-scripts: Avoid dividing by zero in memory calculation
   via  0fcbce8 s3/winbindd: using default domain with u...@domain.com 
format fails
   via  0790769 Add a blackbox tests for id & getent to test domain@realm 
type credentials
   via  6e12cac s3-lib: Fix %G substitution in AD member environment
   via  dba617a torture/ioctl: test compression responses when unsupported
   via  3af480f smbd/ioctl: match WS2016 ReFS get compression behaviour
   via  15a8ee6 vfs_glusterfs: Fix a memory leak in connect path
   via  17e61a1 spoolss: Fix caching of printername->sharename
   via  49d4c63 s4:samba_spnupdate: do not attempt to parse log level, use 
parsed value
   via  4c54612 python/join: do not attempt to parse log level, use parsed 
value
   via  430e9d2 python/drs_utils: do not attempt to parse log level, use 
parsed value
   via  4fe66b5 tests/param add a test for LoadParm.log_level
   via  cfa3e0f s4:param add log_level function to retrieve log level in 
Python code
   via  ad96251 glusterfs: Avoid tevent_internal.h
   via  3170f53 s3: events. Move events.c to util_event.c
   via  fc82907 s3: server: s3_tevent_context_init() -> 
samba_tevent_context_init()
   via  a60c9ce s3: winbind: Remove dump_event_list() calls.
   via  ed6b8bc s3: nmbd: Final changeover to stock tevent for nmbd.
   via  95401c5 s3: nmbd: Change over to using tevent functions from direct 
poll.
   via  e9cf61d s3: nmbd: Add a talloc_stackframe().
   via  f8d8ed5 s3: nmbd: Add (currently unused) timeout and fd handlers.
   via  1ccbb07 s3: nmbd: Now attrs array mirrors fd's array use it in 
preference.
   via  b8ae31c s3: nmbd: Ensure attrs array mirrors fd's array for dns.
   via  5d160ee s3: nmbd: Add fd, triggered elements to struct 
socket_attributes.
   via  e4c48c9 s3:nmbd: fix talloc_zero_array() check in nmbd_packets.c
   via  257644f s3: winbind: Ensure we store name2sid with the correct 
cache sequence number.
   via  47ab4a0 s3: winbind: Trust name2sid mappings from the PAC.
   via  1d28a24 s3: winbind: refresh_sequence_number is only ever called 
with 'false'.
   via  275ae03 s3: auth: Use wbcAuthenticateUserEx to prime the caches.
   via  2dfbdc5 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the 
name2sid cache.
   via  ba1356d ctdb-scripts: ctdbd_wrapper should never remove the PID file
  from  0708007 Merge tag 'samba-4.4.6' into v4-4-test

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test


- Log -
commit 5a0b28a30d8e4187e184e86ef7f1cf0abe625678
Author: Jeremy Allison 
Date:   Fri Oct 21 14:38:49 2016 -0700

lib: Fix bug 12291

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12291

Back-ported from f92590d10aaf9a289b5f6aac8ffc79129b83a517 in master.

    Signed-off-by: Jeremy Allison 

Autobuild-User(v4-4-test): Stefan Metzmacher 
Autobuild-Date(v4-4-test): Mon Oct 24 14:24:42 CEST 2016 on sn-devel-144

commit 46780e34aa43e24f7354ee463f3b11891ffacdf9
Author: Stefan Metzmacher 
Date:   Mon Oct 10 17:07:12 2016 +0200

s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set "KRB5CCNAME"

Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 
Reviewed-by: Uri Simchoni 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144

(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca)

commit f2a0f86b3facc22a9ce873e16e18106330d88ffb
Author: Stefan Metzmacher 
Date:   Mon Oct 10 17:07:12 2016 +0200

s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor set "KRB5CCNAME"

Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Günther Deschner 
Reviewed-by: Uri Simchoni 
(cherry picked from commit 890b1bbdb8e965c4

[SCM] Samba Shared Repository - branch v4-5-stable updated

2016-10-26 Thread Stefan Metzmacher
The branch, v4-5-stable has been updated
   via  548e16c Revert "script/release.sh: use 8 byte gpg key ids"
  from  bc07150 VERSION: Disable git snapshots for the 4.5.1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable


- Log -
commit 548e16ca617ca8d5ad2171907c2a2cc8bc15f85c
Author: Karolin Seeger 
Date:   Mon Oct 24 21:44:07 2016 +0200

Revert "script/release.sh: use 8 byte gpg key ids"

This reverts commit 181d05005e1e5887052887a58bb33a9adc98bd92.

---

Summary of changes:
 script/release.sh | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/script/release.sh b/script/release.sh
index 769f742..7db4e53 100755
--- a/script/release.sh
+++ b/script/release.sh
@@ -662,7 +662,7 @@ announcement_samba_rc() {
echo ""
echo ""
echo "The uncompressed tarballs and patch files have been 
signed"
-   echo "using GnuPG (ID ${GPG_KEYID}).  The source code can be 
downloaded"
+   echo "using GnuPG (ID 6568B7EA).  The source code can be 
downloaded"
echo "from:"
echo ""
echo "${download_url}"
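Review bot: In announcement_samba_rc() the echo now prints the literal ID 6568B7EA instead of ${GPG_KEYID}, so the announcement can name a different key from the one actually used for signing whenever GPG_KEYID is supplied from the environment (further down the script only assigns a default under `test -z "${GPG_KEYID-}"`). Keep the variable in the announcement text so the published ID always matches the signing key; if a shorter form is wanted for display, derive it from ${GPG_KEYID} rather than hard-coding it. The same applies to the identical change in announcement_samba_stable().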
@@ -845,7 +845,7 @@ announcement_samba_stable() {
echo ""
echo ""
echo "The uncompressed tarballs and patch files have been 
signed"
-   echo "using GnuPG (ID ${GPG_KEYID}).  The source code can be 
downloaded"
+   echo "using GnuPG (ID 6568B7EA).  The source code can be 
downloaded"
echo "from:"
echo ""
echo "${release_url}"
@@ -1052,7 +1052,7 @@ talloc | tdb | tevent | ldb)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='4793916113084025'
+   GPG_KEYID='13084025'
}
 
productbase="${product}"
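Review bot: The default for talloc | tdb | tevent | ldb drops from the 64-bit ID 4793916113084025 to the 32-bit 13084025, and 32-bit OpenPGP key IDs can be collided cheaply, so a user who looks the key up by the announced ID may import a look-alike key. The commit message only says "This reverts commit ...", without stating what broke with the long IDs; record that reason, and prefer keeping the long ID (or the full fingerprint) as the default while fixing whichever consumer needed the short form. The same comment applies to the three samba-rc, samba-stable and TODO-samba-security defaults below.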
@@ -1071,7 +1071,7 @@ samba-rc)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='6568B7EA'
}
 
productbase="samba"
@@ -1092,7 +1092,7 @@ samba-stable)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='6568B7EA'
}
 
productbase="samba"
@@ -1114,7 +1114,7 @@ TODO-samba-security)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='6568B7EA'
}
 
productbase="samba"


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-5-test updated

2016-10-26 Thread Stefan Metzmacher
The branch, v4-5-test has been updated
   via  e70b87b Merge tag 'samba-4.5.1' into v4-5-test
   via  548e16c Revert "script/release.sh: use 8 byte gpg key ids"
  from  670022c VERSION: Bump version up to 4.5.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -
commit e70b87bb227b0f9849745a8807a670b6858469d4
Merge: 670022c 548e16c
Author: Stefan Metzmacher 
Date:   Wed Oct 26 16:26:58 2016 +0200

Merge tag 'samba-4.5.1' into v4-5-test

samba: tag release samba-4.5.1

---

Summary of changes:


Changeset truncated at 500 lines:



-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2016-11-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  530c2c8 ldb: version 1.1.28
   via  e369d80 pyldb: protect PyErr_LDB_ERROR_IS_ERR_RAISE() with do {} while(0)
  from  28fbc5e s3-net: use SMB_SIGNING_DEFAULT in connect_to_service()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 530c2c8f976281be941c314090be7bc60e6b22ed
Author: Volker Lendecke 
Date:   Sat Nov 12 14:14:34 2016 +

ldb: version 1.1.28

* Fix the build with installed ldb-devel 1.1.27
  We depend on LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC.

* Some build fixes.

* More performance improvements.

Signed-off-by: Volker Lendecke 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 23 20:48:31 CET 2016 on sn-devel-144

commit e369d800ba64a4047787afd0b416f7d26cfd33f4
Author: Stefan Metzmacher 
Date:   Tue Nov 8 09:18:52 2016 +0100

pyldb: protect PyErr_LDB_ERROR_IS_ERR_RAISE() with do {} while(0)

This should avoid the following warning:

 CID 1394274:  Control flow issues  (DEADCODE)
 Execution cannot reach this statement: ";".

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 lib/ldb/ABI/{ldb-1.1.27.sigs => ldb-1.1.28.sigs}                   | 0
 lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.28.sigs}     | 0
 lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.1.28.sigs} | 0
 lib/ldb/pyldb.h                                                    | 5 +++--
 lib/ldb/wscript                                                    | 2 +-
 5 files changed, 4 insertions(+), 3 deletions(-)
 copy lib/ldb/ABI/{ldb-1.1.27.sigs => ldb-1.1.28.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.1.28.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.1.28.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-1.1.27.sigs b/lib/ldb/ABI/ldb-1.1.28.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.1.27.sigs
copy to lib/ldb/ABI/ldb-1.1.28.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs 
b/lib/ldb/ABI/pyldb-util-1.1.28.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.1.28.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs 
b/lib/ldb/ABI/pyldb-util.py3-1.1.28.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.1.28.sigs
diff --git a/lib/ldb/pyldb.h b/lib/ldb/pyldb.h
index e0cce1e..4fc89ec 100644
--- a/lib/ldb/pyldb.h
+++ b/lib/ldb/pyldb.h
@@ -95,11 +95,12 @@ typedef struct {
struct ldb_control *data;
 } PyLdbControlObject;
 
-#define PyErr_LDB_ERROR_IS_ERR_RAISE(err,ret,ldb) \
+#define PyErr_LDB_ERROR_IS_ERR_RAISE(err,ret,ldb) do { \
if (ret != LDB_SUCCESS) { \
PyErr_SetLdbError(err, ret, ldb); \
return NULL; \
-   }
+   } \
+} while(0)
 
 /* Picked out of thin air. To do this properly, we should probably have some 
part of the 
  * errors in LDB be allocated to bindings ? */
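Review bot: The macro body still expands ret unparenthesized in `if (ret != LDB_SUCCESS)`, so an argument that is an assignment or conditional expression would bind wrongly against `!=`; write `if ((ret) != LDB_SUCCESS)`. With the do { } while(0) wrapper every call site must now end in a semicolon, so callers that relied on the old brace-only form need checking. A one-line comment that the macro returns NULL from the calling function would also help, since the hidden return is easy to miss when a caller has cleanup to do.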
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 13f1d93..1bab04d 100755
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.1.27'
+VERSION = '1.1.28'
 
 blddir = 'bin'
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-1.1.28 created

2016-11-23 Thread Stefan Metzmacher
The annotated tag, ldb-1.1.28 has been created
at  7ba4a035dc202da08e2ddf41762f29b79527fe62 (tag)
   tagging  530c2c8f976281be941c314090be7bc60e6b22ed (commit)
  replaces  tevent-0.9.31
 tagged by  Stefan Metzmacher
on  Thu Nov 24 08:27:16 2016 +0100

- Log -
ldb: tag release ldb-1.1.28

Amitay Isaacs (19):
  Revert "ctdb-common: Use SCHED_RESET_ON_FORK when setting SCHED_FIFO"
  ctdb-common: Simplify code using local variables
  ctdb-daemon: Simplify code using local variable
  ctdb-common: Simplify code using tdb_storev
  ctdb-daemon: Simplify code using tdb_storev
  ctdb-client: Simplify using a local variable
  ctdb-client: Simplify using tdb_storev
  ctdb-tool: Simplify using tdb_storev
  ctdb-tools: Simplify using tdb_storev
  ctdb-tools: Simplify using a local variable
  ctdb-packaging: Update required tdb version for tdb_storev()
  dlz-bind: Fix preprocessor checks for BIND versions
  dlz-bind: Fix initialization of DLZ_DLOPEN_AGE
  dlz-bind: Set DNS_CLIENTINFO_VERSION based on BIND version
  dlz-bind: Add support for BIND 9.11.x
  provision: Add support for BIND 9.11.x
  ctdb-scripts: Fix calculation of CTDB_BASE
  ctdb-locking: Reset real-time priority in lock helper
  ctdb-recovery: Avoid NULL dereference in failure case

Andreas Schneider (43):
  s4-libnet: Use SetUserInfo2 to set the account flags
  s3-libnet: Pass enum value names to dcerpc_samr_SetUserInfo2()
  s3-utils: Fix loading smb.conf in smbcquotas
  s3-param: Add comment to call lp_load_global() after popt processing
  s3-rpcclient: Fix initializing rpcclient
  selftest: Create AD users alice and bob
  s3-lib: Fix %G substitution in AD member environment
  selftest: Create a share with %D %U and %G substituion
  s3-selftest: Add a substituions testcase
  waf: Cleanup deps list for smbregistry
  waf: Cleanup deps list for smbd
  s4-rpc_server: Use DCERPC_NCA_S_UNKNOWN_IF for fault code
  idl: Remove unused DCERPC_FAULT_UNK_IF
  s3-winbind: Do not return NO_MEMORY if we have an empty user list
  s3-printing: Improve debug message
  s3-spoolss: Remove printer from registry if it is unpublished
  s3-client: Sync in tool cmdline help with smbclient manpage
  s3-printing: Correctly encode CUPS printer URIs
  s3-printing: Allow printer names longer than 16 chars
  s3-epmapper: Ignore epm_Map object guid
  libcli/smb: add smb1cli_session_setup_lm21_send/recv()
  s3:libsmb: handle the spnego as a first action in cli_session_setup_send()
  s3:libsmb: split out a cli_session_creds_init() function
  s3-winbind: Directly pass creds with cli_session_setup_creds()
  s3:tests: Set missing directories for test_registry_upgrade.sh
  lib:util: Don't print lstat warning on ERROR debug level
  s3:rpcclient: Print a new line on exit
  s3:messaging: Create an messaging_init_internal() returning NTSTATUS
  s3:messaging: Add messaging_init_client() function
  s3:rpcclient: Use messaging_init_client()
  s3:net: Use messaging_init_client()
  nss_wins: Fix errno values for HOST_NOT_FOUND
  s4:torture: Strip trailing whitespaces in session_key.c
  s4:torture: Normalizes names in session_key test
  s4:torture: Fix cleanup of the secrets object in session_key test
  Update .ycm_extra_conf.py
  s3:spoolss: Set default OS Version to Windows Server 2003 R2 SP2
  s3:spoolss: Return error when there is no driver assigned
  s3:spoolss: Improve debug messages in construct_printer_driver
  s3:spoolss: Add support for COPY_FROM_DIRECTORY in AddPrinterDriverEx
  s3:spoolss: Add some useful debug messages on error
  lib:torture: Make variables const
  s4:torture: Add tortue test for AddPrinterDriverEx with COPY_FROM_DIRECTORY

Andrew Bartlett (17):
  build: Fix build with perl on debian sid.
  dsdb: Add python hooks to allocate a RID set and allocate a RID pool
  dbcheck: Correctly initialise keep_transaction in missing_parent test
  dsdb: Create RID Set as SYSTEM
  dsdb: Rework DSDB code to use WERROR
  dsdb: Catch errors in extended operations (like allocating a RID Set)
  python: create NTSTATUSError, HRESULTError and WERRORError
  pyerrors: Add PyErr_Set{WERROR,HRESULT,NTSTATUS}_and_string()
  python: Add DsExtendedError Excepti

[SCM] Samba Shared Repository - branch master updated

2016-11-30 Thread Stefan Metzmacher
The branch, master has been updated
   via  78a77d4 tdb: version 1.3.12
  from  6e95fd8 param: fix lp_parameter_value_is_valid() for parametric options

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 78a77d468f4bef633d9039b155c4b2d66e70ac84
Author: Stefan Metzmacher 
Date:   Wed Nov 30 16:05:28 2016 +0100

tdb: version 1.3.12

* Bug 12455 - tdb mutexes don't work on FreeBSD

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 30 20:02:28 CET 2016 on sn-devel-144

---

Summary of changes:
 lib/tdb/ABI/{tdb-1.3.11.sigs => tdb-1.3.12.sigs} | 0
 lib/tdb/wscript                                  | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 copy lib/tdb/ABI/{tdb-1.3.11.sigs => tdb-1.3.12.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/lib/tdb/ABI/tdb-1.3.11.sigs b/lib/tdb/ABI/tdb-1.3.12.sigs
similarity index 100%
copy from lib/tdb/ABI/tdb-1.3.11.sigs
copy to lib/tdb/ABI/tdb-1.3.12.sigs
diff --git a/lib/tdb/wscript b/lib/tdb/wscript
index 4e52b6c..34058e4 100644
--- a/lib/tdb/wscript
+++ b/lib/tdb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'tdb'
-VERSION = '1.3.11'
+VERSION = '1.3.12'
 
 blddir = 'bin'
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag tdb-1.3.12 created

2016-12-01 Thread Stefan Metzmacher
The annotated tag, tdb-1.3.12 has been created
at  c86fd21b598eb89a0f80ce3447c9462e5506703e (tag)
   tagging  78a77d468f4bef633d9039b155c4b2d66e70ac84 (commit)
  replaces  ldb-1.1.28
 tagged by  Stefan Metzmacher
on  Thu Dec 1 14:13:37 2016 +0100

- Log -
tdb: tag release tdb-1.3.12

Amitay Isaacs (4):
  ctdb-tests: Remove unused test code
  ctdb-daemon: Consolidate command line options to ctdbd
  ctdb-daemon: Remove unused code cmdline.[ch]
  ctdb-daemon: Mark RecoverPDBBySeqNum tunable deprecated

Anoop C S (1):
  s3/dump_core: Honour pipe symbol (|) in system-wide core_pattern under linux

Günther Deschner (13):
  docs: fix funny typo in smb.conf manpage wrt Samba's FSRVP server.
  s3-rpc_cli: Support the use of the object_uuid in rpc_cli interfaces
  s3-rpcclient: Add rpcclient IRemoteWinspool commands
  s3-rpcclient: Add AsyncCorePrinterDriverInstalled command
  librpc: Introduce cab.idl
  librpc: Add autogenerated checksum calculation for Cabinet files
  librpc: Add autogenerated total cabinet size for Cabinet files
  librpc: Add autogenerated file offset calculation for Cabinet files
  librpc: Add ndr_cab_get_compression() for Cabinet compression evaluation
  s4-torture: Introduce Cabinet ndr testsuite
  s4-torture: Add a validation test for uncompressed Cabinet files
  s4-torture: Add MSZIP compressed cabinet test
  s4-torture: Add LZX compressed cabinet test

Martin Schwenke (3):
  lib/util: Make sys_rw available to CTDB
  ctdb-lock-helper: Drop include of ctdb_private.h
  ctdb-common: Drop CTDB's copy of sys_read() and sys_write()

Ralph Wuerthner (1):
  param: fix lp_parameter_value_is_valid() for parametric options

Stefan Metzmacher (1):
  tdb: version 1.3.12

Uri Simchoni (2):
  WHATSNEW: document kerberos encryption types
  WHATSNEW: document new inherit owner option

Volker Lendecke (5):
  selftest: Fix timestamps on FreeBSD 11
  ntlm_auth4: Remove it
  tdb: NULL out tdb->mutexes in tdb_mutex_munmap
  tdb: Only mmap the mutex area if not already mmap'ed
  tdb: Fix mutexes on FreeBSD

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - annotated tag ldb-1.1.29 created

2016-12-01 Thread Stefan Metzmacher
The annotated tag, ldb-1.1.29 has been created
at  1db0d5255605dc569839015862ea9dc56b0f0a99 (tag)
   tagging  aa63600afb925715f7a24a3af5c0df433541bc12 (commit)
  replaces  tdb-1.3.12
 tagged by  Stefan Metzmacher
on  Thu Dec 1 14:15:24 2016 +0100

- Log -
ldb: tag release ldb-1.1.29

Alexis La Goutte (1):
  Fix typo

Andrew Bartlett (23):
  selftest: Rework child process cleanup
  selftest: Ensure vampiredc has a full copy of localdc before we start
  join.py: Attempt to allocate a RID Set during the join
  talloc: add ASCII art to describe parent/child arrangement
  talloc: clarify that talloc_magic never includes the bits in TALLOC_FLAG_MASK
  talloc: Add tests for talloc_parent() after realloc() of the parent
  s4/rpc_server: Show what RPC interfaces are listening on which TCP port
  torture: Remove access to LSARPC via \\pipe\netlogon in rpc.netlogon for ManyGetDCName test
  pidl: Use a static const initialised struct in dcerpc_server_$name_init(void)
  s4-rpc_server: Use a type-safe struct signature in dcerpc_register_ep_server
  s4-rpc_server: Use an initialised static const struct in dcerpc_server_remote_init
  pidl: Change *_get_pipe_fns() to return const struct api_struct *
  pidl: Make static struct api_struct also const
  dsdb: specify attributes when loading schema
  ldb: Avoid individual memory allocations when searching for indexlist
  ldb: Add helper function ldb_schema_attribute_remove_flagged()
  ldb: Reduce scope of allocation and de-allocation of @ATTRIBUTES
  ldb: Reduce per-attribute memory allocation during @ATTRIBUTES load
  ldb: Add helper function ldb_schema_attribute_fill_with_syntax()
  ldb: load @ATTRIBUTES faster by sorting once, not at each insertion
  ldb: Cope with a->name being *
  ldb: Add test for behaviour of rdn_name
  ldb: new ldb version 1.1.29

Douglas Bagnall (3):
  lib/registry/regf: better initialise nk_block
  smbd/service_stream: connection processing flag is not really bool
  smbclient: fix string formatting in print command

Jeremy Allison (2):
  librpc: cab: Integer wrap protection for ndr_count_cfdata().
  librpc: cab: Fix ndr_size_cab_file() to detect integer wrap.

Lumir Balhar (3):
  python: wscript_build: Prepare build environment for Python 3 porting
  python: selftesthelpers: Add possibility for planning tests for
  python: samba.subunit.run: Fix Python 3 compatibility.

Petr Viktorin (1):
  python: Add py3compat.h

Stefan Metzmacher (4):
  selftest/gdb_*: make use of 'mktemp'
  ldb:controls: add LDB_CONTROL_RECALCULATE_RDN_OID
  ldb:rdn_name: normalize rdn_name in rdn_rename_callback()
  ldb:rdn_name: add support for LDB_CONTROL_RECALCULATE_RDN_OID on ldb_modify()

Volker Lendecke (2):
  ldb: Fix typos
  ldb: Fix an unused variable warning

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-5-test updated

2016-12-07 Thread Stefan Metzmacher
The branch, v4-5-test has been updated
   via  91a3133 Merge tag 'samba-4.5.2' into v4-5-test
   via  6ead525 VERSION: Disable git snapshots for the 4.5.2 release.
   via  2109236 WHATSNEW: Add release notes for Samba 4.5.2.
   via  1084656 printing: Fix building with CUPS version older than 1.7
  from  343718c printing: Fix building with CUPS version older than 1.7

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -
commit 91a3133747556c174a606aa97990b0e2b820f74e
Merge: 343718c 6ead525
Author: Stefan Metzmacher 
Date:   Wed Dec 7 10:31:23 2016 +0100

Merge tag 'samba-4.5.2' into v4-5-test

samba: tag release samba-4.5.2

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:


Changeset truncated at 500 lines:



-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2016-12-08 Thread Stefan Metzmacher
The branch, master has been updated
   via  50dff7e pidl: Make dcesrv\_$name\_interface "static const"
   via  0e2f03f s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy()
  from  52fad16 s3: torture: Regression test case for permissions check on rename.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 50dff7e094d48793b432992a28571a6f7e5cc73c
Author: Andrew Bartlett 
Date:   Mon Nov 21 11:21:50 2016 +1300

pidl: Make dcesrv\_$name\_interface "static const"

This moves it out of the global namespace

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Dec  8 13:25:57 CET 2016 on sn-devel-144

commit 0e2f03f9bd1cf91aa09e528d1a02c88262fdb2a9
Author: Andrew Bartlett 
Date:   Mon Nov 21 11:31:27 2016 +1300

s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy()

Use a typesafe struct-returning function instead

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm | 2 +-
 source4/rpc_server/dcerpc_server.c       | 5 +
 source4/rpc_server/dcesrv_mgmt.c         | 6 ++
 3 files changed, 8 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm 
b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
index 7077864..7ca18a8 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
@@ -192,7 +192,7 @@ static NTSTATUS $name\__op_ndr_push(struct 
dcesrv_call_state *dce_call, TALLOC_C
return NT_STATUS_OK;
 }
 
-const struct dcesrv_interface dcesrv\_$name\_interface = {
+static const struct dcesrv_interface dcesrv\_$name\_interface = {
.name   = \"$name\",
.syntax_id  = {".print_uuid($uuid).",$if_version},
.bind   = $name\__op_bind,
diff --git a/source4/rpc_server/dcerpc_server.c 
b/source4/rpc_server/dcerpc_server.c
index 862127b..072e352 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -42,8 +42,6 @@
 #include "lib/util/samba_modules.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 
-extern const struct dcesrv_interface dcesrv_mgmt_interface;
-
 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
const struct dcerpc_bind *b,
struct dcerpc_ack_ctx *ack_ctx_list);
@@ -283,8 +281,7 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct 
dcesrv_context *dce_ctx,
return NT_STATUS_NO_MEMORY;
}
 
-   memcpy(&(ifl->iface), &dcesrv_mgmt_interface, 
-  sizeof(struct dcesrv_interface));
+   ifl->iface = dcesrv_get_mgmt_interface();
 
DLIST_ADD(ep->interface_list, ifl);
}
diff --git a/source4/rpc_server/dcesrv_mgmt.c b/source4/rpc_server/dcesrv_mgmt.c
index 4d3428d..577f0fb 100644
--- a/source4/rpc_server/dcesrv_mgmt.c
+++ b/source4/rpc_server/dcesrv_mgmt.c
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 #include "rpc_server/dcerpc_server.h"
+#include "rpc_server/dcerpc_server_proto.h"
 #include "librpc/gen_ndr/ndr_mgmt.h"
 
 #define DCESRV_INTERFACE_MGMT_BIND(call, iface) \
@@ -107,3 +108,8 @@ static WERROR dcesrv_mgmt_inq_princ_name(struct 
dcesrv_call_state *dce_call, TAL
 
 /* include the generated boilerplate */
 #include "librpc/gen_ndr/ndr_mgmt_s.c"
+
+const struct dcesrv_interface dcesrv_get_mgmt_interface(void)
+{
+   return dcesrv_mgmt_interface;
+}
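Review bot: dcesrv_get_mgmt_interface() is declared as returning `const struct dcesrv_interface` by value, and the const qualifier on a by-value return type has no effect in C because the returned value is not an lvalue. Either drop the qualifier, or return `const struct dcesrv_interface *` to the static object and have dcesrv_interface_register() assign `ifl->iface = *dcesrv_get_mgmt_interface();`, which makes the read-only intent real. The new function also has no comment saying that it exists so the generated interface struct can stay file-local.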


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2016-12-14 Thread Stefan Metzmacher
The branch, master has been updated
   via  cf536e3 torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon
   via  5434bde torture: Add ServerReqChallengeReuse to rpc.netlogon
   via  568d250 torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon
   via  f55dc9c torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS
   via  380ec1b torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test
   via  ecb1f56 torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
  from  91d5ea2 librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cf536e36fbb87a691b78bbea999497e3ce1049dc
Author: Andrew Bartlett 
Date:   Wed Dec 14 15:59:08 2016 +1300

torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon

This test ensures that when the per-pipe challenge is used, the tdb cache
is wiped as well

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Dec 14 15:56:37 CET 2016 on sn-devel-144

commit 5434bde87bb7fc7625642fd020c5835a6de10ce5
Author: Andrew Bartlett 
Date:   Wed Dec 14 15:17:24 2016 +1300

torture: Add ServerReqChallengeReuse to rpc.netlogon

This test covers credentials reuse on the same process.

We test with direct re-use, and for the case where the challenge
is reset to zeros.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 568d250bfb26edbf9ad8370f2e0ce470839301bc
Author: Andrew Bartlett 
Date:   Wed Dec 14 15:12:12 2016 +1300

torture: Add new test ServerReqChallengeReuseGlobal to rpc.netlogon

This test ensures we cannot re-use the entries in the global challenge table.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit f55dc9cf72d7d8a2a3754dd8901d50e5611d8f5d
Author: Andrew Bartlett 
Date:   Wed Dec 14 15:09:15 2016 +1300

torture/samba3rpc: Use NETLOGON_NEG_AUTH2_ADS_FLAGS

This allows this test to pass after "allow nt4 crypto" is removed from
the default environment.

We now only set it in ad_dc

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 380ec1bb72378b7acfe52da25839633016367337
Author: Andrew Bartlett 
Date:   Wed Dec 14 17:45:19 2016 +1300

torture: Use DCERPC_SCHANNEL_AUTO in rpc.schannel.schannel2 test

This allows it to run against modern servers that do not permit NT4 crypto

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit ecb1f569d7a297dda6ff6ce040d3555a89404fd7
Author: Andrew Bartlett 
Date:   Wed Dec 14 14:50:20 2016 +1300

torture: Add credentials downgrade and challenge reuse test to rpc.netlogon

This test confirms that the challenge set up is available
after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED
check.

This is needed for NetApp ONTAP member servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 selftest/knownfail  |   2 +
 selftest/target/Samba4.pm   |   2 +-
 source4/torture/rpc/netlogon.c  | 344 
 source4/torture/rpc/samba3rpc.c |   2 +-
 source4/torture/rpc/schannel.c  |   2 +-
 5 files changed, 349 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 97ec6ef..0e168ab 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -79,6 +79,8 @@
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
 ^samba4.rpc.netlogon.*.GetPassword
 ^samba4.rpc.netlogon.*.DatabaseRedo
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # 
Broken by allowing NT4 crypto on this environment
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\) 
# Broken by allowing NT4 crypto on this environment
 ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
 ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal
 ^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only 
work with seal
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index da60c44..9e30475 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -860,7 +860,6 @@ sub provision($$)
server max protocol = SMB2
host msdfs = $msdfs
lanman auth = yes
-   allow nt4 crypto = yes
 
# fruit:copyfile is a global option
fruit:copyfile = yes
@@ -1399,6 +1398,7 @@ sub provision_ad_dc_ntvfs($$)
 my $extra_conf_options = "

[SCM] Samba Shared Repository - branch master updated

2016-12-14 Thread Stefan Metzmacher
The branch, master has been updated
   via  a7598fb rpc_server:netlogon Move from memcache to a tdb cache
  from  cf536e3 torture: Add ServerReqChallengeReuseGlobal2 to rpc.netlogon

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a7598fb53b3a5238d49edbcbdfd218311ae73807
Author: Douglas Bagnall 
Date:   Wed Nov 9 15:17:00 2016 +1300

rpc_server:netlogon Move from memcache to a tdb cache

This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.

Pair-Programmed-With: Andrew Bartlett 
Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Douglas Bagnall 
Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144

---

Summary of changes:
 libcli/auth/schannel_state.h                  |  12 ++
 libcli/auth/schannel_state_tdb.c              | 261 ++
 librpc/idl/schannel.idl                       |   7 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  92 +
 4 files changed, 325 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h
index f9d02dd..a333098 100644
--- a/libcli/auth/schannel_state.h
+++ b/libcli/auth/schannel_state.h
@@ -39,4 +39,16 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
struct netr_Authenticator 
*return_authenticator,
struct netlogon_creds_CredentialState 
**creds_out);
 
+NTSTATUS schannel_get_challenge(struct loadparm_context *lp_ctx,
+   struct netr_Credential *client_challenge,
+   struct netr_Credential *server_challenge,
+   const char *computer_name);
+
+NTSTATUS schannel_save_challenge(struct loadparm_context *lp_ctx,
+const struct netr_Credential *client_challenge,
+const struct netr_Credential *server_challenge,
+const char *computer_name);
+
+NTSTATUS schannel_delete_challenge(struct loadparm_context *lp_ctx,
+  const char *computer_name);
 #endif
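Review bot: The three new prototypes carry no comment saying which arguments are inputs and which are outputs; in schannel_get_challenge() the non-const client_challenge and server_challenge look like out parameters, but that has to be inferred from the missing const. Add a short comment per function covering the direction of each argument, the status returned when no entry exists for computer_name, and whether a successful get removes the entry or the caller is expected to call schannel_delete_challenge().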
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 2d3481d..d884279 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -272,6 +272,267 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
return status;
 }
 
+
+/*
+ * Create a very lossy hash of the computer name.
+ *
+ * The idea here is to compress the computer name into small space so
+ * that malicious clients cannot fill the database with junk, as only a
+ * maximum of 16k of entries are possible.
+ *
+ * Collisions are certainly possible, and the design behaves in the
+ * same way as when the hostname is reused, but clients that use the
+ * same connection do not go via the cache, and the cache only needs
+ * to function between the ReqChallenge and ServerAuthenticate
+ * packets.
+ */
+static void hash_computer_name(const char *computer_name,
+  char keystr[16])
+{
+   unsigned int hash;
+   TDB_DATA computer_tdb_data = {
+   .dptr = (uint8_t *)discard_const_p(char, computer_name),
+   .dsize = strlen(computer_name)
+   };
+   hash = tdb_jenkins_hash(&computer_tdb_data);
+
+   /* we are using 14 bits of the digest to index our connections, so
+  that we use at most 16,384 buckets.*/
+   snprintf(keystr, 15, "CHALLENGE/%x%x", hash & 0xFF,
+(hash & 0xFF00 >> 8) & 0x3f);
+   return;
+}
+
+
+static
+NTSTATUS schannel_store_challenge_tdb(struct db_context *db_sc,
+ TALLOC_CTX *mem_ctx,
+ const struct netr_Credential 
*client_challenge,
+ const struct netr_Credential 
*server_challenge,
+ const char *computer_name)
+{
+   enum ndr_err_code ndr_err;
+   DATA_BLOB blob;
+   TDB_DATA value;
+   char *name_upper = NULL;
+   NTSTATUS status;
+   char keystr[16] = { 0, };
+   struct netlogon_cache_entry cache_entry;
+
+   if (strlen(computer_name) > 255) {
+   /*
+* We don't make this a limit at 15 chars as Samba has
+* a test showing this can be longer :-(
+*/
+   return STATUS_BUFFER_OVERFLOW;
+   }
+
+   name_upper = strupper_talloc(mem_ctx, comput
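Review bot: In hash_computer_name() the second snprintf argument `(hash & 0xFF00 >> 8) & 0x3f` does not select bits 8 to 13: `>>` binds tighter than `&`, so it evaluates as `hash & (0xFF00 >> 8) & 0x3f`, that is `hash & 0x3f`, which is fully determined by the first argument `hash & 0xFF`. The key therefore carries 8 bits of the hash (256 distinct keys) rather than the 14 bits and 16,384 buckets the comment describes, which raises the collision rate between computer names; write `(hash >> 8) & 0x3f`. The unpadded `%x%x` also lets different value pairs print the same string (1,23 and 12,3 both give "123"), so use fixed widths such as `%02x%02x`; the result still fits the 15-byte limit passed to snprintf.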
