The annotated tag, ldb-2.5.0 has been created
at 3e87034f37af8e68b85968b71fc65e60b891697e (tag)
tagging 1d5b155619bc532c46932965b215bd73a920e56f (commit)
replaces tdb-1.4.5
tagged by Stefan Metzmacher
on Mon Jan 24 13:25:10 2022 +0100
- Log -----------------------------------------------------------------
ldb: tag release ldb-2.5.0
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmHumqYACgkQR5ORYRMI
QCXB/gf/WgksmkBsIhXzSraUKKeraOEGLz/YAbG/zpLhVA7diV9B8HCr66f6R5i0
Tq5bUisLi7FrxdgLyqrHBUn00urjzApFmX/gfmyVAIeOuh8JPI5ArsP8DXztQXPD
ukP4G3RmUbs7TLl542xHjWcsm34gOzuzLSowfjtnRwCRaAgJjauAtRkY3z0eSR/r
YFnDXAG91IBxlVIVCdHTahhdigEroDnhhPA9ezea6YQSA8ILnXhZpbKus+sr5/dM
cti5Ytmfp5AkgXJZqChIbkt8L14LefKAnqnFS7Xn7ewfx+YnuoLWMg4B8cbyq4sG
DT+TFH/tYWIaHoHEeFhPbjiLs6hWxQ==
=LxmQ
-----END PGP SIGNATURE-----
Alenka Glukhovskaya (1):
Added russian translate file
Alex Richardson (8):
Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
charset_macosxfs.c: fix compilation on macOS
audit_logging.c: fix compilation on macOS
source3/printing/queue_process.c: fix build on macOS
sec_ctx.c: Fix -Wunused-function warning on macOS
source3/smbd/statcache.c: Fix -Wformat build error on macOS
vfs_preopen.c: Fix -Wformat error on macOS
Fix detection of rpc/xdr.h on macOS
Alexander Bokovoy (2):
CVE-2020-25717: Add FreeIPA domain controller role
IPA DC: add missing checks
Amitay Isaacs (1):
lib/tsocket: Fix build on Freebsd
Andreas Schneider (64):
bootstrap: Install krb5-workstation on Fedora based distros
autobuild: Exclude fips envs from samba and samba-mitkrb5
s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
python:waf: Correctly check for python-dateutil
bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM
distros
lib:cmdline: Use lp_load_global() for servers
selftest: Re-format long lines in selftesthelpers.py
selftest: Add support for setting ENV variables in
plansmbtorture4testsuite()
selftest: Add support for setting ENV variables in plantestsuite()
s3:selftests: Pass env variables to fips tests
s4:selftests: Pass env variables to fips tests
selftest: Pass env variables to fips tests
selftest: Remove fips env variables from client env
auth:gensec: Use lpcfg_weak_crypto()
s4:rpc_server: Allow to set user password in FIPS mode
s4:libnet: Remove trailing whitespaces
s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
netlogon:schannel: If weak crypto is disabled, do not announce RC4
support.
selftest: Fix setting environ for plansmbtorture4testsuite()
s4:selftest: Pass environ to plansmbtorture4testsuite()
s4:torture: Remove trailing whitespaces in rpc.c
s4:torture: Add rpc netlogon fips test
configure: Do not put arguments into double quotes
s3:winbindd: Add a check for the path length of 'winbindd socket
directory'
gitlab: Use shorter names for Samba AD DC env with MIT KRB5
mit-samba: Define debug class for kdb module
mit-samba: Send the logging to the kdc log facility
mit-samba: Use talloc_get_type_abort() instead of casting
mit-samba: Only set the function opening bracket once
s3:winbind: Do not start if the priviliged socket path is too long
s3:winbindd: Pass the right variable to the debug message
lib:replace: Remove trailing spaces from testsuite.c
testsuite: Fix build with gcc >= 11.1.1
selftest: Add python path for compiled python modules like ldb
third_party: Add a script to update waf
third_party: Update waf to version 2.0.22
s3:utils: Fix format error
lib:fuzzing: Fix quoting of --fuzz-target-ldflags
docs-xml: Remove trailing spaces in smb.conf.5.xml
docs-xml: Use /var/tmp for spooling in smb.conf.5
waf: Allow building with MIT KRB5 >= 1.20
Revert "gp: Apply Firewalld Policy"
Revert "gp: Test Firewalld Group Policy Apply"
Revert "gp: Add Firewalld ADMX templates"
testprogs: Use new cmdline option for kerberos
lib:cmdline: Fix -k option which doesn't expect anything
third_party: Update pam_wrapper to version 1.1.4
editorconfig: Heimdal has mixed spaces and tabs with different width
waf: Fix resolv_wrapper with glibc 2.34
gitlab-ci: Add Fedora 35 and drop Fedora 33
CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
CVE-2020-25719 mit-samba: Add ks_free_principal()
CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db
entry
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
CVE-2020-25719 mit-samba: Rework PAC handling in
kdb_samba_db_sign_auth_data()
CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on
the server entry
CVE-2020-25719 mit_samba: Create the talloc context earlier
CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
auth:creds: Remove trailing spaces
auth:creds: Guess the username first via getpwuid(my_id)
docs-xml: Fix smbget manpage
Andrew Bartlett (104):
ktutil: Print the numeric enctype if krb5_enctype_to_string() fails
samba-tool domain backup offline: Use passed in samdb when backing up
sam.ldb
samba-tool: Rework transations/locks to hold a lock during mdb backup
samba-tool domain backup: Use tdbbackup on metadata.tdb
autobuild.py: Explain why each job is removed from the default set
gitlab-ci/autobuild: Add new build confirming behaviour on older MIT
Kerberos
gitlab-ci: Move MIT builds to current Fedora so we can test against a
current MIT KDC
autobuild.py: Do not build MIT builds by default (eg sn-devel)
build: Move minimum MIT krb5 version to 1.19 to align with what is tested
mit-kdc: Remove build time support for KDB_API < 10
selftest: Remove skip of samba4.rpc.unixinfo
selftest: Modernise user_account_control.py tests use a common self.OU
selftest: Use addCleanup rather than tearDown in user_account_control.py
pydsdb: Add API to return strings of known UF_ flags
selftest: Use @DynamicTestCase in user_account_control
test_uac_bits_unrelated_modify()
selftest: Replace internal loop in test_uac_bits_add() using
@DynamicTestClass
selftest: Replace internal loop in test_uac_bits_set() using
@DynamicTestClass
script/autobuild.py: Restore MIT ADDC tests against fl2008*
bootstrap: Update to get newer krb5 on Fedora 34
bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
Update common on currently supported Fedora versions
tests/krb5: Remove harmful and a-typical return in as_req testcase
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
selftest: Only run samba_tool_drs_showrepl test once
dsdb: Be careful to avoid use of the expensive talloc_is_parent()
selftest: Add a test for LookupSids3 and LookupNames4 in python
s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
selftest: Add prefix to new schema attributes to avoid flapping
dsdb_schema_attributes
docs: Ensure to rebuild manpages if samba.entities or samba.version
changes
docs: Document all the other ways to send a password to smbclient et al
docs: Avoid duplicate information on USER and PASSWD, reference the
common section
build: Make Python 3.6 the minimum to build now oss-fuzz is upgraded
heimdal: Remove lex.yy.c file left over from a bug in lexyacc.sh
bootstrap: Remove last references to Ubuntu 16.04
selftest: Update user_account_control tests to pass against Windows 2019
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
.gitlab-ci: Ignore errors from missing source files in code coverage
.gitlab-ci: Allow a 1 hour to build Samba
samldb: Address birthday paradox adding an RODC
selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
selftest: Use self.assertRaisesLdbError() in user_account_control.py test
Release ldb 2.4.1
Release ldb 2.50 for the future samba 4.16 series
.gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
.gitlab-ci.yml: Restore building most of our jobs
.gitlab-ci: Avoid duplicate CI on all merge requests
gitlab-ci: Do not retry for job_execution_timeout
gitlab-ci: Do not download artifacts of unrelated builds
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED
for servers
selftest: Remove duplicate setup of $base_dn and $ldbmodify
selftest: Improve error handling and perl style when setting up users in
Samba4.pm
dsdb: Allow special chars like "@" in samAccountName when generating the
salt
lib/krb5_wrap: Fix missing error check in new salt code
CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
CVE-2020-25722 dsdb: Move krbtgt password setup after the point of
checking if any passwords are changed
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during
LDAP add/modify
CVE-2020-25722 selftest: Extend priv_attrs test - work around
UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a
password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
CVE-2020-25722 selftest: Test combinations of account type and
objectclass for creating a user
CVE-2020-25722 selftest: allow for future failures in
BindTests.test_virtual_email_account_style_bind
CVE-2020-25722 selftest: Catch possible errors in
PasswordSettingsTestCase.test_pso_none_applied()
CVE-2020-25722 selftest: Catch errors from samdb.modify() in
user_account_control tests
CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by
default
CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for
objectclass/doller/UAC
CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and
objectclass.
CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK
(for now)
CVE-2020-25722 selftest: Adapt selftest to restriction on swapping
account types
CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD,
so remove indentation
CVE-2020-25722 dsdb: Add restrictions on computer accounts without a
trailing $
CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new
UF_WORKSTATION_TRUST_ACCOUNT default
CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type
change
CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
CVE-2020-25722 selftest: Adjust sam.py
test_userAccountControl_computer_add_trust to new reality
CVE-2020-25722 selftest: New objects of objectclass=computer are
workstations by default now
CVE-2020-25722 selftest: Adapt sam.py test to
userAccountControl/objectclass restrictions
CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new
default computer behaviour
CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list
of errors to match with
CVE-2020-25722 selftest/user_account_control: Allow a broader set of
possible errors
CVE-2020-25722 selftest/user_account_control: more work to cope with
UAC/objectclass defaults and lock
CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
CVE-2020-25722 Check all elements in acl_check_spn() not just the first
one
CVE-2020-25722 Check for all errors from acl_check_extended_right() in
acl_check_spn()
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a
array of struct dom_sid
CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a
single helper function
CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and
UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the
UF_PARTIAL_SECRETS_ACCOUNT bit
CVE-2020-25718 s4-rpc_server: Provide wrapper
samdb_confirm_rodc_allowed_to_repl_to()
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
CVE-2020-25718 s4-rpc_server: Explain why we use
DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular
ticket
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
CVE-2020-25722 Ensure the structural objectclass cannot be changed
CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in
our domain/realm) unless a DC
Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named
based lookup fails
CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb
filter processing
Andrew Walker (1):
s3:modules:recycle - fix crash in recycle_unlink_internal
Bjoern Jacke (1):
util_sock: fix assignment of sa_socklen
Björn Jacke (3):
ntvfs: add missing COM/LPT ports that are also reserved names
mangle_hash2: add missing COM/LPT ports that are also reserved names
mangle_hash2: remove LOCK$ from list of reserved names
Christof Schmitt (30):
smbd: Update comment explaining streams and file-system sharemodes
vfs_gpfs: Update comment in vfs_gpfs_kernel_flock
vfs_gpfs: Remove call to kernel_flock
vfs_default: Return ENOTSUP for sharemodes flock call
system: Remove kernel_flock
wscript: Remove config check for LOCK_MAND
loadparm: Set default of "kernel share modes" to "no"
docs-xml: Update manpage for "kernel share modes" option
WHATSNEW: Document changes for "kernel share modes"
profile: Remove syscall_kernel_flock profiling
VFS: Rename kernel_flock to filesystem_sharemode
VFS: Increase VFS version for renamed function
examples/VFS/skel_transparent: Rename kernel_flock to filesystem_sharemode
examples/VFS/skel_opaque: Rename kernel_flock to filesystem_sharemode
s3: Remove definition of removed kernel_flock function
vfs_full_audit: Rename kernel_flock to filesystem_sharemode
docs-xml: Update vfs_full_audit manpage for renamed function
vfs_ceph: Rename kernel_flock to filesystem_sharemode
vfs_glusterfs: Rename kernel_flock to filesystem_sharemode
vfs_time_audit: Rename kernel_flock to filesystem_sharemode
vfs_time_audit: Fix message for fcntl VFS call
vfs_gpfs: Rename kernel_flock to filesystem_sharemode
vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode
vfs_default: Rename kernel_flock to filesystem_sharemode
vfs_catia: Rename kernel_flock to filesystem_sharemode
VFS: Update tracking documents for renamed function
smbd: Update comment for durable handles
smbd: Rename return variable for requesting filesystem sharemode
smbd: Remove return variable for releasing filesystem sharemode
smbd: Update debug messages for failed sharemode release
David Disseldorp (1):
smbd: check lp_load_printers before reload via NetShareEnum
David Gajewski (1):
s3: VFS: solarisacl: Fix compile error (missed variable rename).
David Mulder (23):
gpo: Ensure Network Device Enrollment Service if sscep fails
gpo: Warn when fetching the supported templates fails
gpo: Improve debug when extension fails to apply
gpo: Enable user policy application
gpo: Enable Scripts ADMX for User Policy
gpo: Test Group Policy User Scripts
gpo: Apply Group Policy User Scripts
gpo: Ignore symlink failure on sscep renew
gpo: Decode the bytes for cepces-submit failure
gpo: Print getcert message to debug
gpo: Test Group Policy Firefox Extension
gpo: Add Group Policy Firefox Extension
gpo: Test Chromium Group Policy
gpo: Add Chromium Group Policy
gp: Add Firewalld ADMX templates
gp: Test Firewalld Group Policy Apply
gp: Apply Firewalld Policy
samba-tool: Pick local host if calling samba-tool from DC
Revert "samba-tool: Pick local host if calling samba-tool from DC"
gp: Add Firewalld ADMX templates
gp: Test Firewalld Group Policy Apply
gp: Apply Firewalld Policy
samba-tool: Add domain member leave
Douglas Bagnall (53):
pytest/rodc_rwdc: try to avoid race.
pytest: dynamic tests optionally add __doc__
pytest: s3_net_join: avoid name clash
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're
lazy
CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
CVE-2020-25722 samba-tool spn: accept -H for database url
CVE-2020-25722 samba-tool spn add: remove --force option
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
CVE-2020-25722 s4/provision: add host/ SPNs at the start
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses
samldb_get_single_valued_attr()
CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all
values
CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check
all values
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks
all values
CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks
all values
CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all
values
CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change()
checks all values
CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add
final value
CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all
values
CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all
values
CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change
checks values
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one
value
CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
pytests: check that we don't have bad format characters
test/bad_chars: ensure our tests could fail
s3/modules/vfs_acl_common.h: use utf-8
test/blackbox/test_samba-tool_ntacl: use utf-8
s4/auth/gensec/gensec_krb5_heimdal: use utf-8
lib/replace/timegm: use utf-8
third_party: remove pep8
pytest/source_chars: forget thirdparty/pep8 test file
third_party/update: forget pep8
py/dnsserver: add missing imports
py/dnsserver: add a missing exception variable
pytest/dns_aging: use correct variable names
pytest/dns_aging: remove duplicate tests
pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
pytest/docs: better spelling of set_smbconf_arbitrary
Gary Lockyer (1):
initial FAST tests
Günther Deschner (3):
s3-torture: give torture test binaries their own wscript_build
s3-torture: Only install vfstest manpage when vfstest binary gets
installed.
s3-winexe: Fix winexe core dump (use-after-free)
Isaac Boukris (4):
kdc: remove KRB5SignedPath, to be replaced with PAC
kdc: sign ticket using Windows PAC
krb5: allow NULL parameter to krb5_pac_free()
krb5: rework PAC validation loop
Jeremy Allison (67):
s3: smbd: Allow async dosmode to cope with ".." pathnames where we close
smb_fname->fsp to prevent meta-data leakage.
s3: smbd: Don't leak meta-data about the containing directory of the
share root.
s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in
this case.
s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file.
s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code.
s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get
FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
s4: torture: Add test for smb2.ioctl.bug14769.
s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs
to the aio list on the file handle.
s3: selftest: Add a test for vfs_streams_depot with the target path
outside of the share.
s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute
stream rootdir into a function.
s3: VFS: streams_depot: Allow "streams directory" outside of share path
to work again.
s3: smbd: Ensure all returns from OpenDir() correctly set errno.
s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx
destructor.
s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated
pointer on error.
s4: ntvfs: Missed comma in 24c09f913d82528ada14013e3d673d277cf04a93,
string would be concatenated.
s3: smbd: Add fifo test for the DISABLE_OPATH case.
s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
s3: auth: Andrew noticed f585f01148ab2d8f84c96b12e018742f5f17bcb0 doesn't
keep the same logic.
s4: process_prefork: Make prefork_restart() use an asynchronous timer
event instead of calling sleep(X).
s3: selftest: Add regression test to show the $cwd cache is misbehaving
when we connect as a different user on a share.
s3: smbd: Ensure when we change security context we delete any $cwd cache.
s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for
getting/setting ZFS ACLs.
s3: smbspool. Remove last use of 'extern char **environ;'.
s3: smbd: Add two tests showing recursive directory delete of a directory
containing veto file and msdfs links over SMB2.
s3: smbd: Fix recursive directory delete of a directory containing veto
file and msdfs links.
s3: smbd: Add two tests showing the ability to delete a directory
containing a dangling symlink over SMB2 depends on "delete veto files" setting.
s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
s3: smbd: Fix rmdir_internals() to do an early return if
lp_delete_veto_files() is not set.
s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling
symlinks.
s3: docs-xml: Clarify the "delete veto files" paramter.
s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
s3: smbtorture3: Add test for setting delete on close on a directory,
then creating a file within to see if delete succeeds.
s3: smbd: Ensure in the directory scanning loops inside rmdir_internals()
we don't overwrite the 'ret' variable.
s3: smbd: get_real_filename() is actually static to filename.c
s3: smbd: Add ucf_flags parameter to normalize_filename_case().
s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.
s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state
struct.
s3: smbd: Use state->case_sensitive instead of
state->conn->case_sensitive.
s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.
s3: smbd: Use state->short_case_preserve instead of
state->conn->short_case_preserve.
s3: smbd: Turn on case sensitivity for a posix filename lookup.
s3: smbd: Add comment to unix_convert() explaining why posix never calls
into mangle_is_mangled() here.
s3: smbd: In unix_convert_step_search_fail() ensure posix names don't
call into name mangling functions.
s3: smbd: In unix_convert() component_was_mangled is always false for
posix.
s3: smbd: Add 'bool case_sensitive' to struct smbd_dirptr_lanman2_state.
s3: smbd: Use state->case_sensitive instead of
state->conn->case_sensitive.
s3: smbd: Add case_sensitive to struct smb_Dir.
s3: smbd: Use dir_hnd->case_sensitive instead of conn->case_sensitive.
s3: smbd: In OpenDir_fsp(), set dir_hnd->case_sensitive to true if
FSP_POSIX_FLAGS_OPEN is set.
s3: smbd: Add dptr_case_sensitive(). Not yet used.
s3: smbd: Use dptr_case_sensitive() in directory listing code.
s3: smbd: In open_file(), use a helper variable instead of always
checking sp->posix_flags & FSP_POSIX_FLAGS_OPEN.
s3: smbd: In open_file() use the helper variable to select correct
case_sensitive setting to is_in_path().
s3: smbd: Use a helper variable in smbd_smb2_query_directory_send().
s3: smbd: Add and use case_sensitive helper variable to
unlink_internals().
s3: smbd: Add and use helper variables case_sensitive, case_preserve in
rename_internals_fsp().
s3: smbd: Add and use helper variable posix_pathname in
rename_internals().
s3: smbd: Ensure we never call mangle_is_mangled() for a posix path.
s3: smbd: Add and use helper variables for case_sensitive, case_preserve,
short_case_preserve to rename_internals().
s3: smbd: In SMB1 reply_copy(), make req->posix_pathnames a helper
variable.
s3: smbd: SMB1 reply_copy(). Posix pathnames should never call into
mangle_is_mangled().
s3: smbd: SMB1 reply_copy(). Posix pathnames always means case_sensitive
= true.
s3: smbd: In unlink_internals() ensure we never call mangle_is_mangled
for a posix path.
s3: smbd: In SMB1 call_trans2findnext() add and use a helper variable to
ensure we don't call mangle_is_mangled() with a posix name.
Joseph Sutton (309):
pygensec: Fix memory leaks
pygensec: Don't modify Python bytes objects
tests/krb5: Fix ms_kile_client_principal_lookup_test errors
tests/krb5: Fix comment typo
tests/krb5: Fix method name typo
tests/krb5: formatting
tests/krb5: Remove unneeded statements
tests/krb5: Use more compact dict lookup
tests/krb5: Simplify Python syntax
tests/krb5: Remove magic constants
tests/krb5: Fix including enc-authorization-data
tests/krb5: Fix callback_dict parameter
tests/krb5: Fix encpart_decryption_key with MIT KDC
tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
tests/krb5: Check Kerberos protocol version number
tests/krb5: Use credentials kvno when creating password key
tests/krb5: Allow cf2 to automatically use the enctype of the first key
tests/krb5: Refactor get_pa_data()
tests/krb5: Add get_enc_timestamp_pa_data_from_key()
tests/krb5: Add method to return dict containing padata elements
tests/krb5: Make _test_as_exchange() return value more consistent
tests/krb5: Add get_EpochFromKerberosTime()
tests/krb5: Use encryption with admin credentials
tests/krb5: Allow specifying additional details when creating an account
tests/krb5: Add more methods for obtaining machine and service credentials
tests/krb5: Add method to calculate account salt
tests/krb5: Add check_reply() method to check for AS or TGS reply
tests/krb5: Always specify expected error code
tests/krb5: Include kdc_options in kdc_exchange_dict
tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
tests/krb5: Ensure in assertElementPresent() that container elements are
not empty
tests/krb5: Assert that more variables are not None
tests/krb5: Check version number of obtained ticket
tests/krb5: Make checking less strict
tests/krb5: Check nonce in EncKDCRepPart
tests/krb5: Add generate_ap_req() method
tests/krb5: Ensure generated padata is not None
tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
tests/krb5: Add more ASN1 definitions for FAST
tests/krb5: Add more methods to create ASN1 objects for FAST
tests/krb5: Add method to generate FAST encrypted challenge padata
tests/krb5: Add methods to calculate keys for FAST
tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
tests/krb5: Allow specifying parameters specific to the outer request body
tests/krb5: Add method to check PA-FX-FAST-REPLY
tests/krb5: Add method to verify ticket checksum for FAST
tests/krb5: Check FAST response
tests/krb5: Add functions to get dicts of request padata
tests/krb5: Add methods to determine whether elements were included in
the request
tests/krb5: Check encrypted-pa-data
tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
tests/krb5: Include authdata in kdc_exchange_dict
tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
tests/krb5: Add check_rep_padata() method to check padata in reply
tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
tests/krb5: Remove unused variables
tests/krb5: Add get_krbtgt_sname() method
tests/krb5: Check sname is krbtgt for FAST generic error
tests/krb5: Check reply FAST padata if request included FAST
tests/krb5: Adjust reply padata checking depending on whether FAST was
sent
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
tests/krb5: Check PADATA-FX-COOKIE in reply
tests/krb5: Make check_rep_padata() also work for checking TGS replies
tests/krb5: Make generic_check_kdc_error() also work for checking TGS
replies
tests/krb5: Check PADATA-PAC-OPTIONS in reply
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
tests/krb5: Check PADATA-FX-ERROR in reply
tests/krb5: Add FAST tests
tests/krb5: Make e-data checking less strict
tests/krb5: Make cname checking less strict
tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
tests/krb5: Check e-data element for TGS-REP errors without FAST
tests/krb5: Check PADATA-PW-SALT element in e-data
tests/krb5: Add tests for omitting sname in request
tests/krb5: Allow specifying parameters specific to the inner FAST
request body
tests/krb5: Add tests for omitting sname in inner request
tests/krb5: Allow expected_error_mode to be a container type
dsdb/samdb/ldb_modules: Use correct member of union
s4/dnsserver: Don't call memcpy() with a NULL pointer
s4/dnsserver: Fix NULL check
libcli/smb: Don't call memcpy() with a NULL pointer
python: Fix usage strings
Fix Python docstrings
krb5pac.idl: Add ticket checksum PAC buffer type
security.idl: Add well-known SIDs for FAST
tests/krb5: Calculate expected salt if not given explicitly
tests/krb5: Add methods to obtain the length of checksum types
tests/krb5: Use signed integers to represent key version numbers in ASN.1
tests/krb5: Add KDCOptions flag for constrained delegation
tests/krb5: Use more compact dict lookup
tests/krb5: Replace expected_cname_private with expected_anon parameter
tests/krb5: Allow specifying an OU to create accounts in
tests/krb5: Allow specifying additional User Account Control flags for
account
tests/krb5: Keep track of account DN in credentials object
tests/krb5: Move padata generation methods to base class
tests/krb5: add options to kdc_exchange_dict to specify including
PAC-REQUEST or PAC-OPTIONS
tests/krb5: Don't create PAC request manually in as_req_tests
tests/krb5: Don't create PAC request or options manually in fast_tests
tests/krb5: Remove magic constants
tests/krb5: Allow specifying ticket flags expected to be set or reset
tests/krb5: Make time assertion less strict
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
tests/krb5: Check for presence of 'renew-till' element
tests/krb5: Check 'caddr' element
tests/krb5: Check for presence of 'key-expiration' element
tests/krb5: Create testing accounts in appropriate containers
tests/krb5: Allow specifying status code to be checked
tests/krb5: Get expected cname from TGT for TGS-REQ messages
tests/krb5: Get encpart decryption key from kdc_exchange_dict
tests/krb5: Add get_cached_creds() method to create persistent accounts
for testing
tests/krb5: Generate padata for FAST tests
pytest:segfault: Add test for ldb.msg_diff()
ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
pyldb: Avoid use-after-free in msg_diff()
tests/krb5: Sign-extend kvno from 32-bit integer
tests/krb5: Add method to get RODC krbtgt credentials
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
tests/krb5: Allow replicating accounts to the RODC
tests/krb5: Create RODC account for testing
tests/krb5: Allow replicating accounts to the created RODC
python: Don't leak file handles
python/join: Check for correct msDS-KrbTgtLink attribute
tests/krb5: Add helper method for modifying PACs
tests/krb5: Check correct flags element
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
tests/krb5: Allow tgs_req() to send additional padata
tests/krb5: Allow tgs_req() to specify different kdc-options
tests/krb5: Allow tgs_req() to send requests to the RODC
tests/krb5: Allow as_req() to specify different kdc-options
tests/krb5: Use PAC buffer type constants from krb5pac.idl
tests/krb5: Don't manually create PAC request and options in fast_tests
tests/krb5: Set DN of created accounts to ldb.Dn type
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
tests/krb5: Allow get_tgt() to get tickets from the RODC
tests/krb5: Allow get_tgt() to specify different kdc-options
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
tests/krb5: Cache obtained tickets
tests/krb5: Add methods for creating zeroed checksums and verifying
checksums
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
tests/krb5: Add method to verify ticket PAC checksums
tests/krb5: Add method for modifying a ticket and creating PAC checksums
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
tests/krb5: Make get_default_enctypes() return a set of enctype constants
tests/krb5: Add methods to convert between enctypes and bitfields
tests/krb5: Get supported enctypes for credentials from database
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
tests/krb5: Set key version number for all accounts created with
create_account()
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
tests/krb5: Add method to get DC credentials
tests/krb5: Fix checking for presence of authorization data
tests/krb5: Provide ticket enc-part key to tgs_req()
tests/krb5: Simplify account creation
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
tests/krb5: Verify checksums of tickets obtained from the KDC
tests/krb5: Add method to determine if principal is krbtgt
tests/krb5: Add classes for testing invalid checksums
pytest:segfault: Add test for deleting an ldb.Message dn
pyldb: Fix deleting an ldb.Message dn
pytest:segfault: Add test for deleting an ldb.Control critical flag
pyldb: Fix deleting an ldb.Control critical flag
s4/torture/drs/python: Fix attribute existence check
pyldb: Add test for an invalid ldb.Message index type
pyldb: Raise TypeError for an invalid ldb.Message index
pyldb: Add tests for ldb.Message containment testing
pyldb: Make ldb.Message containment testing consistent with indexing
.gitlab-ci: Increase build timeout
tests/krb5: Rename method parameter
tests/krb5: Remove unused parameter
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
tests/krb5: Fix PA-PAC-OPTIONS checking
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
tests/krb5: Allow created accounts to use resource-based constrained
delegation
tests/krb5: Add assertion to make failures clearer
tests/krb5: Introduce helper method for creating invalid length checksums
tests/krb5: Fix method for creating invalid length zeroed checksum
tests/krb5: Fix checksum generation and verification
tests/krb5: Allow excluding the PAC server checksum
tests/krb5: Fix handling authdata with missing PAC
tests/krb5: Fix status code checking
tests/krb5: Make expected_sname checking more explicit
tests/krb5: Fix assertElementFlags()
tests/krb5: Remove unneeded parameters from ticket cache key
tests/krb5: Fix checking for presence of error data
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
heimdal:kdc: Only check for default salt for des-cbc-crc enctype
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
tests/krb5: Check constrained delegation PAC buffer
tests/krb5: Save account SPN
tests/krb5: Allow specifying options and expected flags when obtaining a
ticket
tests/krb5: Supply supported account enctypes in tgs_req()
tests/krb5: Add parameter to enforce presence of ticket checksums
tests/krb5: Add compatability tests for ticket checksums
tests/krb5: Use correct principal name type
tests/krb5: Clarify checksum type assertion message
tests/krb5: Fix padata checking at functional level 2003
tests/krb5: Add environment variable to specify KDC FAST support
tests/krb5: Check padata types when STRICT_CHECKING=0
tests/krb5: Check logon name in PAC
tests/krb5: Simplify padata checking
tests/krb5: Disable debugging output for tests
tests/krb5: Provide clearer assertion messages for test failures
tests/krb5: Fix sha1 checksum type
selftest/dbcheck: Fix up RODC one-way links
tests/krb5: Add TKT_SIG_SUPPORT environment variable
tests/krb5: Require ticket checksums if decryption key is available
tests/krb5: Verify tickets obtained with get_service_ticket()
tests/krb5: Add constrained delegation tests
tests/krb5: Don't include empty AD-IF-RELEVANT
tests/krb5: Allow bypassing cache when creating accounts
tests/krb5: Fix duplicate account creation
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as
parameter
s4:kdc: Fix debugging messages
s4/torture: Expect ticket checksum PAC buffer
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
s4:kdc: Check ticket signature
heimdal:kdc: Fix ticket signing without a PAC
tests/krb5: Allow get_tgt() to request including or omitting a PAC
tests/krb5: Allow specifying whether to expect a PAC with
_test_as_exchange()
tests/krb5: Add method to get the PAC from a ticket
tests/krb5: Add tests for requesting a service ticket without a PAC
tests/krb5: Ensure PAC is not present if expect_pac is false
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED
service
selftest: Increase account lockout windows to make test more realiable
selftest: krb5 account creation: clarify account type as an enum
tests/krb5: Decrease length of test account prefix
tests/krb5: Allow specifying prefix or suffix for test account names
tests/krb5: Allow creating machine accounts without a trailing dollar
tests/krb5: Allow specifying the UPN for test accounts
tests/krb5: Fix account salt calculation to match Windows
tests/krb5: Add tests for account salt calculation
tests/krb5: Check account name and SID in PAC for S4U tests
CVE-2020-25722 dsdb: Add tests for modifying objectClass,
userAccountControl and sAMAccountName
CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to
use _generic_kdc_exchange()
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to
get_service_ticket()
CVE-2020-25722 tests/krb5: Allow creating server accounts
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
CVE-2020-25719 tests/krb5: Add method to get unique username for test
accounts
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature
checksum type is wrong
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor
create_ccache_with_user() to take credentials of target service
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user()
to return a ticket without a PAC
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request
without a PAC
CVE-2020-25719 tests/krb5: Add principal aliasing test
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC
buffer
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting
without a PAC to new error codes
CVE-2020-25722 Add test for SPN deletion followed by addition
CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass
restrictions
CVE-2020-25718 tests/krb5: Fix indentation
CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs
in get_tgt()
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is
not present
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new
PAC_ATTRIBUTES_INFO buffer
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user
tests
CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for
S4U2Self no-PAC tests
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more
modifications to tickets
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already
obtained tickets
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC
buffer
CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC
buffer
CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect
pac from all TGS tickets
CVE-2020-25719 tests/krb5: Add expected parameters to cache key for
obtaining tickets
CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
CVE-2020-25719 tests/krb5: Add tests for mismatched names with
user-to-user
CVE-2020-25719 s4/torture: Expect additional PAC buffers
CVE-2020-25722 pytest: Raise an error when adding a dynamic test that
would overwrite an existing test
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
CVE-2020-25719 heimdal:kdc: Require authdata to be present
CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
CVE-2020-25719 heimdal:kdc: Check return code
CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype
selection
CVE-2020-25719 heimdal:kdc: Use sname from request rather than
user-to-user TGT client name
CVE-2020-25719 heimdal:kdc: Check name in request against name in
user-to-user TGT
CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user
authentication
CVE-2020-25719 heimdal:kdc: Require PAC to be present
CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when
necessary
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed
account
CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users
not revealed to an RODC
CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on
an add operation
CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames
is not bypassed for an add operation
CVE-2020-25717: tests/krb5: Add method to automatically obtain server
credentials
CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room
for new accounts
CVE-2020-25717: selftest: turn ad_member_no_nss_wb into
ad_member_idmap_nss
CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
CVE-2021-3670 ldap_server: Set timeout on requests based on
MaxQueryDuration
CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater
than zero
Luke Howard (6):
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
kdc: use ticket client name when signing PAC
kdc: correctly generate PAC TGS signature
Martin Schwenke (37):
ctdb-recoverd: Add a helper variable
ctdb-recoverd: Update the local node map before pushing out flags
ctdb-recoverd: Push flags for a node if any remote node disagrees
ctdb-protocol: Add new controls to disable and enable nodes
ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
ctdb-daemon: Add a helper variable
ctdb-daemon: Factor out a function to get node structure from PNN
ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
ctdb-client: Add client code for disable/enable controls
ctdb-tools: Use disable and enable controls in tool
ctdb-daemon: Correct the condition for logging unchanged flags
ctdb-daemon: Update logging for flag changes
ctdb-daemon: Modernise remaining debug macro in this function
ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
ctdb-daemon: Simplify ctdb_control_modflags()
ctdb-daemon: Ignore flag changes for disconnected nodes
ctdb-daemon: Don't mark a node as unhealthy when connecting to it
ctdb-tests: Fix typo in ctdb stub comment matching
ctdb-tests: Drop unused function ctdb_get_all_public_addresses()
debug: Move header_str and hs_len to state
debug: Add a level of indirection to ring buffer logging
debug: Factor out function copy_no_nl()
debug: Avoid debug header being separated from debug text
debug: Add length argument to Debug1()
debug: Push message length argument down to backend log functions
debug: Rename variable for consistency
debug: Optimise construction of header_str_no_nl
debug: Optimise to avoid walking the header string
debug: Optimise early return when header string buffer is full
debug: Move msg_no_nl to state
debug: Optimise construction of msg_no_nl
bootstrap: Add Debian 11
bootstrap: Debian 11 has liburing-dev
debug: Add debug_syslog_format setting
debug: Add new smb.conf option "debug syslog format"
Matthew Grant (4):
libcli/dns: dns forwarder port doc changes
lib/tsocket: new function to parse host port strs.
libcli/dns: smb.conf dns forwarder port support
libcli/dns.c: dns forwarder port test changes
Michael Adam (1):
lib:cmdline: fix a comment
Nadezhda Ivanova (2):
CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to
attribute
CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the
Applies-to attribute
Nicolas Williams (1):
krb5: Fix PAC signature leak affecting KDC
Noel Power (1):
s4: torture: CHECK ret value and fail if false
Pavel Filipenský (4):
krb5_wrap: remove unused code
s3:winbindd: Fix winbindd child logfile name handling
docs-xml: Update winbindd(8) manpage
s3:librpc: Improve calling of krb5_kt_end_seq_get()
Ralph Boehme (101):
smbd: drop requirement for full open for READ_CONTROL_ACCESS,
WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
smbd: only open full fd for directories if needed
selftest: add a test for the "deadtime" parameter
s3/rpc_server: track the number of policy handles with a talloc destructor
libreplace: properly give headers to conf.CHECK_CODE when checking for
copy_file_range_syscall
libreplace: properly execute SYS_copy_file_range check
vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range()
libreplace: remove now unused USE_COPY_FILE_RANGE define
s3/lib/dbwrap: check if global_messaging_context() succeeded
registry: check for running as root in clustering mode
smbd: avoid calling creating a pathref in smb_set_file_dosmode()
vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module
initialization code
vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref
handles
vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
vfs_gpfs: add sys_proc_fd_path() fallback to
vfs_gpfs_fset_dos_attributes()
vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes()
vfs_gpfs: pass fsp to smbd_gpfs_set_times()
vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes()
lib/gpfswrap: add gpfs_set_times_path() wrapper
vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times()
winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
winbind: ensure wb_parent_idmap_setup_send() gets called in
winbindd_allocate_uid_send()
lib/cmdline: add POPT_COMMON_DAEMON daemon popt options
lib/cmdline: restore pre-4.15 logging behaviour for daemons
smbd: use POPT_COMMON_DAEMON
nmbd: use POPT_COMMON_DAEMON
winbindd: use POPT_COMMON_DAEMON
s4/samba: POPT_COMMON_DAEMON
lib/replace: drop runtime copy_file_range() check
selftest: fix ---configfile option
manpages: remove duplicate options from smbclient
lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from
4.14
selftest: remove unsupported smbcacls option --get
texpect: don't ignore unknown options
smbstatus: don't ignore unknown options
s4/smbclient: don't ignore unknown options
nmblookup: don't ignore unknown options
source3/lib/smbconf: don't ignore unknown options
s3/param: don't ignore unknown options
rpcclient: don't ignore unknown options
pdbtest: don't ignore unknown options
vfstest: don't ignore unknown options
s3/async-tracker: don't ignore unknown options
log2pcaphex: don't ignore unknown options
mvxattr: don't ignore unknown options
nmblookup: don't ignore unknown options
ntlm_auth: don't ignore unknown options
pdbedit: don't ignore unknown options
profiles: don't ignore unknown options
regedit: don't ignore unknown options
sharesec: don't ignore unknown options
smbcacls: don't ignore unknown options
smbcquotas: don't ignore unknown options
smbget: don't ignore unknown options
smbtree: don't ignore unknown options
split_tokens: don't ignore unknown options
testparm: don't ignore unknown options
s4/cifsdd: don't ignore unknown options
s4/regdiff: don't ignore unknown options
s4/regpatch: don't ignore unknown options
s4/regshell: don't ignore unknown options
s4/regtree: don't ignore unknown options
s4/torture/gentest: don't ignore unknown options
s4/torture/locktest: don't ignore unknown options
s4/torture/masktest: don't ignore unknown options
vfs_btrfs: fix btrfs_fget_compression()
smbd: fix "ea support = no"
registry: skip root check when running with uid-wrapper enabled
idl: declare token array of storage_offload_token as in-line
vfs: Add flags and xferlen args to SMB_VFS_OFFLOAD_READ_RECV
lib: add sys_block_align[_truncate]()
vfs: add and use a few SMB_VFS_ODX defines
ctdb-scripts: filter out comments in public_addresses file
ctdb-tests: add a comment to the generated public_addresses file used by
eventscript UNIT tests
selftest: add a test ignored spotlight/elasticsearch mapping failures
mdssvc: prepare for ignore attribute and type mapping errors
mdssvc: add options to allow ignoring attribute and type mapping errors
docs: document new Spotlight Elasticsearch options
lib: add NTTIME_THAW
lib: fix null_nttime() tests
lib: use NTTIME_FREEZE in a null_nttime() test
lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
lib: add a test for null_nttime(NTTIME_THAW)
torture: add a test for NTTIME_FREEZE and NTTIME_THAW
lib: handle NTTIME_THAW in nt_time_to_full_timespec()
vfs_fruit: remove a fsp check from ad_fset()
smbd: early out in is_visible_fsp()
CI: add a test for bug 14882
lib/dbwrap: reset deleted record to tdb_null
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
source3: move lib/substitute.c functions out of proto.h
samba-bgqd: fix startup and logging
winbindd: remove is_default_dyn_LOGFILEBASE() logic
lib/debug: fix fd check before dup'ing to stderr
lib/debug: in debug_set_logfile() call reopen_logs_internal()
lib/cmdline: fix indentation
lib/cmdline: remember config_type in samba_cmdline_init()
lib/cmdline: setup default file logging for servers
smbd: get rid of get_file_handle_for_metadata()
Samuel Cabrero (8):
s3: rpc_server: Avoid creating new handles when received an empty
policy_handle
pidl:NDR/ServerCompat.pm: Do not register disabled services
librpc:core: Add a function to register an interface passing the binding
handle
s3:rpc_server: Do not use the default ncalrpc endpoint for external
services
CVE-2020-25717: loadparm: Add new parameter "min domain uid"
CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
CVE-2020-25717: selftest: Add a test for the new 'min domain uid'
parameter
CVE-2020-25717: s3:auth: Check minimum domain uid
Stefan Metzmacher (68):
gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
s4:torture/smb2: add tests to check all signing and encryption algorithms
s3:smbd: really support AES-256* in the server
winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
s3:libsmb: start encryption as soon as possible after the session setup
s3:libsmb: close the temporary IPC$ connection in cli_full_connection()
wafsamba: add support git worktree to vcs_dir_contents()
script/bisect-test.py: add support git worktree
wscript: fix installing pre-commit with 'git worktree'
wafsamba: always generate compile_commands.json again, but only when the
samba dependencies changed
vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
docs-xml: use upper case for "{client,server} smb3 {signing,encryption}
algorithms" values
lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by
ntlm_auth
smbclient: don't ignore unknown options
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing
algorithms
netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't
ignore result
selftest/Samba3: remove unused close(USERMAP); calls
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with
(winbindd => "offline")
s3/libsmb: check for global parametric option "libsmb:client_guid"
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to
services anonymously and without a PAC
CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac"
settings
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative
= true
CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to
r->out.authoritative = true
CVE-2020-25717: s4:torture: start with authoritative = 1
CVE-2020-25717: s4:smb_server: start with authoritative = 1
CVE-2020-25717: s4:auth_simple: start with authoritative = 1
CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
CVE-2020-25717: s3:torture: start with authoritative = 1
CVE-2020-25717: s3:rpcclient: start with authoritative = 1
CVE-2020-25717: s3:auth: start with authoritative = 1
CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward
the low level errors
CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
CVE-2020-25717: s3:auth: no longer let check_account() autocreate local
users
CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to
is_allowed_domain()
CVE-2020-25717: s3:auth: don't let create_local_token depend on
!winbind_ping()
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in
domain mode (DC or member)
CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused
auth_generate_session_info_principal()
CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
ntlm_auth_generate_session_info_pac()
CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac()
base the name on the PAC LOGON_INFO only
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate
everything to make_server_info_wbcAuthUserInfo()
CVE-2020-25717: selftest: configure 'ktest' env with winbindd and
idmap_autorid
CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a
PAC in standalone mode
CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by
removing the unused logon_info argument
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing
unused arguments
CVE-2020-25722 pytests: Give computer accounts unique (and valid)
sAMAccountNames and SPNs
CVE-2021-23192: dcesrv_core: add better debugging to
dcesrv_fault_disconnect()
CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips
DCERPC_PFC_FLAG_DID_NOT_EXECUTE
CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into
assertNotEqual()
CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use
g_auth_level in all places
CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
CVE-2021-23192: python/tests/dcerpc: add tests to check how security
contexts relate to fragmented requests
CVE-2021-23192: dcesrv_core: only the first fragment specifies the
auth_contexts
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego
authentication if we require kerberos
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if
we require kerberos
CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware
dcesrv_samdb_connect_as_{system,user}() helpers
CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware
dcesrv_samdb_connect_as_*() helpers
CVE-2021-3738 s4:rpc_server/dnsserver: make use of
dcesrv_samdb_connect_as_user() helper
CVE-2021-3738 s4:rpc_server/lsa: make use of
dcesrv_samdb_connect_as_user() helper
CVE-2021-3738 s4:rpc_server/netlogon: make use of
dcesrv_samdb_connect_as_*() helper
CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*()
helper
s3:winbindd: fix "allow trusted domains = no" regression
CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the
configured domain
Uri Simchoni (11):
fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04
configure: allow configure script to accept parameters with spaces
fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era
fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04
fuzzing/oss-fuzz: strip RUNPATH from dependencies
gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image
selftest: add a unit test for tsocket_address_inet_from_strings
tsocket: set errno on some failures of tsocket_address_inet_from_strings
WHATSNEW: document dns forwarder change
selftest: add more tests for test_address_inet_from_strings
selftest: test tsocket_address_inet_from_hostport_strings
Viktor Dukhovni (1):
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Volker Lendecke (145):
samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
docs: Add vfs_expand_msdfs manpage
rpcclient: Align integer types
lib: Fix a potential error path memleak
lib;smbd: Fix the -Os build by initializing variables
samdb: Fix an uninitialized variable read
net3: Save a few lines with any_nt_status_not_ok()
net3: Simplify name_to_sid(): dom_sid_parse checks for "S-" prefix
net: Align some integer types
libnetapi: Save lines with any_nt_status_not_ok()
rpc_client: Simplify rpc_pipe_bind_step_one_done()
rpc_client: Replace ZERO_STRUCTP with struct assignment
rpc_client: Simplify create_rpc_bind_req()
rpc_client: Save 65 .text bytes with -Os
rpc_client: Avoid two casts with proper printf specifiers
lib: Use TALLOC_FREE() in data_blob_free()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_chmod_ctx()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_open_ctx()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_read_ctx()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_splice_ctx()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_attr_server()
libsmbclient: Avoid a call to SMBC_errno() in SMBC_notify_ctx()
net: Use dbwrap_do_locked() in wipedbs_delete_records()
smbd: Fix fetch_share_mode_send() error return
smbd: Simplify mark_share_mode_disconnected()
librpc: Simplify GUID_zero() with a direct struct return
librpc: Simplify GUID_string2() by using GUID_buf_string()
librpc: Simplify GUID_hexstring()
rpc_server: Simplify open_np_file()
rpc_server: Slightly simplify set_user_info_21()
rpc_server: Slightly simplify set_user_info_18()
rpc_server: Remove an unused function declaration
rpc_server: Align integer types
rpc_server: Simplify _samr_CreateUser2()
rpc_server: Fix a comment
lib: Improve comment wording
rpc_client: Slightly simplify rpc_transport_np_init_pipe_open()
libsmb: Fix a typo
rpc_client: Fix a small memleak
rpc_client: Early TALLOC_FREE() in prepare_verification_trailer()
rpc_client: Slightly simplify rpc_api_pipe_req_send()
rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions
rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer()
rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions
rpc_client: Use struct init/assignment
rpc_client: Use ndr_syntax_id_equal() in check_bind_response()
rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions
rpc_client: Adapt rpc_write_send() to tevent_req conventions
winbind: Remove an unused include
rpc_client: Simplify rpccli_bh_disconnect_recv()
rpc_client: Use tevent_req_nterror() properly
rpc_client: Avoid casts
rpc_client: Simplify rpc_api_pipe_auth3_done()
rpc_client: Simplify get_complete_frag_got_rest()
rpc_client: Simplify get_complete_frag_got_header()
rpc_client: Simplify get_complete_frag_got_header()
rpc_client: Simplify get_complete_frag_send()
torture: Remove rpc_open_tcp test program
rpc_client: Make rpc_pipe_open_tcp() static
rpc_client: Use tevent_req_nterror() properly in cli_api_pipe
rpc_client: Align cli_api_pipe_send() with tevent_req() conventions
winbindd: NULL-initialize a pointer
rpcclient: Add unixinfo commands
rpc_server3: Include the right "dcerpc.h" from a SAMBA_SUBSYSTEM
auth: Simplify is_our_machine_account()
auth: Fix a typo
samba-tool: Fix a typo
samba_dnsupdate: Fix deprecation warnings
smbtorture: Fix epmapper.Map_full test
debug: Remove "override_logfile"
lib: Simplify sid_linearize()
samba-bgqd: Enable smbcontrol pool-usage
rpc_server4: Fix a typo
winbind: Fix a typo
lib: Add required #includes
lib: Give util_specialsids.c its own prototype header
lib: Avoid an "includes.h"
samba-bgqd: Convert closeall_*() to closefrom_*()
lib: Move closefrom_except*() to a separate file
libcli: Remove unused security_token_is_sid_string()
rpc_server: Move a type check in dcesrv_handle_lookup()
rpc_server: Simplify dcesrv_handle_lookup()
mdssvc: Use ndr_policy_handle_empty()
smbd: Make SID_SAMBA_SMB3 a static SID
rpc_server3: Avoid a literal number available as a constant
lsa_server3: Align integer types
smbd: Avoid ZERO_STRUCT() with a struct init
samba: Save a line with TALLOC_FREE
libcli: Remove unused security_token_has_sid_string()
libcli: Introduce a helper variable in security_session_user_level()
libcli: Simplify security_session_user_level()
lib: Avoid a cast in a DBG statement
lib: Simplify set_privileges with a struct initialization
lib: Fix a typo in a DEBUG fn prefix by using DBG_
idmap_script: Save a few lines with str_list_add_printf()
libcli: Avoid an includes.h
libcli: Align integer types
rpc_server3: Remove unused fields from struct dcerpc_ncacn_conn
winbind: Align an integer type
lib: Add talloc_asprintf_addbuf()
librpc: Use talloc_asprintf_addbuf() in dcerpc_binding_string()
lib: Use talloc_asprintf_addbuf() in utok_string()
winbind: Simplify winbindd_getsidaliases_recv()
winbind: Simplify winbindd_getusersids_recv()
winbind: Simplify winbindd_sids_to_xids_recv()
dsdb: Simplify schema_attribute_description() & friends
libcli: Simplify get_sec_mask_str()
rpc_server3: Remove "pipes_struct->call_id"
rpc_server3: Remove "pipes_struct->opnum"
rpc_server3: Remove an outdated comment
netlogon: Move netlogon_server_pipe_state to netlogon.idl
rpc_server3: Use dcesrv_iface_state in netlogon3
rpc_server3: Remove pipes_struct->private_data
smbd: reopen logs on SIGHUP for notifyd and cleanupd
smbd: Give smbXsrv_open.c its own header file
smbd: Remove unused "struct connections_key"
libsmb: Use cli_ntcreate in cli_chkpath
smbclient: Use cli_checkpath in "cd" command
libsmb: Remove "trans_oob()" macro
libcli: "smb_util.h" needs "ntstatus.h"
libsmb: Give reparse_symlink.c its own header
libsmb: Introduce "struct symlink_reparse_struct"
libsmb: Avoid a talloc_stackframe.c dependency
libsmb: move reparse_symlink to libcli/smb/
VFS: Fix a typo
libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code
lib: Fix a debug typo in g_lock.c
dbwrap: Remove unused dbwrap_watched_wakeup()
libsmb: Move cli_qfilename() to its only user in torture.c
smb.conf.5: Fix a typo for "username map script"
smbd: Fix a typo
vfs: Fix a few typos
libcli4: Remove outdated README file
lib: Slightly tune cp_smb_filename_nostream()
smbd: Move "struct fd_handle" into fd_handle.c
vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()
smbd: Fix typos
smbd: Avoid casts
smbd: Make sure we don't overwrite tmp_buf
lib: Use a direct struct initialization
smbd: Convert ret==false into !ret
selftest: Add reproducer for bug 14908
lib: Add required includes to source3/include/secrets.h
cmdline: Add a callback to set the machine account details
cmdline: Make -P work in clustered mode
eaglegai (1):
fix undefined-shift in put_res_rec fuzz error:
../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16
places cannot be represented in type 'int'
-----------------------------------------------------------------------
--
Samba Shared Repository
