The annotated tag, ldb-2.3.1 has been created
        at  331ecebff59dadd17a413ef250e7535f96a54d7f (tag)
   tagging  c1d2a0570dfc697bbdda6047f10da4ea9cf261f8 (commit)
  replaces  samba-4.14.8
 tagged by  Stefan Metzmacher
        on  Wed Oct 27 13:19:17 2021 +0200

- Log -----------------------------------------------------------------
ldb: tag release ldb-2.3.1

Andreas Schneider (1):
      waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (8):
      selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
      kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
      kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
      selftest: Remove duplicate setup of $base_dn and $ldbmodify
      selftest: Improve error handling and perl style when setting up users in Samba4.pm
      dsdb: Allow special chars like "@" in samAccountName when generating the salt
      lib/krb5_wrap: Fix missing error check in new salt code
      ldb: Release ldb 2.3.1

Douglas Bagnall (2):
      pytest/rodc_rwdc: try to avoid race.
      pytest: dynamic tests optionally add __doc__

Isaac Boukris (4):
      kdc: remove KRB5SignedPath, to be replaced with PAC
      kdc: sign ticket using Windows PAC
      krb5: allow NULL parameter to krb5_pac_free()
      krb5: rework PAC validation loop

Jeremy Allison (2):
      s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
      s3: smbd: Ensure when we change security context we delete any $cwd cache.

Joseph Sutton (147):
      krb5pac.idl: Add ticket checksum PAC buffer type
      security.idl: Add well-known SIDs for FAST
      tests/krb5: Calculate expected salt if not given explicitly
      tests/krb5: Add methods to obtain the length of checksum types
      tests/krb5: Use signed integers to represent key version numbers in ASN.1
      tests/krb5: Add KDCOptions flag for constrained delegation
      tests/krb5: Use more compact dict lookup
      tests/krb5: Replace expected_cname_private with expected_anon parameter
      tests/krb5: Allow specifying an OU to create accounts in
      tests/krb5: Allow specifying additional User Account Control flags for account
      tests/krb5: Keep track of account DN in credentials object
      tests/krb5: Move padata generation methods to base class
      tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
      tests/krb5: Don't create PAC request manually in as_req_tests
      tests/krb5: Don't create PAC request or options manually in fast_tests
      tests/krb5: Remove magic constants
      tests/krb5: Allow specifying ticket flags expected to be set or reset
      tests/krb5: Make time assertion less strict
      tests/krb5: Allow Kerberos requests to be sent to DC or RODC
      tests/krb5: Check for presence of 'renew-till' element
      tests/krb5: Check 'caddr' element
      tests/krb5: Check for presence of 'key-expiration' element
      tests/krb5: Create testing accounts in appropriate containers
      tests/krb5: Allow specifying status code to be checked
      tests/krb5: Get expected cname from TGT for TGS-REQ messages
      tests/krb5: Get encpart decryption key from kdc_exchange_dict
      tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
      tests/krb5: Generate padata for FAST tests
      tests/krb5: Sign-extend kvno from 32-bit integer
      tests/krb5: Add method to get RODC krbtgt credentials
      tests/krb5: Add get_secrets() method to get the secret attributes of a DN
      tests/krb5: Allow replicating accounts to the RODC
      tests/krb5: Create RODC account for testing
      tests/krb5: Allow replicating accounts to the created RODC
      python: Don't leak file handles
      python/join: Check for correct msDS-KrbTgtLink attribute
      tests/krb5: Add helper method for modifying PACs
      tests/krb5: Check correct flags element
      tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
      tests/krb5: Allow tgs_req() to send additional padata
      tests/krb5: Allow tgs_req() to specify different kdc-options
      tests/krb5: Allow tgs_req() to send requests to the RODC
      tests/krb5: Allow as_req() to specify different kdc-options
      tests/krb5: Use PAC buffer type constants from krb5pac.idl
      tests/krb5: Don't manually create PAC request and options in fast_tests
      tests/krb5: Set DN of created accounts to ldb.Dn type
      tests/krb5: Allow get_service_ticket() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to specify different kdc-options
      tests/krb5: Allow get_tgt() to specify expected and unexpected flags
      tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
      tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
      tests/krb5: Cache obtained tickets
      tests/krb5: Add methods for creating zeroed checksums and verifying checksums
      tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
      tests/krb5: Add method to verify ticket PAC checksums
      tests/krb5: Add method for modifying a ticket and creating PAC checksums
      tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
      tests/krb5: Make get_default_enctypes() return a set of enctype constants
      tests/krb5: Add methods to convert between enctypes and bitfields
      tests/krb5: Get supported enctypes for credentials from database
      tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
      tests/krb5: Set key version number for all accounts created with create_account()
      tests/krb5: Allow tgs_req() to check the returned ticket enc-part
      tests/krb5: Add method to get DC credentials
      tests/krb5: Fix checking for presence of authorization data
      tests/krb5: Provide ticket enc-part key to tgs_req()
      tests/krb5: Simplify account creation
      tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
      tests/krb5: Verify checksums of tickets obtained from the KDC
      tests/krb5: Add method to determine if principal is krbtgt
      tests/krb5: Add classes for testing invalid checksums
      tests/krb5: Rename method parameter
      tests/krb5: Remove unused parameter
      tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
      tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
      tests/krb5: Fix PA-PAC-OPTIONS checking
      tests/krb5: Rename allowed_to_delegate_to parameter for clarity
      tests/krb5: Allow created accounts to use resource-based constrained delegation
      tests/krb5: Add assertion to make failures clearer
      tests/krb5: Introduce helper method for creating invalid length checksums
      tests/krb5: Fix method for creating invalid length zeroed checksum
      tests/krb5: Fix checksum generation and verification
      tests/krb5: Allow excluding the PAC server checksum
      tests/krb5: Fix handling authdata with missing PAC
      tests/krb5: Fix status code checking
      tests/krb5: Make expected_sname checking more explicit
      tests/krb5: Fix assertElementFlags()
      tests/krb5: Remove unneeded parameters from ticket cache key
      tests/krb5: Fix checking for presence of error data
      tests/krb5: Add expect_claims parameter to kdc_exchange_dict
      tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
      tests/krb5: Check constrained delegation PAC buffer
      tests/krb5: Save account SPN
      tests/krb5: Allow specifying options and expected flags when obtaining a ticket
      tests/krb5: Supply supported account enctypes in tgs_req()
      tests/krb5: Add parameter to enforce presence of ticket checksums
      tests/krb5: Add compatability tests for ticket checksums
      tests/krb5: Use correct principal name type
      tests/krb5: Clarify checksum type assertion message
      tests/krb5: Fix padata checking at functional level 2003
      tests/krb5: Add environment variable to specify KDC FAST support
      tests/krb5: Check padata types when STRICT_CHECKING=0
      tests/krb5: Check logon name in PAC
      tests/krb5: Simplify padata checking
      tests/krb5: Disable debugging output for tests
      tests/krb5: Provide clearer assertion messages for test failures
      tests/krb5: Fix sha1 checksum type
      selftest/dbcheck: Fix up RODC one-way links
      tests/krb5: Add TKT_SIG_SUPPORT environment variable
      tests/krb5: Require ticket checksums if decryption key is available
      tests/krb5: Verify tickets obtained with get_service_ticket()
      tests/krb5: Add constrained delegation tests
      tests/krb5: Don't include empty AD-IF-RELEVANT
      tests/krb5: Allow bypassing cache when creating accounts
      tests/krb5: Fix duplicate account creation
      s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
      s4:kdc: Fix debugging messages
      s4/torture: Expect ticket checksum PAC buffer
      s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
      heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
      s4:kdc: Check ticket signature
      heimdal:kdc: Fix ticket signing without a PAC
      tests/krb5: Allow get_tgt() to request including or omitting a PAC
      tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
      tests/krb5: Add method to get the PAC from a ticket
      tests/krb5: Add tests for requesting a service ticket without a PAC
      tests/krb5: Ensure PAC is not present if expect_pac is false
      tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
      selftest: Increase account lockout windows to make test more realiable
      selftest: krb5 account creation: clarify account type as an enum
      tests/krb5: Decrease length of test account prefix
      tests/krb5: Allow specifying prefix or suffix for test account names
      tests/krb5: Allow creating machine accounts without a trailing dollar
      tests/krb5: Allow specifying the UPN for test accounts
      tests/krb5: Fix account salt calculation to match Windows
      tests/krb5: Add tests for account salt calculation
      Fix Python docstrings
      pytest:segfault: Add test for deleting an ldb.Message dn
      pyldb: Fix deleting an ldb.Message dn
      pytest:segfault: Add test for deleting an ldb.Control critical flag
      pyldb: Fix deleting an ldb.Control critical flag
      s4/torture/drs/python: Fix attribute existence check
      pyldb: Add test for an invalid ldb.Message index type
      pyldb: Raise TypeError for an invalid ldb.Message index
      pyldb: Add tests for ldb.Message containment testing
      pyldb: Make ldb.Message containment testing consistent with indexing

Jule Anger (1):
      VERSION: Bump version up to Samba 4.14.9...

Luke Howard (4):
      krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
      kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
      kdc: use ticket client name when signing PAC
      kdc: correctly generate PAC TGS signature

Martin Schwenke (1):
      ctdb-tests: Fix typo in ctdb stub comment matching

Nicolas Williams (1):
      krb5: Fix PAC signature leak affecting KDC

Ralph Boehme (2):
      ctdb-scripts: filter out comments in public_addresses file
      ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests

Stefan Metzmacher (2):
      selftest/Samba3: remove unused close(USERMAP); calls
      selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")

Viktor Dukhovni (1):
      HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

-----------------------------------------------------------------------

-- 
Samba Shared Repository