[SCM] UID Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider
The branch, master has been updated
   via  3916f98 uwrap: Fix syscall() with jemalloc to prevent a deadlock
   via  895197e gitlab-ci: Disable ASLR for TSAN
   via  a9b1ca6 gitlab-ci: Adapt config to gitlab changes
  from  c8bf3ae tests: Fix fake socket_wrapper_syscall_valid()

https://git.samba.org/?p=uid_wrapper.git;a=shortlog;h=master


- Log -
commit 3916f985e716c865269c1f0a437efdc1aa5cdc87
Author: Andreas Schneider 
Date:   Wed Jun 12 11:19:58 2024 +0200

uwrap: Fix syscall() with jemalloc to prevent a deadlock

This is a workaround to prevent a deadlock in jemalloc calling
malloc_init() twice. The first allocation call will trigger a
malloc_init() of jemalloc.  The function calls syscall(SYS_open, ...)
so it goes to socket or uid wrapper. In this code path we need to avoid
any allocation calls. This will prevent the deadlock.

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Stefan Metzmacher 
Signed-off-by: Andreas Schneider 

commit 895197ece51df1b24ee163aaece1ed2f18812f79
Author: Andreas Schneider 
Date:   Wed Jun 12 11:22:41 2024 +0200

gitlab-ci: Disable ASLR for TSAN

This works around a TSAN issue with newer Linux Kernels (6.x).

See https://github.com/google/sanitizers/issues/1716

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit a9b1ca679a17d9d2d819f8099d7f51a63b2f1dfe
Author: Andreas Schneider 
Date:   Wed Jun 12 11:21:12 2024 +0200

gitlab-ci: Adapt config to gitlab changes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci.yml    | 27 ---
 src/uid_wrapper.c | 45 -
 2 files changed, 48 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1a4a3b0..3a84a8e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,8 +22,6 @@ centos7/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -42,8 +40,6 @@ fedora/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure && make install
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -61,8 +57,6 @@ fedora/address-sanitizer:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -79,8 +73,6 @@ fedora/undefined-sanitizer:
   -DCMAKE_BUILD_TYPE=UndefinedSanitizer
   -DUNIT_TESTING=ON ..
   && make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -93,13 +85,14 @@ fedora/thread-sanitizer:
   stage: analysis
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
   script:
+# Workaround for TSAN with ASLR on newer kernel
+# https://github.com/google/sanitizers/issues/1716
 - mkdir -p obj && cd obj && cmake
   -DCMAKE_BUILD_TYPE=ThreadSanitizer
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
-  make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
+  make -j$(nproc) &&
+  setarch --addr-no-randomize -- ctest --output-on-failure
   except:
 - tags
   artifacts:
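Review bot: The comment added above the `mkdir -p obj` script entry only gives the sanitizers issue URL, while the workaround itself is the `setarch --addr-no-randomize -- ctest` line at the end of the command. Say in the comment that ASLR is switched off only for the ctest process and its children, and that the wrapper should be dropped once the TSAN issue is resolved, so the job does not keep running tests without address randomization longer than needed.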
@@ -132,8 +125,6 @@ fedora/csbuild:
   --git-commit-range $CI_COMMIT_RANGE
   --color
   --print-current --print-fixed
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -174,8 +165,6 @@ tumbleweed/x86_64/gcc:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -194,8 +183,6 @@ tumbleweed/x86_64/gcc7:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -214,8 +201,6 @@ tumbleweed/x86_64/clang:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -236,8 +221,6 @@ tumbleweed/static-analysis:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   scan-build --status-bugs -o scan make -j$(nproc)
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -255,8 +238,6 @@ ubuntu/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
diff --git a/src/uid_wrapper.c b/src/uid_wrapper.c
index 5b6a82b..4a174e1 100644
--- a/src/uid_wrapper.c
+++ b/src/uid_wrapper.c
@@ -656,6 +656,9 @@ static void 

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-12 Thread Jule Anger
The branch, v4-20-test has been updated
   via  e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
   via  f681ee3bac0 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
  from  50d4451bd4b s3:smbcacls: fix ace_compare

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit e57e35908d53124d44d4c275a9f6b248516204ae
Author: Jeremy Allison 
Date:   Mon Jun 10 17:25:32 2024 -0700

s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224

(cherry picked from commit e535bcc698bd5eb31f5c5e0c144692988a044e79)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jun 12 10:22:36 UTC 2024 on atb-devel-224

commit f681ee3bac0ebe86ea1e810aca13e0b5738c58e0
Author: Jeremy Allison 
Date:   Mon Jun 10 15:14:19 2024 -0700

s3/torture: Add test for widelink case insensitivity on a MSDFS share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 
(cherry picked from commit e37e4f474935819c75c078e52715cf3212f77359)

---

Summary of changes:
 source3/modules/vfs_widelinks.c              | 13 -
 source3/script/tests/test_widelink_dfs_ci.sh | 72 
 source3/selftest/tests.py                    | 11 +
 3 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c
index c5b5084e108..4339f6de9e0 100644
--- a/source3/modules/vfs_widelinks.c
+++ b/source3/modules/vfs_widelinks.c
@@ -383,8 +383,17 @@ static int widelinks_openat(vfs_handle_struct *handle,
}
lstat_ret = SMB_VFS_NEXT_LSTAT(handle,
full_fname);
-   if (lstat_ret != -1 &&
-   VALID_STAT(full_fname->st) &&
+   if (lstat_ret == -1) {
+   /*
+* Path doesn't exist. We must
+* return errno from LSTAT.
+*/
+   int saved_errno = errno;
+   TALLOC_FREE(full_fname);
+   errno = saved_errno;
+   return -1;
+   }
+   if (VALID_STAT(full_fname->st) &&
S_ISLNK(full_fname->st.st_ex_mode)) {
fsp->fsp_name->st = full_fname->st;
}
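Review bot: The comment in the new `if (lstat_ret == -1)` branch says "Path doesn't exist", but the branch is taken for every LSTAT failure, whatever errno is. Reword it to something like "LSTAT failed, return its errno" so nobody later assumes ENOENT here. Saving errno around TALLOC_FREE and restoring it before the return is the right pattern.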
diff --git a/source3/script/tests/test_widelink_dfs_ci.sh 
b/source3/script/tests/test_widelink_dfs_ci.sh
new file mode 100755
index 000..6ae5cf5bd7f
--- /dev/null
+++ b/source3/script/tests/test_widelink_dfs_ci.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# regression test for dfs access with wide links enabled on dfs share
+# Ensure we still maintain case insensitivity.
+
+if [ $# -lt 7 ]; then
+   cat <
+EOF
+   exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+SHARE="$3"
+USERNAME="$4"
+PASSWORD="$5"
+PREFIX="$6"
+SMBCLIENT="$7"
+shift 7
+ADDARGS="$@"
+
+incdir=$(dirname "$0")"/../../../testprogs/blackbox"
+. "$incdir/subunit.sh"
+. "$incdir/common_test_fns.inc"
+
+failed=0
+
+# Do not let deprecated option warnings muck this up
+SAMBA_DEPRECATED_SUPPRESS=1
+export SAMBA_DEPRECATED_SUPPRESS
+
+# Test chdir'ing into a lowercase directory with upper case.
+test_ci()
+{
+tmpfile="$PREFIX/smbclient_ci_commands"
+
+cat >"$tmpfile" <
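Review bot: `ADDARGS="$@"` near the top of the script joins the remaining arguments into one string, so an extra argument that contains whitespace is split differently when ADDARGS is expanded later. If the extra arguments can contain spaces, use "$@" directly at the call site after the `shift 7` instead of copying it into a variable.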

[SCM] Samba Shared Repository - branch master updated

2024-06-12 Thread Andrew Bartlett
The branch, master has been updated
   via  43802f1bedd python: remove string_to_byte_array()
   via  982dab89326 samba-tool ldapcmp: remove a dodgy unused method
   via  6347b0c3736 pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
   via  300bb809ab7 samba-tool domain trust: avoid useless use of string_to_byte_array
   via  f8fb9f19bca python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
   via  3b349c29b59 python:join: avoid useless use of py2-compat string_to_byte_array
   via  46933bc25de py:emulate: remove py2 str/bytes workaround in traffic_packets
   via  25e6d7c6a33 py:emulate: remove py2 str/bytes workaround in traffic
   via  f0cf1879681 pytest: remove py2 str/bytes workaround in auth_log_samlogon
   via  bd3792005ba pytest: remove py2 str/bytes workaround in samr_change_password
   via  2dc111b4c18 pytest: remove py2 str/bytes workaround in lsa_utils
   via  b253b4e0eda pytest: remove py2 str/bytes workaround in dns_base
   via  5d2ea6908b1 pytest: remove py2 str/bytes workaround in py_credentials
   via  de19f4d6753 s4/pytest: remove py2 str/bytes workaround in getnc_exop
  from  788ef8f07c7 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 43802f1beddc875d1f4fc15babdbadf7615705c9
Author: Douglas Bagnall 
Date:   Wed Jun 12 12:16:46 2024 +1200

python: remove string_to_byte_array()

This was a useful function during the Python 2 -> 3 migration, but it
is not used any more. In all the cases it was used, we knew we already
had a bytes object, and this was just an inefficient way of confirming
that.

In cases where we actually want to cast a string into a mutable list
of byte-sized ints, the builtin bytearray() function will do a better
job than this, because it will encode high unicode characters as utf-8
bytes, rather than adding them as out-of-range values in the list.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun 12 09:16:39 UTC 2024 on atb-devel-224

commit 982dab893263b60609bf47a7138c91aefb41a038
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:42:27 2024 +1200

samba-tool ldapcmp: remove a dodgy unused method

We have bindings for stringifying GUIDs, so I intended to replace this
rather complicated code with that, but it turns out that this method
has been unused since 5d42260eecfd4f26cc82637ce1bc989083c9eb9d in 2013.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6347b0c3736e1208d09f94e2b67f1b4234205374
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:34:36 2024 +1200

pytest: simplify and fix HEXDUMP_FILTER used in hexdumps

The old test

   x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')

went through some contortions to see if the character was printable, and
it got it slightly wrong. The idea was that `repr(chr(97))` is "'a'",
while `repr(chr(167))` is "'\xa7'", which we can distinguish using the
length. But that miscategorised the backslash character, which is
represented as "'\\'", a string of length 4, so it was shown as '.'
instead.

Instead we notice that the characters we want to print in a hexdump
are exactly those between 32 and 126, inclusive.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 300bb809ab7c06eb6abef91a313dbdb8edad7c83
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:21:59 2024 +1200

samba-tool domain trust: avoid useless use of string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit f8fb9f19bca909fe4d29378f255bad33ccb1d778
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:21:09 2024 +1200

python:lsa_utils: avoid useless use of py2-compat string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3b349c29b59ebe7e1e389dc0d51b2063c657b210
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:19:55 2024 +1200

python:join: avoid useless use of py2-compat string_to_byte_array

This was a workaround for the migration to Python 3, but is now just
extra work for the computer and cognitive load for us.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 46933bc25de6515866c6b9d1ae76fad6701fb252
Author: Douglas Bagnall 
Date:   Wed Jun 12 11:17:22 2024 +1200

py:emulate: remove py2 str/bytes workaround in traffic_packets

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 25e6d7c6a339f389cd13628e30b09a892e1a4144
Author: Douglas Bagnall 
Date:   Wed 
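
The HEXDUMP_FILTER change described in commit 6347b0c3736 above, as an added example that is not code from the Samba tree: it builds both 256-entry translation tables, lists the byte values on which they disagree, and renders a hexdump with each. The function names and the sample bytes (a constructed UNC-style path) are assumptions made for the illustration.

```python
# Added illustration, not Samba's code. Names below are hypothetical.

def old_is_printable(x):
    # The test quoted in the commit message: a printable character has a
    # three-character repr such as "'a'", an escaped one is longer.
    return (len(repr(chr(x))) == 3) and (x < 127)


def new_is_printable(x):
    # The replacement rule from the commit message: 32..126 inclusive.
    return 32 <= x <= 126


def build_filter(is_printable):
    # 256-entry table usable with bytes.translate(); non-printable -> '.'
    return bytes(x if is_printable(x) else ord('.') for x in range(256))


OLD_FILTER = build_filter(old_is_printable)
NEW_FILTER = build_filter(new_is_printable)


def filter_disagreements():
    # Byte values that the two tables render differently.
    return [x for x in range(256) if OLD_FILTER[x] != NEW_FILTER[x]]


def hexdump(data, table, width=16):
    # Offset, hex bytes, then the filtered text column.
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join('%02X' % b for b in chunk)
        text = chunk.translate(table).decode('ascii')
        lines.append('[%04X] %-*s  %s' % (off, width * 3 - 1, hexpart, text))
    return lines


# Constructed sample: \\srv\share followed by NUL, 0xA7 and a newline.
SAMPLE = b'\\\\srv\\share\x00\xa7\n'

if __name__ == '__main__':
    print('bytes rendered differently:', filter_disagreements())
    print('old:', *hexdump(SAMPLE, OLD_FILTER), sep='\n  ')
    print('new:', *hexdump(SAMPLE, NEW_FILTER), sep='\n  ')
```

With the old table every backslash in a dumped path or DOMAIN\user string is replaced by a dot, which matters when test hexdumps are compared or read during debugging.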

[SCM] Socket Wrapper Repository - branch master updated

2024-06-12 Thread Andreas Schneider
The branch, master has been updated
   via  03cea2e swrap: Fix syscall() with jemalloc to prevent a deadlock
   via  9b141c0 tests: Sleep less so that the test runs only for 60sec
   via  9658fec tests: Always link to cmocka library
   via  e3c2432 gitlab-ci: Disable ASLR for TSAN
   via  87f2b5a gitlab-ci: Adapt config to gitlab changes
  from  7af4f26 tests: Fix fake uid_wrapper_syscall_valid().

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit 03cea2ed18bc53bd0e658bc24be6913373d5f97e
Author: Andreas Schneider 
Date:   Fri Jun 7 09:39:20 2024 +0200

swrap: Fix syscall() with jemalloc to prevent a deadlock

This is a workaround to prevent a deadlock in jemalloc calling malloc_init()
twice. The first allocation call will trigger a malloc_init() of jemalloc.
The function calls syscall(SYS_open, ...) so it goes to socket or uid
wrapper. In this code path we need to avoid any allocation calls. This will
prevent the deadlock.

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Stefan Metzmacher 
Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 9b141c06568bfba2b9fe63e7d43fb7d1cae12b55
Author: Andreas Schneider 
Date:   Tue Jun 11 08:05:09 2024 +0200

tests: Sleep less so that the test runs only for 60sec

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 9658fec68b9d20d280c70714d99bc76f23ec7a9a
Author: Andreas Schneider 
Date:   Tue Jun 11 09:41:55 2024 +0200

tests: Always link to cmocka library

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit e3c243237097750bbdf57bc2e4835ab5e89fcb0e
Author: Andreas Schneider 
Date:   Wed Jun 12 10:28:45 2024 +0200

gitlab-ci: Disable ASLR for TSAN

This works around a TSAN issue with newer Linux Kernels (6.x).

See https://github.com/google/sanitizers/issues/1716

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 87f2b5ae1c4b88639f76578c0463efe6ae1b051d
Author: Andreas Schneider 
Date:   Fri Jun 7 09:52:48 2024 +0200

gitlab-ci: Adapt config to gitlab changes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 .gitlab-ci.yml | 33 -
 src/socket_wrapper.c   | 45 -
 tests/CMakeLists.txt   |  6 +++---
 tests/test_echo_tcp_poll.c |  2 +-
 4 files changed, 52 insertions(+), 34 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3643167..fdc11c3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,8 +22,6 @@ centos7/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -41,8 +39,6 @@ fedora/x86_64:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -60,8 +56,6 @@ fedora/address-sanitizer:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -78,8 +72,6 @@ fedora/undefined-sanitizer:
   -DCMAKE_BUILD_TYPE=UndefinedSanitizer
   -DUNIT_TESTING=ON ..
   && make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -95,13 +87,14 @@ tumbleweed/thread-sanitizer:
   stage: analysis
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$TUMBLEWEED_BUILD
   script:
+# Workaround for TSAN with ASLR on newer kernel
+# https://github.com/google/sanitizers/issues/1716
 - mkdir -p obj && cd obj && cmake
   -DCMAKE_BUILD_TYPE=ThreadSanitizer
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
-  make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
+  make -j$(nproc) &&
+  setarch --addr-no-randomize -- ctest --output-on-failure
   except:
 - tags
   artifacts:
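Review bot: In the `setarch --addr-no-randomize -- ctest --output-on-failure` line, a runner that does not let the process change its personality makes setarch itself fail, and the job then reports a failure that has nothing to do with the tests. Consider a short preceding step such as `setarch --addr-no-randomize -- true` with a clear error message, or state the requirement in the comment added above the cmake call.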
@@ -133,8 +126,6 @@ fedora/csbuild:
   --git-commit-range $CI_COMMIT_RANGE
   --color
   --print-current --print-fixed
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -175,8 +166,6 @@ tumbleweed/x86_64/gcc:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -195,8 +184,6 @@ tumbleweed/x86_64/gcc7:
   -DPICKY_DEVELOPER=ON
   -DUNIT_TESTING=ON .. &&
   make -j$(nproc) && ctest --output-on-failure
-  tags:
-- shared
   except:
 - tags
   artifacts:
@@ -215,8 +202,6 @@ tumbleweed/x86_64/clang:
   

[SCM] Samba Shared Repository - branch master updated

2024-06-11 Thread Jeremy Allison
The branch, master has been updated
   via  788ef8f07c7 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
   via  7f1de90f72d selftest: Add a python blackbox test for some misc (widelink) DFS tests
  from  e535bcc698b s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267
Author: Noel Power 
Date:   Fri Jun 7 19:35:47 2024 +0100

s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5
Author: Noel Power 
Date:   Tue Jun 11 11:19:50 2024 +0100

selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
 cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

---

Summary of changes:
 python/samba/tests/blackbox/misc_dfs_widelink.py | 86 
 source3/smbd/files.c | 18 +
 source4/selftest/tests.py|  3 +
 3 files changed, 107 insertions(+)
 create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/misc_dfs_widelink.py 
b/python/samba/tests/blackbox/misc_dfs_widelink.py
new file mode 100644
index 000..7948590d710
--- /dev/null
+++ b/python/samba/tests/blackbox/misc_dfs_widelink.py
@@ -0,0 +1,86 @@
+# Blackbox tests for DFS (widelink)
+#
+# Copyright (C) Noel Power noel.po...@suse.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+from samba.tests import BlackboxTestCase, BlackboxProcessError
+from samba.samba3 import param as s3param
+
+from samba.credentials import Credentials
+
+import os
+
+class DfsWidelinkBlockboxTestBase(BlackboxTestCase):
+
+def setUp(self):
+super().setUp()
+self.lp = s3param.get_context()
+self.server = os.environ["SERVER"]
+self.user = os.environ["USER"]
+self.passwd = os.environ["PASSWORD"]
+self.creds = Credentials()
+self.creds.guess(self.lp)
+self.creds.set_username(self.user)
+self.creds.set_password(self.passwd)
+self.testdir = os.getenv("TESTDIR", "msdfs-share-wl")
+self.share = os.getenv("SHARE", "msdfs-share-wl")
+self.dirpath = os.path.join(os.environ["LOCAL_PATH"],self.testdir)
+# allow a custom teardown function to be defined
+self.cleanup = None
+self.cleanup_args = []
+
+def tearDown(self):
+try:
+if (self.cleanup):
+self.cleanup(self.cleanup_args)
+except Exception as e:
+print("remote remove failed: %s" % str(e))
+
+def build_test_cmd(self, cmd, args):
+cmd = [cmd, "-U%s%%%s" % (self.user, self.passwd)]
+cmd.extend(args)
+return cmd
+
+def test_ci_chdir(self):
+parent_dir = "msdfs-src1"
+dirs = [parent_dir, parent_dir.upper()]
+# try as named dir first then try upper-cased version
+for adir in dirs:
+smbclient_args = self.build_test_cmd("smbclient", ["//%s/%s" % 
(self.server, self.share), "-c", "cd %s" % (adir)])
+try:
+out_str = self.check_output(smbclient_args)
+except BlackboxProcessError as e:
+print(str(e))
+self.fail(str(e))
+
+def test_nested_chdir(self):
+parent_dir = "dfshop1"
+child_dir = 
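Review bot: `build_test_cmd` puts the password on the smbclient command line through `"-U%s%%%s" % (self.user, self.passwd)`, where it shows up in the process list and in any logged command, while the Credentials object built in setUp is not used anywhere in the visible lines. Passing the credentials through smbclient's authentication file option would keep them out of argv. Two smaller points: the class name reads DfsWidelinkBlockboxTestBase (Blockbox), and `out_str` in test_ci_chdir is assigned but never checked.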

[SCM] Samba Shared Repository - branch master updated

2024-06-11 Thread Jeremy Allison
The branch, master has been updated
   via  e535bcc698b s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
   via  e37e4f47493 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
  from  db342d86a9c samba-tool user readpasswords: avoid `assert` for validation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e535bcc698bd5eb31f5c5e0c144692988a044e79
Author: Jeremy Allison 
Date:   Mon Jun 10 17:25:32 2024 -0700

s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224

commit e37e4f474935819c75c078e52715cf3212f77359
Author: Jeremy Allison 
Date:   Mon Jun 10 15:14:19 2024 -0700

s3/torture: Add test for widelink case insensitivity on a MSDFS share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

---

Summary of changes:
 source3/modules/vfs_widelinks.c              | 13 -
 source3/script/tests/test_widelink_dfs_ci.sh | 72 
 source3/selftest/tests.py                    | 11 +
 3 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100755 source3/script/tests/test_widelink_dfs_ci.sh


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_widelinks.c b/source3/modules/vfs_widelinks.c
index c5b5084e108..4339f6de9e0 100644
--- a/source3/modules/vfs_widelinks.c
+++ b/source3/modules/vfs_widelinks.c
@@ -383,8 +383,17 @@ static int widelinks_openat(vfs_handle_struct *handle,
}
lstat_ret = SMB_VFS_NEXT_LSTAT(handle,
full_fname);
-   if (lstat_ret != -1 &&
-   VALID_STAT(full_fname->st) &&
+   if (lstat_ret == -1) {
+   /*
+* Path doesn't exist. We must
+* return errno from LSTAT.
+*/
+   int saved_errno = errno;
+   TALLOC_FREE(full_fname);
+   errno = saved_errno;
+   return -1;
+   }
+   if (VALID_STAT(full_fname->st) &&
S_ISLNK(full_fname->st.st_ex_mode)) {
fsp->fsp_name->st = full_fname->st;
}
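Review bot: The new early `return -1` after `TALLOC_FREE(full_fname)` leaves widelinks_openat from the middle of the function, and only full_fname is released on that path. The visible context does not show what else has been allocated or modified before this point, so please confirm nothing else needs undoing here, or route the error through the function's existing cleanup path if it has one.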
diff --git a/source3/script/tests/test_widelink_dfs_ci.sh 
b/source3/script/tests/test_widelink_dfs_ci.sh
new file mode 100755
index 000..6ae5cf5bd7f
--- /dev/null
+++ b/source3/script/tests/test_widelink_dfs_ci.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# regression test for dfs access with wide links enabled on dfs share
+# Ensure we still maintain case insensitivity.
+
+if [ $# -lt 7 ]; then
+   cat <
+EOF
+   exit 1
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+SHARE="$3"
+USERNAME="$4"
+PASSWORD="$5"
+PREFIX="$6"
+SMBCLIENT="$7"
+shift 7
+ADDARGS="$@"
+
+incdir=$(dirname "$0")"/../../../testprogs/blackbox"
+. "$incdir/subunit.sh"
+. "$incdir/common_test_fns.inc"
+
+failed=0
+
+# Do not let deprecated option warnings muck this up
+SAMBA_DEPRECATED_SUPPRESS=1
+export SAMBA_DEPRECATED_SUPPRESS
+
+# Test chdir'ing into a lowercase directory with upper case.
+test_ci()
+{
+tmpfile="$PREFIX/smbclient_ci_commands"
+
+cat >"$tmpfile" <

[SCM] Samba Shared Repository - branch master updated

2024-06-10 Thread Andrew Bartlett
The branch, master has been updated
   via  db342d86a9c samba-tool user readpasswords: avoid `assert` for validation
   via  b42c4891804 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
   via  facb418c99d s4:dsdb: Remove trailing whitespace
   via  5ffa7683295 s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
   via  7ae10eb25f8 s4:auth: Add common out path to authsam_reread_user_logon_data()
   via  4e8ca6140af ldb: Attach appropriate ldb context to returned result
  from  225e6aeafc7 s4/torture: Remove already existing test_dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit db342d86a9ccd15f764cb8e0a91774e1f8fd7858
Author: Douglas Bagnall 
Date:   Fri Feb 2 15:01:21 2024 +1300

samba-tool user readpasswords: avoid `assert` for validation

`assert` can be optimised away if python is run with `-O`.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224

commit b42c489180474627270e09408f84841baa175157
Author: Jo Sutton 
Date:   Tue Jun 11 14:58:11 2024 +1200

s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)

We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit facb418c99d5be62ae7e111539ca497a783b6a37
Author: Jo Sutton 
Date:   Fri May 24 13:05:58 2024 +1200

s4:dsdb: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5ffa7683295ae7006a51dc8244918ed89f500184
Author: Jo Sutton 
Date:   Mon Apr 29 17:07:43 2024 +1200

s4:auth: Add temporary memory context to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 7ae10eb25f821e617100cad113f751833b7c0893
Author: Jo Sutton 
Date:   Mon Apr 29 17:09:12 2024 +1200

s4:auth: Add common out path to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21
Author: Jo Sutton 
Date:   Wed May 1 16:54:01 2024 +1200

ldb: Attach appropriate ldb context to returned result

This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/ABI/ldb-2.10.0.sigs  |  1 +
 lib/ldb/common/ldb_dn.c  | 16 +
 lib/ldb/include/ldb.h|  3 +++
 lib/ldb/ldb_key_value/ldb_kv_search.c|  2 +-
 python/samba/netcmd/user/readpasswords/common.py |  5 +++-
 python/samba/tests/krb5/gmsa_tests.py|  2 +-
 source4/auth/sam.c   | 29 
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c  | 28 +++
 8 files changed, 59 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.10.0.sigs b/lib/ldb/ABI/ldb-2.10.0.sigs
index f23014ffaaa..bd9aa54a005 100644
--- a/lib/ldb/ABI/ldb-2.10.0.sigs
+++ b/lib/ldb/ABI/ldb-2.10.0.sigs
@@ -47,6 +47,7 @@ ldb_dn_check_special: bool (struct ldb_dn *, const char *)
 ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_copy_with_ldb_context: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *, 
struct ldb_context *)
 ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
 ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const 
struct ldb_dn_extended_syntax *)
 ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index cb4266dca91..e785a6d9e3d 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -1398,6 +1398,22 @@ struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct 
ldb_dn *dn)
return new_dn;
 }
 
+struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx,
+   struct ldb_dn *dn,
+   struct ldb_context *ldb)
+{
+   struct ldb_dn *new_dn = NULL;
+
+   new_dn = ldb_dn_copy(mem_ctx, dn);
+   if (new_dn == NULL) {
+   return NULL;
+   }
+
+   /* Set the ldb context. */
+   new_dn->ldb = ldb;
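Review bot: `new_dn->ldb = ldb;` in ldb_dn_copy_with_ldb_context stores the caller's pointer as is, with no NULL check and no talloc reference visible in this hunk, so the copy is only valid while that ldb context is alive. Document the lifetime requirement where the function is declared, and decide whether a NULL `ldb` should be rejected or is an accepted input.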

[Announce] Samba 4.19.7 Available for Download

2024-06-10 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.6


o  Douglas Bagnall
   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
     function (ldb 2.8.1 is already released).
   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
     lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
     released).

o  Andrew Bartlett
   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
     bill.

o  Stefan Metzmacher
   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
     SysvolReady=0.
   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
     Windows Server 2022).
   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
     only host.

o  Anna Popova
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
     flag.

o  Noel Power
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.7.html


If you are building/using ldb from a system library, you'll
also need the related updated ldb tarball, otherwise you can ignore it.
The uncompressed ldb tarballs have been signed using GnuPG (ID
4793916113084025).

The ldb source code can be downloaded from:

    https://download.samba.org/pub/ldb/ldb-2.8.1.tar.gz


Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team





[SCM] Samba Shared Repository - branch v4-19-stable updated

2024-06-10 Thread Jule Anger
The branch, v4-19-stable has been updated
   via  bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.
   via  e71f7441c9e WHATSNEW: Add release notes for Samba 4.19.7.
   via  6ca4df63741 BUG 15569 ldb: Release LDB 2.8.1
   via  d4f9272b7e9 s3:smbcacls: fix ace_compare
   via  123f458dda6 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  0382d17 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  ae8eb3d2b09 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  2a53574e07e s4:dsdb:mod: repl_md: make message_sort transitive
   via  92daa0a7801 ldb: avoid NULL deref in ldb_db_compare
   via  ca905ccbf1e ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  50bfb065e01 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  5c5c652db7c ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  96f3db39522 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  2b3416384ae ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  fae4e0b16aa ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  108f687cf22 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  5bf176b5692 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  24d362e62d4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  9314eaaba91 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  f0f9598d5d1 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  c1819217c0a gensec: sort_gensec uses NUMERIC_CMP
   via  4066451f6e8 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  16288b40eb9 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  069e651d4b8 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  f58d857d722 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  13645e1131b s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  aa255148bbb ldb:dn: make ldb_dn_compare() self-consistent
   via  867dce05d21 ldb:sort: generalise both-NULL check to equality check
   via  87a6fe0058a ldb:sort: check that elements have values
   via  71d2c9093cf ldb:mod:sort: rearrange NULL checks
   via  d4477eab44a s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  075aae1d1a0 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  32f4e0c7f5a s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  26e08f8fc7d s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  30f0a2fb131 s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  91dd5024010 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  0f8e25b897f s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  f14a1370f48 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  622bf82fb32 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  6b07ce82a58 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  b7f581fb61f libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  60c318fc66b libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  23d792875f9 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  b2dbe57c977 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  fe804401b9b util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  ad50158af05 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  9de4a5d3bbc ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  c85cb252af0 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  5847e53de2f lib/torture: add assert_int_{less,greater} macros
   via  12c6c305fb1 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  74befdb1387 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  2557ab23014 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  120479e4e02 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  388b11b6dc1 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  59f6652aeee util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  3f8063530d2 torture:charset: test more of strcasecmp_m
   via  6b08f2ed860 torture:charset: use < and > assertions for 
strncasecmp_m
   via  5082378df18 torture:charset: use < and > assertions for strcasecmp_m
   via  1a45f172070 util:binsearch: user NUMERIC_CMP()
   via  ea27699bcd2 s4: use numeric_cmp in dns_common_sort_zones()
   via  792f8d40e1c s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  25e97cd7dba s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  6c9119371cd ldb:ldb_dn: use safe 

[SCM] Samba Website Repository - branch master updated

2024-06-10 Thread Jule Anger
The branch, master has been updated
   via  19e1100 NEWS[4.19.7]: Samba 4.19.7 Available for Download
  from  2ec8209 NEWS[4.20.1]: Samba 4.20.1 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 19e11008fca41dd540944dbf54f4cb1b36065cbc
Author: Jule Anger 
Date:   Mon Jun 10 17:29:25 2024 +0200

NEWS[4.19.7]: Samba 4.19.7 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.19.7.html| 62 
 posted_news/20240610-153018.4.19.7.body.html | 13 +
 posted_news/20240610-153018.4.19.7.headline.html |  3 ++
 4 files changed, 79 insertions(+)
 create mode 100644 history/samba-4.19.7.html
 create mode 100644 posted_news/20240610-153018.4.19.7.body.html
 create mode 100644 posted_news/20240610-153018.4.19.7.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 984ad78..7ddf607 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -11,6 +11,7 @@

samba-4.20.1
samba-4.20.0
+   samba-4.19.7.
samba-4.19.6.
samba-4.19.5.
samba-4.19.4.
diff --git a/history/samba-4.19.7.html b/history/samba-4.19.7.html
new file mode 100644
index 000..d7d013c
--- /dev/null
+++ b/history/samba-4.19.7.html
@@ -0,0 +1,62 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.19.7 - Release Notes
+
+
+Samba 4.19.7 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.gz;>Samba 
4.19.7 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.gz;>Patch
 (gzipped) against Samba 4.19.6
+https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.19.7
+   June 10, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.6
+
+
+o  Douglas Bagnall douglas.bagn...@catalyst.net.nz
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function (ldb 2.8.1 is already released).
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
+ released).
+
+o  Andrew Bartlett abart...@samba.org
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+
+o  Stefan Metzmacher me...@samba.org
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15642: winbindd, net ads join and other things dont work on an 
ipv6
+ only host.
+
+o  Anna Popova popova.anna...@gmail.com
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15611: http library doesnt support  chunked transfer 
encoding.
+
+
+
+
+
+
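Review bot: in the BUG 14981 entry, `NR_STATUS_ACCESS_DENIED` looks like a typo for `NT_STATUS_ACCESS_DENIED`, the status name used elsewhere in this thread. The same spelling is in the WHATSNEW.txt text for this release, so it is better fixed there and carried over here, otherwise anyone searching the release notes for the real status name will miss this entry.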
diff --git a/posted_news/20240610-153018.4.19.7.body.html 
b/posted_news/20240610-153018.4.19.7.body.html
new file mode 100644
index 000..8b91043
--- /dev/null
+++ b/posted_news/20240610-153018.4.19.7.body.html
@@ -0,0 +1,13 @@
+
+10 June 2024
+Samba 4.19.7 Available for Download
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/stable/samba-4.19.7.tar.gz;>downloaded
 now.
+A https://download.samba.org/pub/samba/patches/samba-4.19.6-4.19.7.diffs.gz;>patch
 against Samba 4.19.6 is also available.
+See https://www.samba.org/samba/history/samba-4.19.7.html;>the 
release notes for more info.
+
+
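Review bot: the news item states that the uncompressed tarball is signed but links only the .tar.gz, the patch and the release notes, so a reader has no direct path from this text to the detached signature. Consider linking the signature file here as well (the history page added in the same push links samba-4.19.7.tar.asc), noting that the archive must be uncompressed before verification, and giving the full key fingerprint instead of only the 64-bit ID AA99442FB680B620.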
diff --git a/posted_news/20240610-153018.4.19.7.headline.html 
b/posted_news/20240610-153018.4.19.7.headline.html
new file mode 100644
index 000..e1b9b9e
--- /dev/null
+++ b/posted_news/20240610-153018.4.19.7.headline.html
@@ -0,0 +1,3 @@
+
+ 10 June 2024 Samba 4.19.7 Available for 
Download
+


-- 
Samba Website Repository



[SCM] Samba Shared Repository - annotated tag samba-4.19.7 created

2024-06-10 Thread Jule Anger
The annotated tag, samba-4.19.7 has been created
at  92be2654d0c65af6c71d2da5b32c443812092b0d (tag)
   tagging  bce5c475d12fb75619bc85d176bfd40420b4fce8 (commit)
  replaces  ldb-2.8.1
 tagged by  Jule Anger
on  Mon Jun 10 17:29:04 2024 +0200

- Log -
samba: tag release samba-4.19.7

Jule Anger (2):
  WHATSNEW: Add release notes for Samba 4.19.7.
  VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-19-test updated

2024-06-10 Thread Jule Anger
The branch, v4-19-test has been updated
   via  6875787d129 VERSION: Bump version up to Samba 4.19.8...
   via  bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.
   via  e71f7441c9e WHATSNEW: Add release notes for Samba 4.19.7.
   via  6ca4df63741 BUG 15569 ldb: Release LDB 2.8.1
  from  d4f9272b7e9 s3:smbcacls: fix ace_compare

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit 6875787d1294fc2cb0f6f0dce58b209c659ae871
Author: Jule Anger 
Date:   Mon Jun 10 17:26:01 2024 +0200

VERSION: Bump version up to Samba 4.19.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit bce5c475d12fb75619bc85d176bfd40420b4fce8
Author: Jule Anger 
Date:   Mon Jun 10 17:25:44 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

Signed-off-by: Jule Anger 

commit e71f7441c9e2cf2ff895e1106506dec4632508b0
Author: Jule Anger 
Date:   Mon Jun 10 17:25:02 2024 +0200

WHATSNEW: Add release notes for Samba 4.19.7.

Signed-off-by: Jule Anger 

commit 6ca4df6374136d1d205de689618dc8fce5177d14
Author: Jule Anger 
Date:   Mon Jun 10 16:56:59 2024 +0200

BUG 15569 ldb: Release LDB 2.8.1

* BUG 15569: Many qsort() comparison functions are non-transitive, which
  can lead to out-of-bounds access in some circumstances.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION|  2 +-
 WHATSNEW.txt   | 66 +-
 lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.8.1.sigs} |  0
 lib/ldb/wscript|  2 +-
 4 files changed, 66 insertions(+), 4 deletions(-)
 copy lib/ldb/ABI/{ldb-2.8.0.sigs => ldb-2.8.1.sigs} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 939e114840c..e0f2394cfa6 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2023"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index be2edfb6ac4..fa27ad5083b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,66 @@
+   ==
+   Release Notes for Samba 4.19.7
+   June 10, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.6
+
+
+o  Douglas Bagnall 
+   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
+ function (ldb 2.8.1 is already released).
+   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
+ lead to out-of-bounds access in some circumstances (ldb 2.8.1 is already
+ released).
+
+o  Andrew Bartlett 
+   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
+ bill.
+
+o  Stefan Metzmacher 
+   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
+ SysvolReady=0.
+   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
+ Windows Server 2022).
+   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
+   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
+ only host.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support  'chunked transfer encoding'.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.19.6
April 08, 2024
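Review bot: the two Douglas Bagnall entries do not match the ldb release commit in this same push. Here BUG 15569 is "ldb qsort might r/w out of bounds with an intransitive compare function" and the "Many qsort() comparison functions are non-transitive" text is listed under BUG 15625, while the "BUG 15569 ldb: Release LDB 2.8.1" commit message attaches that second description to BUG 15569. One of the two should be corrected so that the out-of-bounds fix can be traced to a single bug number from either place.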
@@ -52,8 +115,7 @@ 

[SCM] Samba Shared Repository - annotated tag ldb-2.8.1 created

2024-06-10 Thread Jule Anger
The annotated tag, ldb-2.8.1 has been created
at  994b7debdcd5fdb4d9617f84c6fa4456cfdcf51c (tag)
   tagging  6ca4df6374136d1d205de689618dc8fce5177d14 (commit)
  replaces  samba-4.19.6
 tagged by  Jule Anger
on  Mon Jun 10 17:20:50 2024 +0200

- Log -
ldb: tag release ldb-2.8.1

Andrew Bartlett (1):
  .gitlab-ci: Remove tags no longer provided by gitlab.com

Anna Popova (1):
  s3:utils: Fix Inherit-Only flag being automatically propagated to children

Douglas Bagnall (65):
  ldb: avoid out of bounds read and write in ldb_qsort()
  lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
  util:tsort.h: add a macro for safely comparing numbers
  ldb: add NUMERIC_CMP macro to ldb.h
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
  ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
  s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
  s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
  s4: use numeric_cmp in dns_common_sort_zones()
  util:binsearch: user NUMERIC_CMP()
  torture:charset: use < and > assertions for strcasecmp_m
  torture:charset: use < and > assertions for strncasecmp_m
  torture:charset: test more of strcasecmp_m
  util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
  util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
  util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
  util:charset:codepoints: codepoint_cmpi warning about non-transitivity
  s3:libsmb:namequery: note intransitivity in addr_compare()
  s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
  lib/torture: add assert_int_{less,greater} macros
  util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
  ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
  ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
  util:datablob: avoid non-transitive comparison in data_blob_cmp()
  ldb: avoid non-transitive comparison in ldb_val_cmp()
  ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare()
  libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
  s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
  s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
  s4:dns_server: use NUMERIC_CMP in rec_cmp()
  s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
  s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
  s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
  s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
  s3:smbcacls: use NUMERIC_CMP in ace_compare
  s3:util:sharesec ace_compare() uses NUMERIC_CMP()
  s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
  ldb:mod:sort: rearrange NULL checks
  ldb:sort: check that elements have values
  ldb:sort: generalise both-NULL check to equality check
  ldb:dn: make ldb_dn_compare() self-consistent
  s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
  s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
  s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
  dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
  s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
  gensec: sort_gensec uses NUMERIC_CMP
  lib/socket: rearrange iface_comp() to use NUMERIC_CMP
  s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
  s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
  s4:rpcsrv:samr: improve a comment in compare_msgRid
  ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
  ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
  ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
  ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted 
objects
  ldb-samba:ldif_handlers: dn_link_comparison leaks less
  ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
  ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
  ldb: avoid NULL deref in ldb_db_compare
  s4:dsdb:mod: repl_md: make message_sort transitive
  s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
  ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
  ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
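
The intransitivity behind BUG 15569 and BUG 15625, as an added example that is not Samba's code: a constructed subtraction-style comparator on 32-bit unsigned values yields a cycle a < b < c < a, while a three-way compare in the spirit of the NUMERIC_CMP macro named in the commit list does not. The macro name THREE_WAY_CMP, its definition, the function names and the sample values are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical macro name (assumption): yields only -1, 0 or 1, so no
 * difference is ever truncated into the return value. */
#define THREE_WAY_CMP(a, b) (((a) > (b)) - ((a) < (b)))

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed "before" comparator: the unsigned 32-bit difference wraps and
 * is then reinterpreted as a signed int, so the sign can be wrong. */
static int cmp_by_subtraction(const void *pa, const void *pb)
{
	uint32_t a = *(const uint32_t *)pa;
	uint32_t b = *(const uint32_t *)pb;
	return (int)(a - b);
}

/* Constructed "after" comparator using the three-way compare. */
static int cmp_three_way(const void *pa, const void *pb)
{
	uint32_t a = *(const uint32_t *)pa;
	uint32_t b = *(const uint32_t *)pb;
	return THREE_WAY_CMP(a, b);
}

/* Constructed sample values, chosen so that the wrapped differences report
 * a < b, b < c and c < a for the subtraction comparator. */
static const uint32_t SAMPLE[] = { 0x00000000u, 0x60000000u, 0xC0000000u };
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Count ordered triples (x, y, z) where cmp says x < y and y < z but does
 * not say x < z. A consistent comparator gives 0. */
size_t count_intransitive_triples(cmp_fn cmp, const uint32_t *v, size_t n)
{
	size_t bad = 0;
	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			for (size_t k = 0; k < n; k++) {
				if (cmp(&v[i], &v[j]) < 0 &&
				    cmp(&v[j], &v[k]) < 0 &&
				    cmp(&v[i], &v[k]) >= 0) {
					bad++;
				}
			}
		}
	}
	return bad;
}

/* Sort a shuffled copy of the samples and report whether it is ascending.
 * Only meant for a consistent comparator: handing qsort() an inconsistent
 * one is undefined behaviour, which is the root of the bugs above. */
int sorts_ascending(cmp_fn cmp)
{
	uint32_t v[SAMPLE_LEN] = { SAMPLE[2], SAMPLE[0], SAMPLE[1] };

	qsort(v, SAMPLE_LEN, sizeof(v[0]), cmp);
	for (size_t i = 1; i < SAMPLE_LEN; i++) {
		if (v[i - 1] > v[i]) {
			return 0;
		}
	}
	return 1;
}

int main(void)
{
	printf("subtraction comparator: %zu intransitive triples\n",
	       count_intransitive_triples(cmp_by_subtraction, SAMPLE, SAMPLE_LEN));
	printf("three-way comparator:   %zu intransitive triples\n",
	       count_intransitive_triples(cmp_three_way, SAMPLE, SAMPLE_LEN));
	printf("three-way qsort result ascending: %d\n",
	       sorts_ascending(cmp_three_way));
	return 0;
}
```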
  

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-10 Thread Jule Anger
The branch, v4-20-test has been updated
   via  50d4451bd4b s3:smbcacls: fix ace_compare
   via  e21251926ba ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  3f9d9f83448 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  d12f3cced61 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  7ae866c6ffa s4:dsdb:mod: repl_md: make message_sort transitive
   via  21a01b3bad4 ldb: avoid NULL deref in ldb_db_compare
   via  7d295cb6fe5 ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  3d62269dfbf ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  586c0f3dd00 ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  d819b21464c ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  ae770139f25 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  956bff1dc63 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  da5c625e641 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  dcf393af595 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  8f0490150b4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  d2aaed5d969 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  de865f6c8b7 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  1d527c49df5 gensec: sort_gensec uses NUMERIC_CMP
   via  2f6c5b6603f s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  835594dea0e dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  29b17d296c0 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  6893310bd79 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  94f38553adf s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  f61aabdb1a3 ldb:dn: make ldb_dn_compare() self-consistent
   via  f3b6ec046a0 ldb:sort: generalise both-NULL check to equality check
   via  a0a83539c30 ldb:sort: check that elements have values
   via  5f52991b931 ldb:mod:sort: rearrange NULL checks
   via  faed55f4f88 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  4d6f0ad643c s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  e3f491e3193 s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  48494283a66 s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  27becb5a7fc s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  20648aaf7fe s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  7acee3ae13a s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  a326992c07d s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  c6ed9351f81 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  39505028672 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  886818f5abb libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  bd548a92d42 libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  c95b73014d3 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  e0468b5a9ed ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  7990f5a2841 util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  f7e192e82f7 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  4fa00be3083 ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  1c6f16cdca9 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  6a0daf6818b lib/torture: add assert_int_{less,greater} macros
   via  ccd94628b58 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  f9a7ded26d1 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  77b78b45330 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  64d55301410 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  10c0087dac8 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  eb8fd60e10c util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  d18a62836c0 torture:charset: test more of strcasecmp_m
   via  94b574cde12 torture:charset: use < and > assertions for 
strncasecmp_m
   via  767344ee512 torture:charset: use < and > assertions for strcasecmp_m
   via  be4965c69c8 util:binsearch: user NUMERIC_CMP()
   via  51fa8c0168e s4: use numeric_cmp in dns_common_sort_zones()
   via  f94b87da1be s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  3071a4af9a5 s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  696cca23e3e ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  1b8ccbf031b ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  9e19cc17117 ldb: add NUMERIC_CMP macro to ldb.h
   via  b46af17050b util:tsort.h: add 

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-06-10 Thread Jule Anger
The branch, v4-19-test has been updated
   via  d4f9272b7e9 s3:smbcacls: fix ace_compare
   via  123f458dda6 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  0382d17 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  ae8eb3d2b09 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  2a53574e07e s4:dsdb:mod: repl_md: make message_sort transitive
   via  92daa0a7801 ldb: avoid NULL deref in ldb_db_compare
   via  ca905ccbf1e ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  50bfb065e01 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  5c5c652db7c ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  96f3db39522 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  2b3416384ae ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  fae4e0b16aa ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  108f687cf22 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  5bf176b5692 s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  24d362e62d4 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  9314eaaba91 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  f0f9598d5d1 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  c1819217c0a gensec: sort_gensec uses NUMERIC_CMP
   via  4066451f6e8 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  16288b40eb9 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  069e651d4b8 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  f58d857d722 s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  13645e1131b s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  aa255148bbb ldb:dn: make ldb_dn_compare() self-consistent
   via  867dce05d21 ldb:sort: generalise both-NULL check to equality check
   via  87a6fe0058a ldb:sort: check that elements have values
   via  71d2c9093cf ldb:mod:sort: rearrange NULL checks
   via  d4477eab44a s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  075aae1d1a0 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  32f4e0c7f5a s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  26e08f8fc7d s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  30f0a2fb131 s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  91dd5024010 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  0f8e25b897f s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  f14a1370f48 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  622bf82fb32 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  6b07ce82a58 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  b7f581fb61f libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  60c318fc66b libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  23d792875f9 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  b2dbe57c977 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  fe804401b9b util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  ad50158af05 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  9de4a5d3bbc ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  c85cb252af0 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  5847e53de2f lib/torture: add assert_int_{less,greater} macros
   via  12c6c305fb1 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  74befdb1387 s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  2557ab23014 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  120479e4e02 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  388b11b6dc1 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  59f6652aeee util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  3f8063530d2 torture:charset: test more of strcasecmp_m
   via  6b08f2ed860 torture:charset: use < and > assertions for 
strncasecmp_m
   via  5082378df18 torture:charset: use < and > assertions for strcasecmp_m
   via  1a45f172070 util:binsearch: user NUMERIC_CMP()
   via  ea27699bcd2 s4: use numeric_cmp in dns_common_sort_zones()
   via  792f8d40e1c s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  25e97cd7dba s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  6c9119371cd ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  8a706fa32be ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  20a8eaa8b86 ldb: add NUMERIC_CMP macro to ldb.h
   via  d386c57d68b util:tsort.h: add 

[SCM] Samba Shared Repository - branch master updated

2024-06-10 Thread Ralph Böhme
The branch, master has been updated
   via  225e6aeafc7 s4/torture: Remove already existing test_dir
   via  3b230769b02 s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
  from  469b22b849a python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 225e6aeafc78d0508881915b8406273c15966e63
Author: Anoop C S 
Date:   Wed May 29 18:52:10 2024 +0530

s4/torture: Remove already existing test_dir

In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224

commit 3b230769b02e7c9ecbe7eac05e0344b233b3ae39
Author: Anoop C S 
Date:   Wed May 29 18:41:32 2024 +0530

s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL

In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 source4/torture/smb2/delete-on-close.c | 32 +---
 1 file changed, 9 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/torture/smb2/delete-on-close.c 
b/source4/torture/smb2/delete-on-close.c
index 05242876dcb..33561516fa0 100644
--- a/source4/torture/smb2/delete-on-close.c
+++ b/source4/torture/smb2/delete-on-close.c
@@ -518,45 +518,28 @@ static bool test_doc_create_if_exist(struct 
torture_context *tctx, struct smb2_t
 
 static bool test_doc_find_and_set_doc(struct torture_context *tctx, struct 
smb2_tree *tree)
 {
-   struct smb2_create io;
+   struct smb2_handle dir_handle;
struct smb2_find find;
NTSTATUS status;
union smb_search_data *d;
union smb_setfileinfo sfinfo;
unsigned int count;
-   uint32_t perms = 0;
-
-   perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE |
-   SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE |
-   SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA |
-   SEC_FILE_WRITE_DATA | SEC_DIR_LIST;
 
/* File should not exist for this first test, so make sure */
set_dir_delete_perms(tctx, tree);
 
smb2_deltree(tree, DNAME);
 
-   create_dir(tctx, tree);
-
torture_comment(tctx, "FIND and delete directory\n");
torture_comment(tctx, "We expect NT_STATUS_OK\n");
 
-   /* open the directory first */
-   ZERO_STRUCT(io);
-   io.in.desired_access = perms;
-   io.in.file_attributes= FILE_ATTRIBUTE_DIRECTORY;
-   io.in.create_disposition = NTCREATEX_DISP_OPEN_IF;
-   io.in.share_access   = NTCREATEX_SHARE_ACCESS_READ |
-  NTCREATEX_SHARE_ACCESS_DELETE;
-   io.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
-   io.in.fname  = DNAME;
-
-   status = smb2_create(tree, tctx, );
+   /* create and open the directory first*/
+   status = torture_smb2_testdir(tree, DNAME, _handle);
CHECK_STATUS(status, NT_STATUS_OK);
 
/* list directory */
ZERO_STRUCT(find);
-   find.in.file.handle= io.out.file.handle;
+   find.in.file.handle= dir_handle;
find.in.pattern= "*";
find.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE;
find.in.max_response_size  = 0x100;
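Review bot: The replacement open at `status = torture_smb2_testdir(...)` no longer states which access rights the test needs. The removed `perms` mask and `io.in.share_access` made SEC_STD_DELETE and the share mode explicit; the test now depends on whatever the helper requests. A one-line comment saying the handle must carry SEC_STD_DELETE for the later delete-on-close would keep that requirement visible at the call site. Minor style: the new comment `/* create and open the directory first*/` is missing the space before `*/`.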
@@ -570,12 +553,12 @@ static bool test_doc_find_and_set_doc(struct 
torture_context *tctx, struct smb2_
ZERO_STRUCT(sfinfo);
sfinfo.generic.level = RAW_SFILEINFO_DISPOSITION_INFORMATION;
sfinfo.disposition_info.in.delete_on_close = 1;
-   sfinfo.generic.in.file.handle = io.out.file.handle;
+   sfinfo.generic.in.file.handle = dir_handle;
status = smb2_setinfo_file(tree, );
CHECK_STATUS(status, NT_STATUS_OK);
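Review bot: With `struct smb2_create io` removed in the first hunk, any use of `io.out.file.handle` later in test_doc_find_and_set_doc() has to switch to `dir_handle` as well. The changeset is truncated after this hunk, so the rest of the function should be checked for leftover references beyond the two converted here.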
 
  

[SCM] Socket Wrapper Repository - branch master updated

2024-06-10 Thread Andreas Schneider
The branch, master has been updated
   via  7af4f26 tests: Fix fake uid_wrapper_syscall_valid().
  from  c666ba4 tests: Define PATH_MAX for Hurd.

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit 7af4f26d9d6ec1d6c4c2ec08d0c52d42d47de881
Author: Simon Josefsson 
Date:   Sat Aug 19 09:34:14 2023 +0200

tests: Fix fake uid_wrapper_syscall_valid().

We want to return errno = ENOSYS in uid_wrapper_syscall_va(). However if we
do not handle __FAKE_SOCKET_WRAPPER_SYSCALL_NO+1 then we will call
libc_syscall() for __FAKE_SOCKET_WRAPPER_SYSCALL_NO+1.

Same problem as resolved for uid_wrapper, see:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15445
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15448

Signed-off-by: Simon Josefsson 
Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 tests/swrap_fake_uid_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/tests/swrap_fake_uid_wrapper.c b/tests/swrap_fake_uid_wrapper.c
index 286d7ad..fc9cf46 100644
--- a/tests/swrap_fake_uid_wrapper.c
+++ b/tests/swrap_fake_uid_wrapper.c
@@ -23,7 +23,7 @@
 /* simulate uid_wrapper hooks */
 bool uid_wrapper_syscall_valid(long int sysno)
 {
-   if (sysno == __FAKE_UID_WRAPPER_SYSCALL_NO) {
+   if (sysno >= __FAKE_UID_WRAPPER_SYSCALL_NO) {
return true;
}
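Review bot: The `>=` in `if (sysno >= __FAKE_UID_WRAPPER_SYSCALL_NO)` makes the fake hook claim every syscall number from the fake base upwards, while the commit message only asks for the base and base+1 to be handled. An explicit two-value check, or a comment stating that the whole range above the fake number is reserved for the test, would document the intent and avoid claiming an unrelated number that happens to be larger. The commit message also names __FAKE_SOCKET_WRAPPER_SYSCALL_NO while this file tests __FAKE_UID_WRAPPER_SYSCALL_NO; the wording should match the code.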
 


-- 
Socket Wrapper Repository



[SCM] Socket Wrapper Repository - branch master updated

2024-06-10 Thread Andreas Schneider
The branch, master has been updated
   via  c666ba4 tests: Define PATH_MAX for Hurd.
  from  d07136e Bump version to 1.4.2

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit c666ba444b46d84c0c49f2c70c9b2c3cb1f6f974
Author: Simon Josefsson 
Date:   Sat Aug 19 11:25:56 2023 +0200

tests: Define PATH_MAX for Hurd.

Signed-off-by: Simon Josefsson 
Reviewed-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 tests/test_fcntl_lock.c | 4 
 tests/test_ioctl.c  | 4 
 2 files changed, 8 insertions(+)


Changeset truncated at 500 lines:

diff --git a/tests/test_fcntl_lock.c b/tests/test_fcntl_lock.c
index 0c172d6..5646f43 100644
--- a/tests/test_fcntl_lock.c
+++ b/tests/test_fcntl_lock.c
@@ -9,6 +9,10 @@
 #include 
 #include 
 
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
 static int setup(void **state)
 {
char test_tmpdir[256];
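Review bot: The `#define PATH_MAX 4096` fallback is added without a comment and is repeated verbatim in tests/test_ioctl.c in the next hunk. A shared test header would keep the value in one place, and a short comment naming the platform that lacks PATH_MAX (Hurd, per the commit subject) would explain why the guard exists.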
diff --git a/tests/test_ioctl.c b/tests/test_ioctl.c
index aebff91..25bec38 100644
--- a/tests/test_ioctl.c
+++ b/tests/test_ioctl.c
@@ -14,6 +14,10 @@
 #include 
 #include 
 
+#ifndef PATH_MAX
+#define PATH_MAX 4096
+#endif
+
 static int setup(void **state)
 {
char test_tmpdir[256];


-- 
Socket Wrapper Repository



[SCM] Samba Shared Repository - branch master updated

2024-06-09 Thread Andrew Bartlett
The branch, master has been updated
   via  469b22b849a python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
   via  15686fec981 python/samba/tests/krb5: Expand test without 
UF_SMARTCARD_REQUIRED to show rotation is not done
   via  f3528808aba WHATSNEW: Mention 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
   via  2854ef29b82 provision: Match Windows 2022 and set 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default
   via  dee3c7be584 selftest: Add test that 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
   via  491b79d445d kdc: Rotate smart-card only underlying password in 2nd 
half of lifetime
   via  8afe27058b0 kdc: Track the pwdLastSet of expired 
UF_SMARTCARD_REQUIRED accounts
   via  1e1c80656f7 kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED 
accounts and rotate passwords
   via  d03b3faeb8e s4-auth: Use consistant externally-supplied time in 
auth stack
   via  1dcd8be8f06 kdc: Use a consistent, stable time throughout the 
Heimdal KDC
   via  fe61009002d kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
   via  e178f6b0e96 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
   via  9ba5ebf4af7 kdc: Remove confusing duplicate open of sam.ldb to find 
RODC status
   via  09ae48b415b dsdb: Prepare to handle smartcard password rollover
   via  1bcc9f00157 dsdb: Use dsdb_gmsa_current_time() in 
construct_msds_user_account_control_computed
   via  cc3ea4ed571 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, 
if configured!
   via  3669479f22f dsdb: Reduce minimum maxPwdAge from 1 day to nil
   via  302619f66f9 dsdb: Change the magic smartcard_reset to set AES keys 
like the krbtgt mode
   via  7c79abbab46 python/samba/tests/krb5: PKINIT tests of passwords that 
are naturally expired
   via  044cc538605 python/test/krb5: Use assertAlmostEqual in 
check_ticket_times()
   via  68fa90754fd python/tests/krb5: Move check_ticket_times() to 
kdc_base_test.py
   via  48bff4b95f8 python/samba/krb5: Add test for password rotation on 
UF_SMARCARD_REQUIRED accounts
   via  a85f4c661b1 python/tests/krb5: Remove unused utf16pw variable
   via  504a47ecfd6 python/tests/krb5: Expect AES keys for 
UF_SMARTCARD_REQUIRED
   via  dc6c4b215e2 python/samba/tests/krb5: Extend PKINIT tests to show 
kpasswd still works
   via  4ec24a20764 python/samba/tests/krb5: Move get_kpasswd_sname() into 
raw_testcase() to allow broader use
   via  b664392208c s4-auth: Use msDS-User-Account-Control-Computed for PW 
expiry check
   via  737f2414062 s4-auth: Update comment to mention 60mins in the NTLM 
grace period
   via  e04eb9bb170 dsdb: Make argument order of 
dsdb_update_gmsa_{entry_,}keys() consistant with other uses
  from  a9b3522f53a smbd: Ensure we grant owner sid in 
check_parent_access_fsp()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 469b22b849aa6a76739dc21d8a2d80907cdf8d73
Author: Andrew Bartlett 
Date:   Tue Jun 4 13:26:18 2024 +1200

python/samba/tests/krb5: Allow 
PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

This flexibility in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error
return and just be consistent between the different authentication paths.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224

commit 15686fec9819267f69a600cff859e52f77a64cef
Author: Andrew Bartlett 
Date:   Tue Jun 4 11:36:53 2024 +1200

python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show 
rotation is not done

This makes sense as otherwise the user would suddenly not know their 
password
for use when they do not use their smartcard.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit f3528808aba9419c0895bdb709e1b0dc0bdced1e
Author: Andrew Bartlett 
Date:   Mon May 27 11:51:59 2024 +1200

WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit 2854ef29b82d89fb5b5c9d8414227988783120b9
Author: Andrew Bartlett 
Date:   Mon May 27 11:30:29 2024 +1200

provision: Match Windows 2022 and set 
msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default

We do this by telling the Domain Functional Level upgrade code that
this is a new install.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

commit dee3c7be5846ae7c0952b1ace94dee23241dc794
Author: Andrew Bartlett 
Date:   Mon May 27 11:53:15 2024 +1200

selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is 
set

This assures us that the new provision sets the value by default.
 

[SCM] Samba Shared Repository - branch master updated

2024-06-07 Thread Jeremy Allison
The branch, master has been updated
   via  a9b3522f53a smbd: Ensure we grant owner sid in 
check_parent_access_fsp()
  from  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a9b3522f53aa2e6151cf83f1eeb65e3adea2b1d0
Author: MikeLiu 
Date:   Fri May 31 15:31:46 2024 +0800

smbd: Ensure we grant owner sid in check_parent_access_fsp()

Grant owner sid to check for owner rights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15648

Signed-off-by: MikeLiu 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Fri Jun  7 18:30:34 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/smbd/open.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index f714b75d472..7d2227f9d9f 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -355,7 +355,7 @@ NTSTATUS check_parent_access_fsp(struct files_struct *fsp,
}
 
status = SMB_VFS_FGET_NT_ACL(fsp,
-   SECINFO_DACL,
+   (SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL),
frame,
_sd);
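Review bot: The widened mask `(SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL)` also requests the group, but the commit message only explains the owner SID ("Grant owner sid to check for owner rights"). Either drop SECINFO_GROUP if the access check does not need it, or add a comment above the SMB_VFS_FGET_NT_ACL() call saying why both are fetched. The diffstat lists only source3/smbd/open.c, so no regression test for bug 15648 accompanies the change; one would be worth adding.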
 


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-06-06 Thread Andrew Bartlett
The branch, master has been updated
   via  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions
   via  b9d93eccbc0 s3:util: Use a talloc stackframe in 
rpc_trustdom_establish()
   via  e844f483bd8 s3:utils: Use a destructor in rpc_trustdom_establish()
   via  77a4ff5435b s3:utils: Remove overwrite of opt_workgroup in  
rpc_trustdom_establish()
   via  78f03c386c1 python: Add test for checking the SHA256SUM
   via  f5de1f8585e python:netcmd: Create a SHA256SUM file with checksums
   via  e584350a550 python:netcmd: Only put regular files into the tarball
   via  9fb57dab377 s3:utils: DNS_UTIL depends on libads headers so we need 
to depend on 'ads'
   via  1185410a0d7 s3:libsmb: we no longer need libads/kerberos_proto.h in 
namequery.c
  from  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5d73bb4acd7cf062b9fd1a9ea6721e41a5e721fb
Author: Andreas Schneider 
Date:   Thu Jun 6 17:37:32 2024 +0200

s3:utils: Use talloc instead of malloc functions

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun  6 21:32:53 UTC 2024 on atb-devel-224

commit b9d93eccbc03f135ea14a8bd3a4f5b16ed0bbdc6
Author: Andreas Schneider 
Date:   Tue Apr 30 09:55:15 2024 +0200

s3:util: Use a talloc stackframe in rpc_trustdom_establish()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit e844f483bd825741d3532d3304c822ab02cf96b5
Author: Andreas Schneider 
Date:   Thu Jun 6 17:31:10 2024 +0200

s3:utils: Use a destructor in rpc_trustdom_establish()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 77a4ff5435be5b80e96d7f85e71aac1949c5cff9
Author: Andreas Schneider 
Date:   Tue Apr 30 09:46:33 2024 +0200

s3:utils: Remove overwrite of opt_workgroup in  rpc_trustdom_establish()

This is not used anywhere in that function or the functions we are
calling. It was replaced by command line cli credentials stored in
c->creds. This fixes a memory leak.

Direct leak of 12 byte(s) in 1 object(s) allocated from:
#0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578
#1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
#2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591
#3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
#5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
#7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
#8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
#9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 78f03c386c14b9e773763a8c41fdc1689a4f284d
Author: Andreas Schneider 
Date:   Thu Jun 6 10:12:08 2024 +0200

python: Add test for checking the SHA256SUM

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit f5de1f8585e1d4eda9530eee87046277a2c793e7
Author: Andreas Schneider 
Date:   Wed Feb 15 08:10:03 2023 +0100

python:netcmd: Create a SHA256SUM file with checksums

This allows to verify the backup tarball contents with:

  sha256sum -c SHA256SUM

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit e584350a550f7ec2008721ecafb254af92ed7525
Author: Andreas Schneider 
Date:   Wed Feb 15 08:05:42 2023 +0100

python:netcmd: Only put regular files into the tarball

We also have ldapi, other sockets or pipes around, we don't want to
add. This will be relevant for adding checksums later.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9fb57dab377e53c9bd8450dda51a164bc712dca3
Author: Stefan Metzmacher 
Date:   Thu Jun 6 10:39:33 2024 +0200

s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'

Otherwise we don't get the correct header include paths and krb5.h in
a non default location won't be found.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 1185410a0d717e22b359e11a538a08c0352e8703
Author: Stefan Metzmacher 
Date:   Thu Jun 6 10:38:48 2024 +0200

s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/domain/backup.py | 27 

[SCM] Samba Shared Repository - branch master updated

2024-06-05 Thread Andrew Bartlett
The branch, master has been updated
   via  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED 
should be ignored
   via  76fec2668e7 s4:dns_server: correctly sign dns update responses with 
gss-tsig like Windows
   via  db350bc573b s4:dns_server: dns_verify_tsig should return REFUSED on 
error
   via  5906ed94f2c s4:dns_server: also search DNS_QTYPE_TKEY in the 
answers section if it's the last section
   via  ae7538af044 s4:dns_server: use tkey->algorithm if available in 
dns_sign_tsig()
   via  bd0235cd515 s4:dns_server: use the client provided algorithm for 
the fake TSIG structure
   via  3467d149149 s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TSIG
   via  fa0f23e69ea s4:dns_server: only allow gss-tsig and 
gss.microsoft.com for TKEY
   via  a56627b0d12 s4:dns_server: failed dns updates should result in 
REFUSED for ACCESS_DENIED
   via  708a6fae697 python:tests/dns_tkey: add 
test_update_tsig_record_access_denied()
   via  753428a3b6c s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to 
samba.tests.dns_tkey
   via  88457da00d4 python:tests/dns_base: add get_unpriv_creds() helper
   via  848318338b2 python:tests/dns_tkey: let test_update_tsig_windows() 
actually pass against windows 2022
   via  8324d0739df python:tests/dns_base: let verify_packet() work against 
Windows
   via  de4ed363d37 python:tests/dns_tkey: test bad and changing tsig 
algorithms
   via  b9b03ca503c python:tests/dns_tkey: add gss.microsoft.com tsig 
updates
   via  3c7cb85eaf8 python:tests/dns_tkey: let us have 
test_update_gss_tsig_tkey_req_{additional,answers}()
   via  740bda87a80 python:tests/dns_tkey: test TKEY with gss-tsig, 
gss.microsoft.com and invalid algorithms
   via  b0af60e7850 python:tests/dns_base: maintain a dict with tkey 
related state
   via  1b1e7e06cf6 python:tests/dns_base: let dns_transaction_udp() take 
allow_{remaining,truncated}=True
   via  27d92fa808c python:tests/dns_base: pass tkey_trans(expected_rcode)
   via  cd747307d84 python:tests/dns_base: let tkey_trans() take 
tkey_req_in_answers
   via  f8dfa9b33bd python:tests/dns_base: let tkey_trans() and 
sign_packet() take algorithm_name as argument
   via  6e997f93d53 python:tests/dns_tkey: make use of 
self.assert_echoed_dns_error()
   via  ce591464cb1 python:tests/dns_base: add 
self.assert_echoed_dns_error()
   via  c741d0f3969 python:tests/dns_base: let dns_transaction_tcp() handle 
short receives
   via  c594cbad4af python:tests/dns_base: use ndr_deepcopy() and 
ndr_pack() in verify_packet()
   via  ae23d512a72 python:tests/dns_base: generate a real signature in 
bad_sign_packet()
   via  319836ce9e6 lib/addns: remove unused kerberos/gssapi includes in 
dns.h
  from  096d3807b05 build: Make "samba4" public libraries provided (mostly) 
for OpenChange private

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ed61c57e02309b738e73fb12877a0a565b627724
Author: Stefan Metzmacher 
Date:   Thu May 30 14:52:22 2024 +0200

s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

commit 76fec2668e73b9d15447abee551d5c04148aaf27
Author: Stefan Metzmacher 
Date:   Thu May 30 14:39:28 2024 +0200

s4:dns_server: correctly sign dns update responses with gss-tsig like 
Windows

This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit db350bc573b378fb0615bdd8592cc9c62f6db146
Author: Stefan Metzmacher 
Date:   Thu May 30 14:42:53 2024 +0200

s4:dns_server: dns_verify_tsig should return REFUSED on error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7
Author: Stefan Metzmacher 
Date:   Thu May 30 14:41:21 2024 +0200

s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's 
the last section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 

[SCM] Samba Shared Repository - branch master updated

2024-06-05 Thread Andrew Bartlett
The branch, master has been updated
   via  096d3807b05 build: Make "samba4" public libraries provided (mostly) 
for OpenChange private
   via  d11b281aefa build: Remove incorrect pyembed=True from samba-policy
   via  829b52f99d5 s4-libnet: Split up samba-net into samba-net and 
samba-net-join
  from  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix 
flapping test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 096d3807b0588ed4d03bd99bc96163a4821ec010
Author: Andrew Bartlett 
Date:   Mon May 27 09:24:13 2024 +1200

build: Make "samba4" public libraries provided (mostly) for OpenChange 
private

These libraries, mostly with ABI versions of 0.0.1 were made public in
the early development of Samba4 and have not been seriously considered
since.  Most are to allow OpenChange to build.

While the OpenChange server is no longer actively used, the MAPI
client is used and we need to allow packages to be built that will
allow the Evolution MAPI client to still work.

Some appear to be mistakes (dcerpc-samr), historical aberrations
(tevent-util) or ideas that did not go very far (the samba-policy
library for example).

To allow any remaining users to access them, they are not made private
in the build system but are instead listed so that they can be made
public again via ./configure with the same --private-libraries='!LIB'
syntax introduced to make ldb private by default.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun  5 21:47:24 UTC 2024 on atb-devel-224

commit d11b281aefa98e6850053ccd6142253c6cf0d04f
Author: Andrew Bartlett 
Date:   Mon May 27 07:28:33 2024 +1200

build: Remove incorrect pyembed=True from samba-policy

This is a normal C library, used by python but does not use
any python itself (nor by dependencies any longer).

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

commit 829b52f99d5a9c9df19c9eb67611618095967edd
Author: Andrew Bartlett 
Date:   Mon May 27 19:44:38 2024 +1200

s4-libnet: Split up samba-net into samba-net and samba-net-join

samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

---

Summary of changes:
 WHATSNEW.txt | 21 +
 source4/lib/policy/wscript_build | 13 -
 source4/libnet/libnet_join.c |  1 +
 source4/libnet/libnet_vampire.c  |  1 +
 source4/libnet/py_net.c  |  1 +
 source4/libnet/wscript_build | 23 +++
 source4/torture/libnet/libnet_BecomeDC.c |  1 +
 source4/torture/rpc/testjoin.c   |  1 +
 source4/torture/wscript_build|  6 +++---
 wscript  | 20 +++-
 10 files changed, 67 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 67bdb963cca..6d1368c42b1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -69,6 +69,27 @@ never took into account later changes, and so has not worked 
for a
 number of years.  Samba 4.21 and LDB 2.10 removes this unused and
 broken feature.
 
+Some Samba public libraries made private by default
+---
+
+The following Samba C libraries are currently made public due to their
+use by OpenChange or for historical reasons that are no longer clear.
+
+ dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
+ samba-credentials, dcerpc_server, samdb
+
+The libraries used by the OpenChange client now private, but can be
+made public (like ldb above) with:
+
+ ./configure 
--private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
+
+The C libraries without any known user or used only for the OpenChange
+server (a dead project) may be made private entirely in a future Samba
+version.
+
+If you use a Samba library in this list, please be in touch with the
+samba-technical mailing list.
+
 Using ldaps from 'winbindd' and 'net ads'
 -
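Review bot: The added WHATSNEW section reads at odds with its own heading: it is titled "Some Samba public libraries made private by default", but the first paragraph says the listed libraries "are currently made public". Stating plainly which libraries become private by default in this release would remove the ambiguity. The sentence "The libraries used by the OpenChange client now private" is missing "are", and the ./configure example re-enables only dcerpc, samba-hostconfig and samba-credentials (plus ldb) without saying how the other five listed libraries are handled.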
 
diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build
index 027d4bef0b6..f7d9b555f6a 100644
--- a/source4/lib/policy/wscript_build
+++ b/source4/lib/policy/wscript_build
@@ -3,20 +3,15 @@
 
 
 pytalloc_util = bld.pyembed_libname('pytalloc-util')
-samba_policy = bld.pyembed_libname('samba-policy')
-samba_net = bld.pyembed_libname('samba-net')
-bld.SAMBA_LIBRARY(samba_policy,
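Review bot: With the `samba_policy = bld.pyembed_libname('samba-policy')` and `samba_net = bld.pyembed_libname('samba-net')` assignments removed, every later reference to those variables in this wscript_build has to use a plain library name instead. The hunk is cut off after `-bld.SAMBA_LIBRARY(samba_policy,`, so the replacement call is not visible here; it should be checked for a deps entry that still uses either variable.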

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-06-05 Thread Jule Anger
The branch, v4-20-test has been updated
   via  65e781a30b2 s3:winbind: Fix idmap_ad creating an invalid local 
krb5.conf
   via  fb4c338f030 s3:libads: Do not fail if we don't get an IP passed down
   via  069729202c3 s3:libads: Allow get_kdc_ip_string() to lookup the KDCs 
IP
   via  1917b7f052d python: Fix NtVer check for site_dn_for_machine()
  from  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected 
handling

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 65e781a30b247ab1056405322a8c9cbfb4bae03a
Author: Andreas Schneider 
Date:   Tue May 28 13:54:24 2024 +0200

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Jun  5 15:01:54 UTC 2024 on atb-devel-224

commit fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f
Author: Andreas Schneider 
Date:   Tue May 28 13:53:51 2024 +0200

s3:libads: Do not fail if we don't get an IP passed down

The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2)

commit 069729202c3b287642e36c777e2b0863f593bca4
Author: Andreas Schneider 
Date:   Tue May 28 13:51:53 2024 +0200

s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb)

commit 1917b7f052dc7cb69f544e1f1ef94b48dd4212fb
Author: Andreas Schneider 
Date:   Mon Apr 15 07:32:02 2024 +0200

python: Fix NtVer check for site_dn_for_machine()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

Signed-off-by: Andreas Schneider 
Reviewed-by: David Mulder 
(cherry picked from commit 7a5e7b821259890dd2978e6f113f4a3dad110ea4)

---

Summary of changes:
 python/samba/gp/gpclass.py  |  4 +---
 source3/libads/kerberos.c   | 32 
 source3/winbindd/idmap_ad.c | 11 +--
 3 files changed, 26 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 08be472e707..d86aacec138 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -805,9 +805,7 @@ def site_dn_for_machine(samdb, dc_hostname, lp, creds, 
hostname):
 
 samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response,
bytes(res.msgs[0]['Netlogon'][0]))
-if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX,
-   (nbt.NETLOGON_NT_VERSION_1
-| nbt.NETLOGON_NT_VERSION_5EX)]:
+if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX):
 raise RuntimeError('site_dn_for_machine: Invalid NtVer in '
+ 'netlogon_samlogon_response')
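Review bot: The new test `if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX):` accepts any NtVer with the 5EX bit set, but the RuntimeError raised below it still reports only "Invalid NtVer" without the value received. Including the actual `samlogon_response.ntver` (in hex) in the message would make a failure diagnosable from the log. A test feeding a response with extra flag bits set alongside 5EX would pin the new behaviour.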
 
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index f76c5665205..6c6d23c29da 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
char *kdc_str = NULL;
char *canon_sockaddr = NULL;
 
-   SMB_ASSERT(pss != NULL);
-
-   canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
-   if (canon_sockaddr == NULL) {
-   goto out;
-   }
+   if (pss != NULL) {
+   canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+   if (canon_sockaddr == NULL) {
+   goto out;
+   }
 
-   kdc_str = talloc_asprintf(frame,
- "\t\tkdc = %s\n",
- canon_sockaddr);
-   if (kdc_str == NULL) {
-   goto out;
-   }
+   kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+   
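Review bot: Dropping `SMB_ASSERT(pss != NULL)` makes `pss` optional, so when it is NULL both `canon_sockaddr` and `kdc_str` keep their initial NULL value past the new `if (pss != NULL)` block, and the code that follows must not use either of them unguarded. The hunk is truncated here, so that path cannot be confirmed from what is shown. The comment above get_kdc_ip_string() should also say that `pss` may be NULL and that the KDC address is then looked up.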

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Andrew Bartlett
The branch, master has been updated
   via  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix 
flapping test
   via  9c700f790ba tests/krb5: Reset local database time in a cleaner (and 
nearly equivalent) fashion
   via  5eac95652a8 s4:dsdb: Use talloc_get_type_abort()
   via  3256c6bfd6b tests/krb5: Make use of update_password() method
   via  38cfdb66231 ldb: Fix typo
   via  8989aa47b74 s3:winbind: Fix idmap_ad creating an invalid local 
krb5.conf
   via  9dcc52d2a57 s3:libads: Do not fail if we don't get an IP passed down
   via  28aa0b815ba s3:libads: Allow get_kdc_ip_string() to lookup the KDCs 
IP
  from  c005de07aee smbd: list reparse tag in QUERY_DIRECTORY

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a54dca4ea546c596740d1afab70b1cdd25e1721b
Author: Jo Sutton 
Date:   Tue May 28 16:59:30 2024 +1200

tests/krb5: Calculate correct gMSA password to fix flapping test

If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.

Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().

[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): 
samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File 
"/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py",
 line 1091, in test_retrieving_managed_password_triggers_keys_update
self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != 
b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun  4 20:52:09 UTC 2024 on atb-devel-224

commit 9c700f790baa5155465cb8e1bcdb4dcbbd28bbfd
Author: Jo Sutton 
Date:   Tue May 28 16:53:22 2024 +1200

tests/krb5: Reset local database time in a cleaner (and nearly equivalent) 
fashion

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5eac95652a89b4edb1e82f00c93267172aaeda42
Author: Jo Sutton 
Date:   Tue May 28 14:24:51 2024 +1200

s4:dsdb: Use talloc_get_type_abort()

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 3256c6bfd6b48bf08a8724f5e5bd654b9c5379fb
Author: Jo Sutton 
Date:   Mon May 27 17:53:17 2024 +1200

tests/krb5: Make use of update_password() method

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 38cfdb662319085569cf4d96bcbceeb74ae1c5f9
Author: Jo Sutton 
Date:   Fri Apr 12 15:10:33 2024 +1200

ldb: Fix typo

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Author: Andreas Schneider 
Date:   Tue May 28 13:54:24 2024 +0200

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2
Author: Andreas Schneider 
Date:   Tue May 28 13:53:51 2024 +0200

s3:libads: Do not fail if we don't get an IP passed down

The IP should be optional and we should look it up if not provided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 28aa0b815baf4668e3df01d52597c40fd430e2fb
Author: Andreas Schneider 
Date:   Tue May 28 13:51:53 2024 +0200

s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/common/attrib_handlers.c |  2 +-
 python/samba/tests/krb5/gmsa_tests.py| 22 +--
 source3/libads/kerberos.c| 32 ++--
 source3/winbindd/idmap_ad.c   

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Jeremy Allison
The branch, master has been updated
   via  c005de07aee smbd: list reparse tag in QUERY_DIRECTORY
   via  1dba6d3cfc5 tests: Check that query_directory lists the reparse tag
  from  747a7fec01d s3:rpc_server: Check query level according to MS-NRPC

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c005de07aee30307c9d584130ec825bd7097961b
Author: Volker Lendecke 
Date:   Mon Jan 2 16:35:16 2023 +0100

smbd: list reparse tag in QUERY_DIRECTORY

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jun  4 17:39:21 UTC 2024 on atb-devel-224

commit 1dba6d3cfc53931d3c8968e12e0d9cde272824be
Author: Volker Lendecke 
Date:   Mon Jan 2 16:01:28 2023 +0100

tests: Check that query_directory lists the reparse tag

With the source3/ based clilist.c, we can't test all infolevels where
this matters (see callers of get_dirent_ea_size()). But porting the
source4 based all-infolevel search code into source3/libsmb or doing
this one the reparse point test in the source4 infrastructure to me
seems like a lot of effort for moderate gain.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 python/samba/tests/reparsepoints.py | 20 
 source3/smbd/smb2_trans2.c  | 12 
 2 files changed, 28 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/reparsepoints.py 
b/python/samba/tests/reparsepoints.py
index 1f74c61bc64..bf96def422d 100644
--- a/python/samba/tests/reparsepoints.py
+++ b/python/samba/tests/reparsepoints.py
@@ -170,6 +170,26 @@ class ReparsePoints(samba.tests.libsmb.LibsmbTests):
 conn.delete_on_close(fd, 1)
 conn.close(fd)
 
+def test_query_dir_reparse(self):
+conn = self.connection()
+filename = 'reparse'
+self.clean_file(conn, filename)
+
+fd = conn.create(
+filename,
+DesiredAccess=sec.SEC_FILE_WRITE_ATTRIBUTE,
+CreateDisposition=libsmb.FILE_CREATE)
+b = reparse_symlink.symlink_put("y", "y", 0, 0)
+conn.fsctl(fd, libsmb.FSCTL_SET_REPARSE_POINT, b, 0)
+conn.close(fd)
+
+dirents = conn.list("", filename)
+self.assertEqual(
+dirents[0]["reparse_tag"],
+libsmb.IO_REPARSE_TAG_SYMLINK)
+
+self.clean_file(conn, filename)
+
 # Show that directories can carry reparse points
 
 def test_create_reparse_directory(self):
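Review bot: in test_query_dir_reparse the closing self.clean_file(conn, filename) only runs when the assertion passes, so a failing run leaves the 'reparse' file on the share. Registering the cleanup with self.addCleanup() right after the first clean_file() call, or wrapping the body in try/finally, would avoid that. It is also worth asserting that dirents has exactly one entry before indexing dirents[0], so an empty listing fails with a clear message rather than an IndexError.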
diff --git a/source3/smbd/smb2_trans2.c b/source3/smbd/smb2_trans2.c
index 3c44a97d74c..65940295248 100644
--- a/source3/smbd/smb2_trans2.c
+++ b/source3/smbd/smb2_trans2.c
@@ -1064,11 +1064,15 @@ static bool smbd_dirptr_lanman2_match_fn(TALLOC_CTX 
*ctx,
 
 static uint32_t get_dirent_ea_size(uint32_t mode, files_struct *fsp)
 {
-   if (!(mode & FILE_ATTRIBUTE_REPARSE_POINT)) {
-   unsigned ea_size = estimate_ea_size(fsp);
-   return ea_size;
+   uint32_t ea_size = IO_REPARSE_TAG_DFS;
+
+   if (mode & FILE_ATTRIBUTE_REPARSE_POINT) {
+   (void)fsctl_get_reparse_tag(fsp, _size);
+   } else {
+   ea_size = estimate_ea_size(fsp);
}
-   return IO_REPARSE_TAG_DFS;
+
+   return ea_size;
 }
 
 static NTSTATUS smbd_marshall_dir_entry(TALLOC_CTX *ctx,
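Review bot: in get_dirent_ea_size() the result of fsctl_get_reparse_tag() is cast to (void), so when the lookup fails for an entry with FILE_ATTRIBUTE_REPARSE_POINT the function silently reports the IO_REPARSE_TAG_DFS default, which is only right if the callee leaves its output untouched on error. Please either check the status and set the fallback explicitly, or add a comment saying the DFS fallback is intended. The local is also still named ea_size although it carries a reparse tag in one branch; a comment on that dual use would help the next reader.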


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Noel Power
The branch, master has been updated
   via  747a7fec01d s3:rpc_server: Check query level according to MS-NRPC
   via  8adbdbe50f7 s3:rpc_server: Check function code according to MS-NRPC
   via  0418b9fa929 s3/rpc_server: Fix dereference of client pointer
   via  a27525e555c s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
   via  1297c7ca65b s4/torture: Prepare to handle Level 4 check with unknown func code
  from  6b3135078e0 lib: Align an integer type

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 747a7fec01d39453093ed48b167fa1d5d80aead4
Author: Jo Sutton 
Date:   Tue May 28 15:12:36 2024 +1200

s3:rpc_server: Check query level according to MS-NRPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton 
Reviewed-by: Noel Power 

Autobuild-User(master): Noel Power 
Autobuild-Date(master): Tue Jun  4 09:39:42 UTC 2024 on atb-devel-224

commit 8adbdbe50f7ac69cb815794d1c3d214bbac7c848
Author: Jo Sutton 
Date:   Tue May 28 15:10:51 2024 +1200

s3:rpc_server: Check function code according to MS-NRPC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Jo Sutton 
Reviewed-by: Noel Power 

commit 0418b9fa929736a404b9ff976ff034009b913089
Author: Noel Power 
Date:   Mon Sep 25 09:58:33 2023 +0100

s3/rpc_server: Fix dereference of client pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Jo Sutton 

commit a27525e555c2c88f3b3bbef17d6e803a3a231d2b
Author: Noel Power 
Date:   Sun Sep 24 01:03:37 2023 +0100

s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function

Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG

This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Douglas Bagnall 

commit 1297c7ca65ba485febee4eabe32a8e1c793b187c
Author: Noel Power 
Date:   Mon Sep 25 10:30:30 2023 +0100

s4/torture: Prepare to handle Level 4 check with unknown func code

A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side effect of
this test is that the following test will now test passing an unknown
function code against Level 4 (previously level 3).

Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
  s3 server returns WERR_NOT_SUPPORTED and
  s4 server returns WERR_INVALID_PARAMETER.

For level 3 both return WERR_NOT_SUPPORTED.

MS-NRPC doesn't seem to specifically indicate the required response in
this case.

This commit modifies the test to cater for either response (for either
level). A future commit could explore the test response combinations more
thoroughly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 source3/rpc_server/netlogon/srv_netlog_nt.c | 30 +++--
 source4/torture/rpc/netlogon.c  |  8 ++--
 2 files changed, 26 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c 
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index fa3e597fa8e..ccae62083cc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -197,7 +197,6 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
struct netr_NETLOGON_INFO_1 *info1;
struct netr_NETLOGON_INFO_2 *info2;
struct netr_NETLOGON_INFO_3 *info3;
-   struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
NTSTATUS status;
struct netr_DsRGetDCNameInfo *dc_info;
@@ -264,10 +263,16 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p,
case NETLOGON_CONTROL_TRUNCATE_LOG:
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
case NETLOGON_CONTROL_FORCE_DNS_REG:
+   return WERR_NOT_SUPPORTED;
case NETLOGON_CONTROL_QUERY_DNS_REG:
+   if (r->in.level != 1) {
+   return WERR_INVALID_PARAMETER;
+   }
return WERR_NOT_SUPPORTED;
-
case NETLOGON_CONTROL_FIND_USER:
+   if (r->in.level != 4) {
+   return WERR_INVALID_PARAMETER;
+   }
if (!r->in.data || !r->in.data->user) {
return WERR_NOT_SUPPORTED;
}
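Review bot: the new level checks under NETLOGON_CONTROL_QUERY_DNS_REG and NETLOGON_CONTROL_FIND_USER compare r->in.level against the bare numbers 1 and 4 with no pointer to where MS-NRPC requires them; a short comment naming the relevant section next to each check would make them verifiable. For NETLOGON_CONTROL_QUERY_DNS_REG both paths still return an error, so only the error code depends on the level, and it would be good to have a test that pins the WERR_INVALID_PARAMETER case.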
@@ -278,6 +283,9 @@ WERROR 

[SCM] Samba Shared Repository - branch master updated

2024-06-04 Thread Volker Lendecke
The branch, master has been updated
   via  6b3135078e0 lib: Align an integer type
   via  5ae1605fc22 lib: Fix an error path memleak
   via  0321f31a8e1 lib: Use talloc_asprintf_addbufin _ber_read_OID_String_impl
   via  4313add2bf5 lib: Use unsigned long in ber_write_OID_String
   via  8f90ec12a56 lib: gensec.h references NTTIME, add time.h
   via  b317408591d wbclient: Fix a typo
   via  021dfe8f33b winbind: Modernize a few DEBUGs
   via  bc2b2350b94 smbd: Fix whitespace
   via  b29e408e140 libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"
   via  5c736ffe354 gensec: Simplify gensec_security_by_fn()
   via  82c477b9807 gensec: Filter out disabled mechs in gensec_security_mechs()
   via  426c0847670 gensec: Refactor gensec_security_mechs()
   via  b28de27f6b8 gensec: Simplify gensec_security_by_*
   via  9445d8e06e8 torture: Remove some pointless local variables
   via  df30ec83c96 lib: Use cli_credentials_add_gensec_features in a few places
   via  b436f5fec11 creds: Add cli_credentials_add_gensec_features
   via  dc31a49830d libsmb: Slightly simplify cli_session_creds_init
  from  4cade04d1f1 vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6b3135078e0f6c67566f4312998bc4032e387e19
Author: Volker Lendecke 
Date:   Thu May 23 16:13:58 2024 +0200

lib: Align an integer type

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Tue Jun  4 08:16:58 UTC 2024 on atb-devel-224

commit 5ae1605fc22acf672f46ba08f6b2ef4f675e92b8
Author: Volker Lendecke 
Date:   Thu May 23 16:12:53 2024 +0200

lib: Fix an error path memleak

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 0321f31a8e1364b32fad61e99856024eaed0b81e
Author: Volker Lendecke 
Date:   Thu May 23 16:06:37 2024 +0200

lib: Use talloc_asprintf_addbufin _ber_read_OID_String_impl

Just one NULL check required

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 4313add2bf5ee41a5cbcac79135da96d5424ec2d
Author: Volker Lendecke 
Date:   Thu May 23 16:04:52 2024 +0200

lib: Use unsigned long in ber_write_OID_String

This is what smb_strtoul returns, so use it.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 8f90ec12a560bfe08b0bf9ae447b789bbcc22dda
Author: Volker Lendecke 
Date:   Thu May 23 15:48:55 2024 +0200

lib: gensec.h references NTTIME, add time.h

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b317408591da4cbb8facd1e9215fd204078722b7
Author: Volker Lendecke 
Date:   Fri May 24 18:34:05 2024 +0200

wbclient: Fix a typo

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 021dfe8f33b3d21ec16ac6e4a28f5a1d09b838a3
Author: Volker Lendecke 
Date:   Fri May 24 18:48:29 2024 +0200

winbind: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit bc2b2350b94cbfc53628852026f68f71f09607e6
Author: Volker Lendecke 
Date:   Sat May 25 12:17:46 2024 +0200

smbd: Fix whitespace

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b29e408e140b74b82ba04391fd1ded43444c83b6
Author: Volker Lendecke 
Date:   Sat May 25 12:41:58 2024 +0200

libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 5c736ffe35408a6344e5c4c4ae57b89e09e51918
Author: Volker Lendecke 
Date:   Wed May 29 17:11:51 2024 +0200

gensec: Simplify gensec_security_by_fn()

We don't need that intermediate talloc ctx, we only allocate backends
and don't pass it anywhere else.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 82c477b98071346a0e4e9162d9a200d1755533a7
Author: Volker Lendecke 
Date:   Wed May 29 17:08:26 2024 +0200

gensec: Filter out disabled mechs in gensec_security_mechs()

Every single caller of gensec_security_mechs() had to manually filter
out disabled mechanisms. Don't offer them from the start.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 426c08476704f8ac574a18562719517c6084ed3f
Author: Volker Lendecke 
Date:   Tue May 28 18:49:41 2024 +0200

gensec: Refactor gensec_security_mechs()

The decision whether to offer a mechanism was split between
gensec_security_mechs() and gensec_use_kerberos_mechs() with two
booleans passed down. Consolidate that decision into one
gensec_offer_mech() function that queries all information on its own.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit b28de27f6b880962e9183d28d76f27ce0847bd36
Author: Volker 

[SCM] Samba Shared Repository - branch master updated

2024-06-03 Thread Anoop C S
The branch, master has been updated
   via  4cade04d1f1 vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime
   via  c36e79ef810 vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES
  from  98b443d9033 fuzzing: fix fuzz_stable_sort_r_unstable comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4cade04d1f1e7f1bbd99776bcf876a42488d0f78
Author: Anoop C S 
Date:   Fri May 17 11:57:26 2024 +0530

vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime

Previously we added an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES
so that the btime is always preserved unless explicitly changed using
SMB_VFS_FNTIMES. But there are situations with open file handle where
btime stored on dos attributes as create_time has to be precise for
comparison because a one-to-one conversion between timespec and nttime
is not always guaranteed.

Accordingly preserve btime via SMB_VFS_FSET_DOS_ATTRIBUTES so that we
always compare the exact btime from fsp stat information while the file
handle is still open.

Signed-off-by: Anoop C S 
Reviewed-by: David Disseldorp 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Mon Jun  3 11:10:11 UTC 2024 on atb-devel-224

commit c36e79ef8104b84c9df638cbec984ec3491d875b
Author: Anoop C S 
Date:   Sat May 18 12:37:44 2024 +0530

vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES

Signed-off-by: Anoop C S 
Reviewed-by: David Disseldorp 

---

Summary of changes:
 source3/modules/vfs_ceph.c | 26 ++
 1 file changed, 22 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 6dae8a5f9e8..bb1650446c9 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -1577,9 +1577,6 @@ static NTSTATUS cephwrap_fget_dos_attributes(struct 
vfs_handle_struct *handle,
NTSTATUS status;
 
status = fget_ea_dos_attribute(fsp, dosmode);
-   if (!NT_STATUS_IS_OK(status)) {
-   return status;
-   }
 
/*
 * Restore previously stored btime from statx timestamps as it should be
@@ -1589,7 +1586,27 @@ static NTSTATUS cephwrap_fget_dos_attributes(struct 
vfs_handle_struct *handle,
 */
fsp->fsp_name->st.st_ex_btime = saved_btime;
 
-   return NT_STATUS_OK;
+   return status;
+}
+
+static NTSTATUS cephwrap_fset_dos_attributes(struct vfs_handle_struct *handle,
+struct files_struct *fsp,
+uint32_t dosmode)
+{
+   struct timespec saved_btime = fsp->fsp_name->st.st_ex_btime;
+   NTSTATUS status;
+
+   status = set_ea_dos_attribute(handle->conn, fsp->fsp_name, dosmode);
+
+   /*
+* Restore previously stored btime from statx timestamps. This is done
+* to ensure that we have the exact btime in fsp stat information while
+* the file handle is still open since the create_time stored as part of
+* dos attributes can loose its precision when converted back to btime.
+*/
+   fsp->fsp_name->st.st_ex_btime = saved_btime;
+
+   return status;
 }
 
 /
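Review bot: cephwrap_fset_dos_attributes() repeats the save and restore of st_ex_btime that cephwrap_fget_dos_attributes() already performs, and both now restore the value whether or not the EA call succeeded. A small shared helper, or at least a sentence in the comment that the restore is deliberate on the error path as well, would keep the two functions in step. The new comment also says "loose its precision", which should read "lose".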
@@ -1957,6 +1974,7 @@ static struct vfs_fn_pointers ceph_fns = {
.get_real_filename_at_fn = cephwrap_get_real_filename_at,
.connectpath_fn = cephwrap_connectpath,
.fget_dos_attributes_fn = cephwrap_fget_dos_attributes,
+   .fset_dos_attributes_fn = cephwrap_fset_dos_attributes,
 
/* EA operations. */
.getxattrat_send_fn = vfs_not_implemented_getxattrat_send,


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Volker Lendecke
The branch, master has been updated
   via  98b443d9033 fuzzing: fix fuzz_stable_sort_r_unstable comparison
   via  267f307689b s3/torture: local_rbtree: avoid birthday collisions
  from  3a7dbf8b77b examples:winexe: embed Samba version as exe timestamp

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 98b443d9033943c4fd2bde939985af125ccd9e73
Author: Douglas Bagnall 
Date:   Thu May 23 16:08:49 2024 +1200

fuzzing: fix fuzz_stable_sort_r_unstable comparison

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69176

Signed-off-by: Douglas Bagnall 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Fri May 31 05:29:08 UTC 2024 on atb-devel-224

commit 267f307689b92bc7e1e407fb7f1a9f556d7d8b90
Author: Douglas Bagnall 
Date:   Wed May 22 12:15:37 2024 +1200

s3/torture: local_rbtree: avoid birthday collisions

We insert 999 keys, but if two of them happen to be the same, we
don't find 1000 nodes, and that is upsetting for CI:

[130(1421)/303 at 4m46s] samba3.smbtorture_s3.LOCAL-RBTREE
UNEXPECTED(failure): samba3.smbtorture_s3.LOCAL-RBTREE.smbtorture(none)
REASON: Exception: Exception: using seed 1716333987
host=foo share=bar user= myname=runner-jlguopmm-project-6378020-concurrent-0
Running LOCAL-RBTREE
run_local_rbtree: read1: 999 999, NT_STATUS_OK
run_local_rbtree: delete: 999 999, NT_STATUS_OK
run_local_rbtree: read2: 0 0, NT_STATUS_OK
TEST LOCAL-RBTREE FAILED!
LOCAL-RBTREE took 0.002706 secs

This has been flapping very occasionally for a long time:
https://lists.samba.org/archive/samba-technical/2016-March/112861.html

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 lib/fuzzing/fuzz_stable_sort_r_unstable.c |  3 ++-
 source3/torture/torture.c | 10 +-
 2 files changed, 7 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/fuzz_stable_sort_r_unstable.c 
b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
index 68174ee460e..9338c75f7dc 100644
--- a/lib/fuzzing/fuzz_stable_sort_r_unstable.c
+++ b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
@@ -71,8 +71,9 @@ static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
 
 #define MAX_SIZE (1024 * 1024)
 
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t len)
 {
+   const int8_t *buf = (const int8_t *)input;
int8_t buf2[MAX_SIZE];
int8_t aux[MAX_SIZE];
int8_t context;
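Review bot: the cast on the new line `const int8_t *buf = (const int8_t *)input;` carries no comment, and the commit message does not say why the signedness matters. Since buf2, aux and cmp_int8() all work on int8_t, a one-line comment that the fuzzer input must be read with the same signedness as the sorted copies would keep the cast from being tidied away later.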
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index e0cc39f732d..1f8621654ec 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -13634,17 +13634,17 @@ static bool run_local_rbtree(int dummy)
}
 
for (i = 0; i < 999; i++) {
-   char key[sizeof("key-9223372036854775807")];
-   char value[sizeof("value-9223372036854775807")];
+   char key[sizeof("key-9223372036854775807-1234")];
+   char value[sizeof("value-9223372036854775807-1234")];
 
-   snprintf(key, sizeof(key), "key%ld", random());
-   snprintf(value, sizeof(value) ,"value%ld", random());
+   snprintf(key, sizeof(key), "key%ld-%d", random(), i);
+   snprintf(value, sizeof(value) ,"value%ld-%d", random(), i);
 
if (!rbt_testval(db, key, value)) {
goto done;
}
 
-   snprintf(value, sizeof(value) ,"value%ld", random());
+   snprintf(value, sizeof(value) ,"value%ld-%d", random(), i + 1);
 
if (!rbt_testval(db, key, value)) {
goto done;
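Review bot: the enlarged key and value buffers are sized from the literal suffix "-1234", which bakes in the assumption that i and i + 1 never need more than four digits. That holds for the i < 999 loop, but the snprintf() return values are not checked, so raising the loop bound later would truncate silently and could bring duplicate keys back. Sizing the suffix for a full int, or comparing the snprintf() result against sizeof(key) and sizeof(value), would remove that coupling.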


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Douglas Bagnall
The branch, master has been updated
   via  3a7dbf8b77b examples:winexe: embed Samba version as exe timestamp
   via  e604f757516 examples:winexe: reproducible builds with zero timestamp
   via  3c72f733f45 examples:winexe: more efficient C array generation, no py2
   via  068b366709d buildtools:pidl: avoid hash randomisation in pidl
   via  ea78a5ce830 pidl:python: Exception if unconvertable in ConvertObjectToPythonLevel
   via  f893c100c07 pidl:python: properly raise exception in ConvertObjectFromPythonData
   via  f3433f60b8e pidl:Typelist: resolveType(): don't mistake a reference for a name
   via  72112d4814e script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
   via  651fb94c374 build: Add --vendor-name --vendor-patch-revision options to ./configure
   via  8331475a183 python:smb tests: remove py2 compatibility code
   via  b4b8f18612a python/common: remove verbiage about old python versions
   via  5a317f7d8ef buildtools: remove Python2 compatibility
   via  564b0a21ceb tdb:pytests: remove unused Py2 test branches
   via  037e7ae9c59 ldb-samba:pytest: remove unused variable
   via  0fcba46957f talloc:pytest: remove tests that only test Python 2
   via  a0a025d9024 tdb:pytdb:_tdb_text: remove Py2 compatibility code
   via  87356b327b8 selftest:dnshub: remove py2 compatibility code
  from  e9eb5810438 ctdb-scripts: Protect against races when starting grace period

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3a7dbf8b77b2a9e7cdc55bc5b339b9f501d037aa
Author: Douglas Bagnall 
Date:   Thu May 30 10:44:24 2024 +1200

examples:winexe: embed Samba version as exe timestamp

It turns out the timestamp doesn't need to be real, and it isn't used,
but it might as well tell you something. So let's make it tell you what
version of Samba it came from, which could be useful for people who have
lots of old winexes lying around, the poor souls.

0040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
0050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
0060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
0070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
0080  50 45 00 00 64 86 0a 00  00 15 04 00 00 00 00 00  |PE..d...........|
                               |  |  |
                               |  |  major  4.
                               |  minor 21.
                               release  0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13213

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Fri May 31 01:28:06 UTC 2024 on atb-devel-224

commit e604f7575167d3572e1b67c6e77ab7273508533d
Author: Douglas Bagnall 
Date:   Tue May 28 11:34:51 2024 +1200

examples:winexe: reproducible builds with zero timestamp

Windows Portable Executable files have a timestamp field and a
checksum field. By default the timestamp field is updated to the
current time, which consequently changes the checksum. This makes the
build nondeterministic. It looks like this:

  --- a/tmp/winexe-1/winexesvc64_exe_binary.c
  +++ b/tmp/winexe-2/winexesvc64_exe_binary.c
  @@ -23,7 +23,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A,
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x45, 0x00, 0x00, 0x64, 0x86, 0x0A, 0x00,
  - 0xB2, 0x16, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
  + 0xD3, 0x3B, 0x55, 0x66, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x2E, 0x02,
0x0B, 0x02, 0x02, 0x26, 0x00, 0x86, 0x00, 0x00,
0x00, 0xBA, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00,
  @@ -33,7 +33,7 @@ const DATA_BLOB *winexesvc64_exe_binary(void)
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x40, 0x01, 0x00, 0x00, 0x04, 0x00, 0x00,
  - 0x73, 0xD7, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
  + 0x94, 0xFC, 0x00, 0x00, 0x03, 0x00, 0x60, 0x01,
0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,

https://learn.microsoft.com/en-us/windows/win32/debug/pe-format says
that a timestamp of zero can be used to represent a time that is not
"real or meaningful", so we do that.

As far as I can tell, the timestamp and 
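
The two winexe commit messages above put the PE timestamp at offset 0x88 of winexesvc and show that only it and the checksum differ between two builds. The following is an added example, not code from the Samba tree: it locates both fields, checks that two builds differ nowhere else, and decodes a version stamp laid out as in the hexdump. The headers are constructed from the byte values quoted in the messages, and all function names are hypothetical.

```python
import struct

E_LFANEW = 0x3C          # DOS header field holding the offset of "PE\0\0"
TIMESTAMP_REL = 8        # COFF TimeDateStamp, relative to the signature
CHECKSUM_REL = 24 + 64   # optional-header CheckSum (same for PE32 and PE32+)


def field_offsets(image):
    """Return (timestamp_offset, checksum_offset) of a PE image."""
    if len(image) < E_LFANEW + 4 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", image, E_LFANEW)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    if len(image) < pe + CHECKSUM_REL + 4:
        raise ValueError("image ends before the CheckSum field")
    return pe + TIMESTAMP_REL, pe + CHECKSUM_REL


def read_timestamp(image):
    """Return the little-endian 32-bit TimeDateStamp."""
    ts_off, _ = field_offsets(image)
    return struct.unpack_from("<I", image, ts_off)[0]


def decode_version_stamp(stamp):
    """Split a stamp into (major, minor, release), following the byte
    annotation in the hexdump: release first, then minor, then major."""
    return (stamp >> 16) & 0xFF, (stamp >> 8) & 0xFF, stamp & 0xFF


def compare_builds(a, b):
    """Return (differing_offsets, only_volatile).

    only_volatile is True when every differing byte lies inside the
    TimeDateStamp or CheckSum field, i.e. the builds are otherwise identical.
    """
    if len(a) != len(b):
        raise ValueError("images differ in length")
    ts_off, ck_off = field_offsets(a)
    if field_offsets(b) != (ts_off, ck_off):
        raise ValueError("header layout differs between images")
    volatile = set(range(ts_off, ts_off + 4)) | set(range(ck_off, ck_off + 4))
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return diffs, all(i in volatile for i in diffs)


def make_header(timestamp, checksum, pe=0x80):
    """Constructed sample: just enough of a PE header to hold both fields."""
    img = bytearray(pe + CHECKSUM_REL + 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x8664, 0x000A)  # "64 86 0a 00"
    struct.pack_into("<I", img, pe + TIMESTAMP_REL, timestamp)
    struct.pack_into("<I", img, pe + CHECKSUM_REL, checksum)
    return bytes(img)


# Timestamp and checksum bytes as quoted in the diff in the commit message.
BUILD_1 = make_header(0x665516B2, 0x0000D773)
BUILD_2 = make_header(0x66553BD3, 0x0000FC94)
# Timestamp bytes "00 15 04 00" from the hexdump in the later commit.
STAMPED = make_header(0x00041500, 0)

if __name__ == "__main__":
    diffs, only_volatile = compare_builds(BUILD_1, BUILD_2)
    print("differing offsets:", [hex(i) for i in diffs])
    print("confined to timestamp/checksum:", only_volatile)
    print("version stamp:", decode_version_stamp(read_timestamp(STAMPED)))
```
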

[SCM] Samba Shared Repository - branch master updated

2024-05-30 Thread Volker Lendecke
The branch, master has been updated
   via  e9eb5810438 ctdb-scripts: Protect against races when starting grace period
   via  97c79a1 ctdb-scripts: Check NFS-Ganesha is running before attempting grace
   via  27c53880c2a ctdb-scripts: Improve service PID check
   via  bc10704aec6 ctdb-scripts: Improve NFS-Ganesha export path extraction
   via  944d9d308d5 ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE
   via  1be5b1df1bd ctdb-scripts: Fix usage message
   via  2a3d7c09719 ctdb-scripts: Change NFS-Ganesha PID file location
   via  a534f713478 ctdb-scripts: Quote variable expansions
   via  6ffb73bb55e ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
   via  991d21d075c ctdb-scripts: No longer run statd-callout under sudo
   via  ecb9545b3fb ctdb-scripts: Use find_statd_sm_dir() in one more place
   via  50b3cebeb39 ctdb-scripts: Set ownership of statd-callout state directory
   via  608557c6ce3 ctdb-scripts: Avoid connecting to ctdbd in add-client/del-client
   via  5a4209b7132 ctdb-tests: Default PNN is 0
   via  ed3f041c309 ctdb-scripts: Add caching function for public IPs
   via  558cf280b22 ctdb-scripts: Move state directory creation to "startup" action
   via  d02fb20d793 ctdb-scripts: Avoid globally changing to queue directory
   via  b90d72c7b8f ctdb-scripts: Move ctdb.tdb attach to statd-callout
   via  c912e406c1c ctdb-scripts: Reformat with shfmt -w -p -i 0 -fn
   via  7b24cc032ea ctdb-scripts: Improve documentation
   via  5176b43da78 ctdb-scripts: Avoid ShellCheck warning SC2162
   via  54015223804 ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
  from  5a54c9b28ab s3:utils: let smbstatus report anonymous signing/encryption explicitly

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e9eb5810438c7de713a45f43af227798a6b5ec2f
Author: Martin Schwenke 
Date:   Fri May 10 18:00:18 2024 +1000

ctdb-scripts: Protect against races when starting grace period

While the PID check is worth it in relevant cases, NFS-Ganesha still
might go away after the check.  Unfortunately, neither grace command
fails with an indicative exit code, so invent one by checking error
messages.  This can then be converted to success by the caller.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Thu May 30 12:50:01 UTC 2024 on atb-devel-224

commit 97c79a1c9a61a74aced8d87346dd25c8cce3
Author: Martin Schwenke 
Date:   Fri May 10 17:51:18 2024 +1000

ctdb-scripts: Check NFS-Ganesha is running before attempting grace

If monitoring has failed because it isn't running, then don't fail
"startipreallocate" or "releaseip" by trying to go into grace.

Don't check this for "takeip".  In that case NFS-Ganesha had better be
running.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit 27c53880c2a35a320bc31655ada3367d1be02b19
Author: Martin Schwenke 
Date:   Fri May 10 17:46:58 2024 +1000

ctdb-scripts: Improve service PID check

No need to grovel around in /proc.  ps will happily tell us the
command.

Factor out the actual check into a separate function that can be used
elsewhere.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit bc10704aec66e143b8c9e715a74ddb82f44a3204
Author: Martin Schwenke 
Date:   Tue Apr 30 15:00:34 2024 +1000

ctdb-scripts: Improve NFS-Ganesha export path extraction

Path values do not need to have quotes.  The current code fails if
there aren't any.

Instead, implement a 2 stage parser using 2 sed commands.  See
comments in the code for details.

Regexps are POSIX basic regular expressions, apart from \ (used
to ensure WORD is on word boundaries, and the 'i' flag for case
insensitivity.  The latter is supported in FreeBSD sed.

This code successfully parses Path values out of the following
monstrosity:

path = "/foo/bar1;a";
   Path = /foo/bar2;
Something = false;
Pseudo = "/foo/bar3x" ; Path = "/foo/bar3; y" ; Access_type = RO;
Pseudo = "/foo/bar4x" ; path=/foo/bar4; Access_type = RO;
Pseudo = "/foo/barNONONO" ; not_Path=/foo/barNONONO; Access_type = RO;
   Path = /foo/bar5
Pseudo = "/foo/bar6x Path=foo" ; Path=/foo/bar6; Access_type = RO

This is probably the best that can be done within a shell script.

Signed-off-by: Martin Schwenke 
Reviewed-by: Volker Lendecke 

commit 944d9d308d53598ba0aa2dc599fc1f5c78e78313
Author: Martin Schwenke 
Date:   Wed Mar 27 14:24:09 2024 +1100

ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE

Exports may be contained in an include file rather than the top-level
ganesha.conf.

Signed-off-by: Martin 

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-05-30 Thread Stefan Metzmacher
The branch, v4-20-test has been updated
   via  9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling
   via  6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
   via  82f73dc2312 s4:libcli/dgram: make use of socket_address_copy()
   via  40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
   via  cf37f9f5272 libcli/nbt: add nbt_name_send_raw()
   via  b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
   via  b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
   via  234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code
   via  2f73d251e0c s3:wscript: LIBNMB requires lp_ functions
   via  27e4297f4c7 s3:include: split out fstring.h
   via  260d1bbacf8 s3:include: let nameserv.h be useable on its own
   via  4257e3b8fef s3:libads: avoid changing ADS->server.workgroup
   via  ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
   via  0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
   via  2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly
   via  9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup
   via  610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption
   via  6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons
   via  c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated
   via  fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated
   via  716a0443c9f s3:utils: remove unused signing_flags in connections_forall()
   via  cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption
   via  b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption
   via  dfcbd88504d tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
   via  1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner
   via  d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 9d80c928b0196839035c0272c0945aad8a3b461a
Author: Stefan Metzmacher 
Date:   Wed Feb 14 12:34:48 2024 +0100

s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)

Autobuild-User(v4-20-test): Stefan Metzmacher 
Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224

commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb
Author: Stefan Metzmacher 
Date:   Wed Feb 14 13:49:21 2024 +0100

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

commit 82f73dc23127c033346604fdfc94d5bf94295375
Author: Stefan Metzmacher 
Date:   Thu Feb 15 17:47:45 2024 +0100

s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b
Author: Stefan Metzmacher 
Date:   Thu Feb 15 16:42:16 2024 +0100

s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

commit cf37f9f527269ac2d76577dc0df53f1d369f1817
Author: Stefan Metzmacher 
Date:   Thu Feb 15 17:47:13 2024 +0100

libcli/nbt: add nbt_name_send_raw()

BUG: 

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-05-29 Thread Stefan Metzmacher
The branch, v4-19-test has been updated
   via  fab04efa325 s3:libads: avoid changing ADS->server.workgroup
   via  b6253028b30 s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
   via  3b922dd5759 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
   via  92a0533a9ea s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
   via  45b9b63283d s3:smbd: allow anonymous encryption after one 
authenticated session setup
   via  1925abda4c4 s3:utils: let smbstatus also report partial tcon 
signing/encryption
   via  70969d8da5a s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
   via  8cc6ccb54a3 s3:utils: let connections_forall_read() report if the 
session was authenticated
   via  8b6b837eb7d s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
   via  c9c83fb691f s3:utils: remove unused signing_flags in 
connections_forall()
   via  a6c549db3d8 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  3f476fd8bf3 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
   via  7a75e6bdaf0 smbXcli_base: add hacks to test anonymous signing and 
encryption
   via  98adde991bf tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
   via  11edf47d3c3 .gitlab-ci-main.yml: debug kernel details of the 
current runner
   via  5502aa893cc .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically 
propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit fab04efa32564a47191c775d1b51362bf0c5658a
Author: Stefan Metzmacher 
Date:   Fri Oct 15 03:34:11 2021 +0200

s3:libads: avoid changing ADS->server.workgroup

ads_find_dc() uses c_domain = ads->server.workgroup and
doesn't expect it to get out of scope deep in resolve_and_ping_dns().

The result is corrupted domain values in the debug output.

Valgrind shows this:

 Invalid read of size 1
at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Block was alloc'd at
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6)

Autobuild-User(v4-19-test): Stefan Metzmacher 
Autobuild-Date(v4-19-test): Wed May 29 19:25:10 UTC 2024 on atb-devel-224

commit b6253028b303f4bd59b399e43417c7b050969363
Author: Stefan Metzmacher 
Date:   Tue May 7 14:53:24 2024 +

s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

(cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2)

commit 3b922dd575919fd08c2b98249691ea11cb7ffe56
Author: Stefan Metzmacher 
Date:   Tue Feb 6 21:09:58 2024 +0100

s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()

I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.


[SCM] Samba Shared Repository - branch master updated

2024-05-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  5a54c9b28ab s3:utils: let smbstatus report anonymous 
signing/encryption explicitly
   via  f3ddfb828e6 s3:smbd: allow anonymous encryption after one 
authenticated session setup
   via  551756abd2c s3:utils: let smbstatus also report partial tcon 
signing/encryption
   via  8119fd6d6a4 s3:utils: let smbstatus also report AES-256 encryption 
types for tcons
   via  5089d855064 s3:utils: let connections_forall_read() report if the 
session was authenticated
   via  596a10d1079 s3:lib: let sessionid_traverse_read() report if the 
session was authenticated
   via  a9f84593f44 s3:utils: remove unused signing_flags in 
connections_forall()
   via  6c5781b5f15 s4:torture/smb2: add 
smb2.session.anon-{encryption{1,2,},signing{1,2}}
   via  6a89615d781 s4:libcli/smb2: add hack to test anonymous signing and 
encryption
   via  14d6e267212 smbXcli_base: add hacks to test anonymous signing and 
encryption
  from  d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:14:38 2023 +0200

s3:utils: let smbstatus report anonymous signing/encryption explicitly

We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224

commit f3ddfb828e66738ca461c3284c423defb774547c
Author: Stefan Metzmacher 
Date:   Fri Jun 30 18:05:51 2023 +0200

s3:smbd: allow anonymous encryption after one authenticated session setup

I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47
was released with samba-4.15.0rc1.

Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 551756abd2c9e4922075bc3037db645355542363
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:12:38 2023 +0200

s3:utils: let smbstatus also report partial tcon signing/encryption

We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 8119fd6d6a49b869bd9e8ff653b500e194b070de
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:12:38 2023 +0200

s3:utils: let smbstatus also report AES-256 encryption types for tcons

We already do that for sessions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:10:08 2023 +0200

s3:utils: let connections_forall_read() report if the session was authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 596a10d1079f5c4a954108c81efc862c22a11f28
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:08:31 2023 +0200

s3:lib: let sessionid_traverse_read() report if the session was authenticated

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9
Author: Stefan Metzmacher 
Date:   Mon Jul 3 15:05:59 2023 +0200

s3:utils: remove unused signing_flags in connections_forall()

We never use the signing flags from the session, as the tcon
has its own signing flags.

https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Günther Deschner 

commit 6c5781b5f154857f1454f41133687fba8c4c9df9
Author: Stefan Metzmacher 
Date:   Wed May 15 10:02:00 2024 +0200

s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}

These 

[SCM] Samba Shared Repository - branch master updated

2024-05-22 Thread Andrew Bartlett
The branch, master has been updated
   via  d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h
   via  6dd68d89786 ldb: move struct ldb_utf8_fns to ldb_private.h
   via  a00c0ebd090 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
   via  b6974030e6a lib/fuzzing: add fuzz_strncasecmp_ldb
   via  b22e1d3207d ldb: don't cast to unsigned for ldb_ascii_toupper()
   via  e33a0dd70f0 ldb: ldb_set_utf8_functions follows README.Coding
   via  4a6a1d1f0af ldb: deprecate ldb_set_utf8_fns
   via  42ae85d70af ldb: remove old ldb_comparison_fold_utf8_broken()
   via  960724a06e4 ldb: ldb_comparison_fold always uses the casecmp 
function
   via  edabb9f4cb9 ldb-samba: use ldb_comparison_fold_utf8()
   via  0becc8a90cb ldb-samba: add ldb_comparison_fold_utf8, wrapping 
strncasecmp_ldb
   via  f9797950fd6 util:charset: strncasecmp_ldb avoids iconv for ASCII
   via  55397514db5 util:charset: strncasecmp_ldb degrades to ASCII 
strncasecmp
   via  eb91e3437b4 util:charset: add strncasecmp_ldb()
   via  7cc3c56293d ldb: ldb_set_utf8_default() sets comparison function
   via  6c27284f7e9 ldb: ldb_comparison_fold_ascii sorts unsigned
   via  92275e27947 ldb: add ldb_comparison_fold_ascii() for default 
comparisons
   via  947f977acb7 ldb: ldb_comparison_fold uses the utf-8 casecmp function
   via  ae7ca36830b ldb: add ldb_set_utf8_functions() for setting casefold 
functions
   via  1624ac7a987 ldb: move ldb_comparison_fold guts into a separate 
function
   via  278a3c7f7c6 ldb: add a utf-8 comparison fold callback
   via  f9fbc7a5067 lib/util/charset: be explicit about INVALID_CODEPOINT 
value
   via  023a7ce7d5a ldb: add test_ldb_comparison_fold
  from  589a9ea6767 s4:kdc: Add comment about possible interaction between 
the krbtgt account and Group Managed Service Accounts

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d6581d213d5f625da493f14620e1a12e79a8e195
Author: Douglas Bagnall 
Date:   Thu May 23 09:40:00 2024 +1200

ldb: move struct ldb_debug_ops to ldb_private.h

Only accessed through struct ldb_context -> debug_ops, which is already private.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224

commit 6dd68d897865bd2518a6a71753ca0bc76d51b37e
Author: Douglas Bagnall 
Date:   Thu May 23 09:36:57 2024 +1200

ldb: move struct ldb_utf8_fns to ldb_private.h

It is only accessed via ldb functions that find it on the already-private
struct ldb_context.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a00c0ebd090f69f94ce6ba7774a9fc126d7de504
Author: Douglas Bagnall 
Date:   Mon May 13 11:08:35 2024 +1200

s4:dsdb:strcasecmp_with_ldb_val() avoids overflow

In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.

This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b6974030e6a7ddb330894f46631c8da4359b2d18
Author: Douglas Bagnall 
Date:   Mon May 13 10:39:44 2024 +1200

lib/fuzzing: add fuzz_strncasecmp_ldb

As well as checking for the usual overflows, this asserts that
strncasecmp_ldb is always transitive, by splitting the input into 3
pieces and comparing all pairs.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b22e1d3207d90f102247d690bfe31db55d7b681e
Author: Douglas Bagnall 
Date:   Fri May 17 11:38:10 2024 +1200

ldb: don't cast to unsigned for ldb_ascii_toupper()

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e33a0dd70f00481d1c3d9e2fdd227e26431402ef
Author: Douglas Bagnall 
Date:   Tue May 21 10:55:53 2024 +1200

ldb: ldb_set_utf8_functions follows README.Coding

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 4a6a1d1f0afa830a679781a522d724bd861a3601
Author: Douglas Bagnall 
Date:   Fri May 17 11:35:01 2024 +1200

ldb: deprecate ldb_set_utf8_fns

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 42ae85d70af8da1aecbf45f5fb6e7d7ee1c379fb
Author: Douglas Bagnall 
Date:   Fri May 10 15:43:36 2024 +1200

ldb: remove old ldb_comparison_fold_utf8_broken()

There are no callers.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 960724a06e4dcb793d606c71d6e79387761b3d42
Author: Douglas Bagnall 
Date:   Thu May 16 17:01:10 2024 +1200

ldb: ldb_comparison_fold always uses the casecmp function

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 

[SCM] Samba Shared Repository - branch master updated

2024-05-22 Thread Andrew Bartlett
The branch, master has been updated
   via  589a9ea6767 s4:kdc: Add comment about possible interaction between 
the krbtgt account and Group Managed Service Accounts
   via  d8302e95326 s4:kdc: Merge current and previous gMSA keys during 
period when both are valid
   via  a0d639bfb82 tests/krb5: Test that previous keys are counted as 
current keys following a gMSA key rollover
   via  5ea07824655 s4:libnet: Allow simulating AS‐REQ flags combination 
for keytab export
   via  71899ceb40d s4:libnet: Update export_keytab() docstring
   via  048de3da01f s4:libnet: Pass SDB_F_ADMIN_DATA flag through to 
samba_kdc_message2entry()
   via  aa8aeeb655a python:tests: Extract keytab_as_set() function to be 
usable by other tests
   via  5682df15a09 python:tests: Manually raise AssertionError
   via  95e80bf1e05 python:tests: Rename ‘keytab_as_set’ variable to be 
distinct from keytab_as_set() method
   via  4597d314029 third_party/heimdal: Import 
lorikeet-heimdal-202405220400 (commit 8276d6311146b8ab5d57d092bc5d5fa28282a900)
   via  4de25061120 WHATSNEW: Add 'dns hostname'
   via  f64e728444b auth:ntlmssp: Use lpcfg_dns_hostname()
   via  78c2427d9b9 auth:ntlmssp: Remove trailing spaces
   via  26fd78040e5 s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
   via  ad9198bb864 s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
   via  6bd56a2c19d s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
   via  cb9ff7b4c5b s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
   via  8ae565a14b5 s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
   via  f353ce5f965 s4:dfs_server: Use lpcfg_dns_hostname() in 
dfs_server_ad.c
   via  f3f8aa49641 s3:rpc_server: Use lpcfg_dns_hostname() in 
srv_witness_nt.c
   via  c00571a8b25 python:tests: Ignore case for group_name comparison
   via  c2d4fe11b4d s3:utils: Use lp_dnsdomain() in net_ads.c
   via  382c300acda s3:libnet: Convert myalias to lower case
   via  0e96092c189 s3:libnet: Use lp_dns_hostname() in libnet_join.c
   via  84989f2bf4a s3:lib: Remove obsolete name_to_fqdn()
   via  f6efc74670d s3:librpc: Use lp_dns_hostname() for creating the fqdn
   via  b93fef8e90d s3:utils: Use lp_dns_hostname() for 'net' dns updates
   via  758bb9aacd5 docs-xml: Add smb.conf option 'dns hostname'
  from  e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to 
setup all relevant env variables

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 589a9ea6767a8112baf664dd18c4aa1667e57d76
Author: Jo Sutton 
Date:   Thu May 9 13:16:50 2024 +1200

s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224

commit d8302e95326639c159fa46788cf645c11d56420c
Author: Jo Sutton 
Date:   Mon Apr 15 14:46:47 2024 +1200

s4:kdc: Merge current and previous gMSA keys during period when both are valid

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit a0d639bfb825c2ec0840c048b9b1b3d1474c1146
Author: Jo Sutton 
Date:   Fri Apr 26 13:43:57 2024 +1200

tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5ea07824655170fb20bb0c6862d7697ca96b8697
Author: Jo Sutton 
Date:   Fri Apr 26 13:54:42 2024 +1200

s4:libnet: Allow simulating AS‐REQ flags combination for keytab export

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 71899ceb40dcea6a70102c7318c55cf9b3687379
Author: Jo Sutton 
Date:   Wed Apr 24 17:11:03 2024 +1200

s4:libnet: Update export_keytab() docstring

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 048de3da01f2f7c7210085a624e38d671b38aeda
Author: Jo Sutton 
Date:   Wed Apr 24 13:45:08 2024 +1200

s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()

This will allow us to specify whether to specify this flag for a keytab
export.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit aa8aeeb655a5605b2ecbca89762f6a2402152116
Author: Jo Sutton 
Date:   Wed Apr 24 12:48:53 2024 +1200

python:tests: Extract keytab_as_set() function to be usable by other tests

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5682df15a098dcad7398d8dafdcbccac37371c1a
Author: Jo Sutton 
Date:   Wed Apr 24 13:38:53 2024 +1200

python:tests: Manually raise AssertionError

This removes the last dependency on ‘self’ in this method.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 95e80bf1e0533716a4a15dc2848b76bed2e28a2b
Author: Jo 

[SCM] Samba Shared Repository - branch master updated

2024-05-21 Thread Andrew Bartlett
The branch, master has been updated
   via  e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to 
setup all relevant env variables
   via  83030780285 s4:dsdb/repl: let drepl_out_helpers.c always go via 
dreplsrv_out_drsuapi_send()
   via  5abeb724d74 s3:smbcacls: fix ace_compare
   via  c7299556845 lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch 
overrun
   via  99d26221311 spelling: comments: synthax -> syntax
   via  64003d86778 spelling: fix spelling of privilege.ldb in comments
   via  94b8deffa2d libsmb: Remove file_info->[ug]id
   via  f2b692fb458 smbd: Simplify request_timed_out
   via  0fe1a6e9dac lib: Use struct initialization
   via  c443d377a0b libsmb: Remove a talloc_strdup()
   via  335877ec04c libsmb: Remove an unneeded NULL check
   via  5384244f760 libsmb: Remove unused cli_list_trans()
   via  e79698c4be6 libsmb: Use SMB2_0_INFO_ constants instead of magic 
numbers
   via  7ecf3b0e25c libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
   via  27ac0beaa01 lib: Fix a typo
   via  0013105eb55 libsmb: Avoid pointless intermediate variables
   via  06a322a17f8 libsmb: Use the direct FSCC_ infolevels
   via  dd1dd65026e smbd: Remove an unused function parameter
   via  f69fe79189e smbd: Remove an unnecessary else
   via  ff43158c528 smbd: Remove a no-op call to init_strict_lock_struct
   via  661532c46c0 smbd: Remove an unnecessary else branch
   via  6f0628c8485 smbd: Return correct error for fallback sendfile
   via  9115836687f smbd: Use direct struct initialization
   via  979f3e23990 smbd: Remove the ZERO_ZERO define
   via  3542f938c53 smbd: Fix whitespace
   via  a8b9a8358e2 smbd: Move a DBG_DEBUG up
   via  477dec3770b smbd: Modernize a few DEBUGs
  from  bdfbf25255e test_kinit_export_keytab: reset pw of the test account 
and test --only-current-keys

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e0d9e285921ce841e4872aadc6e4750b2ad48973
Author: Stefan Metzmacher 
Date:   Tue May 14 16:55:58 2024 +0200

selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 05:26:48 UTC 2024 on atb-devel-224

commit 83030780285290ecf64b57c1744634379b68ea01
Author: Stefan Metzmacher 
Date:   Tue Feb 6 21:09:58 2024 +0100

s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()

I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 5abeb724d74af2b861f2ee6bc27762bb5bf07bca
Author: Douglas Bagnall 
Date:   Tue May 21 20:20:36 2024 +1200

s3:smbcacls: fix ace_compare

We got this wrong in commit 31101a9fa1503be9d8137e42466f57d85136a156.

In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit c7299556845a764c7ca6195ede3f273bc20ebfbb
Author: Douglas Bagnall 
Date:   Tue May 14 14:58:51 2024 +1200

lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 99d2622131161d7d597f5b0a9e2b509817483217
Author: Douglas Bagnall 
Date:   Wed Apr 10 21:25:12 2024 +1200

spelling: comments: synthax -> syntax

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 64003d867786231c130b13f6d84f9d248631d3be
Author: Douglas Bagnall 
Date:   Wed Apr 10 21:22:57 2024 +1200

spelling: fix spelling of privilege.ldb in comments

'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 94b8deffa2d8af39309a94d94f4c0c97ea85265b
Author: Volker Lendecke 
Date:   Tue May 21 11:21:03 2024 +0200

libsmb: Remove file_info->[ug]id

These fields were never assigned

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit f2b692fb458f0253adcb8b7ae2b9eb99346559fb
Author: Volker Lendecke 
Date:   Tue May 21 08:38:19 2024 +0200

smbd: Simplify request_timed_out

timeval_expired does what we need here


[SCM] Samba Shared Repository - branch master updated

2024-05-21 Thread Andrew Bartlett
The branch, master has been updated
   via  bdfbf25255e test_kinit_export_keytab: reset pw of the test account 
and test --only-current-keys
   via  b4be5718d3d samba-tool: let 'samba-tool domain exportkeytab' take 
an --only-current-keys option
   via  2793ef3e163 samba.tests.dckeytab: add 
test_export_keytab_change3_update_only_current_keep()
   via  e2a5fbf5cf2 s4:libnet_export_keytab: add only_current_keys option
   via  7f1e89488a7 s4:kdc: also provide cross-realm keys via 
samba_kdc_seq()
   via  37292f8a60f s4:kdc: let samba_kdc_trust_message2entry() return all 
keys with SDB_F_ADMIN_DATA
   via  6ecc607edee s4:kdc: split out samba_kdc_fill_trust_keys() helper
   via  f5c8c212dcb s4:kdc: add available_enctypes to 
supported_session_etypes in samba_kdc_trust_message2entry()
   via  f48699641cf s4:kdc: add a returned_kvno helper variable in 
samba_kdc_trust_message2entry()
   via  d1efc396de4 s4:kdc: let samba_kdc_trust_message2entry() ignore 
KRB5_PROG_ETYPE_NOSUPP
   via  8cfebc36edc s4:kdc: split out samba_kdc_fill_trust_keys() helper
   via  83f03513fd5 s3:libnet: add a debug message to 
libnet_keytab_add_to_keytab_entries()
   via  888a785f476 s3:libnet: add support for trusted domains in 
libnet_dssync_keytab.c
   via  2b2cc544725 s3:libnet: split out store_or_fetch_attribute() from 
parse_user() in libnet_dssync_keytab.c
   via  feff15fc88b s3:libnet: split out parse_user() in 
libnet_dssync_keytab.c
   via  52df4063871 s3:libnet: let parse_user() in libnet_dssync_keytab.c 
work without nt hash
  from  01849ab1bca s4:kdc: Implement KDC plugin hardware authentication 
policy

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bdfbf25255e457c3e5d5d75ee09fca3af461c5a7
Author: Stefan Metzmacher 
Date:   Wed Apr 17 16:15:17 2024 +0200

test_kinit_export_keytab: reset pw of the test account and test --only-current-keys

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May 22 04:07:02 UTC 2024 on atb-devel-224

commit b4be5718d3de3bc90d142cb53f79fe067d0a3e0a
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:14:18 2024 +0100

samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 2793ef3e1632c735f9caac015503aab06f53d543
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:31:22 2024 +0100

samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep()

This tests that only_current_keys=True works.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit e2a5fbf5cf2b65db77e7c5a859c896acca69f432
Author: Stefan Metzmacher 
Date:   Fri Mar 15 16:11:10 2024 +0100

s4:libnet_export_keytab: add only_current_keys option

By default we also export on the old and older passwords...

In order to do a kinit with a keytab it might be useful to
include only the current keys.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 7f1e89488a7212832819380a93fe137a6fa28c37
Author: Stefan Metzmacher 
Date:   Thu Feb 3 14:14:06 2022 +0100

s4:kdc: also provide cross-realm keys via samba_kdc_seq()

This means that 'samba-tool domain exportkeytab' is able to
export them.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 37292f8a60f8fa82faa7bde4314919dcae6fb7ab
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:23:46 2024 +0100

s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 6ecc607edeeeb1877b5ecf02ba60d6c8799f583a
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: split out samba_kdc_fill_trust_keys() helper

This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.

Review with: git show -p --patience

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f5c8c212dcba48167d8ae8c555a5c4750cb763fd
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry()

This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit f48699641cf95f1e2d197e0f8ea1ed4ce2c4fb41
Author: Stefan Metzmacher 
Date:   Fri Mar 15 19:19:20 2024 +0100

s4:kdc: add a returned_kvno helper variable in 

[SCM] Samba Shared Repository - branch master updated

2024-05-15 Thread Andrew Bartlett
The branch, master has been updated
   via  01849ab1bca s4:kdc: Implement KDC plugin hardware authentication 
policy
   via  0582cf6077c s4:kdc: Remove trailing whitespace
   via  09bcd48f790 third_party/heimdal: Import 
lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
   via  d36bfbf632e tests/krb5: Adjust tests to pass against newer Windows 
versions that include ticket checksums in response to AS‐REQs
   via  f3ff4915adf s4:kdc: Initialize local variable just in case (CID 
1596759)
   via  3b90753b552 s4:kdc: Free target principal string to avoid memory 
leak (CID 1596760)
   via  7e7bb259a60 s4:kdc: Initialize pointer variable just in case (CID 
1596762)
   via  e1460c9e342 s4:dsdb: Make map containing default attribute values 
static
   via  927c672faff s4:dsdb: Do not set lockoutTime for trust accounts
   via  4c759c26752 s4:dsdb: Make use of userAccountControl helper function
   via  1b8b8550aaa s4:dsdb: Add userAccountControl helper function
   via  0e93456a66b s4:dsdb: Remove redundant user flags macro
   via  32199b9bcfd s4:auth: Accept previous gMSA password for NTLM 
authentication five minutes after a password change
   via  fbdeb4b0b47 lib:crypto: Add constant denoting maximum GKDI clock 
skew in minutes
   via  c167ac53016 s4:libnet: Remove unnecessary declarations
   via  33ed55ce8f5 s4:libnet: Remove trailing whitespace
   via  5c4f2623c52 tests/krb5: Add more tests for gMSAs
   via  6f094180106 tests/krb5: Test viewing gMSA passwords after 
performing simple binds
   via  f9cbda9cf0e tests/krb5: Test that computers (and, by extension, 
gMSAs) cannot perform interactive logons
   via  336a58473ad tests/krb5: Don’t pass gMSA as 
‘domain_joined_mach_creds’ parameter
   via  ad0740751e8 tests/krb5: Test performing NTLMSSP logons at different 
times
   via  e5357c75a60 s4:auth: Let dsdb gMSA time influence NTLM previous 
password allowed period
   via  92d010af2d0 s4:dsdb: Let dsdb gMSA time influence pwdLastSet
   via  9fac9b776e7 tests/krb5: Test that gMSA passwords cannot be viewed 
over an unsealed connection
   via  aa4347ff23e tests/krb5: Add ‘expect_success’ parameter to 
gensec_ntlmssp_logon()
   via  41e71406a14 tests/krb5: Make use of gmsa_series_for_account() method
   via  577aa790425 tests/krb5: Add quantized_time() method
   via  65fe09007f8 tests/krb5: Read current time from correct SamDB
   via  fdaa2943697 python:tests: Pass ServerPasswordSet2() parameters in 
correct order
   via  cb357a011b0 python:tests: Remove unnecessary ‘pass’ statement
   via  e875193c1ca python:tests: Remove unused netlogon connection 
parameter
   via  170dd47eae5 s4:libcli: Add more controls to our list of known 
controls
   via  526652d162f s4:libcli: Fix code spelling
   via  e4045cd5b15 s4:setup: Update name of dsdb password change control
   via  f5cbe497897 s4:dsdb: Fix code spelling
   via  cbebffd56da s4:dsdb: Remove trailing whitespace
   via  359b3b63213 lib:fuzzing: Fix undefined shift
   via  be076b30972 lib:fuzzing: Remove unused variable
   via  7b02221c4f5 auth:credentials: Check for NT hash being NULL
  from  2b495c44a2a smbd: Fix a typo in a few places

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 01849ab1bcaad9e96b388cad178182d6a77ac3cb
Author: Jo Sutton 
Date:   Mon May 13 10:58:51 2024 +1200

s4:kdc: Implement KDC plugin hardware authentication policy

NOTE: This commit finally works again!

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224

commit 0582cf6077c3f6866f38e85440c8ed464b303bdd
Author: Jo Sutton 
Date:   Wed May 15 16:28:12 2024 +1200

s4:kdc: Remove trailing whitespace

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 09bcd48f79043e54fdce840f70e370b9a507d0fc
Author: Jo Sutton 
Date:   Thu May 9 16:57:14 2024 +1200

third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 
49c8e97b7221db53355258059ef385c856e1385f)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit d36bfbf632ed0d3c53c9ef24eac682cb91274ec8
Author: Jo Sutton 
Date:   Tue May 14 13:05:31 2024 +1200

tests/krb5: Adjust tests to pass against newer Windows versions that 
include ticket checksums in response to AS‐REQs

A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit f3ff4915adfd63f287147c73fd69050c5b7de580
Author: Jo Sutton 
Date:   Mon May 6 12:20:44 2024 +1200

s4:kdc: Initialize 

[SCM] Samba Shared Repository - branch master updated

2024-05-15 Thread Jeremy Allison
The branch, master has been updated
   via  2b495c44a2a smbd: Fix a typo in a few places
   via  a99f2f3ae39 smbd: Modernize a few DEBUGs
   via  df75ae65e63 g_lock: Fix buffer length check in g_lock_parse()
   via  aca70be7829 smbd: Simplify check_parent_access_fsp()
   via  c422002ce5e smbd: Remove an obsolete comment
  from  b71f729698f smbd: Add reparse tag to smb3_posix_cc_info

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2b495c44a2abcfa9b9c7f520e0989ff72f7b651f
Author: Volker Lendecke 
Date:   Wed May 15 16:43:31 2024 +0200

smbd: Fix a typo in a few places

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224

commit a99f2f3ae390ddc4d80548a593a3edf50eeb76f3
Author: Volker Lendecke 
Date:   Tue May 14 16:20:03 2024 +0200

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit df75ae65e6347736c96707c57e736d15662a6846
Author: Volker Lendecke 
Date:   Sat Feb 10 11:15:58 2024 +0100

g_lock: Fix buffer length check in g_lock_parse()

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit aca70be7829b97729b18a9c2c5e3add894e323c1
Author: Volker Lendecke 
Date:   Tue May 14 16:30:21 2024 +0200

smbd: Simplify check_parent_access_fsp()

We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit c422002ce5ef8ea4dcac69b7167dcf67d5c373d1
Author: Volker Lendecke 
Date:   Tue May 14 17:01:40 2024 +0200

smbd: Remove an obsolete comment

notify_fname only sends a message to the notify daemon. There is no
potential deadlock anymore.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 source3/lib/g_lock.c  |  9 +
 source3/locking/locking.c | 19 +++
 source3/smbd/close.c  | 41 +++--
 source3/smbd/open.c   | 16 +---
 4 files changed, 32 insertions(+), 53 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 33f088b2a43..77b8287273b 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -58,7 +58,8 @@ static bool g_lock_parse(uint8_t *buf, size_t buflen, struct 
g_lock *lck)
uint64_t unique_data_epoch;
 
if (buflen < (SERVER_ID_BUF_LENGTH + /* exclusive */
- sizeof(uint64_t) + /* seqnum */
+ sizeof(uint64_t) + /* unique_lock_epoch */
+ sizeof(uint64_t) + /* unique_data_epoch */
  sizeof(uint32_t))) {   /* num_shared */
struct g_lock ret = {
.exclusive.pid = 0,
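Review bot: the minimum length in this check is a hand-summed list of field sizes, and the removed line counted a single uint64_t (seqnum) where two epochs are now listed, so a buffer up to eight bytes too short used to pass. Consider a named constant for the fixed header length that this check and the reads after it share, and state in the commit message body what happened with a buffer between the old and the new minimum; the message currently has no body.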
@@ -360,7 +361,7 @@ NTSTATUS g_lock_lock_cb_dump(struct g_lock_lock_cb_state 
*cb_state,
 {
struct g_lock *lck = cb_state->lck;
 
-   /* We allow a cn_fn only for G_LOCK_WRITE for now... */
+   /* We allow a cb_fn only for G_LOCK_WRITE for now... */
SMB_ASSERT(lck->num_shared == 0);
 
fn(lck->exclusive,
@@ -1018,7 +1019,7 @@ struct tevent_req *g_lock_lock_send(TALLOC_CTX *mem_ctx,
};
 
/*
-* We allow a cn_fn only for G_LOCK_WRITE for now.
+* We allow a cb_fn only for G_LOCK_WRITE for now.
 *
 * It's all we currently need and it makes a few things
 * easier to implement.
@@ -1238,7 +1239,7 @@ NTSTATUS g_lock_lock(struct g_lock_ctx *ctx, TDB_DATA key,
SMB_ASSERT(!ctx->busy);
 
/*
-* We allow a cn_fn only for G_LOCK_WRITE for now.
+* We allow a cb_fn only for G_LOCK_WRITE for now.
 *
 * It's all we currently need and it makes a few things
 * easier to implement.
diff --git a/source3/locking/locking.c b/source3/locking/locking.c
index fa1c85afe91..25735a3083d 100644
--- a/source3/locking/locking.c
+++ b/source3/locking/locking.c
@@ -158,12 +158,14 @@ bool strict_lock_check_default(files_struct *fsp, struct 
lock_struct *plock)
TALLOC_FREE(br_lck);
}
 
-   DEBUG(10, ("strict_lock_default: flavour = %s brl start=%ju "
-  "len=%ju %s for fnum %ju file %s\n",
-  lock_flav_name(plock->lock_flav),
-  (uintmax_t)plock->start, (uintmax_t)plock->size,
-  ret ? "unlocked" : "locked",
-  (uintmax_t)plock->fnum, fsp_str_dbg(fsp)));
+   DBG_DEBUG("flavour = %s brl start=%" PRIu64 " "
+ "len=%" PRIu64 " %s for fnum %" PRIu64 " file %s\n",
+ lock_flav_name(plock->lock_flav),
+
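Review bot: the format string moves from %ju with (uintmax_t) casts to PRIu64, so the matching arguments now have to be exactly uint64_t. The argument lines are cut off in this mail after lock_flav_name(), so confirm that the (uintmax_t) casts on plock->start, plock->size and plock->fnum were dropped or replaced with (uint64_t); otherwise specifier and argument type disagree wherever uintmax_t is not uint64_t.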

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Jeremy Allison
The branch, master has been updated
   via  b71f729698f smbd: Add reparse tag to smb3_posix_cc_info
   via  ecb17c12c54 smbd: Test reparse tag in smb3_posix_cc_info
   via  d0cdb4160b8 smbd: Use fsctl_get_reparse_tag in 
fsctl_del_reparse_point
   via  7b6dc319b53 smbd: Use fsctl_get_reparse_tag in 
fsctl_set_reparse_point
   via  3a387673662 smbd: Add fsctl_get_reparse_tag() helper function
   via  2743127a6e3 smbd: Modernize a few DEBUGs
   via  a85b1e57542 libsmb: Cap max_rdata at UINT16_MAX
   via  1776918c5bf libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define
   via  5e0fe4d91ce smbd: Add DEBUG message got get_reparse_point
   via  ee653577630 smbd: Return reparse tag as of MS-FSCC 2.4.6
   via  d884c2fb0d5 smbd: Fix a DBG
   via  44b3eadacb3 tests: get TAG_INFORMATION
   via  ba40d97087b pylibsmb: Add py_cli_qfileinfo
   via  c13ac1f1a76 pylibsmb: Add FSCC QUERY_INFO levels
   via  291a353b16a libsmb: Remove smb2 branch from cli_qfileinfo_basic_send
   via  893e4f6ebf6 libsmb: Add smb2 branch to cli_qfileinfo
   via  6e9c18ed821 libsmb: Add a tevent_req_received() where appropriate
   via  bec5920ec91 libsmb: Convert cli_qfileinfo to use FSCC levels
   via  af4bb5f75f7 libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"
   via  4eac4014c03 libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"
   via  072e4d030ae smbd: Modernize a DEBUG
   via  7c59f110560 test: Align integer types
  from  1092d4b0a8e s3:winbindd: Update non cache entries keys 
(non_centry_keys)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b71f729698fba58543645e9ec40e95d57ea19e3b
Author: Volker Lendecke 
Date:   Mon May 13 15:44:52 2024 +0200

smbd: Add reparse tag to smb3_posix_cc_info

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224

commit ecb17c12c54214694ecc240ae290646d341cd9a5
Author: Volker Lendecke 
Date:   Mon May 13 15:44:14 2024 +0200

smbd: Test reparse tag in smb3_posix_cc_info

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit d0cdb4160b84a5f4e9c120c951beb55ac41cf1b3
Author: Volker Lendecke 
Date:   Mon May 13 14:30:30 2024 +0200

smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 7b6dc319b53ad6df109517ae425d770b62136f7a
Author: Volker Lendecke 
Date:   Mon May 13 14:28:55 2024 +0200

smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3a3876736627a5c218661ffc6845e96b97322dca
Author: Volker Lendecke 
Date:   Mon May 13 14:26:22 2024 +0200

smbd: Add fsctl_get_reparse_tag() helper function

There's a few places where we only care about the tag

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 2743127a6e3092e292f74e2b851dc41b8b67f825
Author: Volker Lendecke 
Date:   Mon May 13 14:16:48 2024 +0200

smbd: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit a85b1e57542831bd26afc985c9add740a063f856
Author: Volker Lendecke 
Date:   Mon May 13 11:16:21 2024 +0200

libsmb: Cap max_rdata at UINT16_MAX

The caller does not necessarily query max values for smb1 and smb2+.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 1776918c5bf2e6db4ab9072e09326b91fa211322
Author: Volker Lendecke 
Date:   Wed May 8 16:05:40 2024 +0200

libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define

(SMB_FILE_ALL_INFORMATION - 1000) looks a bit silly if you look at the
definition of SMB_FILE_ALL_INFORMATION...

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 5e0fe4d91cee3cc687b2b4bbfc778a7bf8f58d5e
Author: Volker Lendecke 
Date:   Thu Dec 22 11:36:21 2022 +0100

smbd: Add DEBUG message got get_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit ee653577630d4f68f82fa93c03e0a33b7b6ccdc1
Author: Volker Lendecke 
Date:   Wed May 8 16:03:29 2024 +0200

smbd: Return reparse tag as of MS-FSCC 2.4.6

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit d884c2fb0d5a3b72d550d72c2f263f7d80a5dc8a
Author: Volker Lendecke 
Date:   Wed May 8 15:48:11 2024 +0200

smbd: Fix a DBG

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 44b3eadacb3df92238b30c38abe4abf48c60a971
Author: Volker Lendecke 
Date:   Thu May 9 11:54:31 2024 +0200

tests: get TAG_INFORMATION

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit ba40d97087bed742eb6178b2e5e03a77e040f343
Author: Volker Lendecke 

[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Jeremy Allison
The branch, master has been updated
   via  1092d4b0a8e s3:winbindd: Update non cache entries keys 
(non_centry_keys)
   via  26d87d1fefa s3:winbindd: Use TDB_REPLACE in tdb_store
  from  68a1200f66e Restore empty string default for conf.env['icu-libs']

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1092d4b0a8e6d988e6bcbbd5e7cce7e34fc1ed54
Author: Pavel Filipenský 
Date:   Fri Mar 22 13:51:06 2024 +0100

s3:winbindd: Update non cache entries keys (non_centry_keys)

This change does NOT affect WHAT and HOW is cached. It only avoids
undefined behavior for "NDR" and "TRUSTDOMCACHE" when processed in
wcache_flush_cache() and wbcache_upgrade_v1_to_v2().

winbindd_cache.tdb contains two types of entries:

1) cache entries (typed as 'struct cache_entry')
  - internal format is:   [ntstatus; sequence_number; timeout]

2) non cache entries (keys listed in non_centry_keys)
  - for "NDR" internal format is: [sequence_number; timeout]

Without this commit, "NDR" would be processed as the first type (instead
of as the second type). E.g. in the stack below:

wcache_fetch_raw()
traverse_fn_cleanup()
wcache_flush_cache()

the triplet [ntstatus; sequence_number; timeout] would be initialized
from data containing only [sequence_number; timeout], leading to
mismatched values ('ntstatus' would be filled from 'sequence_number').

Anyway, current code is never calling wcache_flush_cache(), since
wcache_flush_cache() can be called only from get_cache() and get_cache()
will call it only if global/static wcache was not set yet. But wcache is
set very early in the main winbind (and all winbind children get it
after fork), sooner than any call of get_cache() can happen:

   #1 init_wcache + 0x19
   #2 initialize_winbindd_cache + 0x35
   #3 winbindd_cache_validate_and_initialize + 0x25
   #4 main + 0x806

Signed-off-by: Pavel Filipenský 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue May 14 21:04:57 UTC 2024 on atb-devel-224

commit 26d87d1fefa67b759bc369983b4c55fcd007dca9
Author: Pavel Filipenský 
Date:   Tue May 7 13:01:02 2024 +0200

s3:winbindd: Use TDB_REPLACE in tdb_store

tdb_store() should use as a flag TDB_REPLACE instead of undocumented 0

Signed-off-by: Pavel Filipenský 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 source3/winbindd/winbindd_cache.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_cache.c 
b/source3/winbindd/winbindd_cache.c
index ca2341ef456..833862ab99e 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -68,7 +68,9 @@ static bool opt_nocache = False;
  */
 
 static const char *non_centry_keys[] = {
+   "NDR/",
"SEQNUM/",
+   "TRUSTDOMCACHE/",
"WINBINDD_OFFLINE",
WINBINDD_CACHE_VERSION_KEYSTR,
NULL
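Review bot: nothing next to non_centry_keys[] tells the next author that every key prefix stored in a non-centry layout has to be listed here, which is the omission this hunk repairs for "NDR/" and "TRUSTDOMCACHE/". Extend the comment above the array to state that rule. Since the commit message says wcache_flush_cache() is currently never called, a small test that traverses a tdb holding an "NDR/" record would keep the list from going stale unnoticed.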
@@ -4605,7 +4607,7 @@ static bool wcache_tdc_store_list( struct 
winbindd_tdc_domain *domains, size_t n
goto done;
}
 
-   ret = tdb_store( wcache->tdb, key, data, 0 );
+   ret = tdb_store(wcache->tdb, key, data, TDB_REPLACE);
 
  done:
SAFE_FREE( data.dptr );
@@ -4922,7 +4924,7 @@ void wcache_store_ndr(struct winbindd_domain *domain, 
uint32_t opnum,
SBVAL(data.dptr, 4, timeout);
memcpy(data.dptr + 12, resp->data, resp->length);
 
-   tdb_store(wcache->tdb, key, data, 0);
+   tdb_store(wcache->tdb, key, data, TDB_REPLACE);
 
 done:
TALLOC_FREE(key.dptr);
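Review bot: the return value of tdb_store() in wcache_store_ndr() is still discarded, while wcache_tdc_store_list() in the previous hunk assigns it to ret. With the flag now explicit, check the result here too and log a failure (DBG_WARNING or similar) so that a failed cache write is visible.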


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Andreas Schneider
The branch, master has been updated
   via  68a1200f66e Restore empty string default for conf.env['icu-libs']
  from  833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs 
filesystem

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 68a1200f66e9008ca0a739b37b48c49453ca9d83
Author: Earl Chew 
Date:   Fri May 10 19:46:28 2024 -0700

Restore empty string default for conf.env['icu-libs']

The reworked ICU libraries configuration code used [] as
default for conf.env['icu-libs']. This breaks dependency analysis
in samba_deps.py because SAMBA_SUBSYSTEM() expects deps to be
a string.

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Tue May 14 14:44:06 UTC 2024 on atb-devel-224

---

Summary of changes:
 lib/util/charset/wscript_configure | 2 ++
 1 file changed, 2 insertions(+)


Changeset truncated at 500 lines:

diff --git a/lib/util/charset/wscript_configure 
b/lib/util/charset/wscript_configure
index c49b55a4fd4..adae44eab5e 100644
--- a/lib/util/charset/wscript_configure
+++ b/lib/util/charset/wscript_configure
@@ -46,3 +46,5 @@ if conf.CHECK_CFG(package='icu-i18n icu-uc',
 if not conf.CHECK_HEADERS('unicode/ustring.h', lib='icui18n'):
 conf.fatal('Found icui18n, but unicode/ustring.h is missing')
 conf.DEFINE('HAVE_UTF8_NORMALISATION', 1)
+else:
+conf.env['icu-libs'] = ''
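Review bot: the empty-string default is assigned only in this new else branch, so any other path through the ICU probe that leaves conf.env['icu-libs'] unset would bring back the non-string default the commit message describes. Setting conf.env['icu-libs'] = '' once before the conf.CHECK_CFG() call, with a one-line comment that SAMBA_SUBSYSTEM() expects deps to be a string, would cover every path.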


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Pavel Filipensky
The branch, master has been updated
   via  833c3f26b47 python/tests: Fix nlink test in smb3unix on btrfs 
filesystem
  from  1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no 
longer used directly

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 833c3f26b476c5f27d8dd000cfa423f0726cef1a
Author: Pavel Filipenský 
Date:   Mon May 13 12:13:38 2024 +0200

python/tests: Fix nlink test in smb3unix on btrfs filesystem

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Tue May 14 13:37:53 UTC 2024 on atb-devel-224

---

Summary of changes:
 python/samba/tests/smb3unix.py | 18 ++
 1 file changed, 14 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/smb3unix.py b/python/samba/tests/smb3unix.py
index d88bd432239..1962852349c 100644
--- a/python/samba/tests/smb3unix.py
+++ b/python/samba/tests/smb3unix.py
@@ -24,6 +24,7 @@ from samba.dcerpc import smb3posix
 from samba.ndr import ndr_unpack
 from samba.dcerpc.security import dom_sid
 import os
+import subprocess
 
 def posix_context(mode):
 return (libsmb.SMB2_CREATE_TAG_POSIX, mode.to_bytes(4, 'little'))
@@ -34,6 +35,9 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 super().setUp()
 
 self.samsid = os.environ["SAMSID"]
+prefix_abs = os.environ["PREFIX_ABS"]
+p = subprocess.run(['stat', '-f', '-c', '%T', prefix_abs], 
capture_output=True, text=True)
+self.fstype = p.stdout.strip().lower()
 
 def connections(self, share1=None, posix1=False, share2=None, posix2=True):
 if not share1:
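Review bot: the result of subprocess.run() in setUp() is never checked, so if stat fails on prefix_abs or does not support the -f -c '%T' options, self.fstype ends up as an empty string and the tests quietly take the non-btrfs branch. Pass check=True or assert on p.returncode, and consider failing with a clear message when PREFIX_ABS is not set instead of the bare KeyError from os.environ[...].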
@@ -303,7 +307,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 self.assertEqual(found_files[fname]['attrib'],
  libsmb.FILE_ATTRIBUTE_ARCHIVE)
 else:
-self.assertEqual(found_files[fname]['nlink'], 2)
+# Note: btrfs always reports the link count of directories 
as one.
+if self.fstype == "btrfs":
+self.assertEqual(found_files[fname]['nlink'], 1)
+else:
+self.assertEqual(found_files[fname]['nlink'], 2)
 self.assertEqual(found_files[fname]['attrib'],
  libsmb.FILE_ATTRIBUTE_DIRECTORY)
 
@@ -368,9 +376,11 @@ class Smb3UnixTests(samba.tests.libsmb.LibsmbTests):
 
 cc = ndr_unpack(smb3posix.smb3_posix_cc_info, cc_out[0][1])
 
-# Note: this fails on btrfs which always reports the link
-# count of directories as one.
-self.assertEqual(cc.nlinks, 2)
+# Note: btrfs always reports the link count of directories as one.
+if self.fstype == "btrfs":
+self.assertEqual(cc.nlinks, 1)
+else:
+self.assertEqual(cc.nlinks, 2)
 
 self.assertEqual(cc.reparse_tag, 
libsmb.IO_REPARSE_TAG_RESERVED_ZERO)
 self.assertEqual(cc.posix_perms, 0o700)


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-14 Thread Stefan Metzmacher
The branch, master has been updated
   via  1ca6fb563b0 lib/replace: make sure krb5_cc_default[_name]() is no 
longer used directly
   via  afcd53b8d09 auth/credentials_krb5: let cli_credentials_set_ccache() 
use smb_force_krb5_cc_default()
   via  a5d46f69d12 auth/credentials_krb5: use system/{gssapi,kerberos}.h
   via  845a2aae6f0 smbspool: let kerberos_ccache_is_valid() use 
smb_force_krb5_cc_default_name()
   via  4514fb5f439 smbspool_krb5_wrapper: let 
kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()
   via  a8da9de9f4a smbspool_krb5_wrapper: remove unused includes
   via  eb6dc35a704 krb5_wrap: let smb_krb5_renew_ticket() use 
smb_force_krb5_cc_default_name()
   via  f850bcfc0b4 krb5_wrap: add smb_force_krb5_cc_default[_name]() 
wrappers
   via  d49de777104 s3:libads: let kerberos_kinit_password_ext() require an 
explicit krb5 ccache
   via  70f9e3a0567 krb5_wrap: let ads_krb5_cli_get_ticket() require an 
explicit krb5 ccache
   via  fc92025ecb2 s3:libads: finally remove unused 
ads_connect[_user_creds]() and related code
   via  25806314dae s3:net: finally remove 
net_context->opt_{user_specified,user_name,password}
   via  a1ab1c8620c s3:net: remove unused net_context->smb_encrypt
   via  9620d2ecc18 s3:net: remove unused net_context->opt_kerberos
   via  2de585a9787 s3:include: remove unused krb5_env.h
   via  eb9ad5cc890 s3:net_ads: remove unused use_in_memory_ccache()
   via  e76fe56fdf6 s3:net_ads: make use of 
ads_connect_{cldap_only,creds}() in ads_startup_int()
   via  d59d957caba s3:libads: let ads_krb5_set_password() require an 
explicit krb5 ccache to operate on
   via  432273dd3ec s3:libads: kerberos_set_password() don't need to kinit 
before ads_krb5_chg_password()
   via  125db2ed815 s3:libads: remove unused kdc_host and time_offset 
arguments to kerberos_set_password()
   via  b641b35b028 s3:libads: remove unused kdc_host and time_offset 
arguments to ads_krb5_chg_password()
   via  3141423feb3 s3:libads: remove krb5_set_real_time() from 
ads_krb5_set_password()
   via  c85c084d69e s3:libads: remove unused kdc_host argument of 
ads_krb5_set_password()
   via  5f32f14ef58 s3:net_ads: require kerberos if we use 
ads_krb5_set_password() in ads_user_add()
   via  1eeeb76e6c5 s3:net_ads: use ADS_SASL_SEAL by default, so that we 
always get encryption
   via  612af29cef1 s3:net_ads: use cli_credentials_get_principal() in 
order to call kerberos functions
   via  55c9a6c0e3a s3:net: remove useless net_prompt_pass() wrapper
   via  d9082129f21 s3:net_rpc: make use of !c->explicit_credentials for 
NET_FLAGS_ANONYMOUS
   via  e690666fd10 s3:net: make use of c->explicit_credentials in order to 
check for valid credentials
   via  be1051f3792 s3:net: add net_context->explicit_credentials to check 
if credentials were passed
   via  a9beae36f0a s3:net: correctly implement --use-ccache as legacy for 
--use-winbind-ccache for 'net'
   via  579195769d6 s3:net_offlinejoin: we don't need to call 
libnetapi_set_use_kerberos() as we already passed cli_credentials
   via  f4f31236c4a s3:libnet_join: pass down cli_credentials 
*admin_credentials to libnet_{Join,Unjoin}Ctx()
   via  c0edd3406b9 s3:lib/netapi: make use of 
ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
   via  0470cc385d9 s3:lib/netapi: add libnetapi_get_creds()
   via  bd53e20764b libgpo/pygpo: make use of ads_connect_{creds,machine}()
   via  87e7a9488a0 s3:printing: make use of ads_connect_machine()
   via  f9496bfdf4e s3:libads: add ads_connect_machine() helper
   via  353abcb4d3e s3:libads: add ads_simple_creds() helper
   via  c36b0442244 s3:libads: make use of ads_connect_simple_anon() in 
ldap.c where possible
   via  7bfbea4c3c8 s3:libads: add ads_connect_simple_anon() helper
   via  c95a2785e20 lib/addns: rewrite signed dns update code to use gensec 
instead of plain gssapi
   via  5807689f968 s3:utils: let net_update_dns_internal() set status 
before goto done in all cases
   via  28af0829263 s3:winbindd: make use of 
winbindd_get_trust_credentials() in idmap_ad.c
   via  ed75331f525 s3:winbindd: make use of 
winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
   via  16bbb407fa5 s3:winbindd: make use of samba_sockaddr to avoid 
compiler warnings
   via  f903d80769b s3:winbindd: use 
winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
   via  8166642e1bd s3:winbindd: make winbindd_get_trust_credentials() 
public
   via  81a6c54fddc s3:libads: add ads_set_reconnect_fn() and only 
reconnect if we can get creds
   via  31e4614ee36 s3:libads: add ads_connect_creds() helper
   via  76e0d348ddd s3:libads: fix compiler warning in ads_mod_ber()
   via  bac243442a6 s3:libads: move ads->auth.time_offset to 
ads->config.time_offset
   via  ea97abd545e s3:libads: we 

[SCM] Samba Shared Repository - branch master updated

2024-05-09 Thread Andrew Bartlett
The branch, master has been updated
   via  712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a 
ipv6 response
   via  05807488fd3 Combine ICU libraries icu-i18n and icu-uc into a single 
dependency
   via  0c983bd0095 Improve CHECK_LIB interaction with CHECK_PKG
   via  363c3318577 Augment library_flags() to return libraries
   via  5aafd2fb404 selftest: add test for User.get_primary_group method
   via  8fe7f0a6d50 python: models: add get_primary_group method to User 
model
   via  1f47c0f6093 python: models: rename argument ldb to samdb
   via  237d9d0228c tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative
   via  380d9c5a739 .gitlab-ci-main.yml: debug kernel details of the 
current runner
  from  9844ac289be ldb-samba: ldif_read_objectSid avoids VLA

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2
Author: Stefan Metzmacher 
Date:   Tue May 7 14:53:24 2024 +

s3:libsmb: allow store_cldap_reply() to work with a ipv6 response

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224

commit 05807488fd340751ee976c5f8a367013ff94843e
Author: Earl Chew 
Date:   Sat Dec 16 08:48:36 2023 -0800

Combine ICU libraries icu-i18n and icu-uc into a single dependency

Rather than probing for icu-i18n, icu-uc, and icudata libraries
separately, only probe for icu-i18n, and icu-uc, as direct dependencies.
This avoids overlinking with icudata, and allows the package
to build even when ICU is not installed as a system library.

RN: Only use icu-i18n and icu-uc to express ICU dependency

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 0c983bd0095d4fb20ef8b42f5efb740393073862
Author: Earl Chew 
Date:   Sat Dec 16 17:47:09 2023 -0800

Improve CHECK_LIB interaction with CHECK_PKG

When checking for shared libraries, only name the target library
if it was not previously discovered by pkg-config --libs and now
available from uselib_store. This avoids using both sources of
information which results in the library being named twice on
the command line.

Once the library is confirmed by CHECK_LIB, append the library if
not already present, to avoid dropping libraries that were
previously discovered by CHECK_PKG.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 363c33185779141fdfbda695997d548939a0251f
Author: Earl Chew 
Date:   Sun Dec 17 08:37:33 2023 -0800

Augment library_flags() to return libraries

Extend library_flags() to return the libraries provided by
pkg-config --libs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623

Signed-off-by: Earl Chew 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5aafd2fb4042a2f787dd6a7bc9584494d29c405f
Author: Rob van der Linde 
Date:   Tue Apr 30 23:54:13 2024 +1200

selftest: add test for User.get_primary_group method

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8fe7f0a6d507c4711c9edbc8eab86cf0a46facaf
Author: Rob van der Linde 
Date:   Tue Apr 30 23:43:30 2024 +1200

python: models: add get_primary_group method to User model

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 1f47c0f609355aa469c04dafe6c4505f5823a6e3
Author: Rob van der Linde 
Date:   Tue Apr 30 23:42:05 2024 +1200

python: models: rename argument ldb to samdb

This argument is actually an instance of SamDB (which inherits from Ldb).

This should have been called samdb.

Signed-off-by: Rob van der Linde 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3
Author: Stefan Metzmacher 
Date:   Wed May 8 18:03:54 2024 +0200

tests/ntacls: unblock failing gitlab pipelines because 
test_setntacl_forcenative

This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 380d9c5a7392741ff2134ef1e83df45a29293db3
Author: Stefan Metzmacher 
Date:   Wed May 8 16:12:06 2024 +0200

.gitlab-ci-main.yml: debug kernel details of the current runner

Signed-off-by: Stefan Metzmacher 

[Announce] Samba 4.20.1 Available for Download

2024-05-08 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.20 release series.


Changes since 4.20.0


o  Douglas Bagnall 
   * BUG 15630: dns update debug message is too noisy.

o  Alexander Bokovoy 
   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.

o  Pavel Filipenský 
   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.

o  Anna Popova 
   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
     flag.

o  Noel Power 
   * BUG 15611: http library doesn't support 'chunked transfer encoding'.

o  Andreas Schneider 
   * BUG 15600: Provide a systemd service file for the background queue 
daemon.



###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.20.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team




[SCM] Samba Website Repository - branch master updated

2024-05-08 Thread Jule Anger
The branch, master has been updated
   via  2ec8209 NEWS[4.20.1]: Samba 4.20.1 Available for Download
  from  4728e21 NEWS[4.19.6]: Samba 4.19.6 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 2ec82090dff0576c8d451b444d01b9e8d2d44abf
Author: Jule Anger 
Date:   Wed May 8 10:05:24 2024 +0200

NEWS[4.20.1]: Samba 4.20.1 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.20.1.html| 54 
 posted_news/20240508-080633.4.20.1.body.html | 13 ++
 posted_news/20240508-080633.4.20.1.headline.html |  3 ++
 4 files changed, 71 insertions(+)
 create mode 100644 history/samba-4.20.1.html
 create mode 100644 posted_news/20240508-080633.4.20.1.body.html
 create mode 100644 posted_news/20240508-080633.4.20.1.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 8f60ff2..984ad78 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
Release Notes


+   samba-4.20.1
samba-4.20.0
samba-4.19.6.
samba-4.19.5.
diff --git a/history/samba-4.20.1.html b/history/samba-4.20.1.html
new file mode 100644
index 000..1206074
--- /dev/null
+++ b/history/samba-4.20.1.html
@@ -0,0 +1,54 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.20.1 - Release Notes
+
+
+Samba 4.20.1 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>Samba 
4.20.1 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>Patch
 (gzipped) against Samba 4.20.0
+https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall douglas.bagn...@catalyst.net.nz
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy a...@samba.org
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský pfilipen...@samba.org
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova popova.anna...@gmail.com
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15611: http library doesnt support chunked transfer 
encoding.
+
+o  Andreas Schneider a...@samba.org
+   * BUG 15600: Provide a systemd service file for the background queue daemon.
+
+
+
+
+
+
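Review bot: The download list at the top of the new page puts samba-4.20.1.tar.gz next to a signature named samba-4.20.1.tar.asc without saying what the signature covers. The news body added in this same commit says the uncompressed tarball is what was signed with GnuPG ID AA99442FB680B620, so the release notes page should say so next to the Signature link (decompress first, then verify the .tar against the .asc). Otherwise a reader who checks the .tar.gz directly sees a failed verification and may learn to ignore it. The same applies to the .diffs.gz / .diffs.asc pair below it.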
diff --git a/posted_news/20240508-080633.4.20.1.body.html 
b/posted_news/20240508-080633.4.20.1.body.html
new file mode 100644
index 000..0aef412
--- /dev/null
+++ b/posted_news/20240508-080633.4.20.1.body.html
@@ -0,0 +1,13 @@
+
+08 May 2024
+Samba 4.20.1 Available for Download
+
+This is the first stable release of the Samba 4.20 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/stable/samba-4.20.1.tar.gz;>downloaded
 now.
+A https://download.samba.org/pub/samba/patches/samba-4.20.0-4.20.1.diffs.gz;>patch
 against Samba 4.20.0 is also available.
+See https://www.samba.org/samba/history/samba-4.20.1.html;>the 
release notes for more info.
+
+
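Review bot: The first paragraph says "This is the first stable release of the Samba 4.20 release series", but the release notes page added in this same commit calls 4.20.1 "the latest stable release" and lists changes since 4.20.0. Change "first" to "latest" here so the announcement and the release notes agree.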
diff --git a/posted_news/20240508-080633.4.20.1.headline.html 
b/posted_news/20240508-080633.4.20.1.headline.html
new file mode 100644
index 000..143404a
--- /dev/null
+++ b/posted_news/20240508-080633.4.20.1.headline.html
@@ -0,0 +1,3 @@
+
+ 08 May 2024 Samba 4.20.1 Available for Download
+


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch v4-20-stable updated

2024-05-08 Thread Jule Anger
The branch, v4-20-stable has been updated
   via  0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
   via  d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1.
   via  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children
   via  d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only 
flag propagation
   via  83da49f3489 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh
   via  84f82a09ffd selftest: Add "winbind expand groups = 1" to 
setup_ad_member_idmap_ad
   via  83701298384 s3:winbindd: Improve performance of lookup_groupmem() 
in idmap_ad
   via  8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad
   via  215bb9bd48e Do not fail checksums for RFC8009 types
   via  db60a1947b8 s4:dns_server: less noisy, more informative debug 
messages
   via  9155d89a2ae packaging: Provide a systemd service file for samba-bgqd
   via  077f39baf7c libcli/http: Detect unsupported Transfer-encoding type
   via  2fb1bf0205f selftest: Add new test for testing non-chunk transfer 
encoding
   via  30bf3d1430f selftest: fix potential reference before assigned error
   via  a70e3a36c82 libcli/http: Handle http chunked transfer encoding
   via  7e17e4809d5 tests: add test for chunked encoding with http cli 
library
   via  26206392153 libcli/http: Optimise reading for content-length
   via  71eac5a065f selftest: Add basic content-lenght http tests
   via  19250e13ab6 Add simple http_client for use in black box tests (in 
following commits)
   via  eaefe50327d VERSION: Bump version up to Samba 4.20.1...
  from  8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable


- Log -
---

Summary of changes:
 VERSION|   2 +-
 WHATSNEW.txt   |  55 +++
 auth/kerberos/kerberos_pac.c   |  47 ++-
 docs-xml/manpages/idmap_ad.8.xml   |  10 +
 lib/krb5_wrap/krb5_samba.h |  28 ++
 libcli/http/http.c | 309 +++-
 libcli/http/http_internal.h|   4 +
 nsswitch/tests/test_idmap_ad.sh|  22 ++
 .../{samba.service.in => samba-bgqd.service.in}|   9 +-
 packaging/wscript_build|   3 +-
 python/samba/tests/blackbox/http_chunk.py  | 129 +++
 python/samba/tests/blackbox/http_content.py|  95 +
 .../blackbox/smbcacls_propagate_inhertance.py  | 108 ++
 selftest/target/Samba3.pm  |   1 +
 selftest/tests.py  |   2 +
 source3/utils/smbcacls.c   |   4 +
 source3/winbindd/winbindd_ads.c|  11 +-
 source4/client/http_test.c | 401 +
 source4/dns_server/dnsserver_common.c  |   9 +-
 source4/wscript_build  |   5 +
 20 files changed, 1200 insertions(+), 54 deletions(-)
 copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%)
 create mode 100644 python/samba/tests/blackbox/http_chunk.py
 create mode 100644 python/samba/tests/blackbox/http_content.py
 create mode 100644 source4/client/http_test.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 482360b7d68..cfa7539380b 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c97836d36f..8249e9326f9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall 
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy 
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský 
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support 'chunked transfer encoding'.
+
+o  Andreas Schneider 

[SCM] Samba Shared Repository - annotated tag samba-4.20.1 created

2024-05-08 Thread Jule Anger
The annotated tag, samba-4.20.1 has been created
at  dc3912d4f21e57549c2062e03c9bf94afb9d8307 (tag)
   tagging  0ba948cba0b8b0dd4fddbc94999a61b883a3326d (commit)
  replaces  samba-4.20.0
 tagged by  Jule Anger
on  Wed May 8 10:05:04 2024 +0200

- Log -
samba: tag release samba-4.20.1

Alexander Bokovoy (1):
  Do not fail checksums for RFC8009 types

Andreas Schneider (1):
  packaging: Provide a systemd service file for samba-bgqd

Anna Popova (1):
  s3:utils: Fix Inherit-Only flag being automatically propagated to children

Douglas Bagnall (1):
  s4:dns_server: less noisy, more informative debug messages

Jule Anger (3):
  VERSION: Bump version up to Samba 4.20.1...
  WHATSNEW: Add release notes for Samba 4.20.1.
  VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.

Noel Power (8):
  Add simple http_client for use in black box tests (in following commits)
  selftest: Add basic content-lenght http tests
  libcli/http: Optimise reading for content-length
  tests: add test for chunked encoding with http cli library
  libcli/http: Handle http chunked transfer encoding
  selftest: fix potential reference before assigned error
  selftest: Add new test for testing non-chunk transfer encoding
  libcli/http: Detect unsupported Transfer-encoding type

Pavel Filipenský (4):
  docs-xml: Add parameter all_groupmem to idmap_ad
  s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
  selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
  tests: Add a test for "all_groups=no" to test_idmap_ad.sh

yuzu367 (1):
  python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-20-test updated

2024-05-08 Thread Jule Anger
The branch, v4-20-test has been updated
   via  9b6bc91254c VERSION: Bump version up to Samba 4.20.2...
   via  0ba948cba0b VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.
   via  d01b50ec4f3 WHATSNEW: Add release notes for Samba 4.20.1.
  from  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 9b6bc91254c96a248047c01d68a074edea3f0e6a
Author: Jule Anger 
Date:   Wed May 8 10:00:33 2024 +0200

VERSION: Bump version up to Samba 4.20.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 0ba948cba0b8b0dd4fddbc94999a61b883a3326d
Author: Jule Anger 
Date:   Wed May 8 10:00:17 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.20.1 release.

Signed-off-by: Jule Anger 

commit d01b50ec4f3cc3c91677703677e3b45cd1d94758
Author: Jule Anger 
Date:   Wed May 8 09:59:43 2024 +0200

WHATSNEW: Add release notes for Samba 4.20.1.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 55 +++
 2 files changed, 56 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 81c319ddc0c..e279f2933b8 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2024"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=20
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c97836d36f..8249e9326f9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+   ==
+   Release Notes for Samba 4.20.1
+May 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.20 release series.
+
+
+Changes since 4.20.0
+
+
+o  Douglas Bagnall 
+   * BUG 15630: dns update debug message is too noisy.
+
+o  Alexander Bokovoy 
+   * BUG 15635: Do not fail PAC validation for RFC8009 checksums types.
+
+o  Pavel Filipenský 
+   * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad.
+
+o  Anna Popova 
+   * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only
+ flag.
+
+o  Noel Power 
+   * BUG 15611: http library doesn't support 'chunked transfer encoding'.
+
+o  Andreas Schneider 
+   * BUG 15600: Provide a systemd service file for the background queue daemon.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.20.0
March 27, 2024


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-07 Thread Andrew Bartlett
The branch, master has been updated
   via  9844ac289be ldb-samba: ldif_read_objectSid avoids VLA
   via  bf4af1a28a3 ldb-samba: ldif_read_objectSid() short-circuits without 
'S'
   via  6c0bdf37187 lib/fuzzing: add fuzz_stable_sort_r_unstable
   via  59cbaa91348 ldb: note a transitivity problem in ldb_comparison_fold
   via  e2051eebd49 ldb:attrib_handlers: reduce non-transitive behaviour in 
ldb_comparison_fold
   via  f81b7c7eb20 ldb:attrib_handlers: use NUMERIC_CMP in 
ldb_comparison_fold
   via  3e899ef5bfa ldb-samba: remove unused 
ldif_comparision_objectSid_isString()
   via  8c702735641 ldb-samba: simplify extended_dn_read_SID()
   via  c6c7cb8d4ba ldb-samba: simplify ldif_canonicalise_objectSid()
   via  be5fd9a3a1b ldb-samba: simplify ldif_comparison_objectSid()
   via  d801ed8b111 pytest: sid_strings: Samba DN object refuses sub-auth 
overflow
   via  edf9b282ba6 pytest: sid_strings: adjust to match Windows 2016
   via  473502d1701 pytest: sid_strings: Windows does allow lowercase 
s-1-... SIDs
   via  fb724c61107 pytest: sid_strings: use more reliable well known SID
   via  ae4f095586e ldb-samba: ldif_write_schemaInfo() uses correct size
   via  13af2cb0217 lib:util: codepoint_cmpi: be transitive and 
case-insensitive
   via  310d59c7cc3 lib:util:tests: more tests for codepoint_cmpi
   via  827b0c39ed0 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
   via  c5c29f59fa6 s4:rpc_srv:getncchanges: USN sort uses qsort() instead 
of ldb_qsort()
   via  65df8ce05c1 s4:rpc_srv:getncchanges: 4.5 anc emulation uses 
qsort(), not ldb_qsort()
   via  5335f122fb5 s4:dsdb:mod: repl_md: make message_sort transitive
   via  7f995ab887a ldb:tools: ldbsearch doesn't need ldb_qsort()
   via  b37186cf917 s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
   via  91b802941c1 s4:dsdb:util_trusts: describe dns_cmp return values
   via  8f080c0295d ldb:tests: add a test for dotted i uppercase
   via  af7654331fb ldb: avoid NULL deref in ldb_db_compare
  from  d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9844ac289be3430fd3f72c5e57fa00e012c5d417
Author: Douglas Bagnall 
Date:   Sat May 4 13:40:35 2024 +1200

ldb-samba: ldif_read_objectSid avoids VLA

I don't think this variable length array is any trouble, but people
complain about them (e.g. https://nullprogram.com/blog/2019/10/27/)
because they make things more complex at run-time, and this is a
somewhat performance sensitive path.

DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to
cause trouble, then so was the VLA <= that.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed May  8 00:26:42 UTC 2024 on atb-devel-224

commit bf4af1a28a3580223fcc3a861c7fdd1b43f234d1
Author: Douglas Bagnall 
Date:   Sat May 4 13:32:39 2024 +1200

ldb-samba: ldif_read_objectSid() short-circuits without 'S'

This avoids a memcpy, and level 3 debug verbosity from
dom_sid_parse_endp().

In other places we have something like `|| in->data[1] != '-'`, but
that is not useful here -- the value is either a string SID, or a
binary SID that starts with '\1', or some awful value that we *do*
want to get messages about.

This replaces the work of ldif_comparision_objectSid_isString().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6c0bdf371878eb1a3a1c3b1663379a89bd0ec2c0
Author: Douglas Bagnall 
Date:   Wed May 1 17:16:38 2024 +1200

lib/fuzzing: add fuzz_stable_sort_r_unstable

This should find out how well stable_sort copes with an unstable
non-transitive comparison function.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 59cbaa91348857c51854ee5e6bc8f78cdcde4e56
Author: Douglas Bagnall 
Date:   Tue Apr 30 12:41:25 2024 +1200

ldb: note a transitivity problem in ldb_comparison_fold

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e2051eebd492a419f840280336eb242d0b4a26ac
Author: Douglas Bagnall 
Date:   Fri Apr 26 15:58:44 2024 +1200

ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold

If two strings are invalid UTF-8, the string is first compared with
memcmp(), which compares as unsigned char.

If the strings are of different lengths and one is a substring of the
other, the memcmp() returns 0 and a second comparison is made which
assumes the next character in the shorter string is '\0' -- but this
comparison was done using SIGNED chars (on most systems). That leads
to 
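
The mismatch this commit message describes, as an added C example (a simplified model, not Samba's ldb code): memcmp() orders the common prefix as unsigned bytes, while the first extra byte of the longer string is read as a signed char. All names and the three sample byte strings are constructed for illustration, and the explicit `signed char` cast stands in for platforms where plain `char` is signed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A byte string with an explicit length; the contents may be invalid UTF-8. */
struct bytes {
	const unsigned char *data;
	size_t len;
};

typedef int (*cmp_fn)(const struct bytes *a, const struct bytes *b);

/*
 * Binary fallback as described in the commit message: memcmp() over the
 * common prefix, then the first extra byte of the longer string is compared
 * with an implied '\0'. tail_signed selects how that extra byte is read.
 */
static int cmp_fallback(const struct bytes *a, const struct bytes *b,
			int tail_signed)
{
	size_t n = a->len < b->len ? a->len : b->len;
	int ret = memcmp(a->data, b->data, n);	/* unsigned char ordering */

	if (ret != 0 || a->len == b->len) {
		return ret;
	}
	if (a->len > b->len) {
		unsigned char c = a->data[n];
		return tail_signed ? (int)(signed char)c : (int)c;
	} else {
		unsigned char c = b->data[n];
		return tail_signed ? -(int)(signed char)c : -(int)c;
	}
}

/* Tail byte read as signed char: the inconsistent variant. */
int cmp_signed_tail(const struct bytes *a, const struct bytes *b)
{
	return cmp_fallback(a, b, 1);
}

/* Tail byte read as unsigned char: consistent with memcmp(). */
int cmp_unsigned_tail(const struct bytes *a, const struct bytes *b)
{
	return cmp_fallback(a, b, 0);
}

/* Count ordered triples with a < b and b < c but not a < c. */
int transitivity_violations(cmp_fn cmp, const struct bytes *v, size_t n)
{
	int bad = 0;

	for (size_t i = 0; i < n; i++) {
		for (size_t j = 0; j < n; j++) {
			for (size_t k = 0; k < n; k++) {
				if (cmp(&v[i], &v[j]) < 0 &&
				    cmp(&v[j], &v[k]) < 0 &&
				    !(cmp(&v[i], &v[k]) < 0)) {
					bad++;
				}
			}
		}
	}
	return bad;
}

/* Constructed samples, all invalid UTF-8: a 0xC3 lead byte with no valid
 * continuation byte after it. */
static const unsigned char X[] = { 0xc3 };
static const unsigned char W[] = { 0xc3, 0x01 };
static const unsigned char Y[] = { 0xc3, 0xff };
const struct bytes SAMPLES[3] = {
	{ X, sizeof(X) }, { W, sizeof(W) }, { Y, sizeof(Y) },
};

int main(void)
{
	/* Signed tail: X < W and W < Y, yet Y < X, so the order is a cycle. */
	printf("signed tail:   %d violations\n",
	       transitivity_violations(cmp_signed_tail, SAMPLES, 3));
	printf("unsigned tail: %d violations\n",
	       transitivity_violations(cmp_unsigned_tail, SAMPLES, 3));
	return 0;
}
```

A comparator with such a cycle gives sort and binary-search routines no consistent order to rely on, so results depend on the order in which elements happen to be compared.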

[SCM] Samba Shared Repository - branch master updated

2024-05-07 Thread Stefan Metzmacher
The branch, master has been updated
   via  d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com
  from  87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value 
from 'client use kerberos'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d58a72c572f63619111f43f6ea39ff84ae0df16e
Author: Andrew Bartlett 
Date:   Tue May 7 22:32:08 2024 +1200

.gitlab-ci: Remove tags no longer provided by gitlab.com

GitLab.com removed a number of tags from their hosted
runners and this meant our CI was being redirected to
our private runners at a larger cost to the Samba Team.

The new infrastructure is much larger than when we last
selected runners so we can just use the default, even for
the code coverage build.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue May  7 13:40:55 UTC 2024 on atb-devel-224

---

Summary of changes:
 .gitlab-ci-coverage-runners.yml |  8 +---
 .gitlab-ci-default-runners.yml  | 44 +++--
 2 files changed, 12 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml
index 0f6b2ec1581..331c5d2399c 100644
--- a/.gitlab-ci-coverage-runners.yml
+++ b/.gitlab-ci-coverage-runners.yml
@@ -1,10 +1,4 @@
 include:
   - /.gitlab-ci-default-runners.yml
 
-.shared_runner_test:
-  # We need the more powerful n1-standard-2 runners
-  # in order to handle the lcov overhead.
-  #
-  # See .gitlab-ci-default-runners.yml for more details
-  tags:
-- gitlab-org-docker
+# Currently we're happy with the defaults
diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml
index f73f868d39c..bdc504aff21 100644
--- a/.gitlab-ci-default-runners.yml
+++ b/.gitlab-ci-default-runners.yml
@@ -1,48 +1,26 @@
-# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners:
+# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html
 #
 #   ...
 #
-#   All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, 
CoreOS
-#   and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB 
of
-#   HDD disk space. The default region of the VMs is US East1. Each instance is
-#   used only for one job, this ensures any sensitive data left on the system 
can’t
-#   be accessed by other people their CI jobs.
-#
-#   The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are 
dedicated
-#   for GitLab projects as well as community forks of them. They use a slightly
-#   larger machine type (n1-standard-2) and have a bigger SSD disk size. They 
don’t
-#   run untagged jobs and unlike the general fleet of shared runners, the 
instances
-#   are re-used up to 40 times.
-#
-#   ...
-#
-# The n1-standard-1 runners seem to be tagged with 'docker' together with 
'gce'.
-#
-# The more powerful n1-standard-2 runners seem to be tagged with
-# 'gitlab-org-docker' or some with just 'gitlab-org'.
-#
+#   Runner Tag  vCPUs   Memory   Storage
+#   saas-linux-small-amd64  2   8 GB 25 GB
 #
 # Our current private runner 'docker', 'samba-ci-private', 'shared' and
 # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an
-# ext4 filesystem and similar RAM as the n1-standard-2 runners.
+# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM.
 #
 
 .shared_runner_build:
-  # We use n1-standard-1 shared runners by default.
-  #
-  # There are currently 5 shared runners with 'docker' and 'gce',
-  # while there are only 2 provising 'docker' together with 'shared'.
+  # We use saas-linux-small-amd64 shared runners by default.
+  # We avoid adding explicit tags for them in order
+  # to work with potential changes in future
   #
-  # We used to fallback to our private runner if the docker+shared runners
-  # were busy, but now that we use the 5 docker+gce runners, we try to only
-  # use shared runners without a fallback to our private runner!
-  # Lets see how that will work out.
-  tags:
-- docker
-- gce
+  # In order to generate valid yaml, we define a dummy variable...
+  variables:
+SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build
 
 .shared_runner_test:
-  # Currently we're fine using the n1-standard-1 runners also for testing
+  # We use saas-linux-small-amd64 shared runners by default.
   extends: .shared_runner_build
 
 .private_runner_test:
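Review bot: With the tags: lists removed from .shared_runner_build, nothing in this file pins these jobs to the hosted saas-linux-small-amd64 runners any more; they become untagged jobs and run on whichever runner accepts untagged work. The commit message gives the reason for the change as stopping CI from being redirected to the private runners, so the new comment should state the assumption that the private runners are not set up to pick up untagged jobs, or the redirection can come back without any change to this file. Minor: the added private-runner comment line mixes "4 GB" and "8G"; use one spelling for the unit.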


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-05-07 Thread Stefan Metzmacher
The branch, master has been updated
   via  87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value 
from 'client use kerberos'
   via  e6c693b7056 s3:winbindd: pass a NULL ccache to 
kerberos_return_pac() for a MEMORY ccache
   via  147565232dc s3:libads: use smb_krb5_cc_new_unique_memory() in 
kerberos_return_pac()
   via  16a5279e291 auth/credentials: use smb_krb5_cc_new_unique_memory() 
in cli_credentials_new_ccache()
   via  176c55efb20 auth/credentials: use smb_krb5_cc_new_unique_memory() 
in cli_credentials_shallow_ccache()
   via  5d385ab691f auth/credentials: use smb_krb5_cc_new_unique_memory() 
in smb_gss_krb5_copy_ccache()
   via  92bebeb58ef auth/credentials: use smb_krb5_cc_new_unique_memory() 
in krb5_cc_remove_cred_wrap()
   via  21b96f010a4 lib/krb5_wrap: make use of 
smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache()
   via  48bcc218c98 lib/krb5_wrap: add smb_krb5_cc_new_unique_memory()
   via  e3f97f35b18 s3:gse: don't call krb5_cc_resolve() as server
   via  6ced3c6af22 s3:gse: avoid prompting for a password that we don't 
use in the end
   via  ce05fe3b718 s3:gse: make use of gensec_kerberos_possible()
   via  4dd2468d5bc s4:gensec_gssapi: make use of gensec_kerberos_possible()
   via  a3c87bf4404 auth/gensec: add gensec_get_unparsed_target_principal() 
helper
   via  996fd13949b auth/gensec: add gensec_kerberos_possible() helper
   via  1275e77933f s3:client: avoid cli_credentials_get_password() to 
check for a specified password
   via  b9cf6c8dd4d auth:creds: Add test for 
cli_credentials_get_username_obtained()
   via  f9afd24c907 auth/credentials: add 
cli_credentials_get_username_obtained()
   via  7f0aff46825 auth:creds: Add test for 
cli_credentials_get_password_obtained()
   via  c14366cce45 auth/credentials: add 
cli_credentials_get_password_obtained()
   via  a85f1b6facd lib/cmdline: skip the password prompt if we have a 
valid krb5 ccache
   via  c7d3946659f auth/credentials: add 
cli_credentials_get_ccache_name_obtained()
   via  4723d695608 auth:creds: Add test for 
cli_credentials_get_principal_obtained()
   via  1e5546748cd auth/credentials: add 
cli_credentials_get_principal_obtained()
  from  5edd1e7c3ee smbd: Implement FSCTL_DELETE_REPARSE_POINT

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 87e31f88f28210dc6b7033182435f55204098368
Author: Stefan Metzmacher 
Date:   Thu Mar 7 15:31:39 2024 +0100

s3:libsmb: let cli_session_creds_init() keep the value from 'client use 
kerberos'

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue May  7 12:33:29 UTC 2024 on atb-devel-224

commit e6c693b705686a590d2fa8f434ff015d8926a349
Author: Stefan Metzmacher 
Date:   Wed Feb 28 17:28:43 2024 +0100

s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache

It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory().

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 147565232dc7cc3127e09268000723c5a3eea62b
Author: Stefan Metzmacher 
Date:   Wed Feb 28 17:27:39 2024 +0100

s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 16a5279e2918e7348f1695629bf3fa61c9007424
Author: Stefan Metzmacher 
Date:   Tue Feb 27 16:38:42 2024 +0100

auth/credentials: use smb_krb5_cc_new_unique_memory() in 
cli_credentials_new_ccache()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 176c55efb202f1f218c6c4ddf69d2d357488e25f
Author: Stefan Metzmacher 
Date:   Tue Feb 27 16:21:02 2024 +0100

auth/credentials: use smb_krb5_cc_new_unique_memory() in 
cli_credentials_shallow_ccache()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 5d385ab691f21bdd4524c41560c7f53653cf179d
Author: Stefan Metzmacher 
Date:   Tue Feb 27 16:19:58 2024 +0100

auth/credentials: use smb_krb5_cc_new_unique_memory() in 
smb_gss_krb5_copy_ccache()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 92bebeb58ef5ab91937d29640bf7a3c7929518ca
Author: Stefan Metzmacher 
Date:   Tue Feb 27 15:49:09 2024 +0100

auth/credentials: use smb_krb5_cc_new_unique_memory() in 
krb5_cc_remove_cred_wrap()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 21b96f010a4f9472a03aca5f4c1ed5a658530f52
Author: Stefan Metzmacher 
Date:   Tue Feb 27 15:47:15 2024 +0100

lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in 
smb_krb5_kinit_s4u2_ccache()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 48bcc218c980e9478e2a3479e889766e6ca7f1dd

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-05-07 Thread Jule Anger
The branch, v4-19-test has been updated
   via  b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically 
propagated to children
   via  e703c0c3914 python/samba/tests/blackbox: Add tests for Inherit-only 
flag propagation
  from  2930a1955bf libcli/http: Detect unsupported Transfer-encoding type

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit b00c09bee3bc28e5637fd786122faeb6b200f2c5
Author: Anna Popova 
Date:   Fri Apr 12 17:32:37 2024 +0300

s3:utils: Fix Inherit-Only flag being automatically propagated to children

Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224

(cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901)

Autobuild-User(v4-19-test): Jule Anger 
Autobuild-Date(v4-19-test): Tue May  7 09:31:32 UTC 2024 on atb-devel-224

commit e703c0c3914d79f5ae4f42b3055e7a2005194927
Author: yuzu367 
Date:   Thu Apr 11 11:31:07 2024 +0300

python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 
(cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d)

---

Summary of changes:
 .../blackbox/smbcacls_propagate_inhertance.py  | 108 +
 selftest/knownfail.d/smbcacls  |   0
 source3/utils/smbcacls.c   |   4 +
 3 files changed, 112 insertions(+)
 delete mode 100644 selftest/knownfail.d/smbcacls


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
index cfe7e0b0b96..2c21c83ccd4 100644
--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
@@ -1288,3 +1288,111 @@ class 
InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase):
 
 except BlackboxProcessError as e:
 self.fail(str(e))
+
+def test_simple_iocioi_add(self):
+"""test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+for the file and additionally use inheritance rules to propagate 
appropriate
+changes to children
+
+This test adds an ACL with (IO)(CI)(OI)(READ)
+
+before:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F)
+  | +-file.1(I)(F)
+  | +-nested/  (OI)(CI)(I)(F)
+  |   +-file.2  (I)(F)
+  |   +-nested_again/ (OI)(CI)(I)(F)
+  | +-file.3  (I)(F)
+
+after/expected:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ)
+  | +-file.1(I)(F), (I)(READ)
+  | +-nested/  (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  |   +-file.2  (I)(F), (I)(READ)
+  |   +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  | +-file.3  (I)(F), (I)(READ)"""
+
+dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user
+obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user
+dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user
+
+try:
+
+self.smb_cacls(["--propagate-inheritance", "--add",
+dir_add_acl_str, self.oi_dir])
+
+# check top level container 'oi_dir' has IO|CI|OI/READ
+dir_ace = self.ace_parse_str(dir_add_acl_str)
+self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
+
+# file 'oi_dir/file-1' should  have inherited I/READ
+child_file_ace = self.ace_parse_str(obj_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.f1, child_file_ace))
+
+# nested dir  'oi_dir/nested/' should have I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_dir, 
child_dir_ace))
+
+# nested file 'oi_dir/nested/file-2' should  have inherited I/READ
+self.assertTrue(self.file_ace_check(self.f2, child_file_ace))
+
+# nested_again dir  'oi_dir/nested/nested_again' should have 
I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_again_dir, 
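Review bot: Every assertion visible in test_simple_iocioi_add checks that an expected ACE is present (assertTrue(self.file_ace_check(...))); none checks that the children do not carry an ACE with the IO flag, which is the behaviour the accompanying fix is about. If file_ace_check() matches on the exact flag set this is covered implicitly, but that is not visible here, so consider reusing dir_ace (parsed from "ALLOWED/OI|CI|IO/READ") and asserting with assertFalse that it is not found on self.nested_dir and self.nested_again_dir. Also, the comments name 'file-1' and 'file-2' while the docstring tree shows file.1 and file.2; use one spelling.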

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-05-07 Thread Jule Anger
The branch, v4-20-test has been updated
   via  db658c40f5d s3:utils: Fix Inherit-Only flag being automatically 
propagated to children
   via  d28a889aed2 python/samba/tests/blackbox: Add tests for Inherit-only 
flag propagation
  from  83da49f3489 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit db658c40f5d8aeef9dcc190753b7d14b1fa3f5fb
Author: Anna Popova 
Date:   Fri Apr 12 17:32:37 2024 +0300

s3:utils: Fix Inherit-Only flag being automatically propagated to children

Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224

(cherry picked from commit 80159018e411c643fbfe7ef82bd33e30b6147901)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Tue May  7 08:52:48 UTC 2024 on atb-devel-224

commit d28a889aed25ac98ba4ef34b26190224e5ebe907
Author: yuzu367 
Date:   Thu Apr 11 11:31:07 2024 +0300

python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 
(cherry picked from commit eba2bfde347041a395f0fbd3c57235be63b1890d)

---

Summary of changes:
 .../blackbox/smbcacls_propagate_inhertance.py  | 108 +
 source3/utils/smbcacls.c   |   4 +
 2 files changed, 112 insertions(+)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
index cc13727b8fb..5b3a27111d5 100644
--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
@@ -1288,3 +1288,111 @@ class 
InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase):
 
 except BlackboxProcessError as e:
 self.fail(str(e))
+
+def test_simple_iocioi_add(self):
+"""test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+for the file and additionally use inheritance rules to propagate 
appropriate
+changes to children
+
+This test adds an ACL with (IO)(CI)(OI)(READ)
+
+before:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F)
+  | +-file.1(I)(F)
+  | +-nested/  (OI)(CI)(I)(F)
+  |   +-file.2  (I)(F)
+  |   +-nested_again/ (OI)(CI)(I)(F)
+  | +-file.3  (I)(F)
+
+after/expected:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ)
+  | +-file.1(I)(F), (I)(READ)
+  | +-nested/  (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  |   +-file.2  (I)(F), (I)(READ)
+  |   +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  | +-file.3  (I)(F), (I)(READ)"""
+
+dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user
+obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user
+dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user
+
+try:
+
+self.smb_cacls(["--propagate-inheritance", "--add",
+dir_add_acl_str, self.oi_dir])
+
+# check top level container 'oi_dir' has IO|CI|OI/READ
+dir_ace = self.ace_parse_str(dir_add_acl_str)
+self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
+
+# file 'oi_dir/file-1' should  have inherited I/READ
+child_file_ace = self.ace_parse_str(obj_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.f1, child_file_ace))
+
+# nested dir  'oi_dir/nested/' should have I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_dir, 
child_dir_ace))
+
+# nested file 'oi_dir/nested/file-2' should  have inherited I/READ
+self.assertTrue(self.file_ace_check(self.f2, child_file_ace))
+
+# nested_again dir  'oi_dir/nested/nested_again' should have 
I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_again_dir, 
child_dir_ace))
+# nested_again file 'oi_dir/nested/nested_again/file-3' should  
have 
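
Review bot: every check in test_simple_iocioi_add is an `assertTrue` that the expected inherited ACE is present, so the test never states the property the fix is about, namely that the IO flag from `dir_add_acl_str` is absent on `nested/` and `nested_again/`. Consider adding a negative check such as `self.assertFalse(self.file_ace_check(self.nested_dir, dir_ace))` (and the same for `self.nested_again_dir`); how `file_ace_check` compares flags is not visible in this hunk, but an explicit negative assertion makes a regression fail on the IO flag itself and also catches a child that ends up carrying both the `OI|CI|I` and the `OI|CI|IO` ACE.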

[SCM] Samba Shared Repository - branch master updated

2024-05-06 Thread Jeremy Allison
The branch, master has been updated
   via  5edd1e7c3ee smbd: Implement FSCTL_DELETE_REPARSE_POINT
   via  97c79d47dd7 tests: Test FSCTL_DELETE_REPARSE_POINT
   via  d80a884f54c tests: Run reparse tests
   via  4fa6cffcfae tests: Expected failures in reparse point tests should not be errors
   via  8ace45e0da9 smbd: Implement fsctl_set_reparse_point
   via  6eba4b794f0 smbd: Implement fsctl_get_reparse_point
   via  7dc07710fbe tests: Clean up behind ourselves in test_create_reparse
   via  4536cfb1ec1 tests: Codify IO_REPARSE_TAG_MISMATCH behaviour
   via  fb74b3b5073 tests: Clarify a reparse point test
   via  6526f20e42b s3: smbd: smb2-posix: Add SAMBA_XATTR_REPARSE_ATTRIB "user.SmbReparse" name.
   via  deed7fab03d selftest: Default to "tmp" share in reparsepoints.py
   via  1fa7668ee82 smbd: Use reparse_buffer_check() in fsctl_set_reparse_point()
   via  4b98f993a25 smbd: Prepare to return the reparse tag from fsctl_get_reparse_point
   via  db5c23e4be7 smbd: Change the output of fsctl_get_reparse_point to uint8
   via  fafe29a2640 reparse: Tighten reparse point length check
   via  2defbc994de smbd: Return FILE_ATTRIBUTE_REPARSE_POINT from "user.DOSATTRIB"
  from  c5a1c8d45b9 s4:dsdb: Fix stack use after scope in gkdi_create_root_key()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5edd1e7c3ee8aa0e873b98285ddf2344cf96932c
Author: Volker Lendecke 
Date:   Mon May 6 16:59:44 2024 +0200

smbd: Implement FSCTL_DELETE_REPARSE_POINT

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon May  6 21:55:03 UTC 2024 on atb-devel-224

commit 97c79d47dd7294f4f78d9dbc799153afaf5fa03f
Author: Volker Lendecke 
Date:   Mon May 6 16:35:25 2024 +0200

tests: Test FSCTL_DELETE_REPARSE_POINT

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit d80a884f54c50e8c47c038cb8a7a120f3f142699
Author: Volker Lendecke 
Date:   Fri May 3 15:03:30 2024 +0200

tests: Run reparse tests

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 4fa6cffcfae68d816ddecb58003775b58b38cfd7
Author: Volker Lendecke 
Date:   Sun May 5 12:16:39 2024 +0200

tests: Expected failures in reparse point tests should not be errors

We need to put them into knownfail.d individually

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 8ace45e0da9dcfc660e83e9486646723b8eaa015
Author: Volker Lendecke 
Date:   Fri Dec 2 11:56:08 2022 +0100

smbd: Implement fsctl_set_reparse_point

Store the data in the "user.SmbReparse" xattr. Only allow this on
regular files. Windows does it for directories too, but we can not
allow this: Setting a symlink reparse point in a xattr on a directory
would go unnoticed by our openat2-optimization. If someone really
needs this, we could have a VFS module disallowing openat2 and doing
the appropriate checks on every openat-call.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6eba4b794f0bfa9b85dc7ca754a12169d7b89bd5
Author: Volker Lendecke 
Date:   Sun May 5 11:14:45 2024 +0200

smbd: Implement fsctl_get_reparse_point

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 7dc07710fbede128d0b7064f78d86dfabd47cf5d
Author: Volker Lendecke 
Date:   Fri May 3 14:52:42 2024 +0200

tests: Clean up behind ourselves in test_create_reparse

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 4536cfb1ec1fdf7dcaf0989d04770512c208e241
Author: Volker Lendecke 
Date:   Fri May 3 14:49:46 2024 +0200

tests: Codify IO_REPARSE_TAG_MISMATCH behaviour

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit fb74b3b50734838c77a314bb37ef5d7b8dec7fb3
Author: Volker Lendecke 
Date:   Fri May 3 14:49:24 2024 +0200

tests: Clarify a reparse point test

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6526f20e42bcc533ad5c8a4c402622dc0a5c0fd8
Author: Jeremy Allison 
Date:   Tue Sep 18 09:03:22 2018 -0700

s3: smbd: smb2-posix: Add SAMBA_XATTR_REPARSE_ATTRIB "user.SmbReparse" name.

Ensure it's prohibited for normal user access.

Signed-off-by: Jeremy Allison 
Reviewed-by: Volker Lendecke 

commit deed7fab03d2f2c7865cbdc9ef6c55353714d5a6
Author: Volker Lendecke 
Date:   Mon Jan 2 13:56:12 2023 +0100

selftest: Default to "tmp" share in reparsepoints.py

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 1fa7668ee827e0ccac4e15c257d73bf5de2ed701
Author: Volker Lendecke 
Date:   Thu May 2 16:34:43 2024 +0200

smbd: Use reparse_buffer_check() in fsctl_set_reparse_point()

check_reparse_data_buffer() was duplicated code


[SCM] Samba Shared Repository - branch master updated

2024-05-03 Thread Andreas Schneider
The branch, master has been updated
   via  c5a1c8d45b9 s4:dsdb: Fix stack use after scope in gkdi_create_root_key()
  from  6bf51860a00 smbd: Remove unused [push_pull]_file_id_24

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c5a1c8d45b9e87ff4ab9785fe50b6efc8ffa396c
Author: Andreas Schneider 
Date:   Tue Apr 30 09:16:40 2024 +0200

s4:dsdb: Fix stack use after scope in gkdi_create_root_key()

==20978==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f4f91ff51a0 at pc 0x7f4f94cf93d6 bp 0x7ffdb90fc510 sp 0x7ffdb90fbcd0
READ of size 64 at 0x7f4f91ff51a0 thread T0
#0 0x7f4f94cf93d5 in memcpy ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
#1 0x7f4f933bdb67 in ldb_val_dup ../../lib/ldb/common/ldb_msg.c:325
#2 0x7f4f933c11d1 in ldb_msg_copy ../../lib/ldb/common/ldb_msg.c:1182
#3 0x7f4f933c13d2 in ldb_msg_normalize ../../lib/ldb/common/ldb_msg.c:1235
#4 0x7f4f933ab556 in ldb_request ../../lib/ldb/common/ldb.c:1196
#5 0x7f4f8e82b1d4 in dsdb_autotransaction_request ../../source4/dsdb/common/util.c:1220
#6 0x7f4f8e831c8a in dsdb_add ../../source4/dsdb/common/util.c:5354
#7 0x7f4f8e853a01 in gkdi_create_root_key ../../source4/dsdb/gmsa/gkdi.c:493
#8 0x7f4f8e853a01 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:551
#9 0x7f4f8cd4ca52 in py_dsdb_create_gkdi_root_key ../../source4/dsdb/pydsdb.c:1388
#10 0x7f4f947ce01c  (/lib64/libpython3.11.so.1.0+0x1ce01c) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#11 0x7f4f947de4c0 in _PyObject_Call (/lib64/libpython3.11.so.1.0+0x1de4c0) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#12 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#13 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#14 0x7f4f947de5d8  (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#15 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#16 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#17 0x7f4f947edabb  (/lib64/libpython3.11.so.1.0+0x1edabb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#18 0x7f4f947de5d8  (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#19 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#20 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#21 0x7f4f947ed9fb  (/lib64/libpython3.11.so.1.0+0x1ed9fb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#22 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#23 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#24 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#25 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#26 0x7f4f94839997 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x239997) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#27 0x7f4f94856862  (/lib64/libpython3.11.so.1.0+0x256862) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#28 0x7f4f94852e59  (/lib64/libpython3.11.so.1.0+0x252e59) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#29 0x7f4f94868fb1  (/lib64/libpython3.11.so.1.0+0x268fb1) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#30 0x7f4f948687a3 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x2687a3) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#31 0x7f4f94868453 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x268453) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#32 0x7f4f94861c53 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x261c53) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#33 0x7f4f94829996 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x229996) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
#34 0x7f4f9422a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#35 0x7f4f9422a2b8 in __libc_start_main_impl ../csu/libc-start.c:360
#36 0x5604497e3084 in _start (/usr/bin/python3.11+0x1084) (BuildId: 

[SCM] Samba Shared Repository - branch master updated

2024-04-30 Thread Jeremy Allison
The branch, master has been updated
   via  6bf51860a00 smbd: Remove unused [push_pull]_file_id_24
   via  5ef6a8a01f4 smbd: Use struct oplock_break_message for MSG_SMB_KERNEL_BREAK
   via  7d860a73ca4 smbd: Remove message_to_share_mode_entry and vice versa
   via  037b9dac21b smbd: Use struct oplock_break_message for MSG_CLOSE_FILE
   via  e2201a8dff3 smbd: Fix a typo
   via  8f1cc217a89 smbd: Simplify sending oplock_break_message
   via  4fe0808ebed lib: Convert push_file_id_16 to take uint8_t instead of char
   via  e889d76fad0 vfs: Convert return_data from char * to uint8_t
   via  6f2aa43a3fe passdb: Use getline(3) to read our old machine sid
   via  30b7cf9b3c0 pylibsmb: Avoid talloc()
   via  3f17f194294 pylibsmb: clang-format for the calls to Py_BuildValue()
   via  8ef24d670b7 pylibsmb: Return reparse_tag from directory listing
   via  ceea95af632 libsmb: Slightly simplify py_cli_list()
   via  5d51be58914 smbd: Fix a copy error in smbXsrv_client_remove()
   via  c2b80caf5ed smbd: Use direct struct initialization in smbXsrv_client
   via  60b724a7e59 smbd: Save a few lines in smbXsrv_client_global_init()
   via  7b4ab077c8d smbd: Do an early TALLOC_FREE in smbXsrv_client_global_init()
   via  45200770fe6 smbd: Simplify smbXsrv_open_clear_replay_cache()
   via  e5596cf4a6a smbd: Simplify smbXsrv_open_purge_replay_cache()
   via  647d2c6481c smbd: Simplify an if-condition
   via  56814d3ee25 smbd: Some README.Coding in smbXsrv_session
   via  1656cb19010 lib: Fix whitespace
   via  debb5894847 libsmb: Remove unused setup_stat_from_stat_ex()
   via  fba4e66df51 smbd: Save a few bytes of .text
  from  d650f884ec1 lib:ldb: Use correct integer types for sizes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6bf51860a0071b5834c68b463cbdc31d2c04a4c0
Author: Volker Lendecke 
Date:   Tue Apr 30 11:43:58 2024 +0200

smbd: Remove unused [push_pull]_file_id_24

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Apr 30 23:48:21 UTC 2024 on atb-devel-224

commit 5ef6a8a01f43c2d962086ce2bb6c4f34c44e42ae
Author: Volker Lendecke 
Date:   Tue Apr 30 11:41:50 2024 +0200

smbd: Use struct oplock_break_message for MSG_SMB_KERNEL_BREAK

Signed-off-by: Volker Lendecke 

commit 7d860a73ca48819e80fc8690ae8cfb5b628ace0a
Author: Volker Lendecke 
Date:   Tue Apr 30 10:37:06 2024 +0200

smbd: Remove message_to_share_mode_entry and vice versa

Used only for closing files from rpc srvsvc these days

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 037b9dac21b4aabcc56169b533cbed749e6fee6c
Author: Volker Lendecke 
Date:   Tue Apr 30 10:35:06 2024 +0200

smbd: Use struct oplock_break_message for MSG_CLOSE_FILE

We only need to transmit the file_id and share_file_id. Next patch
will show why :-)

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit e2201a8dff30666b5f8f9ca340039c3c6acd9bd4
Author: Volker Lendecke 
Date:   Tue Apr 30 10:31:37 2024 +0200

smbd: Fix a typo

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 8f1cc217a8909d56adc9279adf9e301a95b52716
Author: Volker Lendecke 
Date:   Mon Apr 29 11:38:18 2024 +0200

smbd: Simplify sending oplock_break_message

This is fixed length of 33 bytes, no need to talloc

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 4fe0808ebedd7812cf7097d4d6c3d697e8cebb68
Author: Volker Lendecke 
Date:   Sun Apr 28 19:51:25 2024 +0200

lib: Convert push_file_id_16 to take uint8_t instead of char

All callers had a cast from uint8_t to char, avoid those.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit e889d76fad07645b8279d149d1519f0d7feb25e6
Author: Volker Lendecke 
Date:   Sun Apr 28 19:43:36 2024 +0200

vfs: Convert return_data from char * to uint8_t

Prepares for a small simplification in the next patch

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 6f2aa43a3fe722b93eb68a5bb9ae6d4253a352df
Author: Volker Lendecke 
Date:   Wed Apr 10 14:45:56 2024 +0200

passdb: Use getline(3) to read our old machine sid

Don't read the whole file.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 30b7cf9b3c0c0968166811313aa48b1eedcad67a
Author: Volker Lendecke 
Date:   Sun Apr 28 16:29:23 2024 +0200

pylibsmb: Avoid talloc()

dom_sid_string() does an implicit talloc_strdup() which is not
necessary here.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 3f17f1942941d8c4dfc54a8d8ac62c77476194a1
Author: Volker Lendecke 
Date:   Sun Apr 28 16:24:31 2024 +0200


[SCM] Samba Shared Repository - branch master updated

2024-04-30 Thread Volker Lendecke
The branch, master has been updated
   via  d650f884ec1 lib:ldb: Use correct integer types for sizes
   via  17dd13bb4bc lib:ldb: Add missing overflow check in ldb_msg_normalize()
   via  82b07bd048e lib:tdb: Add missing overflow check for num_values in pytdb.c
   via  e9c4538e272 lib:tdb: Remove trailing spaces from pytdb.c
  from  80159018e41 s3:utils: Fix Inherit-Only flag being automatically propagated to children

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d650f884ec1be0745af93020366b9e115670b771
Author: Andreas Schneider 
Date:   Tue Apr 30 14:33:51 2024 +0200

lib:ldb: Use correct integer types for sizes

Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_ldif.c:84: tainted_data_return: Called function "read(f, buf, size)", and a possible return value may be less than zero.
ldb-2.9.0/common/ldb_ldif.c:84: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
ldb-2.9.0/common/ldb_ldif.c:92: overflow: The expression "size" is considered to have possibly overflowed.
ldb-2.9.0/common/ldb_ldif.c:84: overflow_sink: "size", which might be negative, is passed to "read(f, buf, size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
82|   buf = (char *)value->data;
83|   while (count < statbuf.st_size) {
84|-> bytes = read(f, buf, size);
85|   if (bytes == -1) {
86|   talloc_free(value->data);

Signed-off-by: Andreas Schneider 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Tue Apr 30 15:33:32 UTC 2024 on atb-devel-224

commit 17dd13bb4bc9bd38f663c376ee73de6598715da7
Author: Andreas Schneider 
Date:   Tue Apr 30 14:27:54 2024 +0200

lib:ldb: Add missing overflow check in ldb_msg_normalize()

Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.]
  1251|   talloc_free(discard_const_p(char, el2->name));
  1252|   if ((i+1) < msg2->num_elements) {
  1253|-> memmove(el2, el2+1, sizeof(struct ldb_message_element) *
  1254|   (msg2->num_elements - (i+1)));
  1255|   }

Signed-off-by: Andreas Schneider 
Reviewed-by: Volker Lendecke 

commit 82b07bd048e8039896be7edec6b83cbd6ff218d9
Author: Andreas Schneider 
Date:   Tue Apr 30 14:16:33 2024 +0200

lib:tdb: Add missing overflow check for num_values in pytdb.c

Error: INTEGER_OVERFLOW (CWE-190):
tdb-1.4.10/pytdb.c:401: cast_overflow: Truncation due to cast operation on "num_values" from 64 to 32 bits.
tdb-1.4.10/pytdb.c:401: overflow_sink: "num_values", which might have overflowed, is passed to "tdb_storev(self->ctx, key, values, num_values, flag)".
  399|   }
  400|
  401|-> ret = tdb_storev(self->ctx, key, values, num_values, flag);
  402|   free(values);
  403|   PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);

Signed-off-by: Andreas Schneider 
Reviewed-by: Volker Lendecke 

commit e9c4538e272a32f9fe4dcdabc6f44b95ddfda6e7
Author: Andreas Schneider 
Date:   Tue Apr 30 14:16:15 2024 +0200

lib:tdb: Remove trailing spaces from pytdb.c

Signed-off-by: Andreas Schneider 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 lib/ldb/common/ldb_ldif.c |  3 ++-
 lib/ldb/common/ldb_msg.c  |  2 +-
 lib/tdb/pytdb.c   | 22 +-
 3 files changed, 16 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c
index 96237dd0abf..24a0bcdefa5 100644
--- a/lib/ldb/common/ldb_ldif.c
+++ b/lib/ldb/common/ldb_ldif.c
@@ -45,7 +45,8 @@ static int ldb_read_data_file(TALLOC_CTX *mem_ctx, struct 
ldb_val 

[SCM] Samba Shared Repository - branch master updated

2024-04-29 Thread Ralph Böhme
The branch, master has been updated
   via  80159018e41 s3:utils: Fix Inherit-Only flag being automatically propagated to children
   via  eba2bfde347 python/samba/tests/blackbox: Add tests for Inherit-only flag propagation
  from  96b5cfe4e6c s3:libsmb: Pass a memory context to get_ipc_connect()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 80159018e411c643fbfe7ef82bd33e30b6147901
Author: Anna Popova 
Date:   Fri Apr 12 17:32:37 2024 +0300

s3:utils: Fix Inherit-Only flag being automatically propagated to children

Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224

commit eba2bfde347041a395f0fbd3c57235be63b1890d
Author: yuzu367 
Date:   Thu Apr 11 11:31:07 2024 +0300

python/samba/tests/blackbox: Add tests for Inherit-only flag propagation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636

Signed-off-by: Anna Popova 
Reviewed-by: Noel Power 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 .../blackbox/smbcacls_propagate_inhertance.py  | 108 +
 source3/utils/smbcacls.c   |   4 +
 2 files changed, 112 insertions(+)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py 
b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
index cc13727b8fb..5b3a27111d5 100644
--- a/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
+++ b/python/samba/tests/blackbox/smbcacls_propagate_inhertance.py
@@ -1288,3 +1288,111 @@ class 
InheritanceSmbCaclsTests(SmbCaclsBlockboxTestBase):
 
 except BlackboxProcessError as e:
 self.fail(str(e))
+
+def test_simple_iocioi_add(self):
+"""test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+for the file and additionally use inheritance rules to propagate 
appropriate
+changes to children
+
+This test adds an ACL with (IO)(CI)(OI)(READ)
+
+before:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F)
+  | +-file.1(I)(F)
+  | +-nested/  (OI)(CI)(I)(F)
+  |   +-file.2  (I)(F)
+  |   +-nested_again/ (OI)(CI)(I)(F)
+  | +-file.3  (I)(F)
+
+after/expected:
+
++-tar_test_dir/(OI)(CI)(I)(F)
+  +-oi_dir/(OI)(CI)(I)(F), (IO)(CI)(OI)(READ)
+  | +-file.1(I)(F), (I)(READ)
+  | +-nested/  (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  |   +-file.2  (I)(F), (I)(READ)
+  |   +-nested_again/ (OI)(CI)(I)(F), (I)(CI)(OI)(READ)
+  | +-file.3  (I)(F), (I)(READ)"""
+
+dir_add_acl_str = "ACL:%s:ALLOWED/OI|CI|IO/READ" % self.user
+obj_inherited_ace_str = "ACL:%s:ALLOWED/I/READ" % self.user
+dir_inherited_ace_str = "ACL:%s:ALLOWED/OI|CI|I/READ" % self.user
+
+try:
+
+self.smb_cacls(["--propagate-inheritance", "--add",
+dir_add_acl_str, self.oi_dir])
+
+# check top level container 'oi_dir' has IO|CI|OI/READ
+dir_ace = self.ace_parse_str(dir_add_acl_str)
+self.assertTrue(self.file_ace_check(self.oi_dir, dir_ace))
+
+# file 'oi_dir/file-1' should  have inherited I/READ
+child_file_ace = self.ace_parse_str(obj_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.f1, child_file_ace))
+
+# nested dir  'oi_dir/nested/' should have I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_dir, 
child_dir_ace))
+
+# nested file 'oi_dir/nested/file-2' should  have inherited I/READ
+self.assertTrue(self.file_ace_check(self.f2, child_file_ace))
+
+# nested_again dir  'oi_dir/nested/nested_again' should have 
I|CI|OI/READ
+child_dir_ace = self.ace_parse_str(dir_inherited_ace_str)
+self.assertTrue(self.file_ace_check(self.nested_again_dir, 
child_dir_ace))
+# nested_again file 'oi_dir/nested/nested_again/file-3' should  
have inherited I/READ
+self.assertTrue(self.file_ace_check(self.f3, child_file_ace))
+except BlackboxProcessError as e:
+self.fail(str(e))
+
+def test_simple_ioci_add(self):
+"""test smbcacls '--propagate-inheritance --add' which attempts to add 
the ACL
+   
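
Review bot: the docstring of test_simple_iocioi_add does not match the code under it: it says the ACL is added "for the file" while the target passed to `smb_cacls` is the directory `self.oi_dir`, and its tree names the files `file.1` to `file.3` where the inline comments say `file-1` to `file-3`. Use one spelling for the fixture names and say "directory" in the docstring; the same opening sentence is carried into test_simple_ioci_add at the end of the hunk, so it needs the same correction there.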

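The rule stated in the commit message above ("Inherit-only flag applies only to the container it was set to") can be modelled in a few lines. This is an added example, not Samba's code: it walks the directory tree drawn in the test docstring and computes the flags each child receives. The `clear_inherit_only=False` mode is an assumption that models the defect named in the commit subject, and the OI-without-CI branch follows the standard Windows inheritance rule, which goes beyond the cases shown on this page.

```python
"""Model of ACE flag inheritance for the tree in test_simple_iocioi_add.

Added illustration only; not Samba code. Flags: OI = object inherit,
CI = container inherit, IO = inherit only, I = inherited.
"""
from dataclasses import dataclass

FLAG_ORDER = ("OI", "CI", "IO", "I")  # print order used by the test's ACE strings

# Constructed sample: the layout from the test docstring.
# A dict is a directory, None is a file.
TREE = {"oi_dir": {"file.1": None,
                   "nested": {"file.2": None,
                              "nested_again": {"file.3": None}}}}


@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: str
    flags: frozenset
    mask: str

    def __str__(self):
        flags = "|".join(f for f in FLAG_ORDER if f in self.flags)
        return f"ACL:{self.trustee}:{self.ace_type}/{flags}/{self.mask}"

    def applies_to_self(self):
        # An inherit-only ACE is skipped when access to the object
        # that carries it is evaluated.
        return "IO" not in self.flags


def parse_ace(text):
    """Parse 'ACL:<trustee>:<type>/<flags>/<mask>' as written in the test."""
    prefix, trustee, rest = text.split(":", 2)
    ace_type, flags, mask = rest.split("/")
    flag_set = frozenset(f for f in flags.split("|") if f)
    if prefix != "ACL" or not flag_set <= set(FLAG_ORDER):
        raise ValueError(f"unsupported ACE string: {text!r}")
    return Ace(trustee, ace_type, flag_set, mask)


def inherit(parent, child_is_dir, clear_inherit_only=True):
    """Return the ACE a child receives from `parent`, or None."""
    f = parent.flags
    if not child_is_dir:
        if "OI" not in f:
            return None            # nothing for files without OI
        new = {"I"}                # files keep no inheritance flags
    elif "CI" in f:
        new = {x for x in f if x in ("OI", "CI")} | {"I"}
        if not clear_inherit_only and "IO" in f:
            new.add("IO")          # assumption: the pre-fix behaviour
    elif "OI" in f:
        new = {"OI", "IO", "I"}    # only passes through to files below
    else:
        return None
    return Ace(parent.trustee, parent.ace_type, frozenset(new), parent.mask)


def propagate(tree, ace, clear_inherit_only=True):
    """Map each path in `tree` to the ACE it ends up with."""
    result = {}

    def walk(path, children, parent_ace):
        for name, sub in children.items():
            child_path = f"{path}/{name}"
            child = inherit(parent_ace, sub is not None, clear_inherit_only)
            if child is None:
                continue
            result[child_path] = child
            if sub is not None:
                walk(child_path, sub, child)

    for root, children in tree.items():
        result[root] = ace         # the ACE set explicitly with --add
        walk(root, children, ace)
    return result


if __name__ == "__main__":
    added = parse_ace("ACL:user1:ALLOWED/OI|CI|IO/READ")  # constructed trustee
    for label, clear in (("IO cleared on children", True),
                         ("IO copied to children", False)):
        print(label)
        for path, ace in propagate(TREE, added, clear).items():
            state = "effective" if ace.applies_to_self() else "inherit-only"
            print(f"  {path:36} {ace}  [{state}]")
```

With IO copied down, the ACE on `nested/` and `nested_again/` is never evaluated for those directories themselves, which for a DENIED ACE means the deny silently does not apply there.
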
[SCM] Samba Shared Repository - branch master updated

2024-04-29 Thread Volker Lendecke
The branch, master has been updated
   via  96b5cfe4e6c s3:libsmb: Pass a memory context to get_ipc_connect()
   via  56426eda9bd s3:libsmb: Make get_ipc_connect() static
   via  bf688e0d2af s3:libnet: Fix memory leak in libnet_join_connect_dc_ipc()
   via  d2297b41a20 s3:libsmb: Pass memory context to cli_full_connection_creds()
   via  5c63d5bdab1 s3:libsmb: Pass memory context to cli_full_connection_creds_recv()
   via  f95947b s3:libsmb: Pass a memory context to cli_start_connection()
   via  f3fda1e440c s3:libsmb: Pass a memory context to cli_start_connection_recv()
   via  bbb21797bf6 s3:libsmb: Pass memory context to cli_connect_nb()
   via  4f62937dfab s3:torture: Remove trailing spaces in torture.c
   via  c8eabee18bd s3:nmbd: Remove trailing spaces in nmbd_synclists.c
   via  2154bd37e41 s3:libsmb: Pass a memory context to cli_connect_nb_recv()
  from  73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 96b5cfe4e6c4b727c286b0856446c1d5a31b920b
Author: Andreas Schneider 
Date:   Thu Nov 23 15:53:29 2023 +0100

s3:libsmb: Pass a memory context to get_ipc_connect()

Indirect leak of 792 byte(s) in 1 object(s) allocated from:
#0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0)
#1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f261b2c473d in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f261b2c473d in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f261b2c473d in _talloc_zero ../../lib/talloc/talloc.c:2421
#5 0x7f2618cb42bc in smbXcli_conn_create ../../libcli/smb/smbXcli_base.c:350
#6 0x7f261a74acd3 in cli_state_create ../../source3/libsmb/clientgen.c:196
#7 0x7f261a751f0d in cli_connect_nb_done ../../source3/libsmb/cliconnect.c:2715
#8 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
#9 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#10 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#11 0x7f261a752dde in cli_connect_sock_done ../../source3/libsmb/cliconnect.c:2624
#12 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
#13 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#14 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#15 0x7f261a7ba2c4 in smbsock_any_connect_connected ../../source3/libsmb/smbsock_connect.c:788
#16 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
#17 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#18 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#19 0x7f261a7b75ad in smbsock_connect_connected ../../source3/libsmb/smbsock_connect.c:524
#20 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
#21 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#22 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240
#23 0x7f261b4b400a in open_socket_out_connected ../../source3/lib/util_sock.c:484
#24 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
#25 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234
#26 0x7f261a69be3e in tevent_req_trigger ../../lib/tevent/tevent_req.c:291
#27 0x7f261a699df4 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:190
#28 0x7f261a699e31 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:236
#29 0x7f261a6ad3ec in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:905
#30 0x7f261a6a679e in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
#31 0x7f261a696538 in _tevent_loop_once ../../lib/tevent/tevent.c:820

Signed-off-by: Andreas Schneider 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Mon Apr 29 

[SCM] Samba Shared Repository - branch master updated

2024-04-24 Thread Andrew Bartlett
The branch, master has been updated
   via  73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints
   via  6f12cf958f8 python:tests: Rewrite condition of while loop
   via  cb97e3f13df python:tests: Store keys as bytes rather than as tuples
   via  94e055b582e python:gkdi: Add helper methods returning previous and next GKIDs
   via  282e5784a03 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
   via  5a048ef0f81 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
   via  1889e0aea38 python: Move get_admin_sid() to SamDB
   via  786eab65cef s4:auth: Export AES128 gMSA keys along with AES256 keys by default
   via  103ca0276fb tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
   via  1171589e355 ldb: Remove unnecessary declaration
   via  46955bc7664 lib:crypto: Fix Coverity build
   via  82224fca78c ctdb: Report errors from getline()
   via  f9309c221b9 ctdb: Ensure ‘ret’ is always initialized
  from  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 73e3ffb841842c748e0cda59ada0617dda035853
Author: Jo Sutton 
Date:   Wed Apr 24 13:34:27 2024 +1200

python:tests: Store keys as bytes rather than as lists of ints

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224

commit 6f12cf958f8ed92c3373372760564d95adcdfb94
Author: Jo Sutton 
Date:   Wed Apr 24 13:37:40 2024 +1200

python:tests: Rewrite condition of while loop

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit cb97e3f13dfa8e8f7512639389aaccf93d53959a
Author: Jo Sutton 
Date:   Wed Apr 24 13:36:28 2024 +1200

python:tests: Store keys as bytes rather than as tuples

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 94e055b582e3c4498b99d3997df3db614b3e94e8
Author: Jo Sutton 
Date:   Wed Apr 24 12:42:40 2024 +1200

python:gkdi: Add helper methods returning previous and next GKIDs

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 282e5784a03add45dc662b27da6f2d29e1ab80cb
Author: Jo Sutton 
Date:   Mon Apr 15 14:45:51 2024 +1200

s4:kdc: Add helper variable indicating whether we think we are performing a keytab export

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 5a048ef0f81d4f212019a9687a726eb0bfd67227
Author: Jo Sutton 
Date:   Mon Apr 15 14:39:45 2024 +1200

s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()

This ldb context can be used to query the current gMSA time.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1889e0aea389662a1e4111d7537f3c4e1c93d492
Author: Jo Sutton 
Date:   Mon Apr 15 13:23:15 2024 +1200

python: Move get_admin_sid() to SamDB

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 786eab65cefac69dfd38646437720f33994f8f47
Author: Jo Sutton 
Date:   Tue Apr 23 13:13:20 2024 +1200

s4:auth: Export AES128 gMSA keys along with AES256 keys by default

This is what an existing test expects.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 103ca0276fbda03592bfb4a460ba946218abfb16
Author: Jo Sutton 
Date:   Mon Apr 22 10:53:30 2024 +1200

tests/krb5: Check that updated NT hashes of gMSAs have the values we expect

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 1171589e355e55b5fa08ae7da0210ac9ca2c7107
Author: Jo Sutton 
Date:   Wed Apr 24 12:31:36 2024 +1200

ldb: Remove unnecessary declaration

This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 46955bc7664b8cf665c9bccf3b88d4afa26b9526
Author: Jo Sutton 
Date:   Mon Apr 22 11:10:00 2024 +1200

lib:crypto: Fix Coverity build

The Coverity build is failing with the following errors:

[1936/5164] Compiling lib/crypto/gkdi.c
In file included from 
/usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0,
 from /usr/include/inttypes.h:27,
 from ../../lib/crypto/../replace/replace.h:64,
 from ../../source4/include/includes.h:23,
 from ../../lib/crypto/gkdi.c:21:
../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’:
../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant
UINT64_MAX /
^
../../lib/crypto/gkdi.c:197:4: note: (near initialization for 
‘max_gkid.l0_idx’)
../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant
UINT64_MAX /
^
../../lib/crypto/gkdi.c:200:4: 

[SCM] Samba Shared Repository - branch master updated

2024-04-23 Thread Andrew Bartlett
The branch, master has been updated
   via  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes
   via  acaa24c65d9 smbdotconf: finally remove unused "client use spnego 
principal" option
   via  4ff1b321edb s4:selftest: remove useless 'client use spnego 
principal' tests
   via  5d350c1ecd1 auth/gensec: remove useless client_use_spnego_principal 
usage
   via  a34532cd9b1 s3:selftest/tests.py: run TLDAP tests with 
sasl-sign,sasl-seal,ldaps,starttls
   via  d189952f0ef s3:torture: add ldaps/starttls support to run_tldap()
   via  09647d1dc96 s3:torture: add '-T 'option=value' this is similar to 
'--option='=value'
   via  e6be6fa9488 blackbox/test_net_ads_search_server: also test 
ldaps/starttls
   via  9827055be3c s4:selftest: also test samba4.ldb.simple.ldap with 
starttls and SASL-BIND
   via  0122c0a6986 s4:libcli/ldap: add support for 
ADS_AUTH_SASL_{STARTTLS,LDAPS}
   via  0f8a7c9ef6e s3:idmap_ad: add support for 
ADS_AUTH_SASL_{STARTTLS,LDAPS}
   via  864ed28ce0e s3:libads: add support for 
ADS_AUTH_SASL_{STARTTLS,LDAPS}
   via  844e1bdc6d4 smbdotconf: add client ldap sasl wrapping = 
{starttls,ldaps}
   via  576ac69cbb3 s3:libads: call gensec_set_channel_bindings() for tls 
connections
   via  da87dbcea57 s3:libads: call 
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
   via  6a84552d593 s3:libads: add tls_wrapping into openldap
   via  84b4551cdf6 s4:lib/tls: add tstream_tls_sync_setup()
   via  f1a83feb0ee s3:libads: always require ber_sockbuf_add_io() and 
LDAP_OPT_SOCKBUF
   via  86e03bd515e s3:libads: use the correct struct sockbuf_io_desc type 
for 'sbiod' pointer
   via  e6593c297e6 s3:libads: no longer pass "GSS-SPNEGO" to 
ads_sasl_spnego_gensec_bind()
   via  47758695898 s3:libads: remove dead code in 
ads_sasl_spnego_{gensec}_bind()
   via  aeed081fc81 s3:libads: directly use kerberos without asking the 
server
   via  09b69a12a64 s3:libads: use GSS-SPNEGO directly without asking for 
supportedSASLMechanisms
   via  29b77a34aa8 s3:tldap: add support for [START]TLS
   via  3798dc7aea6 s3:tldap: make tldap_gensec_bind_send/recv public
   via  eb29f28a29c s3:tldap: add tldap_extended*
   via  557de8f39e3 s3:tldap: store plain and gensec tstream
   via  3bf3d4d855d s3:tldap: let tldap_gensec_bind_send/recv use 
gensec_update_send/recv
   via  4b22fa01537 s3:tldap: don't use 'supportedSASLMechanisms' and force 
'GSS-SPNEGO' instead
   via  8c5b522682e s3:tldap: simplify tldap_gensec_bind.h
   via  30440e0ee38 s3:tldap: simplify read_ldap_more() by using 
asn1_peek_full_tag()
   via  ca936312910 s4:lib/tls: add support for 
gnutls_certificate_set_x509_{system_trust,trust_dir}()
   via  0b84c97cf39 docs-xml: add 'tls trust system cas' and 'tls ca 
directories' options
   via  8062d317932 s4:ldap_server: remove unused include of 
gensec_internal.h
   via  ded41b0946f s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code
   via  2e975ae9833 s3:libads: remove unused include of gensec_internal.h
   via  c7c5d3fb76c s3:libsmb: libcli/auth/spnego.h is not needed in 
cliconnect.c
   via  e1c4caed10d WHATSNEW: document ldap_server ldaps/tls channel 
binding support
   via  065da873296 s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND 
with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
   via  6794cc47624 selftest: split out 
selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
   via  7acb15a53c0 s4:libcli/ldap: add tls channel binding support for 
ldap_bind_sasl()
   via  6c17e3d2800 s4:ldap_server: add support for tls channel bindings
   via  811d04fea7d s3:crypto/gse: implement channel binding support
   via  1831006b777 s4:gensec_gssapi: implement channel binding support
   via  f1d34a430d2 auth/ntlmssp: implement channel binding support
   via  e912ba579b1 auth/gensec: add gensec_set_channel_bindings() function
   via  546e39a6fa1 wscript_configure_embedded_heimdal: define 
HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
   via  9b92cbacac1 third_party/heimdal: import 
lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
   via  cbd7ce44121 s4:lib/tls: add tstream_tls_channel_bindings()
   via  2f2af3aa8a0 lib/crypto: add legacy_gnutls_server_end_point_cb() if 
needed
   via  c200cf1b5f4 s4:libcli/ldap: make use of 
tstream_tls_params_client_lpcfg()
   via  493d35a6910 s4:librpc/rpc: make use of 
tstream_tls_params_client_lpcfg()
   via  b8b874ef5e4 s3:rpc_server/mdssvc: make use of 
tstream_tls_params_client_lpcfg()
   via  604413b98a2 s4:lib/tls: add tstream_tls_params_client_lpcfg()
   via  3186cdce85a s4:lib/tls: split out tstream_tls_verify_peer() helper
   via  15fb8fcc7b9 s4:lib/tls: include a TLS server name indication in the 
client handshake
   via  ecdd7691913 s4:lib/tls: we no longer need 

[SCM] Samba Shared Repository - branch master updated

2024-04-23 Thread Jeremy Allison
The branch, master has been updated
   via  1cba9de1444 Fix a few "might be uninitialized" errors
   via  316579b5029 smbd: Slightly simplify notifyd_send_delete()
   via  190ae0796eb smbd: Simplify smb_set_file_unix_link()
   via  88921ac1774 smbd: Simplify smb_q_posix_symlink()
   via  e35b3af2e8b smbd: Simplify call_trans2qpathinfo()
  from  daf6d371f36 s3:rpc_client: implement bind time feature negotiation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1cba9de1933a51972b725e0f4852704d2a8c
Author: Volker Lendecke 
Date:   Mon Jan 22 21:33:05 2024 +0100

Fix a few "might be uninitialized" errors

I've seen them with clang

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224

commit 316579b5029823ba19eda2a131a3a2a5df7419a1
Author: Volker Lendecke 
Date:   Tue Feb 27 15:32:59 2024 +0100

smbd: Slightly simplify notifyd_send_delete()

Call messaging_send_iov() instead of messaging_send_iov_from().

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 190ae0796ebaaf4f2fc2479f81637207d1fa8934
Author: Volker Lendecke 
Date:   Mon Feb 12 10:26:28 2024 +0100

smbd: Simplify smb_set_file_unix_link()

Avoid a call to parent_pathref, use the dirfsp that already exists

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 88921ac177421c25827092df3f063baa80f9f4bf
Author: Volker Lendecke 
Date:   Sun Feb 11 13:10:01 2024 +0100

smbd: Simplify smb_q_posix_symlink()

Use the dirfsp from call_trans2qpathinfo(), avoid a call to parent_pathref()

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit e35b3af2e8b82678b2d77ea39a132f6ecaca9991
Author: Volker Lendecke 
Date:   Sat Feb 10 14:26:55 2024 +0100

smbd: Simplify call_trans2qpathinfo()

These days filename_convert_dirfsp() always returns a full fsp.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 source3/libsmb/libsmb_file.c  |   2 +-
 source3/smbd/notifyd/notifyd.c|  18 +++--
 source3/smbd/smb1_trans2.c| 147 +-
 source4/auth/sam.c|   2 +-
 source4/dsdb/common/rodc_helper.c |   2 +-
 5 files changed, 63 insertions(+), 108 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/libsmb_file.c b/source3/libsmb/libsmb_file.c
index ff18d569757..5861718d672 100644
--- a/source3/libsmb/libsmb_file.c
+++ b/source3/libsmb/libsmb_file.c
@@ -470,7 +470,7 @@ SMBC_getatr(SMBCCTX * context,
mode_t mode = S_IFREG;
struct cli_credentials *creds = NULL;
TALLOC_CTX *frame = talloc_stackframe();
-   NTSTATUS status;
+   NTSTATUS status = NT_STATUS_ACCESS_DENIED;
 
if (!context || !context->internal->initialized) {
TALLOC_FREE(frame);
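Review bot: The default chosen in `NTSTATUS status = NT_STATUS_ACCESS_DENIED;` in SMBC_getatr() silences the clang warning, but it also decides what callers see on whichever path never assigns status, and the hunk does not show that path. A generic failure such as NT_STATUS_INTERNAL_ERROR, or an explicit assignment on the branch clang flagged, would avoid reporting an access-control failure that never happened. At minimum, add a comment naming the path that relies on the default.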
diff --git a/source3/smbd/notifyd/notifyd.c b/source3/smbd/notifyd/notifyd.c
index 4af62a9a1f9..64dd26a7e11 100644
--- a/source3/smbd/notifyd/notifyd.c
+++ b/source3/smbd/notifyd/notifyd.c
@@ -790,7 +790,7 @@ static void notifyd_send_delete(struct messaging_context 
*msg_ctx,
};
uint8_t nul = 0;
struct iovec iov[3];
-   int ret;
+   NTSTATUS status;
 
/*
 * Send a rec_change to ourselves to delete a dead entry
@@ -802,13 +802,17 @@ static void notifyd_send_delete(struct messaging_context 
*msg_ctx,
iov[1] = (struct iovec) { .iov_base = key.dptr, .iov_len = key.dsize };
iov[2] = (struct iovec) { .iov_base = , .iov_len = sizeof(nul) };
 
-   ret = messaging_send_iov_from(
-   msg_ctx, instance->client, messaging_server_id(msg_ctx),
-   MSG_SMB_NOTIFY_REC_CHANGE, iov, ARRAY_SIZE(iov), NULL, 0);
+   status = messaging_send_iov(msg_ctx,
+   instance->client,
+   MSG_SMB_NOTIFY_REC_CHANGE,
+   iov,
+   ARRAY_SIZE(iov),
+   NULL,
+   0);
 
-   if (ret != 0) {
-   DBG_WARNING("messaging_send_iov_from returned %s\n",
-   strerror(ret));
+   if (!NT_STATUS_IS_OK(status)) {
+   DBG_WARNING("messaging_send_iov failed: %s\n",
+   nt_errstr(status));
}
 }
 
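Review bot: The replacement call in notifyd_send_delete() no longer passes messaging_server_id(msg_ctx) as the sender, while the comment above it still says the rec_change is sent "to ourselves". Please state in the commit message that messaging_send_iov() supplies the same source id, so a reader can confirm the receiver still attributes the delete to this process. The failure path still only logs through DBG_WARNING; as the function returns void that is unchanged, but a short comment saying why a failed delete may be ignored would help.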
diff --git a/source3/smbd/smb1_trans2.c b/source3/smbd/smb1_trans2.c
index ae5fee7e2ff..e31bdf02fe8 100644
--- a/source3/smbd/smb1_trans2.c
+++ b/source3/smbd/smb1_trans2.c
@@ -2529,16 +2529,14 @@ static NTSTATUS smb_q_posix_acl(
 static NTSTATUS smb_q_posix_symlink(
struct 

[SCM] Samba Shared Repository - branch master updated

2024-04-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  daf6d371f36 s3:rpc_client: implement bind time feature negotiation
   via  713a8022573 s3:rpc_client: require 
DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
   via  6548ccb31bf s3:rpc_client: pass struct rpc_pipe_client to 
check_bind_response()
   via  0cc0970d359 dcesrv_reply: we don't need to call 
dcerpc_set_frag_length() in dcesrv_fault_with_flags()
  from  2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call 
cli_credentials_get_password() if needed

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit daf6d371f3639cbd64f9ac9f8a3be5b7d37393a7
Author: Stefan Metzmacher 
Date:   Fri Apr 19 01:22:17 2024 +0200

s3:rpc_client: implement bind time feature negotiation

This is not strictly needed as we don't use any of the
optional features yet.

But it will make it easier to add bind time features we'll
actually use later.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224

commit 713a8022573a1b917422d888e4bb901539d20a91
Author: Stefan Metzmacher 
Date:   Fri Apr 19 01:17:46 2024 +0200

s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated 
presentation context

We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.

It's also not needed to require a single array element.

We already checked above that we have at least one.

The next patch will add bind time feature negotiation
and that means we'll have 2 array elements...

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 6548ccb31bfefdfa5d4ddd14ced900c64a68224e
Author: Stefan Metzmacher 
Date:   Fri Apr 19 01:15:52 2024 +0200

s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()

This prepares adding bind time feature negotiation in the next commits.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 0cc0970d359f6521b1621c87149291c597f4b0d6
Author: Stefan Metzmacher 
Date:   Tue Oct 13 15:43:05 2015 +0200

dcesrv_reply: we don't need to call dcerpc_set_frag_length() in 
dcesrv_fault_with_flags()

dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 librpc/rpc/dcesrv_reply.c   |  2 --
 source3/rpc_client/cli_pipe.c   | 49 +++--
 source3/rpc_client/rpc_client.h |  7 ++
 3 files changed, 44 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c
index 6d605168176..4890169c98b 100644
--- a/librpc/rpc/dcesrv_reply.c
+++ b/librpc/rpc/dcesrv_reply.c
@@ -130,8 +130,6 @@ NTSTATUS dcesrv_fault_with_flags(struct dcesrv_call_state 
*call,
return status;
}
 
-   dcerpc_set_frag_length(>blob, rep->blob.length);
-
DLIST_ADD_END(call->replies, rep);
dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
 
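Review bot: Dropping the dcerpc_set_frag_length() call in dcesrv_fault_with_flags() leaves the fragment length in rep->blob entirely to whatever built the blob, and the hunk shows only the `return status;` error exit of that step. The commit message names dcerpc_ncacn_push_auth() as the place the length is set; a one-line comment at the removed spot saying so would keep a later refactor from queuing a reply with a stale length field.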
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b4289e9d35d..cf551f6f548 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1130,17 +1130,28 @@ static NTSTATUS 
create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
 {
uint16_t auth_len = auth_info->length;
NTSTATUS status;
-   struct dcerpc_ctx_list ctx_list = {
-   .context_id = 0,
-   .num_transfer_syntaxes = 1,
-   .abstract_syntax = *abstract,
-   .transfer_syntaxes = (struct ndr_syntax_id 
*)discard_const(transfer),
+   struct ndr_syntax_id bind_time_features = 
dcerpc_construct_bind_time_features(
+   DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING |
+   DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN);
+   struct dcerpc_ctx_list ctx_list[2] = {
+   [0] = {
+   .context_id = 0,
+   .num_transfer_syntaxes = 1,
+   .abstract_syntax = *abstract,
+   .transfer_syntaxes = (struct ndr_syntax_id 
*)discard_const(transfer),
+   },
+   [1] = {
+   .context_id = 1,
+   .num_transfer_syntaxes = 1,
+   .abstract_syntax = *abstract,
+   .transfer_syntaxes = _time_features,
+   },
};
union dcerpc_payload u = {
.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN,
.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN,
-   
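Review bot: In create_bind_or_alt_ctx_internal() the new second context advertises DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING | DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN, while the commit message says none of the optional features are used yet. A server that acknowledges them may assume the client honours both behaviours, so either advertise no feature bits until the client implements them or add a comment explaining why offering them now is safe. Both contexts also reuse `.abstract_syntax = *abstract`; a comment on `[1]` saying this entry exists only to carry the feature bits would make that intent clear.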

[SCM] Samba Shared Repository - branch master updated

2024-04-23 Thread Stefan Metzmacher
The branch, master has been updated
   via  2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call 
cli_credentials_get_password() if needed
   via  aff2932c420 python/samba/getopt: don't prompt for a password for 
--use-krb5-ccache=...
   via  0ba9e5dacbb lib/cmdline: only call 
cli_credentials_get_password_and_obtained if needed
   via  994e12e8f7a lib/cmdline: move cli_credentials_set_cmdline_callbacks 
to the end of POPT_CALLBACK_REASON_POST
   via  e2170431f1d s3:auth_generic: fix talloc_unlink() in 
auth_generic_set_creds()
   via  5af5bf26457 auth/credentials: don't call talloc_free(ccache_name) 
on callers memory
   via  d221f930efc auth/credentials: a temporary MEMORY ccache needs 
krb5_cc_destroy()
   via  126357e2e73 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave 
more like the heimdal krb5_cc_get_lifetime
   via  e58f83d3958 s3:libads: don't dump securityIdentifier and 
msDS-TrustForestTrustInfo as strings
   via  e6f92edba69 s3:notify: don't log user_can_stat_name_under_fsp with 
level 0 for OBJECT_NAME_NOT_FOUND
  from  c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2674df4cc0e124d74eb9d764c29a07c9c84b94d6
Author: Stefan Metzmacher 
Date:   Thu Apr 14 15:36:51 2022 +0200

s3:libsmb: let cli_tree_connect_creds() only call 
cli_credentials_get_password() if needed

Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224

commit aff2932c420fd102c077063b8d1f66cdd8a777cb
Author: Stefan Metzmacher 
Date:   Fri Mar 8 14:14:34 2024 +0100

python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 0ba9e5dacbb4e5bf94600e0a4a1cbd9f7a9c5d9e
Author: Stefan Metzmacher 
Date:   Thu Apr 14 13:31:20 2022 +0200

lib/cmdline: only call cli_credentials_get_password_and_obtained if needed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 994e12e8f7a6b089342a32a6c3269048bfef1545
Author: Stefan Metzmacher 
Date:   Thu Apr 14 13:30:56 2022 +0200

lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of 
POPT_CALLBACK_REASON_POST

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit e2170431f1d4a6f4ce7e3e6949282d5bc60b5d08
Author: Stefan Metzmacher 
Date:   Thu Mar 7 00:11:26 2024 +0100

s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 5af5bf264571b732b5236e6db2061b523e603c05
Author: Stefan Metzmacher 
Date:   Tue Feb 27 16:22:14 2024 +0100

auth/credentials: don't call talloc_free(ccache_name) on callers memory

The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit d221f930efcff09a9b5dc18c5dfb6475ade1312a
Author: Stefan Metzmacher 
Date:   Tue Feb 27 16:07:22 2024 +0100

auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()

A simple krb5_cc_close() doesn't remove it from the global memory list.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit 126357e2e7302eb219fda80e3cfbef3da02c1d6d
Author: Stefan Metzmacher 
Date:   Fri Mar 8 11:39:35 2024 +0100

lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal 
krb5_cc_get_lifetime

If the ccache doesn't have an initial TGT the shortest lifetime of
service tickets should be returned.

This is needed in order to work with special ccaches used for
things like S4U2Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit e58f83d3958d7b6a16d7d75a7a266cead4befb48
Author: Stefan Metzmacher 
Date:   Wed Apr 3 16:00:41 2024 +0200

s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as 
strings

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

commit e6f92edba690923ec8ef427bc6d5b30d609c129a
Author: Stefan Metzmacher 
Date:   Wed Apr 3 16:35:35 2024 +0200

s3:notify: don't log 

[SCM] Samba Shared Repository - branch master updated

2024-04-22 Thread Andrew Bartlett
The branch, master has been updated
   via  c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper()
   via  dca6b2d2552 ldb:attrib_handlers: use ldb_ascii_toupper() in first 
loop
   via  078ecf486a6 ldb:pytests: test for Turkic i-dots in 
ldb_comparison_fold
   via  a75c98ad688 ldb:attrib_handlers: make ldb_comparison_Boolean more 
consistent
   via  7280c8e53f4 ldb-samba:ldif_handlers: dn_link_comparison: sort 
invalid DNs
   via  341b8fb60e2 ldb-samba:ldif_handlers: dn_link_comparison leaks less
   via  70356592563 ldb-samba:ldif_handlers: dn_link_comparison correctly 
sorts deleted objects
   via  11d5a809325 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
invalid DNs
   via  db963b1674e ldb-samba:ldif_handlers: dn_link_comparison semi-sorts 
deleted objects
   via  2d3b917d0a0 ldb-samba:ldif_handlers: extended_dn_read_Sid(): free 
on failure
   via  42f2d96f82a ldb-samba:ldif_handlers: ldif_read_objectSid(): free a 
thing on failure
   via  6722e80d1b3 ldb-samba: ldif-handlers: make 
ldif_comparison_objectSid() accurate
   via  4af670384a1 s4:dsdb: fix spelling in comment
   via  a9eaf8a3abe ldb: comment for ldb_dn_compare_base
   via  6229feab74a s4:rpcsrv:samr: improve a comment in compare_msgRid
   via  7be535315a5 s4:rpcsrv:dnsserver: make dns_name_compare transitive 
with NULLs
   via  31c322874b8 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
   via  7ba6fcb9365 lib/socket: rearrange iface_comp() to use NUMERIC_CMP
   via  acaa1323d03 gensec: sort_gensec uses NUMERIC_CMP
   via  75682e397b9 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
   via  8317a617364 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
   via  386216d4a15 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
   via  8b2605a5d9c s3:mod:posixacl_xattr: use NUMERIC_CMP in 
posixacl_xattr_entry_compare
   via  9b73235d495 s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
   via  5fe488d515a ldb:dn: make ldb_dn_compare() self-consistent
   via  531f31df993 ldb:sort: generalise both-NULL check to equality check
   via  d4e69734c65 ldb:sort: check that elements have values
   via  d785c1991c9 ldb:mod:sort: rearrange NULL checks
  from  20ce68f1594 tests/krb5: Test retrieving a denied gMSA password over 
an unsealed connection

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c49c48afe09a1a78989628bbffd49dd3efc154dd
Author: Douglas Bagnall 
Date:   Sat Apr 20 09:57:15 2024 +1200

ldb:utf8: ldb_ascii_toupper() avoids real toupper()

If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.

It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224

commit dca6b2d25529288eaf7b31baf37ca4f6de4f4b9d
Author: Douglas Bagnall 
Date:   Thu Apr 11 13:46:28 2024 +1200

ldb:attrib_handlers: use ldb_ascii_toupper() in first loop

In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.

Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 078ecf486a62dc3aaa2842ada96456ac9870dad7
Author: Douglas Bagnall 
Date:   Wed Apr 17 11:42:30 2024 +1200

ldb:pytests: test for Turkic i-dots in ldb_comparison_fold

In tr_TR and some other locales the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.

In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248 we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 
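
The folding rule argued for in the ldb:utf8 and ldb:attrib_handlers commit messages above (uppercase only ASCII a-z, never hand toupper() a possibly negative char or a fragment of a UTF-8 sequence), as an added example that is not ldb's code. The example_* function names and the sample string are assumptions made for this illustration.

```c
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not ldb's implementation): uppercase a-z only.
 * It never calls toupper(), so the result does not depend on LC_CTYPE
 * and a negative (signed) char is never used as a ctype argument.
 */
static char example_ascii_toupper(char c)
{
	if (c >= 'a' && c <= 'z') {
		return (char)(c - 'a' + 'A');
	}
	return c;
}

/*
 * Fold a byte buffer in place. Bytes with the top bit set are pieces of
 * multi-byte UTF-8 sequences and are left untouched.
 * Returns the number of bytes that were changed.
 */
static size_t example_ascii_fold(char *buf, size_t len)
{
	size_t i;
	size_t changed = 0;

	for (i = 0; i < len; i++) {
		char up = example_ascii_toupper(buf[i]);
		if (up != buf[i]) {
			buf[i] = up;
			changed++;
		}
	}
	return changed;
}

/*
 * Compare two length-delimited byte strings, ignoring ASCII case only.
 * Bytes are compared as unsigned char, so the ordering is the same
 * whether plain char is signed or unsigned. Returns -1, 0 or 1.
 */
static int example_ascii_casecmp(const char *a, size_t alen,
				 const char *b, size_t blen)
{
	size_t n = (alen < blen) ? alen : blen;
	size_t i;

	for (i = 0; i < n; i++) {
		unsigned char x = (unsigned char)example_ascii_toupper(a[i]);
		unsigned char y = (unsigned char)example_ascii_toupper(b[i]);
		if (x != y) {
			return (x < y) ? -1 : 1;
		}
	}
	if (alen == blen) {
		return 0;
	}
	return (alen < blen) ? -1 : 1;
}

int main(void)
{
	/* Constructed sample: "id=" followed by the UTF-8 bytes of U+20AC. */
	char sample[] = "id=\xE2\x82\xAC";
	size_t len = strlen(sample);
	size_t changed;

	/* Adopt the environment's locale; the fold must not care. */
	setlocale(LC_CTYPE, "");

	changed = example_ascii_fold(sample, len);
	printf("changed %zu of %zu bytes\n", changed, len);
	printf("guid vs GUID: %d\n",
	       example_ascii_casecmp("guid", 4, "GUID", 4));
	return 0;
}
```

Running it under different LC_CTYPE settings gives the same output, which is the property attribute names such as 'guid' need.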

[SCM] Samba Shared Repository - branch master updated

2024-04-21 Thread Jo Sutton
The branch, master has been updated
   via  20ce68f1594 tests/krb5: Test retrieving a denied gMSA password over 
an unsealed connection
   via  7ba61811592 s4:ldap_server: Update gMSA keys when 
DSDB_CONTROL_GMSA_UPDATE_OID control is specified
   via  24f109c59ff s4:dsdb:tests: Make use of ‘ldb’ parameter
   via  02d7ab13ee2 lib:crypto: Add more unit tests for GKDI functions
   via  b2d777a1ed2 s4:dsdb: Make use of 
DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
   via  118f3ba78fd s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS 
search flag
   via  9149d1d338f s4:kdc: Correctly extract older NT hash
   via  c6fec5156fe tests/krb5: Note that lockout tests use password checks
   via  ed371ff0fa1 tests/krb5: Fix malapropism
   via  a916928acaf s4:kdc: Remove unnecessary cast
   via  8dca32eba2c pyglue: Remove unnecessary declaration
   via  460b1935b96 s4:kdc: Fix grammar
   via  faba757175f auth:credentials: Remove unnecessary declaration
   via  b6b8f9539b8 auth:credentials: Fix code spelling
   via  56dd910b837 python: Reformat code
   via  e25c6a21208 s4-gmsa: Do not attempt password set on remote LDAP 
connections
   via  977f5753fc8 s4:dsdb: Add dsdb_update_gmsa_keys()
   via  245dc1f0f2b s4:dsdb: Move the responsibility for determining 
whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
   via  2f2d3b7cf28 s4:dsdb: Indicate to the LDAP server physical passwords 
that need to be refreshed
   via  99071bbcf4b s4:dsdb: Store found managed password ID as part of 
gMSA update structure
   via  8bcefaaa5c4 s4:dsdb: Store account DN as part of gMSA update 
structure
   via  6613aeca93a s4:dsdb: Only reuse the current password ID as the 
previous password ID when appropriate
   via  dcc5724ed75 s4:dsdb: Add a note that administrators should not set 
the clock too far in the future
   via  a397029813f s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to 
dsdb_search_dn()
   via  cdc63fa68d8 s4:dsdb: Explicitly return success error code
   via  1b765edbc95 tests/krb5: Add tests that gMSA keys are updated in the 
database when appropriate
   via  47c519af8e9 tests/krb5: Import MAX_CLOCK_SKEW more directly
   via  21d46f3ece3 tests/krb5: Extract method to unpack 
supplementalCredentials blob
   via  502070cd9a5 tests/krb5: Skip loop iteration if attribute has no 
values
   via  5eea17a71bd ldb: Check result of py_ldb_msg_keys()
  from  0159c48e897 ctdb-scripts: Do not de-duplicate the interfaces list

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 20ce68f15940b3e8d4d53c10a71729b16cfb3908
Author: Jo Sutton 
Date:   Fri Apr 19 14:16:03 2024 +1200

tests/krb5: Test retrieving a denied gMSA password over an unsealed 
connection

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Jo Sutton 
Autobuild-Date(master): Sun Apr 21 23:17:53 UTC 2024 on atb-devel-224

commit 7ba6181159215e99d8a0f2f3974ee0d46d146f35
Author: Jo Sutton 
Date:   Mon Apr 15 15:13:45 2024 +1200

s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control 
is specified

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 24f109c59ff22a8a1f22ba4cdc118795e7b4d512
Author: Jo Sutton 
Date:   Mon Apr 15 13:21:10 2024 +1200

s4:dsdb:tests: Make use of ‘ldb’ parameter

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 02d7ab13ee271448efe5715bdaaf5e6907d32e08
Author: Jo Sutton 
Date:   Mon Apr 15 12:19:12 2024 +1200

lib:crypto: Add more unit tests for GKDI functions

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit b2d777a1ed23dfb968057411f43e92334f55705b
Author: Jo Sutton 
Date:   Mon Apr 15 11:42:50 2024 +1200

s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 118f3ba78fd1135fb7b254d1a2bb152eb5759923
Author: Jo Sutton 
Date:   Tue Apr 9 16:24:43 2024 +1200

s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag

View with ‘git show -b’.

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 9149d1d338f109f2220f6408418a6db6f3c43a11
Author: Jo Sutton 
Date:   Thu Apr 11 17:17:54 2024 +1200

s4:kdc: Correctly extract older NT hash

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit c6fec5156fe20da6a424d7239ee234aed0aa96c0
Author: Jo Sutton 
Date:   Tue Apr 16 16:01:44 2024 +1200

tests/krb5: Note that lockout tests use password checks

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit ed371ff0fa1bf3f67ad72ee206b67a693266f4b2
Author: Jo Sutton 
Date:   Thu Apr 11 16:31:51 2024 +1200

tests/krb5: Fix malapropism

Signed-off-by: Jo Sutton 

[SCM] Samba Shared Repository - branch master updated

2024-04-18 Thread Martin Schwenke
The branch, master has been updated
   via  0159c48e897 ctdb-scripts: Do not de-duplicate the interfaces list
  from  7a5e7b82125 python: Fix NtVer check for site_dn_for_machine()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0159c48e897a7c07c399767f5ffddbb11d80ab5d
Author: Martin Schwenke 
Date:   Thu Apr 18 14:13:11 2024 +1000

ctdb-scripts: Do not de-duplicate the interfaces list

Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong.  The use of xargs causes
double-quotes to be lost.  The resulting $public_ifaces value also
contains newlines.  The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.

I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.

So, just drop the de-duplication.

This might make interface_ifindex_exists_with_options() slightly less
efficient.  However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.

Include an extra testcase.

Signed-off-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224

---

Summary of changes:
 ctdb/config/events/legacy/50.samba.script  |  1 -
 .../UNIT/eventscripts/50.samba.startup.012.sh  | 25 ++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100755 ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh


Changeset truncated at 500 lines:

diff --git a/ctdb/config/events/legacy/50.samba.script 
b/ctdb/config/events/legacy/50.samba.script
index 90de6a3f31b..c9d34cd2245 100755
--- a/ctdb/config/events/legacy/50.samba.script
+++ b/ctdb/config/events/legacy/50.samba.script
@@ -40,7 +40,6 @@ generate_smb_interfaces_config()
if [ -n "$CTDB_SAMBA_INTERFACES_EXTRA" ]; then
public_ifaces="$public_ifaces $CTDB_SAMBA_INTERFACES_EXTRA"
fi
-   public_ifaces=$(echo "$public_ifaces" | xargs -n 1 | sort -u)
 
 cat < "$CTDB_SAMBA_INTERFACES_FILE"
 bind interfaces only = yes
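
Review bot: Where the `sort -u` line is dropped, add a short comment above `public_ifaces="$public_ifaces $CTDB_SAMBA_INTERFACES_EXTRA"` saying that duplicates are deliberately kept. An interface that is already in $public_ifaces and is repeated in CTDB_SAMBA_INTERFACES_EXTRA is now written twice into $CTDB_SAMBA_INTERFACES_FILE. The commit message explains why that is acceptable, but nothing in the script does, so the de-duplication is likely to be re-added later together with the quote stripping.
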
diff --git a/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh 
b/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh
new file mode 100755
index 000..fb7627c5898
--- /dev/null
+++ b/ctdb/tests/UNIT/eventscripts/50.samba.startup.012.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "startup, with interfaces list generation"
+
+setup
+
+interfaces_file="${CTDB_TEST_TMP_DIR}/interfaces.conf"
+
+setup_script_options <
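
The quote loss described in the commit message above, shown as an added example that is not part of the commit or of the CTDB scripts. The sample interface list is constructed, and dedup_keep_quotes, count_quotes and count_lines are hypothetical helpers that assume no entry contains whitespace inside its quotes.

```shell
#!/bin/sh
# Added illustration; not code from the CTDB event scripts.

# Constructed sample: a plain interface, a double-quoted entry carrying
# options, and a duplicate of the first interface.
sample='eth0 "eth1;options=dynamic" eth0'

# The pipeline the commit removes. xargs applies its own quote parsing to
# its input, so the double quotes are consumed, and sort -u emits one
# entry per line, so the result contains newlines.
dedup_with_xargs() {
	echo "$1" | xargs -n 1 | sort -u
}

# Hypothetical alternative: split on whitespace only, keep the first
# occurrence of each entry in its original order and rejoin with single
# spaces. Assumes no entry has whitespace inside its quotes.
dedup_keep_quotes() {
	printf '%s\n' "$1" | awk '
		{
			for (i = 1; i <= NF; i++) {
				if (!seen[$i]++) {
					out = out (out == "" ? "" : " ") $i
				}
			}
		}
		END { print out }'
}

# Count the double-quote characters in a string.
count_quotes() {
	printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' '
}

# Count the lines a value would occupy when written to a file.
count_lines() {
	printf '%s\n' "$1" | wc -l | tr -d ' '
}

xargs_result=$(dedup_with_xargs "$sample")
awk_result=$(dedup_keep_quotes "$sample")

printf 'input : %s\n' "$sample"
printf 'xargs : quotes=%s lines=%s\n' \
	"$(count_quotes "$xargs_result")" "$(count_lines "$xargs_result")"
printf 'awk   : quotes=%s lines=%s value=%s\n' \
	"$(count_quotes "$awk_result")" "$(count_lines "$awk_result")" \
	"$awk_result"
```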

[SCM] Samba Shared Repository - branch master updated

2024-04-17 Thread Andreas Schneider
The branch, master has been updated
   via  7a5e7b82125 python: Fix NtVer check for site_dn_for_machine()
  from  cc7c12e5d5c lib: Remove an obsolete comment

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7a5e7b821259890dd2978e6f113f4a3dad110ea4
Author: Andreas Schneider 
Date:   Mon Apr 15 07:32:02 2024 +0200

python: Fix NtVer check for site_dn_for_machine()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

Signed-off-by: Andreas Schneider 
Reviewed-by: David Mulder 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224

---

Summary of changes:
 python/samba/gp/gpclass.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 08be472e707..d86aacec138 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -805,9 +805,7 @@ def site_dn_for_machine(samdb, dc_hostname, lp, creds, 
hostname):
 
 samlogon_response = ndr_unpack(nbt.netlogon_samlogon_response,
bytes(res.msgs[0]['Netlogon'][0]))
-if samlogon_response.ntver not in [nbt.NETLOGON_NT_VERSION_5EX,
-   (nbt.NETLOGON_NT_VERSION_1
-| nbt.NETLOGON_NT_VERSION_5EX)]:
+if not (samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX):
 raise RuntimeError('site_dn_for_machine: Invalid NtVer in '
+ 'netlogon_samlogon_response')
 
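
Review bot: The RuntimeError raised after the new `samlogon_response.ntver & nbt.NETLOGON_NT_VERSION_5EX` test should include the NtVer value that was received, for example formatted as hex, since the check now accepts any combination of bits that contains 5EX and the message is the only clue left when a server answers without that bit. The summary lists gpclass.py as the only file changed, so a test that feeds an NtVer with additional bits set would be worth adding alongside this fix.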


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-20-test updated

2024-04-17 Thread Jule Anger
The branch, v4-20-test has been updated
   via  83da49f3489 tests: Add a test for "all_groups=no" to test_idmap_ad.sh
   via  84f82a09ffd selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
   via  83701298384 s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
   via  8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad
  from  215bb9bd48e Do not fail checksums for RFC8009 types

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 83da49f348921a21a22ff93ffecbd638ff004541
Author: Pavel Filipenský 
Date:   Thu Mar 14 15:24:21 2024 +0100

tests: Add a test for "all_groups=no" to test_idmap_ad.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Tue Apr  2 13:25:39 UTC 2024 on atb-devel-224

(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Wed Apr 17 14:38:42 UTC 2024 on atb-devel-224

commit 84f82a09ffd1336bf79cffbe4caa3045aedbd16e
Author: Pavel Filipenský 
Date:   Mon Mar 25 22:38:18 2024 +0100

selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)

commit 837012983840d10488404fac2ebad07dd75a6f1c
Author: Pavel Filipenský 
Date:   Tue Mar 12 13:20:24 2024 +0100

s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad

The LDAP query of lookup_groupmem() returns all group members from AD,
even those with missing uidNumber.  Such group members are useless in
a UNIX environment for the idmap_ad backend since there is no uid mapping.

'test_user' is a member of group "Domain Users" with 200K members,
only 20K members have uidNumber set.

Without this fix:

$ time id test_user

real    1m5.946s
user    0m0.019s
sys     0m0.012s

With this fix:

$ time id test_user

real    0m3.544s
user    0m0.004s
sys     0m0.007s

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf)

commit 8857cf299792f50e5917319a38d450c068fa07f4
Author: Pavel Filipenský 
Date:   Wed Mar 13 13:55:41 2024 +0100

docs-xml: Add parameter all_groupmem to idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 
(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c)

---

Summary of changes:
 docs-xml/manpages/idmap_ad.8.xml | 10 ++
 nsswitch/tests/test_idmap_ad.sh  | 22 ++
 selftest/target/Samba3.pm|  1 +
 source3/winbindd/winbindd_ads.c  | 11 +++
 4 files changed, 40 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 32df8d066c2..c7fcc65d763 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -105,6 +105,16 @@



+   all_groupmem = yes/no
+   
+ If set to yes winbind will retrieve all
+ group members for getgrnam(3), getgrgid(3) and getgrent(3) 
calls,
+ including those with missing uidNumber.
+   
+   Default: no
+   
+   
+   
deny ous
This parameter is a list of OUs from
which objects will not be mapped via the ad idmap
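
Review bot: The new all_groupmem entry describes only the `yes` case, although the default is `no`. State explicitly that with `no` group members without a uidNumber are left out of getgrnam(3), getgrgid(3) and getgrent(3) results, because that is what every configuration that does not set the option will get.
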
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 7ae112ada71..1d4bd395ba9 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -94,6 +94,14 @@ gidNumber: 201
 unixHomeDirectory: /home/forbidden
 loginShell: /bin/tcsh
 gecos: User in forbidden OU
+
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: no_posix_id
+unixHomeDirectory: /home/no_posix_id
+loginShell: /bin/sh
+gecos: User without uidNumber and gidNumber
 EOF
 
 #
@@ -171,6 +179,17 @@ then
failed=$(($failed + 1))
 fi
 
+#
+# Test 6: Make sure that with the default "all_groups=no"
+# the group "domain users" will not show user "no_posix_id"
+# but will show "SAMBA2008R2/administrator"
+#
+
+dom_users="$DOMAIN/domain users"  # Extra step to make sure that all is 
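
Review bot: The comment block for Test 6 calls the option "all_groups=no", but the man page hunk in this same change documents it as all_groupmem. Use the documented name in the comment so the test can be found by searching for the parameter.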

[SCM] Samba Shared Repository - branch master updated

2024-04-17 Thread Martin Schwenke
The branch, master has been updated
   via  cc7c12e5d5c lib: Remove an obsolete comment
   via  80cd127b20f smbd: Remove sconn->using_smb2
   via  59d7850ffaf smbd: Add conn_using_smb2()
   via  f1bb46ad4e8 smbd: Change protocol selection to not use "sconn->using_smb2"
  from  7e621b1b530 ctdb: Modernize a few DEBUGs

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit cc7c12e5d5c74812e089b7f4bc5b0c78553ccf24
Author: Volker Lendecke 
Date:   Tue Mar 12 15:06:33 2024 +0100

lib: Remove an obsolete comment

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224

commit 80cd127b20f46bfece91316171958a054a78cb00
Author: Volker Lendecke 
Date:   Tue Feb 13 13:05:42 2024 +0100

smbd: Remove sconn->using_smb2

We have the same information available via conn_using_smb2()

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit 59d7850ffaf03ad00a9850683fab1b6e64be3e39
Author: Volker Lendecke 
Date:   Tue Feb 13 12:28:06 2024 +0100

smbd: Add conn_using_smb2()

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit f1bb46ad4e8b0b43ead60c70a463709892fd1779
Author: Volker Lendecke 
Date:   Tue Feb 13 12:56:17 2024 +0100

smbd: Change protocol selection to not use "sconn->using_smb2"

To me this is pretty confusing, it seems to overload this struct
element.

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

---

Summary of changes:
 lib/async_req/async_sock.c  |  7 ---
 source3/smbd/close.c|  2 +-
 source3/smbd/conn.c |  6 ++
 source3/smbd/conn_idle.c|  2 +-
 source3/smbd/dir.c  |  4 ++--
 source3/smbd/filename.c |  2 +-
 source3/smbd/globals.h  |  1 -
 source3/smbd/open.c |  4 ++--
 source3/smbd/proto.h|  1 +
 source3/smbd/smb1_process.c |  4 ++--
 source3/smbd/smb2_negprot.c |  2 --
 source3/smbd/smb2_nttrans.c |  2 +-
 source3/smbd/smb2_oplock.c  |  4 ++--
 source3/smbd/smb2_process.c | 27 ++-
 source3/smbd/smb2_service.c |  2 +-
 source3/smbd/smb2_trans2.c  | 15 ---
 16 files changed, 34 insertions(+), 51 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index bdbefd162ac..795a2c63dba 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -144,13 +144,6 @@ struct tevent_req *async_connect_send(
return tevent_req_post(req, ev);
}
 
-   /*
-* Note for historic reasons TEVENT_FD_WRITE is not enough
-* to get notified for POLLERR or EPOLLHUP even if they
-* come together with POLLOUT. That means we need to
-* use TEVENT_FD_READ in addition until we have
-* TEVENT_FD_ERROR.
-*/
state->fde = tevent_add_fd(ev, state, fd,
   TEVENT_FD_ERROR|TEVENT_FD_WRITE,
   async_connect_connected, req);
diff --git a/source3/smbd/close.c b/source3/smbd/close.c
index bbca474a28a..987a0ed5183 100644
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -1480,7 +1480,7 @@ static NTSTATUS close_directory(struct smb_request *req, 
files_struct *fsp,
 
SMB_ASSERT(fsp->fsp_flags.is_fsa);
 
-   if (fsp->conn->sconn->using_smb2) {
+   if (conn_using_smb2(fsp->conn->sconn)) {
notify_status = NT_STATUS_NOTIFY_CLEANUP;
} else {
notify_status = NT_STATUS_OK;
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index e6c1fa72dcb..b7a745a951e 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -84,6 +84,12 @@ enum protocol_types conn_protocol(struct 
smbd_server_connection *sconn)
return PROTOCOL_COREPLUS;
 }
 
+bool conn_using_smb2(struct smbd_server_connection *sconn)
+{
+   enum protocol_types proto = conn_protocol(sconn);
+   return (proto >= PROTOCOL_SMB2_02);
+}
+
 /
  Find first available connection slot, starting from a random position.
  The randomisation stops problems with the server dying and clients
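
Review bot: conn_using_smb2() needs a short comment, because its result depends on two things the reader has to work out. The comparison `proto >= PROTOCOL_SMB2_02` relies on the ordering of enum protocol_types, and the last return of conn_protocol() shown just above is PROTOCOL_COREPLUS, for which this helper yields false. Callers that used to read the sconn->using_smb2 flag now get a value derived from conn_protocol(), so say in the comment what the helper returns in that fallback case.
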
diff --git a/source3/smbd/conn_idle.c b/source3/smbd/conn_idle.c
index 870b2b717df..6eebdd363b1 100644
--- a/source3/smbd/conn_idle.c
+++ b/source3/smbd/conn_idle.c
@@ -238,7 +238,7 @@ static void conn_force_tdis_done(struct tevent_req *req)
return;
}
 
-   if (conn->sconn->using_smb2) {
+   if (conn_using_smb2(conn->sconn)) {
vuid = conn->vuid;
}
 
diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
index 49c37cbb4d9..76eb5756dc8 100644
--- a/source3/smbd/dir.c
+++ 

[SCM] Samba Shared Repository - branch master updated

2024-04-16 Thread Martin Schwenke
The branch, master has been updated
   via  7e621b1b530 ctdb: Modernize a few DEBUGs
   via  73e806c559d ctdb: Remove common/line.[ch]
   via  ba8f8ef33cd ctdb: Use stdio's getline() in ctdb_connection_list_read()
   via  4de14e27231 lib: Use fdopen_keepfd()
   via  b6f4acb9b46 rpc_server3: Use fdopen_keepfd()
   via  28335cdb5d7 lib: Add fdopen_keepfd()
   via  0baae61e423 lib: Give lib/util/util_file.c its own header file
   via  f42c5802faf ctdb-scripts: Add options to generate smb.conf interfaces include file
   via  56eeb058d2d ctdb-scripts: Rename and relocate function get_all_interfaces()
   via  ff3b92ffaed smbd-server: Process ip add/drop events for options:dynamic only
   via  c60fe03ef7d lib-interface: Change API for interface 'options'
   via  3edeb2bdce4 lib-interface: Add parsing for interface 'options'
   via  cfa846fa292 lib-interface: Add extra parameter 'options' to interface definition
   via  9fcb62cf22d param: Add additional key 'options' for interfaces
   via  916fabe7e83 smbd-server: Use MSG_SMB_IP_DROPPED
   via  644b50b05b2 messaging: Add new SMBD message
   via  4ef1eb92edc smbd-server: Handle ip drop event and close listening socket
   via  bca01b501cb smbd-server: Open socket for additional ip address
   via  961104262c6 lib-interface: Add new API to validate interface info for given interface index
   via  6f18422aadc lib-addrchange: Change API to fill up if_index value from netlink msg
   via  02a99126abf smbd-server: Set event callback for interface change notification
  from  7532c798d13 docs: Document new tdbdump -x option

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7e621b1b530f740bce8d2de084c0f710f1ddb437
Author: Volker Lendecke 
Date:   Thu Feb 29 16:11:16 2024 +0100

ctdb: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224

commit 73e806c559d8889026b2b14a8d22145bd1a2b430
Author: Volker Lendecke 
Date:   Fri Mar 1 21:19:51 2024 +0100

ctdb: Remove common/line.[ch]

This was an implementation of getline(3), use that instead.

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit ba8f8ef33cd99ea60fc2682727a5497995b5f569
Author: Volker Lendecke 
Date:   Fri Mar 1 21:16:57 2024 +0100

ctdb: Use stdio's getline() in ctdb_connection_list_read()

This is the only user of common/line.[ch], which can go next.

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit 4de14e2723139b488e69251e500f022f50f983e1
Author: Volker Lendecke 
Date:   Wed Apr 10 13:11:11 2024 +0200

lib: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit b6f4acb9b46773d61aaea242b67af90d40bc4c9c
Author: Volker Lendecke 
Date:   Wed Apr 10 13:08:06 2024 +0200

rpc_server3: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit 28335cdb5d72c63d52c83fe00a67b8aa28558677
Author: Volker Lendecke 
Date:   Wed Apr 10 13:07:56 2024 +0200

lib: Add fdopen_keepfd()

Capture the dup/fdopen pattern

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit 0baae61e4233bc812c65c3646b1acf15ef7bc22f
Author: Volker Lendecke 
Date:   Wed Apr 10 13:02:39 2024 +0200

lib: Give lib/util/util_file.c its own header file

Signed-off-by: Volker Lendecke 
Reviewed-by: Martin Schwenke 

commit f42c5802fafa61fe29a0b78c0247eb5a5c386c15
Author: Vinit Agnihotri 
Date:   Tue Jan 30 01:50:20 2024 -0800

ctdb-scripts: Add options to generate smb.conf interfaces include file

Signed-off-by: Vinit Agnihotri 
Reviewed-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 

commit 56eeb058d2d5fde17c461afe7fac2f0832993a8c
Author: Vinit Agnihotri 
Date:   Tue Jan 30 01:25:37 2024 -0800

ctdb-scripts: Rename and relocate function get_all_interfaces()

The get_all_interfaces() function gets all names for all public interfaces.
However, the name is misleading. Thus, it is renamed to get_public_ifaces() and
moved under functions.

Signed-off-by: Vinit Agnihotri 
Reviewed-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 

commit ff3b92ffaed64e8ecb250f0ad160210f511a39e2
Author: Vinit Agnihotri 
Date:   Tue Mar 5 03:03:25 2024 -0800

smbd-server: Process ip add/drop events for options:dynamic only

Signed-off-by: Vinit Agnihotri 
Reviewed-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 

commit c60fe03ef7d09f98b2c91669e0ecbd880c72fa0e
Author: Vinit Agnihotri 
Date:   Tue Mar 5 02:32:23 2024 -0800

lib-interface: Change API for interface 'options'

Signed-off-by: Vinit Agnihotri 

[SCM] Samba Shared Repository - branch master updated

2024-04-16 Thread Christof Schmitt
The branch, master has been updated
   via  7532c798d13 docs: Document new tdbdump -x option
   via  1a55ee1107b tdb: Add test for tdbdump -x
   via  5f5290c2714 tdb: Add tdbdump option to output all data as hex values
   via  f6a47de2dbd tdb: Add test for tdbdump command
   via  3d290e31523 tdb: Return failure as exit status from test_tdbbackup.sh
  from  48493735e2d s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7532c798d137daa28bd2f9b440cd44af96275787
Author: Christof Schmitt 
Date:   Thu Mar 7 16:41:11 2024 -0700

docs: Document new tdbdump -x option

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Christof Schmitt 
Autobuild-Date(master): Tue Apr 16 18:37:17 UTC 2024 on atb-devel-224

commit 1a55ee1107bf76d49eaef7545c6f88511bf1d34e
Author: Christof Schmitt 
Date:   Fri Apr 12 15:48:02 2024 -0700

tdb: Add test for tdbdump -x

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 5f5290c27140cbea2b9ab9b080a69ff691653b52
Author: Christof Schmitt 
Date:   Thu Mar 7 16:38:53 2024 -0700

tdb: Add tdbdump option to output all data as hex values

This can be useful for debugging tdb databases, the hex output of the
key can be used for "net tdb" or ctdb commands.

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit f6a47de2dbdb04096cf4bf147d149317cec3a235
Author: Christof Schmitt 
Date:   Fri Apr 12 15:44:38 2024 -0700

tdb: Add test for tdbdump command

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 3d290e31523b5d6c6b6c05cbda2e42983b3bdbb0
Author: Christof Schmitt 
Date:   Fri Apr 12 15:22:06 2024 -0700

tdb: Return failure as exit status from test_tdbbackup.sh

When this test is called from wscript, only the exit code is checked.
Track failures and return as non-zero exit code.

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/tdb/man/tdbdump.8.xml  |  8 ++
 lib/tdb/test/sample_tdb.txt| 12 +
 lib/tdb/test/sample_tdb_x.txt  | 12 +
 lib/tdb/test/test_tdbbackup.sh | 15 ---
 lib/tdb/test/test_tdbdump.sh   | 58 ++
 lib/tdb/tools/tdbdump.c| 51 +
 lib/tdb/wscript|  3 ++-
 7 files changed, 138 insertions(+), 21 deletions(-)
 create mode 100644 lib/tdb/test/sample_tdb.txt
 create mode 100644 lib/tdb/test/sample_tdb_x.txt
 create mode 100755 lib/tdb/test/test_tdbdump.sh


Changeset truncated at 500 lines:

diff --git a/lib/tdb/man/tdbdump.8.xml b/lib/tdb/man/tdbdump.8.xml
index 31e662e..442f36fbcd6 100644
--- a/lib/tdb/man/tdbdump.8.xml
+++ b/lib/tdb/man/tdbdump.8.xml
@@ -23,6 +23,7 @@
-k keyname
-e
-h
+   -x
filename

 
@@ -69,6 +70,13 @@


 
+   
+   -x
+   
+   The -x changes the output data to a hex 
dump, from the default mix of ASCII and hex dump.
+   
+   
+

 
 
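
Review bot: The new description "The -x changes the output data to a hex dump" is missing the word "option" and leaves open whether keys are affected. The sample_tdb_x.txt file added in this change shows both key and data printed as hex, so word it along the lines of "Output keys and data entirely as hex, instead of the default mix of ASCII and hex".
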
diff --git a/lib/tdb/test/sample_tdb.txt b/lib/tdb/test/sample_tdb.txt
new file mode 100644
index 000..b9e028353e2
--- /dev/null
+++ b/lib/tdb/test/sample_tdb.txt
@@ -0,0 +1,12 @@
+{
+key(11) = "nbt_server\00"
+data(35) = "972.2147483648/1085706313786795392\00"
+}
+{
+key(15) = "winbind_server\00"
+data(25) = "977/12826542715097898407\00"
+}
+{
+key(14) = "notify-daemon\00"
+data(24) = "992/6389638235474936598\00"
+}
diff --git a/lib/tdb/test/sample_tdb_x.txt b/lib/tdb/test/sample_tdb_x.txt
new file mode 100644
index 000..dbba20b4813
--- /dev/null
+++ b/lib/tdb/test/sample_tdb_x.txt
@@ -0,0 +1,12 @@
+{
+key(11) = "6E62745F73657276657200"
+data(35) = 
"3937322E323134373438333634382F3130383537303633313337383637393533393200"
+}
+{
+key(15) = "77696E62696E645F73657276657200"
+data(25) = "3937372F313238323635343237313530393738393834303700"
+}
+{
+key(14) = "6E6F746966792D6461656D6F6E00"
+data(24) = "3939322F3633383936333832333534373439333635393800"
+}
diff --git a/lib/tdb/test/test_tdbbackup.sh b/lib/tdb/test/test_tdbbackup.sh
index 8552ea1029b..7bc025ca42b 100755
--- a/lib/tdb/test/test_tdbbackup.sh
+++ b/lib/tdb/test/test_tdbbackup.sh
@@ -8,6 +8,7 @@ if [ $# -lt 1 ]; then
 fi
 
 LDBFILE=$1
+failed=0
 
 timestamp()
 {
@@ -42,16 +43,22 @@ testit()
 
 $BINDIR/tdbdump $LDBFILE | sort >orig_dump
 
-testit "normal tdbbackup on tdb file" $BINDIR/tdbbackup $LDBFILE -s .bak
+testit "normal tdbbackup on tdb file" $BINDIR/tdbbackup $LDBFILE -s .bak  \
+   || failed=$((failed + 1))
 $BINDIR/tdbdump $LDBFILE.bak | sort 
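
Review bot: Only the testit calls feed the new `failed` counter; the `$BINDIR/tdbdump $LDBFILE | sort >orig_dump` line just above them still cannot fail the test, because the status of that pipeline is the status of sort. Since the point of this change is that only the exit code is checked, dump to a file first, count a failure if tdbdump returns non-zero, and sort afterwards. Quoting "$LDBFILE" in these lines would also keep the test working for paths with spaces.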

[SCM] Samba Shared Repository - branch v4-20-test updated

2024-04-16 Thread Jule Anger
The branch, v4-20-test has been updated
   via  215bb9bd48e Do not fail checksums for RFC8009 types
   via  db60a1947b8 s4:dns_server: less noisy, more informative debug messages
   via  9155d89a2ae packaging: Provide a systemd service file for samba-bgqd
  from  077f39baf7c libcli/http: Detect unsupported Transfer-encoding type

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 215bb9bd48e9aae04ff39633f6dd9255a989bf98
Author: Alexander Bokovoy 
Date:   Thu Jun 22 09:56:12 2023 +0300

Do not fail checksums for RFC8009 types

While Active Directory does not yet support RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635

Signed-off-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 8e931fce126e8c1128da893c806702731c08758a)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224

commit db60a1947b88a8ddb289f63ac22a6d7b1500f0df
Author: Douglas Bagnall 
Date:   Thu Apr 11 11:52:14 2024 +1200

s4:dns_server: less noisy, more informative debug messages

This shouldn't have been DBG_ERR, and it might as well say something
about the tombstone.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224

(cherry picked from commit dde973d170e479632d1a411279f4f0fad6608539)

commit 9155d89a2ae04f45d809c46129687c6f5a510a0d
Author: Andreas Schneider 
Date:   Mon Mar 4 10:58:23 2024 +0100

packaging: Provide a systemd service file for samba-bgqd

There might be scenarios where the background queue daemon should be
running all the time instead of being started on demand. This especially
makes sense for bigger printing servers with a lot of printers. It
takes ~1 sec to get a printer from cups, so a print server with 100
printers needs 100 seconds to update the printer_list.tdb. The service
will be killed because of idle in the meantime.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600

Signed-off-by: Andreas Schneider 
Reviewed-by: Guenther Deschner 
(cherry picked from commit c97071726e163b40f0e391af70e81b3e6c1ab0eb)

---

Summary of changes:
 auth/kerberos/kerberos_pac.c   | 47 +-
 lib/krb5_wrap/krb5_samba.h | 28 +
 .../{samba.service.in => samba-bgqd.service.in}|  9 ++---
 packaging/wscript_build|  3 +-
 source4/dns_server/dnsserver_common.c  |  9 +++--
 5 files changed, 67 insertions(+), 29 deletions(-)
 copy packaging/systemd/{samba.service.in => samba-bgqd.service.in} (50%)


Changeset truncated at 500 lines:

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index ae4557bbd6f..b6272ac15eb 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -33,6 +33,7 @@
 #include "librpc/gen_ndr/auth.h"
 #include "auth/common_auth.h"
 #include "auth/kerberos/pac_utils.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
  struct PAC_SIGNATURE_DATA *sig,
@@ -44,26 +45,34 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_keyusage usage = 0;
krb5_boolean checksum_valid = false;
krb5_data input;
-
-   switch (sig->type) {
-   case CKSUMTYPE_HMAC_MD5:
-   /* ignores the key type */
-   break;
-   case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-   if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) 
{
-   return EINVAL;
-   }
-   /* ok */
-   break;
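
Review bot: Check that whatever replaces the removed `switch (sig->type)` keeps the binding between checksum type and key type. The deleted case for CKSUMTYPE_HMAC_SHA1_96_AES_256 returned EINVAL when KRB5_KEY_TYPE(keyblock) was not ENCTYPE_AES256_CTS_HMAC_SHA1_96, and the replacement code is cut off in this mail. In the full patch, each newly accepted RFC 8009 checksum type should be matched against the corresponding enctype in the same way, and a sig->type that is not recognised should be rejected before the checksum is verified.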

[SCM] Samba Shared Repository - branch master updated

2024-04-16 Thread Andreas Schneider
The branch, master has been updated
   via  48493735e2d s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
  from  532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 48493735e2d2091740fe784cf07a4258dfc0b512
Author: Shaleen Bathla 
Date:   Wed Apr 10 18:31:39 2024 +0530

s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs

Add missing free for entry variable and its members: key and principal.
Found definite memory leaks via valgrind as shown below.

Leak 1:
==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
==1686==    by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Leak 2:
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
==1686==    by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Signed-off-by: Shaleen Bathla 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/winbindd/winbindd_pam.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 6c890c8acd5..e7d64189b7e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX 
*mem_ctx, DATA_BLOB pac_blob,
 NULL, /* client_principal */
 0, /* tgs_authtime */
 p_pac_data);
+   (void)smb_krb5_kt_free_entry(krbctx, );
if (NT_STATUS_IS_OK(status)) {
break;
}
-   k5ret = smb_krb5_kt_free_entry(krbctx, );
k5ret = krb5_kt_next_entry(krbctx, keytab, , );
}
+   if (k5ret != 0 && k5ret != KRB5_KT_END) {
+   DEBUG(1, ("Failed to get next entry: %s\n",
+ error_message(k5ret)));
+   (void)smb_krb5_kt_free_entry(krbctx, );
+   }
 
k5ret = krb5_kt_end_seq_get(krbctx, keytab, );
if (k5ret) {
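
Review bot: The second smb_krb5_kt_free_entry() call, inside the new `if (k5ret != 0 && k5ret != KRB5_KT_END)` block after the loop, runs on an entry that is not known to hold live allocations. The loop body now frees the entry on every iteration before the `NT_STATUS_IS_OK(status)` check, so when krb5_kt_next_entry() later fails the entry is either the one already freed or one that the failed call never filled in. Unless smb_krb5_kt_free_entry() is guaranteed to be safe on such an entry, drop the call from the error block or zero the entry after each free in the loop, and keep only the DEBUG message there.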


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-04-15 Thread Andrew Bartlett
The branch, master has been updated
   via  532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute
   via  ddcf20b518c s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
   via  be0029cff4a python:tests: Catch failures to authenticate with gMSA managed passwords
   via  a52239af9df selftest: Expand out knownfails for gMSA getpassword tests
   via  6f9281b028c s4:dsdb: Set up passwords and password IDs of new gMSAs
   via  85fbdcd048f s4:dsdb: Add functions for Group Managed Service Accounts implementation
   via  85d34934e13 s4:dsdb: Factor out a function to remove all password related attributes
   via  7b7fdfbce3c lib:crypto: Reformat source code
   via  bb5ca9f466f tests/krb5: Add tests for gMSAs
   via  42710f0455c python:nt_time: Add NT_TIME_MAX constant
   via  c6ed19ad1a7 python:gkdi: Reformat code with ‘ruff’
   via  5aaebb537e3 python:gkdi: Add Gkdi.from_key_envelope() method
   via  0c0a25d0b2d python:gkdi: Add notes on GKDI time periods
   via  13815813341 tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
   via  b64a02d5b5a tests/gkdi: Remove implicit clock skew offset
   via  13dcf7f74c2 tests/gkdi: Allow current time to be overridden
   via  6d20d436dee tests/krb5: Make use of ‘expect_edata’ parameter
   via  1f4e1c026d9 tests/krb5: Remove unused variable
   via  586c4ec718c tests/krb5: Fix code spelling
   via  5656fd2ff2b tests/krb5: Remove unused import
   via  4b6f65a4a25 python:tests: Fix typo
   via  5379956bd44 python:tests: Reformat code
   via  ae39a15b518 python:tests: Fix set declaration
   via  ea83bb84b98 python:tests: Replace deprecated method assertRaisesRegexp()
   via  ff8e98daf1c s4:ldap_server: Consider ldapi connections to be encrypted
   via  c63cabf1e09 s4:ldap_server: Store whether an LDAP connection is over ldapi
   via  c2378d0c6f3 s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
   via  ec6579829f9 s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
   via  7df4bdd0fe7 s4:ldap_server: Fix code spelling
   via  1a6dbcfb105 s4:ldap_server: Remove trailing whitespace
   via  c9370d3ced2 selftest: Move some KDS root key tests around to prepare for gMSA server side
   via  bd60c605ca1 selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv
   via  aa6795b32ff s3:auth: Add support standalone server with MIT Kerberos 1.21
   via  b58395e5c37 s3:auth: Split auth3_generate_session_info_pac() into functions
   via  20c546f928d s3:auth: Re-format auth3_generate_session_info_pac()
   via  cdb31d7e45b s3:auth: Remove trailing spaces
  from  75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 532789b4f3f0efe5350089391a97f24296f3be90
Author: Jo Sutton 
Date:   Tue Feb 13 15:45:21 2024 +1300

s4:dsdb: Implement msDS-ManagedPassword attribute

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224

commit ddcf20b518c676140d83052bf0b79628a9299012
Author: Jo Sutton 
Date:   Tue Apr 9 16:15:48 2024 +1200

s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit be0029cff4af5c7ef0fb54bdf18fbcb7165572eb
Author: Jo Sutton 
Date:   Tue Apr 9 14:09:17 2024 +1200

python:tests: Catch failures to authenticate with gMSA managed passwords

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit a52239af9dff958fb26c7bf5242a3f9e9b4fc3a2
Author: Jo Sutton 
Date:   Tue Apr 9 13:55:58 2024 +1200

selftest: Expand out knownfails for gMSA getpassword tests

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 6f9281b028ca6a8f392a1c0fff02ba9af5c0072f
Author: Jo Sutton 
Date:   Fri Apr 5 13:23:18 2024 +1300

s4:dsdb: Set up passwords and password IDs of new gMSAs

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 85fbdcd048fefc5c7edca709855e7510f3085a9a
Author: Jo Sutton 
Date:   Tue Feb 13 16:09:57 2024 +1300

s4:dsdb: Add functions for Group Managed Service Accounts implementation

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 85d34934e1348e4b09591499f6080b2867b9c99d
Author: Jo Sutton 
Date:   Tue Apr 9 12:15:00 2024 +1200

s4:dsdb: Factor out a function to remove all password related attributes

Signed-off-by: Jo Sutton 
Reviewed-by: Andrew Bartlett 

commit 7b7fdfbce3c2b6f86399fb585e334a78fe696423
Author: Jo Sutton 
Date:   Tue Apr 2 10:33:27 2024 +1300

lib:crypto: Reformat source code


[SCM] Samba Shared Repository - branch master updated

2024-04-15 Thread Pavel Filipensky
The branch, master has been updated
   via  75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default
  from  eb59d7c9b04 s3:libsmb: Fix panic in cliconnect.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 75a4fbbf6a340defc884861bc71c5103f16e8d9e
Author: Pavel Filipenský 
Date:   Thu Apr 11 13:01:28 2024 +0200

smbdotconf: Enable "winbind debug traceid" by default

The traceid debug header field is a useful feature, let's make it
default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15631

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Mon Apr 15 18:47:41 UTC 2024 on atb-devel-224

---

Summary of changes:
 docs-xml/smbdotconf/logging/debugtraceid.xml | 2 +-
 lib/param/loadparm.c | 1 +
 source3/param/loadparm.c | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/logging/debugtraceid.xml 
b/docs-xml/smbdotconf/logging/debugtraceid.xml
index 61a451da3e7..7646208af48 100644
--- a/docs-xml/smbdotconf/logging/debugtraceid.xml
+++ b/docs-xml/smbdotconf/logging/debugtraceid.xml
@@ -9,5 +9,5 @@
 
 
 
-no
+yes
 
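Review bot: the documented default flips from no to yes in this hunk, but the summary of changes lists only this file and the two loadparm.c files, so there is no release-note entry for the change. The commit message says traceid is a debug header field, which means winbind log lines change shape after an upgrade; add an smb.conf-changes entry in WHATSNEW.txt naming the parameter and its new default so administrators who parse those logs are told.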
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6ef29ed9656..0984ca7195b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2707,6 +2707,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "debug pid", "No");
lpcfg_do_global_parameter(lp_ctx, "debug uid", "No");
lpcfg_do_global_parameter(lp_ctx, "debug class", "No");
+   lpcfg_do_global_parameter(lp_ctx, "winbind debug traceid", "Yes");
 
lpcfg_do_global_parameter(lp_ctx, "server role", "auto");
lpcfg_do_global_parameter(lp_ctx, "domain logons", "No");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 797baa66309..a67fc8cf51e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -952,6 +952,8 @@ void loadparm_s3_init_globals(struct loadparm_context 
*lp_ctx,
 
Globals.kdc_enable_fast = true;
 
+   Globals.winbind_debug_traceid = true;
+
Globals.aio_max_threads = 100;
 
lpcfg_string_set(Globals.ctx,
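Review bot: the new default is now stated in three places that have to agree: `Globals.winbind_debug_traceid = true` here, the "Yes" string passed to lpcfg_do_global_parameter() in lib/param/loadparm.c, and the value in debugtraceid.xml. The patch adds no test of the parsed default, so a short comment at this assignment pointing at the other two locations, or an assertion on the loaded value in an existing parameter test, would keep a later change from updating only one of them.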


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-04-15 Thread Pavel Filipensky
The branch, master has been updated
   via  eb59d7c9b04 s3:libsmb: Fix panic in cliconnect.c
  from  dde973d170e s4:dns_server: less noisy, more informative debug 
messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit eb59d7c9b04275574deab3e5489dc2e5d05e4bbb
Author: Pavel Filipenský 
Date:   Fri Apr 12 14:57:11 2024 +0200

s3:libsmb: Fix panic in cliconnect.c

This command line panics:

$ bin/rpcclient ncacn_np: -c epmlookup

0  __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
1  0x764ae8a3 in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78
2  0x7645c8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
3  0x764448ff in __GI_abort () at abort.c:79
4  0x77b01524 in tevent_req_is_nterror (req=0x55728610, status=0x7fff9bb4) at ../../lib/util/tevent_ntstatus.c:66
5  0x77b9fd91 in cli_connect_nb_recv (req=0x55728610, pcli=0x556fcb18) at ../../source3/libsmb/cliconnect.c:2731
6  0x77ba02a8 in cli_start_connection_connected (subreq=0x55728610) at ../../source3/libsmb/cliconnect.c:2882
7  0x77aecb1a in _tevent_req_notify_callback (req=0x55728610, location=0x77bde0e0 "../../source3/libsmb/cliconnect.c:2686") at ../../lib/tevent/tevent_req.c:177
8  0x77aeccab in tevent_req_finish (req=0x55728610, state=TEVENT_REQ_USER_ERROR, location=0x77bde0e0 "../../source3/libsmb/cliconnect.c:2686") at ../../lib/tevent/tevent_req.c:234
9  0x77aecdda in tevent_req_trigger (ev=0x557182e0, im=0x55728720, private_data=0x55728610) at ../../lib/tevent/tevent_req.c:291
10 0x77aeb513 in tevent_common_invoke_immediate_handler (im=0x55728720, removed=0x0) at ../../lib/tevent/tevent_immediate.c:190
11 0x77aeb685 in tevent_common_loop_immediate (ev=0x557182e0) at ../../lib/tevent/tevent_immediate.c:236
12 0x77af7502 in epoll_event_loop_once (ev=0x557182e0, location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent_epoll.c:905
13 0x77af2d22 in std_event_loop_once (ev=0x557182e0, location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent_standard.c:110
14 0x77ae93ab in _tevent_loop_once (ev=0x557182e0, location=0x77af8ac0 "../../lib/tevent/tevent_req.c:342") at ../../lib/tevent/tevent.c:820
15 0x77aecf9e in tevent_req_poll (req=0x55728290, ev=0x557182e0) at ../../lib/tevent/tevent_req.c:342
16 0x77b01647 in tevent_req_poll_ntstatus (req=0x55728290, ev=0x557182e0, status=0x7fff9f4c) at ../../lib/util/tevent_ntstatus.c:109
17 0x77ba246a in cli_full_connection_creds (output_cli=0x7fffa220, my_name=0x55701990 "CLUSTEREDMEMBER", dest_host=0x0, dest_ss=0x0, port=0, service=0x556981d1 "IPC$", service_type=0x556981d6 "IPC", creds=0x556fa410, flags=4096) at ../../source3/libsmb/cliconnect.c:3807
18 0x55619ae9 in main (argc=4, argv=0x7fffa3e8) at ../../source3/rpcclient/rpcclient.c:1308

tevent_req_is_nterror() expects error set by tevent_req_nterror()
- to have TEVENT_NTERROR_MAGIC, otherwise it calls abort().

Signed-off-by: Pavel Filipenský 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Mon Apr 15 14:55:21 UTC 2024 on atb-devel-224

---

Summary of changes:
 source3/libsmb/cliconnect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 61e35042586..d42f08fbb1a 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2683,7 +2683,7 @@ static struct tevent_req *cli_connect_nb_send(
}
} else {
/* No host or dest_ss given. Error out. */
-   tevent_req_error(req, EINVAL);
+   tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev);
}
 
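Review bot: the one-line swap in the `else` branch ships without a regression test, although the commit message already carries a reproducer (`bin/rpcclient ncacn_np: -c epmlookup`) that would make a cheap blackbox test for the "no host or dest_ss" path. Because the backtrace shows cli_connect_nb_recv() reading the result through tevent_req_is_nterror(), which aborts on an error not set via tevent_req_nterror(), it is also worth confirming that no other error path in cli_connect_nb_send() outside this hunk still calls tevent_req_error().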


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-04-12 Thread Andreas Schneider
The branch, master has been updated
   via  dde973d170e s4:dns_server: less noisy, more informative debug 
messages
  from  81598b42455 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dde973d170e479632d1a411279f4f0fad6608539
Author: Douglas Bagnall 
Date:   Thu Apr 11 11:52:14 2024 +1200

s4:dns_server: less noisy, more informative debug messages

This shouldn't have been DBG_ERR, and it might as well say something
about the tombstone.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224

---

Summary of changes:
 source4/dns_server/dnsserver_common.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dns_server/dnsserver_common.c 
b/source4/dns_server/dnsserver_common.c
index d82e309f982..1cbd7d94593 100644
--- a/source4/dns_server/dnsserver_common.c
+++ b/source4/dns_server/dnsserver_common.c
@@ -1034,10 +1034,11 @@ WERROR dns_common_replace(struct ldb_context *samdb,
 * record.
 */
if (records[i].data.EntombedTime != 0) {
-   if (rec_count != 1) {
-   DBG_ERR("tombstone record has %u 
neighbour "
-   "records.\n",
-   rec_count - 1);
+   if (rec_count != 1 && DEBUGLVL(DBGLVL_NOTICE)) {
+   DBG_NOTICE("tombstone record [%u] has "
+  "%u neighbour records.\n",
+  i, rec_count - 1);
+   NDR_PRINT_DEBUG(dnsp_DnssrvRpcRecord, 
[i]);
}
was_tombstoned = true;
}
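Review bot: folding `DEBUGLVL(DBGLVL_NOTICE)` into `if (rec_count != 1 && ...)` ties a data condition to the configured log level, which is safe only while the body contains nothing but logging. Nest the level check inside a plain `if (rec_count != 1)` so that anything later added for the tombstone-with-neighbours case is not silently skipped at lower debug levels. The new `%u` for `i` also assumes an unsigned index; the declaration is outside the hunk, so check that it matches.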


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-20-test updated

2024-04-11 Thread Jule Anger
The branch, v4-20-test has been updated
   via  077f39baf7c libcli/http: Detect unsupported Transfer-encoding type
   via  2fb1bf0205f selftest: Add new test for testing non-chunk transfer 
encoding
   via  30bf3d1430f selftest: fix potential reference before assigned error
   via  a70e3a36c82 libcli/http: Handle http chunked transfer encoding
   via  7e17e4809d5 tests: add test for chunked encoding with http cli 
library
   via  26206392153 libcli/http: Optimise reading for content-length
   via  71eac5a065f selftest: Add basic content-lenght http tests
   via  19250e13ab6 Add simple http_client for use in black box tests (in 
following commits)
  from  eaefe50327d VERSION: Bump version up to Samba 4.20.1...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test


- Log -
commit 077f39baf7cc7f4e4ee8709d48b1cb23b8736c1c
Author: Noel Power 
Date:   Thu Mar 28 10:48:58 2024 +

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137)

Autobuild-User(v4-20-test): Jule Anger 
Autobuild-Date(v4-20-test): Thu Apr 11 12:24:08 UTC 2024 on atb-devel-224

commit 2fb1bf0205f9b5f72d8e1f51e55cf86997639a46
Author: Noel Power 
Date:   Thu Mar 28 09:16:33 2024 +

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 93709d31590d4ca25fbac813b9e499755b81ddb5)

commit 30bf3d1430f96a42c7b90ef215daa33b427da8b9
Author: Noel Power 
Date:   Thu Mar 28 09:09:02 2024 +

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit efdbf0511e0a89f865210170001fbebf17a45278)

commit a70e3a36c8244a324f5e8fa7b138dae5684055e0
Author: Noel Power 
Date:   Mon Mar 25 19:44:10 2024 +

libcli/http: Handle http chunked transfer encoding

Also removes the knownfail for the chunked transfer test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348)

commit 7e17e4809d593e1ce2d51583a351b38300a20e2a
Author: Noel Power 
Date:   Thu Sep 23 12:18:22 2021 +0100

tests: add test for chunked encoding with http cli library

Adds http test client to exercise the http client library
and a blackbox test to run the client. This client is built
only with selftest

also adds a knownfail for the test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 30acd609f560352d3edb0c931b9a864110025b2c)

commit 26206392153248fb2be1ec95a2e3ac14f9356125
Author: Noel Power 
Date:   Fri Mar 22 08:55:49 2024 +

libcli/http: Optimise reading for content-length

Instead of reading byte-by-byte we know the content length we
want to read so let's use it.

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7)

commit 71eac5a065fac4023601b067b850d209a7dec149
Author: Noel Power 
Date:   Mon Mar 25 16:25:55 2024 +

selftest: Add basic content-lenght http tests

very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10)

commit 19250e13ab6c654405baf7c7d9c18f514ceade0f
Author: Noel Power 
Date:   Mon Mar 25 19:21:54 2024 +

Add simple http_client for use in black box tests (in following commits)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9)

---

Summary of changes:
 libcli/http/http.c  | 309 +++--
 libcli/http/http_internal.h |   4 +
 

[SCM] Samba Shared Repository - branch v4-19-test updated

2024-04-11 Thread Jule Anger
The branch, v4-19-test has been updated
   via  2930a1955bf libcli/http: Detect unsupported Transfer-encoding type
   via  65bb329e166 selftest: Add new test for testing non-chunk transfer 
encoding
   via  a269412c71e selftest: fix potential reference before assigned error
   via  cbd4a6633c6 libcli/http: Handle http chunked transfer encoding
   via  57757be4dfd tests: add test for chunked encoding with http cli 
library
   via  a05d96e4b96 libcli/http: Optimise reading for content-length
   via  c27ad381b39 selftest: Add basic content-lenght http tests
   via  6636ec3bb2a Add simple http_client for use in black box tests (in 
following commits)
  from  4b7785226ad VERSION: Bump version up to Samba 4.19.7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit 2930a1955bfac736754783ef54a0c1083d8ea161
Author: Noel Power 
Date:   Thu Mar 28 10:48:58 2024 +

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137)

Autobuild-User(v4-19-test): Jule Anger 
Autobuild-Date(v4-19-test): Thu Apr 11 10:50:52 UTC 2024 on atb-devel-224

commit 65bb329e1668499e1d58b2fca69908990293dd16
Author: Noel Power 
Date:   Thu Mar 28 09:16:33 2024 +

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 93709d31590d4ca25fbac813b9e499755b81ddb5)

commit a269412c71ee05019b3ab8a38bcea727963ae22b
Author: Noel Power 
Date:   Thu Mar 28 09:09:02 2024 +

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit efdbf0511e0a89f865210170001fbebf17a45278)

commit cbd4a6633c6e88bb2e5d6b5162016c7f9fb94332
Author: Noel Power 
Date:   Mon Mar 25 19:44:10 2024 +

libcli/http: Handle http chunked transfer encoding

Also removes the knownfail for the chunked transfer test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348)

commit 57757be4dfd50d640c20ef91f3e4f425f72067d4
Author: Noel Power 
Date:   Thu Sep 23 12:18:22 2021 +0100

tests: add test for chunked encoding with http cli library

Adds http test client to exercise the http client library
and a blackbox test to run the client. This client is built
only with selftest

also adds a knownfail for the test

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 30acd609f560352d3edb0c931b9a864110025b2c)

commit a05d96e4b967e26c92b1f175a1e9d11b54b339c7
Author: Noel Power 
Date:   Fri Mar 22 08:55:49 2024 +

libcli/http: Optimise reading for content-length

Instead of reading byte-by-byte we know the content length we
want to read so let's use it.

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
(cherry picked from commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7)

commit c27ad381b393a437fd241405f7156997d343650c
Author: Noel Power 
Date:   Mon Mar 25 16:25:55 2024 +

selftest: Add basic content-lenght http tests

very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10)

commit 6636ec3bb2aa6e7b2fb86787f814a934d545adfb
Author: Noel Power 
Date:   Mon Mar 25 19:21:54 2024 +

Add simple http_client for use in black box tests (in following commits)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9)

---

Summary of changes:
 libcli/http/http.c  | 309 +++--
 libcli/http/http_internal.h |   4 +
 

[SCM] Samba Shared Repository - branch master updated

2024-04-10 Thread Andrew Bartlett
The branch, master has been updated
   via  81598b42455 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
   via  e35d54fd4d3 s3:util:sharesec ace_compare() uses NUMERIC_CMP()
   via  31101a9fa15 s3:smbcacls: use NUMERIC_CMP in ace_compare
   via  5e99262aaf5 s3:util:net_registry: registry_value_cmp() uses 
NUMERIC_CMP()
   via  a197be2003d s4:wins: use NUMERIC_CMP in 
nbtd_wins_randomize1Clist_sort()
   via  d8b97649ef4 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
   via  66d47537e42 s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
   via  42ead213484 s4:dns_server: use NUMERIC_CMP in rec_cmp()
   via  ed3ab87bdb0 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
   via  dd4a0c27681 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
   via  4641a971517 libcli/security: use NUMERIC_CMP in 
dom_sid_compare_auth()
   via  cb94202c1cf libcli/security: use NUMERIC_CMP in dom_sid_compare()
   via  21a071e4864 ldb: reduce non-transitive comparisons in 
ldb_msg_element_compare()
   via  5c36bc82415 ldb: avoid non-transitive comparison in ldb_val_cmp()
   via  e1519c36678 util:datablob: avoid non-transitive comparison in 
data_blob_cmp()
   via  838c6847029 ldb:attrib_handlers: ldb_comparison_binary uses 
NUMERIC_CMP()
   via  f78b964cd81 ldb:attrib_handlers: ldb_comparison_Boolean uses 
NUMERIC_CMP()
   via  997b72d79e6 util: charset:util_str: use NUMERIC_CMP in 
strncasecmp_m_handle
   via  6159b098cf3 lib/torture: add assert_int_{less,greater} macros
   via  3414a894ad6 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
   via  4a9d274d43b s3:libsmb:namequery: note intransitivity in 
addr_compare()
   via  f07ae699070 util:charset:codepoints: codepoint_cmpi warning about 
non-transitivity
   via  675fdeee3d6 util:charset:codepoints: condepoint_cmpi uses 
NUMERIC_CMP()
   via  d4ce8231f98 util:test: test_ms_fn_match_protocol_no_wildcard: allow 
-1
   via  f788a36 util:charset:util_str: use NUMERIC_CMP in 
strcasecmp_m_handle
   via  a512759d7b2 torture:charset: test more of strcasecmp_m
   via  dda0bb6fc71 torture:charset: use < and > assertions for 
strncasecmp_m
   via  ac0a8cd92ca torture:charset: use < and > assertions for strcasecmp_m
   via  09c98ff1263 util:binsearch: user NUMERIC_CMP()
   via  ee4ebcccd7d s4: use numeric_cmp in dns_common_sort_zones()
   via  623adcf4aae s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
   via  a6d76d6ee9f s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
   via  75e51bd99b7 ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
   via  5150b318f48 ldb:ldb_dn: use safe NUMERIC_CMP in 
ldb_dn_compare_base()
   via  de1b94f79ea ldb: add NUMERIC_CMP macro to ldb.h
   via  5ab93f48c57 util:tsort.h: add a macro for safely comparing numbers
   via  8b6a584170e lib/fuzzing/decode_ndr_X_crash: guess the pipe from 
filename
   via  73e4f6026ad ldb: avoid out of bounds read and write in ldb_qsort()
  from  60df2a09a43 selftest: move some more expected failures to 
expectedfail.d

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 81598b42455d6758941da532c668b6d4e969cc40
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:33:47 2024 +1300

s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()

the access_mask is the easiest to overflow with subtraction -- other
fields are 8 or 16 bit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 10 23:58:12 UTC 2024 on atb-devel-224

commit e35d54fd4d381df67ab9b4f8390e2109b2142678
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:08:02 2024 +1300

s3:util:sharesec ace_compare() uses NUMERIC_CMP()

ace->access_mask is uint32_t, so can overflow a signed int.
This would be easy to trigger, as it is a flags field rather than an
allocation count.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 31101a9fa1503be9d8137e42466f57d85136a156
Author: Douglas Bagnall 
Date:   Wed Apr 3 12:56:48 2024 +1300

s3:smbcacls: use NUMERIC_CMP in ace_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5e99262aaf5fc6601f3859c8b060b680b11bf6ea
Author: Douglas Bagnall 
Date:   Thu Apr 4 14:25:54 2024 +1300

s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()

v->type is an int-sized enum, so overflow might be possible if it could
be arbitrarily set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 
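
The NUMERIC_CMP() commit messages in this push say that a uint32_t access_mask "can overflow a signed int" when compared by subtraction, and several subjects mention non-transitive comparisons. The following is an added example, not code from the Samba tree, that shows both effects on constructed masks; `struct example_ace`, `EXAMPLE_NUMERIC_CMP` and the function names are hypothetical, and the macro is an assumed form of a safe compare rather than a copy of the one in tsort.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an ACE; only the 32-bit flags field matters. */
struct example_ace {
	uint32_t access_mask;
};

/* Constructed sample masks, chosen so some pairs differ by more than 2^31. */
static const struct example_ace sample_aces[] = {
	{ 0xC0000000u }, { 0x00000000u }, { 0x60000000u },
};
#define SAMPLE_COUNT (sizeof(sample_aces) / sizeof(sample_aces[0]))

/*
 * Three-way compare that yields -1, 0 or 1 and never subtracts its operands.
 * Assumed form of a safe numeric compare, not copied from Samba's headers.
 */
#define EXAMPLE_NUMERIC_CMP(a, b) (((a) > (b)) - ((a) < (b)))

typedef int (*cmp_fn)(const void *, const void *);

/* The pattern being replaced: a 32-bit difference returned as an int. */
static int ace_cmp_subtract(const void *pa, const void *pb)
{
	const struct example_ace *a = pa;
	const struct example_ace *b = pb;
	/* The unsigned difference wraps; converting it to int is
	 * implementation-defined and wraps again on gcc and clang. */
	return (int)(a->access_mask - b->access_mask);
}

/* The replacement: compare, do not subtract. */
static int ace_cmp_safe(const void *pa, const void *pb)
{
	const struct example_ace *a = pa;
	const struct example_ace *b = pb;
	return EXAMPLE_NUMERIC_CMP(a->access_mask, b->access_mask);
}

/* Count ordered triples where cmp says x < y and y < z but not x < z. */
static size_t count_intransitive(const struct example_ace *v, size_t n,
				 cmp_fn cmp)
{
	size_t i, j, k, bad = 0;

	for (i = 0; i < n; i++) {
		for (j = 0; j < n; j++) {
			for (k = 0; k < n; k++) {
				if (cmp(&v[i], &v[j]) < 0 &&
				    cmp(&v[j], &v[k]) < 0 &&
				    !(cmp(&v[i], &v[k]) < 0)) {
					bad++;
				}
			}
		}
	}
	return bad;
}

/* Sort a copy with the safe comparator; return 1 if it ends up ascending. */
static int safe_sort_is_ascending(const struct example_ace *v, size_t n)
{
	struct example_ace tmp[16];
	size_t i;

	if (n > sizeof(tmp) / sizeof(tmp[0])) {
		return 0;
	}
	memcpy(tmp, v, n * sizeof(tmp[0]));
	qsort(tmp, n, sizeof(tmp[0]), ace_cmp_safe);
	for (i = 1; i < n; i++) {
		if (tmp[i - 1].access_mask > tmp[i].access_mask) {
			return 0;
		}
	}
	return 1;
}

int main(void)
{
	struct example_ace hi = { 0x80000000u }, lo = { 0 };

	printf("subtract says 0x80000000 vs 0: %d\n", ace_cmp_subtract(&hi, &lo));
	printf("safe says     0x80000000 vs 0: %d\n", ace_cmp_safe(&hi, &lo));
	printf("intransitive triples (subtract): %zu\n",
	       count_intransitive(sample_aces, SAMPLE_COUNT, ace_cmp_subtract));
	printf("intransitive triples (safe):     %zu\n",
	       count_intransitive(sample_aces, SAMPLE_COUNT, ace_cmp_safe));
	printf("safe qsort ascending: %d\n",
	       safe_sort_is_ascending(sample_aces, SAMPLE_COUNT));
	return 0;
}
```

The subtracting comparator is never handed to qsort() here, because a comparator that orders the three sample masks in a cycle gives the sort no consistent order to produce.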

[SCM] Samba Shared Repository - branch master updated

2024-04-10 Thread Andrew Bartlett
The branch, master has been updated
   via  60df2a09a43 selftest: move some more expected failures to 
expectedfail.d
   via  bda4e1233a1 ldb: Add more segfault tests DN handling
   via  8ac18495ba2 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb
   via  d38a9e93cf3 python:upgrade/upgradeprovision: use dn.copy to align 
ldbs
   via  345eb854c3b pyldb: add dn.copy() python method.
   via  fa9a32139ff s4:samba_upgradeprovision: align DN ownership
   via  ed6d151c1b7 pyldb: add Message.ldb accessor
   via  8b6df2d0bca pyldb: add Dn.ldb accessor
   via  a95e6aa5667 pyldb: add PyErr_internal_LDB_DN_OR_RAISE
   via  d712c8d2edd pyldb: normalise name of pyldb_Message_Check
   via  72ad126ab74 ldb:pyldb: reorder structs for possible type-punning
   via  c39021a494f pyldb: py_ldb_msg_set_dn checks dn ldb equality
   via  61ba0cc17df pyldb: py_ldb_msg_elements uses 
PyErr_LDB_MESSAGE_OR_RAISE
   via  9cadc61cd4c pyldb: py_ldb_msg_items checks for more errors
   via  6a2e6139ad0 pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE
   via  b5fcc55b5ec pyldb: py_ldb_msg_contains() checks ldb equality
   via  acba42b126c pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE
   via  d05ae6872b1 pyldb: py_ldb_msg_richcmp() uses 
PyErr_LDB_MESSAGE_OR_RAISE()
   via  bc45a258d2a pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various 
functions
   via  f0e665f4a9a pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro
   via  b81b2578ad1 pyldb: catch up with README.Coding for some 
`PyArg_ParseTuple`s
   via  13545ed1390 pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE
   via  1bbca1e3b42 pyldb: py_ldb_dn_len checks dn and ldb validity
   via  f8b92e52811 pyldb: make py_ldb_dn_add_base() a bit less leaky
   via  b83ea997e75 pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE
   via  67a9e573b00 pyldb: make py_ldb_dn_add_child() a bit less leaky
   via  310624ead50 pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE
   via  1eeb0e36516 pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE
   via  8830149ef96 pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE
   via  982a87cedfc pyldb: py_ldb_dn_get_extended_component() uses 
PyErr_LDB_DN_OR_RAISE
   via  5154c8c996f pyldb: py_ldb_dn_extended_str() uses 
PyErr_LDB_DN_OR_RAISE()
   via  0ce3f355022 pyldb: py_ldb_dn_get_casefold() uses 
PyErr_LDB_DN_OR_RAISE()
   via  85ba5d2c8f2 pyldb: py_ldb_dn_get_extended_component uses 
PyErr_LDB_DN_OR_RAISE()
   via  087d43ac615 pyldb: adapt some simple dn methods to use 
LDB_DN_OR_RAISE()
   via  f98035a2a31 ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous 
checks
   via  8bb6287c3ba pytest:segfault: some more ldb crashes
   via  0bf80c10ca5 samba-tool domain backup: Use new ldb.disconnect() 
method to force-close files during backup
   via  8612b3e38b3 ldb:pytests: test ldb.connect() works after 
.disconnect()
   via  fdc3212275b pyldb: Add ldb.disconnect() method to ensure DB handles 
are closed
   via  784ee21616a pyldb: Include a reference to the Ldb in objects that 
use
   via  ffbe623963a selftest: Add tests that demonstrate the issues with 
ldb use after free
   via  3ffc6c139b0 pytest:krb5/lockout: associate user DN with the ldb it 
is used with
  from  dbba6c22a41 auth/credentials: Read 
managed_password.passwords.query_interval only after parsing

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 60df2a09a4394d2b494224ad3d33314079e73066
Author: Douglas Bagnall 
Date:   Fri Mar 22 16:20:18 2024 +1300

selftest: move some more expected failures to expectedfail.d

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224

commit bda4e1233a145f11aa92b89a5658d94cd9252267
Author: Andrew Bartlett 
Date:   Mon Mar 25 22:21:19 2024 +1300

ldb: Add more segfault tests DN handling

- from_dict DN use-after-free
- check for the same directly creating the ldb.Message

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 8ac18495ba238985a82dbe5a3c95c78c3c51f4b6
Author: Douglas Bagnall 
Date:   Mon Mar 18 12:24:53 2024 +1300

pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit d38a9e93cf3444d7fe3939728673a637a03eb819
Author: Douglas Bagnall 
Date:   Sun Mar 17 18:07:44 2024 +1300

python:upgrade/upgradeprovision: use dn.copy to align ldbs

We need to do this when the dn is on a message from another ldb.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 345eb854c3b03a3c8e0e19fba0edb9eafd055ab9
Author: Douglas Bagnall 
Date:   Sun Mar 17 17:56:09 

[SCM] Samba Shared Repository - branch master updated

2024-04-09 Thread Andrew Bartlett
The branch, master has been updated
   via  dbba6c22a41 auth/credentials: Read 
managed_password.passwords.query_interval only after parsing
   via  811c184bbb3 smbd: Simplify an if-condition
   via  51c950c1629 smbd: Save 3 lines
   via  f573a513415 smbd: Remove an obsolete comment
   via  798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check
   via  89981987379 smbXsrv_session: Use talloc_tos() for pushing 
smbXsrv_session_globalB
   via  292c2645468 smbXsrv_session: Remove two implicit NULL 
initializations
   via  c5f98c0d95c smbXsrv_session: Use struct initialization
   via  005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect 
failure to get password after membership change
   via  50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
   via  8df1728e124 s3:rpc_server: Implement 
lsa_CreateTrustedDomain_common()
   via  3385c2fe44a s3:rpc_server: Implement and use 
lsa_CreateTrustedDomain_precheck()
   via  8f52b649799 s3:rpc_server: Log error in 
_lsa_CreateTrustedDomainEx2()
   via  56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command
   via  bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command
   via  d078ee6af61 s3:rpc_client: Implement 
rpc_lsa_encrypt_trustdom_info_aes()
   via  97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3
   via  f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
   via  933ba496073 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomainEx3()
   via  87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() 
for LSA
   via  0177cd898ef s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
   via  b957cb34d44 s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
   via  1790828bc5f s4:rpc_server: Use 
dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
   via  6d90397ff28 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomain_common()
   via  dad8c78edc7 s4:rpc_server: Implement 
dcesrv_lsa_CreateTrustedDomain_precheck()
   via  18af510bd50 s4:rpc_server: Use talloc_zero in 
dcesrv_lsa_CreateTrustedDomain()
   via  8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
   via  354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
   via  8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info()
   via  05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
   via  dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h
   via  84d51503630 librpc:rpc: Add dcerpc_lsa.h
   via  2d60d1b96aa python: Use OpenPolicyFallback() in trust.py
   via  859e7f8c5f1 python: Implement CreateTrustedDomainFallback()
   via  812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512()
   via  23e61d2cebc python: Use secrets.token_bytes instead of random
   via  decacb0e7e1 python: Set parameter types for 
CreateTrustedDomainRelax()
   via  9e5fc815644 python:tests: Clean lsa_utils.py code according to 
Python standards
   via  e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py
   via  00ed209e483 python: Implement OpenPolicyFallback()
   via  85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py
   via  01940ae7afa buildtools: Fix PYTHONPATH and print it
  from  be2ade2d88b netcmd: fix broken shell command missing Model

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dbba6c22a41ab12bd9804f10a878c965100ac7c0
Author: Andrew Bartlett 
Date:   Tue Apr 9 16:11:16 2024 +1200

auth/credentials: Read managed_password.passwords.query_interval only after parsing

The code previously read the uninitialised stack not the parsed
structure, and so could segfault if the stack was not zero.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jo Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Apr  9 23:59:54 UTC 2024 on atb-devel-224

commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7
Author: Volker Lendecke 
Date:   Fri Feb 9 12:37:53 2024 +0100

smbd: Simplify an if-condition

current_sid == NULL is true if and only if we could not assign current_sid
because num_sids was too small. Make that more explicit.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 51c950c16297ce45aeec85dff53af04f7f3b620f
Author: Volker Lendecke 
Date:   Fri Feb 9 12:47:48 2024 +0100

smbd: Save 3 lines

Just cosmetic

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit f573a5134151e029329f19f292e6d6a324e291b8
Author: Volker Lendecke 
Date:   Thu Feb 8 18:16:39 2024 +0100

smbd: Remove an obsolete comment

This looks like a cut from other smbXsrv files.

Signed-off-by: 

[Announce] Samba 4.19.6 Available for Download

2024-04-08 Thread Jule Anger via samba-announce

Release Announcements
-

This is the latest stable release of the Samba 4.19 release series.


Changes since 4.19.5


o  Ralph Boehme 
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
     vfs_stat_fsp() fails in fd_close().

o  Guenther Deschner 
   * BUG 15588: samba-gpupdate: Correctly implement site support.

o  Noel Power 
   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
     vfs_stat_fsp() fails in fd_close().

o  Andreas Schneider 
   * BUG 15588: samba-gpupdate: Correctly implement site support.
   * BUG 15599: libgpo: Segfault in python bindings.

o  Martin Schwenke 
   * BUG 15580: Packet marshalling push support missing for
 CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
 CTDB_CONTROL_TCP_CLIENT_PASSED.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

    https://download.samba.org/pub/samba/stable/

The release notes are available online at:

    https://www.samba.org/samba/history/samba-4.19.6.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

    --Enjoy
    The Samba Team



[SCM] Samba Shared Repository - branch v4-19-stable updated

2024-04-08 Thread Jule Anger
The branch, v4-19-stable has been updated
   via  b400092dd0a VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release.
   via  8333c396015 WHATSNEW: Add release notes for Samba 4.19.6.
   via  0ac741b5705 s3/smbd: If we fail to close file_handle ensure we 
should reset the fd
   via  3634df5d59e smbd: simplify handling of failing fstat() after 
unlinking file
   via  a58338ec926 libgpo: Do not segfault if we don't have a valid 
security descriptor
   via  51a3797f57e libgpo: Fix trailing spaces in pygpo.c
   via  8ea3973ad40 python:gp: Implement client site lookup in 
site_dn_for_machine()
   via  111e85a589c librpc:idl: Make netlogon_samlogon_response public
   via  eebe6d8c890 ctdb-protocol: Add missing push support for new controls
   via  19e7ea8ffa8 VERSION: Bump version up to Samba 4.19.6...
  from  7bef2f7f1c8 VERSION: Disable GIT_SNAPSHOT for the 4.19.5 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable


- Log -
---

Summary of changes:
 VERSION   |  2 +-
 WHATSNEW.txt  | 59 --
 ctdb/protocol/protocol_control.c  |  8 +
 ctdb/tests/src/protocol_common_ctdb.c | 33 +
 ctdb/tests/src/protocol_ctdb_test.c   |  2 +-
 libgpo/pygpo.c|  7 +++-
 librpc/idl/nbt.idl|  2 +-
 librpc/ndr/ndr_nbt.c  |  2 +-
 librpc/ndr/ndr_nbt.h  |  2 +-
 python/samba/gp/gpclass.py| 68 +++
 source3/smbd/close.c  |  1 +
 source3/smbd/open.c   | 27 +-
 12 files changed, 163 insertions(+), 50 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 9151d8de1ce..066af506941 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2023"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 79abe2da103..be2edfb6ac4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,59 @@
+   ==
+   Release Notes for Samba 4.19.6
+   April 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.5
+
+
+o  Ralph Boehme 
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Guenther Deschner 
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+
+o  Noel Power 
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Andreas Schneider 
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+   * BUG 15599: libgpo: Segfault in python bindings.
+
+o  Martin Schwenke 
+   * BUG 15580: Packet marshalling push support missing for
+ CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
+ CTDB_CONTROL_TCP_CLIENT_PASSED.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.19.5
  February 19, 2024
@@ -59,8 +115,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
==
Release Notes for Samba 4.19.4

[SCM] Samba Website Repository - branch master updated

2024-04-08 Thread Jule Anger
The branch, master has been updated
   via  4728e21 NEWS[4.19.6]: Samba 4.19.6 Available for Download
  from  f8e7137 NEWS[4.20.0]: Samba 4.20.0 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 4728e210013ff2ce9b41a06dacb0e08c7dd08bd3
Author: Jule Anger 
Date:   Mon Apr 8 09:31:53 2024 +0200

NEWS[4.19.6]: Samba 4.19.6 Available for Download

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html  |  1 +
 history/samba-4.19.6.html| 55 
 posted_news/20240408-073243.4.19.6.body.html | 13 ++
 posted_news/20240408-073243.4.19.6.headline.html |  3 ++
 4 files changed, 72 insertions(+)
 create mode 100644 history/samba-4.19.6.html
 create mode 100644 posted_news/20240408-073243.4.19.6.body.html
 create mode 100644 posted_news/20240408-073243.4.19.6.headline.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index eb8f7b6..8f60ff2 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -10,6 +10,7 @@


samba-4.20.0
+   samba-4.19.6.
samba-4.19.5.
samba-4.19.4.
samba-4.19.3.
diff --git a/history/samba-4.19.6.html b/history/samba-4.19.6.html
new file mode 100644
index 000..af5d5eb
--- /dev/null
+++ b/history/samba-4.19.6.html
@@ -0,0 +1,55 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.19.6 - Release Notes
+
+
+Samba 4.19.6 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.gz;>Samba 
4.19.6 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.gz;>Patch
 (gzipped) against Samba 4.19.5
+https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.asc;>Signature
+
+
+
+   ==
+   Release Notes for Samba 4.19.6
+   April 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.5
+
+
+o  Ralph Boehme s...@samba.org
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Guenther Deschner g...@samba.org
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+
+o  Noel Power noel.po...@suse.com
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Andreas Schneider a...@samba.org
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+   * BUG 15599: libgpo: Segfault in python bindings.
+
+o  Martin Schwenke mschwe...@ddn.com
+   * BUG 15580: Packet marshalling push support missing for
+ CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
+ CTDB_CONTROL_TCP_CLIENT_PASSED.
+
+
+
+
+
+
diff --git a/posted_news/20240408-073243.4.19.6.body.html 
b/posted_news/20240408-073243.4.19.6.body.html
new file mode 100644
index 000..ece27a0
--- /dev/null
+++ b/posted_news/20240408-073243.4.19.6.body.html
@@ -0,0 +1,13 @@
+
+08 April 2024
+Samba 4.19.6 Available for Download
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+The source code can be https://download.samba.org/pub/samba/stable/samba-4.19.6.tar.gz;>downloaded
 now.
+A https://download.samba.org/pub/samba/patches/samba-4.19.5-4.19.6.diffs.gz;>patch
 against Samba 4.19.5 is also available.
+See https://www.samba.org/samba/history/samba-4.19.6.html;>the 
release notes for more info.
+
+
diff --git a/posted_news/20240408-073243.4.19.6.headline.html 
b/posted_news/20240408-073243.4.19.6.headline.html
new file mode 100644
index 000..dde472d
--- /dev/null
+++ b/posted_news/20240408-073243.4.19.6.headline.html
@@ -0,0 +1,3 @@
+
+ 08 April 2024 Samba 4.19.6 Available for 
Download
+


-- 
Samba Website Repository



[SCM] Samba Shared Repository - annotated tag samba-4.19.6 created

2024-04-08 Thread Jule Anger
The annotated tag, samba-4.19.6 has been created
at  4826796513729aad06646b9ab838910737d52d09 (tag)
   tagging  b400092dd0a5248544f6e05fc4f85bcc0efb6a3c (commit)
  replaces  samba-4.19.5
 tagged by  Jule Anger
on  Mon Apr 8 09:30:50 2024 +0200

- Log -
samba: tag release samba-4.19.6

Andreas Schneider (4):
  librpc:idl: Make netlogon_samlogon_response public
  python:gp: Implement client site lookup in site_dn_for_machine()
  libgpo: Fix trailing spaces in pygpo.c
  libgpo: Do not segfault if we don't have a valid security descriptor

Jule Anger (3):
  VERSION: Bump version up to Samba 4.19.6...
  WHATSNEW: Add release notes for Samba 4.19.6.
  VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release.

Martin Schwenke (1):
  ctdb-protocol: Add missing push support for new controls

Noel Power (1):
  s3/smbd: If we fail to close file_handle ensure we should reset the fd

Ralph Boehme (1):
  smbd: simplify handling of failing fstat() after unlinking file

---


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-19-test updated

2024-04-08 Thread Jule Anger
The branch, v4-19-test has been updated
   via  4b7785226ad VERSION: Bump version up to Samba 4.19.7...
   via  b400092dd0a VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release.
   via  8333c396015 WHATSNEW: Add release notes for Samba 4.19.6.
  from  0ac741b5705 s3/smbd: If we fail to close file_handle ensure we 
should reset the fd

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test


- Log -
commit 4b7785226ad4ffe77f308188c4b1a229d9bba4a3
Author: Jule Anger 
Date:   Mon Apr 8 09:25:07 2024 +0200

VERSION: Bump version up to Samba 4.19.7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit b400092dd0a5248544f6e05fc4f85bcc0efb6a3c
Author: Jule Anger 
Date:   Mon Apr 8 09:24:50 2024 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.19.6 release.

Signed-off-by: Jule Anger 

commit 8333c3960154fc582213b90dbf32b956cea08245
Author: Jule Anger 
Date:   Mon Apr 8 09:20:40 2024 +0200

WHATSNEW: Add release notes for Samba 4.19.6.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 59 +--
 2 files changed, 58 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index aeede60164d..939e114840c 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the 
Samba Team 1992-2023"
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 79abe2da103..be2edfb6ac4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,59 @@
+   ==
+   Release Notes for Samba 4.19.6
+   April 08, 2024
+   ==
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.5
+
+
+o  Ralph Boehme 
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Guenther Deschner 
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+
+o  Noel Power 
+   * BUG 15527: fd_handle_destructor() panics within an smbd_smb2_close() if
+ vfs_stat_fsp() fails in fd_close().
+
+o  Andreas Schneider 
+   * BUG 15588: samba-gpupdate: Correctly implement site support.
+   * BUG 15599: libgpo: Segfault in python bindings.
+
+o  Martin Schwenke 
+   * BUG 15580: Packet marshalling push support missing for
+ CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
+ CTDB_CONTROL_TCP_CLIENT_PASSED.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
==
Release Notes for Samba 4.19.5
  February 19, 2024
@@ -59,8 +115,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
==
Release Notes for Samba 4.19.4
   January 08, 2024


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2024-04-07 Thread Andrew Bartlett
The branch, master has been updated
   via  be2ade2d88b netcmd: fix broken shell command missing Model
   via  bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" 
after "else"
   via  3dd49b9f567 python: lint: remove unused imports in claims and gmsa 
commands
   via  8f7ff1c7ef4 python: tests: type check should always use "is" or "is 
not"
   via  e388bf4b4a2 python: tests: fix closing quote in docstring example
   via  a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type
   via  93709d31590 selftest: Add new test for testing non-chunk transfer 
encoding
   via  efdbf0511e0 selftest: fix potential reference before assigned error
   via  8e931fce126 Do not fail checksums for RFC8009 types
   via  2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab
  from  814ae222ca1 s3:winbindd: use better debug messages than 
'talloc_strdup failed'

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit be2ade2d88bb89763fce2a34f8f68941424ad9ee
Author: Rob van der Linde 
Date:   Thu Mar 28 16:06:05 2024 +1300

netcmd: fix broken shell command missing Model

This is already in MODELS which is populated in ModelMeta

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Apr  8 04:07:22 UTC 2024 on atb-devel-224

commit bcae4c2dbea7067932e931456998b1ada20d615c
Author: Rob van der Linde 
Date:   Thu Mar 28 16:15:06 2024 +1300

python: lint: fix pylint R1720 unnecessary "raise" after "else"

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a
Author: Rob van der Linde 
Date:   Thu Mar 28 16:09:44 2024 +1300

python: lint: remove unused imports in claims and gmsa commands

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08
Author: Rob van der Linde 
Date:   Thu Mar 28 15:59:33 2024 +1300

python: tests: type check should always use "is" or "is not"

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75
Author: Rob van der Linde 
Date:   Thu Mar 28 15:58:34 2024 +1300

python: tests: fix closing quote in docstring example

Signed-off-by: Rob van der Linde 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137
Author: Noel Power 
Date:   Thu Mar 28 10:48:58 2024 +

libcli/http: Detect unsupported Transfer-encoding type

Also removes knownfail for test that now passes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 93709d31590d4ca25fbac813b9e499755b81ddb5
Author: Noel Power 
Date:   Thu Mar 28 09:16:33 2024 +

selftest: Add new test for testing non-chunk transfer encoding

And add a known fail because there is a bug :-(

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit efdbf0511e0a89f865210170001fbebf17a45278
Author: Noel Power 
Date:   Thu Mar 28 09:09:02 2024 +

selftest: fix potential reference before assigned error

This would only happen if the test failed (but the message would be
incorrect as 'e' the exception to be stringified doesn't exist).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 8e931fce126e8c1128da893c806702731c08758a
Author: Alexander Bokovoy 
Date:   Thu Jun 22 09:56:12 2023 +0300

Do not fail checksums for RFC8009 types

While Active Directory does not yet support RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

Signed-off-by: Alexander Bokovoy 

[SCM] Samba Shared Repository - branch master updated

2024-04-05 Thread Stefan Metzmacher
The branch, master has been updated
   via  814ae222ca1 s3:winbindd: use better debug messages than 
'talloc_strdup failed'
   via  72a4d3ad5a9 s3:passdb: use DBG_ERR() for 'talloc_strdup failed' 
messages
   via  ca859e55d28 s3:libads: avoid changing ADS->server.workgroup
   via  796f33c05a0 s4:nbt_server: simulate nmbd and provide unexpected 
handling
   via  bfb10774b65 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw 
blobs
   via  77f4f1c7dba s4:libcli/dgram: make use of socket_address_copy()
   via  11861bcfc30 s4:libcli/dgram: let the generic incoming handler also 
get unexpected mailslot messages
   via  cca373b806e libcli/nbt: add nbt_name_send_raw()
   via  2b3c75c s3:libsmb/dsgetdcname: use 
NETLOGON_NT_VERSION_AVOID_NT4EMUL
   via  696505a1efb s3:libsmb/unexpected: pass nmbd_socket_dir from the 
callers of nb_packet_{server_create,reader_send}()
   via  f90cf0822d6 s3:libsmb/unexpected: don't use talloc_tos() in async 
code
   via  011f68ae5dd s3:wscript: LIBNMB requires lp_ functions
   via  105247c9000 s3:include: split out fstring.h
   via  7f96c21029e s3:include: let nameserv.h be useable on its own
  from  f8b72aa1f72 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 814ae222ca15ff7093a71639cdcc97b9937670ce
Author: Stefan Metzmacher 
Date:   Fri Jan 26 09:25:11 2024 +0100

s3:winbindd: use better debug messages than 'talloc_strdup failed'

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Apr  5 13:28:42 UTC 2024 on atb-devel-224

commit 72a4d3ad5a9d1ea5cd0b2a940893727f0283879a
Author: Stefan Metzmacher 
Date:   Fri Jan 26 09:21:03 2024 +0100

s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages

Otherwise it's completely unclear where the messages come from

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit ca859e55d28f421196bc2660cfa84595ec5b57c6
Author: Stefan Metzmacher 
Date:   Fri Oct 15 03:34:11 2021 +0200

s3:libads: avoid changing ADS->server.workgroup

ads_find_dc() uses c_domain = ads->server.workgroup and
doesn't expect it to get out of scope deep in resolve_and_ping_dns().

The result is corrupted domain values in the debug output.

Valgrind shows this:

 Invalid read of size 1
at 0x483EF46: strlen (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
  Block was alloc'd at
at 0x483B7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 796f33c05a0ca337b675b5d4d127f7c53b22528f
Author: Stefan Metzmacher 
Date:   Wed Feb 14 12:34:48 2024 +0100

s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1
Author: Stefan Metzmacher 
Date:   Wed Feb 14 13:49:21 2024 +0100

s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher 
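
The lifetime problem described in the "s3:libads: avoid changing ADS->server.workgroup" commit message above (c_domain aliasing a string that a deeper call frees and replaces), as an added example that is not Samba code. struct ads_sketch, probe_server(), the generation counter and the sample names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ADS handle: only the field the commit names,
 * plus a generation counter added for this demo to make replacement visible. */
struct ads_sketch {
	char *workgroup;     /* owned by the struct; a callee may replace it */
	unsigned generation; /* bumped whenever workgroup is replaced */
};

static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p != NULL) {
		memcpy(p, s, n);
	}
	return p;
}

/* Constructed callee, playing the role ads_try_connect() has in the valgrind
 * trace: it frees the struct's string and installs the name the server sent. */
static int probe_server(struct ads_sketch *ads, const char *reported)
{
	char *fresh = dup_str(reported);
	if (fresh == NULL) {
		return -1;
	}
	free(ads->workgroup); /* every earlier alias of this string now dangles */
	ads->workgroup = fresh;
	ads->generation++;
	return 0;
}

/* Fragile caller: keeps a borrowed alias across the mutating call.
 * Returns 1 when the alias was invalidated, 0 when it is still valid. */
static int find_dc_borrowed(struct ads_sketch *ads, const char *reply,
			    char *msg, size_t len)
{
	const char *c_domain = ads->workgroup; /* borrowed, not owned */
	unsigned seen = ads->generation;

	if (probe_server(ads, reply) != 0) {
		return -1;
	}
	if (ads->generation != seen) {
		/* Formatting c_domain here would be the invalid read valgrind
		 * reports, so the demo flags the condition without touching it. */
		snprintf(msg, len, "domain <stale alias>");
		return 1;
	}
	snprintf(msg, len, "domain %s", c_domain);
	return 0;
}

/* Hardened caller: takes a private copy before calling anything that may
 * replace ads->workgroup, so its debug output stays valid. */
static int find_dc_owned(struct ads_sketch *ads, const char *reply,
			 char *msg, size_t len)
{
	char *c_domain = dup_str(ads->workgroup);
	int rc;

	if (c_domain == NULL) {
		return -1;
	}
	rc = probe_server(ads, reply);
	snprintf(msg, len, "domain %s", c_domain); /* our copy, still alive */
	free(c_domain);
	return rc;
}

/* Drivers over constructed sample names ("SAMBADOM", "samba.example.com"). */
static int demo(int owned, char *msg, size_t len)
{
	struct ads_sketch ads = { dup_str("SAMBADOM"), 0 };
	int rc;

	if (ads.workgroup == NULL) {
		return -1;
	}
	rc = owned ? find_dc_owned(&ads, "samba.example.com", msg, len)
		   : find_dc_borrowed(&ads, "samba.example.com", msg, len);
	free(ads.workgroup);
	return rc;
}

int main(void)
{
	char msg[64];
	int rc;

	rc = demo(0, msg, sizeof(msg));
	printf("borrowed: rc=%d, %s\n", rc, msg);
	rc = demo(1, msg, sizeof(msg));
	printf("owned:    rc=%d, %s\n", rc, msg);
	return 0;
}
```

Running the fragile variant's real equivalent under valgrind or AddressSanitizer is what surfaces the read; the generation counter here only makes the invalidation observable without performing it.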
   

[SCM] Samba Shared Repository - branch master updated

2024-04-02 Thread Pavel Filipensky
The branch, master has been updated
   via  f8b72aa1f72 tests: Add a test for "all_groups=no" to 
test_idmap_ad.sh
   via  2dab3a331b5 selftest: Add "winbind expand groups = 1" to 
setup_ad_member_idmap_ad
   via  5d475d26a3d s3:winbindd: Improve performance of lookup_groupmem() 
in idmap_ad
   via  a485d9de2f2 docs-xml: Add parameter all_groupmem to idmap_ad
  from  dd2289eb3ae vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to 
preserve create_time

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f8b72aa1f72881989990fabc9f4888968bb81967
Author: Pavel Filipenský 
Date:   Thu Mar 14 15:24:21 2024 +0100

tests: Add a test for "all_groups=no" to test_idmap_ad.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Pavel Filipensky 
Autobuild-Date(master): Tue Apr  2 13:25:39 UTC 2024 on atb-devel-224

commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a
Author: Pavel Filipenský 
Date:   Mon Mar 25 22:38:18 2024 +0100

selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf
Author: Pavel Filipenský 
Date:   Tue Mar 12 13:20:24 2024 +0100

s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad

The LDAP query of lookup_groupmem() returns all group members from AD
even those with missing uidNumber.  Such group members are useless in
UNIX environment for idmap_ad backend since there is no uid mapping.

'test_user' is a member of group "Domain Users" with 200K members,
only 20K members have set uidNumber.

Without this fix:

$ time id test_user

real    1m5.946s
user    0m0.019s
sys     0m0.012s

With this fix:

$ time id test_user

real    0m3.544s
user    0m0.004s
sys     0m0.007s

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

commit a485d9de2f2d6a9815dcac6addb988a8987e111c
Author: Pavel Filipenský 
Date:   Wed Mar 13 13:55:41 2024 +0100

docs-xml: Add parameter all_groupmem to idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 docs-xml/manpages/idmap_ad.8.xml | 10 ++
 nsswitch/tests/test_idmap_ad.sh  | 22 ++
 selftest/target/Samba3.pm|  1 +
 source3/winbindd/winbindd_ads.c  | 11 +++
 4 files changed, 40 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 32df8d066c2..c7fcc65d763 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -105,6 +105,16 @@



+   all_groupmem = yes/no
+   
+ If set to yes winbind will retrieve all
+ group members for getgrnam(3), getgrgid(3) and getgrent(3) 
calls,
+ including those with missing uidNumber.
+   
+   Default: no
+   
+   
+   
deny ous
This parameter is a list of OUs from
which objects will not be mapped via the ad idmap
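
Review bot: the new all_groupmem entry only describes what "yes" does and then gives "Default: no", so the effect of the default is left for the reader to infer. State it directly in the entry: with "no", group members that have no uidNumber are left out of getgrnam(3), getgrgid(3) and getgrent(3) results. An administrator who sees members missing from a group after upgrading will search the man page for exactly that behaviour.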
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 7ae112ada71..1d4bd395ba9 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -94,6 +94,14 @@ gidNumber: 201
 unixHomeDirectory: /home/forbidden
 loginShell: /bin/tcsh
 gecos: User in forbidden OU
+
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: no_posix_id
+unixHomeDirectory: /home/no_posix_id
+loginShell: /bin/sh
+gecos: User without uidNumber and gidNumber
 EOF
 
 #
@@ -171,6 +179,17 @@ then
failed=$(($failed + 1))
 fi
 
+#
+# Test 6: Make sure that with the default "all_groups=no"
+# the group "domain users" will not show user "no_posix_id"
+# but will show "SAMBA2008R2/administrator"
+#
+
+dom_users="$DOMAIN/domain users"  # Extra step to make sure that all is one 
word
+out="$($wbinfo --group-info "$dom_users")"
+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr 
$failed + 1)
+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || 
failed=$(expr $failed + 1)
+
 #
 # Trusted domain test 1: Test uid of Administrator, should be 250
 #
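
Review bot: the Test 6 comment calls the option "all_groups=no", but the parameter documented by the idmap_ad.8.xml hunk in this same push is all_groupmem; use the real name in the comment so the test can be found by grepping for the option. The two added check lines also count failures with failed=$(expr $failed + 1), while the context line at the top of this hunk uses failed=$(($failed + 1)); keep to the arithmetic-expansion form already in the file.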
@@ -241,6 +260,9 @@ gidNumber: 202
 dn: cn=forbidden,ou=sub,$BASE_DN
 

[SCM] Samba Shared Repository - branch master updated

2024-04-01 Thread Anoop C S
The branch, master has been updated
   via  dd2289eb3ae vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to 
preserve create_time
   via  f3c185a6294 source3/smbd: Update timestamps after a successful 
SMB_VFS_FNTIMES
  from  a3126ebfe57 lib: Use struct initialization in 
imessaging_client_init()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dd2289eb3ae83b6586493a14098a7e7eddc1ec63
Author: Anoop C S 
Date:   Thu Mar 21 16:49:04 2024 +0530

vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to preserve create_time

In order to avoid the dependency on dos attribute for create_time we now
preserve the btime before parsing dos attribute which may update btime
from its value with an old one unless we explicitly reset dos attribute
with new create_time in SMB_VFS_FNTIMES implementation. Therefore have
an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES to save and restore
updated create_time.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Mon Apr  1 15:24:39 UTC 2024 on atb-devel-224

commit f3c185a6294d4d92c43687a0ebe64f9cf59a4a2a
Author: Anoop C S 
Date:   Fri Mar 22 11:38:08 2024 +0530

source3/smbd: Update timestamps after a successful SMB_VFS_FNTIMES

When an open file handle is used to change timestamps we fail to return
updated values to clients until next open is issued. Unless we fill in
the timestamps subsequent calls like GETINFO cannot see the latest value
causing incorrect results. Therefore copy those timestamp values as soon
as it is set on the backend.

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 source3/include/proto.h|  1 +
 source3/lib/system.c   | 19 +++
 source3/modules/vfs_ceph.c | 24 
 source3/smbd/dosmode.c |  8 +++-
 4 files changed, 51 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 389bb2fc935..d98bd3c09cb 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -173,6 +173,7 @@ void update_stat_ex_mtime(struct stat_ex *dst, struct 
timespec write_ts);
 void update_stat_ex_create_time(struct stat_ex *dst, struct timespec 
create_time);
 void update_stat_ex_from_saved_stat(struct stat_ex *dst,
const struct stat_ex *src);
+void copy_stat_ex_timestamps(files_struct *fsp, const struct smb_file_time 
*ft);
 int sys_stat(const char *fname, SMB_STRUCT_STAT *sbuf,
 bool fake_dir_create_times);
 int sys_fstat(int fd, SMB_STRUCT_STAT *sbuf,
diff --git a/source3/lib/system.c b/source3/lib/system.c
index 1ec0ae9b1d5..2006edbed65 100644
--- a/source3/lib/system.c
+++ b/source3/lib/system.c
@@ -249,6 +249,25 @@ void update_stat_ex_from_saved_stat(struct stat_ex *dst,
}
 }
 
+void copy_stat_ex_timestamps(files_struct *fsp, const struct smb_file_time *ft)
+{
+   if (!is_omit_timespec(>atime)) {
+   fsp->fsp_name->st.st_ex_atime = ft->atime;
+   }
+
+   if (!is_omit_timespec(>create_time)) {
+   fsp->fsp_name->st.st_ex_btime = ft->create_time;
+   }
+
+   if (!is_omit_timespec(>ctime)) {
+   fsp->fsp_name->st.st_ex_ctime = ft->ctime;
+   }
+
+   if (!is_omit_timespec(>mtime)) {
+   fsp->fsp_name->st.st_ex_mtime = ft->mtime;
+   }
+}
+
 void init_stat_ex_from_stat (struct stat_ex *dst,
const struct stat *src,
bool fake_dir_create_times)
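
Review bot: copy_stat_ex_timestamps() is a new exported helper with no comment, and it writes through fsp->fsp_name->st without checking that fsp or fsp->fsp_name is set. Add a short comment saying that fields marked as omitted in ft are left unchanged and that callers must pass an fsp with a valid fsp_name, or guard the dereference at the top of the function. The comment should also say that the values come from the caller's smb_file_time and are not re-read from the backend, so the cached stat is only as accurate as what was passed in.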
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index c9ee5414f03..6dae8a5f9e8 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -1569,6 +1569,29 @@ static const char *cephwrap_connectpath(
return handle->conn->connectpath;
 }
 
+static NTSTATUS cephwrap_fget_dos_attributes(struct vfs_handle_struct *handle,
+struct files_struct *fsp,
+uint32_t *dosmode)
+{
+   struct timespec saved_btime = fsp->fsp_name->st.st_ex_btime;
+   NTSTATUS status;
+
+   status = fget_ea_dos_attribute(fsp, dosmode);
+   if (!NT_STATUS_IS_OK(status)) {
+   return status;
+   }
+
+   /*
+* Restore previously stored btime from statx timestamps as it should be
+* the only source of truth. create_time from dos attribute, if any, may
+* have older values which isn't trustworthy to be looked at for other
+* open file handle operations.
+*/
+   fsp->fsp_name->st.st_ex_btime = saved_btime;
+
+   return NT_STATUS_OK;
+}
+
 
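Review bot: in cephwrap_fget_dos_attributes() the early "return status;" skips the restore of saved_btime. If fget_ea_dos_attribute() can update fsp->fsp_name->st.st_ex_btime before returning an error, the cached btime stays changed on that path; restoring it before the status check would cover both paths. The comment would also read better as "may have older values which are not trustworthy".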

[SCM] Samba Shared Repository - branch master updated

2024-03-28 Thread Andreas Schneider
The branch, master has been updated
   via  a3126ebfe57 lib: Use struct initialization in imessaging_client_init()
   via  2d4aa599943 lib: Fix whitespace
   via  ff747f691ec lib: Fix dbwrap_tdb.h prerequisites
   via  b1b5d32c540 lib: Give tallocmsg.c its own header
   via  b8e409e755b lib: Fix whitespace
   via  00141ca4704 smbd: Remove an outdated comment
   via  18d9b1b17cf smbd: Remove struct open_symlink_err
   via  adca0ffd712 smbd: Remove "unparsed" from struct open_symlink_err
   via  8ca649025ae smbd: Remove "st" from struct open_symlink_err
   via  331a49ca394 smbd: Fix returning symlink stat info in the NO_OPATH case
   via  a2a77842a13 smbd: Make read_symlink_reparse() return a reparse_data_buffer
   via  57e548841f9 smbd: Simplify users of fsp_fullbasepath()
  from  06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a3126ebfe5736f5e8af9bff3a6e8d7db1929e377
Author: Volker Lendecke 
Date:   Tue Feb 27 15:39:30 2024 +0100

lib: Use struct initialization in imessaging_client_init()

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224

commit 2d4aa599943a5860ebc0cc54d85012b360453bdc
Author: Volker Lendecke 
Date:   Tue Feb 27 15:39:16 2024 +0100

lib: Fix whitespace

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit ff747f691ec30c964094550e6a9a0fc1f19fb0ff
Author: Volker Lendecke 
Date:   Wed Feb 21 10:55:55 2024 +0100

lib: Fix dbwrap_tdb.h prerequisites

It uses enum dbwrap_lock_order, so include dbwrap.h

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit b1b5d32c54099e4a1c61d0a81ceaab986b62ce52
Author: Volker Lendecke 
Date:   Tue Feb 20 13:04:28 2024 +0100

lib: Give tallocmsg.c its own header

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit b8e409e755baf77184995f72d640f0de7ed6808e
Author: Volker Lendecke 
Date:   Wed Feb 28 16:45:57 2024 +0100

lib: Fix whitespace

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 00141ca4704698028fa0137d4eecb37ba2385e8b
Author: Volker Lendecke 
Date:   Sat Feb 10 14:27:38 2024 +0100

smbd: Remove an outdated comment

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 18d9b1b17cfee79b8d2b78ac99ca31600b002a6e
Author: Volker Lendecke 
Date:   Sun Feb 4 18:07:19 2024 +0100

smbd: Remove struct open_symlink_err

This was just a wrapper for a single pointer, remove it

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit adca0ffd712ecfa26f2255f86e3882a9c124c429
Author: Volker Lendecke 
Date:   Sun Feb 4 17:42:28 2024 +0100

smbd: Remove "unparsed" from struct open_symlink_err

We have the reserved field unparsed_path_length as part of struct
symlink_reparse_struct.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 8ca649025aee31b4a3a0f5f8fb62861d4a41b864
Author: Volker Lendecke 
Date:   Sun Feb 4 17:27:50 2024 +0100

smbd: Remove "st" from struct open_symlink_err

Since c96010a2a9f nobody reads it anymore

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 331a49ca394f185473d0b5ba1c566a32ab01b6ff
Author: Volker Lendecke 
Date:   Sun Feb 4 18:50:47 2024 +0100

smbd: Fix returning symlink stat info in the NO_OPATH case

Our callers don't look at symlink_err's struct stat anymore, they look
at the fname's one since we return them properly even for symlinks. So
don't bother filling in symlink_err->st, nobody reads it anyways.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit a2a77842a13c3c4a561ec8d5d298bbab60fafd1a
Author: Volker Lendecke 
Date:   Sun Feb 4 16:07:22 2024 +0100

smbd: Make read_symlink_reparse() return a reparse_data_buffer

Will make generalized handling of reparse point error returns easier
once we will also allow creating symlink reparse point files over smb.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

commit 57e548841f9b560e7caf84965e3ca4d36997bf17
Author: Volker Lendecke 
Date:   Sun Feb 4 11:10:18 2024 +0100

smbd: Simplify users of fsp_fullbasepath()

All three users had to strip a trailing "/.". Centralize this.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 lib/dbwrap/dbwrap_tdb.h|   2 +-
 source3/include/proto.h|   5 -
 

[SCM] Samba Shared Repository - branch master updated

2024-03-27 Thread Andrew Bartlett
The branch, master has been updated
   via  06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
   via  f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
   via  2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests
   via  b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
   via  7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys
   via  46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty
   via  3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
   via  93f4be16471 netcmd: docs: update documentation for new auth policy command structure
   via  6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
   via  dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
   via  97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
   via  e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
   via  2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
   via  316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
   via  5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
   via  4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
   via  49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
   via  86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
   via  96f00738cec netcmd: auth policy: extract policy base commands into policy.py
   via  c0e748f0117 netcmd: auth policy: turn policy.py into module
   via  13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py
   via  a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module
   via  4d2c8ea9578 netcmd: auth silo: turn silo.py into module
   via  2af65446cfd netcmd: docs: add section headings for auth policies and silos
   via  7fbe5156096 netcmd: docs: consistently put  around GROUP and SILO
   via  4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
   via  26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
   via  a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands
   via  03a6740a90b netcmd: docs: add documentation for service-account base command
   via  cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs
   via  828420b4f09 python: domain: models: add OrganizationalUnit container model
   via  5ac4b6969be python: domain: models: move OrganizationalPerson to org.py
   via  3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant
   via  bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command
   via  0c5d09ae143 python: domain: models: add children method to return a models direct children
   via  cca0cfe421c python: tests: write a test for the Model.as_dict method
   via  917e2a73538 python: tests: computer model tests should clean up
   via  ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields
   via  fc982e550f4 s4-dsdb: Create KdfParameters at runtime
   via  d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
   via  3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object
   via  565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError
   via  06912de3b2a dsdb: Add API tests for new_gkdi_root_key()
   via  f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
   via  287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
   via  37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method
  from  f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 06c589aaa1a30e5577d9de4532246949f30809e5
Author: Andrew Bartlett 
Date:   Wed Mar 20 14:56:47 2024 +1300

python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection

 

[Announce] Samba 4.20.0 Available for Download

2024-03-27 Thread Jule Anger via samba-announce

Release Announcements
---------------------

This is the first stable release of the Samba 4.20 release series.
Please read the release notes carefully before upgrading.


NEW FEATURES/CHANGES
====================

New Minimum MIT Krb5 version for Samba AD Domain Controller
-----------------------------------------------------------

Samba now requires MIT 1.21 when built against a system MIT Krb5 and
acting as an Active Directory DC.  This addresses the issues that were
fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that
Samba builds against the MIT version that allows us to avoid that
attack.

Removed dependency on Perl JSON module
--------------------------------------

Distributions are advised that the Perl JSON package is no longer
required by Samba builds that use the imported Heimdal.  The build
instead uses Perl's JSON::PP built into recent perl5 versions.

Current lists of packages required by Samba for major distributions
are found in the bootstrap/generated-dists/ directory of a Samba
source tree.  While there will be some differences - due to features
chosen by packagers - comparing these lists with the build dependencies
in a package may locate other dependencies we no longer require.

samba-tool user getpassword / syncpasswords ;rounds= change
-----------------------------------------------------------

The password access tool "samba-tool user getpassword" and the
password sync tool "samba-tool user syncpasswords" allow attributes to
be chosen for output, and accept parameters like
pwdLastSet;format=GeneralizedTime

These attributes then appear, in the same format, as the attributes in
the LDIF output.  This was not the case for the ;rounds= parameter of
virtualCryptSHA256 and virtualCryptSHA512, for example as
--attributes="virtualCryptSHA256;rounds=5"

This release makes the behaviour consistent between these two
features.  Installations using GPG-encrypted passwords (or plaintext
storage) and the rounds= option will find the output has changed

from:
virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF

to:
virtualCryptSHA256;rounds=2561: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF


Group Managed service account client-side features
--------------------------------------------------

samba-tool has been extended to provide client-side support for Group
Managed Service accounts.  These accounts have passwords that change
automatically, giving the advantages of service isolation without risk
of poor, unchanging passwords.

Where possible, Samba's existing samba-tool password handling
commands, which in the past have only operated against the local
sam.ldb, have been extended to permit operation against a remote server
with authenticated access to "-H ldap://$DCNAME".

Supported operations include:
 - reading the current and previous gMSA password via
   "samba-tool user getpassword"
 - writing a Kerberos Ticket Granting Ticket (TGT) to a local
   credentials cache with a new command
   "samba-tool user get-kerberos-ticket"

New Windows Search Protocol Client
----------------------------------

Samba now by default builds a new experimental Windows Search Protocol (WSP)
command line client, "wspsearch".

The "wspsearch" cmd-line utility allows a WSP search request to be sent
to a server (such as a Windows server) that has the (WSP)
Windows Search Protocol service configured and enabled.

For more details see the wspsearch man page.

Allow 'smbcacls' to save/restore DACLs to file
----------------------------------------------

'smbcacls' has been extended to allow DACLs to be saved and restored
to/from a file. This feature mimics the functionality that the Windows
cmd line tool 'icacls.exe' provides. Additionally, files created either
by 'smbcacls' or 'icacls.exe' are interchangeable and can be used by
either tool, as the same file format is used.

New options added are:
 - '--save savefile'    Saves DACLs in SDDL format to file
 - '--recurse'          Performs the '--save' operation above on directory
                        and all files/directories below.
 - '--restore savefile' Restores the stored DACLs to files in directory

Samba-tool extensions for AD Claims, Authentication Policies and Silos
----------------------------------------------------------------------

samba-tool now allows users to be associated with claims.  In the
Samba AD DC, claims derive from Active Directory attributes mapped
into specific names.  These claims can be used in rules, which are
conditional ACEs in a security descriptor, that decide if a user is
restricted by an authentication policy.

samba-tool also allows the creation and management of authentication
policies, which are rules about where a user may authenticate from,
if NTLM is permitted, and what services a user may authenticate to.

Finally, support is added for the creation and management of
authentication silos, which are helpful in defining network boundaries
by grouping users and the services they connect to.

Please 
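
Scripts that consume "samba-tool user getpassword" or "syncpasswords" output have to accept both attribute forms quoted under the ";rounds= change" heading above while an upgrade is in progress. The following is an added example, not part of the announcement or of Samba: the function names and the handling of folded LDIF lines are assumptions of the example, and the sample records are constructed from the two lines quoted in the release notes.

```python
import re

# Constructed samples reusing the two output forms quoted in the release
# notes (the digest is the shortened value shown there).
OLD_OUTPUT = "virtualCryptSHA256: {CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF\n"
NEW_OUTPUT = ("virtualCryptSHA256;rounds=2561: "
              "{CRYPT}$5$rounds=2561$hXem.M9onhM9Vuix$dFdSBwF\n")

# crypt(3) scheme id expected for each virtual attribute.
SCHEME_ID = {"virtualCryptSHA256": "5", "virtualCryptSHA512": "6"}
CRYPT_RE = re.compile(
    r"^\{CRYPT\}\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]+)\$(?P<digest>.+)$")


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_attr(line):
    """Split 'name;opt=val: value' into (name, {opt: val}, value)."""
    desc, sep, value = line.partition(": ")
    if not sep:
        return None
    name, *opts = desc.split(";")
    options = dict(o.partition("=")[::2] for o in opts)
    return name, options, value


def crypt_hashes(text):
    """Return one record per virtualCryptSHA* value, for either output form."""
    found = []
    for line in unfold(text):
        parsed = split_attr(line)
        if parsed is None or parsed[0] not in SCHEME_ID:
            continue
        name, options, value = parsed
        m = CRYPT_RE.match(value)
        if m is None or m["id"] != SCHEME_ID[name]:
            # Never echo the hash itself into an error message or log.
            raise ValueError(f"unexpected value format for {name}")
        # The SHA-crypt schemes use 5000 rounds when the hash names none.
        rounds = int(m["rounds"]) if m["rounds"] else 5000
        requested = options.get("rounds")
        if requested is not None and int(requested) != rounds:
            raise ValueError(
                f"{name}: option requests {requested} rounds, hash has {rounds}")
        found.append({"attr": name, "rounds": rounds, "salt": m["salt"],
                      "form": "new" if requested is not None else "old"})
    return found
```

A sync script that keys on the exact attribute name "virtualCryptSHA256" silently finds nothing in the new form, so matching on the base name and checking the option against the hash is the safer pattern.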

[SCM] Samba Shared Repository - branch v4-20-stable updated

2024-03-27 Thread Jule Anger
The branch, v4-20-stable has been updated
   via  8fdd82c8b9c VERSION: Disable GIT_SNAPSHOT for the 4.20.0 release.
   via  797464b7624 WHATSNEW: Add release notes for Samba 4.20.0.
   via  5cedf3b5eb0 Revert "token_util.c: prefer capabilities over become_root"
   via  f7491b29941 Revert "dosmode.c: prefer use of capabilities at two places over become_root"
   via  6ca9461a1db Revert "nfs4_acls.c: prefer capabilities over become_root"
   via  52b1d9d7cb8 Revert "vfs_acl_common.c: prefer capabilities over become_root"
   via  6e0986b2c30 Revert "vfs_default.c: prefer capabilities over become_root"
   via  f6d549de47c Revert "vfs_posix_eadb.c: prefer capabilities over become_root"
   via  d0c295e5344 Revert "vfs_recycle.c: prefer capabilities over become_root"
   via  4f38859f5d8 Revert "open.c: prefer capabilities over become_root"
   via  dc161626303 Revert "posix_acls.c: prefer capabilities over become_root"
   via  bb68b730290 Revert "dosmode: prefer capabilities over become_root"
   via  aee05f11670 s3/smbd: If we fail to close file_handle ensure we should reset the fd
   via  72f70868257 smbd: simplify handling of failing fstat() after unlinking file
   via  3be368ff2bc ndr: always attempt ACE coda pull if ACE type suggests a coda
   via  1273cb7e10b tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
   via  28fc1850e5c libcli/security: check again for NULL values
   via  ce78896e262 libcli/security: claims_conversions: check for NULL in claims array
   via  99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options
   via  69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor
   via  72bd247c97d libgpo: Fix trailing spaces in pygpo.c
   via  4d1536f86b9 VERSION: Bump version up to Samba 4.20.0rc5...
  from  964c0e97e7a VERSION: Disable GIT_SNAPSHOT for the 4.20.0rc4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-stable


- Log -
---

Summary of changes:
 VERSION   |   2 +-
 WHATSNEW.txt  | 112 +++-
 libcli/security/claims-conversions.c  |  13 +
 libgpo/pygpo.c|   7 +-
 librpc/ndr/ndr_sec_helper.c   |   5 +-
 python/samba/tests/krb5/authn_policy_tests.py | 372 ++
 selftest/knownfail_mit_kdc|   8 +
 source3/auth/token_util.c |   4 +-
 source3/modules/nfs4_acls.c   |   4 +-
 source3/modules/vfs_acl_common.c  |   8 +-
 source3/modules/vfs_default.c |   4 +-
 source3/modules/vfs_posix_eadb.c  |   4 +-
 source3/modules/vfs_recycle.c |   4 +-
 source3/smbd/close.c  |   1 +
 source3/smbd/dosmode.c|  16 +-
 source3/smbd/open.c   |  39 +--
 source3/smbd/posix_acls.c |  40 +--
 17 files changed, 559 insertions(+), 84 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index fcee8581107..482360b7d68 100644
--- a/VERSION
+++ b/VERSION
@@ -89,7 +89,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index dd80f116a10..5c97836d36f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,16 +1,11 @@
-Release Announcements
-=
+   ==
+   Release Notes for Samba 4.20.0
+   March 27, 2024
+   ==
 
-This is the fourth release candidate of Samba 4.20.  This is *not*
-intended for production environments and is designed for testing
-purposes only.  Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
 
-Samba 4.20 will be the next version of the Samba suite.
-
-
-UPGRADING
-=
+This is the first stable release of the Samba 4.20 release series.
+Please read the release notes carefully before upgrading.
 
 
 NEW FEATURES/CHANGES
@@ -191,6 +186,68 @@ The Security Descriptor Definition Language has extensions 
for
 conditional ACEs and resource attribute ACEs; these are now supported
 by Samba.
 
+Service Witness Protocol [MS-SWN]
+-
+
+In a ctdb cluster it is now possible to provide
+the SMB witness service that allows clients to
+monitor their current 
