The annotated tag, samba-4.14.8 has been created at b88740df312f4fcbd650dcb950ce61b4095170b7 (tag) tagging d1c9330fa69ba6942ab23843e21acc11767d54ee (commit) replaces samba-4.14.7 tagged by Jule Anger on Tue Oct 5 15:17:24 2021 +0200
- Log ----------------------------------------------------------------- samba: tag release samba-4.14.8 -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmFcUGQACgkQqplEL7aA tiA5TBAAhl4lBzgwUpjwOHxyXfJMmylJX5rN7sht/Xsy3OCo8CKFTWOo6peqcJk/ klumM4JjT7h24ptfOEQVEebvDujQ23b718YGnRJ0gZnYf0sitr3dRLULRL/qNwyF omW63gWjcs/xsNhBO7Hucp7ZUyWeJx0ZYZSbjQ+ZZvU7q4nmRxENMdK/gQpsdWjj diz/rYG2iLgwYQ7p42ScnSRGlSdCIaKtLcMbXXf8unIF4yfj+ePcxJCKrvucwZmf 349QIkUFboRswNTSfth+PoIlgHDLpOeqCop1tWA1hpU3H7t1pen3t8MyV4fjuiqU QhzSypg+mdhHGYgRVHGFt1mTrM3v5dNssx6hqx/KuKCDAB25dCFywhd8GuH3dIue kNI59G/uVishLhL0bFZg70nQL6pvCmZZ+ObJ+SDOfL1WaNwUQYfy/i8RwOm1AvVo /rNk9pHbmxfQBWaq1NbI+X2mhTFDg/mmglfw7XbMEuOYWyeCdb3NaiKNAwMLayxh iXpKYCaZavIoEg/dOWez7lBuvdUeDWso7ySsBkvjkkvP0dZ5J+dmXAIGodLTPcn7 mMFXocHvUoWxegeatOd1Do3irHZimd32b2ua4Z9yvG4q/5noD74vuuktDLVJEZaI YC1//IRHrQjkIcD9m3zKdVtVNVJX+VuMSeqUmuwPB4KyJ3jiGWc= =Hp4n -----END PGP SIGNATURE----- Andreas Schneider (3): selftest: Re-format long lines in selftesthelpers.py selftest: Add support for setting ENV variables in plansmbtorture4testsuite() selftest: Add support for setting ENV variables in plantestsuite() Andrew Bartlett (12): selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl selftest: Only run samba_tool_drs_showrepl test once dsdb: Be careful to avoid use of the expensive talloc_is_parent() selftest: Add a test for LookupSids3 and LookupNames4 in python s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes selftest: add space after --list in output of selftesthelpers.py selftest: Remove knownfail for no_etypes FAST tests tests/krb5: Remove harmful and a-typical return in as_req testcase tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) samldb: Address birthday paradox adding an RODC Gary Lockyer (2): tests python krb5: MS-KILE client principal look-up initial FAST tests Jeremy Allison (6): s3: smbd: Ensure all returns from OpenDir() correctly set errno. s3: smbd: Fix smbd crash on dangling symlink with posix connection calling several non-posix info levels. s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor. s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error. s3: smbd: Add fifo test for the DISABLE_OPATH case. s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem. Joseph Sutton (123): auth:creds: Remove unused variable auth:creds: Fix parameter in creds.set_named_ccache() pygensec: Fix method documentation Revert "s4-test: fixed ndrdump test for top level build" krb5ccache.idl: Add definition for a Kerberos credentials cache librpc: Test parsing a Kerberos 5 credentials cache with ndrdump krb5: Add Python functions to create a credentials cache containing a service ticket python: Add credentials cache test python: Add LDAP credentials cache test python: Add RPC credentials cache test Revert "libsmb: Use sid_parse()" libsmb: Remove overflow check libsmb: Avoid undefined behaviour when parsing whoami state libsmb: Check to see that whoami is not receiving more data than it requested libsmb: Ensure that whoami parses all the data provided to it pylibsmb: Add posix_whoami() python: Add SMB credentials cache test python: Ensure reference counts are properly incremented python: Fix erroneous increments of reference counts python: Fix ticket timestamp conversion when local timezone is not UTC python: Make credentials cache test run against Windows tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called tests/krb5/raw_testcase.py: Add get_admin_creds() tests/krb5/kdc_base_test.py: Create database connection only when needed tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute tests/krb5/kdc_base_test.py: Create loadparm only when needed tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS tests/krb5/raw_testcase.py: Make env_get_var() a standalone method tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds tests/krb5/raw_testcase.py: Cache obtained credentials tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function tests/krb5/raw_testcase.py: Simplify conditionals tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials tests/krb5/as_req_tests.py: Automatically obtain credentials tests/krb5/as_req_tests.py: Check the client kvno tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value tests/krb5: Deduplicate 'host' attribute initialisation tests/krb5/as_canonicalization_tests.py: Refactor account creation tests/krb5: Use admin creds for SamDB rather than user creds s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against pygensec: Fix memory leaks pygensec: Don't modify Python bytes objects tests/krb5: Fix ms_kile_client_principal_lookup_test errors tests/krb5: Fix comment typo tests/krb5: Fix method name typo tests/krb5: formatting tests/krb5: Remove unneeded statements tests/krb5: Use more compact dict lookup tests/krb5: Simplify Python syntax tests/krb5: Remove magic constants tests/krb5: Fix including enc-authorization-data tests/krb5: Fix callback_dict parameter tests/krb5: Fix encpart_decryption_key with MIT KDC tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC tests/krb5: Check Kerberos protocol version number tests/krb5: Use credentials kvno when creating password key tests/krb5: Allow cf2 to automatically use the enctype of the first key tests/krb5: Refactor get_pa_data() tests/krb5: Add get_enc_timestamp_pa_data_from_key() tests/krb5: Add method to return dict containing padata elements tests/krb5: Make _test_as_exchange() return value more consistent tests/krb5: Add get_EpochFromKerberosTime() tests/krb5: Use encryption with admin credentials tests/krb5: Allow specifying additional details when creating an account tests/krb5: Add more methods for obtaining machine and service credentials tests/krb5: Add method to calculate account salt tests/krb5: Add check_reply() method to check for AS or TGS reply tests/krb5: Always specify expected error code tests/krb5: Include kdc_options in kdc_exchange_dict tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn tests/krb5: Ensure in assertElementPresent() that container elements are not empty tests/krb5: Assert that more variables are not None tests/krb5: Check version number of obtained ticket tests/krb5: Make checking less strict tests/krb5: Check nonce in EncKDCRepPart tests/krb5: Add generate_ap_req() method tests/krb5: Ensure generated padata is not None tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() tests/krb5: Add more ASN1 definitions for FAST tests/krb5: Add more methods to create ASN1 objects for FAST tests/krb5: Add method to generate FAST encrypted challenge padata tests/krb5: Add methods to calculate keys for FAST tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() tests/krb5: Include authenticator_subkey in AS-REQ exchange dict tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ tests/krb5: Add FAST armor generation to _generic_kdc_exchange() tests/krb5: Allow specifying parameters specific to the outer request body tests/krb5: Add method to check PA-FX-FAST-REPLY tests/krb5: Add method to verify ticket checksum for FAST tests/krb5: Check FAST response tests/krb5: Add functions to get dicts of request padata tests/krb5: Add methods to determine whether elements were included in the request tests/krb5: Check encrypted-pa-data tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict tests/krb5: Include authdata in kdc_exchange_dict tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata tests/krb5: Add check_rep_padata() method to check padata in reply tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply tests/krb5: Remove unused variables tests/krb5: Add get_krbtgt_sname() method tests/krb5: Check sname is krbtgt for FAST generic error tests/krb5: Check reply FAST padata if request included FAST tests/krb5: Adjust reply padata checking depending on whether FAST was sent tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply tests/krb5: Check PADATA-FX-COOKIE in reply tests/krb5: Make check_rep_padata() also work for checking TGS replies tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies tests/krb5: Check PADATA-PAC-OPTIONS in reply tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors tests/krb5: Check PADATA-FX-ERROR in reply tests/krb5: Add FAST tests tests/krb5: Make e-data checking less strict tests/krb5: Make cname checking less strict CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request tests/krb5: Check e-data element for TGS-REP errors without FAST tests/krb5: Check PADATA-PW-SALT element in e-data tests/krb5: Add tests for omitting sname in request tests/krb5: Allow specifying parameters specific to the inner FAST request body tests/krb5: Allow expected_error_mode to be a container type pytest:segfault: Add test for ldb.msg_diff() ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL pyldb: Avoid use-after-free in msg_diff() Jule Anger (3): VERSION: Bump version up to 4.14.8... WHATSNEW: Add release notes for Samba 4.14.8. VERSION: Disable GIT_SNAPSHOT for the 4.14.8 release. Luke Howard (2): CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field Martin Schwenke (19): ctdb-recoverd: Add a helper variable ctdb-recoverd: Update the local node map before pushing out flags ctdb-recoverd: Push flags for a node if any remote node disagrees ctdb-protocol: Add new controls to disable and enable nodes ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE ctdb-daemon: Add a helper variable ctdb-daemon: Factor out a function to get node structure from PNN ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE ctdb-client: Add client code for disable/enable controls ctdb-tools: Use disable and enable controls in tool ctdb-daemon: Correct the condition for logging unchanged flags ctdb-daemon: Update logging for flag changes ctdb-daemon: Modernise remaining debug macro in this function ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete ctdb-daemon: Simplify ctdb_control_modflags() ctdb-daemon: Ignore flag changes for disconnected nodes ctdb-daemon: Don't mark a node as unhealthy when connecting to it Ralph Boehme (13): selftest: add a test for the "deadtime" parameter s3/rpc_server: track the number of policy handles with a talloc destructor s3/lib/dbwrap: check if global_messaging_context() succeeded registry: check for running as root in clustering mode vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x() vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes() vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes() winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send() winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() vfs_btrfs: fix btrfs_fget_compression() Stefan Metzmacher (17): vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat() auth/credentials: allow credentials.Credentials to act as base class Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds() tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future tests/krb5/raw_testcase.py: add assertElement*() tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create() tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create() tests/krb5/raw_testcase.py: add methods to iterate over etype permutations tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds() tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol selftest: run new as_req_tests against fl2008r2dc and fl2003dc tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test Volker Lendecke (1): librpc: Add py_descriptor_richcmp() equality function ----------------------------------------------------------------------- -- Samba Shared Repository