[SCM] Samba Shared Repository - branch master updated

2022-12-15 Thread Andrew Bartlett 
The branch, master has been updated
   via  9189bd9c9c1 build: Convert winexe to use enabled= in wscript
  from  ddbb8f1999e lib: Move 448 bytes from R/W data segment to R/O text

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9189bd9c9c126b8983781a8de075efc9fe7fdfa5
Author: Andrew Bartlett 
Date:   Mon Dec 5 22:18:45 2022 +1300

build: Convert winexe to use enabled= in wscript

This also allows --without-winexe to stop building the .exe files even if
the compilers are present on the system.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15264

Signed-off-by: Andrew Bartlett 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec 16 07:41:38 UTC 2022 on sn-devel-184

---

Summary of changes:
 examples/winexe/wscript_build | 60 ---
 1 file changed, 34 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/winexe/wscript_build b/examples/winexe/wscript_build
index 143739f3de0..364683405c2 100644
--- a/examples/winexe/wscript_build
+++ b/examples/winexe/wscript_build
@@ -65,36 +65,44 @@ const DATA_BLOB *%s(void)
 
 winexesvc_binaries = ''
 
+bld.SAMBA_GENERATOR(
+'winexesvc32_exe',
+source='winexesvc.c',
+target='winexesvc32.exe',
+rule='${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
+enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN32)
+
+vars = {"WINEXE_FN": "winexesvc32_exe_binary"}
+bld.SAMBA_GENERATOR(
+'winexesvc32_exe_binary',
+source='winexesvc32.exe',
+target='winexesvc32_exe_binary.c',
+group='build_source',
+vars=vars,
+rule=generate_winexesvc_c_from_exe,
+enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN32)
+
 if bld.env.WINEXE_CC_WIN32:
-bld.SAMBA_GENERATOR(
-'winexesvc32_exe',
-source='winexesvc.c',
-target='winexesvc32.exe',
-rule='${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}')
-vars = {"WINEXE_FN": "winexesvc32_exe_binary"}
-bld.SAMBA_GENERATOR(
-'winexesvc32_exe_binary',
-source='winexesvc32.exe',
-target='winexesvc32_exe_binary.c',
-group='build_source',
-vars=vars,
-rule=generate_winexesvc_c_from_exe)
 winexesvc_binaries += ' winexesvc32_exe_binary.c'
 
+bld.SAMBA_GENERATOR(
+'winexesvc64_exe',
+source='winexesvc.c',
+target='winexesvc64.exe',
+rule='${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}',
+enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN64)
+
+vars = {"WINEXE_FN": "winexesvc64_exe_binary"}
+bld.SAMBA_GENERATOR(
+'winexesvc64_exe_binary',
+source='winexesvc64.exe',
+target='winexesvc64_exe_binary.c',
+group='build_source',
+vars=vars,
+rule=generate_winexesvc_c_from_exe,
+enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN64)
+
 if bld.env.WINEXE_CC_WIN64:
-bld.SAMBA_GENERATOR(
-'winexesvc64_exe',
-source='winexesvc.c',
-target='winexesvc64.exe',
-rule='${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}')
-vars = {"WINEXE_FN": "winexesvc64_exe_binary"}
-bld.SAMBA_GENERATOR(
-'winexesvc64_exe_binary',
-source='winexesvc64.exe',
-target='winexesvc64_exe_binary.c',
-group='build_source',
-vars=vars,
-rule=generate_winexesvc_c_from_exe)
 winexesvc_binaries += ' winexesvc64_exe_binary.c'
 
 if winexesvc_binaries != '':


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch master updated

2022-12-15 Thread Jeremy Allison 
The branch, master has been updated
   via  ddbb8f1999e lib: Move 448 bytes from R/W data segment to R/O text
   via  c5bc9f732fe lib: Avoid an includes.h
   via  148b86b2ce0 lib: Align an integer type
   via  bb94ec26557 tdb: Move 160 bytes from R/W data segment to R/O text
   via  e2ccd822037 smbd: Remove a pointless NULL check from 
readlink_talloc()
   via  88848bc0732 smbd: Use direct struct initialization, avoid explicit 
ZERO_STRUCT()
   via  c26f7fcc625 smbd: Fix a debug message
   via  7fcbae4e494 libsmb: Don't mess up pathnames in 
cli_smb2_create_fnum_send()
  from  17bbd6ec4c2 smbd: Add "posix" flag to 
openat_pathref_dirfsp_nosymlink()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ddbb8f1999e9e949e3ef0db7cef94115feeb8148
Author: Volker Lendecke 
Date:   Mon Dec 12 21:20:07 2022 +0100

lib: Move 448 bytes from R/W data segment to R/O text

The linker has to relocate the pointers in the array at startup, save
that. I know we have bigger .data blobs, but every bit counts :-)

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Dec 15 22:51:06 UTC 2022 on sn-devel-184

commit c5bc9f732fe45bc3a8099f57a1e771cda0036154
Author: Volker Lendecke 
Date:   Mon Dec 12 21:02:29 2022 +0100

lib: Avoid an includes.h

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 148b86b2ce0a844a8d497c227d998371fc72c339
Author: Volker Lendecke 
Date:   Mon Dec 12 21:02:17 2022 +0100

lib: Align an integer type

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit bb94ec26557f3d254ce3391d83c200ac3a05abdd
Author: Volker Lendecke 
Date:   Mon Dec 12 21:20:07 2022 +0100

tdb: Move 160 bytes from R/W data segment to R/O text

The linker has to relocate the pointers in the array at startup, save
that. I know we have bigger .data blobs, but every bit counts :-)

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit e2ccd822037ac14cdedd971fde3a315922c0d135
Author: Volker Lendecke 
Date:   Mon Dec 5 11:51:28 2022 +0100

smbd: Remove a pointless NULL check from readlink_talloc()

We should never call this without the place to put the target in.

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 88848bc07325cec651a57443f5998a411403774a
Author: Volker Lendecke 
Date:   Fri Dec 2 12:05:14 2022 +0100

smbd: Use direct struct initialization, avoid explicit ZERO_STRUCT()

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit c26f7fcc625a365cf943151437953d3dbb0d1159
Author: Volker Lendecke 
Date:   Mon Dec 5 16:33:37 2022 +0100

smbd: Fix a debug message

This used to be openat_pathref_nostream() at some point back

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

commit 7fcbae4e4940c8d89717c4fa4199d57d69c1d3a4
Author: Volker Lendecke 
Date:   Thu Dec 15 19:06:20 2022 +0100

libsmb: Don't mess up pathnames in cli_smb2_create_fnum_send()

Master-only bug introduced with dd9cdfb3b14: smb2_dfs_share_path() can
change the length of fname, and if it happens that the original length
hits a \ in the enlarged filename, we cut it off.

Found by accident, this really made me scratch my head when looking at
traces :-)

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

---

Summary of changes:
 lib/tdb/common/error.c |  53 ++--
 libds/common/flag_mapping.c| 140 -
 source3/libsmb/cli_smb2_fnum.c |   1 +
 source3/smbd/dosmode.c |   7 +--
 source3/smbd/files.c   |   6 +-
 5 files changed, 134 insertions(+), 73 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tdb/common/error.c b/lib/tdb/common/error.c
index 478eb887ffd..c3ef8bd1438 100644
--- a/lib/tdb/common/error.c
+++ b/lib/tdb/common/error.c
@@ -32,26 +32,43 @@ _PUBLIC_ enum TDB_ERROR tdb_error(struct tdb_context *tdb)
return tdb->ecode;
 }
 
-static struct tdb_errname {
-   enum TDB_ERROR ecode; const char *estring;
-} emap[] = { {TDB_SUCCESS, "Success"},
-{TDB_ERR_CORRUPT, "Corrupt database"},
-{TDB_ERR_IO, "IO Error"},
-{TDB_ERR_LOCK, "Locking error"},
-{TDB_ERR_OOM, "Out of memory"},
-{TDB_ERR_EXISTS, "Record exists"},
-{TDB_ERR_NOLOCK, "Lock exists on other keys"},
-{TDB_ERR_EINVAL, "Invalid parameter"},
-{TDB_ERR_NOEXIST, "Record does not exist"},
-{TDB_ERR_RDONLY, "write not permitted"} };
-
-/* Error string for the last tdb error */
 _PUBLIC_ const char *tdb_errorstr(struct tdb_context *tdb)
 {
-

[SCM] Samba Website Repository - branch master updated

2022-12-15 Thread Jule Anger 
The branch, master has been updated
   via  53f2f82 NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security 
Releases are available for Download
   via  782d9c0 history/security: add missing 
  from  81dfaa6 news: html syntax error due to duplicate  tag, This 
breaks Feed Readers

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 53f2f82216254c6be5e813c514a5c8464841d2ba
Author: Jule Anger 
Date:   Thu Dec 15 17:11:24 2022 +0100

NEWS[4.17.4]: Samba 4.17.4, 4.16.8 and 4.15.13 Security Releases are 
available for Download

Signed-off-by: Jule Anger 

commit 782d9c0743c4ed1d495454f7b4b8e4bb3c6c598f
Author: Jule Anger 
Date:   Thu Dec 15 14:57:01 2022 +0100

history/security: add missing 

Signed-off-by: Jule Anger 

---

Summary of changes:
 history/header_history.html   |   3 +
 history/samba-4.15.13.html| 147 ++
 history/samba-4.16.8.html | 147 ++
 history/samba-4.17.4.html | 154 +++
 history/security.html |  28 ++-
 posted_news/20221215-161202.4.15.13.body.html |  34 
 posted_news/20221215-161202.4.15.13.headline.html |   3 +
 security/CVE-2022-37966.html  | 180 ++
 security/CVE-2022-37967.html  | 127 +
 security/CVE-2022-38023.html  | 221 ++
 security/CVE-2022-45141.html  |  95 ++
 11 files changed, 1138 insertions(+), 1 deletion(-)
 create mode 100644 history/samba-4.15.13.html
 create mode 100644 history/samba-4.16.8.html
 create mode 100644 history/samba-4.17.4.html
 create mode 100644 posted_news/20221215-161202.4.15.13.body.html
 create mode 100644 posted_news/20221215-161202.4.15.13.headline.html
 create mode 100644 security/CVE-2022-37966.html
 create mode 100644 security/CVE-2022-37967.html
 create mode 100644 security/CVE-2022-38023.html
 create mode 100644 security/CVE-2022-45141.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 945c471..0c748da 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,10 +9,12 @@
Release Notes


+   samba-4.17.4
samba-4.17.3
samba-4.17.2
samba-4.17.1
samba-4.17.0
+   samba-4.16.8
samba-4.16.7
samba-4.16.6
samba-4.16.5
@@ -21,6 +23,7 @@
samba-4.16.2
samba-4.16.1
samba-4.16.0
+   samba-4.15.13
samba-4.15.12
samba-4.15.11
samba-4.15.10
diff --git a/history/samba-4.15.13.html b/history/samba-4.15.13.html
new file mode 100644
index 000..fa2c68f
--- /dev/null
+++ b/history/samba-4.15.13.html
@@ -0,0 +1,147 @@
+http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;>
+http://www.w3.org/1999/xhtml;>
+
+Samba 4.15.13 - Release Notes
+
+
+Samba 4.15.13 Available for Download
+
+https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.gz;>Samba 
4.15.13 (gzipped)
+https://download.samba.org/pub/samba/stable/samba-4.15.13.tar.asc;>Signature
+
+
+https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.gz;>Patch
 (gzipped) against Samba 4.15.12
+https://download.samba.org/pub/samba/patches/samba-4.15.12-4.15.13.diffs.asc;>Signature
+
+
+
+   ===
+   Release Notes for Samba 4.15.13
+  December 15, 2022
+   ===
+
+
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+  RC4-HMAC Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A Samba Active Directory DC will issue weak rc4-hmac
+  session keys for use between modern clients and servers
+  despite all modern Kerberos implementations supporting
+  the aes256-cts-hmac-sha1-96 cipher.
+
+  On Samba Active Directory DCs and members
+  kerberos encryption types = legacy would force
+  rc4-hmac as a client even if the server supports
+  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+  htt

[SCM] Samba Shared Repository - branch v4-17-stable updated

2022-12-15 Thread Jule Anger 
The branch, v4-17-stable has been updated
   via  ab48448c650 VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
   via  f676c903ad5 WHATSNEW: Add release notes for Samba 4.17.4.
   via  1c7d60ee090 s4:libnet: correctly handle gnutls_pbkdf2() errors
   via  77fb5b47621 s4:libnet: fix error string for failing 
samr_ChangePasswordUser4()
   via  5048d63c92e CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports
   via  701c98858c9 CVE-2022-37966 samba-tool: add 'domain trust modify' 
command
   via  dd4832f10a7 CVE-2022-37966 s4:kdc: apply restrictions of "kdc 
supported enctypes"
   via  17db57685f6 CVE-2022-37966 param: Add support for new option "kdc 
supported enctypes"
   via  428aa9b001d CVE-2022-37966 param: let "kdc default domain 
supportedenctypes = 0" mean the default
   via  91be2dbb305 CVE-2022-37966 param: don't explicitly initialize "kdc 
force enable rc4 weak session keys" to false/"no"
   via  2d1f56c67e6 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES 
like windows.
   via  82739352398 CVE-2022-37966 python:tests/krb5: test much more etype 
combinations
   via  c642bd9f2e9 CVE-2022-37966 python:tests/krb5: add better 
PADATA_SUPPORTED_ETYPES assert message
   via  afc05bec7ec CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' 
for account creation of KDCBaseTest
   via  d1b65794c8c CVE-2022-37966 python:tests/krb5: ignore empty 
supplementalCredentials attributes
   via  0f63356c8bb CVE-2022-37966 python:tests/krb5: allow 
ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
   via  6a4531ad9fb CVE-2022-37966 python:tests/krb5: fix some tests 
running against Windows 2022
   via  bf633c58114 CVE-2022-37966 s4:libnet: allow python bindings to 
force setting an nthash via SAMR level 18
   via  9c106afa804 CVE-2022-37966 s4:libnet: add support 
LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
   via  bf27c7ba92e CVE-2022-37966 s4:libnet: initialize 
libnet_SetPassword() arguments explicitly to zero by default.
   via  d7efa582a41 CVE-2022-37966 drsuapi.idl: add trustedDomain related 
ATTID values
   via  42c12b8c36d CVE-2022-37966 s4:kdc: use the strongest possible keys
   via  ceda758dd73 CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
   via  e741eac059f CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' 
pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
   via  96fcd2b2b1f CVE-2022-37966 s3:net_ads: no longer reference des 
encryption types
   via  8b9e670c5ce CVE-2022-37966 s3:libnet: no longer reference des 
encryption types
   via  edccbf1a637 CVE-2022-37966 s3:libads: no longer reference des 
encryption types
   via  c894010ae87 CVE-2022-37966 lib/krb5_wrap: no longer reference des 
encryption types
   via  e2e29876b69 CVE-2022-37966 s3:net_ads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  b10529349fb CVE-2022-37966 s3:libnet: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  d022b9fa3ae CVE-2022-37966 s3:libads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  91680bf61f5 CVE-2022-37966 lib/krb5_wrap: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  425dc5a2a09 CVE-2022-37966 system_mitkrb5: require support for aes 
enctypes
   via  4ad0303ece5 CVE-2022-37966 wafsamba: add support for 
CHECK_VARIABLE(mandatory=True)
   via  5f8854208d7 CVE-2022-37966 s4:kdc: also limit the krbtgt history to 
their strongest keys
   via  82f3c2876a8 CVE-2022-37966 kdc: Assume trust objects support AES by 
default
   via  71e538e7e03 CVE-2022-37966 kdc: Implement new Kerberos session key 
behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  3d85ff9dd57 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
   via  64bfe0ef786 CVE-2022-37966 selftest: Add tests for Kerberos session 
key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  123b3c056af CVE-2022-37966 tests/krb5: Test different preauth 
etypes with Protected Users group
   via  d8cef2fa342 CVE-2022-37966 samba-tool: Declare explicitly RC4 
support of trust objects
   via  42150ff93ba CVE-2022-37966 samba-tool: Fix 'domain trust create' 
documentation
   via  350a2e5fda5 CVE-2022-37966 third_party/heimdal: Fix error message 
typo
   via  ac8a4665a8d CVE-2022-37966 param: Add support for new option "kdc 
force enable rc4 weak session keys"
   via  3d276a19e30 CVE-2022-37966 param: Add support for new option "kdc 
default domain supportedenctypes"
   via  25918f9c16c CVE-2022-37967 Add new PAC checksum
   via  6ff9fc58cd3 CVE-2022-37966 HEIMDAL: Look up the server keys to 
combine with clients etype list to select a session key
   via  15835e21e84 CVE-2022-37966 tests/krb5: Add a test requesting 
tickets with various encryption types
   via  649854b0fad CVE-2022-37966 tests/krb5: Add 'etypes' parameter to 
_tgs_req()
   via  4870b9c8e57

[SCM] Samba Shared Repository - annotated tag samba-4.17.4 created

2022-12-15 Thread Jule Anger 
The annotated tag, samba-4.17.4 has been created
at  1f69e1cdbf2ac348c965617e3a5e58d530cca50d (tag)
   tagging  ab48448c650c96095fa183c3531a3dd244983664 (commit)
  replaces  samba-4.17.3
 tagged by  Jule Anger
on  Thu Dec 15 17:10:17 2022 +0100

- Log -
samba: tag release samba-4.17.4
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRukACgkQqplEL7aA
tiAgYhAArxRBMOO5bM+1LiTbqtktI6JtXZarhZkCZwLoNxnqIiHE0IES/GxSwsAM
SkWqjT8bzmhXoiNexl/I+HKskirJnQemZFAOzv+K+QT1Uzl5qhtuhO++QK+XqfxJ
Aj8OnGbBs9zxHDrNFWPe8ezOdIIDl7k2g0LrvCgYGMFN7dl2wr4Xi3aMUnwlOpSx
zMirI/qleexaM5N1QVEu3lpFVEsj17mzHGlUrSFOCl5VsuTyczEfAoXRaDP3Db8R
mcDJYkxcuwLM5H71FZS5DX+iJymQlpbnDZLAIV8jCrS5os8M8kurrxxbUDH9idsR
SPUK880NsUn958NJKvZfCZgWa+qoKtlArcLBdOASNgT48Ow8jwZOV0Q50GXLy8B5
h938smFmHxUHGWERBbmFZMCldKq0NJZqmIomVZQMsoS/R8+0JMhadfP5BAbdhgpm
JHvhpaahGAZP6T3toQ92TwB6pOV1S3VvDO/3d7UV+cPJ4aI/Lorqzp6Ftjv/uq57
qdRQVJO0WPV+/PhOA75SbHyVaGED6pdT20bfyBPrf6oVwaOJ1qiVL7KQZZ2yOPPE
FBt6rpTBxWEGvpUjuKxH3UkZqbmbJlhoIwDK8mqZXCV+FAc5QaZOCeAgJY5nmNiL
nSwy7Wx1L2SSYo8OA6r1fS4pkLDWq8piVr6/S8wodOR8+Ofp+3s=
=GmAE
-END PGP SIGNATURE-

Andreas Schneider (10):
  s3:librpc: Improve GSE error message
  s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES()
  s4:libnet: If we successfully changed the password we are done
  s3:tests: Add substitution test for include directive
  s3:tests: Add substitution test for listing shares
  s3:rpc_server: Fix include directive substitution when enumerating shares
  s3:utils: Fix stack smashing in net offlinejoin
  CVE-2022-37966 s3:param: Fix old-style function definition
  CVE-2022-37966 s3:client: Fix old-style function definition
  CVE-2022-37966 s3:utils: Fix old-style function definition

Andrew Bartlett (7):
  lib/tsocket: Add tests for loop on EAGAIN
  CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars 
test
  selftest: make filter-subunit much more efficient for large knownfail 
lists
  CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using 
the target_hostname binding string
  CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients 
etype list to select a session key
  CVE-2022-37966 param: Add support for new option "kdc force enable rc4 
weak session keys"
  CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since 
ENC_HMAC_SHA1_96_AES256_SK was added

Anoop C S (5):
  vfs_glusterfs: Simplify SMB_VFS_GET_REAL_FILENAME_AT implementation
  vfs_glusterfs: Do not use glfs_fgetxattr() for 
SMB_VFS_GET_REAL_FILENAME_AT
  vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FGETXATTR
  vfs_glusterfs: Simplify SMB_VFS_FDOPENDIR implementation
  vfs_glusterfs: Add path based fallback mechanism for SMB_VFS_FNTIMES

Daniel Kobras (2):
  s3: smbd: Consistently map EAs to user namespace
  docs-xml: ea support option restricted to user ns

Jeremy Allison (1):
  nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, 
not try and embedd it directly.

Joseph Sutton (14):
  third_party/heimdal: Introduce macro for common plugin structure elements
  CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
  CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
  CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
  CVE-2022-37966 tests/krb5: Add a test requesting tickets with various 
encryption types
  CVE-2022-37967 Add new PAC checksum
  CVE-2022-37966 param: Add support for new option "kdc default domain 
supportedenctypes"
  CVE-2022-37966 third_party/heimdal: Fix error message typo
  CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
  CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
  CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected 
Users group
  CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour 
since ENC_HMAC_SHA1_96_AES256_SK was added
  CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
  CVE-2022-37966 kdc: Assume trust objects support AES by default

Jule Anger (4):
  Merge tag 'samba-4.17.3' into v4-17-test
  VERSION: Bump version up to Samba 4.17.4...
  WHATSNEW: Add release notes for Samba 4.17.4.
  VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.

Nicolas Williams (1):
  CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec

Noel Power (3):
  s4/rpc_server/sambr: don't mutate the return of samdb_set_password_aes
  python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
  nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim

Ralph Boehme (4):
  torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
  smbd: reject FILE_ATTRIBUTE_TEMPORARY on

[SCM] Samba Shared Repository - branch v4-16-stable updated

2022-12-15 Thread Jule Anger 
The branch, v4-16-stable has been updated
   via  6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
   via  64d7270f282 WHATSNEW: Add release notes for Samba 4.16.8.
   via  d5a8e41313d CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports
   via  160e566d590 CVE-2022-37966 samba-tool: add 'domain trust modify' 
command
   via  cdc71cfd273 CVE-2022-37966 s4:kdc: apply restrictions of "kdc 
supported enctypes"
   via  4477651a0de CVE-2022-37966 param: Add support for new option "kdc 
supported enctypes"
   via  be57176c3ab CVE-2022-37966 param: let "kdc default domain 
supportedenctypes = 0" mean the default
   via  e7d3998bcc8 CVE-2022-37966 param: don't explicitly initialize "kdc 
force enable rc4 weak session keys" to false/"no"
   via  906dbd0a4bd CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES 
like windows.
   via  c8afae7869a CVE-2022-37966 python:tests/krb5: test much more etype 
combinations
   via  8e6d2953ba1 CVE-2022-37966 python:tests/krb5: add better 
PADATA_SUPPORTED_ETYPES assert message
   via  f4dc5721be3 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' 
for account creation of KDCBaseTest
   via  aeb7c646bb0 CVE-2022-37966 python:tests/krb5: ignore empty 
supplementalCredentials attributes
   via  b20acd876c8 CVE-2022-37966 python:tests/krb5: allow 
ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
   via  3ea9946f652 CVE-2022-37966 python:tests/krb5: fix some tests 
running against Windows 2022
   via  dd69e432ee8 CVE-2022-37966 s4:libnet: allow python bindings to 
force setting an nthash via SAMR level 18
   via  55476d01ffc CVE-2022-37966 s4:libnet: add support 
LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
   via  f11edc1741e CVE-2022-37966 s4:libnet: initialize 
libnet_SetPassword() arguments explicitly to zero by default.
   via  b40b03d0601 CVE-2022-37966 drsuapi.idl: add trustedDomain related 
ATTID values
   via  ec1a2225a0f CVE-2022-37966 s4:kdc: use the strongest possible keys
   via  679904dc0df CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
   via  052cfe5a4a1 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' 
pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
   via  1d2318ec326 CVE-2022-37966 s3:net_ads: no longer reference des 
encryption types
   via  f8839f39f0a CVE-2022-37966 s3:libnet: no longer reference des 
encryption types
   via  3e4a521a2aa CVE-2022-37966 s3:libads: no longer reference des 
encryption types
   via  b2201628245 CVE-2022-37966 lib/krb5_wrap: no longer reference des 
encryption types
   via  0c7af9838fe CVE-2022-37966 s3:net_ads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  c0bbcc442b8 CVE-2022-37966 s3:libnet: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  836646d4a02 CVE-2022-37966 s3:libads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  911750da81a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  8842d0197d1 CVE-2022-37966 system_mitkrb5: require support for aes 
enctypes
   via  001ed425ea1 CVE-2022-37966 wafsamba: add support for 
CHECK_VARIABLE(mandatory=True)
   via  c13c60ffbf7 CVE-2022-37966 kdc: Assume trust objects support AES by 
default
   via  a836bcf22ce CVE-2022-37966 kdc: Implement new Kerberos session key 
behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  da9da918f75 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
   via  f29efb011f6 CVE-2022-37966 selftest: Add tests for Kerberos session 
key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  71fcd5366a0 CVE-2022-37966 samba-tool: Declare explicitly RC4 
support of trust objects
   via  b8996509387 CVE-2022-37966 samba-tool: Fix 'domain trust create' 
documentation
   via  31543f2902e CVE-2022-37966 third_party/heimdal: Fix error message 
typo
   via  545c20fd321 CVE-2022-37966 param: Add support for new option "kdc 
force enable rc4 weak session keys"
   via  4c2dc48598d CVE-2022-37966 param: Add support for new option "kdc 
default domain supportedenctypes"
   via  0601bb94c62 CVE-2022-37967 Add new PAC checksum
   via  a9c836d0442 CVE-2022-37966 HEIMDAL: Look up the server keys to 
combine with clients etype list to select a session key
   via  8d208ab0616 CVE-2022-37966 tests/krb5: Add a test requesting 
tickets with various encryption types
   via  9ed5a352ca1 CVE-2022-37966 tests/krb5: Add 'etypes' parameter to 
_tgs_req()
   via  cc2bea27a64 CVE-2022-37966 tests/krb5: Split out _tgs_req() into 
base class
   via  2408d405d31 CVE-2022-37966 selftest: Allow krb5 tests to run 
against an IP by using the target_hostname binding string
   via  91b74c701ac CVE-2022-37966 libcli/auth: let 
netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
   via  12e4e94853f CVE-2022-37966 testparm:

[SCM] Samba Shared Repository - annotated tag samba-4.16.8 created

2022-12-15 Thread Jule Anger 
The annotated tag, samba-4.16.8 has been created
at  f9306effc2e65cfe0e2646679db644e3ce76ee0f (tag)
   tagging  6cc6e233b5ceb2a579400f020b61c67ca7bbeb78 (commit)
  replaces  samba-4.16.7
 tagged by  Jule Anger
on  Thu Dec 15 17:09:57 2022 +0100

- Log -
samba: tag release samba-4.16.8
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRtUACgkQqplEL7aA
tiBGjQ//eupPXw2XUz8FgDJukC2FR8IdtFZO8OQ75BEfko7Y0Jek2KKaiylIGPmX
nekyY8TXwtO/9aQxGyqBRfTNIOK/SSPI++S5quaAIC+XhGL8/2QW9cWO+VKJXvdS
56Mn01Qxcc3T9ytaBMGxDA0an+1dhfikU6DpQannyloKUU5bydcnfgjJfviTKC8Z
M8yJJenf++YY81O8jHoafLTne5xmF0/qMmi0KOk3qEbshYpLeafk1LDlEaoC/T75
WslqYGUbn3FAdfz9TGk/Emuwgy1EeHa8B187sPJjitbge/cBuqMBlgx4NplP0ROe
p6gO9YxYDmf9/8Z8WLFtigmjUImBarkzay7cjBNl2Og6VWjGcu3UjN9FM3ywL5Kj
usNccB9vRMUry1cLnPSMNzLhgggNujE8w2GyEC3Zx0A0hD+rgcwhyrDLkE03EXBN
7Qcj2juT3neri/TpDQfQNScJKbAdfHwAU5V2JuH1uASVC7isIwb+cg3T0KA3hRfM
jIqkXre0tTe2zRTRajD5MgbhkTtA0J2kYd7+9mRFbPKZM01Lhz6wEQ2mqwUcrpbU
b+wwXg9guB0hu0gR9WQjafzcvUZE7OOSHZnyYtjA019P0knU6lrXhgXQunSttK/C
dXiYFcVY+2P9ajubtZz9VbE5r4E2oRdxyF/3FGJWmk6/gN2dBwI=
=+8J7
-END PGP SIGNATURE-

Andreas Schneider (12):
  third_party: Update socket_wrapper to version 1.3.4
  s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
  s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
  s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
  s3:auth: Flush the GETPWSID in memory cache for NTLM auth
  s3:tests: Add substitution test for include directive
  s3:tests: Add substitution test for listing shares
  s3:rpc_server: Fix include directive substitution when enumerating shares
  s3:utils: Fix stack smashing in net offlinejoin
  CVE-2022-37966 s3:param: Fix old-style function definition
  CVE-2022-37966 s3:client: Fix old-style function definition
  CVE-2022-37966 s3:utils: Fix old-style function definition

Andrew Bartlett (21):
  CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the 
user
  CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
  CVE-2021-20251 s4 auth: make bad password count increment atomic
  CVE-2021-20251 auth4: Add missing newline to debug message on PSO read 
failure
  CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() 
out
  CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in 
authsam_logon_success_accounting()
  CVE-2021-20251 auth4: Avoid reading the database twice by precaculating 
some variables
  selftest: Prepare for "old Samba" mode regarding getncchanges 
GET_ANC/GET_TGT
  selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs 
clone-dc-database
  s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
  selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
  s4-libnet: Add messages to object count mismatch failures
  python-drs: Add client-side debug and fallback for GET_ANC
  lib/tsocket: Add tests for loop on EAGAIN
  CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars 
test
  selftest: make filter-subunit much more efficient for large knownfail 
lists
  CVE-2022-37966 s4:kdc: Move supported enc-type handling out of 
samba_kdc_message2entry_keys()
  CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using 
the target_hostname binding string
  CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients 
etype list to select a session key
  CVE-2022-37966 param: Add support for new option "kdc force enable rc4 
weak session keys"
  CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since 
ENC_HMAC_SHA1_96_AES256_SK was added

Douglas Bagnall (7):
  pytest: add file removal helpers for TestCaseInTempDir
  pytest/downgradedatabase: use TestCaseInTempDir.rm_files
  pytest/samdb_api: use TestCaseInTempDir.rm_files
  pytest/join: use TestCaseInTempDir.rm_files/dirs
  pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
  pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
  pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs

Gary Lockyer (4):
  CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() 
out
  CVE-2021-20251 s4 auth: Prepare to make bad password count increment 
atomic
  CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
  CVE-2021-20251 auth4: Return only the result message and free the 
surrounding result

Jeremy Allison (7):
  CVE-2021-20251 s3: ensure bad password count atomic updates
  s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
  s4: smbtorture: Add fsync_resource_fork test to fruit tests.
  s3: VFS: fruit. Implement fsync_send()/fsync_recv().
  s4: torture: libsmbclient: Add a torture test to

[SCM] Samba Shared Repository - branch v4-15-stable updated

2022-12-15 Thread Jule Anger 
The branch, v4-15-stable has been updated
   via  861b4f9fde0 VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
   via  00479fb662f WHATSNEW: Add release notes for Samba 4.15.13.
   via  2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
   via  ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
   via  fd3cdcc1800 tests/krb5: Add test requesting a service ticket 
expiring post-2038
   via  d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports
   via  48d6042dddf CVE-2022-37966 samba-tool: add 'domain trust modify' 
command
   via  89b1c78b520 CVE-2022-37966 s4:kdc: apply restrictions of "kdc 
supported enctypes"
   via  18996e99712 CVE-2022-37966 param: Add support for new option "kdc 
supported enctypes"
   via  34fc0da7869 CVE-2022-37966 param: let "kdc default domain 
supportedenctypes = 0" mean the default
   via  693a247d3b2 CVE-2022-37966 param: don't explicitly initialize "kdc 
force enable rc4 weak session keys" to false/"no"
   via  ee9ffe50e99 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES 
like windows.
   via  1815d339417 CVE-2022-37966 python:tests/krb5: test much more etype 
combinations
   via  d6b9e8b3397 CVE-2022-37966 python:tests/krb5: add better 
PADATA_SUPPORTED_ETYPES assert message
   via  25d88118903 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' 
for account creation of KDCBaseTest
   via  c768a27bc13 CVE-2022-37966 python:tests/krb5: ignore empty 
supplementalCredentials attributes
   via  9049c5442aa CVE-2022-37966 python:tests/krb5: allow 
ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
   via  a1e91681158 CVE-2022-37966 python:tests/krb5: fix some tests 
running against Windows 2022
   via  1db952fab82 CVE-2022-37966 s4:libnet: allow python bindings to 
force setting an nthash via SAMR level 18
   via  91a030cbf58 CVE-2022-37966 s4:libnet: add support 
LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
   via  eed3d6a3962 CVE-2022-37966 s4:libnet: initialize 
libnet_SetPassword() arguments explicitly to zero by default.
   via  0d7dc04404d CVE-2022-37966 drsuapi.idl: add trustedDomain related 
ATTID values
   via  527a164b410 CVE-2022-37966 s4:kdc: use the strongest possible keys
   via  8b8835b09fa CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
   via  f644fc69971 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' 
pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
   via  716149ed2bc CVE-2022-37966 s3:net_ads: no longer reference des 
encryption types
   via  5f9e13ce20a CVE-2022-37966 s3:libnet: no longer reference des 
encryption types
   via  153e4a39142 CVE-2022-37966 s3:libads: no longer reference des 
encryption types
   via  ac6563e70ad CVE-2022-37966 lib/krb5_wrap: no longer reference des 
encryption types
   via  ece27efe594 CVE-2022-37966 s3:net_ads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  c23c17a8d75 CVE-2022-37966 s3:libnet: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  6db1a9a9648 CVE-2022-37966 s3:libads: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  c0a367ad02a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef 
HAVE_ENCTYPE_AES*
   via  5127bcfded4 CVE-2022-37966 system_mitkrb5: require support for aes 
enctypes
   via  a4deabde39e CVE-2022-37966 wafsamba: add support for 
CHECK_VARIABLE(mandatory=True)
   via  a7e2f5d32e5 CVE-2022-37966 kdc: Assume trust objects support AES by 
default
   via  1e32bfc0fdd CVE-2022-37966 kdc: Implement new Kerberos session key 
behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  701b2650d1b CVE-2022-37966 s4:torture: Expect referral ticket 
enc-part encrypted with AES256 rather than RC4
   via  590228fd72f CVE-2022-37966 auth/credentials: Allow specifying 
password to cli_credentials_get_aes256_key()
   via  eefa5532055 CVE-2022-37966 auth/credentials: Add 
cli_credentials_get_aes256_key()
   via  33e5f0b4a44 CVE-2022-37966 Fix enctype selection issues for PAC and 
other authz-data signatures
   via  cc6196fa005 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
   via  c273cb75625 CVE-2022-37966 selftest: Add tests for Kerberos session 
key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via  84c28b05a0a CVE-2022-37966 samba-tool: Declare explicitly RC4 
support of trust objects
   via  0ad59767324 CVE-2022-37966 samba-tool: Fix 'domain trust create' 
documentation
   via  1c06e8b08ca CVE-2022-37966 third_party/heimdal: Fix error message 
typo
   via  36d5770585a CVE-2022-37966 param: Add support for new option "kdc 
force enable rc4 weak session keys"
   via  1daea832104 CVE-2022-37966 param: Add support for new option "kdc 
default domain supportedenctypes"
   via  d775f1ed43a CVE-2022-37967 Add new PAC checksum
   via  4650ce1fa5c CVE-2022-37966 HEIMDAL: Look

[SCM] Samba Shared Repository - annotated tag samba-4.15.13 created

2022-12-15 Thread Jule Anger 
The annotated tag, samba-4.15.13 has been created
at  98d538ce7afc999a8198f839cd4cda97acb5bde1 (tag)
   tagging  861b4f9fde0128609abcb4eafce6192fbf0a959a (commit)
  replaces  samba-4.15.12
 tagged by  Jule Anger
on  Thu Dec 15 17:08:50 2022 +0100

- Log -
samba: tag release samba-4.15.13
-BEGIN PGP SIGNATURE-

iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmObRpIACgkQqplEL7aA
tiDeQg//XZIydI6R5nJmiTuxcEJam+BAgll0kXihX7UmNXyngBYAdJoHHwmaQTsJ
bhCq/+zTFX6Udb53yQVuXB2amxm1H0IzyzafjCvX+xnrJ6bO29WnFQGFB6fG4Pu5
H3YcuexusmkehpZXmjQJk8nKmUgslyilqXNBOU9I10XUS8n4ehNBrPvVEIV/D1UH
GMe1Vuct6rbSVH2nDZQwpkB0WYqxGOpBCBvAkcvXGaB2bDibYODYjtdzyyafHNk7
54yA7v4yL/6dDZoIyHeui7Dj2hK5iFE+Ik5oSNS20DXmODtX3EVsJsn5x9cfKln/
hbfEtI3rEBU5SW7u+ovbm+yeiRrN1GJn90CtoRdIBqpVEa3rc+URNR+62mp20bMA
LVLnnu1xnF9yZS0ivj+H/6MmMBPjc4zKexoT1/px9KGjMQC2APmyPhrM6mDcbr2Q
VagHQh7H6aid6sEODdu+J88q7INTOdkTdEwp89foZxd4b+KEPqLEw1RV6M2PoRl4
Tha/W9sCrt7dNu1aT433xFomtZtll3/O1HWQyYba5hNtoWf2oq0BRj3qdwLSZ4+u
Cu5oRQC6edYXEKn9C4SJKjglb7UOnPeChXg4QmmFwAEwJj/opmcaDNkBfPDYM+QH
doelZoQR1v+jwYZK7yMjGirLFTq2gRW5KSYK9lCOTQiUPijj9QM=
=ykFd
-END PGP SIGNATURE-

Andreas Schneider (3):
  CVE-2022-37966 s3:param: Fix old-style function definition
  CVE-2022-37966 s3:client: Fix old-style function definition
  CVE-2022-37966 s3:utils: Fix old-style function definition

Andrew Bartlett (6):
  selftest: make filter-subunit much more efficient for large knownfail 
lists
  CVE-2022-37966 s4:kdc: Move supported enc-type handling out of 
samba_kdc_message2entry_keys()
  CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using 
the target_hostname binding string
  CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients 
etype list to select a session key
  CVE-2022-37966 param: Add support for new option "kdc force enable rc4 
weak session keys"
  CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since 
ENC_HMAC_SHA1_96_AES256_SK was added

Joseph Sutton (22):
  CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding 
PA-ENC-TS-ENC
  CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
  CVE-2022-37966 tests/krb5: Update supported enctype checking
  CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
  CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
  CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
  CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
  CVE-2022-37966 tests/krb5: Add a test requesting tickets with various 
encryption types
  CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a 
TGT
  CVE-2022-37967 Add new PAC checksum
  CVE-2022-37966 param: Add support for new option "kdc default domain 
supportedenctypes"
  CVE-2022-37966 third_party/heimdal: Fix error message typo
  CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
  CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
  CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour 
since ENC_HMAC_SHA1_96_AES256_SK was added
  CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
  CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
  CVE-2022-37966 auth/credentials: Allow specifying password to 
cli_credentials_get_aes256_key()
  CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with 
AES256 rather than RC4
  CVE-2022-37966 kdc: Assume trust objects support AES by default
  tests/krb5: Add test requesting a service ticket expiring post-2038
  tests/krb5: Add test requesting a TGT expiring post-2038

Jule Anger (3):
  VERSION: Bump version up to Samba 4.15.13...
  WHATSNEW: Add release notes for Samba 4.15.13.
  VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.

Luke Howard (1):
  kdc: avoid re-encoding KDC-REQ-BODY

Nicolas Williams (4):
  CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
  CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
  CVE-2022-45141 source4/heimdal: Fix check-des
  CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data 
signatures

Ralph Boehme (2):
  CVE-2022-38023 docs-xml: improve wording for several options: "takes 
precedence" -> "overrides"
  CVE-2022-38023 docs-xml: improve wording for several options: "yields 
precedence" -> "is over-riden"

Stefan Metzmacher (61):
  CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 
'unsigned long' is just 32-bit
  CVE-2022-38023 libcli/auth: pass lp_ctx to 
netlogon_creds_cli_set_global_db()
  CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
  CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
  CVE-2022-38023 s3:winbindd: also allow per

[SCM] Samba Shared Repository - branch v4-17-test updated

2022-12-15 Thread Jule Anger 
The branch, v4-17-test has been updated
   via  72dcfb4773d VERSION: Bump version up to Samba 4.17.5...
   via  ab48448c650 VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.
   via  f676c903ad5 WHATSNEW: Add release notes for Samba 4.17.4.
  from  1c7d60ee090 s4:libnet: correctly handle gnutls_pbkdf2() errors

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test


- Log -
commit 72dcfb4773dadb1c3775c518fff274f96670a9dd
Author: Jule Anger 
Date:   Thu Dec 15 17:06:06 2022 +0100

VERSION: Bump version up to Samba 4.17.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit ab48448c650c96095fa183c3531a3dd244983664
Author: Jule Anger 
Date:   Thu Dec 15 17:05:36 2022 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.17.4 release.

Signed-off-by: Jule Anger 

commit f676c903ad5cfb052c3f32f88dc559279d06
Author: Jule Anger 
Date:   Thu Dec 15 17:05:11 2022 +0100

WHATSNEW: Add release notes for Samba 4.17.4.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 159 ++-
 2 files changed, 158 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index be26434337c..d0dc22652d6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6a9245050ee..40f99a45a90 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,159 @@
+   ==
+   Release Notes for Samba 4.17.4
+ December 15, 2022
+   ==
+
+
+This is the latest stable release of the Samba 4.17 release series.
+It also contains security changes in order to address the following defects:
+
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+  RC4-HMAC Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A Samba Active Directory DC will issue weak rc4-hmac
+  session keys for use between modern clients and servers
+  despite all modern Kerberos implementations supporting
+  the aes256-cts-hmac-sha1-96 cipher.
+
+  On Samba Active Directory DCs and members
+  'kerberos encryption types = legacy' would force
+  rc4-hmac as a client even if the server supports
+  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+  https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+  Kerberos Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A service account with the special constrained
+  delegation permission could forge a more powerful
+  ticket than the one it was presented with.
+
+  https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+  same algorithms as rc4-hmac cryptography in Kerberos,
+  and so must also be assumed to be weak.
+
+  https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+
+
+  Parameter Name   Description Default
+  --   --- ---
+  allow nt4 crypto Deprecated  no
+  allow nt4 crypto:COMPUTERACCOUNT New
+  kdc default domain supported enctypesNew (see manpage)
+  kdc supported enctypes   New (see manpage)
+  kdc force enable rc4 weak session keys   New

[SCM] Samba Shared Repository - branch v4-16-test updated

2022-12-15 Thread Jule Anger 
The branch, v4-16-test has been updated
   via  cb4cbfc83fc VERSION: Bump version up to Samba 4.16.9...
   via  6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
   via  64d7270f282 WHATSNEW: Add release notes for Samba 4.16.8.
  from  d5a8e41313d CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -
commit cb4cbfc83fc6b69a4e47f382aac3e66d1bb851d1
Author: Jule Anger 
Date:   Thu Dec 15 17:04:23 2022 +0100

VERSION: Bump version up to Samba 4.16.9...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 6cc6e233b5ceb2a579400f020b61c67ca7bbeb78
Author: Jule Anger 
Date:   Thu Dec 15 17:03:50 2022 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.

Signed-off-by: Jule Anger 

commit 64d7270f282ffaa64d8f016b00f46cd4ac827020
Author: Jule Anger 
Date:   Thu Dec 15 17:03:15 2022 +0100

WHATSNEW: Add release notes for Samba 4.16.8.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 152 ++-
 2 files changed, 151 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index f277d2b2850..1109ccfc4e4 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4f085269066..c2aeab4afbe 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,152 @@
+   ==
+   Release Notes for Samba 4.16.8
+ December 15, 2022
+   ==
+
+
+This is the latest stable release of the Samba 4.16 release series.
+It also contains security changes in order to address the following defects
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+  RC4-HMAC Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A Samba Active Directory DC will issue weak rc4-hmac
+  session keys for use between modern clients and servers
+  despite all modern Kerberos implementations supporting
+  the aes256-cts-hmac-sha1-96 cipher.
+
+  On Samba Active Directory DCs and members
+  'kerberos encryption types = legacy' would force
+  rc4-hmac as a client even if the server supports
+  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+  https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+  Kerberos Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A service account with the special constrained
+  delegation permission could forge a more powerful
+  ticket than the one it was presented with.
+
+  https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+  same algorithms as rc4-hmac cryptography in Kerberos,
+  and so must also be assumed to be weak.
+
+  https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+
+
+  Parameter Name   Description Default
+  --   --- ---
+  allow nt4 crypto Deprecated  no
+  allow nt4 crypto:COMPUTERACCOUNT New
+  kdc default domain supported enctypesNew (see manpage)
+  kdc supported enctypes   New (see manpage)
+  kdc force

[SCM] Samba Shared Repository - branch v4-15-test updated

2022-12-15 Thread Jule Anger 
The branch, v4-15-test has been updated
   via  c84fb834f6e VERSION: Bump version up to Samba 4.15.14...
   via  861b4f9fde0 VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
   via  00479fb662f WHATSNEW: Add release notes for Samba 4.15.13.
  from  2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit c84fb834f6e5c9836043707ccc2d24e060ea004c
Author: Jule Anger 
Date:   Thu Dec 15 17:00:33 2022 +0100

VERSION: Bump version up to Samba 4.15.14...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 861b4f9fde0128609abcb4eafce6192fbf0a959a
Author: Jule Anger 
Date:   Thu Dec 15 16:59:56 2022 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.

Signed-off-by: Jule Anger 

commit 00479fb662ffbb77e39b8dc87f2435b45f19906e
Author: Jule Anger 
Date:   Thu Dec 15 16:59:16 2022 +0100

WHATSNEW: Add release notes for Samba 4.15.13.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 152 ++-
 2 files changed, 151 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 85392db92a0..cb4ae6ca65a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4c2a4bd596f..af861d8246d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,152 @@
+   ===
+   Release Notes for Samba 4.15.13
+  December 15, 2022
+   ===
+
+
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+  RC4-HMAC Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A Samba Active Directory DC will issue weak rc4-hmac
+  session keys for use between modern clients and servers
+  despite all modern Kerberos implementations supporting
+  the aes256-cts-hmac-sha1-96 cipher.
+
+  On Samba Active Directory DCs and members
+  'kerberos encryption types = legacy' would force
+  rc4-hmac as a client even if the server supports
+  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+  https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+  Kerberos Elevation of Privilege Vulnerability
+  disclosed by Microsoft on Nov 8 2022.
+
+  A service account with the special constrained
+  delegation permission could forge a more powerful
+  ticket than the one it was presented with.
+
+  https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+  same algorithms as rc4-hmac cryptography in Kerberos,
+  and so must also be assumed to be weak.
+
+  https://www.samba.org/samba/security/CVE-2022-38023.html
+
+o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
+  Vulnerability was disclosed by Microsoft on Nov 8 2022
+  and per RFC8429 it is assumed that rc4-hmac is weak,
+
+  Vulnerable Samba Active Directory DCs will issue rc4-hmac
+  encrypted tickets despite the target server supporting
+  better encryption (eg aes256-cts-hmac-sha1-96).
+
+  https://www.samba.org/samba/security/CVE-2022-45141.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+

[SCM] Samba Shared Repository - branch master updated

2022-12-15 Thread Ralph Böhme 
The branch, master has been updated
   via  17bbd6ec4c2 smbd: Add "posix" flag to 
openat_pathref_dirfsp_nosymlink()
   via  612c8da01cf tests: Show that in smb1 posix we don't treat dirs as 
case sensitive
  from  897f08f7a03 testprogs: Use new kerberos options for samba-tool in 
test_kpasswd_mit.sh

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 17bbd6ec4c2607afeadd91a29c245054a6ca6828
Author: Volker Lendecke 
Date:   Wed Dec 14 17:35:17 2022 +0100

smbd: Add "posix" flag to openat_pathref_dirfsp_nosymlink()

Don't do the get_real_filename() retry if we're in posix context of if
the connection is case sensitive.

The whole concept of case sensivity blows my brain. In SMB1 without
posix extensions it's a per-request thing. In SMB2 without posix
extensions this should just depend on "case sensitive = yes/no", and
in future SMB2 posix extensions this will become a per-request thing
again, depending on the existence of the posix create context.

Then there are other semantics that are attached to posix-ness, which
have nothing to do with case sensivity. See for example merge request
2819 and bug 8776, or commit f0e1137425f. Also see
check_path_syntax_internal().

This patch uses the same flags as openat_pathref_fsp_case_insensitive()
does, but I am 100% certain this is wrong in a subtle way.

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Thu Dec 15 11:30:04 UTC 2022 on sn-devel-184

commit 612c8da01cf54be1268f2fe27fb187161cc2d0b3
Author: Volker Lendecke 
Date:   Wed Dec 14 18:05:04 2022 +0100

tests: Show that in smb1 posix we don't treat dirs as case sensitive

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 python/samba/tests/smb1posix.py | 52 +
 source3/selftest/tests.py   |  1 +
 source3/smbd/filename.c |  1 +
 source3/smbd/files.c|  8 ++-
 source3/smbd/proto.h|  1 +
 5 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 python/samba/tests/smb1posix.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/smb1posix.py b/python/samba/tests/smb1posix.py
new file mode 100644
index 000..52b0312ac8b
--- /dev/null
+++ b/python/samba/tests/smb1posix.py
@@ -0,0 +1,52 @@
+# Unix SMB/CIFS implementation.
+# Copyright Volker Lendecke  2022
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+from samba.samba3 import libsmb_samba_internal as libsmb
+from samba import (ntstatus,NTSTATUSError)
+from samba.dcerpc import security as sec
+import samba.tests.libsmb
+
+class Smb1PosixTests(samba.tests.libsmb.LibsmbTests):
+
+def test_directory_case_sensivity(self):
+"""Test that in smb1 posix dirs are case sensitive"""
+conn = libsmb.Conn(
+self.server_ip,
+"posix_share",
+self.lp,
+self.creds,
+force_smb1=True)
+conn.smb1_posix()
+
+try:
+conn.mkdir("lower")
+except NTSTATUSError as e:
+if e.args[0] != ntstatus.NT_STATUS_OBJECT_NAME_COLLISION:
+raise
+try:
+conn.mkdir("lower/second")
+except NTSTATUSError as e:
+if e.args[0] != ntstatus.NT_STATUS_OBJECT_NAME_COLLISION:
+raise
+
+self.assertFalse(conn.chkpath("Lower/second"))
+conn.rmdir("lower/second")
+conn.rmdir("lower")
+
+if __name__ == '__main__':
+import unittest
+unittest.main()
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 1630fdd2035..a1379e8080e 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1689,3 +1689,4 @@ for t in CLUSTERED_LOCAL_TESTS:
 planpythontestsuite("fileserver", "samba.tests.smb3unix")
 planpythontestsuite("fileserver", "samba.tests.reparsepoints")
 planpythontestsuite("fileserver_smb1", "samba.tests.smb2symlink")
+planpythontestsuite("fileserver_smb1", "samba.tests.smb1posix")
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index c66e8b4b24e..0859e6fd5c3

[SCM] Samba Shared Repository - branch v4-15-test updated

2022-12-15 Thread Stefan Metzmacher 
The branch, v4-15-test has been updated
   via  2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
   via  ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
   via  fd3cdcc1800 tests/krb5: Add test requesting a service ticket 
expiring post-2038
  from  d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call 
sys.path.insert(0, "bin/python") before any other imports

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -
commit 2620bea3af8d9e4e1db195deba414a46e8c66b3d
Author: Luke Howard 
Date:   Thu Oct 20 13:27:31 2022 +1300

kdc: avoid re-encoding KDC-REQ-BODY

Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.

[abart...@samba.org adapted from Heimdal commit
 ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
 by removing references to FAST and GSS-pre-auth.

 This fixes the Windows 11 22H2 issue with TGS-REQ
 as seen at https://github.com/heimdal/heimdal/issues/1011 and so
 removes the knownfail file for this test]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

[me...@samba.org private autobuild passed]

commit ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0
Author: Joseph Sutton 
Date:   Thu Oct 20 12:36:44 2022 +1300

tests/krb5: Add test requesting a TGT expiring post-2038

This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year  date for a forever timetime in
tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184

(backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)

[abart...@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
 as the kerberos tests have changed parameters in newer versions
 breaking the context]

commit fd3cdcc1800a4185857494626de9ba1c368dbcdb
Author: Joseph Sutton 
Date:   Tue Oct 4 12:25:08 2022 +1300

tests/krb5: Add test requesting a service ticket expiring post-2038

Windows 11 22H2 performs such requests, with year .
The test fails with KDC_ERR_BAD_INTEGRITY on older
Heimdal versions, which are unable to verify a checksum
over the modified request body (due to a re-encoding failure).

REF: https://github.com/heimdal/heimdal/issues/1011

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

[abart...@samba.org Add knownfail for backport - as Samba
 4.15 and earlier fail this test, adapted commit
 67811e121fbef08337675d473390160793544719 to test
 paraemters in 4.15]

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 
(backported from commit 67811e121fbef08337675d473390160793544719)

---

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py  | 13 +++--
 python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++
 source4/heimdal/kdc/krb5tgs.c| 24 ++--
 source4/heimdal/kdc/pkinit.c | 16 ++--
 source4/heimdal/lib/asn1/krb5.opt|  1 +
 5 files changed, 30 insertions(+), 38 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py 
b/python/samba/tests/krb5/as_req_tests.py
index da2c0b9d097..0d9a771b80d 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -42,7 +42,7 @@ global_hexdump = False
 
 class AsReqBaseTest(KDCBaseTest):
 def _run_as_req_enc_timestamp(self, client_creds, sname=None,
-  expected_error=None,
+  expected_error=None, till=None,
   expected_pa_error=None, 
expect_pa_edata=None):
 client_account = client_creds.get_username()
 client_as_etypes = self.get_default_enctypes()
@@ -63,7 +63,8 @@ class AsReqBaseTest(KDCBaseTest):
 expected_sname = sname
 expected_salt = client_creds.get_salt()
 
-till = self.get_KerberosTime(offset=36000)
+if till is None:
+till = self.get_KerberosTime(offset=36000)
 
 initial_etypes = client_as_etypes
 initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
@@ -252,6 +253,14 @@ class AsReqKerberosTests(AsReqBaseTest):
 sname=wrong_krbtgt_princ,
 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
+# Test that we can make a request for a ticket expiring post-2038.
+def test_future_till(self):
+client_creds = self.get_client_creds()
+
+