The annotated tag, tdb-1.4.6 has been created
        at  294de0b8779c13cf2137cf3b70d1a5d0e11780c5 (tag)
   tagging  1c776e54cf33b46b2ed73263f093d596a0cdbb2f (commit)
  replaces  tdb-1.4.5
 tagged by  Stefan Metzmacher
        on  Mon Jan 24 13:24:26 2022 +0100

- Log -----------------------------------------------------------------
tdb: tag release tdb-1.4.6

Alenka Glukhovskaya (1):
      Added russian translate file

Alex Richardson (8):
      Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
      charset_macosxfs.c: fix compilation on macOS
      audit_logging.c: fix compilation on macOS
      source3/printing/queue_process.c: fix build on macOS
      sec_ctx.c: Fix -Wunused-function warning on macOS
      source3/smbd/statcache.c: Fix -Wformat build error on macOS
      vfs_preopen.c: Fix -Wformat error on macOS
      Fix detection of rpc/xdr.h on macOS

Alexander Bokovoy (2):
      CVE-2020-25717: Add FreeIPA domain controller role
      IPA DC: add missing checks

Amitay Isaacs (2):
      lib/tsocket: Fix build on Freebsd
      ctdb-tests: Implement srvid_handler for dispatching messages

Andreas Schneider (106):
      bootstrap: Install krb5-workstation on Fedora based distros
      autobuild: Exclude fips envs from samba and samba-mitkrb5
      s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
      python:waf: Correctly check for python-dateutil
      bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
      lib:cmdline: Use lp_load_global() for servers
      selftest: Re-format long lines in selftesthelpers.py
      selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
      selftest: Add support for setting ENV variables in plantestsuite()
      s3:selftests: Pass env variables to fips tests
      s4:selftests: Pass env variables to fips tests
      selftest: Pass env variables to fips tests
      selftest: Remove fips env variables from client env
      auth:gensec: Use lpcfg_weak_crypto()
      s4:rpc_server: Allow to set user password in FIPS mode
      s4:libnet: Remove trailing whitespaces
      s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
      netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
      selftest: Fix setting environ for plansmbtorture4testsuite()
      s4:selftest: Pass environ to plansmbtorture4testsuite()
      s4:torture: Remove trailing whitespaces in rpc.c
      s4:torture: Add rpc netlogon fips test
      configure: Do not put arguments into double quotes
      s3:winbindd: Add a check for the path length of 'winbindd socket directory'
      gitlab: Use shorter names for Samba AD DC env with MIT KRB5
      mit-samba: Define debug class for kdb module
      mit-samba: Send the logging to the kdc log facility
      mit-samba: Use talloc_get_type_abort() instead of casting
      mit-samba: Only set the function opening bracket once
      s3:winbind: Do not start if the priviliged socket path is too long
      s3:winbindd: Pass the right variable to the debug message
      lib:replace: Remove trailing spaces from testsuite.c
      testsuite: Fix build with gcc >= 11.1.1
      selftest: Add python path for compiled python modules like ldb
      third_party: Add a script to update waf
      third_party: Update waf to version 2.0.22
      s3:utils: Fix format error
      lib:fuzzing: Fix quoting of --fuzz-target-ldflags
      docs-xml: Remove trailing spaces in smb.conf.5.xml
      docs-xml: Use /var/tmp for spooling in smb.conf.5
      waf: Allow building with MIT KRB5 >= 1.20
      Revert "gp: Apply Firewalld Policy"
      Revert "gp: Test Firewalld Group Policy Apply"
      Revert "gp: Add Firewalld ADMX templates"
      testprogs: Use new cmdline option for kerberos
      lib:cmdline: Fix -k option which doesn't expect anything
      third_party: Update pam_wrapper to version 1.1.4
      editorconfig: Heimdal has mixed spaces and tabs with different width
      waf: Fix resolv_wrapper with glibc 2.34
      gitlab-ci: Add Fedora 35 and drop Fedora 33
      CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
      CVE-2020-25719 mit-samba: Add ks_free_principal()
      CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
      CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
      CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
      CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
      CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
      CVE-2020-25719 mit_samba: Create the talloc context earlier
      CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
      CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
      CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
      auth:creds: Remove trailing spaces
      auth:creds: Guess the username first via getpwuid(my_id)
      docs-xml: Fix smbget manpage
      mit-kdc: Use more strict KDC default settings
      s4:mit-kdb: Reduce includes to only what's needed
      s4:kdc: Remove trailing spaces in db-glue.c
      s3:winbind: Fix possible NULL pointer dereference
      testprogs: Add rpcclient schannel tests
      s3:rpc_client: Remove trailing white spaces from cli_pipe.c
      s3:rpcclient: Remove trailing white spaces in rpcclient.c
      s3:libnet: Remove tailing whitespaces in libnet_join.c
      s3:libsmb: Remove trailing white spaces from passchange.c
      s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
      libcli:auth: Allow to connect to netlogon server offering only AES
      s3:param: Remove trailing spaces in loadparm.c
      s3:param: Only include smb_ldap.h for LDAP_* defines
      s4:waf: Fix dependencies for TORTURE_UTIL
      s3:waf: Fix dependendies for libads
      wafsamba: Pass lib to CHECK_DECLS()
      waf:mitkrb5: Detect com_err with pkgconfig first
      waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
      waf:mitkrb5: Always define lib so we get the header include path
      s3:torture: Initialize pointer with NULL
      s4:mitkdc: Initilalize is_error with errno instead of EPERM(1)
      s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
      s4:mitkdc: Reset errno to 0 for com_err messages
      s4:mitkdc: Add support for pac_attrs and requester_sid
      s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
      s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
      s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
      s3:lib: Fix memory leak in netapi examples
      s3:lib: Do not close fd = -1 on fail in netapi example
      lib:util: Check return value of tdb_parse_record()
      s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO
      ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()
      s4:dns_server: Remove less-than-zero comparison of an unsigned value
      s3:winbindd: Remove dead code from sam_rids_to_names()
      lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()
      lib:util: Initialize pid
      s3:winbind: Fix using normalized name in sam_name_to_sid()
      python:tests: Don't require an emtpy 'authorization-data' to be present
      python:tests: Don't require an emtpy 'authorization-data' to be present
      s3:smbd: handle --build-options without parsing smb.conf
      gitlab-ci: Use Fedora 34 for Coverity Scan
      autobuild: Fix path for libwbclient ldd checks

Andrew Bartlett (135):
      ktutil: Print the numeric enctype if krb5_enctype_to_string() fails
      samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
      samba-tool: Rework transations/locks to hold a lock during mdb backup
      samba-tool domain backup: Use tdbbackup on metadata.tdb
      autobuild.py: Explain why each job is removed from the default set
      gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
      gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
      autobuild.py: Do not build MIT builds by default (eg sn-devel)
      build: Move minimum MIT krb5 version to 1.19 to align with what is tested
      mit-kdc: Remove build time support for KDB_API < 10
      selftest: Remove skip of samba4.rpc.unixinfo
      selftest: Modernise user_account_control.py tests use a common self.OU
      selftest: Use addCleanup rather than tearDown in user_account_control.py
      pydsdb: Add API to return strings of known UF_ flags
      selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
      selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
      selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
      script/autobuild.py: Restore MIT ADDC tests against fl2008*
      bootstrap: Update to get newer krb5 on Fedora 34
      bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
      Update common on currently supported Fedora versions
      tests/krb5: Remove harmful and a-typical return in as_req testcase
      tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
      selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
      selftest: Only run samba_tool_drs_showrepl test once
      dsdb: Be careful to avoid use of the expensive talloc_is_parent()
      selftest: Add a test for LookupSids3 and LookupNames4 in python
      s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
      selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
      docs: Ensure to rebuild manpages if samba.entities or samba.version changes
      docs: Document all the other ways to send a password to smbclient et al
      docs: Avoid duplicate information on USER and PASSWD, reference the common section
      build: Make Python 3.6 the minimum to build now oss-fuzz is upgraded
      heimdal: Remove lex.yy.c file left over from a bug in lexyacc.sh
      bootstrap: Remove last references to Ubuntu 16.04
      selftest: Update user_account_control tests to pass against Windows 2019
      autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
      .gitlab-ci: Ignore errors from missing source files in code coverage
      .gitlab-ci: Allow a 1 hour to build Samba
      samldb: Address birthday paradox adding an RODC
      selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
      selftest: Use self.assertRaisesLdbError() in user_account_control.py test
      Release ldb 2.4.1
      Release ldb 2.50 for the future samba 4.16 series
      .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
      .gitlab-ci.yml: Restore building most of our jobs
      .gitlab-ci: Avoid duplicate CI on all merge requests
      gitlab-ci: Do not retry for job_execution_timeout
      gitlab-ci: Do not download artifacts of unrelated builds
      selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
      kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
      kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
      selftest: Remove duplicate setup of $base_dn and $ldbmodify
      selftest: Improve error handling and perl style when setting up users in Samba4.pm
      dsdb: Allow special chars like "@" in samAccountName when generating the salt
      lib/krb5_wrap: Fix missing error check in new salt code
      CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
      CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
      CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
      CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
      CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
      CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
      CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
      CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
      CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
      CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
      CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
      CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
      CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
      CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
      CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
      CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
      CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
      CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
      CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
      CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
      CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
      CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
      CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
      CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
      CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
      CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
      CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
      CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
      CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
      CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
      CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
      CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
      CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
      CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
      CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
      CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
      CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
      CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
      CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
      CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
      CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
      CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
      CVE-2020-25722 Ensure the structural objectclass cannot be changed
      CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
      Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
      CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
      CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
      CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
      CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
      CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
      CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
      heimdal_build: Allow errors integer overflow errors in gen.c (only)
      Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
      heimdal_build: Do not list hx509 files twice
      heimdal_build: Remove memset_s from roken, already in libreplace
      dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
      build: Only use embedded Heimdal include paths in an embedded Heimdal build
      build: Remove kdc_include except where needed
      heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
      lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
      heimdal_build: Do not build samba4kinit unless building embedded Heimdal
      build: Add missing dependency on addns
      librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
      s4-auth: Remove unused headers
      s4:heimdal_build: changes required to build after import
      tests: Update latin1 list and ignored file list for new Heimdal import
      s4:kdc: Update samba_wdc_check_client_access() to match updated Heimdal
      s4:kdc: Adapt wamba_wdc_check_client_access() to modern Heimdal
      s4:kdc: Adapt to use new combined windc interface in lorikeet-heimdal
      s4:kdc: Update to match updated Heimdal's new HDB version
      s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal
      s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
      s4:kdc/hdb: Store and retrieve a FX-COOKIE value
      s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab
      s4:kdc: Move calls using the samba4 name to be right after each other
      s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
      s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
      selftest: Update SimpleKerberosTests now that Samba supports FAST
      selftest: knownfail updates after Heimdal Upgrade

Andrew Walker (1):
      s3:modules:recycle - fix crash in recycle_unlink_internal

Anoop C S (1):
      s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE

Bernd Kuhls (1):
      lib/util: Add signal.h include

Bjoern Jacke (1):
      util_sock: fix assignment of sa_socklen

Björn Jacke (4):
      ntvfs: add missing COM/LPT ports that are also reserved names
      mangle_hash2: add missing COM/LPT ports that are also reserved names
      mangle_hash2: remove LOCK$ from list of reserved names
      s4:librpc: raise log level for failed connection attempts

Christof Schmitt (30):
      smbd: Update comment explaining streams and file-system sharemodes
      vfs_gpfs: Update comment in vfs_gpfs_kernel_flock
      vfs_gpfs: Remove call to kernel_flock
      vfs_default: Return ENOTSUP for sharemodes flock call
      system: Remove kernel_flock
      wscript: Remove config check for LOCK_MAND
      loadparm: Set default of "kernel share modes" to "no"
      docs-xml: Update manpage for "kernel share modes" option
      WHATSNEW: Document changes for "kernel share modes"
      profile: Remove syscall_kernel_flock profiling
      VFS: Rename kernel_flock to filesystem_sharemode
      VFS: Increase VFS version for renamed function
      examples/VFS/skel_transparent: Rename kernel_flock to filesystem_sharemode
      examples/VFS/skel_opaque: Rename kernel_flock to filesystem_sharemode
      s3: Remove definition of removed kernel_flock function
      vfs_full_audit: Rename kernel_flock to filesystem_sharemode
      docs-xml: Update vfs_full_audit manpage for renamed function
      vfs_ceph: Rename kernel_flock to filesystem_sharemode
      vfs_glusterfs: Rename kernel_flock to filesystem_sharemode
      vfs_time_audit: Rename kernel_flock to filesystem_sharemode
      vfs_time_audit: Fix message for fcntl VFS call
      vfs_gpfs: Rename kernel_flock to filesystem_sharemode
      vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode
      vfs_default: Rename kernel_flock to filesystem_sharemode
      vfs_catia: Rename kernel_flock to filesystem_sharemode
      VFS: Update tracking documents for renamed function
      smbd: Update comment for durable handles
      smbd: Rename return variable for requesting filesystem sharemode
      smbd: Remove return variable for releasing filesystem sharemode
      smbd: Update debug messages for failed sharemode release

David Disseldorp (3):
      smbd: check lp_load_printers before reload via NetShareEnum
      build: reduce fp.write calls for build_options.c generation
      build: reduce printf() calls in generated build_options.c

David Gajewski (1):
      s3: VFS: solarisacl: Fix compile error (missed variable rename).

David Mulder (26):
      gpo: Ensure Network Device Enrollment Service if sscep fails
      gpo: Warn when fetching the supported templates fails
      gpo: Improve debug when extension fails to apply
      gpo: Enable user policy application
      gpo: Enable Scripts ADMX for User Policy
      gpo: Test Group Policy User Scripts
      gpo: Apply Group Policy User Scripts
      gpo: Ignore symlink failure on sscep renew
      gpo: Decode the bytes for cepces-submit failure
      gpo: Print getcert message to debug
      gpo: Test Group Policy Firefox Extension
      gpo: Add Group Policy Firefox Extension
      gpo: Test Chromium Group Policy
      gpo: Add Chromium Group Policy
      gp: Add Firewalld ADMX templates
      gp: Test Firewalld Group Policy Apply
      gp: Apply Firewalld Policy
      samba-tool: Pick local host if calling samba-tool from DC
      Revert "samba-tool: Pick local host if calling samba-tool from DC"
      gp: Add Firewalld ADMX templates
      gp: Test Firewalld Group Policy Apply
      gp: Apply Firewalld Policy
      samba-tool: Add domain member leave
      samba-tool: Create DNS entries on member join
      samba-tool: Test DNS record creation on member join
      Remove stray reference to "ldap ssl ads"

Douglas Bagnall (56):
      pytest/rodc_rwdc: try to avoid race.
      pytest: dynamic tests optionally add __doc__
      pytest: s3_net_join: avoid name clash
      CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
      CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
      CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
      CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
      CVE-2020-25722 samba-tool spn: accept -H for database url
      CVE-2020-25722 samba-tool spn add: remove --force option
      CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
      CVE-2020-25722 s4/provision: add host/ SPNs at the start
      CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
      CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
      CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
      CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
      CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
      CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
      CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
      CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
      CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
      CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
      CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
      CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
      CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
      CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
      CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
      CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
      pytests: check that we don't have bad format characters
      test/bad_chars: ensure our tests could fail
      s3/modules/vfs_acl_common.h: use utf-8
      test/blackbox/test_samba-tool_ntacl: use utf-8
      s4/auth/gensec/gensec_krb5_heimdal: use utf-8
      lib/replace/timegm: use utf-8
      third_party: remove pep8
      pytest/source_chars: forget thirdparty/pep8 test file
      third_party/update: forget pep8
      py/dnsserver: add missing imports
      py/dnsserver: add a missing exception variable
      pytest/dns_aging: use correct variable names
      pytest/dns_aging: remove duplicate tests
      pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
      pytest/docs: better spelling of set_smbconf_arbitrary
      samba-tool domain backup: cope better with dangling symlinks
      samba-tool domain backup: backup but do not follow symlinks
      pytest/source_char: check for mixed direction text

Gary Lockyer (3):
      initial FAST tests
      heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
      s4:kdc: cope with upstream rename of configuration parameters.

Günther Deschner (9):
      s3-torture: give torture test binaries their own wscript_build
      s3-torture: Only install vfstest manpage when vfstest binary gets installed.
      s3-winexe: Fix winexe core dump (use-after-free)
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
      pam_winbind: add new pwd_change_prompt option (defaults to off).
      s4:kdc: Do not encode the NTSTATUS error into a PA-DATA, just linearlise it

Isaac Boukris (6):
      kdc: remove KRB5SignedPath, to be replaced with PAC
      kdc: sign ticket using Windows PAC
      krb5: allow NULL parameter to krb5_pac_free()
      krb5: rework PAC validation loop
      s4:mit-kdb: Force canonicalization for looking up principals
      s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED

Jeremy Allison (184):
      s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
      s3: smbd: Don't leak meta-data about the containing directory of the share root.
      s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
      s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file.
      s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
      s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code.
      s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
      s4: torture: Add test for smb2.ioctl.bug14769.
      s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle.
      s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.
      s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.
      s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.
      s3: smbd: Ensure all returns from OpenDir() correctly set errno.
      s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
      s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
      s4: ntvfs: Missed comma in 24c09f913d82528ada14013e3d673d277cf04a93, string would be concatenated.
      s3: smbd: Add fifo test for the DISABLE_OPATH case.
      s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
      s3: auth: Andrew noticed f585f01148ab2d8f84c96b12e018742f5f17bcb0 doesn't keep the same logic.
      s4: process_prefork: Make prefork_restart() use an asynchronous timer event instead of calling sleep(X).
      s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
      s3: smbd: Ensure when we change security context we delete any $cwd cache.
      s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
      s3: smbspool. Remove last use of 'extern char **environ;'.
      s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
      s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links.
      s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
      s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
      s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
      s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
      s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
      s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
      s3: docs-xml: Clarify the "delete veto files" paramter.
      s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
      s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds.
      s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable.
      s3: smbd: get_real_filename() is actually static to filename.c
      s3: smbd: Add ucf_flags parameter to normalize_filename_case().
      s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.
      s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state struct.
      s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
      s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.
      s3: smbd: Use state->short_case_preserve instead of state->conn->short_case_preserve.
      s3: smbd: Turn on case sensitivity for a posix filename lookup.
      s3: smbd: Add comment to unix_convert() explaining why posix never calls into mangle_is_mangled() here.
      s3: smbd: In unix_convert_step_search_fail() ensure posix names don't call into name mangling functions.
      s3: smbd: In unix_convert() component_was_mangled is always false for posix.
      s3: smbd: Add 'bool case_sensitive' to struct smbd_dirptr_lanman2_state.
      s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
      s3: smbd: Add case_sensitive to struct smb_Dir.
      s3: smbd: Use dir_hnd->case_sensitive instead of conn->case_sensitive.
      s3: smbd: In OpenDir_fsp(), set dir_hnd->case_sensitive to true if FSP_POSIX_FLAGS_OPEN is set.
      s3: smbd: Add dptr_case_sensitive(). Not yet used.
      s3: smbd: Use dptr_case_sensitive() in directory listing code.
      s3: smbd: In open_file(), use a helper variable instead of always checking sp->posix_flags & FSP_POSIX_FLAGS_OPEN.
      s3: smbd: In open_file() use the helper variable to select correct case_sensitive setting to is_in_path().
      s3: smbd: Use a helper variable in smbd_smb2_query_directory_send().
      s3: smbd: Add and use case_sensitive helper variable to unlink_internals().
      s3: smbd: Add and use helper variables case_sensitive, case_preserve in rename_internals_fsp().
      s3: smbd: Add and use helper variable posix_pathname in rename_internals().
      s3: smbd: Ensure we never call mangle_is_mangled() for a posix path.
      s3: smbd: Add and use helper variables for case_sensitive, case_preserve, short_case_preserve to rename_internals().
      s3: smbd: In SMB1 reply_copy(), make req->posix_pathnames a helper variable.
      s3: smbd: SMB1 reply_copy(). Posix pathnames should never call into mangle_is_mangled().
      s3: smbd: SMB1 reply_copy(). Posix pathnames always means case_sensitive = true.
      s3: smbd: In unlink_internals() ensure we never call mangle_is_mangled for a posix path.
      s3: smbd: In SMB1 call_trans2findnext() add and use a helper variable to ensure we don't call mangle_is_mangled() with a posix name.
      s4: libcli: Add smbcli_unlink_wcard().
      s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
      s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
      s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
      s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
      s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
      s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
      s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
      s3: torture: Add torture_deltree() for setup and teardown.
      s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
      s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
      s3: torture: In torture_utable(), use torture_deltree() for setup.
      s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
      s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
      s3: torture: In run_streamerror(), use torture_deltree() for setup.
      s3: torture: In test_mask(), use torture_deltree() for setup.
      s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
      s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
      s4: torture: Remove the wildcard unlink test code.
      s4: torture: Remove the wildcard rename test code.
      s3: torture: Remove the wildcard unlink test code.
      s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
      s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
      s3: smbd: Change unlink_internals() to ignore has_wild parameter.
      s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
      s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
      s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
      s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
      s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
      s3: smbd: In reply_ntrename(), never set dest_has_wcard.
      s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
      s3: smbd: Prepare to remove wildcard matching from rename_internals().
      s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
      s3: smbd: Remove all wildcard code from rename_internals().
      s3: smbd: Remove the commented out resolve_wildcards().
      s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
      s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
      s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
      Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.
      docs-xml: Add "rpc start on demand helpers", true by default.
      WHATSNEW. Added section about samba-dcerpcd.
      s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
      s3: smbd: Move to modern debug calls inside do_unlink().
      s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
      s3: smbd: Remove the old unlink_internals() implementation.
      s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
      s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
      s3: smbd: check_name() is now static to filename.c
      s3: smbd: In rename_internals(), remove the name splitting and re-combining code.
      s3: smbd: Remove split_fname_dir_mask().
      s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
      s3: smbd: Remove filename_convert_with_privilege(). No longer used.
      s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
      s3: smbd: Remove unused check_name_with_privilege().
      s3: smbd: Remove now unused check_reduced_name_with_privilege().
      s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
      s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
      s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
      s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
      s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
      s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
      s3: smbd: dfs_path_lookup() no longer deals with wildcards.
      s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
      s3: smbd: parse_dfs_path() can ignore wildcards.
      s3: smbd: filename_convert() no longer deals with wildcards.
      s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
      s3: smbd: We no longer need determine_path_error().
      s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
      s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
      s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
      s3: smbd: In unix_convert() remove the now unneeded block indentation.
      s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
      s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
      s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
      s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
      s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
      s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
      s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
      s4: torture: In raw.search:test_one_file() add a second connection.
      s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
      s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
      s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: smbd: In check_parent_exists() use utility function vfs_stat().
      s3: smbd: In setup_close_full_information() use vfs_stat() helper function.
      s3: smbd: In stat_cache_lookup(), use vfs_stat() utility function.
      s3: smbd: In smbd_smb2_getinfo_send(), use vfs_stat() utility function.
      s3: smbd: In vfs_stat_smb_basename() use vfs_stat() helper function.
      s3: smbd: In parent_dirname_compatible_open(), use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QFILEINFO case, use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO on a named stream case, use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO, use helper function vfs_stat().
      s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().
      s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().
      s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.
      s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.
      s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().
      s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat().
      s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.
      s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol" before continuing.
      s3: smbd: Add "enum brl_flavour" to struct smbd_lock_element.
      s3: smbd: Move implicit call to lp_posix_cifsu_locktype() out of init_strict_lock_struct().
      s3: smbd: Remove lock_flav parameter from smbd_do_locks_try().
      s3: smbd: In smbd_smb1_do_locks_send() move access of lock_flav until after we know we have locks in the array.
      s3: smbd: Remove lock_flav argument from smbd_smb1_do_locks_send().
      s3: smbd: Remove lock_flav argument from internal function smbd_smb1_do_locks_check()
      s3: smbd: Remove lock_flav argument from smbd_smb1_brl_finish_by_lock().
      s3: smbd: Remove now redundant lock_flav parameter from smbd_do_unlocking().
      tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
      lib: util: Add a function nt_time_to_unix_timespec_raw().
      s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
      s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
      lib: util: Make nt_time_to_unix_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
      lib: util: Make nt_time_to_full_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
      s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()

Jones Syue (1):
      s3: includes: Make the comments describing itime consistent. Always use "invented" time.

Joseph Sutton (395):
      pygensec: Fix memory leaks
      pygensec: Don't modify Python bytes objects
      tests/krb5: Fix ms_kile_client_principal_lookup_test errors
      tests/krb5: Fix comment typo
      tests/krb5: Fix method name typo
      tests/krb5: formatting
      tests/krb5: Remove unneeded statements
      tests/krb5: Use more compact dict lookup
      tests/krb5: Simplify Python syntax
      tests/krb5: Remove magic constants
      tests/krb5: Fix including enc-authorization-data
      tests/krb5: Fix callback_dict parameter
      tests/krb5: Fix encpart_decryption_key with MIT KDC
      tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
      tests/krb5: Check Kerberos protocol version number
      tests/krb5: Use credentials kvno when creating password key
      tests/krb5: Allow cf2 to automatically use the enctype of the first key
      tests/krb5: Refactor get_pa_data()
      tests/krb5: Add get_enc_timestamp_pa_data_from_key()
      tests/krb5: Add method to return dict containing padata elements
      tests/krb5: Make _test_as_exchange() return value more consistent
      tests/krb5: Add get_EpochFromKerberosTime()
      tests/krb5: Use encryption with admin credentials
      tests/krb5: Allow specifying additional details when creating an account
      tests/krb5: Add more methods for obtaining machine and service credentials
      tests/krb5: Add method to calculate account salt
      tests/krb5: Add check_reply() method to check for AS or TGS reply
      tests/krb5: Always specify expected error code
      tests/krb5: Include kdc_options in kdc_exchange_dict
      tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
      tests/krb5: Ensure in assertElementPresent() that container elements are not empty
      tests/krb5: Assert that more variables are not None
      tests/krb5: Check version number of obtained ticket
      tests/krb5: Make checking less strict
      tests/krb5: Check nonce in EncKDCRepPart
      tests/krb5: Add generate_ap_req() method
      tests/krb5: Ensure generated padata is not None
      tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
      tests/krb5: Add more ASN1 definitions for FAST
      tests/krb5: Add more methods to create ASN1 objects for FAST
      tests/krb5: Add method to generate FAST encrypted challenge padata
      tests/krb5: Add methods to calculate keys for FAST
      tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
      tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
      tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
      tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
      tests/krb5: Allow specifying parameters specific to the outer request body
      tests/krb5: Add method to check PA-FX-FAST-REPLY
      tests/krb5: Add method to verify ticket checksum for FAST
      tests/krb5: Check FAST response
      tests/krb5: Add functions to get dicts of request padata
      tests/krb5: Add methods to determine whether elements were included in the request
      tests/krb5: Check encrypted-pa-data
      tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
      tests/krb5: Include authdata in kdc_exchange_dict
      tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
      tests/krb5: Add check_rep_padata() method to check padata in reply
      tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
      tests/krb5: Remove unused variables
      tests/krb5: Add get_krbtgt_sname() method
      tests/krb5: Check sname is krbtgt for FAST generic error
      tests/krb5: Check reply FAST padata if request included FAST
      tests/krb5: Adjust reply padata checking depending on whether FAST was sent
      tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
      tests/krb5: Check PADATA-FX-COOKIE in reply
      tests/krb5: Make check_rep_padata() also work for checking TGS replies
      tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
      tests/krb5: Check PADATA-PAC-OPTIONS in reply
      tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
      tests/krb5: Check PADATA-FX-ERROR in reply
      tests/krb5: Add FAST tests
      tests/krb5: Make e-data checking less strict
      tests/krb5: Make cname checking less strict
      tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
      CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
      tests/krb5: Check e-data element for TGS-REP errors without FAST
      tests/krb5: Check PADATA-PW-SALT element in e-data
      tests/krb5: Add tests for omitting sname in request
      tests/krb5: Allow specifying parameters specific to the inner FAST request body
      tests/krb5: Add tests for omitting sname in inner request
      tests/krb5: Allow expected_error_mode to be a container type
      dsdb/samdb/ldb_modules: Use correct member of union
      s4/dnsserver: Don't call memcpy() with a NULL pointer
      s4/dnsserver: Fix NULL check
      libcli/smb: Don't call memcpy() with a NULL pointer
      python: Fix usage strings
      Fix Python docstrings
      krb5pac.idl: Add ticket checksum PAC buffer type
      security.idl: Add well-known SIDs for FAST
      tests/krb5: Calculate expected salt if not given explicitly
      tests/krb5: Add methods to obtain the length of checksum types
      tests/krb5: Use signed integers to represent key version numbers in ASN.1
      tests/krb5: Add KDCOptions flag for constrained delegation
      tests/krb5: Use more compact dict lookup
      tests/krb5: Replace expected_cname_private with expected_anon parameter
      tests/krb5: Allow specifying an OU to create accounts in
      tests/krb5: Allow specifying additional User Account Control flags for account
      tests/krb5: Keep track of account DN in credentials object
      tests/krb5: Move padata generation methods to base class
      tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
      tests/krb5: Don't create PAC request manually in as_req_tests
      tests/krb5: Don't create PAC request or options manually in fast_tests
      tests/krb5: Remove magic constants
      tests/krb5: Allow specifying ticket flags expected to be set or reset
      tests/krb5: Make time assertion less strict
      tests/krb5: Allow Kerberos requests to be sent to DC or RODC
      tests/krb5: Check for presence of 'renew-till' element
      tests/krb5: Check 'caddr' element
      tests/krb5: Check for presence of 'key-expiration' element
      tests/krb5: Create testing accounts in appropriate containers
      tests/krb5: Allow specifying status code to be checked
      tests/krb5: Get expected cname from TGT for TGS-REQ messages
      tests/krb5: Get encpart decryption key from kdc_exchange_dict
      tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
      tests/krb5: Generate padata for FAST tests
      pytest:segfault: Add test for ldb.msg_diff()
      ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
      pyldb: Avoid use-after-free in msg_diff()
      tests/krb5: Sign-extend kvno from 32-bit integer
      tests/krb5: Add method to get RODC krbtgt credentials
      tests/krb5: Add get_secrets() method to get the secret attributes of a DN
      tests/krb5: Allow replicating accounts to the RODC
      tests/krb5: Create RODC account for testing
      tests/krb5: Allow replicating accounts to the created RODC
      python: Don't leak file handles
      python/join: Check for correct msDS-KrbTgtLink attribute
      tests/krb5: Add helper method for modifying PACs
      tests/krb5: Check correct flags element
      tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
      tests/krb5: Allow tgs_req() to send additional padata
      tests/krb5: Allow tgs_req() to specify different kdc-options
      tests/krb5: Allow tgs_req() to send requests to the RODC
      tests/krb5: Allow as_req() to specify different kdc-options
      tests/krb5: Use PAC buffer type constants from krb5pac.idl
      tests/krb5: Don't manually create PAC request and options in fast_tests
      tests/krb5: Set DN of created accounts to ldb.Dn type
      tests/krb5: Allow get_service_ticket() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to specify different kdc-options
      tests/krb5: Allow get_tgt() to specify expected and unexpected flags
      tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
      tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
      tests/krb5: Cache obtained tickets
      tests/krb5: Add methods for creating zeroed checksums and verifying checksums
      tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
      tests/krb5: Add method to verify ticket PAC checksums
      tests/krb5: Add method for modifying a ticket and creating PAC checksums
      tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
      tests/krb5: Make get_default_enctypes() return a set of enctype constants
      tests/krb5: Add methods to convert between enctypes and bitfields
      tests/krb5: Get supported enctypes for credentials from database
      tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
      tests/krb5: Set key version number for all accounts created with create_account()
      tests/krb5: Allow tgs_req() to check the returned ticket enc-part
      tests/krb5: Add method to get DC credentials
      tests/krb5: Fix checking for presence of authorization data
      tests/krb5: Provide ticket enc-part key to tgs_req()
      tests/krb5: Simplify account creation
      tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
      tests/krb5: Verify checksums of tickets obtained from the KDC
      tests/krb5: Add method to determine if principal is krbtgt
      tests/krb5: Add classes for testing invalid checksums
      pytest:segfault: Add test for deleting an ldb.Message dn
      pyldb: Fix deleting an ldb.Message dn
      pytest:segfault: Add test for deleting an ldb.Control critical flag
      pyldb: Fix deleting an ldb.Control critical flag
      s4/torture/drs/python: Fix attribute existence check
      pyldb: Add test for an invalid ldb.Message index type
      pyldb: Raise TypeError for an invalid ldb.Message index
      pyldb: Add tests for ldb.Message containment testing
      pyldb: Make ldb.Message containment testing consistent with indexing
      .gitlab-ci: Increase build timeout
      tests/krb5: Rename method parameter
      tests/krb5: Remove unused parameter
      tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
      tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
      tests/krb5: Fix PA-PAC-OPTIONS checking
      tests/krb5: Rename allowed_to_delegate_to parameter for clarity
      tests/krb5: Allow created accounts to use resource-based constrained delegation
      tests/krb5: Add assertion to make failures clearer
      tests/krb5: Introduce helper method for creating invalid length checksums
      tests/krb5: Fix method for creating invalid length zeroed checksum
      tests/krb5: Fix checksum generation and verification
      tests/krb5: Allow excluding the PAC server checksum
      tests/krb5: Fix handling authdata with missing PAC
      tests/krb5: Fix status code checking
      tests/krb5: Make expected_sname checking more explicit
      tests/krb5: Fix assertElementFlags()
      tests/krb5: Remove unneeded parameters from ticket cache key
      tests/krb5: Fix checking for presence of error data
      tests/krb5: Add expect_claims parameter to kdc_exchange_dict
      heimdal:kdc: Only check for default salt for des-cbc-crc enctype
      tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
      tests/krb5: Check constrained delegation PAC buffer
      tests/krb5: Save account SPN
      tests/krb5: Allow specifying options and expected flags when obtaining a ticket
      tests/krb5: Supply supported account enctypes in tgs_req()
      tests/krb5: Add parameter to enforce presence of ticket checksums
      tests/krb5: Add compatibility tests for ticket checksums
      tests/krb5: Use correct principal name type
      tests/krb5: Clarify checksum type assertion message
      tests/krb5: Fix padata checking at functional level 2003
      tests/krb5: Add environment variable to specify KDC FAST support
      tests/krb5: Check padata types when STRICT_CHECKING=0
      tests/krb5: Check logon name in PAC
      tests/krb5: Simplify padata checking
      tests/krb5: Disable debugging output for tests
      tests/krb5: Provide clearer assertion messages for test failures
      tests/krb5: Fix sha1 checksum type
      selftest/dbcheck: Fix up RODC one-way links
      tests/krb5: Add TKT_SIG_SUPPORT environment variable
      tests/krb5: Require ticket checksums if decryption key is available
      tests/krb5: Verify tickets obtained with get_service_ticket()
      tests/krb5: Add constrained delegation tests
      tests/krb5: Don't include empty AD-IF-RELEVANT
      tests/krb5: Allow bypassing cache when creating accounts
      tests/krb5: Fix duplicate account creation
      s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
      s4:kdc: Fix debugging messages
      s4/torture: Expect ticket checksum PAC buffer
      s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
      heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
      s4:kdc: Check ticket signature
      heimdal:kdc: Fix ticket signing without a PAC
      tests/krb5: Allow get_tgt() to request including or omitting a PAC
      tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
      tests/krb5: Add method to get the PAC from a ticket
      tests/krb5: Add tests for requesting a service ticket without a PAC
      tests/krb5: Ensure PAC is not present if expect_pac is false
      tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
      selftest: Increase account lockout windows to make test more reliable
      selftest: krb5 account creation: clarify account type as an enum
      tests/krb5: Decrease length of test account prefix
      tests/krb5: Allow specifying prefix or suffix for test account names
      tests/krb5: Allow creating machine accounts without a trailing dollar
      tests/krb5: Allow specifying the UPN for test accounts
      tests/krb5: Fix account salt calculation to match Windows
      tests/krb5: Add tests for account salt calculation
      tests/krb5: Check account name and SID in PAC for S4U tests
      CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
      CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
      CVE-2020-25722 tests/krb5: Allow creating server accounts
      CVE-2020-25719 tests/krb5: Add is_tgt() helper method
      CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
      MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
      CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
      CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
      CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
      CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
      CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
      CVE-2020-25719 tests/krb5: Add principal aliasing test
      CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
      CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
      CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
      CVE-2020-25722 Add test for SPN deletion followed by addition
      CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
      CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
      CVE-2020-25718 tests/krb5: Fix indentation
      CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
      CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
      CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
      CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
      CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
      CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
      CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
      CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
      CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
      CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
      CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
      CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
      CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
      CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
      CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
      CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
      CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
      CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
      CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
      CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
      CVE-2020-25719 s4/torture: Expect additional PAC buffers
      CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 heimdal:kdc: Require authdata to be present
      CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
      CVE-2020-25719 heimdal:kdc: Check return code
      CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
      CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
      CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
      CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
      CVE-2020-25719 heimdal:kdc: Require PAC to be present
      CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
      CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
      CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
      CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
      CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
      CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
      CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
      CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
      CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
      CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
      CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
      CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
      selftest: Check received LDB error code when STRICT_CHECKING=0
      tests/krb5: Remove unused variable
      tests/krb5: Deduplicate AS-REQ tests
      tests/krb5: Run test_rpc against member server
      tests/krb5: Allow PasswordKey_create() to use s2kparams
      tests/krb5: Split out methods to create renewable or invalid tickets
      tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
      tests/krb5: Remove unnecessary expect_pac arguments
      tests/krb5: Add tests for invalid TGTs
      tests/krb5: Add tests for TGS requests with a non-TGT
      tests/krb5: Add TGS-REQ tests with FAST
      tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
      tests/krb5: Add tests for validation with requester SID PAC buffer
      tests/krb5: Add comments for tests that fail against Windows
      heimdal:kdc: Fix error message for user-to-user
      s4:torture: Fix typo
      heimdal:kdc: Adjust no-PAC error code to match Windows
      kdc: Adjust SID mismatch error code to match Windows
      tests/krb5: Add test for S4U2Self with wrong sname
      kdc: Match Windows error code for mismatching sname
      kdc: Always add the PAC if the header TGT is from an RODC
      tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
      Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
      kdc: Don't include extra PAC buffers in service tickets
      kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
      tests/krb5: Add a test for S4U2Self with no authorization data required
      heimdal:kdc: Always generate a PAC for S4U2Self
      selftest: Properly check extra PAC buffers with Heimdal
      heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
      kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
      tests/krb5: Only create testing accounts once per test run
      tests/krb5: Check logon name in PAC for canonicalization tests
      tests/krb5: Check ticket cname for Heimdal
      tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
      tests/krb5: Add tests for AS-REQ with an SPN
      tests/krb5: Add tests for enterprise principals with canonicalization
      s4:torture: Remove AS_REQ_SELF test stage
      s4:torture: Remove test combination with enterprise principal without canonicalize flag
      s4:torture: Remove pre-send and post-receive callbacks
      kdc: Canonicalize realm for enterprise principals
      tests/krb5: Adjust expected error codes for FAST tests
      tests/krb5: Don't request renewable tickets
      tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
      tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
      tests/krb5: Make edata checking less strict
      tests/krb5: Allow additional unexpected padata types
      tests/krb5: Remove magic flag constants
      tests/krb5: Add test for FAST with invalid ticket checksum
      tests/krb5: Adjust unknown critical FAST option test
      tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
      tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
      tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
      hdb: Initialise HDB structure
      tests/krb5: Add tests for PAC buffer alignment
      Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
      kdc: Pad UPN_DNS_INFO PAC buffer
      s4:torture: Remove comments that are no longer relevant
      s4:torture: Fix typo
      tests/krb5: Generate unique UPNs for enterprise tests
      tests/krb5: Correctly determine whether tickets are service tickets
      tests/krb5: Add tests for AS-REQ to self with FAST
      netlogon.idl: Add flags for indicating directory service versions
      dsgetdcname: Display new flags in debug output
      dsdb/netlogon: Indicate DC functional level support in samlogon response
      s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
      s4:torture: Make etype list variables static
      s4:torture: Remove netbios realm and lowercase realm tests
      tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
      tests/krb5: Adjust expected error codes
      tests/krb5: Add FAST enc-pa-rep tests
      tests/krb5: Check encrypted-pa-data if present
      tests/krb5: Add AS-REQ PAC tests
      tests/krb5: Update supported enctype checking
      kdc: Fix leak
      netlogon.idl: Add FAST support bits
      s4:kdc: Fix build failure by including <heimbase.h>
      s4:kdc: Adapt samba_wdc_check_client_access() to upstream Heimdal
      s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
      s4:kdc: Set supported enctypes in KDC entry
      s4:kdc: Return PA-SUPPORTED-ENCTYPES
      tests/krb5: Add option to check reply padata
      selftest: Expect FAST support for both MIT and Heimdal
      s4:torture: Adapt LSA tests to newer Heimdal version
      s4:torture: Fix Orpheus' Lyre tests
      s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG
      s4:torture: Adapt KDC canon test to Heimdal upstream changes

Luke Howard (6):
      CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
      kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
      krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
      kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
      kdc: use ticket client name when signing PAC
      kdc: correctly generate PAC TGS signature

Martin Schwenke (105):
      ctdb-recoverd: Add a helper variable
      ctdb-recoverd: Update the local node map before pushing out flags
      ctdb-recoverd: Push flags for a node if any remote node disagrees
      ctdb-protocol: Add new controls to disable and enable nodes
      ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
      ctdb-daemon: Add a helper variable
      ctdb-daemon: Factor out a function to get node structure from PNN
      ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
      ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
      ctdb-client: Add client code for disable/enable controls
      ctdb-tools: Use disable and enable controls in tool
      ctdb-daemon: Correct the condition for logging unchanged flags
      ctdb-daemon: Update logging for flag changes
      ctdb-daemon: Modernise remaining debug macro in this function
      ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
      ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
      ctdb-daemon: Simplify ctdb_control_modflags()
      ctdb-daemon: Ignore flag changes for disconnected nodes
      ctdb-daemon: Don't mark a node as unhealthy when connecting to it
      ctdb-tests: Fix typo in ctdb stub comment matching
      ctdb-tests: Drop unused function ctdb_get_all_public_addresses()
      debug: Move header_str and hs_len to state
      debug: Add a level of indirection to ring buffer logging
      debug: Factor out function copy_no_nl()
      debug: Avoid debug header being separated from debug text
      debug: Add length argument to Debug1()
      debug: Push message length argument down to backend log functions
      debug: Rename variable for consistency
      debug: Optimise construction of header_str_no_nl
      debug: Optimise to avoid walking the header string
      debug: Optimise early return when header string buffer is full
      debug: Move msg_no_nl to state
      debug: Optimise construction of msg_no_nl
      bootstrap: Add Debian 11
      bootstrap: Debian 11 has liburing-dev
      debug: Add debug_syslog_format setting
      debug: Add new smb.conf option "debug syslog format"
      ctdb-tests: Add extra IPv6 socket parsing tests
      ctdb-protocol: Print IPv6 sockets with RFC5952 "[2001:db8::1]:80" notation
      ctdb-common: Switch initial debug type to DEBUG_DEFAULT_STDERR
      ctdb-common: Use Samba's DEBUG_FILE logging
      ctdb-common: Separate sock_daemon's SIGHUP and SIGUSR1 handling
      ctdb-common: Add support for reopening logs
      ctdb-daemon: Add basic top-level log reopening
      ctdb-recoverd: Add basic log reopening
      ctdb-daemon: Enable log reopening for recovery daemon
      ctdb-event: Reopen logs on SIGHUP
      ctdb-daemon: Enable log reopening for event daemon
      ctdb-recoverd: Add log reopening on SIGHUP to helpers
      ctdb-recoverd: Record helper PID in recovery daemon context
      ctdb-recoverd: Pass SIGHUP to running helper
      ctdb-recoverd: Factor out and use function this_node_is_leader()
      ctdb-recoverd: Use this_node_is_leader() in an extra context
      ctdb-recoverd: Add PNN to recovery daemon context
      ctdb-recoverd: Simplify arguments to some election functions
      ctdb-recoverd: Simplify arguments to do_recovery()
      ctdb-recoverd: Simplify arguments to verify_local_ip_allocation()
      ctdb-recoverd: Simplify arguments to ctdb_ban_node()
      ctdb-recoverd: Change argument to srvid_disable_and_reply()
      ctdb-recoverd: Use rec->pnn everywhere
      ctdb-recoverd: Rename recmaster field to leader
      ctdb-recoverd: Logging/comments: recovery master -> leader
      ctdb-recoverd: Add and use function this_node_can_be_leader()
      ctdb-recoverd: Only start election if node can be leader
      ctdb-recoverd: Add an explicit flag for election in progress
      ctdb-protocol: Add CTDB_SRVID_LEADER
      ctdb-recoverd: Process leader broadcasts
      ctdb-recoverd: Send leader broadcasts
      ctdb-recoverd: Handle leader broadcast timeout
      ctdb-recoverd: Drop special case for elected-before-connected
      ctdb-recoverd: Drop leader validation
      ctdb-tests: Setup cluster with expected arguments
      ctdb-tests: Avoid a race
      ctdb-recoverd: Factor out function cluster_lock_take()
      ctdb-recoverd: Take cluster lock when election completes
ctdb-recoverd: Terminology change: recovery lock -> cluster lock ctdb-recoverd: Add and use function cluster_lock_enabled() ctdb-recoverd: No longer take cluster lock during recovery ctdb-recoverd: Simplify some stopped/banned checks to inactive checks ctdb-tests: Add leader broadcasts to fake_ctdbd ctdb-tests: Factor out getting leader and waiting for leader change ctdb-client: Factor out function ctdb_client_wait_func_timeout() ctdb-tools: Print "UNKNOWN" when leader PNN is unknown ctdb-tools: Handle leader broadcasts in ctdb tool ctdb-tools: Factor out get_leader() ctdb-tools: Use leader broadcast in get_leader() ctdb-tools: recovery master -> leader ctdb-recoverd: Drop recovery master verification ctdb-recoverd: Drop calls to ctdb_ctrl_setrecmaster() ctdb-daemon: Drop unused old client recmaster functions ctdb-client: Drop unused recmaster functions ctdb-protocol: Drop protocol client functions for recmaster controls ctdb-daemon: Drop implementation of {GET,SET}_RECMASTER controls ctdb-protocol: Drop marshalling for {GET,SET}_RECMASTER controls ctdb-protocol: Mark {GET,SET}_RECMASTER controls obsolete ctdb-recoverd: Use race for cluster lock as election when lock is enabled ctdb-doc: Update documentation for leader and cluster lock ctdb-config: [cluster] recovery lock -> [cluster] cluster lock ctdb-config: [legacy] recmaster capability -> [cluster] leader capability ctdb-config: Add configuration option [cluster] leader timeout ctdb-tests: Support commenting out local daemons configuration options ctdb-tests: Improve test coverage for leader role yield and elections ctdb-doc: Update example configuration migration script ctdb-doc: Remove documentation for recovery process WHATSNEW: Document CTDB leader and cluster lock changes Matthew Grant (4): libcli/dns: dns forwarder port doc changes lib/tsocket: new function to parse host port strs. 
libcli/dns: smb.conf dns forwarder port support libcli/dns.c: dns forwarder port test changes Michael Adam (1): lib:cmdline: fix a comment Nadezhda Ivanova (2): CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute Nicolas Williams (1): krb5: Fix PAC signature leak affecting KDC Noel Power (3): s4: torture: CHECK ret value and fail if false s3: smbd: In setup_close_full_information() the posix_open parameter is not needed anymore. s3: smbd: In stat_cache_lookup(), remove unused posix_paths param. Pavel Filipenský (23): krb5_wrap: remove unused code s3:winbindd: Fix winbindd child logfile name handling docs-xml: Update winbindd(8) manpage s3:librpc: Improve calling of krb5_kt_end_seq_get() s3:modules: VFS CAP symlinkat always fails s3:modules: Fix the horrible vfs_crossrename module s3:smbd: Fix trailing whitespaces in dosmode.c s3:smbd: Fix dereferencing null pointer "fsp" s3:rpc_server: Fix possible NULL dereference ctdb:utils: Improve error handling of hex_decode() s3:libnet: Fix dead code in libnet_join.c s3:libnet: Fix dereference of NULL win7 s3:modules: Fix possible dereference of NULL for fio s3:utils: set ads->auth.flags using krb5_state s3:libads: Remove trailing spaces from sasl.c s3:libads: Disable NTLMSSP for FIPS s3:libads: Improve debug messages for SASL bind s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos) tests: Add test for disabling NTLMSSP for ldap client connections s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap s3:winbindd: Remove trailing spaces from winbindd_ads.c s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode Ralph Boehme (104): smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS smbd: only open full fd for directories if needed selftest: add a test for the 
"deadtime" parameter s3/rpc_server: track the number of policy handles with a talloc destructor libreplace: properly give headers to conf.CHECK_CODE when checking for copy_file_range_syscall libreplace: properly execute SYS_copy_file_range check vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range() libreplace: remove now unused USE_COPY_FILE_RANGE define s3/lib/dbwrap: check if global_messaging_context() succeeded registry: check for running as root in clustering mode smbd: avoid calling creating a pathref in smb_set_file_dosmode() vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x() vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes() vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes() vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes() vfs_gpfs: pass fsp to smbd_gpfs_set_times() vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes() lib/gpfswrap: add gpfs_set_times_path() wrapper vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times() winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send() winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() lib/cmdline: add POPT_COMMON_DAEMON daemon popt options lib/cmdline: restore pre-4.15 logging behaviour for daemons smbd: use POPT_COMMON_DAEMON nmbd: use POPT_COMMON_DAEMON winbindd: use POPT_COMMON_DAEMON s4/samba: POPT_COMMON_DAEMON lib/replace: drop runtime copy_file_range() check selftest: fix ---configfile option manpages: remove duplicate options from smbclient lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14 selftest: remove unsupported smbcacls option --get texpect: don't ignore unknown options smbstatus: don't ignore unknown options s4/smbclient: don't ignore 
unknown options nmblookup: don't ignore unknown options source3/lib/smbconf: don't ignore unknown options s3/param: don't ignore unknown options rpcclient: don't ignore unknown options pdbtest: don't ignore unknown options vfstest: don't ignore unknown options s3/async-tracker: don't ignore unknown options log2pcaphex: don't ignore unknown options mvxattr: don't ignore unknown options nmblookup: don't ignore unknown options ntlm_auth: don't ignore unknown options pdbedit: don't ignore unknown options profiles: don't ignore unknown options regedit: don't ignore unknown options sharesec: don't ignore unknown options smbcacls: don't ignore unknown options smbcquotas: don't ignore unknown options smbget: don't ignore unknown options smbtree: don't ignore unknown options split_tokens: don't ignore unknown options testparm: don't ignore unknown options s4/cifsdd: don't ignore unknown options s4/regdiff: don't ignore unknown options s4/regpatch: don't ignore unknown options s4/regshell: don't ignore unknown options s4/regtree: don't ignore unknown options s4/torture/gentest: don't ignore unknown options s4/torture/locktest: don't ignore unknown options s4/torture/masktest: don't ignore unknown options vfs_btrfs: fix btrfs_fget_compression() smbd: fix "ea support = no" registry: skip root check when running with uid-wrapper enabled idl: declare token array of storage_offload_token as in-line vfs: Add flags and xferlen args to SMB_VFS_OFFLOAD_READ_RECV lib: add sys_block_align[_truncate]() vfs: add and use a few SMB_VFS_ODX defines ctdb-scripts: filter out comments in public_addresses file ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests selftest: add a test ignored spotlight/elasticsearch mapping failures mdssvc: prepare for ignore attribute and type mapping errors mdssvc: add options to allow ignoring attribute and type mapping errors docs: document new Spotlight Elasticsearch options lib: add NTTIME_THAW lib: fix 
null_nttime() tests lib: use NTTIME_FREEZE in a null_nttime() test lib: update null_nttime() of -1: -1 is NTTIME_FREEZE lib: add a test for null_nttime(NTTIME_THAW) torture: add a test for NTTIME_FREEZE and NTTIME_THAW lib: handle NTTIME_THAW in nt_time_to_full_timespec() vfs_fruit: remove a fsp check from ad_fset() smbd: early out in is_visible_fsp() CI: add a test for bug 14882 lib/dbwrap: reset deleted record to tdb_null CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() source3: move lib/substitute.c functions out of proto.h samba-bgqd: fix startup and logging winbindd: remove is_default_dyn_LOGFILEBASE() logic lib/debug: fix fd check before dup'ing to stderr lib/debug: in debug_set_logfile() call reopen_logs_internal() lib/cmdline: fix indentation lib/cmdline: remember config_type in samba_cmdline_init() lib/cmdline: setup default file logging for servers smbd: get rid of get_file_handle_for_metadata() CVE-2020-25717: s3-auth: fix MIT Realm regression smbd: s3-dsgetdcname: handle num_ips == 0 docs: fix documentation for default of "fruit:zero_file_id" Samuel Cabrero (8): s3: rpc_server: Avoid creating new handles when received an empty policy_handle pidl:NDR/ServerCompat.pm: Do not register disabled services librpc:core: Add a function to register an interface passing the binding handle s3:rpc_server: Do not use the default ncalrpc endpoint for external services CVE-2020-25717: loadparm: Add new parameter "min domain uid" CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter CVE-2020-25717: s3:auth: Check minimum domain uid Stefan Metzmacher (154): gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15 s4:torture/smb2: add tests to check all signing and encryption algorithms s3:smbd: really support AES-256* in the server winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop() s3:libsmb: start encryption as soon as possible after the session 
setup s3:libsmb: close the temporary IPC$ connection in cli_full_connection() wafsamba: add support git worktree to vcs_dir_contents() script/bisect-test.py: add support git worktree wscript: fix installing pre-commit with 'git worktree' wafsamba: always generate compile_commands.json again, but only when the samba dependencies changed vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat() docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth smbclient: don't ignore unknown options libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result selftest/Samba3: remove unused close(USERMAP); calls selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") s3/libsmb: check for global parametric option "libsmb:client_guid" CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true CVE-2020-25717: s4:torture: start with authoritative = 1 CVE-2020-25717: s4:smb_server: start with authoritative = 1 CVE-2020-25717: s4:auth_simple: start with authoritative = 1 CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 CVE-2020-25717: s3:torture: start with authoritative = 1 CVE-2020-25717: s3:rpcclient: start with authoritative = 1 CVE-2020-25717: s3:auth: start with authoritative = 1 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors CVE-2020-25717: s3:auth: we should not try to autocreate the guest 
account CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain() CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect() CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual() CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False) CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos CVE-2016-2124: s3:libsmb: don't fallback to non 
spnego authentication if we require kerberos CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind() CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info() CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper s3:winbindd: fix "allow trusted domains = no" regression CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain script/autobuild.py: fix "nondevel" builds of 'samba-libs' wafsamba: mark SAMBA_MODULE() with private_library=True wafsamba: fix '--private-libraries' option when using 'ALL,!something' wafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars wafsamba: remove unused private_library argument of PRIVATE_NAME() wafsamba: use private extentions also for bundled public libraries wafsamba: the symbol version string of private libraries should be based on the toplevel project wafsamba: assert for *.sigs source files in abi_build_vscript() wafsamba: add SAMBA_SUBSYSTEM(force_empty=False) wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY} wafsamba: introduce SAMBA[3]_PLUGIN() wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for 
private libraries heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY() heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY() heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY() libwbclient: fix strict-overflow warning in wbcSidToString() s3:utils: remove notify_msg.c from smbstatus sources s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response() s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response() nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response() nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_ nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_ nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_ lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled() nsswitch: reduce dependecies to private libraries and link static/builtin if possible script/autobuild.py: make sure nss and pam plugins don't link any samba libraries script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols vfs_not_implemented: mark all functions with _PUBLIC_ s4:samba: split out a samba_service_init() helper function heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS() libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon* s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes smb2_server: decouple IOCTL check from signing/encryption states smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL smb2_ioctl: return 
BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done() s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO auth/credentials: Handle ENOENT when obtaining ccache lifetime auth/credentials: Fix cli_credentials_shallow_ccache error case Revert "python:tests: Don't require an emtpy 'authorization-data' to be present" dsdb/common: add dsdb_dc_functional_level() helper s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level() dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response() s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level() selftest/Samba3: enable SMB1 for maptoguest s4:torture/libsmbclient: add libsmbclient.noanon_list test s4:selftest: run libsmbclient.noanon_list against maptoguest s3:libsmb: fix signing regression SMBC_server_internal() Happy New Year 2022! 
auth/credentials: cli_credentials_set_ntlm_response() pass session_keys s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook dsdb/schema: fix Object(OR-Name) syntax definition dsdb/common: dsdb_dn_construct_internal() more strict checking dsdb/schema: add no memory checks for {ldb,dsdb}_dn_get_extended_linearized() dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY() s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc() s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2() s4:heimdal_build: include heimdal headers relative to heimdal_build s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b05771c40f14e) tests/auth_log: adjust expected authDescription for test_smb_bad_user s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface selftest: set [libdefaults] fcache_strict_checking = false HEIMDAL: move code from source4/heimdal* to third_party/heimdal* s4:dsdb/paged_results: fix segfault in paged_results() s4:dsdb/vlv_pagination: fix segfault in vlv_results() bootstrap: use compat-gnutls37-devel for centos7 wafsamba: Remove clangdb code which doesn't work wafsamba: Add our own implmentation to generate the clangdb tdb: version 1.4.6 Uri 
Simchoni (11): fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04 configure: allow configure script to accept parameters with spaces fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04 fuzzing/oss-fuzz: strip RUNPATH from dependencies gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image selftest: add a unit test for tsocket_address_inet_from_strings tsocket: set errno on some failures of tsocket_address_inet_from_strings WHATSNEW: document dns forwarder change selftest: add more tests for test_address_inet_from_strings selftest: test tsocket_address_inet_from_hostport_strings Viktor Dukhovni (1): HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 Volker Lendecke (234): samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry" docs: Add vfs_expand_msdfs manpage rpcclient: Align integer types lib: Fix a potential error path memleak lib;smbd: Fix the -Os build by initializing variables samdb: Fix an uninitialized variable read net3: Save a few lines with any_nt_status_not_ok() net3: Simplify name_to_sid(): dom_sid_parse checks for "S-" prefix net: Align some integer types libnetapi: Save lines with any_nt_status_not_ok() rpc_client: Simplify rpc_pipe_bind_step_one_done() rpc_client: Replace ZERO_STRUCTP with struct assignment rpc_client: Simplify create_rpc_bind_req() rpc_client: Save 65 .text bytes with -Os rpc_client: Avoid two casts with proper printf specifiers lib: Use TALLOC_FREE() in data_blob_free() libsmbclient: Avoid a call to SMBC_errno() in SMBC_chmod_ctx() libsmbclient: Avoid a call to SMBC_errno() in SMBC_open_ctx() libsmbclient: Avoid a call to SMBC_errno() in SMBC_read_ctx() libsmbclient: Avoid a call to SMBC_errno() in SMBC_splice_ctx() libsmbclient: Avoid a call to SMBC_errno() in SMBC_attr_server() libsmbclient: Avoid a call to SMBC_errno() in SMBC_notify_ctx() net: Use dbwrap_do_locked() in wipedbs_delete_records() smbd: Fix 
fetch_share_mode_send() error return smbd: Simplify mark_share_mode_disconnected() librpc: Simplify GUID_zero() with a direct struct return librpc: Simplify GUID_string2() by using GUID_buf_string() librpc: Simplify GUID_hexstring() rpc_server: Simplify open_np_file() rpc_server: Slightly simplify set_user_info_21() rpc_server: Slightly simplify set_user_info_18() rpc_server: Remove an unused function declaration rpc_server: Align integer types rpc_server: Simplify _samr_CreateUser2() rpc_server: Fix a comment lib: Improve comment wording rpc_client: Slightly simplify rpc_transport_np_init_pipe_open() libsmb: Fix a typo rpc_client: Fix a small memleak rpc_client: Early TALLOC_FREE() in prepare_verification_trailer() rpc_client: Slightly simplify rpc_api_pipe_req_send() rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer() rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions rpc_client: Use struct init/assignment rpc_client: Use ndr_syntax_id_equal() in check_bind_response() rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions rpc_client: Adapt rpc_write_send() to tevent_req conventions winbind: Remove an unused include rpc_client: Simplify rpccli_bh_disconnect_recv() rpc_client: Use tevent_req_nterror() properly rpc_client: Avoid casts rpc_client: Simplify rpc_api_pipe_auth3_done() rpc_client: Simplify get_complete_frag_got_rest() rpc_client: Simplify get_complete_frag_got_header() rpc_client: Simplify get_complete_frag_got_header() rpc_client: Simplify get_complete_frag_send() torture: Remove rpc_open_tcp test program rpc_client: Make rpc_pipe_open_tcp() static rpc_client: Use tevent_req_nterror() properly in cli_api_pipe rpc_client: Align cli_api_pipe_send() with tevent_req() conventions winbindd: NULL-initialize a pointer rpcclient: Add unixinfo commands rpc_server3: Include the right "dcerpc.h" from a SAMBA_SUBSYSTEM auth: Simplify is_our_machine_account() 
auth: Fix a typo samba-tool: Fix a typo samba_dnsupdate: Fix deprecation warnings smbtorture: Fix epmapper.Map_full test debug: Remove "override_logfile" lib: Simplify sid_linearize() samba-bgqd: Enable smbcontrol pool-usage rpc_server4: Fix a typo winbind: Fix a typo lib: Add required #includes lib: Give util_specialsids.c its own prototype header lib: Avoid an "includes.h" samba-bgqd: Convert closeall_*() to closefrom_*() lib: Move closefrom_except*() to a separate file libcli: Remove unused security_token_is_sid_string() rpc_server: Move a type check in dcesrv_handle_lookup() rpc_server: Simplify dcesrv_handle_lookup() mdssvc: Use ndr_policy_handle_empty() smbd: Make SID_SAMBA_SMB3 a static SID rpc_server3: Avoid a literal number available as a constant lsa_server3: Align integer types smbd: Avoid ZERO_STRUCT() with a struct init samba: Save a line with TALLOC_FREE libcli: Remove unused security_token_has_sid_string() libcli: Introduce a helper variable in security_session_user_level() libcli: Simplify security_session_user_level() lib: Avoid a cast in a DBG statement lib: Simplify set_privileges with a struct initialization lib: Fix a typo in a DEBUG fn prefix by using DBG_ idmap_script: Save a few lines with str_list_add_printf() libcli: Avoid an includes.h libcli: Align integer types rpc_server3: Remove unused fields from struct dcerpc_ncacn_conn winbind: Align an integer type lib: Add talloc_asprintf_addbuf() librpc: Use talloc_asprintf_addbuf() in dcerpc_binding_string() lib: Use talloc_asprintf_addbuf() in utok_string() winbind: Simplify winbindd_getsidaliases_recv() winbind: Simplify winbindd_getusersids_recv() winbind: Simplify winbindd_sids_to_xids_recv() dsdb: Simplify schema_attribute_description() & friends libcli: Simplify get_sec_mask_str() rpc_server3: Remove "pipes_struct->call_id" rpc_server3: Remove "pipes_struct->opnum" rpc_server3: Remove an outdated comment netlogon: Move netlogon_server_pipe_state to netlogon.idl rpc_server3: Use 
dcesrv_iface_state in netlogon3 rpc_server3: Remove pipes_struct->private_data smbd: reopen logs on SIGHUP for notifyd and cleanupd smbd: Give smbXsrv_open.c its own header file smbd: Remove unused "struct connections_key" libsmb: Use cli_ntcreate in cli_chkpath smbclient: Use cli_checkpath in "cd" command libsmb: Remove "trans_oob()" macro libcli: "smb_util.h" needs "ntstatus.h" libsmb: Give reparse_symlink.c its own header libsmb: Introduce "struct symlink_reparse_struct" libsmb: Avoid a talloc_stackframe.c dependency libsmb: move reparse_symlink to libcli/smb/ VFS: Fix a typo libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code lib: Fix a debug typo in g_lock.c dbwrap: Remove unused dbwrap_watched_wakeup() libsmb: Move cli_qfilename() to its only user in torture.c smb.conf.5: Fix a typo for "username map script" smbd: Fix a typo vfs: Fix a few typos libcli4: Remove outdated README file lib: Slightly tune cp_smb_filename_nostream() smbd: Move "struct fd_handle" into fd_handle.c vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname() smbd: Fix typos smbd: Avoid casts smbd: Make sure we don't overwrite tmp_buf lib: Use a direct struct initialization smbd: Convert ret==false into !ret selftest: Add reproducer for bug 14908 lib: Add required includes to source3/include/secrets.h cmdline: Add a callback to set the machine account details cmdline: Make -P work in clustered mode named_pipe_auth: Bump info4 to info5 named_pipe_auth.idl: Add "need_idle_server" librpc: Add named_pipe_auth_req_info5->transport auth: Fix a typo in auth/gensec/ncalrpc.c librpc: Get transport out of tstream_npa_accept_existing_recv() rpc_server: Check info5->transport test: Prime the kpasswd server s3:services: Disable rcinit-based service control code s3:rpc_server: Remove direct registry access from svcctl_init_winreg s3:rpc_client: Bump debug level for ncalrpc connect error dcesrv_core: Add dcesrv_context_set_callbacks() backupkey.idl: Don't listen on \\pipe\ntsvcs 
dcesrv_core: Add dcesrv_loop_next_packet() idl: Define messages sent between samba-dcerpcd and rpcd's s3:rpc_server: Add samba-dcerpcd s3:rpc_client: Add local_np_connect() s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol s3:rpc_client: Add rpc_pipe_open_local_np() smbcontrol: Add rpc-dump-status s3:printing: Move pcap_cache_loaded() to load.c unittest: Remove test_sambafs_srv_pipe s3:rpc_server: Make npa_state_init() public s3:winbind: Close internal RPC pipes after 5 idle seconds s3:rpc_server: Add samba-dcerpcd helper programs s3:rpc_server: Activate samba-dcerpcd printing: Remove "start_daemons" from printing_subsystem_init() s3:rpc_server: Delete unused code and doc references dcesrv_core: Remove unused dcesrv_reinit_context() configure: Check for __atomic_add_fetch() and __atomic_load() tdb: Use atomic operations for tdb_[increment|get]_seqnum tdb: Raw performance torture to beat tdb_increment_seqnum smbd: Fix a fd leak when closing a print file pysmbd: Fix file descriptor leaks vfs_commit: Reset fsp->fd->fd to -1 after SMB_VFS_CLOSE smbd: Replace SMB_VFS_CLOSE() calls with fd_close() smbd: Assert we don't leak fd's in struct fd_handle smbd: Save a few lines by using cp_smb_filename_nostream() smbd: Fix a few typos smbd: Move fast_string_hash() to mangle_hash.c, the only user smbd: Remove an unneeded anonymous struct declaration smbd: Avoid some casts lib: Avoid a cast Remove some unused code smbd: Avoid a DEBUGADD statement rpc_server3: Inline make_internal_ncacn_conn() into rpc_worker.c rpc_server3: Inline make_base_pipes_struct() into rpc_worker.c rpc_server3: Remove pipes_struct->local_address rpc_server3: Remove pipes_struct->remote_address rpc_server3: Inline make_base_pipes_struct() rpc_server3: Remove pipes_struct->pipe_bound rpc_server3: Remove pipes_struct->session_info rpc_server3: Remove pipes_struct->auth rpc_server3: No linked list for pipes_struct anymore winbind: Don't transfer a pointer that's NULL anyway 
rpc_server3: dcerpc_ncacn_conn->ev_ctx was only set but never used rpc_server3: Remove dcerpc_ncacn_conn->msg_ctx rpc_server3: Remove dcerpc_ncacn_conn->dce_ctx rpc_server3: Remove dcerpc_ncacn_conn->tstream rpc_server3: Remove dcerpc_ncacn_conn->remote_client_addr rpc_server3: Remove dcerpc_ncacn_conn->local_server_addr rpc_server3: Remove dcerpc_ncacn_conn->session_info rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn rpc_server3: Inline single-use rpcint_binding_handle_ex() smbd: Modernize a DEBUG statement vfs: Modernize a DEBUG statement lib: Fix a typo test: Test rpcclient ncacn_ip_tcp:<ip-address> rpcclient: Fix ncacn_ip_tcp:<ip-address> ctdb-protocol: rindex->strrchr ctdb-protocol: Save 50 bytes .text segment ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation profile3: remove an unused include printing: Save a few lines with str_list_add_printf() smbd: Save a few lines with str_list_add_printf() lib: Save a few lines with str_list_add_printf() lib: Save a few lines with str_list_add_printf() lib: Remove unused tstream_npa_socketpair() rpc_host: We have tevent_req_oom() for ENOMEM torture3: Align two integer types smbd: Fix a typo smbd: Align a few integer types libsmb: Avoid a cast net: Align a few integer types libads: Convert sitename_key() to talloc winbindd: Replace asprintf() with talloc_asprintf() lib: Remove unused asprintf_strupper_m() smbd: Remove a duplicate protoype libcli/dns: Fix TCP fallback build: Without getrandom() require gnutls 3.7.2 eaglegai (1): fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int' ----------------------------------------------------------------------- -- Samba Shared Repository