[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bb6fecd9ac5 netcmd: sites: add sites and subnet list and view commands to manpage via 7f7d68573c3 netcmd: sites: add missing subnet commands to samba-tool manpage via 5e4a6cd75a1 netcmd: sites: tests for list and view sites and subnet via 3cf81e98f36 netcmd: sites: make use of ldb_connect from base class via 752eae68c2a netcmd: add list and view commands for sites and subnets via b9d01c64207 netcmd: add Subnet and Site models via 5f69220f0af WHATSNEW: Update minimum GnuTLS version via f050124a96c lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds via 9ea606dad11 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant via 89b02bad3e2 lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant via eb2bed3899b lib/fuzzing: add fuzzer for arbitrary token/sd access checks via 5ad28bd7605 lib/fuzzing: add fuzz_sddl_access_check via 3ed1ba6fedd s4:provision: use better values for operatingSystem[Version] via 9a79bed41e2 s4:pydsdb: add dc_operatingSystemVersion() helper via b058b39f38b s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version] via 16865d6d439 upgradeprovision: handle operatingSystem similar to operatingSystemVersion via 85080ba9ea0 ldapcmp: also ignore operatingSystem similar to operatingSystemVersion via 56ee153cae3 netlogon.idl: add some comments to netr_OsVersionInfoEx from 81058c60136 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498) https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bb6fecd9ac5ff803e2c74e2a5cc6596c9eb5107c Author: Rob van der Linde Date: Thu Jul 13 00:42:56 2023 +1200 netcmd: sites: add sites and subnet list and view commands to manpage Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Jul 19 04:29:15 UTC 2023 on atb-devel-224 commit 
7f7d68573c3c39825be89e127f6de37764200319 Author: Rob van der Linde Date: Thu Jul 13 00:42:03 2023 +1200 netcmd: sites: add missing subnet commands to samba-tool manpage Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5e4a6cd75a144a8232e3b7302ca74ecb67fc5efd Author: Rob van der Linde Date: Wed Jul 5 17:40:48 2023 +1200 netcmd: sites: tests for list and view sites and subnet Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 3cf81e98f3677a45c3cf12319668262345515a3b Author: Rob van der Linde Date: Tue Jul 4 22:02:01 2023 +1200 netcmd: sites: make use of ldb_connect from base class Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 752eae68c2ae1d64cee9452df7b4f87d35458090 Author: Rob van der Linde Date: Tue Jul 4 21:47:46 2023 +1200 netcmd: add list and view commands for sites and subnets * samba-tool sites list * samba-tool sites view * samba-tool sites subnet list * samba-tool sites subnet view Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit b9d01c6420760e65012af8beaf46f2bfb5a7b33e Author: Rob van der Linde Date: Tue Jul 4 21:34:38 2023 +1200 netcmd: add Subnet and Site models Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5f69220f0afc578a49e7049d6ffba1ef12bc2fe5 Author: Andrew Bartlett Date: Tue Jul 18 10:29:50 2023 +1200 WHATSNEW: Update minimum GnuTLS version Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit f050124a96cbd0e3ab73255834126df150ff8525 Author: Douglas Bagnall Date: Tue Jul 18 12:54:40 2023 +1200 lib/fuzzing: patch for collecting fuzz_security_token_vs_descriptor seeds If this patch is applied, and an environment variable is set, all access_check calls will be recorded as seeds for fuzz_security_token_vs_descriptor. See the patch for details. 
You probably will never want to apply this patch, but it is here just in case. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 9ea606dad1147734c1877dd054dc769c4df4e005 Author: Douglas Bagnall Date: Tue Jul 18 08:56:40 2023 +1200 lib/fuzzing: adapt fuzz_sddl_access_check for AD variant Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 89b02bad3e2db7a9a3aceed7122c1d680cef728d Author: Douglas Bagnall Date: Mon Jul 17 16:20:58 2023 +1200 lib/fuzzing: adapt fuzz_security_token_vs_descriptor for AD variant
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 81058c60136 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498) via 90b240be086 tests/krb5: Add a test for PK-INIT with a revoked certificate via 2ab15cf1172 tests/krb5: Allow passing a pre-created certificate into _pkinit_req() via b73a01eefd2 tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key via 01196cc741d tests/krb5: Factor out a method to fetch the CA certificate and private key via ce9786748b7 tests/krb5: Factor out a method to create a certificate via db64b2762c4 s4:kdc: Add auth_data_reqd flag to SDBFlags via 7340351097a third_party/heimdal_build: Make Heimdal version strings const via a25f549e9a0 third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde) via 5bfccbb7643 tests/krb5: Test Windows 2000 variant of PK-INIT via af97579f161 tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT via ecc62bc1207 tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070) via f7393da2c07 tests/krb5: Remove unused methods via 97ead77767c tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer via 3ea1c559213 tests/krb5: Add PK-INIT testing framework via 699d211084f tests/krb5: Allow KerberosCredentials to have associated RSA private key via 7584e7a3a13 tests/krb5: Add helper methods for PK-INIT testing via 7f9547fda79 tests/krb5: Refactor encryption type selection via ef9ffbacb9c tests/krb5: Add PK-INIT ASN1 definitions and include licence via 477fbd7bb4c tests/krb5: Add PKINIT pre-authentication types via 8a0bde46a25 tests/krb5: Add PKINIT typed data errors via d818ed644a5 tests/krb5: Add PKINIT error codes via 7d2c267ae1a s4:kdc: Fix wrong debug message via 97cde6f97b4 tests/krb5: Remove unused variables from 7d2c68f2e25 s3:nmbd: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 81058c60136fba9af2dd7de8f15baef5e7e97bde Author: Joseph 
Sutton Date: Wed Jul 5 16:21:07 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202307050413 (commit e0597fe1d01b109e64d9c2a5bcada664ac199498) BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Jul 19 02:41:25 UTC 2023 on atb-devel-224 commit 90b240be08629ab6cad7651c59df1d9f533797c0 Author: Joseph Sutton Date: Mon Jul 3 14:31:03 2023 +1200 tests/krb5: Add a test for PK-INIT with a revoked certificate BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2ab15cf11721eaec95950b634b4782d7cae0d311 Author: Joseph Sutton Date: Wed Jul 5 16:12:42 2023 +1200 tests/krb5: Allow passing a pre-created certificate into _pkinit_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b73a01eefd2a526936f11e08a5a32dd2f1106359 Author: Joseph Sutton Date: Wed Jul 5 12:55:41 2023 +1200 tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key These are useful to keep around for other purposes. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 01196cc741ddf611794ba6eb1b5f3a0bcff2f0da Author: Joseph Sutton Date: Wed Jul 5 12:53:45 2023 +1200 tests/krb5: Factor out a method to fetch the CA certificate and private key BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ce9786748b7b594ca0864158ba49ca4def1b593c Author: Joseph Sutton Date: Wed Jul 5 12:43:52 2023 +1200 tests/krb5: Factor out a method to create a certificate BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit db64b2762c49ce4f155e6a98b2ea868578503d58 Author: Joseph Sutton Date: Mon Jun 26 13:07:44 2023 +1200 s4:kdc: Add auth_data_reqd flag to SDBFlags This is to adapt to Heimdal: commit 3c4548025c0a239ff580e7974939185eadf1856b Author: Nicolas Williams Date: Sun Jun 4 22:54:03 2023 -0500 hdb: Add auth-data-reqd flag NOTE: This commit finally works again! Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7340351097a95f8e52d48365d4619c32080ebd30 Author: Joseph Sutton Date: Thu Jun 22 16:46:09 2023 +1200 third_party/heimdal_build
[SCM] Samba Shared Repository - branch master updated
ecff09d75df52df8bd062e55e75d42d76e25d66e Author: Andrew Bartlett Date: Mon Jun 26 11:03:14 2023 +1200 Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const declarations in the header, this brings them back in alignment as is Samba's normal practice. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224 commit b1006c773be1d28a15eeab37c7e49675d3a1dedd Author: Joseph Sutton Date: Fri Jun 16 15:02:35 2023 +1200 s4:kdc: Use talloc_get_type_abort() We subsequently dereference the result without performing a NULL check. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ad1234d5ee80d157573681a0d60fc2a7a399c5ae Author: Joseph Sutton Date: Fri Jun 16 15:00:29 2023 +1200 s4:kdc: Create a temporary talloc context on which to allocate ‘client->context’ is too long-lived to use for allocating short-term data. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit cf139d14218ab1423949fbc952ae056943858dc8 Author: Joseph Sutton Date: Fri Jun 16 14:49:11 2023 +1200 s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d0d52262f781b8acddc4f50e09e2daa1198b8a3e Author: Joseph Sutton Date: Fri Jun 16 14:32:09 2023 +1200 s4:kdc: Flip sense of condition A negative condition incurs more cognitive load. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f49ebef003587a89e7ce1698c53bc53243ff2d53 Author: Joseph Sutton Date: Fri Jun 16 14:30:00 2023 +1200 s4:kdc: Unify common code paths Perhaps view with ‘git show -b’. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6bb7aad16316d3f55b9af30a69b2d6b27f34e262 Author: Joseph Sutton Date: Fri Jun 16 14:04:43 2023 +1200 s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case This will help to reduce code duplication and the number of branching code paths. View with ‘git show -b’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7485638e0266a9a46c4ceb719a0a38abe5c8cd81 Author: Joseph Sutton Date: Fri Jun 16 13:40:20 2023 +1200 s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc() We may not always want this SID to be present. For example, to enforce authentication policies as Windows does, we’ll want the client’s security token without this SID. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6be1a397dacea1e31d9c1b24a07d3e91a715fc59 Author: Joseph Sutton Date: Fri Jun 16 13:13:58 2023 +1200 s4:kdc: Have samba_kdc_update_pac_blob() do less Previously this function obtained the auth_user_info_dc structure, then used it to update the PAC blob. Now it does only one thing: fetch the auth_user_info_dc info and return it to the caller, who can then call samba_get_logon_info_pac_blob(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e6c442224095352ff11fc936207022298a08d57d Author: Joseph Sutton Date: Fri Jun 16 13:06:24 2023 +1200 s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 8c10776398030c1bab32a195a3c7f5ee4c9623a3 Author: Joseph Sutton Date: Fri Jun 16 13:04:17 2023 +1200 s4:kdc: Log errors in samba_kdc_update_pac_blob() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ea007ef718889245e923efcd29ee3560ab744961 Author: Joseph Sutton Date: Fri Jun 16 12:57:38 2023 +1200 s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code This gives it more control over the final Kerberos error code, so that we won’t always get ERR_GENERIC. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit baf03e3f11442b94a3c4b3ecb93847d1d4bc50ff Author: Joseph Sutton Date: Fri Jun 16 12:53:07 2023 +1200 s4:kdc: Add singular out path to samba_kdc_update_pac_blob() This ensures that we always clean up resources. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d2a6c69940cf28c2ea901cc0d8d8d317c32db986 Author: Joseph Sutton Date: Fri Jun 16 12:17:50 2023 +1200 s4:kdc: Make krb5_principal parameters const The ‘const’ is entirely unnecessary in a function declaration, but we add it just to be consistent. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f857967427f78cce6ffda117e9afab572707286d Author: Joseph Sutton Date: Fri Jun
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a75378e3542 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key() via d4007b0ef9f s4:dsdb/tests: also verify too old, older password interaction with badPwdCount via 28cf6c70676 s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0) via 370ba4ad527 s4:kdc: handle passwords from the history in hdb_samba4_auth_status() from 4a8cfe1650a vfs: Remove "sbuf" from readdir_fn() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a75378e354286d095d82f644d645768345cd00fb Author: Stefan Metzmacher Date: Mon Feb 7 19:32:08 2022 +0100 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key() It means that using the old or older password no longer changes badPwdCount for Kerberos authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224 commit d4007b0ef9f745a4881588ef1b8185d6b53025ee Author: Stefan Metzmacher Date: Fri Jun 23 13:42:31 2023 +0200 s4:dsdb/tests: also verify too old, older password interaction with badPwdCount BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 28cf6c706760894b7c0c65d4f5307d333d194154 Author: Stefan Metzmacher Date: Fri Feb 25 05:16:36 2022 +0100 s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0) This demonstrates the pre-authentication failures with passwords from the password history don't increment badPwdCount, similar to the NTLMSSP and simple bind cases. But it's still an interactive logon, which doesn't use 'old password allowed period'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 370ba4ad527b67555f69c2bc4b92effe0cc7169d Author: Stefan Metzmacher Date: Thu Feb 17 07:12:10 2022 +0100 s4:kdc: handle passwords from the history in hdb_samba4_auth_status() This is important in order to prevent ACCOUNT_LOCKED_OUT with cached credentials. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: selftest/knownfail_mit_kdc| 5 ++ source4/dsdb/tests/python/login_basics.py | 97 --- source4/kdc/hdb-samba4.c | 11 source4/kdc/sdb_to_hdb.c | 45 ++ 4 files changed, 149 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9c5b76cac5a..8196f4f4d6b 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -2221,3 +2221,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc +# +# MIT does not support password history in order to avoid badPwdCount changes +# with the last password, see https://bugzilla.samba.org/show_bug.cgi?id=14054 +# +^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5 diff --git a/source4/dsdb/tests/python/login_basics.py b/source4/dsdb/tests/python/login_basics.py index b186e723f39..babe04879b1 100755 --- a/source4/dsdb/tests/python/login_basics.py +++ b/source4/dsdb/tests/python/login_basics.py 
@@ -122,7 +122,7 @@ class BasicUserAuthTests(BasePasswordTestCase): lastLogon = int(res[0]["lastLogon"][0]) # check that the user can change its password -new_password = "thatsAcomplPASS2" +too_old_password = "thatsAcomplTooOldPass1!" user_ldb.modify_ldif(""" dn: %s changetype: modify @@ -130,28 +130,74 @@ delete: userPassword userPassword: %s add: userPassword userPassword: %s -""" % (userdn, userpass, new_password)) +""" % (userdn, userpass, too_old_password)) + +# change the password again +older_password = "thatsAcomplOlderPass1!" +user_ldb.modify_ldif(""" +dn: %s +changetype: modify +delete: userPassword +userPass
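Review bot: The new knownfail_mit_kdc entry `^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5` marks the whole Kerberos login test as an expected failure on the MIT KDC, although the comment above it only cites the missing password-history support. Any assertion in that test that is unrelated to password history stops being enforced for MIT builds once this line lands. Consider moving the old and older password checks into a separate test method so that only that method needs a knownfail entry.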
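Review bot: In the login_basics.py hunks the same `modify_ldif` template (`changetype: modify`, `delete: userPassword`, `add: userPassword`) is now written out a second time for `older_password`, right after the copy used for `too_old_password`. A small helper taking the user DN, the current password and the new password would remove the duplication and make each step of the password rotation easier to follow. The retained comment "check that the user can change its password" also no longer says why the first new password is named `too_old_password`; a short comment stating that it is meant to fall out of the accepted history after the later changes would help.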
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 91eb3f1d223 testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh via 11741791cc6 testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh via 619f097b7d4 testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh via 16b9b508af4 samba-tool/ntacl: implement set --recursive via 27b29cfa766 samba-tool/ntacl: add set --verbose and print out the file/directory name via 6327fd9cdba samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all via 4ca5b78f5b7 samba-tool/ntacl: let changedomsid ignore symlinks via 3694f2ce620 vfs_aio_pthread: don't crash without a pthreadpool via 0e9f1eec5a2 samba-tool: print default (domain) for --dns-directory-partition option in help message via b26dcfba10e tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime via 489cdefa6ab tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey() from 0ef8083cca0 WHATSNEW: Mention new default schema and Functional Level prep https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 91eb3f1d2236ad88eb3cf6ad036ae16ea2eac6b8 Author: Stefan Metzmacher Date: Wed May 17 11:26:48 2023 +0200 testprogs/blackbox: add --recursive tests to test_samba-tool_ntacl.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Jun 22 00:22:47 UTC 2023 on atb-devel-224 commit 11741791cc6ae339efd71b122ea9313b710bf1ac Author: Stefan Metzmacher Date: Wed May 17 11:26:48 2023 +0200 testprogs/blackbox: move 'ntacl get' out of test_changedomsid() in test_samba-tool_ntacl.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 619f097b7d4c0fa4614ab12042292c1e9a8fe234 Author: Stefan Metzmacher Date: Wed May 17 11:26:48 2023 +0200 testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 
16b9b508af4432abe5717da129b1be921c0227c6 Author: Stefan Metzmacher Date: Tue May 2 16:18:51 2023 +0200 samba-tool/ntacl: implement set --recursive Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 27b29cfa766099252b417da06599aee585a228bc Author: Stefan Metzmacher Date: Tue May 2 16:18:26 2023 +0200 samba-tool/ntacl: add set --verbose and print out the file/directory name Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6327fd9cdbaf3dad4b09ce291de1f42259e11d2b Author: Stefan Metzmacher Date: Tue May 2 16:18:26 2023 +0200 samba-tool/ntacl: don't announce -q,--quiet in --help as it's not used at all Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 4ca5b78f5b7c35e6276d92f7948334dad7a59456 Author: Stefan Metzmacher Date: Tue May 16 13:57:51 2023 +0200 samba-tool/ntacl: let changedomsid ignore symlinks Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 3694f2ce6205a647eb5dab2115785fb45decaf0b Author: Stefan Metzmacher Date: Tue May 2 15:15:16 2023 +0200 vfs_aio_pthread: don't crash without a pthreadpool During 'samba-tool ntacl sysvolreset' and similar. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0e9f1eec5a2e484d947a433cc854d9903de8537f Author: Björn Baumbach Date: Wed Jun 21 20:52:03 2023 +0200 samba-tool: print default (domain) for --dns-directory-partition option in help message Signed-off-by: Björn Baumbach Reviewed-by: Andrew Bartlett commit b26dcfba10e3e38c04f3fe20dbf49e7e6ef4f0ed Author: Stefan Metzmacher Date: Thu Mar 24 00:12:47 2022 +0100 tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime This demonstrates that we use the correct authtime when doing constrained delegation. 
The actual fix for the problem is already in place via commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de) The related patch is: 006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 489cdefa6ab1bf7bd5cf3ea0ea64c03dc08fa8bd Author: Stefan Metzmacher Date: Thu Mar 17 14:46:55 2022 +0100 tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey() This demonstrates that we use the correct key for EncAuthorizationData together with constrained
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0ef8083cca0 WHATSNEW: Mention new default schema and Functional Level prep via a9d543cdfce s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs via c95813374a4 testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh via d2777d47d1e testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh via 205ee77c2fe samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction via 3724ae3e108 samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions via e92988ec946 samba-tool: move some parts of 'domain level [show|raise]' in to try/except via ea2712336b2 samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn via f9f9771a55f samba-tool: check for invalid 'domain level' subcommands first via 1b1895a0d84 samba-tool: Fix missing import for "domain level raise --forest-level=2016" via 48cc2862c28 docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level' from ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0ef8083cca0ffdf20d98545fb7e3aa576e661222 Author: Andrew Bartlett Date: Wed Jun 14 16:14:51 2023 +1200 WHATSNEW: Mention new default schema and Functional Level prep Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Jun 21 20:01:06 UTC 2023 on atb-devel-224 commit a9d543cdfce1d0ff2976a20bb8f15f68d9de0a41 Author: Joseph Sutton Date: Mon Apr 3 16:49:50 2023 +1200 s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs Samba security features like AD claims, Authentication Policies and Authentication Silos are enabled once the DC is at the required functional level. We comment at the callers of dsdb_dc_functional_level() to explain why we do this. 
Signed-off-by: Joseph Sutton Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit c95813374a4fa92b446041696baf617d7b19a7f2 Author: Stefan Metzmacher Date: Wed Jun 21 10:21:32 2023 +0200 testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit d2777d47d1e3beda4295ece6d1c438fab2621925 Author: Stefan Metzmacher Date: Wed Jun 21 10:21:32 2023 +0200 testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 205ee77c2fe812b71138bbf72ce5b17f238696f1 Author: Stefan Metzmacher Date: Wed Jun 21 12:07:08 2023 +0200 samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction This makes it possible to raise the levels without starting 'samba' first, which is very useful for blackbox tests. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 3724ae3e1089136e7d3d3f111ab3420be71a7730 Author: Stefan Metzmacher Date: Wed Jun 21 12:07:08 2023 +0200 samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions This will make it easier to use transactions in the following changes... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit e92988ec9467e603e5c1aa7f8d337deebbf282dd Author: Stefan Metzmacher Date: Wed Jun 21 12:07:08 2023 +0200 samba-tool: move some parts of 'domain level [show|raise]' in to try/except This just adds indentation for now, the following changes will add transactions... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit ea2712336b28ffda938b4d0b1b17d8eaafb7714d Author: Stefan Metzmacher Date: Wed Jun 21 11:57:12 2023 +0200 samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn We should not rely on lp.get('workgroup')... 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f9f9771a55ffa5cd99b8c3d9228bae6f73938b5d Author: Stefan Metzmacher Date: Wed Jun 21 11:07:17 2023 +0200 samba-tool: check for invalid 'domain level' subcommands first This will simplify further changes... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 1b1895a0d84fb9fc07411adc648527180476bacd Author: Andrew Bartlett Date: Wed Jun 21 11:43:01 2023 +1200 samba-tool: Fix missing import for "domain level raise --forest-level=2016" Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 48cc2862c289f2b3cf027037fe071fe2e5d81202 Author: Stefan Metzmacher Date: Wed Jun 21
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6640cf5e32f samba-tool: add new --dns-directory-partition option to dns zonecreate command via 3a9e0b318db s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh via 3799074b30e s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh via 9cbd4a3abdd s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account via e013d70e8ed testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh via 457a83e7abc testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh via b41ff81a783 testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh via ea566a825a0 testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh via 579182372a1 testprogs: Do not export UID_WRAPPER_ROOT in test_net_ads_dns.sh via 1fb0b3684ea testprogs: Do not export UID_WRAPPER_ROOT in test_samba-tool_ntacl.sh via 3b612dc64a6 testprogs:subunit: Fix integer comparisons via e4b77dc38bf testprogs:subunit: Fix assigning an array to a string via 8fb833fc759 vfs_default.c: use DBG* macros instead of static log level numbers via 5c37615efa2 smbXsrv_tcon.c: use DBG* macros instead of static log level numbers via 659e88544aa dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers via c257b0a2e1c smb2_service.c: use DBG* macros instread of static log level numbers via 6003090d5f8 smbXsrv_session.c: use DBG* macros instead of static log level numbers via fa700369a96 dns_update.c: use DBG* macros instead of static log level numbers via a33df1250cb oplock_linux.c: use DBG macros instead of static log level via 1186ec227da nmbd_become_lmb.c: use DBG* macros instead of static log level numbers via 2fbd773a515 nmbd/asyncdns.c: use DBG* macros instead of static log level numbers via 5181b1c8cb6 nmbd_sendannounce.c: use DBG* macros instead of static log level numbers via b6049a30127 nmbd: use DBG_ macros and raise some log levels from 96a64fb smbd: smbd_dirptr_lanman2_match_fn(): Remove 
"exact_match" handling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6640cf5e32fd8c0561aa8bb4a48fe0fc73740403 Author: Björn Baumbach Date: Thu Jun 15 18:24:50 2023 +0200 samba-tool: add new --dns-directory-partition option to dns zonecreate command The new --dns-directory-partition chooses the directory partition for the new zone - "domain" or "forest". Defaults to the current default "domain". Signed-off-by: Björn Baumbach Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224 commit 3a9e0b318db7a3888e9b5c60f2748edd704630a1 Author: Andreas Schneider Date: Tue Apr 11 15:30:23 2023 +0200 s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 3799074b30e1791c68efb50ccb4519b365d0e7fc Author: Andreas Schneider Date: Tue Apr 11 15:29:41 2023 +0200 s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9cbd4a3abdd7d4065da312b6ce7bbb5ff4615a61 Author: Andreas Schneider Date: Tue Apr 11 15:29:01 2023 +0200 s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account Just set it for the test. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit e013d70e8ed5cbdd8b1ea357d1f9ba7b23d91816 Author: Andreas Schneider Date: Tue Apr 11 15:27:31 2023 +0200 testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh This is already set for smbpasswd. 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 457a83e7abc8cd179eda38ddf3a24b5129a9ba3d Author: Andreas Schneider Date: Tue Apr 11 15:26:52 2023 +0200 testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit b41ff81a783339ef0d68c70916ef800d5dec421b Author: Andreas Schneider Date: Tue Apr 11 15:26:21 2023 +0200 testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit ea566a825a0e13dd5cff54370b6769f9f644d0cf Author: Andreas Schneider Date: Mon Mar 27 10:17:39 2023 +0200 testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh We already set root for smbpasswd. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 579182372a106044c138c784cd7df6012dccf87
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 32fdc764efb s4:auth: Remove unneeded ‘sam_ctx’ parameter via 6c9c7c5b698 s4:auth: Enforce machine authentication policy for NTLM authentication via 7a7dbdb7736 s4:auth: Enforce device restrictions for NTLM authentication via 63fe9863572 s4:kdc: Log TGS-REQs in the Heimdal KDC via ba2e54d5c5f tests/auth_log: Ensure tests continue to pass when new log types are added via 7f771070535 tests/auth_log: Add support for new ‘KDC Authorization’ log type via e2d925f5a57 auth: Add new ‘KDC Authorization’ log type via 9325c14b7e1 lib:audit_logging: Add function to create JSON object containing auditing information via 3f3c017a268 s4:kdc: Add function to perform an access check to a service via 5bd6ce29def s4:kdc: Generate auditing infomation for NTLM device restrictions via 6dce6318e4f s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’ via b5506d5ee38 s4:kdc: Add function to perform an authentication policy access check with a device via f47631b3605 s4:kdc: Add getter functions for authn_audit_info via a3063fb4f59 s4:kdc: Add functions to create structures of auditing information for authentication policies via 9585bf9bb72 s4:kdc: Add helper functions to create optional int64 values via b1429830699 s4:kdc: Add structure containing authentication policy auditing information via a2ff8c4e434 s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds via a1364c205ff s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw via b3a85655825 auth: Move authn_policy code into auth subsystem from 9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 32fdc764efb5edbbaca9c1e5a6b5f896da411e52 Author: Joseph Sutton Date: Thu Jun 15 12:31:03 2023 +1200 s4:auth: Remove unneeded ‘sam_ctx’ parameter Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu 
Jun 15 06:30:35 UTC 2023 on atb-devel-224 commit 6c9c7c5b698e4bc726cbe76629720f6e02ade7ad Author: Joseph Sutton Date: Thu May 4 16:43:47 2023 +1200 s4:auth: Enforce machine authentication policy for NTLM authentication Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7a7dbdb7736018018bb9459b79b95ae63d9e6e7d Author: Joseph Sutton Date: Thu May 4 16:39:55 2023 +1200 s4:auth: Enforce device restrictions for NTLM authentication Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 63fe9863572357bf55c6446c90830fd2e6372b4b Author: Joseph Sutton Date: Thu Jun 15 11:24:27 2023 +1200 s4:kdc: Log TGS-REQs in the Heimdal KDC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ba2e54d5c5fe22a3ba1481c890fc49bcdfa38781 Author: Joseph Sutton Date: Thu Jun 15 14:33:37 2023 +1200 tests/auth_log: Ensure tests continue to pass when new log types are added Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7f771070535bd12d5ad0644893607f5c47c615e9 Author: Joseph Sutton Date: Wed Jun 14 16:35:26 2023 +1200 tests/auth_log: Add support for new ‘KDC Authorization’ log type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e2d925f5a57a94c6e28372756f1bf15d9e4db628 Author: Joseph Sutton Date: Thu Jun 15 11:18:45 2023 +1200 auth: Add new ‘KDC Authorization’ log type This is similar, but not identical, to the existing ‘Authorization’ event. It will be used to log Kerberos TGS-REQs. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9325c14b7e10d79a130f6633f6bfd59680f4b756 Author: Joseph Sutton Date: Thu Jun 15 11:12:22 2023 +1200 lib:audit_logging: Add function to create JSON object containing auditing information This can be included in logged authentications and authorizations. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3f3c017a2686a823012c1d6f6c6639f40837b0d8 Author: Joseph Sutton Date: Thu Jun 15 11:03:00 2023 +1200 s4:kdc: Add function to perform an access check to a service If the ‘server_audit_info_out’ parameter is non-NULL, auditing information will be returned so that it might be logged. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 5bd6ce29def85cbf2864a06447cc7daf9b2d1990 Author: Joseph Sutton Date: Thu Jun 15 11:00:38 2023 +1200 s4:kdc: Generate auditing information for NTLM device restrictions This will provide more detail to be logged. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9b0a71bd308 tests/auth_log: Refactor waitForMessages() to use nextMessage() via 67da91ef166 tests/auth_log: Add method to fetch the next relevant message from the messaging bus via 7c6dbe31950 tests/krb5: Test authentication with policy restrictions and a wrong password via a9534e7be08 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies via 94e7a550db4 tests/krb5: Remove unneeded ‘dn’ parameter via 21d1f1ca996 s4:kdc: Fix typo via fb260e1f467 tests/krb5: Make use of KerberosCredentials.get_sid() via 490c451a797 tests/krb5: Keep track of account SIDs via 0ec229e7b93 tests/krb5: Fix overlong lines via 117bba98a11 tests/krb5: Add a couple of authentication policy tests via f1c24f4bc98 tests/krb5: Test authentication logging of TGT lifetimes via 9d8ee6a4222 tests/krb5: Cache created authentication policies via 01643b35273 tests/krb5: Keep track of the type of each created account via 359e820404e librpc/idl: Add authentication policy event IDs via b859b3b67d2 s4:kdc: Consolidate assignments to r->error_code and final_ret via 868e1146600 s4:kdc: Don’t log authentication failures as successes via d1fcecd1214 tests/auth_log: Properly expect authentication failures via 11671a743fe tests/auth_log: Make samba.tests.auth_log test executable via efb85e3d6dd s4/scripting/bin: Add NT_STATUS_OK to list of definitions via 7c66cd4dfde selftest: Remove duplicate knownfails via 60f76b9ec82 selftest: Fix typo via f8f0ee53548 param: Remove reference to unrecognized parameter ‘directory name cache size’ via 234be6b0dd8 samba-tool ou: Remove unused variables via d93e340b80e samba-tool ou: Remove unused import via 0743e11d465 samba-tool: Fix typo via 2eda24663f8 pyldb: Check for allocation failure in py_ldb_dn_get_parent() via 5905a63307f pyldb: Raise an exception if ldb_dn_get_parent() fails via 49592b80f75 selftest: Assert trust realm is not None via 97a5ee4bbb7 tests/auth_log: Factor out isRemote() via 
1f74f9f366d python:safe_tarfile: Improve safe extract() via 431f7698e48 python:safe_tarfile: Implement safer extractall() via 8c90c66a9a4 python:safe_tarfile: Set extraction_filter for pythons providing it via ebaa0081625 python:tests: Adopt safe_tarfile for extraction_filter raises via 4952cb88e4c s4-server: Call dsdb_check_and_update_fl() during startup transaction. via c28e719bb0e selftest: Add unit tests of the DC startup FL check/update code via ae7f2b417b7 python/tests: Make helpful, stateless methods @classmethod and @staticmethod via b8a613b4b15 dsdb: Add routine to check the DB vs lp functional levels via 4919e8d8088 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used via 8e895fc5d62 selftest: Split up tests in dsdb.py to avoid creating a user when not required via f83baa2723f selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable from 585e4cdd6c9 docs-xml: remove completely outdated Samba-Developers-Guide https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9b0a71bd3085b7c67a72bf498870c69cf6b3baa5 Author: Joseph Sutton Date: Wed Jun 14 16:29:27 2023 +1200 tests/auth_log: Refactor waitForMessages() to use nextMessage() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224 commit 67da91ef1665a15d93233c5a74a63926f5a2ef7e Author: Joseph Sutton Date: Wed Jun 14 16:30:30 2023 +1200 tests/auth_log: Add method to fetch the next relevant message from the messaging bus Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7c6dbe31950894c8092a100aeece238ae6f0c8ab Author: Joseph Sutton Date: Tue Jun 13 17:23:41 2023 +1200 tests/krb5: Test authentication with policy restrictions and a wrong password Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a9534e7be08a3a72593f34e10ed46d8062ddaf79 Author: Joseph Sutton Date: Thu May 18 12:00:29 2023 +1200 tests/krb5: Test S4U2Self 
followed by constrained delegation with authentication policies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 94e7a550db47735581f58f6602c8d04b92b6489f Author: Joseph Sutton Date: Wed Jun 14 11:26:25 2023 +1200 tests/krb5: Remove unneeded ‘dn’ parameter Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 21d1f1ca996c0d31992a6f5cca0c63068ae6e7f5 Author: Joseph Sutton Date: Wed Jun 14 15:51:09 2023 +1200 s4:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e40c86e970e gp: Fix user apply failure when dropping privs via cd0f9fc7a3a bootstrap: make sure we have gnutls-cli from gnutls-bin/gnutls-utils via 62e189825ec bootstrap: force use of LANGUAGE=en_US via 666a78a41f0 selftest: run tests with LANGUAGE=en_US via 75ec66c729f third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de) from 23ca540abfd smbd: Remove unused dptr_fill() and dptr_fetch_fsp() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e40c86e970e3e8e76d16d12dcdb334b347d7b438 Author: David Mulder Date: Wed Jun 7 08:29:31 2023 -0600 gp: Fix user apply failure when dropping privs When dropping privileges, gpupdate errored: gpclass.py:1167: KeyError: "getpwnam(): name not found: apply_gp was incorrectly passing the hostname instead of the username. Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Jun 10 10:46:28 UTC 2023 on atb-devel-224 commit cd0f9fc7a3aedc772dc98c91d75760c9e17c9ceb Author: Stefan Metzmacher Date: Fri Jun 9 14:07:06 2023 +0200 bootstrap: make sure we have gnutls-cli from gnutls-bin/gnutls-utils We'll use it in some upcoming tests... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 62e189825ec44ed7c021d92e6fea0dd5ab16edfb Author: Stefan Metzmacher Date: Fri Jun 9 14:02:48 2023 +0200 bootstrap: force use of LANGUAGE=en_US Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 666a78a41f01fca831956b153d7ce0e997b90117 Author: Stefan Metzmacher Date: Fri Jun 9 13:51:56 2023 +0200 selftest: run tests with LANGUAGE=en_US This is important in order to run /usr/bin/kpasswd from MIT...
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 75ec66c729faad60fa18b9504ba4053b3e2f47bc Author: Stefan Metzmacher Date: Fri Jun 9 15:14:50 2023 +0200 third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de) Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: .gitlab-ci-main.yml| 2 +- bootstrap/config.py| 5 +- bootstrap/generated-dists/centos7/Dockerfile | 2 +- bootstrap/generated-dists/centos7/bootstrap.sh | 1 + bootstrap/generated-dists/centos7/packages.yml | 1 + bootstrap/generated-dists/centos8s/Dockerfile | 2 +- bootstrap/generated-dists/centos8s/bootstrap.sh| 1 + bootstrap/generated-dists/centos8s/packages.yml| 1 + bootstrap/generated-dists/debian11/Dockerfile | 2 +- bootstrap/generated-dists/debian11/bootstrap.sh| 1 + bootstrap/generated-dists/debian11/packages.yml| 1 + bootstrap/generated-dists/fedora38/Dockerfile | 2 +- bootstrap/generated-dists/fedora38/bootstrap.sh| 1 + bootstrap/generated-dists/fedora38/packages.yml| 1 + bootstrap/generated-dists/opensuse154/Dockerfile | 2 +- bootstrap/generated-dists/opensuse154/bootstrap.sh | 1 + bootstrap/generated-dists/opensuse154/packages.yml | 1 + .../generated-dists/ubuntu1804-32bit/Dockerfile| 2 +- .../generated-dists/ubuntu1804-32bit/bootstrap.sh | 1 + .../generated-dists/ubuntu1804-32bit/packages.yml | 1 + bootstrap/generated-dists/ubuntu1804/Dockerfile| 2 +- bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu1804/packages.yml | 1 + bootstrap/generated-dists/ubuntu2004/Dockerfile| 2 +- bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2004/packages.yml | 1 + bootstrap/generated-dists/ubuntu2204/Dockerfile| 2 +- bootstrap/generated-dists/ubuntu2204/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2204/packages.yml | 1 + bootstrap/sha1sum.txt | 2 +- python/samba/gp/gpclass.py | 2 +- selftest/selftest.pl | 1 + 
third_party/heimdal/.github/workflows/coverity.yml | 4 +- .../.github/workflows/linux-mit-interop.yml| 4 +- third_party/heimdal/.github/workflows/linux.yml| 6 +- third_party/heimdal/.github/workflows/osx.yml | 2 +- .../heimdal/.github/workflows/scanbuild.yml| 4 +- third_party/heimdal/.github/workflows/ubsan.yml| 6 +- third_party/heimdal/.github/workflows/valgrind.yml | 4 +- third_party/heimdal/admin/ktutil.1 | 51 +++ third_party/heimdal/cf/crypto.m4 | 33 +- third_party/heimdal/doc/setup
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9aa440d52d7 s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly via 0f3abb291fd s3-libads: Also handle the DS_WEB_SERVICE_REQUIRED flag in check_cldap_reply_required_flags() via 63e2db8206e s4-libads: Confirm newer functional levels in check_cldap_reply_required_flags() via ff310caabd5 librpc: No longer consider the DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED bits as invalid via 6f30eca3bbb selftest: Improve getdcname test by confirming the _REQUIRED flag behaviours via 3c25ddb1ce9 selftest: Fix remaining incorrect references to 2012 -> 2012R2 FL in GetDCNameEx test via 49537a41709 selftest: Change self.assertTrue(x is not None) -> self.assertIsNotNone(x) from 2a0e53374dd selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9aa440d52d78d5f91607b4cb5816ae99d75d0838 Author: Andrew Bartlett Date: Tue May 30 18:03:13 2023 +1200 s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly Otherwise, punt to winbindd to see if another DC has this capability. This allows a FL2008-emulating DC to forward a request to a 2012R2-emulating DC, particularly in another domain. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 31 04:59:01 UTC 2023 on atb-devel-224 commit 0f3abb291fd58f83c2a3f765aa5e50771e8ba9ab Author: Andrew Bartlett Date: Tue May 30 16:38:22 2023 +1200 s3-libads: Also handle the DS_WEB_SERVICE_REQUIRED flag in check_cldap_reply_required_flags() Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 63e2db8206e683293d4b347ffc9ac8ce344b Author: Andrew Bartlett Date: Tue May 30 14:28:42 2023 +1200 s4-libads: Confirm newer functional levels in check_cldap_reply_required_flags() This will allow us to require that the target DC has FL 2008, 2012, 2012R2 or 2016.
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit ff310caabd5547b7d098ea7770869d04a58a11db Author: Andrew Bartlett Date: Tue May 30 14:08:47 2023 +1200 librpc: No longer consider the DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED bits as invalid Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 6f30eca3bbbc147825bf32bb1f194d275b383a92 Author: Andrew Bartlett Date: Tue May 30 16:06:04 2023 +1200 sefltest: Improve getdcname test by confirming the _REQUIRED flag behaviours We do this by checking what the underlying CLDAP netlogon call returns. This also validates that behaviour. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 3c25ddb1ce9932c0fd71965f690228ce6084560a Author: Andrew Bartlett Date: Tue May 30 15:11:31 2023 +1200 selftest: Fix remaining incorrect references to 2012 -> 2012R2 FL in GetDCNameEx test Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 49537a41709a09ed73c65bfff2241ec3aa3e2ca8 Author: Andrew Bartlett Date: Wed May 31 09:08:59 2023 +1200 selftest: Change self.assertTrue(x is not None) -> self.assertIsNotNone(x) Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: librpc/idl/netlogon.idl | 10 +- python/samba/tests/getdcname.py | 243 ++ selftest/knownfail.d/getdcname| 3 - source3/libads/cldap.c| 16 ++ source4/rpc_server/netlogon/dcerpc_netlogon.c | 51 -- 5 files changed, 264 insertions(+), 59 deletions(-) delete mode 100644 selftest/knownfail.d/getdcname Changeset truncated at 500 lines: diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl index 3a821c0a905..95487638bbb 100644 --- a/librpc/idl/netlogon.idl +++ b/librpc/idl/netlogon.idl @@ -1174,13 +1174,9 @@ interface netlogon DS_TRY_NEXTCLOSEST_SITE | DS_DIRECTORY_SERVICE_6_REQUIRED | DS_WEB_SERVICE_REQUIRED | -/* - * For now we skip these until - * we have test for them: - * DS_DIRECTORY_SERVICE_8_REQUIRED | - * DS_DIRECTORY_SERVICE_9_REQUIRED | - * DS_DIRECTORY_SERVICE
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2a0e53374dd selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work via 920e1a5bae3 selftest: Rework samba.tests.getdcname not to use ncalrpc via 1593c9e6588 selftest: Assert that we have a trust in samba.tests.getdcname via 7f692601c5c libcli: Don’t call memcpy() with a NULL pointer via fb759809f89 python:tests: Ensure that we don’t overwrite tests via 7390eb12547 python:tests: Make script executable via d308136a5e5 python:tests: Initialize global variable via 2009166efd4 python:tests: Remove unused imports via c51bffa8fdc python:tests: Exclude Python test directories via 63c228f89f3 python:tests: Fix f-strings via 5dfb090d9cd s4:rpc_server/samr: Log correct authentication description for samr_ChangePasswordUser2() via 838cdd16808 s4:torture: Consistently use NBT_SERVER_* flags via f75b980fff9 s4:torture: Handle new NBT_SERVER_* flags via e14b5974c67 net_ads: Handle new NBT_SERVER_* flags via 2641b4a20e4 samba-tool domain: Handle new NBT_SERVER_* flags via 642079771b5 librpc/idl: Fix indentation via 20ba6e487b0 tests/auth_log: Remove debugging code via de4ce89e0a5 tests/auth_log: Add missing call to tearDownClass() via 76e87c6262d tests/audit_log: Add missing call to tearDown() via a05a9a3e780 tests/auth_log: Remove unnecessary check via 6d68ef23b32 tests/audit_log: Remove unnecessary checks via 4cb869dce44 tests/auth_log: Call discardMessages() on class via 47a0b9a4cbc tests/auth_log: Make discardMessages() more reliable via 5c1ea54cea9 tests/auth_log: Expect no messages when changing a non-existent user’s password via e1884e8038f tests/audit_log: Make discardMessages() more reliable via e2e8c86988a tests/auth_log: Correctly get lp_ctx via af9d1a3d909 tests/auth_log: Remove unneeded len() call via a7ad25a7811 tests/audit_log: Remove unneeded len() call via 40425672fe9 tests/auth_log: Rename ‘self’ parameter to ‘cls’ via 1923abe7e4c tests/auth_log: Rename ‘self’ parameter to ‘cls’ via 1c17d56cc53 
tests/auth_log: Correctly check for GUID via ffda69f2d9d tests/audit_log: Correctly check for GUID via 72d5a5a33bc tests/auth_log: Pre-compile GUID regex via b1b7d7561ac tests/krb5: Don’t cache accounts with an assigned policy or silo via dc0d96b058b tests/krb5: Move TestCaseInTempDir to more appropriate place in class hierarchy from 035f6d914d1 vfs_fruit: add fruit:convert_adouble parameter https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2a0e53374dd8ae26f7f180fb6218363da7d17fec Author: Andrew Bartlett Date: Thu May 25 16:59:52 2023 +1200 selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work We need to confirm this both for forwarded requests, and also for requests direct to the possible DC. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon May 29 23:29:50 UTC 2023 on atb-devel-224 commit 920e1a5bae33391615cd8b66f2f34d7837845aa0 Author: Andrew Bartlett Date: Thu May 25 16:57:55 2023 +1200 selftest: Rework samba.tests.getdcname not to use ncalrpc This test is able to operate over the network, which aids testing against a comparative windows DC. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 1593c9e6588cd15b88793d43bee17c060718c134 Author: Andrew Bartlett Date: Wed May 24 16:28:20 2023 +1200 selftest: Assert that we have a trust in samba.tests.getdcname We must ensure this test cannot become inoperative because the environment it was run against has no trust. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 7f692601c5ca5f2b846f7ff270044f97d849d7d0 Author: Joseph Sutton Date: Fri May 26 16:05:43 2023 +1200 libcli: Don’t call memcpy() with a NULL pointer Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fb759809f89d8277542b1106d39939f32a04778e Author: Joseph Sutton Date: Thu May 25 17:03:48 2023 +1200 python:tests: Ensure that we don’t overwrite tests If the file iterator returns two entries with the same name, one may overwrite the other. script_iterator() currently ensures this won’t happen, but it pays to be safe. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7390eb12547fff6964af97916ec3914259d607a2 Author: Joseph Sutton Date: Thu May 25 16:28:45 2023 +1200 python:tests: Make script executable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a5235a9d05b librpc/idl: Alias the DS_ constants in netlogon.idl to the NBT_SERVER equivalents via 4caab32f08f librpc/idl: Use nbt_server_type instead of netr_DsR_DcFlags netlogon.idl via 089f555eb73 librpc/idl: Merge missing bits into nbt_server_type in nbt.idl via 22d0aa53bfb s4-dsdb:large_ldap: Call setUpClass() method of base class via e77c249dd54 pytest: dcerpc/dnsserver: Call setUpClass() method of base class via d2892010e6c pytest: dcerpc/dnsserver: Remove unused import via c9e12a8d982 pyldb: Fix leak via 715c45da6ec tests/auth_log: Simplify isRemote() via 59378dddbfa tests/auth_log: Rename ‘self’ parameter to ‘cls’ via ea7b82ad93d tests/auth_log: Call setUpClass() method of base class via 781990577a5 tests/auth_log: Don’t silently override remoteAddress via b421d2d5cf6 tests/auth_log_winbind: Expect an empty remote address via f89b0cdbbc4 tests/audit_log: Pre-compile GUID regex via 8dea2a43456 s4:kdc: Move parameter comments adjacent to parameters via 200117f5edf audit_tests: Check return value of json_new_array() via 80b3752052a s3:utils: Check return value of json_new_object() via 3ce2803f6dd lib:audit_logging:tests: Check return value of json_new_{object,array}() via 281b616ac74 lib:audit_logging: Check return value of json_new_object() via 65923be91e4 s4:kdc: Use talloc_steal() rather than talloc_reference() via e843e590760 s4:kdc: Make parameters const via fc212116dcb s4:kdc: Make functions static via 46677077203 s4:auth: Allocate user_info_dc->sids on correct talloc context via f0ec5763e6d s4:kdc: Allocate user_info_dc->sids on correct talloc context via 480060ecd34 selftest: Report better error message if environment is unknown via a1a1adb7b72 s4/messaging/py: Fix typo via ca987dcb417 s4/messaging/py: Fix leaks via 3ce96c9ebd0 s4/messaging/py: Fix leak of p_server_id via 4c67cac68b7 s4/messaging/py: Check py_return_ndr_struct() return value via 28536f32daf s4/messaging/py: Fix callback return value leak via
cfd80303f19 s4/messaging/py: Fix leak via b22c2179952 s4/messaging/py: Fix leaks via 77d8b6762f9 s4/messaging: Return the number of previously-registered functions that are removed via e29c3374bcf s4/messaging/py: Fix typo via 48602b0e298 s4/messaging/py: Add more helpful error message for a wrongly-sized tuple via f6b1307a852 s4/messaging/py: Document lp_ctx parameter of messaging.Messaging() via f320b73ba6a s4/messaging/py: Remove incorrect function names in messaging.Messaging() via a57b1cc05dd pyglue: Raise an exception on error via d5df0b463ee pyglue: Check generate_random_str() return value via 98fcd47451b pyglue: Fix typo via 7e32c7655df s4:kdc: Note correct constant from f1a204d3154 gp: sshd policy correctly sort policy https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a5235a9d05be3e2247534beb3cd8e49a64394bf5 Author: Andrew Bartlett Date: Tue May 23 15:22:49 2023 +1200 librpc/idl: Alias the DS_ constants in netlogon.idl to the NBT_SERVER equivalents Both the NBT_SERVER versions (in python scripts) and DS_ constants are in use in freeIPA so we can not just drop one for the other without discussion. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 24 01:52:28 UTC 2023 on atb-devel-224 commit 4caab32f08fba897c01ae35855d5d5380d02b0e5 Author: Andrew Bartlett Date: Tue May 23 14:57:07 2023 +1200 librpc/idl: Use nbt_server_type instead of netr_DsR_DcFlags netlogon.idl We should not keep two identical bitfield tables in two nearby IDL files. However a number of python files in Samba and in freeIPA use the nbt.NBT_SERVER_* constants, so these are the better names to keep. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 089f555eb735522e30207398837d657b8aa1988b Author: Andrew Bartlett Date: Tue May 23 14:45:39 2023 +1200 librpc/idl: Merge missing bits into nbt_server_type in nbt.idl These bits are defined in netr_DsR_DcFlags in netlogon.idl already.
We need these new bits to announce FL 2012R2 and 2016 support. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 22d0aa53bfba3e0e95a0ec7ff53d28d91dec98f9 Author: Joseph Sutton Date: Tue May 23 14:59:24 2023 +1200 s4-dsdb:large_ldap: Call setUpClass() method of base class Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e77c249dd54088607d54a65b583f4585755712db Author: Joseph Sutton Date:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f1a204d3154 gp: sshd policy correctly sort policy via de009c194c1 tests: Replace iconv(1) UTF-16LE conversion with a python3 call via ce31acf28d3 selftest: Report "unknown environment" if setup returns "UNKNOWN" via e480868509e build:waf: Check value of GNU_TLS_* with detected env via 25b2c07a9d7 build:wafsamba: Allow lib for CHECK_VALUEOF() from 303d2109f63 s4:kdc: Check lifetime of correct ticket https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f1a204d315473f5d87363259004358e2c0c5f450 Author: David Mulder Date: Thu May 18 11:28:46 2023 +0200 gp: sshd policy correctly sort policy The sshd_config man page says that key value pairs 'the first obtained value will be used'. So we need to sort policies from last to first. Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 19 01:23:19 UTC 2023 on atb-devel-224 commit de009c194c148ab0d38b6b82e0b4e8c900a6627c Author: SATOH Fumiyasu Date: Fri May 12 14:53:10 2023 +0900 tests: Replace iconv(1) UTF-16LE conversion with a python3 call GNU libiconv and its iconv(1) do NOT define 'utf16le' as an alias of 'UTF-16LE' encoding. Signed-off-by: SATOH Fumiyasu Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit ce31acf28d3c4474b21aa2d8a2b7acc3d751ad92 Author: SATOH Fumiyasu Date: Sat May 13 22:30:04 2023 +0900 selftest: Report "unknown environment" if setup returns "UNKNOWN" Samba*::setup_*() may return the string "UNKNOWN". ``` $ ./configure --with-ads ... ... $ make ... $ make test ... Can't use string ("UNKNOWN") as a HASH ref while "strict refs" in use at /.../samba-4.18.2/selftest/target/Samba.pm line 131. ``` Signed-off-by: SATOH Fumiyasu Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit e480868509ead997f954d939225bc0219397293a Author: SATOH Fumiyasu Date: Tue May 9 16:54:16 2023 +0900 build:waf: Check value of GNU_TLS_* with detected env 
Signed-off-by: SATOH Fumiyasu Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 25b2c07a9d7fd921dcae0b4e94d9f735d076f303 Author: SATOH Fumiyasu Date: Tue May 9 16:52:04 2023 +0900 build:wafsamba: Allow lib for CHECK_VALUEOF() Signed-off-by: SATOH Fumiyasu Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: buildtools/wafsamba/samba_autoconf.py | 3 ++- python/samba/gp/vgp_openssh_ext.py| 18 +- selftest/target/Samba.pm | 4 source3/script/tests/test_rpcclient_pw_nt_hash.sh | 2 +- wscript_configure_system_gnutls | 4 ++-- 5 files changed, 22 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py index 75d5f4acbcc..8541d003e2a 100644 --- a/buildtools/wafsamba/samba_autoconf.py +++ b/buildtools/wafsamba/samba_autoconf.py @@ -364,7 +364,7 @@ def CHECK_SIGN(conf, v, headers=None): return False @conf -def CHECK_VALUEOF(conf, v, headers=None, define=None): +def CHECK_VALUEOF(conf, v, headers=None, define=None, lib=None): '''check the value of a variable/define''' ret = True v_define = define @@ -376,6 +376,7 @@ def CHECK_VALUEOF(conf, v, headers=None, define=None): execute=True, define_ret=True, quote=False, + lib=lib, headers=headers, local_include=False, msg="Checking value of %s" % v): diff --git a/python/samba/gp/vgp_openssh_ext.py b/python/samba/gp/vgp_openssh_ext.py index be9139d5be8..bf865e78375 100644 --- a/python/samba/gp/vgp_openssh_ext.py +++ b/python/samba/gp/vgp_openssh_ext.py 
@@ -31,6 +31,16 @@ intro = b''' ''' +# For each key value pair in sshd_config, the first obtained value will be +# used. We must insert config files in reverse, so that the last applied policy +# takes precedence. +def select_next_conf(directory): +configs = [re.match(r'(\d+)', f) for f in os.listdir(directory)] +conf_ids = [int(m.group(1)) for m in configs if m] +conf_ids.append(90) # The starting node +conf_id = min(conf_ids)-1 +return os.path.join(directory, '%010d_gp.conf' % conf_id) + class vgp_openssh_ext(gp_xml_ext, gp_file_applier): def __str__(self): return 'VGP/Unix Settings/OpenSSH' @@ -72,13 +82,11 @@ class vgp_openssh_ext
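Review bot: select_next_conf() in the vgp_openssh_ext.py hunk has no lower bound on conf_id. Once any entry in the directory parses as 0 (for example a drop-in whose name starts with "00"), min(conf_ids)-1 is -1 and '%010d' renders it as "-000000001_gp.conf". That name starts with '-', so re.match(r'(\d+)', f) ignores it on the next call and the function returns the same path again, which would overwrite the earlier policy file. Please fail explicitly (or renumber) when the minimum reaches 0. The pattern also counts every entry with leading digits, not only the generated *_gp.conf files; if taking precedence over other numbered drop-ins is intended, the comment above the function should say so.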
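Review bot: the docstring of CHECK_VALUEOF() in the samba_autoconf.py hunk still reads only "check the value of a variable/define" and does not mention the new lib argument. Since lib=None is passed straight through as lib=lib to the check in the second hunk, please document what callers may pass (a library name to link the test program against) and that None keeps the previous behaviour.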
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 303d2109f63 s4:kdc: Check lifetime of correct ticket via 99f31cabf5f third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0) via 53c47698f01 tests/krb5: Add tests presenting short-lived ticket in various scenarios via 9b1bd267f01 tests/krb5: Rename modify_requester_sid_time() to modify_lifetime() via 748fa19a26a tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter via 787b701e68f tests/krb5: Use consistent time between get_KerberosTime() calls via e1109fbfef9 tests/krb5: Move modify_requester_sid_time() to RawKerberosTest via 0e176d856fe s4:kdc: Remove manual addition of error data via 637fd961bd3 s4:kdc: Add NTSTATUS e-data to KDC reply via 90436389b81 third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122) via 041f70055cf s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure via 28cffae4b2c s4:kdc: Use more suitable type for final_ret via d211d700ab9 tests/krb5: Set expected_status even if expect_status is not true via 4a3f764f7fa tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests via 9d3c3f06ab6 tests/krb5: Be less particular about expected status codes for S4U tests via 7266924b3d6 s4:kdc: Use talloc_get_type_abort() from 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos) https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 303d2109f637b553c550183e9406b468ee7e2837 Author: Joseph Sutton Date: Tue Apr 18 14:28:01 2023 +1200 s4:kdc: Check lifetime of correct ticket The ticket returned by kdc_request_get_ticket() is the main TGT presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a user-to-user ticket, make sure we check the lifetime of that ticket instead. To do this we need to pass the appropriate ticket into the plugin function. NOTE: This commit finally works again! 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224 commit 99f31cabf5fe3ce7afe01148f311f45e4740794e Author: Joseph Sutton Date: Thu May 18 09:54:12 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 53c47698f01b9b948cbb565c1cc808d9cfd423f8 Author: Joseph Sutton Date: Thu May 18 10:59:53 2023 +1200 tests/krb5: Add tests presenting short-lived ticket in various scenarios With the Heimdal KDC, we erroneously accept short-lived FAST and user-to-user tickets. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9b1bd267f01e49f134663f42329c606f5483a3cb Author: Joseph Sutton Date: Thu May 18 11:07:36 2023 +1200 tests/krb5: Rename modify_requester_sid_time() to modify_lifetime() ...now that the requester SID parameter is optional. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 748fa19a26ae61888c5951cc0163a214f751589f Author: Joseph Sutton Date: Thu May 18 11:05:56 2023 +1200 tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter This is so callers can modify the lifetime of a ticket without necessarily changing the requester SID. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 787b701e68fc031f28045150d2b603e6a15f644e Author: Joseph Sutton Date: Thu May 18 11:03:40 2023 +1200 tests/krb5: Use consistent time between get_KerberosTime() calls Otherwise get_KerberosTime() calls time.time() itself, the value of which can change between calls. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e1109fbfef9ab840b3c6cf1e626fb99de7771cd4 Author: Joseph Sutton Date: Thu May 18 11:01:47 2023 +1200 tests/krb5: Move modify_requester_sid_time() to RawKerberosTest We shall make use of it in KdcTgsTests. 
Also move add_requester_sid(), which this function depends upon. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0e176d856fea22973efe6db3ebea3b1fce36d87f Author: Joseph Sutton Date: Wed May 17 15:49:09 2023 +1200 s4:kdc: Remove manual addition of error data This is now handled by the hdb_samba4_set_ntstatus() call above. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 637fd961bd359c3ca30e21ebae731ead5cfbc673 Author: Joseph Sutton Date: Wed May 17 15:47
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos) via 420fae5dcbe s4:kdc: Make use of dsdb_search_one() via e1f8cb063dd s4:kdc: Don’t perform unnecessary search to get account objectClass via 10d6d77a272 s4:kdc: Have get_claims_for_principal() take the entire principal via 3d9863cfdc4 s4:kdc: Enforce TGT lifetime authentication policy via 1fdff371051 s4:kdc: Look up authentication policies for Kerberos clients and servers via f1212ffe4e4 s4:kdc: Make maximum lifetime and renew time signed via 9eaff7e852b s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag via eeebd488f2a third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0) via f547cf1db86 s4:kdc: Add helper functions for authentication policies via 633ebe1b3ef s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure via 8cc0b76509b s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure via 9ff7d6c5c55 s4:kdc: Add NTSTATUS strings to log messages via 32b49d8a56e lib:audit_logging: Fix typo in log message via d7b68236ecf lib:audit_logging: Add function to add a formatted time value to a JSON message via 0080148483c lib:audit_logging: Add function to add an optional boolean value to a JSON message via 4440f1db54b lib:audit_logging: Add function to add flags to a JSON message via 89d30cdfe16 s4:auth: Remove superfluous semicolon via 34080e8839a s4:auth: Fix leak via 263deae7e2b auth: Fix leaks via 1de2feef90c auth: Correct parameter order in header via 6d8a7e1655c s4:kdc: Fix diagnostic messages via ad14287dd7c s4:kdc: Fix error messages via 451f221bf35 s4:kdc: Check ldb_dn_new() return value via 8f7f55da1e4 s4:kdc: Remove double-free via 96a64b0522e s4:kdc: Remove double-free via 02e6970ad65 s4:kdc: Fix leaks via 2a9d057e828 s4:kdc: Make use of auth_generate_security_token() via 9aaedb152ca s4:auth: Fix typos via e2e752b5461 s4:auth: Split out new function to generate a 
security token via 024e5f7e92a auth: Remove unnecessary return statements via f948f9cb66f s3:utils: Fix typo via 798be592f90 s4:kdc: Fix debugging strings via 60803ea8c81 s4:kdc: Fix typos via bbdb3bf8a63 s4:kdc: Factor out PAC blob functions into new source file via 9a78a8b3f21 s4:kdc: Add missing includes and declarations via c782dd2ffea libcli: Add missing include via cdb1047bdc5 s4:kdc: Include missing headers via 12fd8274fff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant via 84a7ae8e0c7 tests/krb5: Add tests for authentication policies via f9b666297cb tests/krb5: Allow specifying whether PA-DATA types are to be checked via 53b62429f89 tests/krb5: Allow server and workstation accounts to perform a SamLogon via c1ab6036bb0 tests/krb5: Allow specifying machine credentials to _test_samlogon() via 031f1c7632e tests/krb5: Rename ‘server’ to ‘dc_server’ via 78cca1411ff netlogon:schannel: Fix NULL pointer dereference via 3424c6d20fe tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data via 18b24f95728 tests/krb5: Improve edata checking via 3063abbfb0a tests/krb5: Remove unused import via 0d609ee5ed3 samba-tool domain: Clean up code via 56d98e974c3 samba-tool domain: Remove unused variables from e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71 Author: Joseph Sutton Date: Tue Mar 28 15:10:50 2023 +1300 s4:kdc: Add support for constructed claims (for authentication silos) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224 commit 420fae5dcbe886b7e66928e88d031c8569aacd5c Author: Joseph Sutton Date: Wed May 17 12:02:47 2023 +1200 s4:kdc: Make use of dsdb_search_one() Ensure we get exactly one object back, or an error. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e1f8cb063ddc3753ab8673416fa70fa616138f30 Author: Joseph Sutton Date: Wed May 17 12:07:44 2023 +1200 s4:kdc: Don’t perform unnecessary search to get account objectClass We now have this information in the ldb_message. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 10d6d77a2720577e51bc93c51c85261c1e3d37b8 Author: Joseph Sutton Date: Wed May 17 11:55:16 2023 +1200 s4:kdc: Have
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8296b6884df s4:torture: Replace calls to deprecated function via ce176425f8c s4:dsdb: Check return value of allocation functions via 92ad2c7b9b9 s4:dsdb: Fix leaks via 2d9a2c31389 s4:dsdb: Check ldb_binary_encode_string() return value via b5bd55fe85f s4:auth: Check ldb_binary_encode_string() return value via 07e53939dc0 s4-auth: Log correct function name via 21b23a7d5a0 netlogon:schannel: Fix typo via f1281b80c1a samba-tool domain: Run in interactive mode if no args are supplied via f573177c352 python: Safely clear structure members via 8d6e4473409 python:tests: Remove unused variables via 2a8db072934 auth: Return status code if configuration prohibits NTLM via 23a67d59c82 s4-dsdb:large_ldap: Remove unused variables via db5ef4e2bac s4-dsdb:large_ldap: Remove unused imports via 2d1d3b73142 pytest/password_lockout: Remove unused variables via 2b598a4b2e6 pytest/password_lockout: Use correct variable via b5ff0859521 pytest/password_lockout: Use more specific assertion methods via 2236daa7ca7 pytest/password_lockout: Remove unused imports via f9501f2ae4e samba-tool domain: Remove unnecessary variable via 5a2b187819f samba-tool domain: Use result of setup_local_server() instead of object field via 3eb95c8791a s4:dsdb:tests: Refactor security descriptor test via 2e5d08c908b s4:dsdb:tests: Refactor confidential attributes test via 76b15ec145d s4:dsdb:tests: Refactor ACL test via 80431fe7cf5 pyglue: use Py_ssize_t in random data generation functions via cea9b25571f lib:util: prefer size_t for random data generation functions via 72335e742e0 selftest: Change ad_dc environment to be 2016 functional level via 0252941bb36 selftest: Allow provision_ad_dc() to take functional_level as an argument via 287405862b7 selftest: Return fl2008dc to being an alias for ad_dc_ntvfs via cbfcbfb057a Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008 via 8de7d28f3c6 selftest: Move linked_attributes test to ad_dc selftest environment via 
9f3dcf0e693 samba-tool domain join: Allow "ad dc functional level" to change which level we claim to be during an AD join via f94f174db45 samba-tool domain provision: Use "ad dc functional level" to control max functional level via 5d5fd0129ac python: Add function to get the functional level as a python intger from smb.conf via e5c3e076c8f param: Add new parameter "ad dc functional level" via 7953a9ba71b samba-tool domain provision: Use common functional_level.string_to_level() via 844eb073767 python: Move helper functions for functional levels into a new file from 59694ad0a4c rpc_server3: Pass winbind_env_set() state through to rpcd_* https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8296b6884dfcc2b3e94f60b0479ef92a5b50f53e Author: Joseph Sutton Date: Wed May 10 13:06:18 2023 +1200 s4:torture: Replace calls to deprecated function Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224 commit ce176425f8c66539cf7788902fa116657d2b6448 Author: Joseph Sutton Date: Tue May 9 16:12:03 2023 +1200 s4:dsdb: Check return value of allocation functions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 92ad2c7b9b9e0b7d49ccbb9bf18b3e5dfed2d299 Author: Joseph Sutton Date: Tue May 9 16:11:37 2023 +1200 s4:dsdb: Fix leaks Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2d9a2c3138907e789a1fa9b25c8636ad871314fd Author: Joseph Sutton Date: Tue May 9 16:10:59 2023 +1200 s4:dsdb: Check ldb_binary_encode_string() return value Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b5bd55fe85f9a089b4b8242d73240c6521d3090e Author: Joseph Sutton Date: Tue May 9 15:51:06 2023 +1200 s4:auth: Check ldb_binary_encode_string() return value Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 07e53939dc0e6207c8348cf7c76d34339cb1ce67 Author: Joseph Sutton Date: Tue May 2 12:59:22 2023 +1200 s4-auth: Log correct 
function name Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 21b23a7d5a08a65fc13da1dbd1a948fe08648cbb Author: Joseph Sutton Date: Tue May 2 12:51:52 2023 +1200 netlogon:schannel: Fix typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f1281b80c1ad68d380ce91c13076f6a60fbc627e Author: Joseph Sutton Date: Wed Apr 26 10:31:51 2023 +1200 samba-tool domain: Run in interactiv
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 6206e15b4de winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
  via f633389f36e winbind: Test wbinfo -u with more than 1000 users
  via 5ac65fdf9ac build:wafsamba: Fix TypeError in read_submodule_status()
  via 1dbdeaa8d7f gp: get_gpo() should re-raise the Exception, not return
  via 9755206f6dd s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()
  via 46ae5568fa7 lib:ldb: do not offset against NULL pointer in ldb_ldif_read()
  from 5fcb675a8b0 s4/scripting: fix % len(res) was in the wrong place

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 6206e15b4de0ba67d713124c2be353dabf3878c8
Author: Volker Lendecke
Date: Wed Apr 26 17:19:29 2023 +0200

    winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

    Signed-off-by: Volker Lendecke
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue May 9 02:58:45 UTC 2023 on atb-devel-224

commit f633389f36e79d3e772777ad7ca13012e3616273
Author: Volker Lendecke
Date: Thu Apr 27 12:25:24 2023 +0200

    winbind: Test wbinfo -u with more than 1000 users

    winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has

        NTSTATUS samr_LookupRids(
            [in,ref] policy_handle *domain_handle,
            [in,range(0,1000)] uint32 num_rids,
            [in,size_is(1000),length_is(num_rids)] uint32 rids[],
            [out,ref] lsa_Strings *names,
            [out,ref] samr_Ids *types
        );

    limiting num_rids to 1000 entries. Test this.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

    Signed-off-by: Volker Lendecke
    Reviewed-by: Andrew Bartlett

commit 5ac65fdf9acb286a152032cc8913b5ce28fe30fc
Author: Joseph Sutton
Date: Thu May 4 15:25:31 2023 +1200

    build:wafsamba: Fix TypeError in read_submodule_status()

        parts = l.split(" ")
        TypeError: a bytes-like object is required, not 'str'

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1dbdeaa8d7fcfa4b620bbd24e457ee7f2e6c132d
Author: David Mulder
Date: Fri Apr 28 07:37:31 2023 -0600

    gp: get_gpo() should re-raise the Exception, not return

    If we return from this failure, then `new_gpo` is set to `None` and we will fail in some obscure way within a CSE later (since we append `None` to the GPO list). Instead, re-raise the Exception so we see that an error happened when fetching the GPO.

    Signed-off-by: David Mulder
    Reviewed-by: Andrew Bartlett

commit 9755206f6dde7ee4f9852bbd81cb79f4457faf86
Author: Dmitry Antipov
Date: Tue May 2 13:45:01 2023 +0300

    s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()

    Strictly speaking, this is not a bug because parsing loop will just skip an empty ({NULL}, 0) blob. But it's better to avoid this case because UBSan (as of clang-17 at least) may complain on such a parsing attempt:

        source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
        #0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
        #1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
        #2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
        #3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
        [... a lot of Python calls skipped...]

    Signed-off-by: Dmitry Antipov
    Reviewed-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 46ae5568fa7b9a96018d0eedadee6400632112ba
Author: Dmitry Antipov
Date: Tue May 2 13:43:54 2023 +0300

    lib:ldb: do not offset against NULL pointer in ldb_ldif_read()

    Fix the following error observed running samba.test.registry compiled with clang-17 and UBsan:

        lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer
        #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
        #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
        #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
        #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
        #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
        [... a lot of Python calls skipped...]

    I.e. number of elements should be checked against zero before making an attempt to access an element by index.

    Signed-off-by: Dmitry Antipov
    Reviewed-by: Joseph Sutt
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5fcb675a8b0 s4/scripting: fix % len(res) was in the wrong place via 3eccaf5d1eb s4/dsdb: fix unnecessary backslash via 8c19775a27c s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py via 18cbec4ba07 s4/scripting: fix a few invalid docstring args via bb34d93277f dsdb/tests: fix assignment to for loop variable from 6258173a62e s4:kdc: Don’t call memcpy() with a NULL pointer https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5fcb675a8b064aa6b2a2529703ed7911bff3bb04 Author: Rob van der Linde Date: Fri Feb 24 12:58:29 2023 +1300 s4/scripting: fix % len(res) was in the wrong place Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 5 05:54:11 UTC 2023 on atb-devel-224 commit 3eccaf5d1ebf397f4900d4126765f7a21a951f10 Author: Rob van der Linde Date: Fri Feb 24 12:57:57 2023 +1300 s4/dsdb: fix unnecessary backslash Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 8c19775a27c596024c4351b90fb063c1c1c27c14 Author: Rob van der Linde Date: Fri Feb 24 12:54:16 2023 +1300 s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 18cbec4ba07c2f29e684f207a3bd2cbe51b3e852 Author: Rob van der Linde Date: Fri Feb 24 12:48:23 2023 +1300 s4/scripting: fix a few invalid docstring args One arg "dn" was removed, the others just had a typo. Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit bb34d93277f375e718788d8e42399e23cf371ab0 Author: Rob van der Linde Date: Fri Feb 24 12:43:50 2023 +1300 dsdb/tests: fix assignment to for loop variable because the loop variables are all called 'k' and the inner and outer loop both use 'k'. 
Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: source4/dsdb/tests/python/priv_attrs.py | 8 source4/dsdb/tests/python/user_account_control.py | 4 ++-- source4/dsdb/tests/python/vlv.py | 10 +- source4/scripting/bin/gen_hresult.py | 8 source4/scripting/bin/gen_ntstatus.py | 14 +++--- source4/scripting/bin/gen_werror.py | 12 ++-- source4/scripting/bin/samba_upgradeprovision | 13 ++--- 7 files changed, 34 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/tests/python/priv_attrs.py b/source4/dsdb/tests/python/priv_attrs.py index 4dfdfb9cbb8..0450cc561db 100644 --- a/source4/dsdb/tests/python/priv_attrs.py +++ b/source4/dsdb/tests/python/priv_attrs.py @@ -329,11 +329,11 @@ class PrivAttrsTests(samba.tests.TestCase): except LdbError as e5: (enum, estr) = e5.args if "unpriv-add-error" in attrs[test_name]: - self.assertGotLdbError(attrs[test_name]["unpriv-add-error"], \ - enum) + self.assertGotLdbError(attrs[test_name]["unpriv-add-error"], + enum) else: - self.assertGotLdbError(attrs[test_name]["unpriv-error"], \ - enum) + self.assertGotLdbError(attrs[test_name]["unpriv-error"], + enum) elif "only-2" in attrs[test_name] and \ attrs[test_name]["only-2"] != objectclass: try: diff --git a/source4/dsdb/tests/python/user_account_control.py b/source4/dsdb/tests/python/user_account_control.py index b54b33678dc..ca99ce3fba1 100755 --- a/source4/dsdb/tests/python/user_account_control.py +++ b/source4/dsdb/tests/python/user_account_control.py @@ -96,7 +96,7 @@ class UserAccountControlTests(samba.tests.TestCase): UF_SERVER_TRUST_ACCOUNT]: account_type_str = dsdb.user_account_control_flag_bit_to_string(account_type) for objectclass in ["computer", "user"]: -for name in [("oc_uac_lock$", "withdollar"), \ +for name in [("oc_uac_lock$", "withdollar"), ("oc_uac_lock", "
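Review bot: In the priv_attrs.py hunk, the trailing context line `elif "only-2" in attrs[test_name] and \` still depends on a backslash continuation right below the two calls that were just cleaned up. Wrapping that condition in parentheses would let the whole block use bracketed continuations consistently and removes the risk of a stray character after the backslash breaking the line join.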
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6258173a62e s4:kdc: Don’t call memcpy() with a NULL pointer via 2eb458118c3 lib:addns: Don’t call memcpy() with a NULL pointer via f60249eed58 tests/krb5: Improve _test_samr_change_password() method via e959485550e tests/krb5: Don’t delete silo until all tests have finished via 0e27b297a29 tests/krb5: Add remove_attribute() helper function via 98e23d7eed6 tests/krb5: Have set_forced_key() also set the NT hash via 1a53d3514f8 auth/credentials: Add set_nt_hash() via 506c2d1b8a3 s3:lib: Fix typos via 6f1852c9538 s4:kdc: Remove unused parameter via 87f7bd60071 tests/krb5: Make _tgs_req() more configurable via 9d206948c9c tests/krb5: Make use of check_tgs_reply() via ab8a3e87bbe tests/krb5: Allow specifying an encoded security descriptor via 9d84f3384e6 tests/krb5: Rename ‘objectclass’ to use correct case via 0a7cbe1e953 tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’ via 2f993306408 s4/scripting/bin: Remove unused imports via 2727e33dbdb s4/scripting/bin: Fix resource leak via 37450ec3c2c s4:kdc: Fix typo via 3ae3499b70b tests/krb5: Create account cache key only if needed via 4dc9abc777b tests/krb5: Delete non-resuable accounts as soon as possible via 9c4a71de472 s4:kdc: Use correct target principal name in log message via 86f07cad945 docs-xml: Fix typos via db889249abb auth/credentials: Fix NULL dereference via bd9eb63450f tests/krb5: Refactor _test_samlogon() via 443d70ee58f lib:util: Fix undefined bitshift via dd88d7a89f2 param: Fix resource leak via d497829bf1a python/samba: Fix invalid escape sequence via 2e41c73e98e lib/http: Remove unused structure via c6f29f0039c tests/krb5: Allow setting a servicePrincipalName on a user account via 4ae9fe48aa8 tests/krb5: Fix parameter default via 57d73b24b2e tests/krb5: Remove unused parameter via 1a90a94ff1d tests/krb5: Test that the salt for a managed service account is computed correctly via 762e184216f tests/krb5: Allow creating managed service accounts via c7295b1dc54 pydsdb: Add 
Managed Service Accounts GUID constant via 2f5cebfef92 libds: Add Managed Service Accounts well-known GUID via 8a3dacd39ec tests/krb5: Always heed the add_dollar parameter via 1ba0953d65b tests/krb5: Remove unused import via 07f3dbbf38e s4:dsdb: Fix leak via 722bbf0544a tests/krb5: Remove unneeded assertions via eb4b46d326e tests/krb5: Allow creating an account with an assigned policy or silo via e7b2cd7d831 tests/krb5: Add method to create an authentication policy via c4972272227 tests/krb5: Generify protected users test methods via 6f3b7f95f3c tests/krb5: Handle NT hashes being disabled via e4ec3d6f3d3 tests/krb5: Pass client credentials down into kdc_exchange_dict via c07ac154627 tests/krb5: Remove test for OemChangePasswordUser2() via 58bf53c973d tests/krb5: Split out functions for testing logons and password changes via 34f378f4809 auth/credentials: Allow resetting bind DN on Credentials object via 963688b3a5a librpc: Always call ndr_push_compression_state_init() for compression via ff2de50aa4b librpc: Fix talloc hierarchy for ndr_compression_state via 7dab9edca86 python:descriptor: add missing schema 2019 aces in builtin and dns partition from 6752bcaf4de s3:utils: Move error-handling code into more suitable spot (CID 1524680) https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6258173a62e3fbb9cd103b72175874e8346571ea Author: Joseph Sutton Date: Mon May 1 13:04:58 2023 +1200 s4:kdc: Don’t call memcpy() with a NULL pointer Doing so is undefined behaviour. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 5 03:52:30 UTC 2023 on atb-devel-224 commit 2eb458118c3de09cea42749098df1f93dc0e9eca Author: Joseph Sutton Date: Mon May 1 11:22:02 2023 +1200 lib:addns: Don’t call memcpy() with a NULL pointer Doing so is undefined behaviour. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f60249eed58d9c282b21fd83dcb0654f310ac8db Author: Joseph Sutton Date: Mon May 1 09:48:15 2023 +1200 tests/krb5: Improve _test_samr_change_password() method Instead of using anonymous credentials, we now connect using the passed-in credentials. We now correctly construct nt_password and nt_verifier so as to successfully change the password, instead of having to distinguish between a WRONG_PASSWORD error and an error caused by the password change being disallowed
[SCM] Samba Shared Repository - branch master updated
test the strings with local parsing via fa04c387403 pytest:sid_strings: separate out expected_sid formatting via cb356a8d909 pytest:sid_strings: add explicit S-1-* sid tests via 4380b4694f5 pytest:sid_strings: allow other errors to be specified via 5805dcf3ebf pytest:sid_strings: add a superclass, allowing for derivatives via 5c4f4dc9ead pytest:sid_strings: use hashed instead of random unique numbers via 708d9896aa3 pytest:sid_strings: same timestamp for all tests in the run via 489cdc42c43 librpc/py_security: exception message blames the bad SID via aa378b4bd51 pytest:upgradeprovision: don't use misleading SDDL in tests via 9abdd675650 librpc/ndr/pysecurity: use better exceptions via 9ab0d65fc0e lib/fuzzing: add fuzzer for sddl_parse from dc96e9cfd5d libcli:smb: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4486d686f5c9404acc6fff7bc67432f14cac5800 Author: David Mulder Date: Wed Apr 19 14:11:05 2023 -0600 gp: Add site-dn fallback when rpc call fails In testing I noticed that the rpc call for the site name is failing when joined via SSSD. This commit adds a fallback to check using the old style method found in ads_site_dn_for_machine() (which works, but doesn't obey the Group Policy spec) if the rpc call fails. 
Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Apr 28 03:14:25 UTC 2023 on atb-devel-224 commit c80affe0f192db9f851b5ed0617586783a02a82d Author: David Mulder Date: Wed Mar 15 13:46:58 2023 -0600 Add a WHATSNEW entry indicating libgpo py deprecation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit ee04bafc25c7b09e53fe2036c5188531b58526a8 Author: David Mulder Date: Tue Mar 14 15:35:01 2023 -0600 gpo: Group Policy tests require a s3 loadparam BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit ac4726106c6d99794f03591fc0b526d91b947fad Author: David Mulder Date: Tue Mar 14 12:37:54 2023 -0600 gpupdate: Deprecate libgpo.get_gpo_list This is no longer used by gpupdate. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit a8bad5d5b859a2a76ce18919fbe2bf42f8ef7562 Author: David Mulder Date: Tue Mar 14 11:21:02 2023 -0600 gpupdate: Implement get_gpo_list in python The ADS code in libgpo is buggy. Rewrite get_gpo_list in python using SamDB. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 848bce061afa514a2cc340f1b8895f83129ebd1a Author: Douglas Bagnall Date: Sun Apr 16 18:13:55 2023 +1200 libcli/security/tests: test strings for windows and samba SDDL tests These are produced by editing `python/samba/test/sddl.py to enable `test_write_test_strings`, the running `make test TESTS='sddl\\b'`. The windows executable from the C file added in a recent commit can run these tests using the `-i` flag. The Samba sddl.py tests can be induced to use them too, but that is only useful for showing they are still in sync. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit d36bab52d0fd68a8d28238dbba7e7ea35b936e6c Author: Noel Power Date: Thu Aug 25 14:29:09 2022 +0100 s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights prior to this patch rights matching "FA", "FR", "FW", "FX" were outputted as the hex string representing the bit value. While outputting the hex string is perfectly fine, it makes it harder to compare icacls output (which always uses the special string values) Additionally adjust various tests to deal with use of shortcut access masks as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead of hex representation of the bit mask. adjust samba4.blackbox.samba-tool_ntacl samba3.blackbox.large_acl samba.tests.samba_tool.ntacl samba.tests.ntacls samba.tests.posixacl so various string comparisons of the sddl format now pass Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall [abart...@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex numbers, eg 0x001] commit 0a153c1d58d8ae22432e990779afa0bb8fc9f9c9 Author: Noel Power Date: Thu Aug 25 13:52:56 2022 +0100 s3/utils: value for ace_f
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 112faff82f9 dsdb: modify unicodePwd requires encrypted connection via 928de1d61c8 dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection via 5abda27f0e2 dsdb: fix spelling in password_hash.c via 479634e4cd6 dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test via e1c0c2066c2 dsdb/tests: Move SD modification on class-created objects to classSetUp from b74b9f4b06c CVE-2023-0922 set default ldap client sasl wrapping to seal https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 112faff82f93f9b16f67905c5cbdd5806bd7c214 Author: Rob van der Linde Date: Mon Feb 20 11:50:36 2023 +1300 dsdb: modify unicodePwd requires encrypted connection Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Apr 6 01:33:05 UTC 2023 on atb-devel-224 commit 928de1d61c884c7691b57fbe5fffa8f792ce68fd Author: Rob van der Linde Date: Wed Apr 5 12:30:03 2023 +1200 dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection This demonstrates that the server did not detect CVE-2023-0922 Signed-off-by: Andrew Bartlett Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton commit 5abda27f0e2db9738f81c86a25929462ed6189ce Author: Rob van der Linde Date: Thu Feb 16 13:23:42 2023 +1300 dsdb: fix spelling in password_hash.c 
Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 479634e4cd6543d489eb4700aebde1a479b94fe5 Author: Andrew Bartlett Date: Thu Apr 6 08:59:17 2023 +1200 dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test By slowing the filter down more this makes the test reliable on the autobuild host. This is not a long-term solution, but is a quick tweak that can be done today to address current issues with getting commits past the host-based (compared with cloud-based) autobuild. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit e1c0c2066c2f29bb614e3386b796eec3cb289aea Author: Andrew Bartlett Date: Thu Apr 6 08:54:02 2023 +1200 dsdb/tests: Move SD modification on class-created objects to classSetUp These modifications persist, so should be done at the class level, not in the test. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: source4/dsdb/samdb/ldb_modules/password_hash.c| 24 +++- source4/dsdb/samdb/samdb.h| 5 + source4/dsdb/tests/python/large_ldap.py | 20 ++- source4/dsdb/tests/python/unicodepwd_encrypted.py | 151 ++ source4/ldap_server/ldap_backend.c| 23 source4/selftest/tests.py | 1 + 6 files changed, 211 insertions(+), 13 deletions(-) create mode 100644 source4/dsdb/tests/python/unicodepwd_encrypted.py Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 6a713b86736..417e34b79e6 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c 
@@ -252,7 +252,7 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r GET_VALUES(nte, "unicodePwd"); /* -* Even as Samba contiuues to ignore the LM hash, and reset it +* Even as Samba continues to ignore the LM hash, and reset it * when practical, we keep the constraint that it must be a 16 * byte value if specified. */ @@ -2869,6 +2869,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context); + struct dsdb_encrypted_connection_state *opaque_connection_state = + ldb_get_opaque(ldb,DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME); *werror = WERR_INVALID_PARAMETER; @@ -2876,10 +2878,28 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR return LDB_SUCCESS; } + /* +* Prevent update password on an insecure connection. +* The opaque is added in the ldap backend init. +*/ + if (opaque_connection_state != NULL && + !opaque_connection_state
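Review bot: In the @@ -2869 hunk of check_password_restrictions(), opaque_connection_state is assigned directly from ldb_get_opaque() with no type check, while lp_ctx on the lines just above is fetched through talloc_get_type(). If the connection state is a talloc object, fetch it the same way so a wrongly typed opaque cannot be dereferenced as a struct dsdb_encrypted_connection_state. There is also a missing space after the comma in `ldb_get_opaque(ldb,DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME)`.

Review bot: In the @@ -2876 hunk, the new guard only applies when `opaque_connection_state != NULL`, so any ldb handle on which the opaque was never set skips the encrypted-connection check entirely. The comment says the opaque is added in the ldap backend init; it should also state that a missing opaque is deliberately treated as a trusted non-LDAP caller, so that a later code path which forgets to set it is recognised as a fail-open case in review rather than going unnoticed.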
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b74b9f4b06c CVE-2023-0922 set default ldap client sasl wrapping to seal via c33e78a27fb CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values via 62cc4302b67 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user via 8b4e6f7b3fb s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG via 82d2ec786f7 dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL via d2bbb47a7ce ldb: Use correct member of union via dfe7b057304 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN via 9b8dd83fd02 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes via f6e93e2b3d9 CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests via f188b6a978f CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED via 15eac7676b2 CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed via 449c2e99e27 CVE-2023-0614 ldb: Filter on search base before redacting message via 9f31e4139c1 CVE-2023-0614 ldb: Centralise checking for inaccessible matches via 197633cc2ad CVE-2023-0614 ldb: Use binary search to check whether attribute is secret via 3a70c6464de CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it via d5d0e712797 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes via 748bbbe70d2 CVE-2023-0614 s4-acl: Split out function to set up access checking variables via da8138c50e6 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf() via 5c334918a22 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes via fdeb6ea15c7 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr() via f995c3805dd CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences via 16487691c02 CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID via d3fa2cb5ddd 
CVE-2023-0614 s4:dsdb:tests: Fix search in confidential attributes test via f154fad3c1b CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own via fffea590017 CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place() via f25b1756aac CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place via 131d4176044 CVE-2023-0614 ldb: Add function to filter message in place via 784a342785f CVE-2023-0614 ldb: Add function to add distinguishedName to message via 721493f4bde CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message via b18ed9ae975 CVE-2023-0614 ldb: Add function to take ownership of an ldb message via 294a4f6e286 CVE-2023-0614 ldb:tests: Ensure all tests are accounted for via 1debb6584e4 CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated via a43977499c0 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements via ca9c467e413 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements via 17feef18bf5 CVE-2023-0614 s4-acl: Make some parameters const via a7222faade7 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently via 6d2d1e7df43 CVE-2023-0614 libcli/security: Make some parameters const via 5fd0811ffac CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects from f5d04a43cf6 python:join: fix reused variable name in provision func https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b74b9f4b06c24b16bf3daac96127e62b75f5b9ed Author: Rob van der Linde Date: Mon Feb 27 14:06:23 2023 +1300 CVE-2023-0922 set default ldap client sasl wrapping to seal This avoids sending new or reset passwords in the clear (integrity protected only) from samba-tool in particular. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315 Signed-off-by: Rob van der Linde Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 5 03:08:51 UTC 2023 on atb-devel-224 commit c33e78a27fbeb913b08ef7f74343c1f652d1aa41 Author: Joseph Sutton Date: Mon Jan 9 11:22:34 2023 +1300 CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values This early return would mistakenly allow an unprivileged user to delete the dNSHostName attribute by making an LDAP modify request with no values. We should no longer allow this. Add or replace operations with no values and no privileges are disallowed. BUG: https
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f5d04a43cf6 python:join: fix reused variable name in provision func via e258ea12b01 s4:kdc: Allocate claim value on values context via 3b72dde2027 tests/krb5: Add tests for constructed (authentication silo) claims via 75aecbe6203 tests/krb5: Add method to create authentication silo claim via dc4c51f353a tests/krb5: Add method to create an authentication silo via 8855b525ce1 tests/krb5: Add methods to get authentication policy DNs via 9b96855f370 tests/krb5: Check only for the canonical representation of a security descriptor via f1174c6e0c4 librpc/ndr: Fix NULL pointer dereference via d0d588558d9 Update WHATSNEW.txt via 960fe1ca273 s3:utils: s3:utils: Correctly wire winbind ccache support for smbget via e22eccbe889 s3:utils: Correctly wire NT hash support for smbget via 61424dd2218 auth: Add cli_credentials_is_password_nt_hash() via 97c0982bad9 auth: Remove trailing white spaces in credentials_ntlm.c via 96914246d36 auth: Remove trailing white spaces in credentials.h via de702cb5b18 s3:tests: Add test with testdenied_...@realm.upn via 3fa25a77ca9 s3:tests: Add a kerberos trust test for smbget via 9392a581dbb s3:tests: Add kerberos test for smbget via 267ea547129 s3:utils: Correctly wire Kerberos support for smbget via a2ba787780c s3:tests: Add encryption test for smbget via ada8cd6a627 s3:utils: Correctly wire encryption for smbget via f531dd19826 docs-xml: Remove smbgetrc manpage via 7f8a814c7ad docs-xml: Update smbget manpage via 20b5d98ce58 s3:utils: Use common command line parser for smbget via 42b47e20e71 s3:tests: Use long options for smbget in test_smbget.sh via 0e07d0ac220 s3:utils: Add support for parsing domain/UPN in username for smbget via 34d4ac9907c s3:utils: Always cleanup when leaving smbget main() via 1f3f88603a4 s3:tests: Add smbget msdfs link test with domain and UPN via d81acef3924 s3:tests: Add domain and UPN test for smbget via 1104916d227 s3:tests: Also clear the download area in smbget msdfs_link test 
via 9c76563ba24 s3:selftest: Pass REALM to samba.blackbox.smbget via badbbceb76f s3:selftest: Move samba3.blackbox.smbget to ad_member via acf259c7e0b s3:selftest: Move the smbget share to the provision function from 925b026a235 lib:ldb:tests: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f5d04a43cf6b32aa8ea443bc5ac485581d77d200 Author: John Mulligan Date: Fri Mar 24 15:11:59 2023 -0400 python:join: fix reused variable name in provision func Recent updates to run adprep during the provision function re-used a variable name that was already in use as a string. This reassignment changed the type of the referenced object. This variable name is later used to setup the mit krb5 kdc conf and expects the var to contain a string. When executed with default cli options on a mit krb5 based build samba tool fails with a traceback:
```
INFO 2023-03-23 21:22:50,399 pid:6 /usr/lib64/python3.10/site-packages/samba/provision/__init__.py #2021: Fixing provision GUIDs
ERROR(): uncaught exception - 'DomainUpdate' object has no attribute 'upper'
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py", line 555, in run
    result = provision(self.logger,
  File "/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line 2408, in provision
    create_kdc_conf(paths.kdcconf, realm, domain, os.path.dirname(lp.get("log file")))
  File "/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line 43, in create_kdc_conf
    domain = domain.upper()
```
This change removes the re-use of the existing var name by chaining the calls.
Fixes: 4bba26579d1 Signed-off-by: John Mulligan Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 5 02:02:29 UTC 2023 on atb-devel-224 commit e258ea12b01c2f01f049f95c9c7e4c7ec0ada6d6 Author: Joseph Sutton Date: Mon Apr 3 13:07:30 2023 +1200 s4:kdc: Allocate claim value on values context Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3b72dde2027fe7bffa03f6022fd2a5aef26845fa Author: Joseph Sutton Date: Mon Apr 3 13:24:12 2023 +1200 tests/krb5: Add tests for constructed (authentication silo) claims Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4b1d2051383 lib:krb5_wrap: Fix code spelling via 1bfa2c29387 lib:fuzzing: Fix code spelling via 3289e7349ae lib:dbwrap: Fix code spelling via 2b712191a84 lib:crypto: Improve comment about weak crypto via 3d409c16ee7 lib:compression: Fix code spelling via 4d39558c71f lib:cmdline: Fix code spelling via 8e3bac473fe lib:audit_logging: Fix code spelling via 1f2858eadaa lib:addns: Fix code spelling via f59e813c760 lib:addns: Rename additionals to additional via 8720a25d578 s4:libnet: cleanup py_net_time() via 9b6f49d4b94 s3:modules: call rpcgen only if vfs_nfs4acl_xattr is enabled from c66f6c58c7b torture/smb2: do not use client time in delayed timestamp updates test https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b1d2051383a7bccc46dc34dba9be40a98892391 Author: Andreas Schneider Date: Fri Mar 31 11:14:11 2023 +0200 lib:krb5_wrap: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Apr 3 04:53:05 UTC 2023 on atb-devel-224 commit 1bfa2c29387fb234a0ede244be54b9d13c9af11e Author: Andreas Schneider Date: Fri Mar 31 11:11:34 2023 +0200 lib:fuzzing: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 3289e7349ae2523016abed890df1c5fc15a8a9b9 Author: Andreas Schneider Date: Fri Mar 31 11:10:03 2023 +0200 lib:dbwrap: Fix code spelling Best reviewed with: `git show --word-diff`. 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 2b712191a849a66d7362887647928067c2938f7d Author: Andreas Schneider Date: Fri Mar 31 11:07:46 2023 +0200 lib:crypto: Improve comment about weak crypto Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 3d409c16ee7d00012f954e8e819f0f9d48aedb73 Author: Andreas Schneider Date: Fri Mar 31 11:04:54 2023 +0200 lib:compression: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 4d39558c71f4c4715694c93ad69308bde6d18031 Author: Andreas Schneider Date: Fri Mar 31 11:04:22 2023 +0200 lib:cmdline: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 8e3bac473fe600df9e7c154264b04f681b774d6d Author: Andreas Schneider Date: Fri Mar 31 11:03:08 2023 +0200 lib:audit_logging: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 1f2858eadaad200a08522d4a0492ad7f12f3da43 Author: Andreas Schneider Date: Fri Mar 31 11:01:47 2023 +0200 lib:addns: Fix code spelling Best reviewed with: `git show --word-diff`. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit f59e813c76027184b9d57420e5fb73582505b857 Author: Andreas Schneider Date: Fri Mar 31 11:00:50 2023 +0200 lib:addns: Rename additionals to additional Fixes code spelling. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 8720a25d57819ea51c304c9f76f84c6aa18fb2ae Author: Dmitry Antipov Date: Fri Mar 31 08:06:44 2023 +0300 s4:libnet: cleanup py_net_time() Fix size of buffer passed to and always check the value returned from strftime(), raise PyErr_NoMemory() and return NULL if zero, or use it with PyUnicode_FromStringAndSize() (thus avoiding extra internal call to strlen()) otherwise. 
Signed-off-by: Dmitry Antipov Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9b6f49d4b946ae436ee4d5f20613508b368f14b0 Author: David Disseldorp Date: Tue Mar 28 17:00:24 2023 +0200 s3:modules: call rpcgen only if vfs_nfs4acl_xattr is enabled rpcgen may be missing, so wrap all of the vfs_nfs4acl_xattr associated calls in an appropriate if bld.SAMBA3_IS_ENABLED_MODULE() check. Signed-off-by: David Disseldorp Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: lib/addns/dns.h | 4 +- lib/addns/dnsgss.c | 4 +- lib/addns/dnsmarshall.c | 10 ++-- lib/addns/dnsquery.c| 4 +- lib/addns/dnsquery_srv.c| 2 +- lib/audit_logging/audit_logging.c | 2 +- lib/cmdline/cmdline.h | 4 +- lib/cmdline
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 874e10ef79a s4:kdc: Add support for AD device claims via e446e5816bd s4:kdc: Add support for AD client claims via c9ff6542006 selftest: Account for have_fast_support in determining whether FAST is supported via 2f53dd59a2c s4-dsdb: Account for Claims Valid SID in tokenGroups via 149a515f054 s4:torture: Make use of torture_assert_sid_equal() via e17892b7eb4 s4:torture: Assert that SID parsing succeeds via 58f93271906 tests/krb5: Don't expect client claims to be missing via a205568e98a libcli/security: Add dom_sid_has_account_domain() to confirm a S-1-5-21 prefix via 3afac3f8f75 s4:kdc: Add utility functions for AD claims via 652c10a5a3e s4:dsdb/schema: Add dsdb_attribute_by_cn_ldb_val() via f41f9880389 ldb: Add ldb_val -> bool,uint64,int64 parsing functions via 570a3ac866d ldb: Split out ldb_val_as_dn() helper function from 619caa1ba40 docs: update manpage for samba-tool https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 874e10ef79a592933ba097bf78ad3e3446b82e24 Author: Joseph Sutton Date: Wed Mar 29 10:56:22 2023 +1300 s4:kdc: Add support for AD device claims Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224 commit e446e5816bdaa3a9ef9d7d78e4b09728c740615f Author: Joseph Sutton Date: Mon Mar 20 16:58:47 2023 +1300 s4:kdc: Add support for AD client claims We now create a client claims blob and add it to the PAC. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c9ff6542006fa999201a90694bff3b0aaff79089 Author: Joseph Sutton Date: Fri Mar 31 08:38:09 2023 +1300 selftest: Account for have_fast_support in determining whether FAST is supported have_fast_support is unconditionally set to 1, so this doesn't change any behaviour. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2f53dd59a2c2774b3c26cb06a924504727a09df9 Author: Joseph Sutton Date: Wed Mar 29 15:54:26 2023 +1300 s4-dsdb: Account for Claims Valid SID in tokenGroups More of these tests now pass against Windows. They still don't quite all pass, but that's something to fix for another day. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 149a515f0541dbebb7321d91d86f5a6974720376 Author: Joseph Sutton Date: Wed Mar 29 14:34:57 2023 +1300 s4:torture: Make use of torture_assert_sid_equal() This gives a more helpful diagnostic message. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e17892b7eb4dd0ba149cadcef74685fc5891896f Author: Joseph Sutton Date: Wed Mar 29 14:24:11 2023 +1300 s4:torture: Assert that SID parsing succeeds Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 58f93271906c98695043a2bd3afa84b7799226a7 Author: Joseph Sutton Date: Wed Mar 29 11:27:33 2023 +1300 tests/krb5: Don't expect client claims to be missing For this particular test, we don't care whether they're present or not. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a205568e98ae4eb8a76a94b4a6a4bf0c7190c1e9 Author: Joseph Sutton Date: Thu Mar 16 11:25:57 2023 +1300 libcli/security: Add dom_sid_has_account_domain() to confirm a S-1-5-21 prefix Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3afac3f8f75bfae68ffa230fbbc67565717f7e48 Author: Joseph Sutton Date: Fri Mar 3 09:17:39 2023 +1300 s4:kdc: Add utility functions for AD claims get_claims_for_principal() is a new function that creates a claims blob for a principal based on attributes in the database. It's not hooked into the KDC yet, so this entails no change in behaviour. Constructed claims and certificate claims are not supported yet. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 652c10a5a3e2e8ac707df7ca4bf474b5ad3be158 Author: Joseph Sutton Date: Thu Mar 30 16:00:59 2023 +1300 s4:dsdb/schema: Add dsdb_attribute_by_cn_ldb_val() This looks up a schema attribute by its CN, similar to dsdb_class_by_cn_ldb_val(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f41f988038920bc19e8d9f2502ff0d3f2aaa2196 Author: Joseph Sutton Date: Thu Mar 16 11:42:04 2023 +1300 ldb: Add ldb_val -> bool,uint64,int64 parsing functions These functions allow us to parse any value of a message element, not only the first. They also unambiguously indicate whether an error has occurred. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 619caa1ba40 docs: update manpage for samba-tool via d5a0d7aa8be netcmd: tests for claims client tool via cf0a3a8c60b netcmd: add claim sub-commands to samba-tool domain via 5a4f4b39486 sd_utils: fix typo in get_sd_as_sddl docstring via 01c6bc55c7e netcmd: simplify boolean check via 44f881fd349 netcmd: domain: move trust command to domain/trust.py via 2a71bade849 netcmd: domain: move tombstones command to domain/tombstones.py via 75e7935b503 netcmd: domain: move schemaupgrade command to domain/schemaupgrade.py via dff87f051f1 netcmd: domain: move samba3upgrade command to domain/samba3upgrade.py via 5986937d12c netcmd: domain: move provision command to domain/provision.py via 49bc6a478b6 netcmd: domain: move paswordsettings command to domain/passwordsettings.py via 8d4f6761b26 netcmd: domain: move level command to domain/level.py via e7ad2364a5e netcmd: domain: move leave command to domain/leave.py via 12d5ea7f588 netcmd: domain: move keytab command to domain/keytab.py via 8001e07746d netcmd: domain: move join command to domain/join.py via fefa5e74d19 netcmd: domain: move info command to domain/info.py via 908f7ff5537 netcmd: domain: move functional_prep command to domain/functional_prep.py via c22b8dc1c58 netcmd: domain: move demote command to domain/demote.py via 72f6f7a79cf netcmd: domain: move dcpromo command to domain/dcpromo.py via d26054d7da7 netcmd: domain: move classicupgrade command to domain/classicupgrade.py via 6cecd7d08b1 netcmd: domain: move domain_backup.py to domain/backup.py via 4d6a2b01674 netcmd: domain: fix unused imports via 2534aba94d2 netcmd: domain: turn domain.py into a module from 360b7394644 s3: smbd: Fix dumb typos that meant smb1.SMB1-DFS-* tests were running against an SMB2-only fileserver. 
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 619caa1ba40f28be77b4f068fc18fada9d4b3597 Author: Rob van der Linde Date: Thu Mar 23 16:13:55 2023 +1300 docs: update manpage for samba-tool Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 31 08:25:11 UTC 2023 on atb-devel-224 commit d5a0d7aa8be2ed953658faba21c1c53990b83e6c Author: Rob van der Linde Date: Thu Mar 23 13:51:51 2023 +1300 netcmd: tests for claims client tool Added delete protected test to known fail as Samba doesn't seem to enforce this yet. Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit cf0a3a8c60b24a0d311b116a24727d9b7293cb48 Author: Rob van der Linde Date: Mon Mar 20 13:48:56 2023 +1300 netcmd: add claim sub-commands to samba-tool domain
Claim Type:
* samba-tool domain claim claim-type list
* samba-tool domain claim claim-type create
* samba-tool domain claim claim-type delete
* samba-tool domain claim claim-type modify
* samba-tool domain claim claim-type view
Claim Value Type:
* samba-tool domain claim value-type list
* samba-tool domain claim value-type view
To add a claim type use the attribute name, it will look up the attribute in the attribute schema and use that data type and description.
Claim types can be protected from accidental deletion just like Windows, use --protect
To delete protected claim types use --force.
Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 5a4f4b39486facd1323fd7d5c22ea90d5d32ad30 Author: Rob van der Linde Date: Mon Mar 20 13:35:24 2023 +1300 sd_utils: fix typo in get_sd_as_sddl docstring Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 01c6bc55c7ea285608a4056782afb415ed5a66ed Author: Rob van der Linde Date: Wed Mar 1 14:19:15 2023 +1300 netcmd: simplify boolean check Should use "is" for checking booleans rather than "==" in Python, however these can also be simplified. Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 44f881fd3493be93a7d956119d572a946fafd95b Author: Rob van der Linde Date: Fri Mar 31 13:41:49 2023 +1300 netcmd: domain: move trust command to domain/trust.py Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 2a71bade8492a9a6c39ab98662eae7e18897349a Author: Rob van der Linde Date: Fri Mar 31 13:37:01 2023 +1300 netcmd: domain: move tombstones command to domain/tombstones.py
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ea4be00361e selftest: Add test parsing krb5 PAC claims via ndrdump via f951c3b35dc sefltest: Extend python NDR parsing tests to compressed and uncompressed claims via 2d2f68236e6 librpc/ndr: Use libndr compression for claims via c6981f60549 librpc/ndr: Make ndr_push_compression_state_free() a talloc destructor via 0ef71cf1524 pidl: Automatically manage creating and freeing the compression state in generated code via 327c84cf870 librpc/ndr: Implement lzxpress_huffman() compression in libndr for Kerberos Claims via c85cadf1952 librpc/ndr: Add a "NONE" compression format to libndr via b95117dc56e libndr/ndr: Remove unused argument from ndr_push_compression_{start,end}() via 8c58da347c2 libndr/ndr: Add NDR_COMPRESSION_INVALID via 937bf4b8365 librpc/ndr: Unimplement DRSUAPI_COMPRESSION_TYPE_XPRESS and rename via 1dedffab8b7 librpc/ndr: Remove incorrect comment that ndr_compression.h is autogenerated via 4e32ea15199 librpc: Remove incorrect NDR_COMPRESSION dependency from NDR_KRB5CCACHE via 053aa516538 ndrdump: Allow a long string of hexidecimal digits as well as a hex dump for --hex-input via e37f20fb36a lib/compression: Fix documentation of lzxpress_huffman_compress() via 0ab5552c8c3 lib/compression: Add helper function lzxpress_huffman_max_compressed_size() via 976dfc7585f pidl: Allow variable expansion (eg of a value() attribute) in compression_alg argument via 2cba54ba30e selftest: Add python test that verifies that we can parse a PAC via 03d9b7b8b64 librpc/idl: Explain why PAC_TYPE_CLIENT_CLAIMS_INFO is not directly decoded via 6bd3b4528d4 s4:kdc: Split verifying a PAC out of updating it via c0a2e8db677 third_party/heimdal_build: Remove MD2 via a87aae5292d third_party/heimdal: Import lorikeet-heimdal-202303200103 (commit 2ee541b5e963f7cffb1ec4acd1a8cc45426a9f28) from f448a1649cf pyldb: Fix a copy error, CID 1524512 DEADCODE https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 
ea4be00361e5e532f6dfcbf46d90378995cb62d8 Author: Andrew Bartlett Date: Wed Mar 29 15:01:15 2023 +1300 selftest: Add test parsing krb5 PAC claims via ndrdump Including * compressed claims * plain (uncompressed) claims Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 31 02:50:30 UTC 2023 on atb-devel-224 commit f951c3b35dc048408ed72938db00eb157d5f7e57 Author: Andrew Bartlett Date: Thu Mar 30 10:56:49 2023 +1300 sefltest: Extend python NDR parsing tests to compressed and uncompressed claims This confirms that the compression is transparent and that the values from a PAC with claims provided by MS Windows are parsed correctly. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 2d2f68236e6d34d96dc6bdceb13ff54bedde46fb Author: Andrew Bartlett Date: Thu Mar 16 19:06:04 2023 +1300 librpc/ndr: Use libndr compression for claims This ensures our python layer and C layer (in the KDC, when implemented) use the same compression logic and so allows us to test the production compression via the IDL-generated interfaces. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit c6981f60549c497d401c4c4173dc362f083791d7 Author: Andrew Bartlett Date: Wed Mar 29 11:49:43 2023 +1300 librpc/ndr: Make ndr_push_compression_state_free() a talloc destructor This means that the generic_mszip_free() will still be called on failure. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 0ef71cf1524e855b0ae17051b054ef27d1c95717 Author: Andrew Bartlett Date: Wed Mar 29 11:43:10 2023 +1300 pidl: Automatically manage creating and freeing the compression state in generated code Manually written code will handle this differently, but for generated code this will create and free the context. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 327c84cf8701437324410068ab8e9a6efba24345 Author: Andrew Bartlett Date: Tue Mar 28 18:26:13 2023 +1300 librpc/ndr: Implement lzxpress_huffman() compression in libndr for Kerberos Claims Rather than just pick the next value we re-arrange compression values in libndr to be mnemonic to values in MS Windows ntifs.h. This helps avoid confusing developers who compare these algorithms with the local MS Windows interface. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit c85cadf195208adb9bc204fdbc15f665cdb3d65d Author: Andrew Bartlett Date: Thu Mar 16 19:05:39 2023 +1300 librpc/ndr: Add a "NONE"
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e7ef43cead4 s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default via ad3694c491a s4:dsdb/extended_dn_out: use dsdb_dn_val_rmd_flags() instead of dsdb_dn_is_deleted_val() via 06fb5cdffdd s4:dsdb/extended_dn_out: make use of the existing have_reveal_control variable via ea4f2b9f544 s4:dsdb/objectclass_attrs: allow all backlinks even if not allowed by the schema via 732bf8164df s4:dsdb/repl_meta_data: let replmd_process_backlink() set DSDB_RMD_FLAG_HIDDEN_BL is needed via 8ee7d232b10 s4:dsdb/common: rename DSDB_RMD_FLAG_INVISIBLE to DSDB_RMD_FLAG_HIDDEN_BL via 2340443c3be s4:dsdb/repl_meta_data: let replmd_process_backlink() use the source_dn variable via c9fac2e912a s4:dsdb/repl_meta_data: let replmd_process_backlink() use dsdb_module_obj_by_guid() via 36bd0287ea7 s4:dsdb/util: split out dsdb_module_obj_by_guid() from dsdb_module_dn_by_guid() via e519416e995 s4:dsdb/repl_meta_data: check replmd_add_backlink() result in replmd_modify_la_add() via f9391ec448b s3:dsdb/repl_meta_data: fix possible memleak on error in replmd_modify_la_add() via bd3596233f2 s4:dsdb/schema: remember if a backlink attribute is not allowed on class 'top' via 21f4317acb9 s4:dsdb/tests: let a test to demonstrate the behavior of invisible backlinks via d43f6fb3004 s4:dsdb/tests: let linked_attributes.py use a container as testbase via c6e1e5aae6b script/autobuild: Use logger.debug() for debug messages (visible with --verbose) via 0b29e12dc7a script/autobuild: Use --verbose to control python logger verbosity via fdb7ec64432 script/autobuild: Use python logger to print times on log lines to aid in debugging. 
from 86b6353644d python:join: run domain adprep as part of join_provision_own_domain() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e7ef43cead4ddab85e96b176c7c9123c28a033d2 Author: Stefan Metzmacher Date: Thu Feb 9 15:04:26 2023 +0100 s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default Backlinks which are not allowed by the schema are hidden by default, so we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap way to hide the backlinks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224 commit ad3694c491a6822cb5c571b5017b650a9d1e86c1 Author: Stefan Metzmacher Date: Thu Feb 9 15:04:26 2023 +0100 s4:dsdb/extended_dn_out: use dsdb_dn_val_rmd_flags() instead of dsdb_dn_is_deleted_val() We now check for DSDB_RMD_FLAG_DELETED, as we'll check for DSDB_RMD_FLAG_HIDDEN_BL in the next step and it's better to call dsdb_dn_val_rmd_flags() just once. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 06fb5cdffdd1c5d7ac85746fd67cd8c30eb5ace4 Author: Stefan Metzmacher Date: Thu Feb 9 15:03:58 2023 +0100 s4:dsdb/extended_dn_out: make use of the existing have_reveal_control variable BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit ea4f2b9f544324d917d901e427b8629807ea9af1 Author: Stefan Metzmacher Date: Thu Feb 9 15:02:15 2023 +0100 s4:dsdb/objectclass_attrs: allow all backlinks even if not allowed by the schema This only verifies internal store operations, adding invalid forward links is already checked in other places. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 732bf8164dff8fd3b5892a7858d8baedae6ed46e Author: Stefan Metzmacher Date: Wed Mar 1 01:10:37 2023 +0100 s4:dsdb/repl_meta_data: let replmd_process_backlink() set DSDB_RMD_FLAG_HIDDEN_BL is needed If we find that the backlink should not be visible on the given objectClass by default, we now set DSDB_RMD_FLAG_HIDDEN_BL. We'll evaluate that in the next commits in order to hide the backlink by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 8ee7d232b1088f027b5f9d2bb4c11b15c3e9b0be Author: Stefan Metzmacher Date: Wed Mar 15 15:02:29 2023 +0100 s4:dsdb/common: rename DSDB_RMD_FLAG_INVISIBLE to DSDB_RMD_FLAG_HIDDEN_BL DSDB_RMD_FLAG_INVISIBLE was introduced in commit 00b39c70f57882a453a8d2e6b0f1f37fd39a2d2a, but never used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 86b6353644d python:join: run domain adprep as part of join_provision_own_domain() via 4bba26579d1 python:provision: run adprep as part of provision via f6d9f3760f7 samba-tool: let 'domain provision' to use the 2019 schema by default via 90faa58e7fb samba-tool: let 'domain schemaupgrade' to use the 2019 schema by default via 245a8aaf41f samba-tool: let 'domain functionalprep' to use functional level 2016 by default via da74c3fde10 samba-tool: allow 'domain level raise' to support level 2016 via e855fe20681 python/samba: let get_domain_descriptor() include adprep 2016 ACEs via 1e024f6568e domain_update: implement updates 82-89 in order to reach the latest w2016 level via c8f8efb31e9 forest_update: behave more like a Windows 2022 server via c405f211760 setup/adprep: import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md via c4b87dd50de setup/ad-schema: add the latest v1803 and v1903 schema files from Microsoft via dcce25ae8a7 python/samba: adapt ms_schema[_markdown].py to the latest schema definitions via b2fbfa0ff1c python/samba: adapt ms_forest_updates_markdown.py to the latest Forest-Wide-Updates.md via 17ce8beac3f python/samba: add support for LDB_CHANGETYPE_MODRDN to modify_ldif() via 167f0235865 lib/ldb: add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() via 5011221996f python/samba: add support for LDB_CHANGETYPE_DELETE to modify_ldif() via 7055ec0a0b9 lib/ldb: add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() via 3ad3c1a69d0 python/samba: let modify_ldif() verify the changetype value via e24e7b96338 lib/ldb: re-order code in ldb_ldif_to_pyobject() via cc5df80152d lib/ldb: let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix via f860e19c846 domain_update: make use of self.sd_utils.update_aces_in_dacl() via a3dac8efe4b domain_update: remove useless searches to '(objectClass=samDomain)' via c87f2606ae3 domain_update: make use of '"CN"' in sddl instead of 
using an explicit SID via a10f4f7cd25 domain_update: be more verbose about updates via a8c0e82f928 forest_update: be more verbose about updates via 65275acf058 forest_update: make use of self.sd_utils.update_aces_in_dacl() via a89b158d3f1 forest_update: we don't need any controls to update sddl attributes via f1f79a2e4b1 forest_update: only update SDDL for schema objects via 838a36c743c forest_update: ignore ldb.ERR_ATTRIBUTE_OR_VALUE_EXISTS in operation_ldif() via 7fe87d3c8de functional_prep: fix error handling in order to stop on the first error via 65653bb02c2 schema_upgrade: add support for ntdsschemamodrdn and ntdsschemadelete via 65294d56bdf python/tests: use changetype: modify in order to delete a single attribute via c35ae5a77d5 s4:dsdb/tests: use changetype: modify in order to delete a single attribute via 01400b59803 blackbox/dbcheck: also run currently unused dbcheck_reset_well_known_acls via bb09c06d6d5 libcli/security: rewrite calculate_inherited_from_parent() via a0217c50e92 s4:dsdb/tests: add more detailed tests to sec_descriptor.py via 731c85add11 s4:dsdb/tests: allow sec_descriptor.py to run against Windows 2022 via 6de4849f9ca s4:dsdb/tests: convert sec_descriptor.py to use assert[Not]In() via 2436d621d19 s4:dsdb/tests: let AclUndeleteTests.test_undelete() remove the temporary ACE again via e0a8e043d33 s4:dsdb/tests: let OwnerGroupDescriptorTests() remove temporary ACEs on cleanup via 7b0d5285361 s4:dsdb/tests: let OwnerGroupDescriptorTests.test_141() set the required ACE explicitly from 7e3cbc2c641 s4:kdc: Fix typo https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 86b6353644dc9e32d250efffab13ebde7009477d Author: Stefan Metzmacher Date: Fri Mar 17 16:48:26 2023 +0100 python:join: run domain adprep as part of join_provision_own_domain() This is currently unused as we don't support more than one domain per forest, but it will help in future. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224 commit 4bba26579d124af6c0767bb98bee67357001e1e7 Author: Stefan Metzmacher Date: Fri Mar 17 16:48:26 2023 +0100 python:provision: run adprep as part of provision With the default of base_schema=2019 we'll adprep to 2016. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f6d9f3760f7df8595a3882b3ad526326abbba1ca Author: Stefan Metzmacher Date: Thu Feb 23 15:05:01
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7e3cbc2c641 s4:kdc: Fix typo via 9d59e42a2ba s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions via c7b00ccc76f s4:kdc: Rename claims_blob to client_claims_blob via fbed57b86bc s4:kdc: Fix leak via 9c4f7e4b339 s4:kdc: Don't modify cached user_info_dc SIDs via c62937822d8 s4:kdc: Don't check PAC-OPTIONS claims-supported bit via 3e97ea3f35e s4:kdc: Have samba_kdc_update_pac() take device parameters via a326aec4c04 s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer() via 1a625702e81 libcli/security: Correctly handle ACL deletion via 545b40a70b0 s4/dsdb/repl_meta_data: Pass NULL into ldb_msg_add_empty via 211d19a04c3 ldb: Don't create error string if there is no error from 6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7e3cbc2c6418a876ab4770f1fd5ff12e8c8dae9d Author: Joseph Sutton Date: Tue Mar 21 09:43:01 2023 +1300 s4:kdc: Fix typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224 commit 9d59e42a2bacf53eda99f0a3d96f9ce4088b1ddc Author: Joseph Sutton Date: Mon Mar 20 15:16:21 2023 +1300 s4:kdc: Split samba_kdc_get_pac_blobs() into smaller functions Instead of having one large function that returns every PAC blob, we now have a more manageable assortment of smaller functions that each return one blob. That gives us more fine-grained handling of PAC blobs, with callers now able to procure only the specific blobs that they need. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c7b00ccc76f4a055dd761c929c23b014b214c4f5 Author: Joseph Sutton Date: Mon Mar 20 15:13:39 2023 +1300 s4:kdc: Rename claims_blob to client_claims_blob This will not be the only claims blob. Later there will also be a device_claims_blob. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fbed57b86bc5b358a7373c134ce26a012b4280ef Author: Joseph Sutton Date: Mon Mar 20 15:11:54 2023 +1300 s4:kdc: Fix leak Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9c4f7e4b339d6ed5ed1030f87c9a871b06987265 Author: Joseph Sutton Date: Mon Mar 20 15:02:53 2023 +1300 s4:kdc: Don't modify cached user_info_dc SIDs samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure obtained from samba_kdc_get_user_info_from_db() into samba_add_asserted_identity(). The latter function modifies the SIDs of the user_info_dc structure in order to add the Asserted Identity SID, but samba_kdc_get_user_info_from_db() actually caches that structure internally, meaning that subsequent calls will return the modified structure. We should not modify cached SIDs, so have samba_kdc_get_user_info_from_db() return a pointer to constant data, and copy the returned array of SIDs before adding the Asserted Identity SID. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c62937822d8d814a70d32efab93be721791c57f0 Author: Joseph Sutton Date: Fri Mar 17 11:57:09 2023 +1300 s4:kdc: Don't check PAC-OPTIONS claims-supported bit Windows only consults the PAC-OPTIONS claims bit to find out whether or not to add claims to the PAC if the ClaimsCompIdFASTSupport option is set to 1. If this option is set to 2 or 3, the bit is ignored and claims are always added. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3e97ea3f35e3d147b491bb2da959b0f8a6207835 Author: Joseph Sutton Date: Fri Mar 17 11:14:15 2023 +1300 s4:kdc: Have samba_kdc_update_pac() take device parameters These will be used later when we add support for compound authentication. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a326aec4c0495200d05ab8b2310f23199058167a Author: Joseph Sutton Date: Fri Mar 17 11:07:11 2023 +1300 s4:kdc: Don't pass a NULL pointer to krb5_pac_add_buffer() Heimdal contains an assertion that the data pointer is not NULL. We need to pass in a pointer to some dummy data instead. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1a625702e81ef2a6bd38c486e3056ce61da800e8 Author: Joseph Sutton Date: Mon Mar 13 10:09:15 2023 +1300 libcli/security: Correctly handle ACL deletion If there were two consecutive occurrences of an ACL to be deleted, we would miss the second one. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 545b40a70b02141ed292ddd3ff63d1f62070bb85 Author: Joseph Sutton Date
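The failure mode named in the "libcli/security: Correctly handle ACL deletion" commit above, as an added example that is not Samba's code: removing an entry shifts its successor into the current slot, so a loop that always advances skips the second of two consecutive matches and leaves that grant in place. `struct toy_ace`, `struct toy_acl` and all function names are hypothetical, and the loop shape is an assumption, since the commit's diff is not on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified ACE; not Samba's struct security_ace. */
struct toy_ace {
	uint32_t trustee;      /* stands in for a SID */
	uint32_t access_mask;
};

struct toy_acl {
	size_t num_aces;
	struct toy_ace aces[8];
};

static bool ace_equal(const struct toy_ace *a, const struct toy_ace *b)
{
	return a->trustee == b->trustee && a->access_mask == b->access_mask;
}

/* Close the gap at index i by shifting the tail down one slot. */
static void remove_at(struct toy_acl *acl, size_t i)
{
	memmove(&acl->aces[i], &acl->aces[i + 1],
		(acl->num_aces - i - 1) * sizeof(acl->aces[0]));
	acl->num_aces--;
}

/* Flawed form: after a removal the next entry sits at i, but i++ steps past it. */
size_t delete_ace_skipping(struct toy_acl *acl, const struct toy_ace *victim)
{
	size_t removed = 0;
	for (size_t i = 0; i < acl->num_aces; i++) {
		if (ace_equal(&acl->aces[i], victim)) {
			remove_at(acl, i);
			removed++;
		}
	}
	return removed;
}

/* Corrected form: advance only when nothing was removed at i. */
size_t delete_ace_all(struct toy_acl *acl, const struct toy_ace *victim)
{
	size_t removed = 0;
	size_t i = 0;
	while (i < acl->num_aces) {
		if (ace_equal(&acl->aces[i], victim)) {
			remove_at(acl, i);
			removed++;
		} else {
			i++;
		}
	}
	return removed;
}

/* Number of entries still matching victim; a non-zero result after a
 * delete means access that was meant to be revoked is still granted. */
size_t count_ace(const struct toy_acl *acl, const struct toy_ace *victim)
{
	size_t n = 0;
	for (size_t i = 0; i < acl->num_aces; i++) {
		if (ace_equal(&acl->aces[i], victim)) {
			n++;
		}
	}
	return n;
}

/* Constructed sample: trustee 2002 appears twice in a row, then once more. */
struct toy_acl sample_acl(void)
{
	struct toy_acl acl = {
		.num_aces = 5,
		.aces = {
			{ 1001, 0x00020094 },
			{ 2002, 0x001F01FF },
			{ 2002, 0x001F01FF },
			{ 3003, 0x00020094 },
			{ 2002, 0x001F01FF },
		},
	};
	return acl;
}

int main(void)
{
	const struct toy_ace victim = { 2002, 0x001F01FF };
	struct toy_acl a = sample_acl();
	struct toy_acl b = sample_acl();

	delete_ace_skipping(&a, &victim);
	delete_ace_all(&b, &victim);
	printf("skipping loop leaves %zu matching ACE(s)\n", count_ace(&a, &victim));
	printf("corrected loop leaves %zu matching ACE(s)\n", count_ace(&b, &victim));
	return 0;
}
```

A regression test for this class of bug needs an input with adjacent duplicates; a list with matches separated by other entries passes with either loop.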
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3e2eb1b0236 s4:kdc: Add client claims blob if it is present via 2e8e93fdd19 s4:kdc: Refactor PAC handling via fa901e7346d s4:kdc: Avoid copying data if not needed via 47ef49fd91f s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer() via ca8b8d1d4af s4:kdc: Fix typo via dfaae871fd2 s4:kdc: Make some parameters const via 218db60ea92 s4:kdc: Comment parameter names via 6fd5afd0424 s4:kdc: Replace 'is_untrusted' with 'is_trusted' via eb74be91bbd auth: Clear EXTRA_SIDS flag if no Extra SIDs are present via 19c871bf6e0 dsdb periodic: DNS: Add missing newlines to debug messages via 3c5296d9aea winbindd: Show warning message on tc connection errors too via ed0b850e3dc wafsamba: Remove unused configure check via 0f244bd1145 selftest: Clean up socket when finished via dfe759c1fd9 selftest: Don't use invalid escape sequences via 5c8fbeb61e6 tests/krb5: Test that denied attributes are still issued in claims via fd64bae7b4e tests/krb5: Add functions to fetch the schemaIDGUID of an attribute or class via 1b5c57c3059 tests/krb5: Check that test parameters are not going unseen via a85d26fd741 tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set via 223ef8b7850 tests/krb5: Test that RODC-issued device groups are regenerated via e1a573a6595 tests/krb5: Test that RODC-issued claims are regenerated via 9d759472920 tests/krb5: Add tests for RODC-issued armor tickets via ee43e004e9e tests/krb5: Add tests for constrained delegation with RODC-issued tickets via 883d2642848 tests/krb5: Add remove_client_claims_tgt_from_rodc() via 7a5562f2824 tests/krb5: Let ticket_with_sids() create RODC-issued tickets via 04b6f769d16 tests/krb5: Add signed_by_rodc() via a9f127e6e27 tests/krb5: Move issued_by_rodc() to base class via 3a6e2a283c3 tests/krb5: Fix additional_details account creation caching via 9a2f6cdc00d tests/krb5: Add simple resource-based constrained delegation test via addfef3d582 tests/krb5: Only add AES enctype bits 
at domain functional level 2008 and above via 12a1fabd121 tests/krb5: Cache drsuapi connection via f90a46765a0 tests/krb5: Generate full ticket signatures with trailing RODC id via 7e7c692adbc python:ndr: Use f-string to format exception message from 795bab56291 lib:ldb: Correctly cast pointers for assert_string_equal() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3e2eb1b02366c380f1ca4d112f10e2663c1b2fef Author: Joseph Sutton Date: Fri Mar 17 09:04:51 2023 +1300 s4:kdc: Add client claims blob if it is present Until we support claims we just return an empty blob, that matches what Windows is doing without defined claims. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 20 01:25:07 UTC 2023 on atb-devel-224 commit 2e8e93fdd196f885b1811457e3a6d2d9c5c63f05 Author: Joseph Sutton Date: Fri Mar 17 08:02:24 2023 +1300 s4:kdc: Refactor PAC handling It's getting unwieldy adding new PAC buffer types when each one has to have its own handling. It also makes the possibility of mistakes more likely. Add a new container, 'struct pac_blobs', containing the types of PAC buffers in a given PAC, with an index for quick access to the types we support specifically. We can add new blobs (overriding existing ones) by calling pac_blobs_add_blob(), and override certain blobs that must be present with pac_blobs_replace_existing(). This removes the need to have a complicated 'switch' statement with different logic for each PAC buffer type, or a dozen index variables. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fa901e7346d36ae64a7ceab5dcf76bc210a67c93 Author: Joseph Sutton Date: Fri Mar 17 09:16:17 2023 +1300 s4:kdc: Avoid copying data if not needed krb5_pac_add_buffer() makes its own copy of the data we pass in. We don't need to make yet another copy. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 47ef49fd91f050ce4a79a8471b3e66c808f48752 Author: Joseph Sutton Date: Fri Mar 17 09:25:52 2023 +1300 s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer() Heimdal contains an assertion that the data pointer is not NULL. We need to pass in a pointer to some dummy data instead. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ca8b8d1d4af0a2445efef723eaa4160399e87162 Author: Joseph Sutton Date: Thu Mar 16 16:47:15 2023 +1300 s4:kdc: Fix typo Signed-off-by: Joseph
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b4a6c054ec6 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time via cad96f59a08 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate via 4fa0242b9d3 python:netcmd: Decode return value of find_netbios() from bytes into string via bfc33b47bb4 dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join via 2d41bcce83a selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join via 5a7a28cc458 tsocket: Increase tcp_user_timeout max_loops from 7ee725f2860 idmap_hash: remember new domain sids in idmap_hash_sid_to_id() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b4a6c054ec6acefacd22cb7230a783d20cb07c05 Author: Andrew Bartlett Date: Mon Mar 13 17:20:00 2023 +1300 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time This reduces the elapsed time to 6m from 20m on my laptop. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224 commit cad96f59a08192df927fb1df4e9787c7f70991a2 Author: Andrew Bartlett Date: Mon Mar 13 14:25:56 2023 +1300 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate The value can be quite large, the allocation will take much longer than the actual match and is repeated per candidate record. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 4fa0242b9d34decd8dbd813be40655a593df3db9 Author: Andreas Schneider Date: Fri Mar 10 09:08:48 2023 +0100 python:netcmd: Decode return value of find_netbios() from bytes into string ERROR(): uncaught exception - replace() argument 1 must be str, not bytes File "bin/python/samba/netcmd/__init__.py", line 230, in _run return self.run(*args, **kwargs) ^ File "bin/python/samba/netcmd/ldapcmp.py", line 966, in run if b1.diff(b2): ^^^ File "bin/python/samba/netcmd/ldapcmp.py", line 790, in diff if object1 == object2: ^^ File "bin/python/samba/netcmd/ldapcmp.py", line 557, in __eq__ return self.cmp_attrs(other) ^ File "bin/python/samba/netcmd/ldapcmp.py", line 656, in cmp_attrs p = [self.fix_domain_netbios(j) for j in m] ^^^ File "bin/python/samba/netcmd/ldapcmp.py", line 656, in p = [self.fix_domain_netbios(j) for j in m] ^^ File "bin/python/samba/netcmd/ldapcmp.py", line 542, in fix_domain_netbios res = res.replace(self.con.domain_netbios.lower(), self.con.domain_netbios.upper()) ^ BUGS: https://bugzilla.samba.org/show_bug.cgi?id=15330 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit bfc33b47bb428233e100f75e7a725ac52179f823 Author: Andrew Bartlett Date: Thu Mar 9 20:25:06 2023 +1300 dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join "samba-tool domain join" uses the replication API in a strange way, perhaps no longer required, except that we often still have folks upgrading from very old Samba versions. When deferring the writing out to the DB of link replication to the very end, there is a greater opportunity for the deletion of an object to have been sent with the other objects, and have the link applied later. This tells the repl_meta_data code to behave as if GET_TGT had been sent at the time the link was returned, allowing a link to a deleted object to be silently discarded. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 2d41bcce83a976b85636c92d6fc38c63fdde5431 Author: Andrew Bartlett Date: Thu Mar 9 17:02:35 2023 +1300 selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join "samba-tool domain join" uses the replication API in a strange way, perhaps no longer required, except that we often still have folks upgrading from very old Samba versions. By deferring the writing out to the DB of link replication to the very end, we have a better chance that
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 78635d55fb8 audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type via 35aa7db6414 audit_logging:tests: Add big_int test for `json_add_int` via b3146763a45 lib:util: prefer mallinfo2() over mallinfo() if available from f55a357c6b9 dsgetdcname: do not assume local system uses IPv4 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 78635d55fb819d422d0c4c32bb63aab95f735e4b Author: Li Yuxuan Date: Thu Mar 9 11:11:28 2023 +0800 audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type Functions like `add_lock_to_json` and `add_profile_item_to_json` pass some values to `json_add_int` with `intmax_t` types. This may cause arithmetic overflow when the value grows very fast, such as the read_bytes profiling data. Use `json_add_int` instead of `int` to avoid the overflow. RN: Make json output show intmax_t value properly Signed-off-by: Li Yuxuan Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 9 21:33:43 UTC 2023 on atb-devel-224 commit 35aa7db641484b33ff55a7d8fe2d21c6b411f847 Author: Li Yuxuan Date: Tue Mar 7 10:52:47 2023 +0800 audit_logging:tests: Add big_int test for `json_add_int` Show that `json_add_int` can't handle value larger than int32 due to overflow. Add knownfail. Signed-off-by: Li Yuxuan Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b3146763a45d3a52ae1f669ad1b37155f67a16e6 Author: Dmitry Antipov Date: Tue Feb 7 18:09:15 2023 +0300 lib:util: prefer mallinfo2() over mallinfo() if available Prefer mallinfo2() with 'size_t' fields over deprecated mallinfo() (with 'int' fields which may wrap around zero and so be inaccurate on a 64-bit system) and move relevant checks to lib/util/wscript_configure because mallinfo() is not used beyond 'samba-util'. Suggested-by: Andreas Schneider 
Signed-off-by: Dmitry Antipov Reviewed-by: Volker Lendecke Reviewed-by: Andrew Bartlett --- Summary of changes: lib/audit_logging/audit_logging.c| 14 +++- lib/audit_logging/audit_logging.h| 2 +- lib/audit_logging/tests/audit_logging_test.c | 11 +- lib/util/talloc_report_printf.c | 33 lib/util/wscript_configure | 12 ++ source3/wscript | 12 -- 6 files changed, 60 insertions(+), 24 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c index 43acf9512c9..3ab14b2a187 100644 --- a/lib/audit_logging/audit_logging.c +++ b/lib/audit_logging/audit_logging.c @@ -385,31 +385,33 @@ bool json_is_invalid(const struct json_object *object) *-1 the operation failed * */ -int json_add_int(struct json_object *object, const char *name, const int value) +int json_add_int(struct json_object *object, const char *name, const json_int_t value) { int ret = 0; json_t *integer = NULL; if (json_is_invalid(object)) { - DBG_ERR("Unable to add int [%s] value [%d], " + DBG_ERR("Unable to add int [%s] value [%jd], " "target object is invalid\n", name, - value); + (intmax_t)value); return JSON_ERROR; } integer = json_integer(value); if (integer == NULL) { - DBG_ERR("Unable to create integer value [%s] value [%d]\n", + DBG_ERR("Unable to create integer value [%s] value [%jd]\n", name, - value); + (intmax_t)value); return JSON_ERROR; } ret = json_object_set_new(object->root, name, integer); if (ret != 0) { json_decref(integer); - DBG_ERR("Unable to add int [%s] value [%d]\n", name, value); + DBG_ERR("Unable to add int [%s] value [%jd]\n", + name, + (intmax_t)value); } return ret; } diff --git a/lib/audit_logging/audit_logging.h b/lib/audit_logging/audit_logging.h index 49576ece68d..eb7c103944d 100644 --- a/lib/audit_logging/audit_logging.h +++ b/lib/audit_logging/audit_logging.h 
@@ -58,7 +58,7 @@ _WARN_UNUSED_RESULT_ bool json_is_invalid(const struct json_object *object); _WARN_UNUSED_RESULT_ int json_add_int(struct json_object *object,
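Review bot: in json_add_int() the parameter becomes `const json_int_t value`, but the commit message says callers such as add_lock_to_json and add_profile_item_to_json pass intmax_t, so wherever json_int_t is narrower than intmax_t the value is still truncated at the call site, and the `(intmax_t)value` casts in the three DBG_ERR calls would then log the already-truncated number. Suggest documenting the accepted range in the comment block above the function (the one ending "-1 the operation failed") and noting beside the prototype in audit_logging.h that it now depends on jansson's json_int_t. The commit message also reads "Use `json_add_int` instead of `int`", where the subject line shows `json_int_t` is meant.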
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 403598b3076 s4-dsdb:tests: Correctly handle LdbError via 38468aa6e8f s4-dsdb:tests: Fix AD DC performance tests via d5f053711bd ldb: Make ldb_msg_remove_attr O(n) via 598eaa34741 tests/krb5: Remove old device info and device claims tests via 0153f6c1f4d tests/krb5: Add tests for device claims via 0ac800d0081 tests/krb5: Add tests for device info via 24ee602acb2 tests/krb5: Overhaul check_device_info() via fa3d693b28f tests/krb5: Allow creating a target server account with or without compound ID support via 53400a6dfeb tests/krb5: Don't specify extra enctypes for the krbtgt via 77188f48824 tests/krb5: Allow adding members to a group and changing its type in a single operation via 75154702d2f tests/krb5: Add test for compressed claim via 5c744ff9f79 tests/krb5: Test we get correct values for integer syntax claims via 3550173c804 tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid() via d95b4303ea3 tests/krb5: Allow group_setup to be None in setup_groups() via 98393d7bfa0 tests/krb5: Test more descriptive security descriptor via 567f30c5740 tests/krb5: Document and tidy up existing claims tests via 23ce6f30e28 tests/krb5: Allow creating accounts supporting claims or compound identity separately via ad19dd100f6 tests/krb5: Make arguments to get_target() keyword arguments via 644c4ae8d0f tests/krb5: Split out device info checking into new method via 60c07a49d76 tests/krb5: Fix typo via 662639e8ee3 tests/krb5: Move some claims tests around via cbd0955bbd7 tests/krb5: Add type to expect a value is one of a set of possible types via 2c6ff2ad07d tests/krb5: Allow comparing UnorderedLists only with one another via 3c333037cd2 tests/krb5: Unconditionally check compressed claims via 04fd475b434 tests/krb5: Remove unused import from a1780ed8d1b rpcd: With npa->need_idle_server we can have more than 256 servers https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 
403598b3076896287c84059a93569f0e0f3efb80 Author: Joseph Sutton Date: Fri Feb 17 16:32:42 2023 +1300 s4-dsdb:tests: Correctly handle LdbError Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Mar 8 05:37:08 UTC 2023 on atb-devel-224 commit 38468aa6e8fd8db3aec9c860ab5c8edf1be83e3c Author: Joseph Sutton Date: Fri Feb 17 11:46:09 2023 +1300 s4-dsdb:tests: Fix AD DC performance tests Calling cmd._run() directly would fail due to the 'command_name' attribute being absent, so these tests would fail to run. Fix this by using the samba.netcmd.main.samba_tool helper function. Check the return code as well for good measure. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d5f053711bd5b78f2eff035b4b287995ae286901 Author: Joseph Sutton Date: Fri Jan 27 08:06:47 2023 +1300 ldb: Make ldb_msg_remove_attr O(n) Previously it was O(n²). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 598eaa3474191d29ab2f1a356a26e479a441a198 Author: Joseph Sutton Date: Fri Mar 3 11:33:15 2023 +1300 tests/krb5: Remove old device info and device claims tests They have been made superfluous by newer declarative tests in claims_tests.py and device_tests.py. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0153f6c1f4dfc56608e767ec4a8ad25c0f1b1867 Author: Joseph Sutton Date: Fri Mar 3 12:20:38 2023 +1300 tests/krb5: Add tests for device claims These test the interaction between claims and groups in the PAC. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0ac800d0081fb893effaa555d3117102556a7b75 Author: Joseph Sutton Date: Fri Mar 3 11:48:22 2023 +1300 tests/krb5: Add tests for device info These tests verify that the groups in the device info structure in the PAC are exactly as expected under various scenarios. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 24ee602acb2ec5aea1c52edce8740a1982fb12be Author: Joseph Sutton Date: Fri Mar 3 13:41:19 2023 +1300 tests/krb5: Overhaul check_device_info() With expected_device_groups, tests can now specify particular group arrangements they expect to see. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fa3d693b28f3079e1f813dcbcd74007f238df56f Author: Joseph Sutton Date: Fri Mar 3 13:24:17 2023 +1300 tests/krb5: Allow creating a target server account with or without compound ID support Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartl
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c28f61b6bbd Add a git-blame-ignore-revs file via 8e830d76083 samba-tool: Clarify cse register command file dest via 1fa162a13b4 librpc: Fix compile error for libnet_join.idl via f2416493c0c s4: remove unused lib/com/* via d128d401f0a s3:rpc_server/netlogon: Fix typo via a470394f588 torture/backupkey: Fix possibly wrong typo'd array index via aa90354e242 torture/backupkey: Fix flapping test via 264351f5c35 pytest/delete_object: Remove unused variables via 1f5e34bdaca pytest/getnc_exop: Remove unused variable via e2df264e7c5 pytest/repl_move: Remove unused variables via 44f05afe82a pytest/repl_rodc: Remove unused variable via bf2daf79d68 pytest/replica_sync: Remove unused variable via 13f386d7d77 pytest/ridalloc_exop: Remove unused variables via c6f1b83e97d pytest/samba_tool_drs_critical: Remove unused variables via 8042e3250d8 pytest/samba_tool_drs_no_dns: Remove unused variables via 72a93e66a82 pytest/samba_tool_drs: Remove unused variables via 7bf6fa05b02 pytest/samba_tool_drs: Convert bytes to UTF-8 string via d2063568ceb lib:cmdline: Fix typo via 16e6435b082 auth/credentials: Fix typos via 4c6bd559ff2 python/schema: Fix conversion to UTF-8 string via 9e6f3df5d82 python/samba/common: Fix typos via 262b40d8330 auth/credentials: Fix off-by-one buffer write via 1312b2d1699 samba-tool: Don't use invalid escape sequences via 65ab33dffab gp: Don't use invalid escape sequences via 5badc3f gp: Avoid shadowing import via 8c06c7e2f7a s4:samba_spnupdate: Fix typo via f4e4816fcd6 selftest: Fix typo via fdc5f6ee995 s4:samba_dnsupdate: Avoid resource leaks via 0d8836482a1 s4:samba_spnupdate: Avoid resource leak via 60682e2aee4 python/samba: Avoid resource leak via 8d48ca46980 selftest: Don't use invalid escape sequences via fa4ddb887ab samba_version.py: Avoid resource leak via d8d872e0950 wscript: Fix invalid escape sequences via 433247a792a s3:modules: Fix invalid escape sequences via 374a03eddd1 selftest: Fix invalid escape sequences 
via 474674ac7db lib:pyldb: Throw error on invalid controls via 207a212948f lib:ldb: Fix typo via f414bead52d s4:dnsserver: Check all records, not just one via a34e245bb28 nsswitch: Fix CID 1518966 Resource leaks (RESOURCE_LEAK) via e7baac45a9d s4-dsdb: Make array static via e8514527bed tests: Fix old-style function definitions via b73622bf53f source3/wscript: Fix configure-time checks via fb781f426b7 tests/krb5: Fix typo via 533fb8fa0db tests/krb5: Add tests adding a user to a group prior to a TGS-REQ via 646b62f7604 tests/krb5: Permit modifying claim attributes mid-test via fe9aa394258 tests/krb5: Split out setup_claims() via 5cc48da43ee tests/krb5: Generate more readable string representation via abe36c2c716 tests/krb5: Add map_to_dn() via 991958c9588 tests/krb5: Refactor out map_to_sid() via 033e79d40c0 tests/krb5: Avoid duplicate group members via 285f042e2ff tests/krb5: Move ticket_with_sids() to base class via e94b4e8c77b tests/krb5: Support nested SID structures in map_sids() via 61cc949a5e7 tests/krb5: Move some utility functions from group_tests to base class via 3eac35212ec tests/krb5: Remove unused constant via b4da5eaa2fc tests/krb5: Refactor setup_groups() to admit multiple preexisting principals and primary groups via 6d19f78cdd5 tests/krb5: Fix typo via c00813b94b7 tests/krb5: Fix typo via 9bec86229fd tests/krb5: Refactor claims tests to use get_target() via 49605b5e89a tests/krb5: Move get_target() to base class via 4ae7f1cb987 tests/krb5: Remove client_as_etypes parameter via 3b522e23524 tests/krb5: Request only supported encryption types in get_tgt() via d4d3f93470f tests/krb5: Lazily fetch SamDB in get_default_enctypes() via 3861d7e09eb tests/krb5: Refactor decode_service_ticket() from 682c77be74b s4:torture:basic: use milliseconds granularity in delayed_write_update7 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c28f61b6bbd5cc1caefcba4b00a6898c91403904 Author: Jelmer Vernooij Date: Sat Jan 28 20:30:24 2023 + Add a 
git-blame-ignore-revs file 'git blame' can ignore certain revisions when annotating, e.g. revisions that are just reformatting. Signed-off-by: Jelmer Vernooij Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 3 02:02:51 UTC 2023 on atb-devel-224 commit 8e830d760839eb16c2f6edc9d5395966d2f02f6f Author: David Mulder Date
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5cb8805811e python: fix mutable default arguments via e7c87b1d9bd selftest: source3: fix mutable default arguments via c9535526f08 selftest: source4: fix mutable default arguments via 92732858860 buildtools: fix mutable default arguments via 4717a58f6ce selftest: fix mutable default arguments via f582caad831 selftest: fix typo in test comment via 70fe6020b5b selftest: fix scope and attrs not passed to search via 8a7a779df5d selftest: fix invalid loop variables uid and gid via 3687ab318a9 selftest: fix flapping samba-tool drs showrepl test via 1368e359b2a selftest: make two samba-tool drs tests generic via 2388db932bb selftest: specify env rather than picking it up from loop via ecb628dd485 selftest: remove unused import via 739ebf46c4c selftest: pep8: too many blank lines via e9db5297673 selftest: Fix some typos in selftest tests.py from 5c051eacd42 selftests: Make sure print queue is empty before printing_var_exp test ends https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5cb8805811ee5e5a880c1c2d42f4fd9b195abe75 Author: Rob van der Linde Date: Thu Feb 23 15:54:37 2023 +1300 python: fix mutable default arguments Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Feb 23 23:33:46 UTC 2023 on atb-devel-224 commit e7c87b1d9bd10280bff69f1acaf292364b79d496 Author: Rob van der Linde Date: Thu Feb 23 15:54:21 2023 +1300 selftest: source3: fix mutable default arguments Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit c9535526f08141fc5853f5a198bc76f0184e66fe Author: Rob van der Linde Date: Thu Feb 23 15:53:58 2023 +1300 selftest: source4: fix mutable default arguments Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 92732858860072f98d358bb89ace00856b469bfa Author: Rob van der Linde Date: Thu Feb 23 15:52:21 2023 +1300 
buildtools: fix mutable default arguments Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 4717a58f6ceb40f2fb3d990191f86d18283146b8 Author: Rob van der Linde Date: Thu Feb 23 15:51:48 2023 +1300 selftest: fix mutable default arguments Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit f582caad83119b8c928cb3b26e907d889af30923 Author: Rob van der Linde Date: Thu Feb 23 15:50:53 2023 +1300 selftest: fix typo in test comment Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 70fe6020b5b6669de6cd12572a18c5ab49537d65 Author: Rob van der Linde Date: Thu Feb 23 15:49:11 2023 +1300 selftest: fix scope and attrs not passed to search Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 8a7a779df5df40cd4b8003b9082cb2e3f22545c9 Author: Rob van der Linde Date: Thu Feb 23 15:46:43 2023 +1300 selftest: fix invalid loop variables uid and gid Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 3687ab318a9553883d8c0d1214e2d49b83ec91ba Author: Rob van der Linde Date: Thu Feb 23 16:56:30 2023 +1300 selftest: fix flapping samba-tool drs showrepl test Test should have been using "schema_pair_dc", it was picking this up from the variable env in the loop above it. However, it was hardcoded to use promoted_dc. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316 Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 1368e359b2a75b6b683aff274b2b2084f3cd469b Author: Rob van der Linde Date: Thu Feb 23 16:56:07 2023 +1300 selftest: make two samba-tool drs tests generic BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316 Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 2388db932bb5a356a070f8f2f8550434e2d68730 Author: Rob van der Linde Date: Thu Feb 23 16:18:42 2023 +1300 selftest: specify env rather than picking it up from loop Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit ecb628dd4855132850d6972333c7d56c9fcaa363 Author: Rob van der Linde Date: Thu Feb 23 11:54:16 2023 +1300 selftest: remove unused import Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 739ebf46c4c7585525c4f03b78e864
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5c051eacd42 selftests: Make sure print queue is empty before printing_var_exp test ends via a0996ef86fd Skip running a C program during cross compilation via a4307072d6e python:tests: Make sure we delete the OU for movetest via 69442ae1072 python:tests: Add missing result checks for samba_tool.gpo tests via c4dba61e369 python:tests: Tell dns.resolver to not read /etc/resolv.conf via 804fb07259b python:tests: Fix domain_backup test with Python 3.11 via af27b1d3757 python:tests: Make sure we do not run into issues with already existing users via ae315397a65 python:tests: Use a random machine name for computer_edit.sh test via 8ff1ccc6d6d python:tests: Correctly escape $ in computer_edit.sh via e846a9df603 python:tests: Use a random username for contact_edit.sh test via af1324e3be2 python:tests: Correctly escape $ in contact_edit.sh via 0bcdba952ec python:tests: Use a random username for user_edit.sh tests via a78c38e1f11 python:tests: Correctly escape $ in user_edit.sh via a3b80b656f1 testprogs: Use random user names for kpasswd tests via 5595765d4e5 testprogs: Use random usernames for export keytab tests via 93c7bbf4d2d testprogs: Use random usernames for kinit tests from 0eb459edd8a talloc: remove Python 2 #if clauses https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5c051eacd425f322995ab53fce74028e44109046 Author: Samuel Cabrero Date: Fri Feb 17 17:22:39 2023 +0100 selftests: Make sure print queue is empty before printing_var_exp test ends Although "lpq cache time" is 0 in the test environment the "print_queue_length()" function can still return cached results. This is because the print_queue_length() function calls print_queue_update(), which just sends MSG_PRINTER_UPDATE to the samba-bgqd daemon and returns without waiting for the daemon to update it. 
This behavior causes problems in the selftests between samba3.blackbox.printing_var_exp and samba3.rpc.spoolss.printserver because when the latter enumerates the printers at different levels and compares the results the number of jobs can differ depending if samba-bgqd updates the cache in between print_queue_update() and get_queue_status() in the print_queue_length() function: test: samba3.rpc.spoolss.printserver.printserver.enum_printers(nt4_dc) time: 2023-02-17 13:07:34.043842Z Testing EnumPrinters level 0 Testing EnumPrinters level 1 Testing EnumPrinters level 2 Checking EnumPrinters level 0 printer print_var_exp (ref print_var_exp) time: 2023-02-17 13:07:34.285992Z failure: samba3.rpc.spoolss.printserver.printserver.enum_printers(nt4_dc) [ Exception: Exception: ../../source4/torture/rpc/spoolss.c:1132: cur->info0.cjobs was 1 (0x1), expected 0 (0x0): invalid value To fix it, make sure the queue is empty before printing_var_exp test ends. Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Feb 20 22:58:44 UTC 2023 on atb-devel-224 commit a0996ef86fddea45b53e197f520ab8111a10e5c0 Author: Helmut Grohne Date: Sun Feb 5 21:18:13 2023 + Skip running a C program during cross compilation When passing --cross-compile, one has to specify a --cross-answers file and this test cannot be performed anyway, so skip it already. 
Signed-off-by: Helmut Grohne Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit a4307072d6ea5ddef5b37aa361e9e9f16f7254e7 Author: Andreas Schneider Date: Wed Feb 8 15:44:43 2023 +0100 python:tests: Make sure we delete the OU for movetest UNEXPECTED(failure): samba.tests.samba_tool.group.samba.tests.samba_tool.group.GroupCmdTestCase.test_move(ad_dc_default:local) REASON: Exception: Exception: Traceback (most recent call last): File "python/samba/tests/samba_tool/group.py", line 341, in test_move self.assertCmdSuccess(result, out, err) File "python/samba/tests/samba_tool/base.py", line 97, in assertCmdSuccess self.assertIsNone(exit, msg=msg.replace("\n]\n", "\n] \n")) AssertionError: -1 is not None : exit[-1] stdout[] stderr[ERROR(ldb): Failed to add ou "OU=movetest,DC=addom,DC=samba,DC=example,DC=com" - Entry OU=movetest,DC=addom,DC=samba,DC=example,DC=com already exists BUG: https://bugzilla.samba.org/show_bug.cgi?id=15308 Signed-off-by: Andreas Schneider Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 69442ae1072eb6dc4c9903122d613c1756ca57c7 Author: Andreas Schneider Date: Thu Feb 9 18:32:59 2023 +0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 075bd6b9f15 s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc() via 6f09f06adca auth: Free empty SID arrays via 77036bba013 tests/krb5: Use consistent ordering for etypes via e5a6b001fd2 auth: Discard non-base SIDs when creating SamInfo2 via 690748412ec tests/krb5: Test groups returned by SamLogon via 718da90414d tests/krb5: Return validation structure from _test_samlogon() via f38d4a33a6f tests/krb5: Allow tests to set SamLogon validation level via f44943b2bae tests/krb5: Move _test_samlogon() to base class via d2dc8370dd1 s4/dsdb/samldb: Disallow setting a domain-local group as a primary group via 4f2f3162138 selftest: Expect setting domain-local group as primary group to fail via 1c3a8fa20c7 auth: Correct primary group handling via 4e213629356 s4-dsdb: Use correct primary group SID in token group test via 39e2413585f s4:torture: Remove assertion that primary group is not duplicated in user_info_dc via 96485d8e164 tests/krb5: Add tests for the primary group via e00eeed9d2b auth: Align integer types via 24512accc7a s4-dsdb: Simplify search expression via c17e46a2311 ldap: Make use of LDB_OID_COMPARATOR constants via 618d95822ed ldap: Cut down on string substitution via e20067c52d6 auth: Make more liberal use of SID index constants via 5147f011d9b auth: Shorten long SID flags combinations via e3fdb2d0015 s4:kdc: Add resource SID compression via 14d94460ca1 auth: Pass through entire PAC flags value in auth_user_info via 8aef16bbbc1 named_pipe_auth: Bump info5 to info6 via 5043bbed999 s4:torture: Make use of torture_assert_sid_equal() via 61e4ad691b9 tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling via 9a362f99e0e tests/krb5: Allow setting or resetting PAC flags via 0245a588f4f tests/krb5: Add group tests simulating PACs from a trusted domain via bd4af42130c tests/krb5: Allow changing the SID of a user's PAC via 11aa940fb34 tests/krb5: Add some more test cases for PAC group handling via 
7831634be37 tests/krb5: Improve assertion failure message via 4ec34d297d0 tests/krb5: Remove tests of KDCs without resource SID compression support via c21d5bf6740 s4: Add 'const' to some parameters via c00fe707937 s4-dsdb: Make sid_list_match() static via 6dab2ecddf6 s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups() via 3d846db42db auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set via c7b76764dc1 auth: Remove early return from make_user_info_dc_pac() via 94cda2dfd58 auth: Exclude resource groups from a TGT via 673ee782d97 s4:torture: Assert that group attributes match via 7050e057429 auth: Store group attributes in auth_user_info_dc via 53d72c87e63 s4-dsdb: Add samdb_result_dom_sid_attrs() via 8ef6e7dba7f libcli/security: Add auth_SidAttr utility functions via c0011bcdc8d auth.idl: Add auth_SidAttr type via 2debc394001 s4:torture: Skip over asserted identity SIDs when comparing groups via c7104fd8ecf s4:torture: Zero-initialise netr_NetworkInfo structure via 449163b21d3 tests/krb5: Declare supported encryption types of service account from 024571a7a85 waf: Add support for MemorySanitizer https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 075bd6b9f1572c539dbed0d790059a9c6b882137 Author: Andrew Bartlett Date: Wed Feb 8 10:59:56 2023 +1300 s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc() It is up to the caller to choose if it wants to clean up the user_info_dc memory early, we do so only in the KDC as was allocated on a context provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses a locally managed tevent state as the memory context. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Feb 8 01:05:47 UTC 2023 on atb-devel-224 commit 6f09f06adcae036a7197cb1bffaac86ab0c72945 Author: Joseph Sutton Date: Thu Dec 22 12:50:26 2022 +1300 auth: Free empty SID arrays In the unlikely event that these arrays are empty, they can be freed early. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 77036bba013751021f7229f0d78011298b634501 Author: Joseph Sutton Date: Mon Dec 19 13:43:08 2022 +1300 tests/krb5: Use consistent ordering for etypes The 'etype' field in a Kerberos request is ordered. Make this fact clearer by using a tuple or an array to represent etypes rather than a set. get_default_enctypes() now
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e26a01a48c4 pidl: avoid py compile issues with --pidl-developer via b2a2eeb6f99 tevent/pytevent: remove no-op define via 8f2f3b00c2f tevent/pytevent: remove py2 ifdefs via c0ef6ca98bb tdb/pytdb: remove useless HAVE_ITER non-flag via fe0ee4c tdb/pytdb: remove py ifdefs via 310eafdb7b3 s4/ndr/py_security: remove python 2 ifdefs via ddbe69afbd1 s4/ndr/py_misc: remove python 2 ifdefs via 38d0147f6a5 ldb/pyldb: remove py2 ifdefs via 5723737ebb1 gp: Test samba-tool gpo cse register/unregister/list via 3eee4415bca gp: samba-tool gpo cse register/unregister/list from 851127f5c9a Python: remove pydoctor https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e26a01a48c4a6ca6f9424ced72eda68e6eb1e7e3 Author: Douglas Bagnall Date: Fri Dec 9 10:36:30 2022 +1300 pidl: avoid py compile issues with --pidl-developer We get these warnings-as-errors: librpc/gen_ndr/py_netlogon.c:61903:53: error: stray ‘\’ in program 61903 |PyErr_Format(PyExc_TypeError, "Expected type %s",\ // Parse::Pidl::Samba4::Python::ConvertObjectFromPythonData lib/Parse/Pidl/Samba4/Python.pm:2005 but the '\' is unnecessary and unconventional anyway, since we're in a function argument list. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Feb 3 03:27:54 UTC 2023 on atb-devel-224 commit b2a2eeb6f99a7e10412317964de1d50802f4ddf4 Author: Douglas Bagnall Date: Wed Feb 1 13:19:56 2023 +1300 tevent/pytevent: remove no-op define Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 8f2f3b00c2fb3aade9f136d758e76d4ce9601ae2 Author: Douglas Bagnall Date: Wed Feb 1 13:17:21 2023 +1300 tevent/pytevent: remove py2 ifdefs Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit c0ef6ca98bb9d494c5810313d8ab30b149e82953 Author: Douglas Bagnall Date: Wed Feb 1 13:08:27 2023 +1300 tdb/pytdb: remove useless HAVE_ITER non-flag 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit fe0ee4cdc1ee50788d5d727f50cb8abde476 Author: Douglas Bagnall Date: Wed Feb 1 13:06:24 2023 +1300 tdb/pytdb: remove py ifdefs This already would not compile with Python 2, because Py_TPFLAGS_HAVE_ITER is not defined Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 310eafdb7b3b594c3e2340520b4eadd1fa813497 Author: Douglas Bagnall Date: Wed Feb 1 12:55:18 2023 +1300 s4/ndr/py_security: remove python 2 ifdefs Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit ddbe69afbd1b93f69d8ed21b08ad03925de1db73 Author: Douglas Bagnall Date: Wed Feb 1 12:54:49 2023 +1300 s4/ndr/py_misc: remove python 2 ifdefs Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 38d0147f6a535b09a5b59f0aba8af23c9e0d2115 Author: Douglas Bagnall Date: Wed Feb 1 12:52:59 2023 +1300 ldb/pyldb: remove py2 ifdefs Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 5723737ebb12d1f6d13863b685bbbd362026dc69 Author: David Mulder Date: Fri Jan 13 09:07:38 2023 -0700 gp: Test samba-tool gpo cse register/unregister/list Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 3eee4415bca6645e35da93d15d399ac85db9c126 Author: David Mulder Date: Fri Jan 13 09:05:26 2023 -0700 gp: samba-tool gpo cse register/unregister/list Add samba-tool commands for managing registration of Client Side Extensions. Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett --- Summary of changes: lib/ldb/pyldb.c | 22 --- lib/tdb/pytdb.c | 48 +-- lib/tevent/pytevent.c| 17 -- pidl/lib/Parse/Pidl/Samba4/Python.pm | 8 +-- python/samba/netcmd/gpo.py | 110 +++ python/samba/tests/samba_tool/gpo.py | 35 +++ source4/librpc/ndr/py_misc.c | 24 source4/librpc/ndr/py_security.c | 24 8 files changed, 150 insertions(+), 138 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 238a7550deb..7a95a58fa67 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c 
@@ -84,8 +84,6 @@ static struct ldb_message_element *PyObject_AsMessageElement( const char *attr_name); static PyTypeObject PyLdbBytesType; -#if PY_MAJOR_VERSION >= 3 - #define PYARG_STR_UNI "es" static PyObject *PyLdbBytes_FromStringAndSize(const char *m
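Review bot: At the removed `#if PY_MAJOR_VERSION >= 3` in front of `#define PYARG_STR_UNI "es"`, the matching `#else`/`#endif` falls outside the part of the hunk shown here, so check that the Python 2 branch of this conditional is deleted in the same commit and that no orphaned `#endif` is left behind. The sibling tdb/pytdb commit states why the removal is safe; the ldb/pyldb commit message has no body, and one line saying that Python 2 builds are no longer supported would document the intent.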
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f6712c70986 script:autobuild: Make sure we can send a failure mail via 41aa379abb3 python: Replace calls to deprecated methods via a15208f60bb samba-tool: Use ntstatus constants in gpo commands via a4530c153e3 samba-tool: Test gpo show/load handling of utf-16-le strings via 3b0d78a3fdc samba-tool: gpo show/load handle utf-16-le strings via e6032703606 samba-tool: gpo load provide option for replace vs merge via 6f373603720 samba-tool: gpo load set ntacl with SYSVOL file creation via e7737d6bb27 samba-tool: gpo load add Registry ext by default via a3452147129 samba-tool: gpo load extension names via 00e40f9f924 samba-tool: gpo load/remove increment GPT.INI via ea619d704e4 samba-tool: gpo load/remove bytes via dc6725336ad samba-tool: Test gpo load/remove commands via ee37e3cd32e samba-tool: gpo load/remove commands via a0f8d7ca05e samba-tool: Move smb_connection to a common file via d6194600c19 samba-tool: Move create_directory_hier to a common file via e40faf7a750 samba-tool: gpo show command list policies from 7e0eb0f31a2 s3:lib: Change file_modtime() to return an error code and a struct timespec. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f6712c709868bf87dfd3d92bec1f306d2a98116e Author: Andreas Schneider Date: Wed Jan 25 17:08:58 2023 +0100 script:autobuild: Make sure we can send a failure mail We should not run into an exception if the file doesn't exist. 
Traceback (most recent call last): File "script/autobuild.py", line 1781, in email_failure(-1, 'rebase', 'rebase', 'rebase', File "script/autobuild.py", line 1677, in email_failure f = open("%s/%s.stdout" % (gitroot, failed_tag), 'r') FileNotFoundError: [Errno 2] No such file or directory: 'samba-autobuild/rebase.stdout' Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Jan 30 10:00:27 UTC 2023 on atb-devel-224 commit 41aa379abb391ffab77238d65ee5ba11b9ab8538 Author: Joseph Sutton Date: Thu Jan 19 08:37:03 2023 +1300 python: Replace calls to deprecated methods These aliases are deprecated and have been removed in Python 3.12. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a15208f60bbace89d99acbe8e3a8325740f5d6ab Author: David Mulder Date: Wed Dec 7 10:56:54 2022 -0700 samba-tool: Use ntstatus constants in gpo commands Replace all the hard coded instances of ntstatus codes in the samba-tool gpo commands with constants from samba.ntstatus. 
Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit a4530c153e38b205f0ffa7f30e06d2a4469fa58b Author: David Mulder Date: Thu Mar 24 11:35:02 2022 -0600 samba-tool: Test gpo show/load handling of utf-16-le strings Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit 3b0d78a3fdcd2df1d6ee63f41e2d56688ccd83f1 Author: David Mulder Date: Thu Mar 24 17:05:13 2022 + samba-tool: gpo show/load handle utf-16-le strings Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit e60327036067d1b3141ec40200efeeb057aa93ff Author: David Mulder Date: Thu Feb 17 10:38:46 2022 -0700 samba-tool: gpo load provide option for replace vs merge Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit 6f3736037203f21b8508f134dde6bd25867f5613 Author: David Mulder Date: Wed Feb 16 03:11:34 2022 -0700 samba-tool: gpo load set ntacl with SYSVOL file creation Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit e7737d6bb27dd4b70782635eafa75f4d01450aa7 Author: David Mulder Date: Tue Feb 15 14:45:41 2022 -0700 samba-tool: gpo load add Registry ext by default Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit a3452147129a0eea6a578c3d57aa828642986d89 Author: David Mulder Date: Tue Feb 15 11:09:12 2022 -0700 samba-tool: gpo load extension names Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit 00e40f9f924f6354e5e8e9e0d0ee7077243a4b26 Author: David Mulder Date: Mon Feb 14 13:34:39 2022 -0700 samba-tool: gpo load/remove increment GPT.INI Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett Tested-by: Kees van Vloten commit ea619d704e4d9f498104b20bb1c8a98a1a6df9d6 Author: David Mulder Date: Mon Jan 24 09:21:47 2022 -0700 samba-tool: gpo load/remove bytes
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9189bd9c9c1 build: Convert winexe to use enabled= in wscript from ddbb8f1999e lib: Move 448 bytes from R/W data segment to R/O text https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9189bd9c9c126b8983781a8de075efc9fe7fdfa5 Author: Andrew Bartlett Date: Mon Dec 5 22:18:45 2022 +1300 build: Convert winexe to use enabled= in wscript This also allows --without-winexe to stop building the .exe files even if the compilers are present on the system. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15264 Signed-off-by: Andrew Bartlett Reviewed-by: Volker Lendecke Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Dec 16 07:41:38 UTC 2022 on sn-devel-184 --- Summary of changes: examples/winexe/wscript_build | 60 --- 1 file changed, 34 insertions(+), 26 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/winexe/wscript_build b/examples/winexe/wscript_build index 143739f3de0..364683405c2 100644 --- a/examples/winexe/wscript_build +++ b/examples/winexe/wscript_build 
@@ -65,36 +65,44 @@ const DATA_BLOB *%s(void) winexesvc_binaries = '' +bld.SAMBA_GENERATOR( +'winexesvc32_exe', +source='winexesvc.c', +target='winexesvc32.exe', +rule='${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}', +enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN32) + +vars = {"WINEXE_FN": "winexesvc32_exe_binary"} +bld.SAMBA_GENERATOR( +'winexesvc32_exe_binary', +source='winexesvc32.exe', +target='winexesvc32_exe_binary.c', +group='build_source', +vars=vars, +rule=generate_winexesvc_c_from_exe, +enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN32) + if bld.env.WINEXE_CC_WIN32: -bld.SAMBA_GENERATOR( -'winexesvc32_exe', -source='winexesvc.c', -target='winexesvc32.exe', -rule='${WINEXE_CC_WIN32} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}') -vars = {"WINEXE_FN": "winexesvc32_exe_binary"} -bld.SAMBA_GENERATOR( -'winexesvc32_exe_binary', -source='winexesvc32.exe', -target='winexesvc32_exe_binary.c', -group='build_source', -vars=vars, -rule=generate_winexesvc_c_from_exe) winexesvc_binaries += ' winexesvc32_exe_binary.c' +bld.SAMBA_GENERATOR( +'winexesvc64_exe', +source='winexesvc.c', +target='winexesvc64.exe', +rule='${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}', +enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN64) + +vars = {"WINEXE_FN": "winexesvc64_exe_binary"} +bld.SAMBA_GENERATOR( +'winexesvc64_exe_binary', +source='winexesvc64.exe', +target='winexesvc64_exe_binary.c', +group='build_source', +vars=vars, +rule=generate_winexesvc_c_from_exe, +enabled=bld.env.build_winexe and bld.env.WINEXE_CC_WIN64) + if bld.env.WINEXE_CC_WIN64: -bld.SAMBA_GENERATOR( -'winexesvc64_exe', -source='winexesvc.c', -target='winexesvc64.exe', -rule='${WINEXE_CC_WIN64} ${SRC} -o ${TGT} ${WINEXE_LDFLAGS}') -vars = {"WINEXE_FN": "winexesvc64_exe_binary"} -bld.SAMBA_GENERATOR( -'winexesvc64_exe_binary', -source='winexesvc64.exe', -target='winexesvc64_exe_binary.c', -group='build_source', -vars=vars, -rule=generate_winexesvc_c_from_exe) winexesvc_binaries += ' 
winexesvc64_exe_binary.c' if winexesvc_binaries != '': -- Samba Shared Repository
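Review bot: In the two `if bld.env.WINEXE_CC_WIN32:` and `if bld.env.WINEXE_CC_WIN64:` blocks that remain, `winexesvc_binaries` is still extended whenever the cross compiler is found, while the generators above them are now enabled only when `bld.env.build_winexe` is also set. With --without-winexe and a compiler present, the list would still name `winexesvc32_exe_binary.c` and `winexesvc64_exe_binary.c` although their generators are disabled; either test the same `bld.env.build_winexe and bld.env.WINEXE_CC_WIN32` expression in those `if` statements, or confirm that whatever follows `if winexesvc_binaries != '':` is itself gated with `enabled=`. The `enabled=` expression is also repeated four times; one local variable per architecture would keep the conditions from drifting apart.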
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 612eeff2704 tests/krb5: Add tests of PAC group handling via 53f9ac4b6fc tests/krb5: Allow checking domain SID in PAC via 8556576d8df tests/krb5: Overhaul PAC logon info group checking via 5a613db6f51 tests/krb5: Add (un)expected group parameters to get_service_ticket() and get_tgt() via f59f6968003 tests/krb5: Allow creating accounts without Resource SID compression support via 29723765b31 tests/krb5: Allow adding multiple members to a group via 3a13e3b6667 tests/krb5: Allow creating groups with a specified type via 6674f67537d tests/krb5: Fix bits_to_etypes() to not fail on Resource SID compression bit via 90f39b69591 tests/krb5: Remember to pass in expected_groups parameter via 0161d375746 tests/krb5: Remove unused copy-and-paste remnant via bdbe5c5a324 s4:kdc: add initial support for compound claims via f96fbe6eb1f s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs() via 03250eefaaf s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac() via aa62775eb4f s4-auth: Make PAC parameters const via 7d3416e8cb6 krb5: Detect support for krb5_const_pac type via 6fe6992258d wafsamba: Have CHECK_C_PROTOTYPE() pass through 'lib' into CHECK_CODE() via a3ee0ce255c wscript: Correctly determine dependencies for system Heimdal build via 77bb72d6720 build: Remove unused dependencies from be1431a8930 smbd: Don't hide directories with "hide new files timeout" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 612eeff2704bf6705b2ccce4006f7d9c6f0ee06a Author: Joseph Sutton Date: Thu Nov 3 14:49:17 2022 +1300 tests/krb5: Add tests of PAC group handling In which we make AS and TGS requests and verify the SIDs we expect are returned in the PAC. 
Example command to test against Windows Server 2019 functional level 2016 with FAST enabled: ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \ DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \ PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \ SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \ TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Nov 8 03:37:37 UTC 2022 on sn-devel-184 commit 53f9ac4b6fc41cef4966b1f5eca0485be621f786 Author: Joseph Sutton Date: Thu Nov 3 14:55:36 2022 +1300 tests/krb5: Allow checking domain SID in PAC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 8556576d8df47710757ff4e32b04668fa5045daf Author: Joseph Sutton Date: Thu Nov 3 14:54:23 2022 +1300 tests/krb5: Overhaul PAC logon info group checking We can now verify attributes of SIDs and the PAC locations in which SIDs are placed. We also gain the ability to assert that no SIDs are present in the PAC other than the ones we expect. We lighten somewhat the requirement that no duplicates are present among the SIDs, as such a situation may arise even with Windows, especially if group types are changed. For example, if a Universal group containing a user is changed to a Domain-Local group in between an AS-REQ and a TGS-REQ, the group's SID will be added to the PAC once for each request. We only verify that there are no exact duplicates (SID, attributes, and PAC location all being identical). 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 5a613db6f511cfe3739cfe04cefa84e4f6681c99 Author: Joseph Sutton Date: Thu Nov 3 14:51:26 2022 +1300 tests/krb5: Add (un)expected group parameters to get_service_ticket() and get_tgt() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f59f6968003a3b314fb21ca84548806c03ae0b0a Author: Joseph Sutton Date: Thu Nov 3 14:48:09 2022 +1300 tests/krb5: Allow creating accounts without Resource SID compression support Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 29723765b31866524b7db5c37600b8f6c9c0a2e7 Author: Joseph Sutton Date: Thu Nov 3 14:47:51 2022 +1300 tests/krb5: Allow adding multiple members to a group As well as passing in a single 'str', we can now choose to pass a collection of member DN strings. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3a13e3b6667909fbdafaf95be88106d138013f9c Author: Joseph Sutton Date: Thu Nov 3 14:46:53 2022 +1300 tests/krb5: Allow creating groups with a specified type This will be useful for testing th
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf446bcf612 third_party/heimdal_build: Update fallthrough macro for switch statements via ef28247f3bb third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222) via ab4c7bda8da heimdal: Fix the 32-bit build on FreeBSD via 074e9284971 third_party/heimdal: Introduce macro for common plugin structure elements via 6353f9e9c47 Add Heimdal test file test_base.c to bi-directional encoding ignore list from bdbb38d16c8 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf446bcf612791c7fcf8284cca4061b651b7d4f6 Author: Joseph Sutton Date: Wed Sep 28 14:34:31 2022 +1300 third_party/heimdal_build: Update fallthrough macro for switch statements This is an adaptation to Heimdal: commit 133f5174820b34e2a12c3f3412bf554cae2ee22f Author: Daria Phoebe Brashear Date: Fri Sep 16 09:57:24 2022 -0400 rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Nov 2 05:21:29 UTC 2022 on sn-devel-184 commit ef28247f3bbbd7cf9daed7a4dba28855496ce38e Author: Andrew Bartlett Date: Mon Oct 31 14:33:09 2022 +1300 third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222) This commit won't compile on its own, as we need to fix the build system to cope in the next commit. The purpose of this commit is to update to a new lorikeet-heimdal tree that includes the previous two patches and is rebased on a current Heimdal master snapshot. 
Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a Author: Volker Lendecke Date: Fri Jul 22 18:38:21 2022 +0200 heimdal: Fix the 32-bit build on FreeBSD REF: https://github.com/heimdal/heimdal/pull/1004 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220 Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 074e92849715ed3485703cfbba3771d405e4e78a Author: Joseph Sutton Date: Sat Oct 22 10:11:53 2022 +1300 third_party/heimdal: Introduce macro for common plugin structure elements Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon it, doesn't work on 32-bit builds due to structure fields being arranged in the wrong order. This problem presents itself in the form of segmentation faults on 32-bit systems, but goes unnoticed on 64-bit builds thanks to extra structure padding absorbing the errant fields. This commit reorders the HDB plugin structure fields to prevent crashes and introduces a common macro to ensure every plugin presents a consistent interface. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6353f9e9c47d02dc0e18585bfaad48b2ce85441d Author: Andrew Bartlett Date: Thu Oct 27 13:07:34 2022 +1300 Add Heimdal test file test_base.c to bi-directional encoding ignore list Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test data that triggers our LTR and RTL detection code. 
Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: python/samba/tests/source_chars.py |1 + third_party/heimdal/.github/workflows/osx.yml |6 +- third_party/heimdal/.github/workflows/windows.yml |2 + third_party/heimdal/admin/Makefile.am |1 + third_party/heimdal/admin/add.c| 178 +++- third_party/heimdal/admin/copy.c | 19 +- third_party/heimdal/admin/get.c| 38 +- third_party/heimdal/admin/ktutil-commands.in | 33 +- third_party/heimdal/admin/ktutil.1 | 72 +- third_party/heimdal/admin/list.c | 139 ++- third_party/heimdal/apply_heimdal.sh |6 +- third_party/heimdal/configure.ac | 20 +- third_party/heimdal/doc/Makefile.am|3 +- third_party/heimdal/doc/NTMakefile |1 - third_party/heimdal/doc/apps.texi | 201 +--- third_party/heimdal/doc/copyright.texi |2 - third_party/heimdal/doc/heimdal.texi | 21 +- third_party/heimdal/doc/hx509.texi |6 +- third_party/heimdal/doc/kerberos4.texi | 173 third_party/heimdal/doc/migration.texi | 12 +- third_party/heimdal/doc/misc.texi
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 50cbdecf2e2 tests/krb5: Add test requesting a TGT expiring post-2038 via 67811e121fb tests/krb5: Add test requesting a service ticket expiring post-2038 from eb2f3526032 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 Author: Joseph Sutton Date: Thu Oct 20 12:36:44 2022 +1300 tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 commit 67811e121fbef08337675d473390160793544719 Author: Joseph Sutton Date: Tue Oct 4 12:25:08 2022 +1300 tests/krb5: Add test requesting a service ticket expiring post-2038 Windows 11 22H2 performs such requests, with year . The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton Reviewed-by: Douglas Bagnall --- Summary of changes: python/samba/tests/krb5/as_req_tests.py | 13 +++-- python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++ 2 files changed, 25 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 6a573947067..6b3b5ad4a22 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py 
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest): expected_cname=None, sname=None, name_type=NT_PRINCIPAL, etypes=None, expected_error=None, expect_edata=None, - kdc_options=None): + kdc_options=None, till=None): user_name = client_creds.get_username() if client_account is None: client_account = user_name @@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() -till = self.get_KerberosTime(offset=36000) +if till is None: +till = self.get_KerberosTime(offset=36000) if etypes is None: etypes = client_as_etypes @@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest): sname=wrong_krbtgt_princ, expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) +# Test that we can make a request for a ticket expiring post-2038. +def test_future_till(self): +client_creds = self.get_client_creds() + +self._run_as_req_enc_timestamp( +client_creds, +till='0913024805Z') + if __name__ == "__main__": global_asn1_print = False diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index f57df85bfcd..e64135249db 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -2334,6 +2334,18 @@ class KdcTgsTests(KDCBaseTest): self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN)) +# Test making a TGS request for a ticket expiring post-2038. +def test_tgs_req_future_till(self): +creds = self._get_creds() +tgt = self._get_tgt(creds) + +target_creds = self.get_service_creds() +self._tgs_req( +tgt=tgt, +expected_error=0, +target_creds=target_creds, +till='0913024805Z') + def _modify_renewable(self, enc_part): # Set the renewable flag. enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True) @@ -2704,6 +2716,7 @@ class KdcTgsTests(KDCBaseTest): sname=None, srealm=None, use_fast=False, + till=None, expect_pac=True, expect_pac_attrs=None, expect_pac_attrs_pac_request=None, 
@@ -2813,6 +2826,7 @@ class KdcTgsTests(KDCBaseTest): cname=None, re
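Review bot: In `test_future_till` and `test_tgs_req_future_till`, the far-future `till` value is sent but nothing about the returned ticket is checked (the TGS test only sets `expected_error=0`), so a KDC that accepts the request while clamping or mangling the end time would still pass. Consider asserting on the end time of the issued ticket, or say in the test comment that only acceptance of the request is being tested. The same `till='0913024805Z'` literal is hard-coded in both files; a named constant in the shared base class, with a comment giving the date it encodes, would be easier to audit and to keep in sync.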
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3ad0fa69255 pyldb: Fix typos in function names via b32a3d715bc s4:kdc: Don't copy data for empty PAC buffer via d4ce0a0e982 s4:kdc: Make use of smb_krb5_data_from_blob() helper function via f86404b7ab8 s4:kdc: Refactor samba_make_krb5_pac() via 84796220965 lib:krb5_wrap: Add helper functions to make krb5_data structure via 27a2ee0d1d9 dbcheck: Fix truncation of warning messages via b346a369117 docs-xml: Remove nested calls to translate() via 2344af97406 docs-xml: Remove reference to invalid 'user' parameter via ffdf0177b52 docs-xml: 'security = auto' is now the default parameter via 534bc646d7e docs-xml: Fix references to 'encrypt passwords' parameter via 2a26dd3aab3 docs-xml: Fix reference to 'wide links' parameter via 112e43fcb3f docs-xml: Fix reference to 'read only' parameter via 728fabea683 docs-xml: Remove references to obsolete 'write cache size' parameter via e9f4528d727 docs-xml: Fix reference to obsolete 'lock spin count' parameter via de23fd66e46 docs-xml: Fix section links via 90c371d6cd1 pytest: samba-tool: Fix undefined escape sequence via 352064979be pyldb: Fix tests going unused via c52f5ee84ba lib:crypto: Change error return to SMB_ASSERT() via 01b6c87c4fa lib:krb5_wrap: Use case-sensitive comparison against 'krbtgt' via d2c5a297f25 s4-auth: Add missing newlines to log messages via ccbce565ebf tests/krb5: Add create_ccache_with_ticket() via 0c78480837f tests/krb5: Make use of client_opts for TGS-REQs via 12677ff65e9 python: Handle LdbError thrown from functions operating on DNs via a68428a9510 pyldb: Have functions operating on DNs raise LdbError via 0c19fca3f9d python/samba: Fix typos in error messages via 8f3cbf30a9f pdb_samba_dsdb: Handle dsdb_search_one() errors via ab7b16428d1 selftest: Simplify krb5 test environments from 37406b9d97f CVE-2007-4559 python: ensure sanity in our tarfiles https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3ad0fa692556b5544307110b179626bfb4b4381f Author: 
Joseph Sutton Date: Fri Sep 23 10:41:32 2022 +1200 pyldb: Fix typos in function names Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Oct 5 05:23:50 UTC 2022 on sn-devel-184 commit b32a3d715bcf1ffc8078eba06ebded02049251d6 Author: Joseph Sutton Date: Sat Sep 24 12:25:10 2022 +1200 s4:kdc: Don't copy data for empty PAC buffer Heimdal's 'data->length > 0' assertion in krb5_pac_add_buffer() is gone as of f33f73f82fb2d5d96928ce5910e2d0d939c2ff57, so we no longer need to specify a non-zero length. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d4ce0a0e982ed6b2cf1a0980270196c80c8eecb9 Author: Joseph Sutton Date: Wed Sep 21 10:42:54 2022 +1200 s4:kdc: Make use of smb_krb5_data_from_blob() helper function Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f86404b7ab8a557cd3d3366b6567867065c2e28e Author: Joseph Sutton Date: Wed Sep 21 10:26:38 2022 +1200 s4:kdc: Refactor samba_make_krb5_pac() This function is longwinded and needlessly allocates intermediary buffers. Simplify it. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 84796220965527a56ac492d04f220b39ce279cf4 Author: Joseph Sutton Date: Sat Sep 24 12:36:25 2022 +1200 lib:krb5_wrap: Add helper functions to make krb5_data structure These will be used in following commits. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 27a2ee0d1d9a7f3360537a0a806e827272242823 Author: Joseph Sutton Date: Tue Sep 20 09:28:27 2022 +1200 dbcheck: Fix truncation of warning messages We are stripping off one too many characters. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b346a3691173e70d560a69539cc89dabcd14bbbf Author: Joseph Sutton Date: Sat Sep 24 11:53:08 2022 +1200 docs-xml: Remove nested calls to translate() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2344af97406c9f56bdadf8957f7e2da3e4694b35 Author: Joseph Sutton Date: Sat Sep 24 11:52:31 2022 +1200 docs-xml: Remove reference to invalid 'user' parameter Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ffdf0177b5202dc7aad5ae0d98e70e1f21c07775 Author: Joseph Sutton Date: Sat Sep 24 11:52:12 2022 +1200 docs-xml: 'security = auto' is now the default parameter Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 534bc646d7e6f46d29c5d2bb653d6e7f6e56bf31 Author: Joseph Sutton Date: Sat Sep 24
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 37406b9d97f CVE-2007-4559 python: ensure sanity in our tarfiles via 6a5d03e2f7b samba-tool: Use authentication file to pass credentials via bff2bc9c7d6 python-drs: Add client-side debug and fallback for GET_ANC via 483c48f52d6 s4-libnet: Add messages to object count mismatch failures via b0bbc94d412 selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT via 314bc44fa9b s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT via 7ff743d65dc selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database via 62b426243f4 selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT from a91fa70ad56 tevent: Fix flag clearing https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 37406b9d97f123576c811b9fe22b39b02af62f83 Author: Douglas Bagnall Date: Fri Sep 23 12:32:25 2022 +1200 CVE-2007-4559 python: ensure sanity in our tarfiles Python's tarfile module is not very careful about paths that step out of the target directory. We can be a bit better at little cost. This was reported in 2007[1], and has recently been publicised [2, for example]. We were informed of this bug in December 2021 by Luis Alberto López Alvar, but decided then that there were no circumstances under which this was a security concern. That is, if you can alter the backup files, you can already do worse things. But there is a case to guard against an administrator being tricked into trying to restore a file that isn't based on a real backup. 
[1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559 [2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Oct 4 03:48:43 UTC 2022 on sn-devel-184 commit 6a5d03e2f7bfa84eea1f1c44604ab70b1257d349 Author: Nikola Radovanovic Date: Fri Sep 30 09:38:12 2022 +0200 samba-tool: Use authentication file to pass credentials In order not to pass credentials in clear-text directly over command line, this is a patch to store username/password/domain in a file and use it during domain join for example. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15031 Signed-off-by: Nikola Radovanovic Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit bff2bc9c7d69ec2fbe9339c2353a0a846182f1ea Author: Andrew Bartlett Date: Thu Sep 15 17:10:24 2022 +1200 python-drs: Add client-side debug and fallback for GET_ANC Samba 4.5 and earlier will fail to do GET_ANC correctly and will not replicate non-critical parents of objects with isCriticalSystemObject=TRUE when DRSUAPI_DRS_CRITICAL_ONLY is set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 483c48f52d6ff5e8149ed12bfeb2b6608c946f01 Author: Andrew Bartlett Date: Tue Sep 20 13:37:30 2022 +1200 s4-libnet: Add messages to object count mismatch failures This helps explain these better than WERR_GEN_FAILURE. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit b0bbc94d4124d63b1d5a35ccbc88ffd51d520ba0 Author: Andrew Bartlett Date: Thu Sep 29 14:54:14 2022 +1300 selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT The chgdcpass server now emulates older versions of Samba that fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support DRSUAPI_DRS_GET_TGT. 
We now show this is in effect by the fact that tests now fail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 314bc44fa9b8fc99c80bfcfff71f2cec67bbda36 Author: Andrew Bartlett Date: Thu Sep 29 14:53:38 2022 +1300 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT This emulates older versions of Samba that fail to implement DRSUAPI_DRS_GET_ANC correctly and totally fails to support DRSUAPI_DRS_GET_TGT. This will allow testing of a client-side fallback, allowing migration from sites that run very old Samba versions over DRSUAPI (currently the only option is to attempt an in-place upgrade). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 7ff743d65dcf27ffe0c6861720e8ce531bfa378d Author: Andrew Bartlett Date: Thu Sep 29 03:05:03 20
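The path check that the CVE-2007-4559 commit message above describes, sketched as an added Python example; it is not Samba's code and not part of the original message. The names `check_member`, `safe_extractall`, `build_tar` and the archive entries are assumptions made for illustration, and POSIX paths are assumed.

```python
import io
import os
import tarfile


class UnsafeTarMember(Exception):
    """Raised when an archive member would land outside the target directory."""


def _inside(base, path):
    # True when path, after resolving '..' and any symlinks already on
    # disk, is base itself or something below it.
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def check_member(member, dest):
    """Return a reason string if the member is unsafe to extract, else None."""
    if os.path.isabs(member.name):
        return "absolute path"
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        return "path leaves target directory"
    if member.issym() or member.islnk():
        # Symlink targets are relative to the link's own directory,
        # hard link targets to the archive root.
        anchor = os.path.dirname(target) if member.issym() else dest
        link = member.linkname
        if os.path.isabs(link) or not _inside(dest, os.path.join(anchor, link)):
            return "link target leaves target directory"
    elif not (member.isfile() or member.isdir()):
        return "special file (device or FIFO)"
    return None


def safe_extractall(tar, dest):
    """Extract every member of an open TarFile below dest, or raise."""
    os.makedirs(dest, exist_ok=True)
    members = tar.getmembers()
    # First pass: refuse the whole archive before anything is written.
    for member in members:
        reason = check_member(member, dest)
        if reason:
            raise UnsafeTarMember(f"{member.name!r}: {reason}")
    # Python 3.12 (and the security backports) ship an extraction filter
    # that does similar checks; use it as a second layer when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    for member in members:
        # Second pass: re-check right before each write, so realpath()
        # sees links that earlier members have already created on disk.
        reason = check_member(member, dest)
        if reason:
            raise UnsafeTarMember(f"{member.name!r}: {reason}")
        tar.extract(member, dest, **extra)
        extracted.append(member.name)
    return extracted


def build_tar(entries):
    """Build a constructed in-memory sample archive.

    entries: (name, "file", text) or (name, "symlink", linkname).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = value.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    import tempfile

    dest = os.path.join(tempfile.mkdtemp(), "restore")
    good = build_tar([("backup/data.txt", "file", "hello")])
    print(safe_extractall(good, dest))
    bad = build_tar([("../outside.txt", "file", "x")])
    try:
        safe_extractall(bad, dest)
    except UnsafeTarMember as exc:
        print("refused:", exc)
```
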
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 063976fca37 WHATSNEW: samba-tool: fewer tracebacks, more colour via dad0c9a52eb docs/man/samba-tool explain --color via 98c7af03945 py/dbcheck: improve 'please --fix' message via 10bcf2bb08e dbcheck: don't recommend --fix for errors we can't fix via d71258b4550 dbcheck: do not crash on empty DN via 2b039eb8c52 samba-tool dbcheck: use colour if wanted via 318eb65cb8d py/dbchecker: dbcheck prints bits of colour if asked from 6e5d79ff408 shadow_copy2: Remove an intermediate if-statement https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 063976fca375be367fa6b471389a3d7258b73460 Author: Douglas Bagnall Date: Thu Sep 15 16:48:31 2022 +1200 WHATSNEW: samba-tool: fewer tracebacks, more colour Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Sep 19 07:14:31 UTC 2022 on sn-devel-184 commit dad0c9a52eb142ea105231ab1e8df75ff00da210 Author: Douglas Bagnall Date: Thu Sep 15 12:41:13 2022 +1200 docs/man/samba-tool explain --color Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 98c7af03945e9af7fa032dc2d8682838b0b2d5fc Author: Douglas Bagnall Date: Sat Sep 17 18:18:25 2022 +1200 py/dbcheck: improve 'please --fix' message The dbcheck module is used in places other than samba-tool (backup, provision) where the old 'use --fix' message made no sense. Also, now that we're not necessarily claiming to fix all errors, we say how many we think we can. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 10bcf2bb08ee742023325bcbb3005d6a9e8295b6 Author: Douglas Bagnall Date: Fri Sep 16 16:26:41 2022 +1200 dbcheck: don't recommend --fix for errors we can't fix and/or won't fix. I think there are others that should be here. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit d71258b45502a5552cf3540c854b925be3194b8c Author: Douglas Bagnall Date: Thu Sep 15 11:20:25 2022 +1200 dbcheck: do not crash on empty DN we had $ bin/samba-tool dbcheck -H st/rpc_proxy/private/sam.ldb Checking 202 objects ERROR(): uncaught exception - unable to parse dn string File "/home/douglasb/src/samba/bin/python/samba/netcmd/__init__.py", line 230, in _run return self.run(*args, **kwargs) File "/home/douglasb/src/samba/bin/python/samba/netcmd/dbcheck.py", line 173, in run error_count = chk.check_database(DN=DN, scope=search_scope, File "/home/douglasb/src/samba/bin/python/samba/dbchecker.py", line 255, in check_database error_count += self.check_object(object.dn, requested_attrs=attrs) File "/home/douglasb/src/samba/bin/python/samba/dbchecker.py", line 2616, in check_object expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn)) Now we have: $ bin/samba-tool dbcheck -H st/rpc_proxy/private/sam.ldb Checking 202 objects ERROR: could not handle parent DN '': skipping RDN checks Please use --fix to fix these errors Checked 202 objects (1 errors) which is still not really right, since --fix won't help. (same with st/s4member/private/sam.ldb). Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 2b039eb8c52a491c3d7b5bcae952e826b3ac1b21 Author: Douglas Bagnall Date: Thu Sep 15 10:17:16 2022 +1200 samba-tool dbcheck: use colour if wanted Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 318eb65cb8d777651861266818c646246f82e1a1 Author: Douglas Bagnall Date: Thu Sep 15 11:13:30 2022 +1200 py/dbchecker: dbcheck prints bits of colour if asked Prefixes like ERROR, WARNING, and INFO are given interpretive colours. This won't change anything until samba-tool decides to ask for colour, which, who knows, might even be in the next commit. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: WHATSNEW.txt | 60 ++ docs-xml/manpages/samba-tool.8.xml | 23 ++ python/samba/dbchecker.py | 86 ++ python/samba/netcmd/dbcheck.py | 9 +++- 4 files changed, 151 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c9cd84faa26..94ced206dbb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -16,6 +16,66 @@ UPGRADING NEW FEATURES/CHANGES +More succinct samba-tool error messages +--- + +Historically samb
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3e95c677f24 pytests:s4/dsdb/passwords: avoid unused imports via 884f1052149 pytests:s4/drs/getnc_schema: avoid unused imports via 1cf48a588fc pytests:s4/drs/repl_move: avoid unused and star imports via 7283fed0b35 pytests:s4/drs/repl_rodc: avoid unused imports via 7f9fedd744c pytests:s4/drs/linked_attributes_drs: avoid unused imports via b1ff59fb8b7 pytests:s4/drs/ridalloc_exop: avoid unused imports via 3c5cb27885a pytests: remove backwards compat workaround for python 2.6 via 2775d6b5d1c pytest: samba-tool visualize: improve a message via ed72ec76313 samba-tool: no stack trace on missing ldb tdb via b350a9c37c9 samba-tool: write ERROR in red if colour is wanted via a64e6c9639c samba-tool visualize: simplify --color-scheme calculations via 07cbb10dc07 samba-tool visualise: use global --color via adf8b8b4a16 py:colour: is_colour_wanted() can take filenames via c0d0c13670a samba-tool: --color=auto looks at stderr and stdout via 7d4387d15df samba-tool drs showrepl: use global --color option via baf7c5c585d samba-tool: save --color choice for subcommands via 5dd4696fb79 samba-tool: make --color a general option via 4c623356ce5 py:colour: colour_if_wanted() returns the result via 4f30d06a365 pytest: samba-tool visualize: fix filename via 3119349a3f1 libcli/auth/proto.h: remove unneeded path details. 
via 53f6dbe03f7 ldb: ldb_build_search_req() check for a talloc failure via 9983ea0ed26 s4/server: stop suggesting ntvfs in error message via 1f60e881973 libaddns: remove duplicate declaration via eab89c8e29d pytest/password_lockout: be less verbose by default via 7af1326a58e samba-tool: simplify and clarify SuperCommand._run() a little from 4f5b4bd9dfb ctdb-tests: Reformat remaining test stubs with "shfmt -w -p -i 0 -fn" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3e95c677f242b28eaa031ed402a28dbdc0958d9f Author: Douglas Bagnall Date: Fri Sep 16 11:42:48 2022 +1200 pytests:s4/dsdb/passwords: avoid unused imports Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Sep 16 06:47:43 UTC 2022 on sn-devel-184 commit 884f105214973d0b414fdf2b3be6eaff4c75512c Author: Douglas Bagnall Date: Fri Sep 16 11:42:14 2022 +1200 pytests:s4/drs/getnc_schema: avoid unused imports Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 1cf48a588fc440eba665b27cf5d8f56264d2ca51 Author: Douglas Bagnall Date: Fri Sep 16 11:41:39 2022 +1200 pytests:s4/drs/repl_move: avoid unused and star imports Found the names using something like: flake8 repl_move.py | \ grep -oP "(?<=F405 ')[\w.]+" /tmp/repl_move | sort | uniq Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 7283fed0b3524cd00d256eb1a9292685e0f9b43a Author: Douglas Bagnall Date: Fri Sep 16 11:38:40 2022 +1200 pytests:s4/drs/repl_rodc: avoid unused imports Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 7f9fedd744c1f5144518efbe975330ea0df1cfd0 Author: Douglas Bagnall Date: Fri Sep 16 11:38:08 2022 +1200 pytests:s4/drs/linked_attributes_drs: avoid unused imports Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b1ff59fb8b729f07836c4953a77eb710dc361f4c Author: Douglas Bagnall Date: Fri Sep 16 11:37:14 2022 +1200 pytests:s4/drs/ridalloc_exop: avoid unused imports Signed-off-by: 
Douglas Bagnall Reviewed-by: Andrew Bartlett commit 3c5cb27885a542e0c0ba80e6c9b776859a29d2ff Author: Douglas Bagnall Date: Fri Sep 16 11:36:28 2022 +1200 pytests: remove backwards compat workaround for python 2.6 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 2775d6b5d1c92aa72d02bde617927020cd8a79a2 Author: Douglas Bagnall Date: Wed Sep 14 21:12:47 2022 +1200 pytest: samba-tool visualize: improve a message Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit ed72ec763133b3ed17a9f75bf4ae0bf0782c2967 Author: Douglas Bagnall Date: Fri Sep 9 16:13:12 2022 +1200 samba-tool: no stack trace on missing ldb tdb Now, in a testenv, if you forget to use '-s st/ad_dc/etc/smb.conf', you only see this: $ bin/samba-tool user rename dsadsa ldb: Unable to open tdb '$HERE/st/client/private/secrets.ldb': No such file or directory ldb: Failed to connect to '$HERE/st/client/private/secrets.ldb' with backend 'tdb': Unable to open tdb '$HERE/st/client/private/secrets.ldb': No such file or directory Could not find machine account in s
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cc64ea24daa CVE-2020-25720 s4:dsdb/descriptor: explain lack of dSHeuristics check via 95fe9659574 CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security descriptors via acca08f CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless all rights are granted via 5073d5997cb CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL via 72b8e98252b CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to check file access rights via 6dc6ca56bd5 CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior via 08187833fee CVE-2020-25720: s4-acl: Change behavior of Create Children check via 0e1d8929f87 CVE-2020-25720: s4-acl: Move definition of acl_check_self_membership() via c2761a47fd1 CVE-2020-25720 s4-acl: Test Create Child permission should not allow full write to all attributes via 2563f85237b CVE-2020-25720 pydsdb: Add AD schema GUID constants via cc709077822 CVE-2020-25720 pydsdb: Add dsHeuristics constant definitions via 0af5706b559 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29 via 890d2c5cf5d CVE-2020-25720 python:tests: Ensure that access checks don't succeed via cbbf3fd7412 CVE-2020-25720 s4:tests/sec_descriptor: Add missing security descriptor modify from b4455f04879 s3: libsmb: In cli_posix_open_internal_send() (SMBtrans2:TRANSACT2_SETPATHINFO) check for DFS pathname. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cc64ea24daa649dc8de4a212c7abfbe111095655 Author: Andrew Bartlett Date: Fri Sep 16 14:18:37 2022 +1200 CVE-2020-25720 s4:dsdb/descriptor: explain lack of dSHeuristics check It is strange that sDRightsEffective pays no attention to the dSHeuristics flags. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Reviewed-by: Joseph Sutton Signed-off-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Sep 16 03:31:42 UTC 2022 on sn-devel-184 commit 95fe9659574337234616625fc32d5f00035ae7c9 Author: Joseph Sutton Date: Thu May 5 17:21:42 2022 +1200 CVE-2020-25720 s4:dsdb/descriptor: Validate owner SIDs written to security descriptors BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit acca08f12d5bff6edb631a9515fe7e5087c3 Author: Joseph Sutton Date: Thu May 5 19:30:13 2022 +1200 CVE-2020-25720 s4-acl: Omit sDRightsEffective for computers unless all rights are granted BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 5073d5997cb1d7f654423655e0d1eeb117bdab38 Author: Nadezhda Ivanova Date: Fri Oct 22 21:33:03 2021 +0300 CVE-2020-25720: s4-acl: Owner no longer has implicit Write DACL The implicit right of an object's owner to modify its security descriptor no longer exists, according to the new access rules. However, we continue to grant this implicit right for fileserver access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova Reviewed-by: Andrew Bartlett commit 72b8e98252b0231868f04d40456459057126980c Author: Joseph Sutton Date: Mon Sep 5 14:53:26 2022 +1200 CVE-2020-25720 s4:ntvfs: Use se_file_access_check() to check file access rights se_access_check() will be changed in a following commit to remove the implicit WRITE_DAC right that comes with being the owner of an object. We want to keep this implicit right for file access, and by using se_file_access_check() we can preserve the existing behaviour. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8 Author: Nadezhda Ivanova Date: Fri Oct 22 21:10:35 2021 +0300 CVE-2020-25720: s4-acl: Adjusted some tests to work with the new behavior Tests using non-privileged accounts now need to make sure they have WP access on the provided attributes, or Write-DACL Some tests create organizational units with a specific SD, and those now need the user to have WD or else they give errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810 Signed-off-by: Nadezhda Ivanova Reviewed-by: Andrew Bartlett commit 08187833fee57a8dba6c67546dfca516cd1f9d7a Author: Nadezhda Ivanova Date: Mon Oct 25 13:10:56 2021 +0300 CVE-2020-25720: s4-acl: Change behavior of Create Children check Up to now, the rights to modify an attribute were not checked during an LDAP add operation. This means that even if a user has no right to modify
[SCM] Samba Shared Repository - branch master updated
if the password is wrong, which we did not previously do. Derived from a similar patch to source3/auth/check_samsec.c by Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 13 00:08:07 UTC 2022 on sn-devel-184 commit 1d869a2a666cfada1495d891021de6c2b8567a96 Author: Joseph Sutton Date: Tue Aug 2 14:43:09 2022 +1200 CVE-2021-20251 s3:rpc_server: Split change_oem_password() call out of samr_set_password_aes() Now samr_set_password_aes() just returns the new password in a similar manner to check_oem_password(). This simplifies the logic for the following change to recheck whether the account is locked out, and to update the bad password count. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 7981cba87e3a7256b12bfc5fdd89b136c12979ff Author: Joseph Sutton Date: Tue Aug 2 14:40:01 2022 +1200 CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password() All of its callers, where necessary, take out a transaction covering the entire password set or change operation, so a transaction is no longer needed here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit fcabcb326d385c1e1daaa8dae9820e33a3868f56 Author: Joseph Sutton Date: Tue Aug 2 14:39:43 2022 +1200 CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3 Now the initial account search is performed under the transaction, ensuring the overall password change is atomic. We set DSDB_SESSION_INFO to drop our privileges to those of the user before we perform the actual password change, and restore them afterwards if we need to update the bad password count. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit f74f92aea164af40d9177b332778a76d7ecabcbd Author: Joseph Sutton Date: Tue Aug 2 14:39:06 2022 +1200 CVE-2021-20251 s4-rpc_server: Use user privileges for SAMR password change We don't (and shouldn't) need system privileges to perform the password change, so drop to the privileges of the user by setting DSDB_SESSION_INFO. We need to reuse the same sam_ctx: creating a new one with only user privileges would not work, because any database modifications would be blocked by the transaction taken out on the original context. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit fabbea25310a31c0409b1c11eaced39bd8cde8dd Author: Joseph Sutton Date: Tue Aug 2 14:37:52 2022 +1200 CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user This helps the bad password and audit log handling code as it allows assumptions to be made about the attributes found in the variable "msg", such as that DSDB_SEARCH_SHOW_EXTENDED_DN was used. This ensures we can re-search on the DN via the embedded GUID, which is in turn rename-proof. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 1258746ba85b8702628f95a19aba9afea96eab8b Author: Joseph Sutton Date: Tue Sep 6 14:54:08 2022 +1200 s3:rpc_server: Use BURN_STR() to zero password This ensures these calls are not optimised away. 
Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 6edf88f5c40421b9881666a2e78038ea9c547c24 Author: Joseph Sutton Date: Tue Aug 2 14:35:50 2022 +1200 libcli:auth: Keep passwords from convert_string_talloc() secret Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 03a50d8f7d872b6ef701d1207061c88b73d171bb Author: Joseph Sutton Date: Tue Aug 2 14:35:33 2022 +1200 lib:util: Check memset_s() error code in talloc_keep_secret_destructor() Panic if memset_s() fails. Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 65c473d4a53fc8a22a0d531aff45203ea3a4d99b Author: Joseph Sutton Date: Tue Jul 5 20:17:33 2022 +1200 CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change The bad password count is supposed to limit the number of failed login attempt
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 66289ab678e s4:kdc: Set Kerberos debug class for all KDC files via 534b88dea21 docs-xml: some fixes and updates for ea and acl docs in smb.conf from 3ce1d2fde5d Fix spelling mistakes. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 66289ab678ebe998673e7cec510702ef40bbcd79 Author: Andreas Schneider Date: Fri Sep 9 12:32:57 2022 +0200 s4:kdc: Set Kerberos debug class for all KDC files Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184 commit 534b88dea210f5a35c16031d1c3a97bf182dd5a8 Author: Björn Jacke Date: Sun Sep 11 21:35:07 2022 +0200 docs-xml: some fixes and updates for ea and acl docs in smb.conf Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett --- Summary of changes: docs-xml/smbdotconf/protocol/easupport.xml | 9 +++-- docs-xml/smbdotconf/protocol/mapaclinherit.xml | 18 +++--- docs-xml/smbdotconf/security/inheritacls.xml | 7 +-- source4/kdc/db-glue.c | 3 +++ source4/kdc/hdb-samba4.c | 3 +++ source4/kdc/kdc-glue.c | 3 +++ source4/kdc/kdc-heimdal.c | 3 +++ source4/kdc/kdc-proxy.c| 2 ++ source4/kdc/kdc-server.c | 3 +++ source4/kdc/kpasswd-helper.c | 3 +++ source4/kdc/kpasswd-service-heimdal.c | 3 +++ source4/kdc/kpasswd-service-mit.c | 3 +++ source4/kdc/kpasswd-service.c | 3 +++ source4/kdc/kpasswd_glue.c | 3 +++ source4/kdc/mit_kdc_irpc.c | 3 +++ source4/kdc/sdb.c | 3 +++ source4/kdc/sdb_to_hdb.c | 3 +++ source4/kdc/sdb_to_kdb.c | 3 +++ source4/kdc/wdc-samba4.c | 3 +++ 19 files changed, 66 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/protocol/easupport.xml b/docs-xml/smbdotconf/protocol/easupport.xml index 403e48f5a89..fd425e8b514 100644 --- a/docs-xml/smbdotconf/protocol/easupport.xml +++ b/docs-xml/smbdotconf/protocol/easupport.xml 
@@ -18,12 +18,9 @@ Note that the SMB protocol allows setting attributes whose value is 64K bytes long, and that on NTFS, the maximum storage space for extended attributes per file is 64K. -On most UNIX systems (Solaris and ZFS file system being the exception), the limits -are much lower - typically 4K. Worse, the same 4K space is often used to store -system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving clients -access to this tight space via extended attribute support could consume all -of it by unsuspecting client applications, which would prevent changing -system metadata due to lack of space. +On some filesystem the limits may be lower. Filesystems with too limited EA +space may experience unexpected weird effects. + The default has changed to yes in Samba release 4.9.0 and above to allow better Windows fileserver compatibility in a default install. diff --git a/docs-xml/smbdotconf/protocol/mapaclinherit.xml b/docs-xml/smbdotconf/protocol/mapaclinherit.xml index 28271f9d66b..c248a333b5c 100644 --- a/docs-xml/smbdotconf/protocol/mapaclinherit.xml +++ b/docs-xml/smbdotconf/protocol/mapaclinherit.xml 
@@ -3,13 +3,17 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc;> -This boolean parameter controls whether smbd -8 will attempt to map the 'inherit' and 'protected' -access control entry flags stored in Windows ACLs into an extended attribute -called user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires -supports for extended attributes on the filesystem and -allows the Windows ACL editor to store inheritance information while -NT ACLs are mapped best-effort to the POSIX ACLs. +This boolean parameter is only relevant for systems that do not support +standardized NFS4 ACLs but only a POSIX draft implementation of ACLs. Linux +is the only common UNIX system which does still not offer standardized NFS4 +ACLs actually. On such systems this parameter controls whether +smbd +8 will attempt to map the 'protected' +(don't inherit) flags of the Windows ACLs into an extended attribute called +user.SAMBA_PAI (POSIX draft ACL Inheritance). This parameter requires +support for extended attributes on the filesystem and allows the Windows +ACL editor to store (non-)inher
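Review bot: In docs-xml/smbdotconf/protocol/easupport.xml the replacement paragraph drops the concrete failure mode the old text documented, namely that extended attributes can share a small space with POSIX ACLs or Samba's NT ACLs and that client applications filling it can prevent changing system metadata, and leaves only "unexpected weird effects". That consequence is what an administrator needs to know before relying on EA support, so keep one sentence stating it even if the 4K figure is no longer asserted. "On some filesystem" should also read "On some filesystems".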
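Review bot: In docs-xml/smbdotconf/protocol/mapaclinherit.xml the new description says only the 'protected' (don't inherit) flags are mapped into user.SAMBA_PAI, where the removed text named both the 'inherit' and 'protected' flags; the commit message does not say whether this narrowing corrects the old text or is an omission, so it should say which. The sentence "Linux is the only common UNIX system which does still not offer standardized NFS4 ACLs actually" would read better as "Linux is the only common UNIX system that still does not offer standardized NFS4 ACLs".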
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dadd3223882 tests/krb5: Add claims tests via 8b8a268084b tests/krb5: Allow specifying sname for getting service ticket via 6170d46cdd7 tests/krb5: Check claims buffers via fa90633b810 tests/krb5: Add xpress (de)compression functions via 20082340433 tests/krb5: Add function for creating claims via 88c9e2af205 krb5pac.idl: Add definitions for claims PAC buffers via e53455497c9 claims.idl: Add claim type definitions from 761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dadd32238822c6f2ee10cd55442c88e2034fb11a Author: Joseph Sutton Date: Fri Mar 4 16:23:32 2022 +1300 tests/krb5: Add claims tests Based on tests originally written by Stefan Metzmacher Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Sep 9 01:11:05 UTC 2022 on sn-devel-184 commit 8b8a268084b494e61a8e41e0ee11916474cc3bbd Author: Joseph Sutton Date: Mon Mar 7 17:07:03 2022 +1300 tests/krb5: Allow specifying sname for getting service ticket Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6170d46cdd77da1ed2ae6f19b893fad74cd21196 Author: Joseph Sutton Date: Fri Mar 4 16:22:07 2022 +1300 tests/krb5: Check claims buffers Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fa90633b8109696c923e4559a17b82761f4dc486 Author: Joseph Sutton Date: Fri Mar 4 16:21:19 2022 +1300 tests/krb5: Add xpress (de)compression functions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 200823404335cb781b18e5be25934a2625018dd1 Author: Joseph Sutton Date: Fri Mar 4 16:20:18 2022 +1300 tests/krb5: Add function for creating claims 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 88c9e2af205cc8327d4977b9ca0ea626b6a3c1e1 Author: Joseph Sutton Date: Fri Mar 4 16:17:40 2022 +1300 krb5pac.idl: Add definitions for claims PAC buffers The PAC device info definition comes from [MS-PAC] 2.12. Signed-off-by: Joseph Sutton Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit e53455497c90be9665905fa878efb40872efa09b Author: Joseph Sutton Date: Fri Sep 9 11:02:01 2022 +1200 claims.idl: Add claim type definitions Signed-off-by: Joseph Sutton Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: librpc/idl/IDL_LICENSE.txt | 76 ++ librpc/idl/claims.idl| 118 +++ librpc/idl/krb5pac.idl | 23 + librpc/idl/wscript_build |1 + librpc/wscript_build |8 +- python/samba/tests/krb5/claims_tests.py | 1319 ++ python/samba/tests/krb5/kdc_base_test.py | 196 - python/samba/tests/krb5/kdc_tgs_tests.py |6 +- python/samba/tests/krb5/raw_testcase.py | 329 +++- python/samba/tests/krb5/s4u_tests.py |4 +- python/samba/tests/krb5/xpress.py| 128 +++ python/samba/tests/usage.py |1 + selftest/knownfail_heimdal_kdc | 88 ++ selftest/knownfail_mit_kdc | 89 ++ selftest/knownfail_mit_kdc_1_20 |4 + source4/librpc/wscript_build |7 + source4/selftest/tests.py|4 + 17 files changed, 2363 insertions(+), 38 deletions(-) create mode 100644 librpc/idl/claims.idl create mode 100755 python/samba/tests/krb5/claims_tests.py create mode 100644 python/samba/tests/krb5/xpress.py Changeset truncated at 500 lines: diff --git a/librpc/idl/IDL_LICENSE.txt b/librpc/idl/IDL_LICENSE.txt index 01ae670b69b..a2d87ecb044 100644 --- a/librpc/idl/IDL_LICENSE.txt +++ b/librpc/idl/IDL_LICENSE.txt 
@@ -7,3 +7,79 @@ under the following license: This work is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + +The following relates to IDL obtained from Open Specifications Documentation + + Intellectual Property Rights Notice for Open Specifications Documentation + + * Technical Documentation. Microsoft publishes Open Specifications +documentation (“this documentation”) for protocols, file formats, +data portability, computer languages, and standards +support. Additionally, overview documents cover inter-protocol +relationships and interactions. + + * Copyrights. This documentation is covered by Microsoft +copyrights. Regardless of any other terms that are contained in +the terms of use for the Microsoft website that hosts
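Review bot: The notice text added in the @@ -7,3 +7,79 @@ hunk contains typographic quotes (“this documentation”), which puts non-ASCII bytes into IDL_LICENSE.txt; unless the wording has to stay byte-for-byte identical to the upstream notice, plain ASCII quotes would be safer for tools that assume an ASCII text file. The introducing line "The following relates to IDL obtained from Open Specifications Documentation" would also be easier to act on if it named the IDL files it covers, since the summary shows claims.idl being created in the same changeset.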
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  761ce8cfe41 s4:kdc: Set kerberos debug class for kdc service
       via  a88bb04ca23 selftest: Add Address Sanitizer suppressions
       via  7800097af4e selftest: Create asan_options variable
       via  1591d7bdbf0 selftest: Fix address sanitizer with python3
       via  08dda9cefdd selftest: Remove tailing whitspaces in selftest.pl
       via  6b9018d3c98 waf: Do not use as-needed if we build with Address Sanitizer
       via  b475e020664 s4:gensec: Do not link subsystems against dlopen() modules!
       via  b5013634175 pytest samba-tool forest: use runcmd
       via  098886946fa make runcmd, runsubcmd, exact aliases
       via  273797d8cf9 pytest: samba-tool: coalesce run*cmd functions
       via  4bfcd16a3c6 samba-tool: binary uses samba_tool function
       via  a1c615f87de pytest/samba-tool: entry function follows too logic
       via  8b23ef30032 pytest/password-lockout: fix using samba_tool function
       via  202182e0fdc pytest/samba_dnsupdate: fix using samba-tool function
       via  c41887d903f pytest/netcmd: fix for new samba-tool api
       via  5247c87cc2c samba-tool: add a convenience function that does it all
       via  153ad8fc3a9 samba-tool: command that has exception, shows exception
       via  304ac5bb777 samba-tool: _resolve() can set outf, errf
       via  ed787869897 samba-tool: more conventional usage of parser.parse_args
       via  9ec0863ff24 samba-tool: separate ._run() from command resolution
       via  8b403ab7c55 samba-tool: do not crash on unimplemented .run()
      from  8132edf1197 s3:libads: let cldap_ping_list() use cldap_multi_netlogon()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 761ce8cfe41139ab5656dec5cc05f2f576095216
Author: Andreas Schneider
Date:   Tue Sep 6 10:19:54 2022 +0200

    s4:kdc: Set kerberos debug class for kdc service

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Sep 8 23:34:15 UTC 2022 on sn-devel-184

commit a88bb04ca233cbe19aa9bae1cc5078274785cb4d
Author: Andreas Schneider
Date:   Tue Sep 6 10:06:37 2022 +0200

    selftest: Add Address Sanitizer suppressions

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 7800097af4e8ba071b31cecaf19a76b0e4b8a053
Author: Andreas Schneider
Date:   Tue Sep 6 10:06:05 2022 +0200

    selftest: Create asan_options variable

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 1591d7bdbf045bee45e7e2775a7be464fe236d1c
Author: Andreas Schneider
Date:   Tue Sep 6 08:59:56 2022 +0200

    selftest: Fix address sanitizer with python3

    ==9542==AddressSanitizer: failed to intercept 'crypt'
    ==9542==AddressSanitizer: failed to intercept 'crypt_r'
    [..]
    AddressSanitizer:DEADLYSIGNAL
    =
    ==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x bp 0x7ffcec4bf3c0 sp 0x7ffcec4beb58 T0)
    ==29768==Hint: pc points to the zero page.
    ==29768==The signal is caused by a READ memory access.
    ==29768==Hint: address points to the zero page.
        #0 0x0 ()
        #1 0x7f052cca4129 in crypt_crypt_impl /usr/src/debug/python310-core-3.10.6-3.1.x86_64/Modules/_cryptmodule.c:44

    We would need to build python without --as-needed as we can't so that we need to preload the library to avoid a segfault.

    See also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 08dda9cefdddf6953ac54b282e8b0e434426d1d6
Author: Andreas Schneider
Date:   Tue Sep 6 08:48:49 2022 +0200

    selftest: Remove tailing whitspaces in selftest.pl

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 6b9018d3c98113c6984a1fe65cce42771ccb4600
Author: Andreas Schneider
Date:   Tue Sep 6 08:47:47 2022 +0200

    waf: Do not use as-needed if we build with Address Sanitizer

    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit b475e02066437920b671bdd0f91602f4f5b7c5f0
Author: Andreas Schneider
Date:   Thu Sep 8 10:32:38 2022 +0200

    s4:gensec: Do not link subsystems against dlopen() modules!

    This is not a shared library. This only worked because we use '--as-needed' as linker option.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit b5013634175ef4b0a32e120e8b5806ad7283623b
Author: Douglas Bagnall
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  f06b40a9196 bootstrap: Use quay.io to download fedora images
       via  e8517ee7c70 WHATSNEW: Announce support for dropping the NT hash
       via  e6957c1d479 samba-tool user: Accomodate missing unicodePwd in getpassword command
       via  aa9136ab742 samba-tool user: When possible, obtain AES256 key and salt
       via  f33aa94c9ee auth/credentials: Add get_aes256_key()
       via  0d9835e1e49 auth/credentials: Add cli_credentials_get_aes256_key()
       via  d2a473a7b74 dsdb: Allow password history and password changes without an NT hash
       via  6029e2250c4 s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
       via  18f2a6b231f s4:kdc: Add helper function to extract AES256 key and salt
       via  68c57d9f78d tests/krb5: Add test for presence of NT hash
      from  cd09d4f470f third_party: Update nss_wraper to version 1.1.12

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit f06b40a91966c521cd7f4ce4afc4e2f76c00a045
Author: Andreas Schneider
Date:   Mon Jun 20 18:48:56 2022 +0200

    bootstrap: Use quay.io to download fedora images

    The docker registry is rate limited now. This often leads to errors, so use the Red Hat registry.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Sun Jun 26 23:08:03 UTC 2022 on sn-devel-184

commit e8517ee7c700e351901bed1739ff21492854fc9b
Author: Andrew Bartlett
Date:   Fri Mar 25 12:50:26 2022 +1300

    WHATSNEW: Announce support for dropping the NT hash

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit e6957c1d47996a98e905211f62ee1f3897700ecc
Author: Joseph Sutton
Date:   Mon Apr 11 11:54:24 2022 +1200

    samba-tool user: Accomodate missing unicodePwd in getpassword command

    To allow for the NT hash not being stored when NTLM authentication is disabled, we use the AES256 key instead for verification against the other packages if the unicodePwd attribute is not present.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit aa9136ab7427a89917a9d0ca7896348c49890b3f
Author: Joseph Sutton
Date:   Mon May 9 14:50:15 2022 +1200

    samba-tool user: When possible, obtain AES256 key and salt

    We will make use of these in the next commit to check that the supplemental packages are up-to-date with the current password.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit f33aa94c9ee26a44132feca8fc4c460f88a48ee2
Author: Joseph Sutton
Date:   Mon May 9 14:37:58 2022 +1200

    auth/credentials: Add get_aes256_key()

    This makes it possible to generate AES256 keys in Python from a given password and salt.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit 0d9835e1e497d667ce49f00d5127d2231055793f
Author: Joseph Sutton
Date:   Mon May 9 14:35:05 2022 +1200

    auth/credentials: Add cli_credentials_get_aes256_key()

    This allows us to generate AES256 keys from a given password and salt.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit d2a473a7b7471937d1098a11258b875134ad702a
Author: Andrew Bartlett
Date:   Mon Jan 31 14:08:13 2022 +1300

    dsdb: Allow password history and password changes without an NT hash

    We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts).

    (History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.)

    Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set.

    Pair-Programmed-With: Stefan Metzmacher
    Signed-off-by: Andrew Bartlett
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Stefan Metzmacher

commit 6029e2250c4dc837ed4f6b4613f988ae6dff49e3
Author: Andrew Bartlett
Date:   Fri Jun 10 12:47:01 2022 +1200

    s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored

    Since we don't store a salt per-key, but only a single salt, when we do not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check will fail for a previous password if the account was renamed prior to a newer password being set.

    Pair-Programmed-With: Stefan Metzmacher
    Signed-off-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  eaf829ad0bf s4/torture/unix_info2: return NULL on failure
       via  8261545a0f6 bind_dlz: some commentary for b9_format
       via  f1017c6f2dd dns/dlz: remember old timestamp for dynamic records
       via  590d2e169c4 dlz_bind9: call dns_name_is_static before adding space for record
       via  aae68994536 tortures/dlz: more DNS update tests
       via  d0d18934fa0 torture: add torture_assertf()
       via  937c2cd38a6 torture/bind_dlz: return the right kind of failure
       via  5d89c90ab45 torture/dlz: minor reformatting for README.Coding
       via  9b47d818d04 torture/dlz: reserve test_ prefix for actual tests
       via  247a39bba04 torture/dlz: putrr callback recognises more than A records
       via  c7254de6fda util/debug: share classname table with tests
       via  1a6890a94d2 debug: add DBG_DEV()
       via  b94c805783e debug: drop an '#if _SAMBA_BUILD_ == 3'
       via  dfc9cf384de tests: rename logging test source
       via  ab949131b5f tests: adapt logging test for s3.
       via  c668b5caa92 tests: test source4 cmdline/smb.conf log level
       via  66cabb8fd1c s3/smbd: stdin fstat failure is a failure
       via  25ad724c014 s3:tests: Reformat test_symlink_traversal_smb2.sh
       via  fcedbfbbc61 s3:tests: Reformat test_symlink_traversal_smb1_posix.sh
       via  0714a6b435b s3:tests: Reformat test_symlink_traversal_smb1.sh
       via  8722450d09c s3:tests: Reformat test_symlink_rename_smb1_posix.sh
       via  b86936063ca s3:tests: Reformat test_success.sh
       via  1f94e871985 s3:tests: Reformat test_substitutions.sh
       via  ce6a31d2188 s3:tests: Reformat test_smbtorture_s3.sh
       via  7731fd6e3fa s3:tests: Reformat test_smbstatus.sh
       via  2eea4409b5c s3:tests: Reformat test_smbspool.sh
       via  627934bc2f0 s3:tests: Reformat test_smbpasswd.sh
       via  8b039153846 s3:tests: Reformat test_smbget.sh
       via  a1520e4e581 s3:tests: Reformat test_smbd_no_krb5.sh
       via  0754d46cd1a s3:tests: Reformat test_smbd_error.sh
       via  42e96b64b33 s3:tests: Reformat test_smbcquota.sh
       via  6368b82f976 s3:tests: Reformat test_smbclient_tarmode.sh
       via  69bb8853f61 s3: VFS: full_audit. Ensure the module doesn't load if an operation name is miss-spelled or otherwise unknown.
       via  ec91a583708 s3: VFS: full_audit: Use correct DBG_ print messages in init_bitmap().
       via  fe78d3c014d s3: test: Add tests to show we still connect to a full_audit share with a bad success or fail VFS names.
      from  e752f841e68 ctdb-daemon: Use DEBUG() macro for child logging

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit eaf829ad0bf4bddf84da2dee0e375e36b13ad76d
Author: Douglas Bagnall
Date:   Thu Apr 14 11:47:57 2022 +1200

    s4/torture/unix_info2: return NULL on failure

    false is also NULL, but NULL is NULLer.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Jun 17 02:18:32 UTC 2022 on sn-devel-184

commit 8261545a0f68bb24911d3f734b803a13d90f0acf
Author: Douglas Bagnall
Date:   Wed Apr 13 12:09:08 2022 +1200

    bind_dlz: some commentary for b9_format

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit f1017c6f2dd136d1654a8ed3734721fc8f3c5b82
Author: Douglas Bagnall
Date:   Wed Apr 13 15:20:50 2022 +1200

    dns/dlz: remember old timestamp for dynamic records

    If we don't tell dns_common_replace() the old timestamp, it will think the node is static because the timestamp is 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15040

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 590d2e169c4538a41ed1cd99f5cf72f4b6e6e424
Author: Michael Saxl
Date:   Mon Apr 4 15:33:45 2022 +0200

    dlz_bind9: call dns_name_is_static before adding space for record

    dns_name_is_static is called after adding an uninitialized element to recs. There is a chance that the uninitialized memory reads an element with dwTimeStamp=0 and wType!=0. In that case dns_name_is_static will return true

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15040

    Signed-off-by: Michael Saxl
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit aae689945369cc47574a7cf90faa0e2f20b5b504
Author: Douglas Bagnall
Date:   Fri Apr 16 16:45:01 2021 +1200

    tortures/dlz: more DNS update tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15040

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit d0d18934fa0660f85225f6a9387a4583f77bb780
Author: Douglas Bagnall
Date:   Thu Apr 14 11:25:26 2022 +1200

    torture: add torture_assertf()

    Often we go 'torture_assert(tctx, expr, talloc_asprintf(tctx, "foo %s", foo));' which is just a pain.
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  e67845a73c9 ci-images: install diffutils prior to building images
       via  aec2076fa79 lib/util: Delegate constant time memcmp to gnutls_memcmp()
       via  222e1afc6f9 lib/util: Add test of mem_equal_const_time()
       via  a80d783a341 lib/util: Add test of data_blob_equal_const_time()
       via  8d7a091adcb lib/util: Reduce sum variable to uint8_t
       via  feb36dbebf1 lib/util: Change function to mem_equal_const_time()
       via  a554e2ce53c lib/util: Change function to data_blob_equal_const_time()
       via  ae6634c7877 auth: Use constant-time memcmp when comparing sensitive buffers
       via  87f68500ed6 lib/util: Move memcmp_const_time() to util.c
       via  ee29c601b25 tests/krb5/test_ldap.py: Increase maximum threshold for LDAP timeout
       via  14feb93d481 lib/util: Prefer backtrace_symbols() for internal backtraces
       via  bd09537e219 build: Possibly link against libexecinfo for backtrace_symbols()
       via  df11826a3b3 build: Make build with --disable-fault-hanlding work under --enable-developer
      from  ef1d04762af s3:smbd: Free allocated strings before leaving user_in_netgroup() function

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit e67845a73c96db885b9724d52857955b51b74632
Author: Uri Simchoni
Date:   Wed Jun 8 22:20:03 2022 +0300

    ci-images: install diffutils prior to building images

    Ensure the podman image used for generating Samba CI images includes 'diff' utility

    Signed-off-by: Uri Simchoni
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Jun 9 23:48:42 UTC 2022 on sn-devel-184

commit aec2076fa79b853e26b1fe606570f1c4ae94c79b
Author: Joseph Sutton
Date:   Wed Jun 8 15:19:58 2022 +1200

    lib/util: Delegate constant time memcmp to gnutls_memcmp()

    gnutls_memcmp() is mostly identical to our own implementation, except that ours will not break if supplied with 4 GiB or more of data. However, using an external function permits us to disclaim responsibility if some CPU/compiler combination happens to invalidate our constant-time guarantee.

    For reference, gnutls_memcmp() implementation:
    https://gitlab.com/gnutls/gnutls/-/blob/78d9820de0d2eb2f8088e359779ee7342f5f089e/lib/safe-memfuncs.c#L41-67

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 222e1afc6f9a49e99ae767d7572dfd16c236148d
Author: Joseph Sutton
Date:   Wed May 11 14:06:22 2022 +1200

    lib/util: Add test of mem_equal_const_time()

    Ensure that it gives the correct results for comparing two memory regions.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit a80d783a341fd8b88d73e04bf831b91984f87b73
Author: Joseph Sutton
Date:   Wed May 11 14:05:34 2022 +1200

    lib/util: Add test of data_blob_equal_const_time()

    Ensure that it gives the correct results for comparing two data blobs.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 8d7a091adcbd4eaa9e5e736413a179c322f6869d
Author: Joseph Sutton
Date:   Wed May 11 14:04:25 2022 +1200

    lib/util: Reduce sum variable to uint8_t

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit feb36dbebf1f0f48f4d9f2549471d355b4ead788
Author: Joseph Sutton
Date:   Wed May 11 12:07:43 2022 +1200

    lib/util: Change function to mem_equal_const_time()

    Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit a554e2ce53cbee584bf3c0944d466cbdf73dd3b2
Author: Joseph Sutton
Date:   Wed May 11 11:39:14 2022 +1200

    lib/util: Change function to data_blob_equal_const_time()

    Since data_blob_cmp_const_time() doesn't act as an exact replacement for data_blob_cmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit ae6634c78774d2368e815dea650ba71650dd1861
Author: Joseph Sutton
Date:   Thu Feb 17 15:35:42 2022 +1300

    auth: Use constant-time memcmp when comparing sensitive buffers

    This helps to avoid timing attacks.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 87f68500ed651f393e2fc6c514ab08b561a60a9b
Author: Joseph Sutton
Date:   Tue May 10 15:57:40 2022 +1200

    lib/util: Move memcmp_const_time() to util.c

    This allows it to be used in more places without needing to introduce more dependencies
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  c4e576052fa s4-samr: Fix missing check for GnuTLS errors from E_old_pw_hash()
       via  8a91ffa6bd6 fuzz: add lzxpress compress/decompress round-trip
       via  6c9fd8fbdbe fuzz: add fuzz_lzxpress_compress
       via  505d2879fa8 compression:tests: align test names with functions
       via  05c760165bf compression: add a few comments, including MS-XCA pointers.
       via  383a7cfed98 compression: remove always false constant comparison
       via  e36cb10b162 compression: lzxpress decompress empty string as empty string
       via  1ca44492941 compression: fix lzxpress decompress with trailing flags
       via  d8a90d2a8fc compression:tests: test lzxpress in some edge cases
       via  075df819cce compression: Move maximum length calculation out of inner loop
       via  877f007f32d compression: Use correct values for max len and offset
       via  fe5fa7e1974 compression: Replace divisions with shifts
       via  131eb752699 compression: Remove unneeded loop variable
       via  5b1f8ea8d3e compression: Reduce scope of variables
       via  1a964210d24 compression: Use PUSH_LE_U32 for first output buffer write
       via  41b88d35ce6 compression: Add bounds check for first output buffer write
       via  0c813ee5637 compression: Remove helper variables str1 and str2
       via  430bcd7a083 compression: Fix writing output flags
       via  bb9115e023b compression: Remove byte_left variable
       via  417e0c914fd compression: Remove redundant bounds check
       via  6f3f1ba5b4d compression: Add range check for indic_pos
       via  b62fbc4a535 compression: Remove redundant nibble_index check
       via  52982c01a59 compression: Make use of PUSH_LE_Uxx macros
       via  f2ea8d4c056 compression: Simplify code by making indic_pos an index
       via  b1534457982 compression: Make use of CHECK_{IN,OUT}PUT_BYTES macros
       via  ea42717ccae compression: Simplify code by removing metadata_size variable
       via  69244b52ed4 compression: Use correct value for indic_pos
       via  7fab9f90e8a compression: Use correct value for nibble_index
       via  f8feac11cbb compression: Simplify redundant branches
       via  d368fa61cfc compression: Consistently use PUSH_LE_Uxx macros
       via  9516b268458 compression: Use explicit data sizes
       via  eb7f139dec0 compression tests: Add additional compression tests
       via  3c2f1f03c19 compression: fix lzxpress-compress
       via  8f7fbc5c8fd compression: lzxpress_compress: fix no-op shift of 0
       via  a8fb45247ba compression: fix lzxpress_decompress
       via  f67ff611e96 compression tests: add test for legacy compressed data
       via  4bcdc3bf30a compression tests: add LZXpress tests based on [MS-XCA]
       via  eddefe3c62a util/base64: decode_data_blob_talloc catches talloc error
      from  be2e2044b8e s3: libsmbclient: Cope with SMB2 servers that return STATUS_USER_SESSION_DELETED on a SMB2_ECHO (SMB2_OP_KEEPALIVE) call with a NULL session.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit c4e576052fa9bc57d288bed69abb599e1f9bb27b
Author: Andrew Bartlett
Date:   Thu May 12 10:54:22 2022 +1200

    s4-samr: Fix missing check for GnuTLS errors from E_old_pw_hash()

    Not likely to be an issue in the real world as the earlier calls will have failed if weak crypto was disabled, but this was missed in dce944e8a1119034f184336f6b71a28080152a0a.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu May 12 03:18:42 UTC 2022 on sn-devel-184

commit 8a91ffa6bd64746358faf8661649c33f683759ef
Author: Douglas Bagnall
Date:   Wed May 11 12:08:54 2022 +1200

    fuzz: add lzxpress compress/decompress round-trip

    We say it is an error to end up at a different result.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 6c9fd8fbdbecc47e0595d3606bccf7d143b01b61
Author: Douglas Bagnall
Date:   Wed May 11 12:08:06 2022 +1200

    fuzz: add fuzz_lzxpress_compress

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 505d2879fa813796bf16af27615f0984bc71ad36
Author: Douglas Bagnall
Date:   Wed May 11 17:21:46 2022 +1200

    compression:tests: align test names with functions

    You'll thank me if you're ever debugging these and wondering why 'lzxpress4' calls 'lzxpress2' (or is it the other way round?).

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 05c760165bffa246b724d1471e307c488171b749
Author: Douglas Bagnall
Date:   Wed May 11 16:20:46 2022 +1200

    compression: add a few comments, including MS-XCA pointers.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 383a7cfed9856b9057f2e56a1a26b8d4247ebbb6
Author: Douglas Bagnall
Date:   Wed May 11 10:25:13 2022
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  0b214d666a9 gitignore: Add .ropeproject for pylsp-rope plugin
       via  ede2fcb5fe8 tests/user_check_password_script: Don't try to delete user after failed add
       via  187635ff6ff tests/user_check_password_script: Remove unused imports
       via  e6712751dd9 samdb: Avoid half-created accounts
       via  e6b61869772 tests/samba-tool user: Add test for adding a user over LDAP
       via  9b0f25ec498 tests/samba-tool user_wdigest: Check command results
       via  c87ec2d3315 tests/samba-tool user_wdigest: Add accounts to local database
       via  05a7092fdaf tests/samba-tool user_wdigest: Fix flapping test
       via  a71c62404ab tests/samba-tool user_wdigest: Remove unused imports
       via  7244a64478a bootstrap: matplotlib is not a real Samba dep
       via  c771d197eee bootstrap: chown the whole cloned repo, not just the subfolders
       via  dd568490089 .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
      from  17ba8120ed6 gpo: Add Centrify Compatible Crontab Extensions

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 0b214d666a973e9ede9fd70f92b6874cb7fa8ccb
Author: Andreas Schneider
Date:   Tue May 10 08:38:33 2022 +0200

    gitignore: Add .ropeproject for pylsp-rope plugin

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed May 11 00:04:55 UTC 2022 on sn-devel-184

commit ede2fcb5fe855ceb81b8f7f40975334f52c811b5
Author: Joseph Sutton
Date:   Tue May 10 16:18:14 2022 +1200

    tests/user_check_password_script: Don't try to delete user after failed add

    The user account should not exist if account creation failed.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 187635ff6ff1d62a9c5630d3969e65867cb3bb4a
Author: Joseph Sutton
Date:   Wed May 11 08:47:40 2022 +1200

    tests/user_check_password_script: Remove unused imports

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit e6712751dd9df5f4a7f2531ee0069d3958cc3b3b
Author: Joseph Sutton
Date:   Tue May 10 13:02:30 2022 +1200

    samdb: Avoid half-created accounts

    If newuser() or newcomputer() create an account over LDAP, and an attempt to modify it (e.g. to change the password) fails, ensure that we properly clean up the account. If we are connected over LDAP, we won't have transactions to clean things up for us.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit e6b6186977220530a2a05319a4a121fc582170c9
Author: Joseph Sutton
Date:   Tue May 10 13:01:43 2022 +1200

    tests/samba-tool user: Add test for adding a user over LDAP

    Ensure that we do not end up with half-created accounts.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 9b0f25ec498a318111a5f4fdbba3e1ce82bc0124
Author: Joseph Sutton
Date:   Tue May 10 12:59:59 2022 +1200

    tests/samba-tool user_wdigest: Check command results

    Ensure that the commands to create and delete the user execute successfully.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c87ec2d331521569a88bfdbfabd936187963c822
Author: Joseph Sutton
Date:   Tue May 10 12:59:06 2022 +1200

    tests/samba-tool user_wdigest: Add accounts to local database

    Adding accounts over LDAP means transactions cannot be used, potentially leading to problems.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 05a7092fdaf31b9264318208eeba3f306712f638
Author: Joseph Sutton
Date:   Tue May 10 12:49:50 2022 +1200

    tests/samba-tool user_wdigest: Fix flapping test

    The randomly-generated password for the user account may be too weak, causing account creation to fail. This leads to further problems, as the result of the command is not checked, and connecting over LDAP means transactions cannot be used, leading to a half-created account and failing tests.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit a71c62404ab1e669841cc40f98a5f1b51aba2c65
Author: Joseph Sutton
Date:   Wed May 11 08:45:24 2022 +1200

    tests/samba-tool user_wdigest: Remove unused imports

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 7244a64478a6425ee720c752b6cf73a576bbb6c8
Author: Andrew Bartlett
Date:   Thu May 5 15:44:05 2022 +1200

    bootstrap: matplotlib is not a real Samba dep

    This came in via the original list of packages used at Catalyst when building Samba for testing, in particular related to an example LDB module to trace LDB requests.

    There is no testing need for this even in make test.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Andreas Schneider

commit c771d197eeebf2b01d46451cc51b698a99502935
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  cc606c7c786 s3:tests: Reformat test_durable_handle_reconnect.sh
       via  7366bd11783 s3:tests: Reformat test_dropbox.sh
       via  4d79f8e1582 s3:tests: Reformat test_dfree_quota.sh
       via  fcbcfc8653a s3:tests: Reformat test_dfree_command.sh
       via  cdecce9c073 s3:tests: Reformat test_delete_veto_files_only_rmdir.sh
      from  7a36b018889 dsdb: Do not reuse "ret" variable as return code and for memcmp() comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit cc606c7c786d38672c7472aa68441197014e6de2
Author: Andreas Schneider
Date:   Fri Apr 22 15:34:08 2022 +0200

    s3:tests: Reformat test_durable_handle_reconnect.sh

    shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu May 5 03:42:13 UTC 2022 on sn-devel-184

commit 7366bd117831c1043b986dd08ec3a0c7b8486cca
Author: Andreas Schneider
Date:   Fri Apr 22 15:34:08 2022 +0200

    s3:tests: Reformat test_dropbox.sh

    shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 4d79f8e15821152bb2c8f33d270432be70cea577
Author: Andreas Schneider
Date:   Fri Apr 22 15:34:08 2022 +0200

    s3:tests: Reformat test_dfree_quota.sh

    shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit fcbcfc8653a00fe148f436b6c3a31aa700e13f8a
Author: Andreas Schneider
Date:   Fri Apr 22 15:34:08 2022 +0200

    s3:tests: Reformat test_dfree_command.sh

    shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit cdecce9c073eb7730d103d4420e50512d668d334
Author: Andreas Schneider
Date:   Fri Apr 22 15:34:08 2022 +0200

    s3:tests: Reformat test_delete_veto_files_only_rmdir.sh

    shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

---

Summary of changes:
 .../tests/test_delete_veto_files_only_rmdir.sh    | 217 ++--
 source3/script/tests/test_dfree_command.sh        |  29 +--
 source3/script/tests/test_dfree_quota.sh          | 222 +++--
 source3/script/tests/test_dropbox.sh              |  94 -
 .../script/tests/test_durable_handle_reconnect.sh |  14 +-
 5 files changed, 290 insertions(+), 286 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_delete_veto_files_only_rmdir.sh b/source3/script/tests/test_delete_veto_files_only_rmdir.sh index d2c3b2198f7..08f257ff8a6 100755 --- a/source3/script/tests/test_delete_veto_files_only_rmdir.sh +++ b/source3/script/tests/test_delete_veto_files_only_rmdir.sh @@ -5,10 +5,10 @@ # if [ $# -lt 6 ]; then -cat < "$tmpfile" <"$tmpfile" < "$tmpfile" <"$tmpfile" < "$tmpfile" <"$tmpfile" < "$tmpfile" <"$tmpfile" <&1) status=$? 
@@ -50,17 +51,17 @@ test_smbclient_dfree() { } if [ $protocol = "SMB3" ]; then - test_smbclient_dfree "Test dfree command share root SMB3" dfree "l" "2000 1024. 20" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=`expr $failed + 1` - test_smbclient_dfree "Test dfree command subdir1 SMB3" dfree "cd subdir1; l" "8000 1024. 80" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=`expr $failed + 1` - test_smbclient_dfree "Test dfree command subdir2 SMB3" dfree "cd subdir2; l" "32000 1024. 320" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=`expr $failed + 1` + test_smbclient_dfree "Test dfree command share root SMB3" dfree "l" "2000 1024. 20" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=$(expr $failed + 1) + test_smbclient_dfree "Test dfree command subdir1 SMB3" dfree "cd subdir1; l" "8000 1024. 80" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=$(expr $failed + 1) + test_smbclient_dfree "Test dfree command subdir2 SMB3" dfree "cd subdir2; l" "32000 1024. 320" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=SMB3 || failed=$(expr $failed + 1) elif [ $protocol = "NT1" ]; then - test_smbclient_dfree "Test dfree command share root NT1" dfree "l" "2000 1024. 20" -U$USERNAME%$PASSWORD --option=clientmaxprotocol=NT1 || failed=`expr $
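Review bot: In the @@ -50,17 +51,17 @@ hunk the reformatted calls still expand -U$USERNAME%$PASSWORD and the test [ $protocol = "SMB3" ] without quotes, so a password or protocol value containing whitespace or glob characters is word-split before test_smbclient_dfree receives it; since these lines are being rewritten anyway, a follow-up that quotes them as -U"$USERNAME%$PASSWORD" and [ "$protocol" = "SMB3" ] would be worthwhile. The new failed=$(expr $failed + 1) form could also become failed=$((failed + 1)), which avoids spawning expr for every failure.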
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  7a36b018889 dsdb: Do not reuse "ret" variable as return code and for memcmp() comparison
       via  2f17cbf3b29 tests/krb5: Allow passing expected etypes to get_keys()
       via  c294f729110 tests/passwords: Add tests for password history with simple binds
       via  08904752bba tests/passwords: Remove unused imports
       via  127fe361b83 selftest: Run some tests in the ad_dc_no_ntlm environment to show expected behaviour
       via  a9caf760b6f selftest: Rework password_lockout_base.py to allow logon_basics test to be run in ad_dc_no_ntlm
       via  f85f6f89f12 samba-tool user: Consistently return a tuple
       via  c3b2dae027e samba-tool user: Remove unused imports
       via  332b874a166 samba-tool tests: Remove unused variable
       via  5348bd80035 dsdb: Clarify that most errors in make_error_and_update_badPwdCount() are not returned
      from  ddeedcb6b2a gpo: Add Cert Auto Enroll Advanced Config

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7a36b01888995031d00dbdba208fc9f522658f86
Author: Andrew Bartlett
Date:   Thu Mar 31 21:22:08 2022 +1300

    dsdb: Do not reuse "ret" variable as return code and for memcmp() comparison

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu May 5 01:19:54 UTC 2022 on sn-devel-184

commit 2f17cbf3b295663a91e4facb0dc8f09ef4a77f4a
Author: Joseph Sutton
Date:   Mon Apr 11 15:43:00 2022 +1200

    tests/krb5: Allow passing expected etypes to get_keys()

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c294f729110f59b68c567bfe2b6da3a297a829a9
Author: Joseph Sutton
Date:   Mon Apr 11 16:43:42 2022 +1200

    tests/passwords: Add tests for password history with simple binds

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 08904752bba49039cf90534e6285defa17d23a0b
Author: Joseph Sutton
Date:   Mon Apr 11 16:37:10 2022 +1200

    tests/passwords: Remove unused imports

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 127fe361b83326d351944f9d641d75a5cee9deaa
Author: Andrew Bartlett
Date:   Thu Mar 31 21:16:03 2022 +1300

    selftest: Run some tests in the ad_dc_no_ntlm environment to show expected behaviour

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

commit a9caf760b6f952461ecd4894b0cab1c2648f1e96
Author: Andrew Bartlett
Date:   Thu Mar 31 22:45:40 2022 +1300

    selftest: Rework password_lockout_base.py to allow logon_basics test to be run in ad_dc_no_ntlm

    We need to ensure that even if NTLM is disabled, that the test can still bootstrap and fail normally.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

commit f85f6f89f128882d96ba0613dc7647f00100e8d3
Author: Joseph Sutton
Date:   Mon Apr 11 11:50:53 2022 +1200

    samba-tool user: Consistently return a tuple

    We would get an error when get_userPassword_hash() returned None, as get_virtual_crypt_value() would try to unpack the result as a 2-element tuple.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c3b2dae027eeb980227160ab7ded7fe108b0ea14
Author: Joseph Sutton
Date:   Mon Apr 11 11:50:25 2022 +1200

    samba-tool user: Remove unused imports

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 332b874a1665c0f3003bacfb3a3b28d55677cf74
Author: Joseph Sutton
Date:   Mon Apr 11 13:15:23 2022 +1200

    samba-tool tests: Remove unused variable

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 5348bd80035025e91158088db8efdea971b70557
Author: Andrew Bartlett
Date:   Fri Apr 1 12:06:45 2022 +1300

    dsdb: Clarify that most errors in make_error_and_update_badPwdCount() are not returned

    This is mainly just to be clear, and was done while failing to work around compiler warnings.

    For the curious it was gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (CentOS 7) build with -O3, which gave with other, later patches:

    ../../source4/dsdb/samdb/ldb_modules/password_hash.c: In function ‘check_password_restrictions_and_log’:
    ../../source4/dsdb/samdb/ldb_modules/password_hash.c:3231:5: error: assuming signed overflow does not occur when simplifying conditional to constant [-Werror=strict-overflow]
        if (ret == LDB_SUCCESS) {
        ^

    Regardless, we make it clear that all values assigned to "ret" are local small constants.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

---

Summary of changes:
 python/samba/netcmd/user.py| 8 +-
 python/samba/tests/krb5/kdc_base_test.py |
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 45b648486b9 s3:tests: Reformat test_deadtime.sh via 0d29cbf0413 s3:tests: Reformat test_close_denied_share.sh via 9d32559fb11 s3:tests: Reformat test_chdir_cache.sh via a3d0655ee09 s3:tests: Reformat test_async_req.sh via 6aaf527fc8a s3:tests: Reformat test_aio_outstanding.sh via facc2c002c7 s3:tests: Reformat test_acl_xattr.sh via b4ee11d083d s3:tests: Reformat printing_var_exp_lpr_cmd.sh via bfbae4f94c9 s3:tests: Reformat dlopen.sh via e93d73b6187 docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding from 54c6cf8666b libcli/smb: allow SMB2 Negotiate responses with security_offset = 0 and security_length = 0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 45b648486b9751beba7500c25294b4f7671caf44 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_deadtime.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue May 3 00:10:53 UTC 2022 on sn-devel-184 commit 0d29cbf041392bd922ad18b900069d05a541e412 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_close_denied_share.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9d32559fb11eaae6bba5c8e96af6814b8b0a1be2 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_chdir_cache.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit a3d0655ee09d9954dd901730372968d5a22e6ccd Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_async_req.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 6aaf527fc8a9f7125efd16b104b3261bad291ca5 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_aio_outstanding.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit facc2c002c7451d7d371f8fd1f73dc14a8085ff7 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat test_acl_xattr.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit b4ee11d083da33ec68bd5e95af3c481656b57d51 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat printing_var_exp_lpr_cmd.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit bfbae4f94c96270f1e50d104d96e0d5952a01bb1 Author: Andreas Schneider Date: Fri Apr 22 15:34:08 2022 +0200 s3:tests: Reformat dlopen.sh shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit e93d73b618797565dec66b31de961dc062264bd2 Author: Andrew Bartlett Date: Tue Apr 12 12:23:54 2022 +1200 docs: Explain the impact of "ntlm auth = disabled" on simple bind forwarding An RODC will forward an LDAP Simple bind, just like any other authentication, when the password is not present locally. If the full DC does not support NTLMv2 authentication this forwarded password will be rejected. A future Samba version should prefer Kerberos or send the plaintext, but we can not change the MS Windows behaviour, so we document this. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 
Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider --- Summary of changes: docs-xml/smbdotconf/security/ntlmauth.xml | 7 + source3/script/tests/dlopen.sh | 20 +- .../tests/printing/printing_var_exp_lpr_cmd.sh | 4 +- source3/script/tests/test_acl_xattr.sh | 211 +++-- source3/script/tests/test_aio_outstanding.sh | 19 +- source3/script/tests/test_async_req.sh | 4 +- source3/script/tests/test_chdir_cache.sh | 38 ++-- source3/script/tests/test_close_denied_share.sh| 33 ++-- source3/script/tests/test_deadtime.sh | 14 +- 9 files changed, 185 insertions(+), 165 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.x
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 420bbb1d92f wafsamba: require PYTHONHASHSEED=1 to be exported via aa02cf3c444 ctdb/packaging/RPM: don't use waf directly via 22c46d9f418 configure/Makefile: export PYTHONHASHSEED=1 in all 'configure/Makefile' scripts via a6b1e4b5766 wafsamba: let test_duplicate_symbol.sh export PYTHONHASHSEED=1 via 0be4f567233 s4:selftest/provisions: make use of 'make testenv' and avoid direct waf via 10d69da1d34 lib/fuzzing/README.md: don't use waf directly via 42eeed05f1a buildtools: remove unused testwaf.sh from 825dcc6a13d smbd: Don't NULL out "::$DATA" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 420bbb1d92fd2a28725b53f425ba3d214831b660 Author: Stefan Metzmacher Date: Mon Mar 28 13:00:03 2022 +0200 wafsamba: require PYTHONHASHSEED=1 to be exported This avoids a lot of trouble with random build failures, if people try to use waf directly. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Mar 29 23:31:38 UTC 2022 on sn-devel-184 commit aa02cf3c4449cb0a22da8f359f0b3edc4f1d9bb7 Author: Stefan Metzmacher Date: Mon Mar 28 12:38:36 2022 +0200 ctdb/packaging/RPM: don't use waf directly ./configure && make && make install will always work. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 22c46d9f41876d9ec7187148e658d1692bf37cdd Author: Stefan Metzmacher Date: Mon Mar 28 12:59:12 2022 +0200 configure/Makefile: export PYTHONHASHSEED=1 in all 'configure/Makefile' scripts Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit a6b1e4b5766205b7337e0e4b00944184289bfc36 Author: Stefan Metzmacher Date: Mon Mar 28 12:50:55 2022 +0200 wafsamba: let test_duplicate_symbol.sh export PYTHONHASHSEED=1 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0be4f5672338802042b06308c5cf0ea04bcaf48e Author: Stefan Metzmacher Date: Mon Mar 28 12:49:50 2022 +0200 s4:selftest/provisions: make use of 'make testenv' and avoid direct waf Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 10d69da1d34b2b11920d9bf051f5a26dbbcadf02 Author: Stefan Metzmacher Date: Mon Mar 28 12:49:24 2022 +0200 lib/fuzzing/README.md: don't use waf directly Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 42eeed05f1aed10b48f7008a18e47cf15ac2c010 Author: Stefan Metzmacher Date: Mon Mar 28 12:38:02 2022 +0200 buildtools: remove unused testwaf.sh Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: buildtools/scripts/Makefile.waf| 4 +- buildtools/scripts/configure.waf | 11 +++- buildtools/testwaf.sh | 70 -- buildtools/wafsamba/test_duplicate_symbol.sh | 3 + buildtools/wafsamba/wscript| 4 ++ configure | 4 ++ ctdb/Makefile | 2 +- ctdb/configure | 7 +++ ctdb/packaging/RPM/ctdb.spec.in| 6 +- lib/fuzzing/README.md | 12 ++-- lib/ldb/configure | 7 +++ lib/replace/configure | 7 +++ lib/talloc/configure | 7 +++ lib/tdb/configure | 7 +++ lib/tevent/configure | 7 +++ .../release-4-1-0rc3/steps-to-reproduce.txt| 2 +- 16 files changed, 75 insertions(+), 85 deletions(-) delete mode 100755 buildtools/testwaf.sh Changeset truncated at 500 lines: diff --git a/buildtools/scripts/Makefile.waf b/buildtools/scripts/Makefile.waf index 5fc939c99e0..a15a5f87607 100644 --- a/buildtools/scripts/Makefile.waf +++ b/buildtools/scripts/Makefile.waf @@ -1,7 +1,7 @@ # simple makefile wrapper to run waf -WAF_BINARY=BUILDTOOLS/bin/waf -WAF=WAF_MAKE=1 $(WAF_BINARY) +WAF_BINARY=$(PYTHON) BUILDTOOLS/bin/waf +WAF=PYTHONHASHSEED=1 WAF_MAKE=1 $(WAF_BINARY) all: $(WAF) build diff --git a/buildtools/scripts/configure.waf b/buildtools/scripts/configure.waf index a7d8d1dbd64..ccb62849a54 100755 --- a/buildtools/scripts/configure.waf 
+++ b/buildtools/scripts/configure.waf @@ -1,6 +1,6 @@ #!/bin/sh -PREVPATH=`dirname $0` +PREVPATH=$(dirname $0) WAF=BUILDTOOLS/bin/waf @@ -9,6 +9,13 @@ WAF=BUILDTOOLS/bin/waf JOBS=1 export JOBS +# Make sure we don't have any library preloaded. +unset LD_PRELOAD + +# Make sure we get stable hashes +PYTHONHASHSEE
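Review bot: In the configure.waf hunk, the rewritten `PREVPATH=$(dirname $0)` still leaves `$0` unquoted, so a source tree path containing whitespace is word-split before dirname sees it; since the line is being touched anyway, `PREVPATH=$(dirname "$0")` would close that. In the Makefile.waf hunk, `WAF_BINARY=$(PYTHON) BUILDTOOLS/bin/waf` depends on PYTHON being set by the caller; a one-line comment noting that an empty PYTHON falls back to the script's own shebang would help the next reader.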
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d7a91a855c7 s4-auth: Remove last traces of LanMan authentiation support in the AD DC. via 86f7e4e6905 s4-auth: Only build auth_developer module in developer mode via 360bb864e9a s4-auth: Do not trigger RODC replication unless missing all passwords via 1884bc11f01 s4-auth: Remove unused acct_flags parameter from 14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d7a91a855c7edfb0e09c93cbe4c56df0437fa467 Author: Andrew Bartlett Date: Fri Mar 25 12:18:01 2022 +1300 s4-auth: Remove last traces of LanMan authentiation support in the AD DC. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184 commit 86f7e4e69059e77c35f451919365685d909024af Author: Andrew Bartlett Date: Wed Mar 23 15:10:23 2022 +1300 s4-auth: Only build auth_developer module in developer mode This is a silly module for provoking NTSTATUS replies for testing and was useful many moons ago for determining the NTSTATUS -> DOS table that windows uses. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 360bb864e9a958c395f841bdc8caf866f8dcb0e0 Author: Andrew Bartlett Date: Wed Mar 16 16:27:54 2022 +1300 s4-auth: Do not trigger RODC replication unless missing all passwords With the NT hash becoming optional we cannot make blind assumptions that a missing value means we are on an RODC needing the password replicated. Instead, check for supplementalCredentials as well. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 1884bc11f0115078113253d48be684c32cb3c5f9 Author: Andrew Bartlett Date: Wed Mar 16 15:19:54 2022 +1300 s4-auth: Remove unused acct_flags parameter 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: WHATSNEW.txt| 5 + docs-xml/smbdotconf/security/lanmanauth.xml | 4 source4/auth/ntlm/auth_sam.c| 15 +++ source4/auth/ntlm/wscript_build | 3 ++- 4 files changed, 18 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d23bede2da2..1bdf3a01cfb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -66,6 +66,11 @@ server used as a front. REMOVED FEATURES +LanMan Authentication and password storage removed from the AD DC +- + +The storage and authentication with LanMan passwords has been entirely +removed from the Samba AD DC, even when "lanman auth = yes" is set. smb.conf changes diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index 842c12d9b64..045e89d94d6 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -45,6 +45,10 @@ then only NTLMv2 logins will be permitted and no LM hash will be stored. All modern clients support NTLMv2, and but some older clients require special configuration to use it. + +This parameter has no impact on the Samba AD DC, +LM authentication is always disabled and no LM password is ever +stored. no diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 60795c40723..14b6c707aa5 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -52,7 +52,6 @@ extern const char *domain_ref_attrs[]; / static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, TALLOC_CTX *mem_ctx, - uint16_t acct_flags, const struct samr_Password *nt_pwd, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, 
@@ -79,8 +78,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, - lpcfg_lanman_auth(auth_context->lp_ctx), -user_info->password.hash.lanman, +false, +
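Review bot: In the auth_sam.c hunk, at the hash_password_check() call, the bare `false` that replaces `lpcfg_lanman_auth(auth_context->lp_ctx)` gives no hint which parameter it is or why it is hard-coded; a short comment there, saying that LM authentication is always off on the AD DC whatever "lanman auth" is set to, would keep a later reader from restoring the smb.conf lookup. In the lanmanauth.xml hunk the added text is a comma splice ("... on the Samba AD DC, LM authentication is always disabled ..."); two sentences would read better in the manpage.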
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0bd4bc40f4a samba-tool: Check specified domain and realm against our own via 3dccf63e82b samba-tool: Return correct result for _get_user_realm_domain() via 52f9629408e samba-tool delegation: Clarify msDS-AllowedToDelegateTo delegation command documentation via 9a480f274b6 samba-tool delegation: Add commands to add/remove principals for RBCD via 572f90bdefc samba-tool delegation show: Display information for RBCD via e4ea06ec242 samba-tool delegation: Add function to display security descriptor for RBCD via bd1fd3de5cc s4:selftest: Remove ad_dc_ntvfs env from several tests from 67294a23b97 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0bd4bc40f4ad29446577d23e84e059e5bb1e5de5 Author: Joseph Sutton Date: Thu Feb 24 11:05:57 2022 +1300 samba-tool: Check specified domain and realm against our own Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 28 03:11:51 UTC 2022 on sn-devel-184 commit 3dccf63e82b38988828001a1d7f3a5a7b24a73de Author: Joseph Sutton Date: Thu Feb 24 10:07:35 2022 +1300 samba-tool: Return correct result for _get_user_realm_domain() We were returning the realm and the domain in the wrong order. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 52f9629408e7674f28a90d030c475178d644e192 Author: Joseph Sutton Date: Mon Feb 21 14:58:47 2022 +1300 samba-tool delegation: Clarify msDS-AllowedToDelegateTo delegation command documentation This makes the difference between msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity more clear. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9a480f274b62d8e491bcd54bfd189099729ff57a Author: Joseph Sutton Date: Mon Feb 21 14:58:30 2022 +1300 samba-tool delegation: Add commands to add/remove principals for RBCD These commands allow updating the msDS-AllowedToActOnBehalfOfOtherIdentity attribute with principals allowed to delegate to an account. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 572f90bdefcde13611fe50b7a5228fd6e3db2117 Author: Joseph Sutton Date: Mon Feb 21 15:07:50 2022 +1300 samba-tool delegation show: Display information for RBCD BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e4ea06ec242e6f26a5d997d0ba992bc0d2437cba Author: Joseph Sutton Date: Mon Feb 21 14:56:45 2022 +1300 samba-tool delegation: Add function to display security descriptor for RBCD We also check some features of the security descriptor, and display warnings if they are not as expected. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit bd1fd3de5cc1ee83bb5164277de714a61b0fd544 Author: Andreas Schneider Date: Sat Mar 26 08:42:21 2022 +0100 s4:selftest: Remove ad_dc_ntvfs env from several tests It doesn't make sense to run tests against ad_dc and ad_dc_ntvfs in those cases. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/netcmd/common.py | 29 ++- python/samba/netcmd/delegation.py | 393 +- python/samba/netcmd/spn.py| 4 +- source4/selftest/tests.py | 6 +- 4 files changed, 413 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/common.py b/python/samba/netcmd/common.py index bb17bfa10f2..4cdccd073ba 100644 --- a/python/samba/netcmd/common.py +++ b/python/samba/netcmd/common.py 
@@ -20,6 +20,7 @@ import re from samba.dcerpc import nbt from samba.net import Net +from samba.netcmd import CommandError import ldb @@ -27,26 +28,44 @@ import ldb NEVER_TIMESTAMP = int(-0x8000) -def _get_user_realm_domain(user): +def _get_user_realm_domain(user, sam=None): r""" get the realm or the domain and the base user from user like: * username * DOMAIN\username * username@REALM + + A SamDB object can also be passed in to check +our domain or realm against the obtained ones. """ baseuser = user -realm = "" -domain = "" m = re.match(r"(\w+)\\(\w+$)", user) if m: domain
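Review bot: The docstring added to _get_user_realm_domain() says a SamDB object can be passed "to check our domain or realm against the obtained ones" but not what happens on a mismatch, and it still does not state the order of the returned values. The new `from samba.netcmd import CommandError` import suggests a mismatch raises, so the docstring should say so, and it should spell out the return order as well, given that the companion commit 3dccf63e82b in this push exists because realm and domain were returned in the wrong order.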
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ef1dbcdc6cb torture: Allow Samba as an AD DC to use zeros for LM key via cb691c51ee2 torture: Do not expect LM passwords to be accepted except by samba3 via ac79ce221f0 torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key via faea2f8a6b5 selftest: Remove auth_log test for RAP password change via d0b922bd51d ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default via 4234e9b05fa s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers via 75c54d54ad9 dsdb: Remove LM hash parameter from samdb_set_password() and callers via a2fa7f427aa selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented via 45af51fd6e1 selftest: Cope with LM hash not being stored in the tombstone_reanimation test via f161e3f18f0 dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute via 0f53bfe7230 s4-rpc_server: Do not use LM hash in password changes via 6aaa1245630 s4-auth: Do not supply the LM hash to the AD DC authentication code via 2dbc8b98435 s4-auth: Disable LM authenticaton in the AD DC despite "lanman auth = yes" via 09eaf7403e8 s4/dsdb: Remove LM password generation and storage from password_hash via 338492d3457 s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon via 557b1ab5f96 kdc: Remove pre-check for existing NT and LM hash from kpasswd via 0a907c2f45c dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID via 1144addec50 dsdb: No longer supply exact password hashes in a control to indicate password changes via 9cec421d4df selftest: run s4member tests less via 4e21be7e89c selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3" via 5e9cb0ad208 selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3" via 28fc8df722b selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics via 5b41c871d9b 
selftest: Use more torture_assert_goto() et al in rpc.samlogon test from def505e68be wafsamba: Fix call to sorted() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ef1dbcdc6cbf723bb98280c798484ea7de36eb96 Author: Andrew Bartlett Date: Mon Feb 28 13:24:31 2022 +1300 torture: Allow Samba as an AD DC to use zeros for LM key This is simple, explainable and secure. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184 commit cb691c51ee2e4b0a2d64234383dffddba00bb257 Author: Andrew Bartlett Date: Mon Feb 28 13:19:58 2022 +1300 torture: Do not expect LM passwords to be accepted except by samba3 This allows Samba as an AD DC (compared with the fileserver/NT4-like DC mode) to match windows and refuse all LM passwords, no matter what. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit ac79ce221f0536bf0643b25f157bac2621bef4cf Author: Andrew Bartlett Date: Mon Feb 28 10:07:35 2022 +1300 torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key Not all cases are covered, but this much covers the areas that Samba and Win19 will agree on. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit faea2f8a6b54714c50e0a5b15bd1775d67944e06 Author: Andrew Bartlett Date: Fri Feb 18 12:55:57 2022 +1300 selftest: Remove auth_log test for RAP password change RAP is SMB1, the password change routine requires LM hashes and so everything here is going away or has now gone, so remove the test. 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit d0b922bd51d0c75ac9d850ceac689707cd24cf92 Author: Andrew Bartlett Date: Thu Feb 17 17:50:43 2022 +1300 ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 4234e9b05fade4339dab99f296776d5f55bd8629 Author: Andrew Bartlett Date: Thu Feb 17 10:48:54 2022 +1300 s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers This makes it easier to set some as "LM auth". Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 75c54d54ad9fdff7098c1b4f11252528f35ea658 Author: Andrew Bartlett Date: Thu Feb 17 07:35:54 2022 +1300 dsdb: Remove LM hash parameter from samdb_set_password() and callers This fixes the rpc.samr test because we no longer spe
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via def505e68be wafsamba: Fix call to sorted() via 005866b1092 s4-smbtorture: Fix typo in assertion message via 27dd0afb62d python/ntacls.py: Fix ACE type comparison via 52afaa0ceb5 s4:policy: Fix ACE type comparison via 95abdbcbb8c dsdb audit tests: Use assert_in_range() for comparing timestamps via 591db0ccc09 dsdb audit tests: Fix flapping test via 2a8ae72bc01 samba-tool: Fix typo via c4ecb66715c s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin via 1a28d97fefe s4:kdc: Remove trailing whitespace in wdc-samba4.c via 2380c7eab4d s4:kdc: Remove ks_is_tgs_principal() via c78f5b724be s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac() via b59c55e0528 s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac() via 0828cbd4bfe s4:kdc: Implement common samba_kdc_update_pac() via 27554581c1d s4:kdc: Make pac parameter of samba_client_requested_pac() const via 95cdbe1724f s4:kdc: Cleanup include files in pac-glue.c via a84cabf4711 lib:krb5_wrap: Implement smb_krb5_principal_is_tgs() via 1f24724b24e auth: Add required headers to auth_sam_reply.h via 27dd3d9fca0 s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy() via 70b4660c208 s4:kdc: Make sure ret is set if we goto bad_option via 94e9b338338 s4:kdc: Fix return code in mit_samba_update_pac() via 18dbdf6aace python:tests: Fix type error in raw_testcase.py via 5294dc80090 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit() via b01388da8a7 s4-kdc: Handle previously unhandled auth event types from 70b9977a46e s3:libsmb: Fix errno for failed authentication in SMBC_server_internal() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit def505e68be66e0179a345d3f7e2bd930712e150 Author: Joseph Sutton Date: Tue Feb 15 20:05:55 2022 +1300 wafsamba: Fix call to sorted() In Python 3, sorted() does not take a 'cmp' parameter, so we need to use the 'key' parameter instead. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184 commit 005866b10922c8dd59d334f1a77712be33213986 Author: Joseph Sutton Date: Tue Feb 15 09:25:38 2022 +1300 s4-smbtorture: Fix typo in assertion message Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 27dd0afb62d4f7427c966e984c7c8b01bc4d93b5 Author: Joseph Sutton Date: Fri Mar 4 16:11:42 2022 +1300 python/ntacls.py: Fix ACE type comparison SEC_ACE_TYPE_ values are not flags, so this comparison does not behave as intended. Modify the check to more closely match the one in gp_create_gpt_security_descriptor(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 52afaa0ceb5f2a372c075f64c5ae445621263b36 Author: Joseph Sutton Date: Wed Mar 2 17:14:42 2022 +1300 s4:policy: Fix ACE type comparison SEC_ACE_TYPE_ values are not flags, so this comparison does not behave as intended. Modify the check to more closely match the comment. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 95abdbcbb8c96bb58aa1fe08ddc5c8280e9e6a30 Author: Joseph Sutton Date: Thu Mar 17 11:20:45 2022 +1300 dsdb audit tests: Use assert_in_range() for comparing timestamps This can make the code clearer. assert_in_range() takes only integer parameters, but POSIX allows us to assume that time_t is an integer. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 591db0ccc090f49c74dff8dab6a7240432d03024 Author: Joseph Sutton Date: Tue Sep 28 20:42:36 2021 +1300 dsdb audit tests: Fix flapping test Use gettimeofday() to obtain the current time for comparison, to be consistent with audit_logging.c. On Linux, time() may occasionally return a smaller value than gettimeofday(), despite being called later. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2a8ae72bc0125e22b2637b961ca3b03a16774dcb Author: Joseph Sutton Date: Thu Mar 18 19:22:52 2021 +1300 samba-tool: Fix typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c4ecb66715caec7cb900f6bdf6b7ad749c4ef037 Author: Andreas Schneider Date: Mon Mar 7 10:41:41 2022 +0100 s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 1a28d97fefed6391e4d4e9c37b51baac598a66cc Author: Andreas Schneider Date: Mon Mar 7 13:15:08 2022 +0100 s4:kdc: Remove trailing whitespace in wdc-samba4.c Signed-off-by: Andreas Schneider Reviewed
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 40f2070d3b2 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names via 24b580cae23 auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available via 427125d1822 s4:auth: rename user_info->mapped_state to user_info->cracknames_called via 8dfdbe095a4 winbindd: don't set mapped_state in winbindd_dual_auth_passdb() via e1d2c59d360 nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN via c56cb12f347 s3:auth: make_user_info_map() should not set mapped_state via a12683bd120 s4:auth: fix confusing DEBUG message in authsam_want_check() via c7b8c71b2b7 s4:auth: check for user_info->mapped.account_name if it needs to be filled via 52787b9c1e9 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging via ca6948642bc s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging via 99efe5f4e9c s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging via 859c7817350 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info via 9a4ac8ab2e2 auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info via a6fb598d9dc s4:auth: encrypt_user_info() should set password_state instead of mapped_state via 31db704882b s4:auth: a simple bind uses the DCs name as workstation via 5c04c013549 s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name() via 62fb6c1dc85 rodc: Add tests for simple BIND alongside NTLMSSP binds via 2ad44686229 s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon via 012bd9f5b78 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON via 3625d138159 dsdb/tests: add test_login_basics_simple() via 0b1fbc9d56e dsdb/tests: prepare BasePasswordTestCase for simple bind tests via 751ce671a4a dsdb/tests: introduce assertLoginSuccess via 03ba5af3d9e dsdb/tests: make use of assertLoginFailure 
helper via 5a3214c9904 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps] via 90754591a7e dsdb/tests: passwords.py don't need to import BasePasswordTestCase via a30a7626254 python:tests: let insta_creds() also copy the bind_dn from the template from 239178aee36 s3: smbd: Rename srv_set_signing() -> smb1_srv_set_signing() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86 Author: Stefan Metzmacher Date: Thu Mar 3 11:10:00 2022 +0100 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names authenticate_ldap_simple_bind*() needs to pass the result of the cracknames operation into the auth stack as user_info->client.{account,domain}_name, because user_info->client.{account,domain}_name is also used when forwarding the request via netrLogonSamLogon* to a remote server, for exactly that the values are also used in order to map an AUTH_PASSWORD_PLAIN into AUTH_PASSWORD_RESPONSE, where the NTLMv2 response contains the account and domain names passed in the netr_IdentityInfo value. Otherwise it would not be possible to forward the LDAP simple bind authentication request to a remote DC. Currently this only applies to an RODC that forwards the request to an RWDC. But note that LDAP simple binds (as on Windows) only work for users in the DCs forest, as the DsCrackNames need to work and it can't work for users of remote forests. I tested that in a DC of a forest root domain, it rejected the LDAP simple bind against a different forest, but allowed it for users of a child domain in the same forest. The NTLMSSP bind worked in both cases. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184 commit 24b580cae23860a0fe6c9d3a285d60564057043d Author: Stefan Metzmacher Date: Thu Mar 3 11:10:00 2022 +0100 auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available The optional user_info->orig_client.{account,domain}_name are the ones really used by the client and should be used in audit logging. But we still fall back to user_info->client.{account,domain}_name. This will be important for the next commit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 Signed-off-by: Stefan Metzmacher Reviewe
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via e9e2aead1e7 s3:rpcclient: Fix crash in rpcclient
via 1ed9ece3ed1 s3:rpcclient: Fix trailing whitespace in cmd_dfs.c
via 39d85c34d2b s3:script: Blackbox tests for the rpcclient DFS commands
via 0f5d7ff1a9f s4:kdc: redirect pre-authentication failures to an RWDC
via 27ee5ad713b s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t
via f33f73f82fb third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
via 95b1963339e examples: Update winbindd.stp and its generator script
via e07f8901ec9 s3:winbind: Convert ListTrustedDomains parent/child call to NDR
via d05b5366a63 s3:winbind: Remove list_all_domains condition always false
via 64160686e45 s3:winbind: Move the function to list trusted domains to winbindd_dual_srv.c
from 3f977cd6f83 s3:lib: Fix possible 32-bit arithmetic overflow

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit e9e2aead1e72709a2d67962440e8deecca8c536a
Author: Pavel Filipenský
Date: Thu Feb 17 19:20:46 2022 +0100

s3:rpcclient: Fix crash in rpcclient

rpcclient SERVER -c 'dfsenum 5' dumps core

Signed-off-by: Pavel Filipenský
Reviewed-by: Andrew Bartlett
Reviewed-by: Joseph Sutton
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Mar 7 00:00:32 UTC 2022 on sn-devel-184

commit 1ed9ece3ed14b30c8971946920b2b2663d30cbe5
Author: Pavel Filipenský
Date: Thu Feb 17 19:20:46 2022 +0100

s3:rpcclient: Fix trailing whitespace in cmd_dfs.c

Signed-off-by: Pavel Filipenský
Reviewed-by: Andrew Bartlett
Reviewed-by: Joseph Sutton

commit 39d85c34d2b2b3b26f57980fc6955bc9f7f283a5
Author: Pavel Filipenský
Date: Wed Feb 23 17:39:46 2022 +0100

s3:script: Blackbox tests for the rpcclient DFS commands

Signed-off-by: Pavel Filipenský
Reviewed-by: Andrew Bartlett
Reviewed-by: Joseph Sutton

commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be
Author: Stefan Metzmacher
Date: Mon Feb 21 10:29:12 2022 +0100

s4:kdc: redirect pre-authentication failures to an RWDC

The most important case is that we still have a previous password cached at the RODC and the inbound replication hasn't wiped the cache yet and we also haven't triggered a new replication yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 27ee5ad713b760e8226537d79c529ace1efb07bf
Author: Stefan Metzmacher
Date: Thu Feb 24 21:31:52 2022 +0100

s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t

NOTE: This commit finally works again!

This aligns us with the following Heimdal change:

    commit 11d8a053f50c88256b4d49c7e482c2eb8f6bde33
    Author: Stefan Metzmacher
    AuthorDate: Thu Feb 24 18:27:09 2022 +0100
    Commit: Luke Howard
    CommitDate: Thu Mar 3 09:58:48 2022 +1100

    kdc-plugin: also pass astgs_request_t to the pac related functions

    This is more consistent and allows the pac hooks to be more flexible.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher

commit f33f73f82fb2d5d96928ce5910e2d0d939c2ff57
Author: Stefan Metzmacher
Date: Thu Mar 3 19:17:06 2022 +0100

third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

commit 95b1963339e27667eacbe4b99e2501c1aba54b38
Author: Samuel Cabrero
Date: Tue Feb 15 17:46:17 2022 +0100

examples: Update winbindd.stp and its generator script

Signed-off-by: Samuel Cabrero
Reviewed-by: Andrew Bartlett

commit e07f8901ec95aab8c36965000de185d99e642644
Author: Samuel Cabrero
Date: Fri Jun 4 15:36:16 2021 +0200

s3:winbind: Convert ListTrustedDomains parent/child call to NDR

By using NDR we avoid manual marshalling (netr_DomainTrust array to text string) and unmarshalling (parse the received text string back to a netr_DomainTrust array).

Signed-off-by: Samuel Cabrero
Reviewed-by: Andrew Bartlett

commit d05b5366a633110c627cf1d1f9d026d1a56e0123
Author: Samuel Cabrero
Date: Tue Mar 1 12:24:41 2022 +0100

s3:winbind: Remove list_all_domains condition always false

The 'list_all_domains' flag in a winbind request is only set by the torture_winbind_struct_list_trustdom() test, in fact to check the flag is ignored
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via e5607a8 Remove e-mail address via 3e57b41 Add link to security bugs in bugzilla from dac0a5d NEWS[4.16.0rc4]: Samba 4.16.0rc4 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit e5607a8c49189ae72060bbeb7d098bbf8f44bf37 Author: Andrew Bartlett Date: Tue Feb 1 15:47:21 2022 +1300 Remove e-mail address It is not our normal practice to include e-mail addresses in our advisory. Signed-off-by: Andrew Bartlett commit 3e57b41b141fbdca90774c5ba646beb93448e868 Author: Andrew Bartlett Date: Tue Aug 31 16:13:08 2021 +1200 Add link to security bugs in bugzilla Signed-off-by: Andrew Bartlett --- Summary of changes: history/security.html| 6 ++ security/CVE-2018-14629.html | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/history/security.html b/history/security.html index 608884f..54118f8 100755 --- a/history/security.html +++ b/history/security.html @@ -15,6 +15,12 @@ link to full release notes for each release. https://wiki.samba.org/index.php/Samba_Release_Planning;> supported Samba versions. + A list of public https://bugzilla.samba.org/buglist.cgi?f1=alias=regexp=Last Changed=PIDL=Samba 2.2=Samba 3.0=Samba 3.2=Samba 3.3=Samba 3.4=Samba 3.5=Samba 3.6=Samba 4.0=Samba 4.1 and newer_format=advanced=^CVE-.*"> + Samba Security Bugs is available. Some minor issues will + only be listed in https://bugzilla.samba.org;> + The Samba Bugzilla and not here, if they did not result + in a security release + Samba Security Releases diff --git a/security/CVE-2018-14629.html b/security/CVE-2018-14629.html index 1aca7b9..40ffcb7 100644 --- a/security/CVE-2018-14629.html +++ b/security/CVE-2018-14629.html 
@@ -68,7 +68,7 @@ and then disabling the 'dns' service in the smb.conf (eg 'server services = Credits === -The initial bug was found by Florian Stülpner florian.stuelp...@hiperscan.com +The initial bug was found by Florian Stülpner Aaron Haslett of Catalyst did the investigation and wrote the patch. -- Samba Website Repository
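Review bot: In the history/security.html hunk the added sentence stops at "in a security release" with no full stop, and the buglist link carries a hard-coded list of entries ("Samba 2.2" through "Samba 4.1 and newer") in its query string, which will silently miss bugs if Bugzilla gains a new entry. A short comment in the HTML saying how the query was generated would let the next editor regenerate it. The CVE-2018-14629.html hunk drops the address but keeps the credit line, which matches the stated practice in the commit message.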
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cb10b8704e8 s3:script: Reformat shell scripts via 98aed0644ae s3:locale: Reformat shell scripts via 1399b2430a0 selftest: Reformat shell scripts via 22eb76c6d0b script: Reformat shell scripts via 55cd39b92cf release-scripts: Reformat shell scripts via f025cc1a12c python: Reformat shell scripts from 0c113e652fe s3: smbd: Rename OpenDir_ntstatus() -> OpenDir(). https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cb10b8704e8640dbbb4b8c3ca876b890833e54ef Author: Andreas Schneider Date: Mon Feb 21 14:11:19 2022 +0100 s3:script: Reformat shell scripts shfmt -f source3/script/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 3 01:53:16 UTC 2022 on sn-devel-184 commit 98aed0644aec14ea7d88b7812cc15bf5f7379815 Author: Andreas Schneider Date: Mon Feb 21 14:10:29 2022 +0100 s3:locale: Reformat shell scripts shfmt -f source3/locale/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 1399b2430a06f4a4b82f99643bf41b732183b5cb Author: Andreas Schneider Date: Mon Feb 21 14:06:36 2022 +0100 selftest: Reformat shell scripts shfmt -f selftest/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 22eb76c6d0bfb9c6858eb0cef4211b4f833e9ae7 Author: Andreas Schneider Date: Mon Feb 21 14:02:15 2022 +0100 script: Reformat shell scripts shfmt -f script/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 55cd39b92cf23ccf8f7714df6d269af43855d307 Author: Andreas Schneider Date: Mon Feb 21 14:00:54 2022 +0100 release-scripts: Reformat shell scripts shfmt -f release-scripts/ | xargs shfmt -w -p -i 0 -fn 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit f025cc1a12cbcd3619a3f39a25dd8080a7a759c4 Author: Andreas Schneider Date: Mon Feb 21 13:59:33 2022 +0100 python: Reformat shell scripts shfmt -f python/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/tests/krb5/pyasn1_regen.sh| 3 +- python/samba/tests/samba_tool/computer_edit.sh | 70 --- python/samba/tests/samba_tool/contact_edit.sh | 75 python/samba/tests/samba_tool/group_edit.sh| 97 +- python/samba/tests/samba_tool/user_edit.sh | 78 python/samba/tests/test_pam_winbind.sh | 8 +- python/samba/tests/test_pam_winbind_chauthtok.sh | 46 ++--- .../tests/test_pam_winbind_warn_pwd_expire.sh | 16 +- release-scripts/build-docs | 13 +- release-scripts/build-htmlman-git | 3 +- release-scripts/build-htmlman-nogit| 3 +- release-scripts/build-manpages-git | 3 +- release-scripts/build-manpages-nogit | 3 +- script/clean-source-tree.sh| 4 +- script/commit_mark.sh | 10 +- script/ctdb-import.tree-filter.sh | 1 - script/find_python.sh | 4 +- script/git-hooks/check-trailing-whitespace | 20 +- script/git-hooks/pre-commit-hook | 10 +- script/git-hooks/pre-commit-script | 6 +- script/release.sh | 127 - selftest/checkpassword_arg1.sh | 2 +- selftest/gdb_backtrace | 91 + selftest/gdb_run | 4 +- selftest/in_screen | 91 - selftest/ns/add_bridge_iface.sh| 8 +- selftest/ns/create_bridge.sh | 2 - selftest/ns/mk_nsenter.sh | 5 +- selftest/ns/nsenter-helper.sh | 18 +- selftest/save.env.sh | 16 +- source3/locale/net/genmsg | 40 ++-- source3/script/creategroup | 22 +-- source3/script/mknissmbpasswd.sh | 39 ++-- source3/script/mknissmbpwdtbl.sh | 63 --- source3/script/mksyms.sh | 33 ++-- source3/script/smbtar | 205 +++-- 36 files changed, 661 insertions(+), 578 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/pyasn1_regen.sh b/python/samba/tests/k
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0f4eca775aa tests/krb5: Add tests for AS-REQ to self with FAST via 100be7eb8e7 tests/krb5: Correctly determine whether tickets are service tickets via 1eb91291b54 tests/krb5: Generate unique UPNs for enterprise tests via 3b23ae59ac4 s4:torture: Fix typo via 030afa6c01b s4:torture: Remove comments that are no longer relevant via bba30095ca1 kdc: Pad UPN_DNS_INFO PAC buffer via 31f3e815799 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows" via 7dfcbc4e381 tests/krb5: Add tests for PAC buffer alignment via abbeb5c2175 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data() via 3a3f7feac59 s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac() via 731d9c42d07 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key via e95fb04c5de s4:mitkdc: Add support for pac_attrs and requester_sid via b46a942f95b s4:mitkdc: Reset errno to 0 for com_err messages via c69bfa0939d s4:mitkdc: Use talloc_get_type_abort() in ks_get_context() via f00eb8485f4 s4:mitkdc: Initilalize is_error with errno instead of EPERM(1) from 5b526f4533b tdb: Raw performance torture to beat tdb_increment_seqnum https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0f4eca775aa52cfe40a25ead90c560d76b286ad9 Author: Joseph Sutton Date: Tue Dec 14 19:16:15 2021 +1300 tests/krb5: Add tests for AS-REQ to self with FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184 commit 100be7eb8e70ba270a8e92957a5e47466160a901 Author: Joseph Sutton Date: Tue Dec 14 19:16:00 2021 +1300 tests/krb5: Correctly determine whether tickets are service tickets Previously we expected tickets to contain a ticket checksum if the sname was not the krbtgt. However, the ticket checksum should not be present if we are performing an AS-REQ to our own account. 
Now we determine a ticket is a service ticket only if the request is also a TGS-REQ. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1eb91291b54b194d8312dac6dd605c793eabfd53 Author: Joseph Sutton Date: Tue Dec 14 19:16:26 2021 +1300 tests/krb5: Generate unique UPNs for enterprise tests This helps to avoid problems with account creation on Windows due to UPN uniqueness constraints. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3b23ae59ac4953d20ca4422b567a15227a17c545 Author: Joseph Sutton Date: Thu Dec 9 13:18:54 2021 +1300 s4:torture: Fix typo Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 030afa6c01bfc0bfd20a204a5cc7c9d33032a1e7 Author: Joseph Sutton Date: Thu Dec 9 13:18:45 2021 +1300 s4:torture: Remove comments that are no longer relevant Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit bba30095ca14dd947cb32a4403e351b0523304dd Author: Joseph Sutton Date: Fri Dec 10 14:59:22 2021 +1300 kdc: Pad UPN_DNS_INFO PAC buffer Padding this buffer to a multiple of 8 bytes allows the PAC buffer padding to match Windows. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 31f3e815799a205f48bebae666deb327e1058674 Author: Joseph Sutton Date: Tue Dec 14 19:19:42 2021 +1300 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows" This alignment should be done on the Samba side instead. This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7dfcbc4e381080b3e3e1777134aecef5522d1f01 Author: Joseph Sutton Date: Thu Dec 9 11:56:55 2021 +1300 tests/krb5: Add tests for PAC buffer alignment Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit abbeb5c2175ad9574d75e852c101887d6e642cb4 Author: Andreas Schneider Date: Mon Dec 13 08:31:49 2021 +0100 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 3a3f7feac59feba08438831cb02564e9b80cdc59 Author: Andreas Schneider Date: Thu Oct 7 15:12:35 2021 +0200 s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac() This will be allocated by the KDC in MIT KRB5 1.20 and newer. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 731d9c42d0775d9b1a7475ad2efbe23c2439f6db Author: Andreas Schneider Date: Mon Dec 13 15:48:08 2021 +0100 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key This is unused with MIT KRB5 < 1.20 as this is probably not the right k
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b948aeac539 hdb: Initialise HDB structure from 221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b948aeac5398693e0c8c70cbff531965ed7ecd23 Author: Joseph Sutton Date: Wed Dec 8 16:42:32 2021 +1300 hdb: Initialise HDB structure Additional fields may be added to this structure without us explicitly initialising them. This could cause Heimdal to crash upon reading garbage data, so we should zero-initialise the structure. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Dec 9 02:47:27 UTC 2021 on sn-devel-184 --- Summary of changes: source4/kdc/hdb-samba4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index f0939193ad7..92bc5ff28a6 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -530,7 +530,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION; } - *db = talloc(base_ctx, HDB); + *db = talloc_zero(base_ctx, HDB); if (!*db) { krb5_set_error_message(context, ENOMEM, "malloc: out of memory"); return NT_STATUS_NO_MEMORY; -- Samba Shared Repository
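Review bot: In the hdb_samba4_create_kdc hunk, switching to talloc_zero means any HDB member that is not assigned later is NULL or 0 instead of garbage, which is only safe if the consumer treats a NULL member as "not provided"; the commit message covers the garbage-read crash but not that assumption, so a one-line comment at the allocation would help whoever next adds a field. The failure path still reports "malloc: out of memory" although the allocator is talloc_zero; that string is unchanged context, but it could be corrected while this line is being touched.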
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors via 9844a331864 tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0 via d5cb6a1449d tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0 via f03f304deb3 tests/krb5: Adjust unknown critical FAST option test via 7d14aedd3dc tests/krb5: Add test for FAST with invalid ticket checksum via aa38476d89d tests/krb5: Remove magic flag constants via 45d81d56abe tests/krb5: Allow additional unexpected padata types via 6bf3610c5dc tests/krb5: Make edata checking less strict via dfe6ef6f3ec tests/krb5: Add tests for FAST with use-session-key flag and armor ticket via 9c050a4a03a tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data via 1eb1049d2bd tests/krb5: Don't request renewable tickets via f8e55b3670c tests/krb5: Adjust expected error codes for FAST tests from 8bd7b316bd6 kdc: Canonicalize realm for enterprise principals https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 221569a14c8ecd529eae5c8c021cffe65324afec Author: Joseph Sutton Date: Mon Dec 6 14:54:31 2021 +1300 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors A skew error means the client just tried using PADATA-ENC-TIMESTAMP or PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce them in that case. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184 commit 9844a331864ff44645d15e946707fe5278f97ae6 Author: Joseph Sutton Date: Mon Dec 6 13:06:52 2021 +1300 tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d5cb6a1449db10f2ab287798704c035f793f584c Author: Joseph Sutton Date: Wed Nov 17 20:17:27 2021 +1300 tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f03f304deb30522ed5bdc0875cf3b5233ef6ddc5 Author: Joseph Sutton Date: Wed Nov 17 20:16:32 2021 +1300 tests/krb5: Adjust unknown critical FAST option test Heimdal does not check FAST options when no preauth data is supplied, so the original test could not pass against Heimdal. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7d14aedd3dc904d4341d06c8b38d6e94e780ea71 Author: Joseph Sutton Date: Wed Nov 17 20:15:12 2021 +1300 tests/krb5: Add test for FAST with invalid ticket checksum Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit aa38476d89d4a41bef63f3814dd921c4dd4e103f Author: Joseph Sutton Date: Wed Nov 17 20:14:50 2021 +1300 tests/krb5: Remove magic flag constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 45d81d56abeb5dbc63471ef45bf6473d3ebf5189 Author: Joseph Sutton Date: Tue Dec 7 10:59:27 2021 +1300 tests/krb5: Allow additional unexpected padata types Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6bf3610c5dc729cf1dd0b6b63d85e512c25e99c3 Author: Joseph Sutton Date: Tue Dec 7 15:45:06 2021 +1300 tests/krb5: Make edata checking less strict Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce Author: Joseph Sutton Date: Thu Nov 18 13:44:32 2021 +1300 tests/krb5: Add tests for FAST with use-session-key flag and 
armor ticket This flag should be ignored and the FAST armor key used instead. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9c050a4a03a8bb1dd8b25a1e800942ce1da68710 Author: Joseph Sutton Date: Tue Nov 16 19:56:24 2021 +1300 tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1eb1049d2bdd44af95da820b3dcb5ccd94e4c231 Author: Joseph Sutton Date: Tue Nov 16 19:55:44 2021 +1300 tests/krb5: Don't request renewable tickets This is not necessary for testing FAST, and was causing some of the tests to fail. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f8e55b3670c221e5d880c79d0def7be82819e435 Author: Joseph Sutton Date: Tue Nov 16 19:55:17 2021 +1300 tests/krb5: Adjust expected error codes for FAST tests This allows more of the tests to pass. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/tests/krb5/fast_tests.py
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8bd7b316bd6 kdc: Canonicalize realm for enterprise principals via dceee8f heimdal_build: Do not build samba4kinit unless building embedded Heimdal via a0d75b1cce4 lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators via 2701293f48a s4:torture: Remove pre-send and post-receive callbacks from 7eb1e1cc949 s4:torture: Remove test combination with enterprise principal without canonicalize flag https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c Author: Joseph Sutton Date: Tue Dec 7 13:15:38 2021 +1300 kdc: Canonicalize realm for enterprise principals Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184 commit dceee8f62ace1b7a67401d502d2b3c4a1e17 Author: Andrew Bartlett Date: Tue Dec 7 11:30:10 2021 +1300 heimdal_build: Do not build samba4kinit unless building embedded Heimdal We should not attempt to build local copies of Heimdal utilities against a system krb5 library. Inspired by a WIP commit by Stefan Metzmacher in his lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit a0d75b1cce4b97e1d6b78ba2b7adf96988d55608 Author: Andrew Bartlett Date: Tue Jul 6 12:26:44 2021 +1200 lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators This provides the defines that may be needed to use the compiler-provided atomics, rather than a fallback. 
Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 2701293f48a9e4014f9ba1e925d458fe25865bfb Author: Joseph Sutton Date: Fri Dec 3 11:58:53 2021 +1300 s4:torture: Remove pre-send and post-receive callbacks The client-side testing done by these callbacks is no longer needed, and the server-side testing is covered by Python-based tests. Removing these leaves us with a more manageable test of the Kerberos API. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: lib/replace/wscript |7 + selftest/knownfail.d/kdc-enterprise | 63 -- selftest/knownfail_heimdal_kdc |3 - selftest/knownfail_mit_kdc | 36 + source4/heimdal_build/wscript_build | 31 +- source4/kdc/db-glue.c| 24 +- source4/torture/krb5/kdc-canon-heimdal.c | 1069 +- 7 files changed, 71 insertions(+), 1162 deletions(-) delete mode 100644 selftest/knownfail.d/kdc-enterprise Changeset truncated at 500 lines: diff --git a/lib/replace/wscript b/lib/replace/wscript index 53cb5d4fa76..a928b80f2f7 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript @@ -298,6 +298,13 @@ def configure(conf): 'HAVE___SYNC_FETCH_AND_ADD', msg='Checking for __sync_fetch_and_add compiler builtin') +conf.CHECK_CODE(''' +int i; +(void)__sync_add_and_fetch(, 1); +''', +'HAVE___SYNC_ADD_AND_FETCH', +msg='Checking for __sync_add_and_fetch compiler builtin') + conf.CHECK_CODE(''' int32_t i; atomic_add_32(, 1); diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise deleted file mode 100644 index c9b6c98a2ee..000 --- a/selftest/knownfail.d/kdc-enterprise +++ /dev/null 
@@ -1,63 +0,0 @@ -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7eb1e1cc949 s4:torture: Remove test combination with enterprise principal without canonicalize flag via 23ec41fd13f s4:torture: Remove AS_REQ_SELF test stage via f8b17214d06 tests/krb5: Add tests for enterprise principals with canonicalization via 860065a3c99 tests/krb5: Add tests for AS-REQ with an SPN via 31900a0a582 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types via ff6d325e38d tests/krb5: Check ticket cname for Heimdal via 3fc9dc2395e tests/krb5: Check logon name in PAC for canonicalization tests via 10983779bc5 tests/krb5: Only create testing accounts once per test run via 8036aa12766 waf:mitkrb5: Always define lib so we get the header include path via 238e4c86ca7 waf:mitkrb5: Fix MIT KRB5 detection if not in default system location via 61404faf767 waf:mitkrb5: Detect com_err with pkgconfig first via 61ce2899791 wafsamba: Pass lib to CHECK_DECLS() via 18788e174ed s3:waf: Fix dependendies for libads via 93619962020 s4:waf: Fix dependencies for TORTURE_UTIL via 8393adaa5ad s3:param: Only include smb_ldap.h for LDAP_* defines via 3bfdbc1e93b s3:param: Remove trailing spaces in loadparm.c via 528e5efc17d samba-tool: Test DNS record creation on member join via 5e31e8f15bf samba-tool: Create DNS entries on member join from 05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df Author: Joseph Sutton Date: Fri Dec 3 11:58:40 2021 +1300 s4:torture: Remove test combination with enterprise principal without canonicalize flag This test combination is not needed. Removing it allows us to avoid modifying requests prior to sending them, which can cause problems with an upgraded Heimdal version. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184 commit 23ec41fd13f3ccae6b494682901f084d34538bec Author: Joseph Sutton Date: Fri Dec 3 11:57:49 2021 +1300 s4:torture: Remove AS_REQ_SELF test stage This behaviour is already covered by existing Python tests. This test stage also modifies the request prior to sending it, which can cause problems with an upgraded Heimdal version. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f8b17214d06ad9f1321a1d57f6e9bfe7b8899bf6 Author: Joseph Sutton Date: Tue Nov 30 09:42:00 2021 +1300 tests/krb5: Add tests for enterprise principals with canonicalization Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 860065a3c99475e43f68330f7349cb317bc5b009 Author: Joseph Sutton Date: Thu Nov 25 16:22:58 2021 +1300 tests/krb5: Add tests for AS-REQ with an SPN Using a SPN should only be permitted if it is also a UPN, and is not an enterprise principal. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 31900a0a58283868798dcb90ed43519b39559c2c Author: Joseph Sutton Date: Fri Dec 3 13:13:29 2021 +1300 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ff6d325e38d83b689da47c1b059f3ed865ffa7c2 Author: Joseph Sutton Date: Thu Nov 25 16:16:52 2021 +1300 tests/krb5: Check ticket cname for Heimdal This is currently not checked in several places due to STRICT_CHECKING being set to 0. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3fc9dc2395ebc292087ae050bd721747e851056d Author: Joseph Sutton Date: Thu Dec 2 16:51:26 2021 +1300 tests/krb5: Check logon name in PAC for canonicalization tests This allows us to ensure that the correct name makes it through to the PAC. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 10983779bc5d50cdb69b64656cbc56f0250e3f23 Author: Joseph Sutton Date: Thu Dec 2 16:50:55 2021 +1300 tests/krb5: Only create testing accounts once per test run This decreases the time that the tests take to run. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 8036aa12766840e019f28e914a30769f71444ba9 Author: Andreas Schneider Date: Mon Dec 6 18:01:40 2021 +0100 waf:mitkrb5: Always define lib so we get the header include path If you have libkrb5 in a non-standard include path, we would not check the latest version but search default paths (e.g. /usr/include) first. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed. via 98cb41cb35d build: Remove kdc_include except where needed via 209a33670fa build: Only use embedded Heimdal include paths in an embedded Heimdal build from d6380560f87 docs: fix documentation for default of "fruit:zero_file_id" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 05c09e8cfa09d22b31b7da6b461413dfb807984a Author: Andrew Bartlett Date: Thu Dec 2 13:25:07 2021 +1300 heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed. This will otherwise break the system-heimdal build. This is correct regardless. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Dec 6 21:48:30 UTC 2021 on sn-devel-184 commit 98cb41cb35dfacbd5c6acfb13a0ac555b474da08 Author: Andrew Bartlett Date: Thu Dec 2 11:47:35 2021 +1300 build: Remove kdc_include except where needed This include was being set on too many subsystems, including some MIT-related. This was a problem because it would then trigger the mixing of MIT and Heimdal krb5.h files. It is now only set on the plugins and services that use the embedded Heimdal KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 209a33670fab5dd7373444ae1ce76dbb5dfa0058 Author: Andrew Bartlett Date: Thu Dec 2 11:33:02 2021 +1300 build: Only use embedded Heimdal include paths in an embedded Heimdal build BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: buildtools/wafsamba/samba3.py | 4 ++-- source4/heimdal_build/wscript_build | 18 +- source4/kdc/wscript_build | 9 - 3 files changed, 11 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: 
diff --git a/buildtools/wafsamba/samba3.py b/buildtools/wafsamba/samba3.py index ebc7fbb707f..4277c5f6f2e 100644 --- a/buildtools/wafsamba/samba3.py +++ b/buildtools/wafsamba/samba3.py @@ -35,8 +35,8 @@ def s3_fix_kwargs(bld, kwargs): # the extra_includes list is relative to the source3 directory extra_includes = [ '.', 'include', 'lib' ] -# local heimdal paths only included when USING_SYSTEM_KRB5 is not set -if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): +# local heimdal paths must only be included when using our embedded Heimdal +if bld.CONFIG_SET("USING_EMBEDDED_HEIMDAL"): extra_includes += [ '../source4/heimdal/lib/com_err', '../source4/heimdal/lib/krb5', '../source4/heimdal/lib/gssapi', diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build index 079cac744f9..77519356575 100644 --- a/source4/heimdal_build/wscript_build +++ b/source4/heimdal_build/wscript_build @@ -856,21 +856,21 @@ HEIMDAL_SUBSYSTEM('HEIMDAL_VERS_HOSTCC', use_global_deps=False, use_hostcc=True) -HEIMDAL_SUBSYSTEM('HEIMDAL_ASN1_GEN_HOSTCC', - 'lib/asn1/gen.c', - includes='../heimdal/lib/asn1', - group='hostcc_build_main', - cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS, - deps='ROKEN_HOSTCC', - use_global_deps=False, - use_hostcc=True) - HEIMDAL_SUBSYSTEM('HEIMDAL_VERS', 'lib/vers/print_version.c ../heimdal_build/version.c', deps='roken replace') if not bld.CONFIG_SET('USING_SYSTEM_ASN1_COMPILE'): +HEIMDAL_SUBSYSTEM('HEIMDAL_ASN1_GEN_HOSTCC', + 'lib/asn1/gen.c', + includes='../heimdal/lib/asn1', + group='hostcc_build_main', + cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS, + deps='ROKEN_HOSTCC', + use_global_deps=False, + use_hostcc=True) + # here is the asn1 compiler build rule HEIMDAL_BINARY('asn1_compile', 'lib/asn1/gen_copy.c ' diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build index 0edca94e75f..c7f28a72342 100644 --- a/source4/kdc/wscript_build +++ b/source4/kdc/wscript_build 
@@ -58,7 +58,6 @@ bld.SAMBA_LIBRARY('HDB_SAMBA4', bld.SAMBA_LIBRARY('HDB_SAMBA4_PLUGIN', source='hdb-samba4-plugin.c', deps='hdb HDB_SAMBA4 samba-util samba-hostconfig ', - includes=kdc_include, link_name='modules/hdb/hdb_samba4.so', realname='hdb_samba4.so',
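Review bot: In buildtools/wafsamba/samba3.py the guard now depends on USING_EMBEDDED_HEIMDAL being defined by the time s3_fix_kwargs() runs for every source3 target. If the define is set later in configure, or not at all in some embedded build, the ../source4/heimdal/lib/* include paths disappear silently and the build picks up whatever krb5.h is on the system path. Please state in the commit message where the define is set, or assert on it here.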
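Review bot: In source4/heimdal_build/wscript_build, HEIMDAL_ASN1_GEN_HOSTCC is now defined only when USING_SYSTEM_ASN1_COMPILE is unset, so any target that still names it in deps outside that conditional will fail in a system asn1_compile build. The visible hunk cannot show that every consumer sits inside the same block. A short statement in the commit message that all users were checked would settle it.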
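Review bot: The source4/kdc/wscript_build hunk removes includes=kdc_include from HDB_SAMBA4_PLUGIN, while the commit message says the include is now only set on the plugins and services that use the embedded Heimdal KDC. hdb-samba4-plugin.c reads like one of those plugins, so the message should say why this one builds without kdc_include.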
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dab828f63c0 pytest/source_char: check for mixed direction text via 0f7e58b0e29 samba-tool domain backup: backup but do not follow symlinks via 697abc15ea5 samba-tool domain backup: cope better with dangling symlinks from 5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dab828f63c0a6bf0bb96920fd36383f6cbe43179 Author: Douglas Bagnall Date: Wed Nov 17 20:17:53 2021 + pytest/source_char: check for mixed direction text As pointed out in https://lwn.net/Articles/875964, forbidding bidi marker characters is not always going to be enough to avoid right-to-left vs left-to-right confusion. Consider this: $ python -c's = "b = x # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))' b = x # 2 * n * m b = א # 2 * ח * m Those two lines are semantically the same, with the Hebrew letters "א" and "ח" replacing "x" and "n". But they look like they mean different things. It is not enough to say we only allow these scripts (or indeed non-ascii) in strings and comments, as demonstrated in this example: $ python -c's = "b = \"x#\" # n"; print(s); print(s.replace("x", "א").replace("n", "ח"))' b = "x#" # n b = "א#" # ח where the second line is visually disordered but looks valid. Any series of neutral characters between two RTL characters will be reversed (and possibly mirrored). In practice this affects one file, which is a text file for testing unicode normalisation. I think, for the reasons shown above, we are unlikely to see legitimate RTL code outside perhaps of documentation files — but if we do, we can add those files to the allow-list. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Dec 3 18:53:43 UTC 2021 on sn-devel-184 commit 0f7e58b0e29778711d3385adbba957c175c3bdef Author: Douglas Bagnall Date: Wed Dec 1 10:20:48 2021 +1300 samba-tool domain backup: backup but do not follow symlinks BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 697abc15ea50e9069eb483fdd734588281bae123 Author: Douglas Bagnall Date: Thu Nov 25 09:26:54 2021 +1300 samba-tool domain backup: cope better with dangling symlinks Our previous behaviour was to try to os.stat() the non-existent target. The new code greatly improves efficiency for this little task. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/netcmd/domain_backup.py | 10 +- python/samba/tests/source_chars.py | 29 + testdata/source-chars-bidi.py| 24 3 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 testdata/source-chars-bidi.py Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py index 81738196385..6cb0e512595 100644 --- a/python/samba/netcmd/domain_backup.py +++ b/python/samba/netcmd/domain_backup.py @@ -1109,6 +1109,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command): # Recursively get all file paths in the backup directories all_files = [] +all_stats = set() for backup_dir in backup_dirs: for (working_dir, _, filenames) in os.walk(backup_dir): if working_dir.startswith(paths.sysvol): 
@@ -1126,7 +1127,13 @@ class cmd_domain_backup_offline(samba.netcmd.Command): # Ignore files that have already been added. This prevents # duplicates if one backup dir is a subdirectory of another, # or if backup dirs contain hardlinks. -if any(os.path.samefile(full_path, file) for file in all_files): +try: +s = os.stat(full_path, follow_symlinks=False) +except FileNotFoundError: +logger.warning(f"{full_path} does not exist!") +continue + +if (s.st_ino, s.st_dev) in all_stats: continue # Assume existing backup files are from a previous backup. @@ -1140,6 +1147,7 @@ class cmd_domain_backup_offline(samba.netcmd.
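Review bot: In the second python/samba/netcmd/domain_backup.py hunk, the new try/except around os.stat(full_path, follow_symlinks=False) handles only FileNotFoundError, so a PermissionError or any other OSError on a single entry still aborts the whole offline backup. Consider catching OSError and logging the error, and have the warning say the path is being skipped. The comment above the check still talks only about nested backup dirs and hardlinks. Since the stat no longer follows symlinks, a link and its target now have different (s.st_ino, s.st_dev) keys, and that intended behaviour deserves a line in the comment.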
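The commit message for dab828f63c0 above argues that banning bidi control characters is not enough and that lines mixing text directions have to be caught as well. The following is an added sketch of such a check, not Samba's python/samba/tests/source_chars.py; the function names, finding labels, file names and sample lines are constructed for illustration.

```python
import unicodedata

# Bidirectional classes (UAX #9) as returned by unicodedata.bidirectional().
RTL = {"R", "AL"}        # strong right-to-left: Hebrew, Arabic, ...
STRONG = {"L"} | RTL     # classes that establish a direction
EXPLICIT = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
MARKS = {"\u200e", "\u200f", "\u061c"}   # LRM, RLM, ALM (invisible marks)


def neutral_run_between_rtl(classes):
    """True if two RTL characters enclose only weak/neutral characters.

    Such a run (spaces, quotes, '#', digits, operators) is displayed in
    reverse order, which is why the commit's second example looks valid.
    """
    prev_strong, gap = None, 0
    for cls in classes:
        if cls in STRONG:
            if cls in RTL and prev_strong in RTL and gap:
                return True
            prev_strong, gap = cls, 0
        else:
            gap += 1
    return False


def classify_line(line):
    """Return the set of bidi findings for one line of source text."""
    classes = [unicodedata.bidirectional(ch) for ch in line]
    findings = set()
    if any(c in EXPLICIT for c in classes) or any(ch in MARKS for ch in line):
        findings.add("bidi-control")
    if any(c in RTL for c in classes) and "L" in classes:
        findings.add("mixed-direction")
    if neutral_run_between_rtl(classes):
        findings.add("neutral-run-between-rtl")
    return findings


def scan_source(text):
    """Return [(line number, sorted findings)] for every flagged line."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings = classify_line(line)
        if findings:
            report.append((lineno, sorted(findings)))
    return report


def scan_files(sources, allow_list=frozenset()):
    """Scan {name: text}, skipping names on the allow-list.

    The allow-list plays the role the commit message describes: files that
    legitimately contain RTL text, such as normalisation test data.
    """
    result = {}
    for name, text in sources.items():
        if name in allow_list:
            continue
        report = scan_source(text)
        if report:
            result[name] = report
    return result


# Constructed sample: the two lines from the commit message (written with
# escapes so this file itself stays left-to-right), plus a plain non-ASCII
# line and a line with a right-to-left override character.
SAMPLE = (
    'b = x # 2 * n * m\n'
    'b = \u05d0 # 2 * \u05d7 * m\n'
    'b = "\u05d0#" # \u05d7\n'
    'name = "caf\u00e9"\n'
    'if role != "user\u202e":\n'
)

if __name__ == "__main__":
    for lineno, findings in scan_source(SAMPLE):
        print(f"line {lineno}: {', '.join(findings)}")
```

Non-ASCII left-to-right text such as the accented line is not flagged, so the check stays usable on code bases with translated strings.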
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs via 9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket via ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal via 1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self via 192d6edfe91 tests/krb5: Add a test for S4U2Self with no authorization data required via 4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets via 90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets via e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers" via 73a48063469 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests via 690a00a40c0 kdc: Always add the PAC if the header TGT is from an RODC via b6a25f5f016 kdc: Match Windows error code for mismatching sname via bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname via d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows via f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows via 9cfb88ba048 s4:torture: Fix typo via 11fb9476ad3 heimdal:kdc: Fix error message for user-to-user via 749349efab9 tests/krb5: Add comments for tests that fail against Windows via ca80c47406e tests/krb5: Add tests for validation with requester SID PAC buffer via ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2 via ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST via 778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT via 7574ba9f580 tests/krb5: Add tests for invalid TGTs via 28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments via d95705172bc tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2 via e930274aa43 tests/krb5: Split out methods to create renewable or invalid tickets via a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams via 
167bd207048 tests/krb5: Run test_rpc against member server via f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests via 57b1b76154d tests/krb5: Remove unused variable via ad4d6fb01fd selftest: Check received LDB error code when STRICT_CHECKING=0 from cbf312f02bc s3:winbind: Fix possible NULL pointer dereference https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 38c5bad4a853b19fe9a51fb059e150b153c4632a Author: Joseph Sutton Date: Wed Nov 24 20:41:54 2021 +1300 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184 commit 9bd26804852d957f81cb311e5142f9190f9afa65 Author: Joseph Sutton Date: Tue Nov 23 19:38:35 2021 +1300 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but when generating a service ticket for S4U2Self, we want to avoid adding the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ee4aa21c487fa80082a548b2e4f115a791e30340 Author: Joseph Sutton Date: Thu Nov 25 09:29:42 2021 +1300 selftest: Properly check extra PAC buffers with Heimdal Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1 Author: Joseph Sutton Date: Tue Nov 23 17:30:50 2021 +1300 heimdal:kdc: Always generate a PAC for S4U2Self If we decided not to put a PAC into the ticket, mspac would be NULL here, and the resulting ticket would not contain a PAC. This could happen if there was a request to omit the PAC or the service did not require authorization data. Ensure that we always generate a PAC. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 192d6edfe912105ec344dc554f872a24c03540a3 Author: Joseph Sutton Date: Thu Nov 25 12:46:40 2021 +1300 tests/krb5: Add a test for S4U2Self with no authorization data required Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4b60e9516497c2e7f1545fe50887d0336b9893f2 Author: Joseph Sutton Date: Thu Nov 25 10:53:49 2021 +1300 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when presented with an RODC-issued TGT. By removing this PAC buffer from RODC-issued tickets, we ensure that an RODC-issued ticket
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5094d986b76 lib/krb5_wrap: Fix missing error check in new salt code from 5eeb441b771 dsdb: Allow special chars like "@" in samAccountName when generating the salt https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5094d986b7686f057195dcb10764295b88967019 Author: Andrew Bartlett Date: Fri Oct 22 10:50:36 2021 +1300 lib/krb5_wrap: Fix missing error check in new salt code CID 1492905: Control flow issues (DEADCODE) This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184 --- Summary of changes: lib/krb5_wrap/krb5_samba.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 63a6e951f80..fff5b4e2a22 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -594,9 +594,9 @@ int smb_krb5_salt_principal(krb5_context krb5_ctx, * No matter what realm (including none) in the UPN, * the realm is replaced with our upper-case realm */ - smb_krb5_principal_set_realm(krb5_ctx, -*salt_princ, -upper_realm); + krb5_ret = smb_krb5_principal_set_realm(krb5_ctx, + *salt_princ, + upper_realm); if (krb5_ret != 0) { krb5_free_principal(krb5_ctx, *salt_princ); TALLOC_FREE(frame); -- Samba Shared Repository
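Review bot: In lib/krb5_wrap/krb5_samba.c, now that krb5_ret is assigned from smb_krb5_principal_set_realm(), the error branch below it becomes live, and in the visible context it calls krb5_free_principal(krb5_ctx, *salt_princ) without resetting the caller's pointer. Setting *salt_princ = NULL after the free would keep a caller that mishandles the return value from touching freed memory.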
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 04f188f4d57 bootstrap: Debian 11 has liburing-dev from c901adaa0d4 bootstrap: Add Debian 11 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 04f188f4d573f0138b75f26d1c18d98329a3446e Author: Martin Schwenke Date: Tue Oct 19 11:00:22 2021 +1100 bootstrap: Debian 11 has liburing-dev BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872 Signed-off-by: Martin Schwenke Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184 --- Summary of changes: .gitlab-ci-main.yml | 2 +- bootstrap/config.py | 1 - bootstrap/generated-dists/debian11/bootstrap.sh | 1 + bootstrap/generated-dists/debian11/packages.yml | 1 + bootstrap/sha1sum.txt | 2 +- 5 files changed, 4 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index ba8de6c22fe..cc48ec12a64 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 8d90789fe49d9003a7e5c66b1a00639bcce1238f + SAMBA_CI_CONTAINER_TAG: dd885c72c8615e2d6166a04f3709d9ceaa728f84 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index c98ece513ec..2cf754782a1 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -404,7 +404,6 @@ DEB_DISTS = { 'vagrant_box': 'debian/bullseye64', 'replace': { 'language-pack-en': '', # included in locales -'liburing-dev': '', # not available } }, 'ubuntu1804': { diff --git a/bootstrap/generated-dists/debian11/bootstrap.sh b/bootstrap/generated-dists/debian11/bootstrap.sh index 84f5f6855b7..07d6209c072 100755 --- a/bootstrap/generated-dists/debian11/bootstrap.sh +++ b/bootstrap/generated-dists/debian11/bootstrap.sh 
@@ -70,6 +70,7 @@ apt-get -y install \ libtasn1-dev \ libtracker-sparql-2.0-dev \ libunwind-dev \ +liburing-dev \ lmdb-utils \ locales \ lsb-release \ diff --git a/bootstrap/generated-dists/debian11/packages.yml b/bootstrap/generated-dists/debian11/packages.yml index 32f37eeb013..6d3c2385339 100644 --- a/bootstrap/generated-dists/debian11/packages.yml +++ b/bootstrap/generated-dists/debian11/packages.yml @@ -59,6 +59,7 @@ packages: - libtasn1-dev - libtracker-sparql-2.0-dev - libunwind-dev + - liburing-dev - lmdb-utils - locales - lsb-release diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index a9996ecf27d..60a3cced99c 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -8d90789fe49d9003a7e5c66b1a00639bcce1238f +dd885c72c8615e2d6166a04f3709d9ceaa728f84 -- Samba Shared Repository
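Review bot: SAMBA_CI_CONTAINER_TAG in .gitlab-ci-main.yml has to be copied from bootstrap/sha1sum.txt, and the only thing tying the two together is the comment in the first hunk. Both carry dd885c72c8615e2d6166a04f3709d9ceaa728f84 here, so this change is consistent, but a CI step that fails when the two values differ would catch a stale tag before images are built against the wrong package list.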
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c901adaa0d4 bootstrap: Add Debian 11 from 9d3a6919202 tests/krb5: Add tests for requesting a service ticket without a PAC https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c901adaa0d4526deff550806e49976d686122674 Author: Martin Schwenke Date: Thu Oct 14 14:50:41 2021 +1100 bootstrap: Add Debian 11 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872 Signed-off-by: Martin Schwenke Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184 --- Summary of changes: .gitlab-ci-main.yml | 8 +++- bootstrap/.gitlab-ci.yml | 3 +++ bootstrap/config.py | 8 bootstrap/generated-dists/Vagrantfile | 7 +++ bootstrap/generated-dists/{centos7 => debian11}/Dockerfile| 2 +- bootstrap/generated-dists/{debian10 => debian11}/bootstrap.sh | 0 bootstrap/generated-dists/{centos7 => debian11}/locale.sh | 0 bootstrap/generated-dists/{debian10 => debian11}/packages.yml | 0 bootstrap/sha1sum.txt | 2 +- 9 files changed, 27 insertions(+), 3 deletions(-) copy bootstrap/generated-dists/{centos7 => debian11}/Dockerfile (92%) copy bootstrap/generated-dists/{debian10 => debian11}/bootstrap.sh (100%) copy bootstrap/generated-dists/{centos7 => debian11}/locale.sh (100%) copy bootstrap/generated-dists/{debian10 => debian11}/packages.yml (100%) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index f807eef41ce..ba8de6c22fe 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 752c448d3186fe93a0c4039b8fbe897bb67a1f33 + SAMBA_CI_CONTAINER_TAG: 8d90789fe49d9003a7e5c66b1a00639bcce1238f # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. 
@@ -58,6 +58,7 @@ variables: SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004 SAMBA_CI_CONTAINER_IMAGE_debian9: debian9 SAMBA_CI_CONTAINER_IMAGE_debian10: debian10 + SAMBA_CI_CONTAINER_IMAGE_debian11: debian11 SAMBA_CI_CONTAINER_IMAGE_opensuse151: opensuse151 SAMBA_CI_CONTAINER_IMAGE_opensuse152: opensuse152 SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33 @@ -569,6 +570,11 @@ debian10-samba-o3: variables: SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian10} +debian11-samba-o3: + extends: .samba-o3-template + variables: +SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11} + opensuse151-samba-o3: extends: .samba-o3-template variables: diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 1cef89374de..01da6106b53 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -97,6 +97,9 @@ ubuntu2004: debian10: extends: .build_image_template +debian11: + extends: .build_image_template + fedora33: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 7fe3bbd956a..c98ece513ec 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -399,6 +399,14 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, +'debian11': { +'docker_image': 'debian:11', +'vagrant_box': 'debian/bullseye64', +'replace': { +'language-pack-en': '', # included in locales +'liburing-dev': '', # not available +} +}, 'ubuntu1804': { 'docker_image': 'ubuntu:18.04', 'vagrant_box': 'ubuntu/bionic64', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 7c1e0d80c6a..358d8e23d59 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile 
@@ -31,6 +31,13 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "debian10/locale.sh" end +config.vm.define "debian11" do |v| +v.vm.box = "debian/bullseye64" +v.vm.hostname = "debian11" +v.vm.provision :shell, path: "debian11/bootstrap.sh" +v.vm.provision :shell, path: "debian11/locale.sh" +end + config.vm.define "fedora33" do |v| v.vm.box = "fedora/33-cloud-base" v.vm.hostname = "fedora33" diff --git a/bootstrap/generated-dists/centos7/Dockerfile b/bootstrap/generated-dists/debian11/Dockerfile similarity index 92% copy from bootstrap/generated-dists/centos7/Dockerfile
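Review bot: In the bootstrap/config.py hunk, the new debian11 entry repeats 'liburing-dev': '' with the comment "not available", identical to the entry directly above it. If that line was carried over from the older Debian entry rather than checked against the bullseye archive, the package is dropped from the image without cause. Please verify and either remove the replacement or say in the commit message how it was checked.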
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9d3a6919202 tests/krb5: Add tests for requesting a service ticket without a PAC via 288355896a2 tests/krb5: Add method to get the PAC from a ticket via 0dc69c1327f tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange() via e086c6193f6 tests/krb5: Allow get_tgt() to request including or omitting a PAC via d23d8e85935 heimdal:kdc: Fix ticket signing without a PAC from a7ad665e65f selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9d3a691920205f8a9dc05d0e173e25e6a335f139 Author: Joseph Sutton Date: Fri Oct 15 14:29:26 2021 +1300 tests/krb5: Add tests for requesting a service ticket without a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184 commit 288355896a2b6f460c42559ec46ff980ab57782e Author: Joseph Sutton Date: Fri Oct 15 14:27:25 2021 +1300 tests/krb5: Add method to get the PAC from a ticket BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0dc69c1327f72384628a869a00482f6528b8671b Author: Joseph Sutton Date: Fri Oct 15 14:27:15 2021 +1300 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5 Author: Joseph Sutton Date: Fri Oct 15 14:26:40 2021 +1300 tests/krb5: Allow get_tgt() to request including or omitting a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216 Author: Joseph Sutton Date: Fri Oct 15 12:12:30 2021 +1300 heimdal:kdc: Fix ticket signing without a PAC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/tests/krb5/kdc_base_test.py | 9 +-- python/samba/tests/krb5/kdc_tgs_tests.py | 120 +++ python/samba/tests/krb5/raw_testcase.py | 11 +++ selftest/knownfail_heimdal_kdc | 5 ++ selftest/knownfail_mit_kdc | 5 ++ source4/heimdal/kdc/krb5tgs.c| 6 +- 6 files changed, 150 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 87160f675ae..1fc15315b0b 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1306,9 +1306,9 @@ class KDCBaseTest(RawKerberosTest): def get_tgt(self, creds, to_rodc=False, kdc_options=None, expected_flags=None, unexpected_flags=None, -fresh=False): +pac_request=True, expect_pac=True, fresh=False): user_name = creds.get_username() -cache_key = (user_name, to_rodc, kdc_options) +cache_key = (user_name, to_rodc, kdc_options, pac_request) if not fresh: tgt = self.tkt_cache.get(cache_key) @@ -1363,7 +1363,7 @@ class KDCBaseTest(RawKerberosTest): kdc_options=kdc_options, preauth_key=None, ticket_decryption_key=ticket_decryption_key, -pac_request=True, +pac_request=pac_request, pac_options=pac_options, to_rodc=to_rodc) self.check_pre_authentication(rep) @@ -1405,8 +1405,9 @@ class KDCBaseTest(RawKerberosTest): kdc_options=kdc_options, preauth_key=preauth_key, ticket_decryption_key=ticket_decryption_key, -pac_request=True, +pac_request=pac_request, pac_options=pac_options, +expect_pac=expect_pac, to_rodc=to_rodc) self.check_as_reply(rep) 
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 3075cc6b0a9..9d846a2c3ad 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -23,15 +23,18 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +import samba.tests.krb5.kcrypto as kcrypto from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5,
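Review bot: In the get_tgt() signature in python/samba/tests/krb5/kdc_base_test.py, pac_request and expect_pac are inserted before fresh, so any existing caller that passes fresh positionally now sets pac_request instead. Appending the new parameters after fresh, or making them keyword-only, avoids that. Note also that cache_key gains pac_request but not expect_pac, so a cached TGT is returned without the PAC expectation being re-checked; a comment saying this is intended would help.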
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a7ad665e65f selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) via ce3d33f4c14 gitlab-ci: Do not download artifacts of unrelated builds via 1cdf8493b5a gitlab-ci: Do not retry for job_execution_timeout from 1d3e118f6f2 s3: smbspool. Remove last use of 'extern char **environ;'. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4 Author: Andrew Bartlett Date: Fri Oct 15 13:09:20 2021 +1300 selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) The previous commit was correct on intention, but it was not noticed as there is a race, that the incorrect rule was appended to. These links are removed by remove_plausible_deleted_DN_links not fix_all_old_dn_string_component_mismatch BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184 commit ce3d33f4c141afdfa3fbe9fe26835dc32ef95fe0 Author: Andrew Bartlett Date: Fri Oct 15 08:22:17 2021 +1300 gitlab-ci: Do not download artifacts of unrelated builds This needs: is overridden in many cases, but ensures none of the other main jobs start until this build finishes. However this also ensures we do not download artifacts from any build unless we specifically depend on it, saving bandwidth BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 1cdf8493b5a43a084b5004e5c2667b9dd9e31d91 Author: Andrew Bartlett Date: Thu Oct 14 20:24:49 2021 +1300 gitlab-ci: Do not retry for job_execution_timeout If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours). This is for when the job runs long for any reason, currently the reasons for a timeout are not transient, we need to either change the timeout or fix the system. Likewise if the tests get into a loop or deadlock we want to see that as a failure. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: .gitlab-ci-main.yml | 12 +++- testprogs/blackbox/dbcheck.sh | 4 ++-- 2 files changed, 13 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index d876923f9e7..f807eef41ce 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -97,6 +97,16 @@ include: key: ccache.${CI_JOB_NAME}.${SAMBA_CI_JOB_IMAGE}.${SAMBA_CI_FLAVOR} paths: - ccache + + # This is overridden in many cases, but ensures none of the other + # main jobs start until and unless this build finishes. However + # this also ensures we do not download artifacts from any build + # unless we specifically depend on it, saving bandwidth + + needs: +- job: samba-def-build + artifacts: false + before_script: - uname -a - lsb_release -a @@ -148,7 +158,6 @@ include: - api_failure - runner_unsupported - stale_schedule - - job_execution_timeout - archived_failure - scheduler_failure - data_integrity_failure @@ -177,6 +186,7 @@ others: .shared_template_build_only: extends: .shared_template timeout: 2h + needs: artifacts: expire_in: 1 week paths: diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh index e2ba987e2de..5462441005e 100755 --- a/testprogs/blackbox/dbcheck.sh +++ b/testprogs/blackbox/dbcheck.sh 
@@ -19,12 +19,12 @@ dbcheck() { # This list of attributes can be freely extended dbcheck_fix_one_way_links() { - $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent defaultObjectCategory fromServer rIDSetReferences msDS-RevealOnDemandGroup msDS-NeverRevealGroup" --cross-ncs $ARGS + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent defaultObjectCategory fromServer rIDSetReferences" --cross-ncs $ARGS } # This list of attributes can be freely extended dbcheck_fix_stale_links() { - $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations msDS-NC-RO-Replica-Locations" --cross-ncs $ARGS + $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations msDS-NC-RO-Replica-Locations msDS-Reveal
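Review bot: In .gitlab-ci-main.yml, .shared_template_build_only gains a bare "needs:" with no value, which only reads as "clear the inherited needs" to someone who already knows the template above sets samba-def-build. Writing it as an explicit empty list and adding a one-line comment would make the override unambiguous and protect it from being removed as a stray key.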
[SCM] Samba Shared Repository - branch master updated
Date: Wed Oct 13 09:46:07 2021 -0700 s3: smbspool. Remove last use of 'extern char **environ;'. This should come from lib/replace/replace.h to cope with system (MacOSX etc.) differences. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184 commit f6adfefbbb41b9100736134d0f975f1ec0c33c42 Author: Nicolas Williams Date: Sun Oct 10 21:55:59 2021 -0500 krb5: Fix PAC signature leak affecting KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Cherry-picked from Heimdal commit 54581d2d52443a9a07ed5980df331f660b397dcf] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 02fa69c6c73c01d82807be4370e838f3e7c66f35 Author: Joseph Sutton Date: Fri Oct 8 16:08:39 2021 +1300 s4:kdc: Check ticket signature BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3bdce12789af1e7a7aba56691f184625a432410d Author: Joseph Sutton Date: Fri Oct 8 15:43:41 2021 +1300 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function This lets us call it from Samba. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1 Author: Joseph Sutton Date: Wed Aug 11 13:27:11 2021 +1200 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a Author: Luke Howard Date: Thu Sep 23 17:51:51 2021 +1000 kdc: correctly generate PAC TGS signature When generating an AS-REQ, the TGS signature was incorrectly generated using the server key, which would fail to validate if the server was not also the TGS. Fix this. Patch from Isaac Bourkis . 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Backported from Heimdal commit e7863e2af922809dad25a2e948e98c408944d551 - Samba's Heimdal version does not have the generate_pac() helper function. - Samba's Heimdal version does not use the 'r' context variable. ] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 75d1a7cd14b134506061ed64ddb9b99856231d2c Author: Luke Howard Date: Thu Sep 23 14:39:35 2021 +1000 kdc: use ticket client name when signing PAC The principal in the PAC_LOGON_NAME buffer is expected to match the client name in the ticket. Previously we were setting this to the canonical client name, which would have broken PAC validation if the client did not request name canonicalization BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Backported from Heimdal commit 3b0856cab2b25624deb1f6e0e67637ba96a647ac - Renamed variable to avoid shadowing existing variable ] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit db30b71f79864a20b38a1f812a5df833f3a92de8 Author: Luke Howard Date: Sun Jan 6 17:54:58 2019 +1100 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Backported from Heimdal commit f1dd2b818aa0866960945edea02a6bc782ed697c - Removed change to _kdc_find_etype() use_strongest_session_key parameter since Samba's Heimdal version uses different logic ] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d6a472e953545ec3858ca969c1a4191e4f27ba63 Author: Luke Howard Date: Fri Sep 17 13:57:57 2021 +1000 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if the checksum is absent or unkeyed. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Cherry-picked from Heimdal commit c4b99b48c4b18f30d504b427bc1961d7a71f631e] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2773379603a5a625c5d1c6e62f29c442942ff570 Author: Isaac Boukris Date: Sun Sep 19 15:16:58 2021 +0300 krb5: rework PAC validation loop Avoid allocating the PAC on error. Closes: #836 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 [jsut...@samba.org Cherry-picked from Heimdal commit 6df8be5091363a1c9a9165465ab8292f817bec81] Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76 Author: Isaac Boukris Date: Sun Sep 19
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8ab0238abd1 .gitlab-ci: Avoid duplicate CI on all merge requests via bcc22d00569 .gitlab-ci.yml: Restore building most of our jobs from dd178d97250 .gitlab-ci: Increase build timeout https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8ab0238abd171f9a11b013fd185605e7d1722b27 Author: Andrew Bartlett Date: Thu Oct 14 08:51:21 2021 +1300 .gitlab-ci: Avoid duplicate CI on all merge requests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 14 01:21:11 UTC 2021 on sn-devel-184 commit bcc22d00569551cfa25851c8c267ec9decc63d21 Author: Andrew Bartlett Date: Thu Oct 14 08:11:49 2021 +1300 .gitlab-ci.yml: Restore building most of our jobs We are changing the primary build jobs to use "when" not "only". These are similar and related GitLab syntax tools to control when jobs are run. With 'when' now in use it must be specified on all jobs that inherit from each other via: .extends .shared_template "only" can be left however for the pages and coverity as these use: .extends .shared_runner_build_image BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- Summary of changes: .gitlab-ci-main.yml | 32 1 file changed, 24 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index a75305c7f5a..d876923f9e7 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -83,6 +83,13 @@ include: interruptible: true timeout: 2h + # Otherwise we run twice, once on push and once on MR + # https://forum.gitlab.com/t/new-rules-syntax-and-detached-pipelines/37292 + rules: +- if: $CI_MERGE_REQUEST_ID + when: never +- when: on_success + variables: AUTOBUILD_JOB_NAME: $CI_JOB_NAME stage: build 
@@ -353,13 +360,16 @@ samba-fips: .private_test_only: extends: .private_runner_test stage: test_private - only: -variables: + rules: + # See above, to avoid a duplicate CI on the MR (these rules override the others) +- if: $CI_MERGE_REQUEST_ID + when: never + # These jobs are only run if the gitlab repo has private runners available. # To enable private jobs, you must add the following var and value to # your gitlab repo by navigating to: # settings -> CI/CD -> Environment variables - - $SUPPORT_PRIVATE_TEST == "yes" +- if: $SUPPORT_PRIVATE_TEST == "yes" .needs_samba-def-build-private: extends: @@ -514,11 +524,14 @@ ubuntu1804-samba-o3: AUTOBUILD_JOB_NAME: samba-o3 SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804} SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage" - only: -variables: - # do not run o3 builds (which run a lot of VMs) if told not to - # (this uses the same variable as autobuild.py) - - $AUTOBUILD_SKIP_SAMBA_O3 == "0" + rules: +# See above, to avoid a duplicate CI on the MR (these rules override the others) +- if: $CI_MERGE_REQUEST_ID + when: never +# do not run o3 builds (which run a lot of VMs) if told not to +# (this uses the same variable as autobuild.py) +- if: $AUTOBUILD_SKIP_SAMBA_O3 == "1" + when: never # All other jobs do not want code coverage. .samba-o3-template: @@ -526,6 +539,9 @@ ubuntu1804-samba-o3: variables: AUTOBUILD_JOB_NAME: samba-o3 rules: +# See above, to avoid a duplicate CI on the MR (these rules override the others) +- if: $CI_MERGE_REQUEST_ID + when: never # do not run o3 builds (which run a lot of VMs) if told not to # (this uses the same variable as autobuild.py) - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1" -- Samba Shared Repository
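Review bot: in the ubuntu1804-samba-o3 hunk (@@ -514,11 +524,14) the new 'rules:' list holds only 'when: never' entries, one for '$CI_MERGE_REQUEST_ID' and one for '$AUTOBUILD_SKIP_SAMBA_O3 == "1"'. Under GitLab 'rules', a job that matches no rule is left out of the pipeline, so as written this job is never scheduled, whereas the 'only: variables' form it replaces ran it whenever the variable was "0". End the list with '- when: on_success', as the shared template hunk at @@ -83,6 +83,13 does, or with a positive 'if:' rule.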
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dd178d97250 .gitlab-ci: Increase build timeout via 7857e1249b7 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI from fc2347be4ed Fix detection of rpc/xdr.h on macOS https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dd178d97250e041b29aad9b26d2994163bd99231 Author: Joseph Sutton Date: Mon Oct 11 15:37:48 2021 +1300 .gitlab-ci: Increase build timeout While the build will not take > 1hr, uploading the artifacts needed to pass the build objects to the next stage can take some time due to the distance between the runners and the private CI server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861 Signed-off-by: Joseph Sutton Reviewed-by: Ralph Boehme Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Oct 13 12:00:03 UTC 2021 on sn-devel-184 commit 7857e1249b72be8c8841b99cb0820c9c563178f9 Author: Andrew Bartlett Date: Tue Oct 12 07:55:54 2021 +1300 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI GitLab CI resources are expensive and often rationed so provide a way to test other things without testing an -O3 build also, as this will save 9 jobs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861 Signed-off-by: Andrew Bartlett Reviewed-by: Ralph Boehme --- Summary of changes: .gitlab-ci-default.yml | 1 + .gitlab-ci-main.yml| 18 +- 2 files changed, 14 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-default.yml b/.gitlab-ci-default.yml index d0831017d9b..e6089183674 100644 --- a/.gitlab-ci-default.yml +++ b/.gitlab-ci-default.yml @@ -3,6 +3,7 @@ variables: # "--enable-coverage" or "" # See .gitlab-ci-coverage.yml SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "" + AUTOBUILD_SKIP_SAMBA_O3: "0" include: - /.gitlab-ci-default-runners.yml diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 052618db5c5..a75305c7f5a 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -169,7 +169,7 @@ others: .shared_template_build_only: extends: .shared_template - timeout: 1h + timeout: 2h artifacts: expire_in: 1 week paths: @@ -514,16 +514,24 @@ ubuntu1804-samba-o3: AUTOBUILD_JOB_NAME: samba-o3 SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804} SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage" + only: +variables: + # do not run o3 builds (which run a lot of VMs) if told not to + # (this uses the same variable as autobuild.py) + - $AUTOBUILD_SKIP_SAMBA_O3 == "0" # All other jobs do not want code coverage. .samba-o3-template: extends: .shared_template variables: AUTOBUILD_JOB_NAME: samba-o3 - only: -variables: - # do not run o3 for coverage since they are using different images - - $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == "" + rules: +# do not run o3 builds (which run a lot of VMs) if told not to +# (this uses the same variable as autobuild.py) +- if: $AUTOBUILD_SKIP_SAMBA_O3 == "1" + when: never +# do not run o3 for coverage since they are using different images +- if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == "" ubuntu2004-samba-o3: extends: .samba-o3-template -- Samba Shared Repository
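Review bot: the hunk at @@ -514,16 +514,24 expresses one skip switch in two different ways. ubuntu1804-samba-o3 gets 'only: variables: - $AUTOBUILD_SKIP_SAMBA_O3 == "0"', while .samba-o3-template gets the rule 'if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"' with 'when: never'. For any value other than "0" or "1" the two disagree: the coverage job is skipped and the template jobs still run. Use 'rules:' in both jobs with the same comparison, and state in the comment which values count as "skip".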
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3f4660900a7 selftest: test tsocket_address_inet_from_hostport_strings via 262148721ee selftest: add more tests for test_address_inet_from_strings via c26fcef50d0 WHATSNEW: document dns forwarder change via 2a098030977 libcli/dns.c: dns forwarder port test changes via 617a5a1d357 libcli/dns: smb.conf dns forwarder port support via f39a06de3be lib/tsocket: new function to parse host port strs. via 775939823a5 libcli/dns: dns forwarder port doc changes via 860d8902a9c pyldb: Make ldb.Message containment testing consistent with indexing via 865fe238599 pyldb: Add tests for ldb.Message containment testing via 22353767ca7 pyldb: Raise TypeError for an invalid ldb.Message index via b018e51d272 pyldb: Add test for an invalid ldb.Message index type via fb758c32e76 s4/torture/drs/python: Fix attribute existence check via 9d25a21d602 pyldb: Fix deleting an ldb.Control critical flag via b1adaa517c1 pytest:segfault: Add test for deleting an ldb.Control critical flag via d7af772de88 pyldb: Fix deleting an ldb.Message dn via 6a041f6a99c pytest:segfault: Add test for deleting an ldb.Message dn from 81e27693c62 mdssvc: Use ndr_policy_handle_empty() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3f4660900a71816df505c2e634eef86a86afcda3 Author: Uri Simchoni Date: Thu Sep 16 20:03:59 2021 +0300 selftest: test tsocket_address_inet_from_hostport_strings Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 28 10:34:12 UTC 2021 on sn-devel-184 commit 262148721ee6d794f7f2d1ad1b36e00a1401ec41 Author: Uri Simchoni Date: Thu Sep 16 20:03:02 2021 +0300 selftest: add more tests for test_address_inet_from_strings Test the case of NULL address as input Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit c26fcef50d09d3d70c646f3151dda265d4b0eb92 Author: Uri Simchoni Date: Thu Sep 16 10:11:46 2021 +0300 WHATSNEW: document dns forwarder change 
Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 2a098030977d7720436b7850fa731557eeb70bc2 Author: Matthew Grant Date: Sat Sep 18 10:05:24 2021 +1200 libcli/dns.c: dns forwarder port test changes Test harness for the dns forwarder setting in smb.conf. Adds IPv6 forwarder as second target DNS forwarder, listening on port 54. Signed-off-by: Matthew Grant Reviewed-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 617a5a1d3579b27de0e2b0736909ca83b7b3ee15 Author: Matthew Grant Date: Sat Sep 18 10:02:11 2021 +1200 libcli/dns: smb.conf dns forwarder port support Call new tsocket_address_inet_from_hostport_strings() instead of tsocket_address_inet_from_strings() to implement setting a port to query for a DNS forwarder. Signed-off-by: Matthew Grant Reviewed-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit f39a06de3bea9ec03a3e82c8892d9e572abd1163 Author: Matthew Grant Date: Sun Sep 19 17:41:42 2021 +1200 lib/tsocket: new function to parse host port strs. tsocket_address_inet_from_hostport_strings() on top of tsocket_address_inet_from_strings(), implementing the ability to parse a port number appended to an IPv6 or IPv4 address. IPv6 addresses can also optionally have square brackets around them, but these are needed to specify the port number as colon is used to delimit port from the IP address in the string. Note that this code just recognises and parses the strings with port given, or just IPv6 with square brackets. The rest of the parsing is passed on to tsocket_address_inet_from_strings(), and errors from there passed back up the stack. Signed-off-by: Matthew Grant Reviewed-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 775939823a5a956acc236c808d5aee78cbd9e132 Author: Matthew Grant Date: Sat Sep 18 09:57:26 2021 +1200 libcli/dns: dns forwarder port doc changes Documentation changes specifying how list entries for dns forwarder are to be specified with ability to add trailing target port number. 
Signed-off-by: Matthew Grant Reviewed-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 860d8902a9c502d4be83396598cf4a53c80fea69 Author: Joseph Sutton Date: Sat Sep 25 14:39:59 2021 +1200 pyldb: Make ldb.Message containment testing consistent with indexing Previously, containment testing using the 'in' operator was handled by performing an equality comparison between the chosen object and each of the message's keys in turn. This behaviour was prone to errors due to not considering differences in case between
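The host and port splitting that the lib/tsocket commit message above describes, sketched as an added example; this is not Samba's code. The names split_hostport() and parse_port() are hypothetical, and inet_pton() stands in for the final validation that the commit delegates to tsocket_address_inet_from_strings().

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Strict decimal port: digits only, range 1..65535. */
static int parse_port(const char *s, uint16_t *port)
{
	char *end = NULL;
	unsigned long v;

	/* strtoul() would accept "", " 53", "+53" and "-1"; refuse them here. */
	if (!isdigit((unsigned char)s[0])) {
		return -1;
	}
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno != 0 || *end != '\0' || v == 0 || v > 65535) {
		return -1;
	}
	*port = (uint16_t)v;
	return 0;
}

/*
 * Accepts "a.b.c.d", "a.b.c.d:port", "v6addr", "[v6addr]" and
 * "[v6addr]:port". Returns AF_INET or AF_INET6 and fills host/port,
 * or -1 on malformed input. Outputs are only written on success.
 */
int split_hostport(const char *in, uint16_t default_port,
		   char *host, size_t host_len, uint16_t *port)
{
	unsigned char addr[sizeof(struct in6_addr)];
	char tmp[INET6_ADDRSTRLEN];
	const char *h = in;
	const char *p = NULL;
	uint16_t found = default_port;
	size_t n;
	int family;

	if (in == NULL || host == NULL || port == NULL) {
		return -1;
	}
	if (in[0] == '[') {
		/* Bracketed form: the only way to attach a port to IPv6. */
		const char *close = strchr(in, ']');
		if (close == NULL) {
			return -1;
		}
		h = in + 1;
		n = (size_t)(close - h);
		if (close[1] == ':') {
			p = close + 2;
		} else if (close[1] != '\0') {
			return -1;	/* junk after ']' */
		}
		family = AF_INET6;
	} else {
		const char *first = strchr(in, ':');
		if (first != NULL && strchr(first + 1, ':') == NULL) {
			/* Exactly one colon: IPv4 followed by a port. */
			n = (size_t)(first - in);
			p = first + 1;
			family = AF_INET;
		} else {
			/* No colon (IPv4) or several (bare IPv6): no port. */
			n = strlen(in);
			family = (first != NULL) ? AF_INET6 : AF_INET;
		}
	}
	if (n == 0 || n >= sizeof(tmp) || n >= host_len) {
		return -1;
	}
	memcpy(tmp, h, n);
	tmp[n] = '\0';
	if (p != NULL && parse_port(p, &found) != 0) {
		return -1;
	}
	if (inet_pton(family, tmp, addr) != 1) {
		return -1;
	}
	memcpy(host, tmp, n + 1);
	*port = found;
	return family;
}

int main(void)
{
	/* Constructed sample inputs, documentation address ranges only. */
	const char *samples[] = { "192.0.2.1:54", "[2001:db8::1]:54",
				  "2001:db8::1:54", "[2001:db8::1" };
	char host[INET6_ADDRSTRLEN];
	uint16_t port;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int fam = split_hostport(samples[i], 53, host, sizeof(host), &port);
		if (fam < 0) {
			printf("%-20s rejected\n", samples[i]);
		} else {
			printf("%-20s host=%s port=%u\n", samples[i], host, (unsigned)port);
		}
	}
	return 0;
}
```

An unbracketed "2001:db8::1:54" is read as a complete IPv6 address on the default port, which is why the brackets are required before a port can follow an IPv6 address.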
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5b331443d06 tests/krb5: Add classes for testing invalid checksums via c0b81f0dd54 tests/krb5: Add method to determine if principal is krbtgt via ea7b550a500 tests/krb5: Verify checksums of tickets obtained from the KDC via 1458cd9065d tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest via 394e8db261b tests/krb5: Simplify account creation via f2f1f3a1e92 tests/krb5: Provide ticket enc-part key to tgs_req() via f9284d8517e tests/krb5: Fix checking for presence of authorization data via 9d01043042f tests/krb5: Add method to get DC credentials via 38b4b334caf tests/krb5: Allow tgs_req() to check the returned ticket enc-part via 054ec1a8cc4 tests/krb5: Set key version number for all accounts created with create_account() via 14cd933a9d6 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES via b6eaf2cf44f tests/krb5: Get supported enctypes for credentials from database via 432eba9e098 tests/krb5: Add methods to convert between enctypes and bitfields via 7cedd383bcc tests/krb5: Make get_default_enctypes() return a set of enctype constants via 4c67a53cdca tests/krb5: Simplify adding authdata to ticket by using modified_ticket() via 1fcde7cb6ce tests/krb5: Add method for modifying a ticket and creating PAC checksums via 12b5e72a35d tests/krb5: Add method to verify ticket PAC checksums from 702ebb3d8c8 registry: skip root check when running with uid-wrapper enabled https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5b331443d0698256ee7fcc040a1ab8137efe925d Author: Joseph Sutton Date: Mon Sep 20 15:10:35 2021 +1200 tests/krb5: Add classes for testing invalid checksums BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184 commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8 Author: Joseph Sutton Date: Mon Sep 20 15:06:18 2021 +1200 tests/krb5: Add method 
to determine if principal is krbtgt BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ea7b550a500d9e458498d37688b67dafd3d9509d Author: Joseph Sutton Date: Mon Sep 20 14:10:07 2021 +1200 tests/krb5: Verify checksums of tickets obtained from the KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1458cd9065de34c42bd5ec63feb2f66c25103982 Author: Joseph Sutton Date: Tue Sep 21 13:54:47 2021 +1200 tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 394e8db261b10d130c5e5730989bf68f9bf4f85f Author: Joseph Sutton Date: Mon Sep 20 14:05:58 2021 +1200 tests/krb5: Simplify account creation BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c Author: Joseph Sutton Date: Wed Sep 22 11:41:45 2021 +1200 tests/krb5: Provide ticket enc-part key to tgs_req() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f9284d8517edd9ffd96f0c24166a16366f97de8f Author: Joseph Sutton Date: Mon Sep 20 14:08:16 2021 +1200 tests/krb5: Fix checking for presence of authorization data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239 Author: Joseph Sutton Date: Mon Sep 20 13:58:09 2021 +1200 tests/krb5: Add method to get DC credentials BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 38b4b334caf1b32f1479db3ada48b2028946f5e6 Author: Joseph Sutton Date: Mon Sep 20 13:59:24 2021 +1200 tests/krb5: Allow tgs_req() to check the returned ticket enc-part BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655 Author: Joseph Sutton Date: Mon Sep 20 13:54:39 2021 +1200 tests/krb5: Set key version number for all accounts created with create_account() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 14cd933a9d6af08deb680c9f688b166138d45ed9 Author: Joseph
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ec95b3042bf tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures via a562882b151 tests/krb5: Add methods for creating zeroed checksums and verifying checksums via 419e4061ced tests/krb5: Cache obtained tickets via 6193f7433b1 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds via 59c1043be25 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test via 035a8f19855 tests/krb5: Allow get_tgt() to specify expected and unexpected flags via 4ecfa82e71b tests/krb5: Allow get_tgt() to specify different kdc-options via 2d69805b1e3 tests/krb5: Allow get_tgt() to get tickets from the RODC via 5d3a135c232 tests/krb5: Allow get_service_ticket() to get tickets from the RODC via 7645dfa5bed tests/krb5: Set DN of created accounts to ldb.Dn type via c226029655c tests/krb5: Don't manually create PAC request and options in fast_tests via 3504e99dc5b tests/krb5: Use PAC buffer type constants from krb5pac.idl via a5e62d681d8 tests/krb5: Allow as_req() to specify different kdc-options via 6403a09d94a tests/krb5: Allow tgs_req() to send requests to the RODC via 1a3426da544 tests/krb5: Allow tgs_req() to specify different kdc-options via 1f0654b8fac tests/krb5: Allow tgs_req() to send additional padata via 2a4d53dc12a tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange via 0061fa2c2a2 tests/krb5: Check correct flags element via a281ae09bcf tests/krb5: Add helper method for modifying PACs via b81f6f3d714 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable) via 21a77173590 python/join: Check for correct msDS-KrbTgtLink attribute via cde38d36b98 python: Don't leak file handles from 9a24d8e491f lib:cmdline: fix a comment https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ec95b3042bf2649c0600cafb12818c27242b5098 Author: Joseph Sutton Date: Thu Sep 16 17:20:22 2021 +1200 tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures 
Signatures created by an RODC have an RODCIdentifier appended to them identifying the RODC's krbtgt account. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184 commit a562882b15125902c5d89f094b8c9b1150f5d010 Author: Joseph Sutton Date: Thu Sep 16 16:54:57 2021 +1200 tests/krb5: Add methods for creating zeroed checksums and verifying checksums Creating a zeroed checksum is needed for signing a PAC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 419e4061ced466ec7e5e23f815823b540ef4751c Author: Joseph Sutton Date: Tue Sep 21 11:51:20 2021 +1200 tests/krb5: Cache obtained tickets Now tickets obtained with get_tgt() and get_service_ticket() make use of a cache so they can be reused, unless the 'fresh' parameter is specified as true. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 6193f7433b15579aa32b26a146287923c9d3844d Author: Joseph Sutton Date: Tue Sep 21 11:51:05 2021 +1200 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds The encpart is already contained in ticket_creds, so it no longer needs to be returned as a separate value. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 59c1043be25b92db75ab5676601cb15426ef37a3 Author: Joseph Sutton Date: Thu Sep 16 13:24:46 2021 +1200 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce Author: Joseph Sutton Date: Thu Sep 16 13:14:45 2021 +1200 tests/krb5: Allow get_tgt() to specify expected and unexpected flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Isaac Boukris Reviewed-by: Andrew Bartlett commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3 Author: Joseph Sutton Date: Thu Sep 16 13:14:06 2021 +1200 tests/krb5: Allow get_tgt() to specify different kdc-options BUG: https://bugzilla.samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d12cb47724c selftest: Update user_account_control tests to pass against Windows 2019 via 35292bd3222 tests/krb5: Allow replicating accounts to the created RODC via ef5666bc51c tests/krb5: Create RODC account for testing via 3cc9e77f38f tests/krb5: Allow replicating accounts to the RODC via af633992e31 tests/krb5: Add get_secrets() method to get the secret attributes of a DN via a5bf7aad54b tests/krb5: Add method to get RODC krbtgt credentials via 7bc52cecb44 tests/krb5: Sign-extend kvno from 32-bit integer via 19a2af02f57 pyldb: Avoid use-after-free in msg_diff() via c2bbe774ce0 ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL via a99a76722d6 pytest:segfault: Add test for ldb.msg_diff() via 943079fd94f tests/krb5: Generate padata for FAST tests via c9fd8ffd892 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing via 0e99382d73f tests/krb5: Get encpart decryption key from kdc_exchange_dict via a5186f92803 tests/krb5: Get expected cname from TGT for TGS-REQ messages via 4ba5e82ae53 tests/krb5: Allow specifying status code to be checked from d40f57321a1 WHATSNEW: Document changes for "kernel share modes" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d12cb47724c2e8d19a28286d4c3ef72271a002fd Author: Andrew Bartlett Date: Mon Aug 30 18:17:47 2021 +1200 selftest: Update user_account_control tests to pass against Windows 2019 This gets us closer to passing against Windows 2019, without making major changes to what was tested. More tests are needed, but it is important to get what was being tested tested again. Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT) are now required on all objects, this can't be omitted any more. Also for UF_NORMAL_ACCOUNT for these accounts without a password set |UF_PASSWD_NOTREQD must be included. 
Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184 commit 35292bd32225b39ad7a03c3aa53027458f0671eb Author: Joseph Sutton Date: Mon Sep 13 21:24:31 2021 +1200 tests/krb5: Allow replicating accounts to the created RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit ef5666bc51ca80e1acdadd525a9c61762756c8e3 Author: Joseph Sutton Date: Mon Sep 13 21:24:05 2021 +1200 tests/krb5: Create RODC account for testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac Author: Joseph Sutton Date: Mon Sep 13 22:13:24 2021 +1200 tests/krb5: Allow replicating accounts to the RODC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit af633992e31e839cdd7f77740c1f25d129be2f79 Author: Joseph Sutton Date: Mon Sep 13 20:58:01 2021 +1200 tests/krb5: Add get_secrets() method to get the secret attributes of a DN BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21 Author: Joseph Sutton Date: Mon Sep 13 20:20:23 2021 +1200 tests/krb5: Add method to get RODC krbtgt credentials BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540 Author: Joseph Sutton Date: Mon Sep 13 21:14:18 2021 +1200 tests/krb5: Sign-extend kvno from 32-bit integer This helps to avoid problems with RODC kvnos that have the high bit set. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700 Author: Joseph Sutton Date: Mon Sep 13 11:15:17 2021 +1200 pyldb: Avoid use-after-free in msg_diff() Make a deep copy of the message elements in msg_diff() so that if either of the input messages are deallocated early, the result does not refer to non-existing elements. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836 Signed-off-by: Joseph Sutton Reviewed-by: Andre
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 01378a52a1c tests/krb5: Create testing accounts in appropriate containers via c3b74629027 tests/krb5: Check for presence of 'key-expiration' element via d3106a8d352 tests/krb5: Check 'caddr' element via 9cba5f9a1b0 tests/krb5: Check for presence of 'renew-till' element via 0afb548a0a3 tests/krb5: Allow Kerberos requests to be sent to DC or RODC via 1974b872fb5 tests/krb5: Make time assertion less strict via 85ddfc1afcf tests/krb5: Allow specifying ticket flags expected to be set or reset via 571265257f3 tests/krb5: Remove magic constants via 7556a4dfa64 tests/krb5: Don't create PAC request or options manually in fast_tests via bc21ba25920 tests/krb5: Don't create PAC request manually in as_req_tests via c0db1ba54d2 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS via 1f23b16ef3a tests/krb5: Move padata generation methods to base class via 9973b51e48a tests/krb5: Keep track of account DN in credentials object via 9aa90085744 tests/krb5: Allow specifying additional User Account Control flags for account via 7aae0e9b100 tests/krb5: Allow specifying an OU to create accounts in via bf55786fcd9 tests/krb5: Replace expected_cname_private with expected_anon parameter via 3fd73b65a3d tests/krb5: Use more compact dict lookup via 08086c43987 tests/krb5: Add KDCOptions flag for constrained delegation via 448b661bf88 tests/krb5: Use signed integers to represent key version numbers in ASN.1 via 9924dd97618 tests/krb5: Add methods to obtain the length of checksum types via c6badf818e9 tests/krb5: Calculate expected salt if not given explicitly via 0092b4a3ed5 security.idl: Add well-known SIDs for FAST via ff2f38fae79 krb5pac.idl: Add ticket checksum PAC buffer type from 95d8cdf0c36 tsocket: set errno on some failures of tsocket_address_inet_from_strings https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 01378a52a1cf0b6855492673455013d5719be45b Author: Joseph Sutton Date: Fri Sep 
3 09:18:32 2021 +1200 tests/krb5: Create testing accounts in appropriate containers Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184 commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94 Author: Joseph Sutton Date: Wed Sep 1 19:47:27 2021 +1200 tests/krb5: Check for presence of 'key-expiration' element Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit d3106a8d35225e826d548d3bea0d42edc3998c38 Author: Joseph Sutton Date: Wed Sep 1 19:45:57 2021 +1200 tests/krb5: Check 'caddr' element Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64 Author: Joseph Sutton Date: Wed Sep 1 19:43:41 2021 +1200 tests/krb5: Check for presence of 'renew-till' element Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 0afb548a0a3221730c4a81d51bc31e99ec90e334 Author: Joseph Sutton Date: Wed Sep 1 19:34:20 2021 +1200 tests/krb5: Allow Kerberos requests to be sent to DC or RODC If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER' refer to the hostnames of the DC and RODC respectively, and this commit allows either one of them to be used as the KDC for Kerberos exchanges. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 1974b872fb5a7da052305d01e2f1efc8d0637078 Author: Joseph Sutton Date: Wed Sep 1 19:15:17 2021 +1200 tests/krb5: Make time assertion less strict This assertion could fail if there was a time difference between the KDC and the client. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 85ddfc1afcf21797dab15431a5f375444c4d316e Author: Joseph Sutton Date: Wed Sep 1 19:13:11 2021 +1200 tests/krb5: Allow specifying ticket flags expected to be set or reset Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b Author: Joseph Sutton Date: Wed Sep 1 17:46:02 2021 +1200 tests/krb5: Remove magic constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7 Author: Joseph Sutton Date: Thu Sep 2 14:38:33 2021 +1200 tests/krb5: Don't create PAC request or options manually
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image via 4f300d672a8 fuzzing/oss-fuzz: strip RUNPATH from dependencies via f94b1d3b31f fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04 via 541f9ee5ab6 fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era via e608dcd2d67 configure: allow configure script to accept parameters with spaces via 2fe8d3eeac4 fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04 from 18e08c70900 docs: Avoid duplicate information on USER and PASSWD, reference the common section https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4366c3bb71fe9c083dedeae8798547b64a64d2b4 Author: Uri Simchoni Date: Tue Sep 7 18:39:12 2021 +0300 gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365 Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 9 01:45:09 UTC 2021 on sn-devel-184 commit 4f300d672a8ef1820e68bc82833de4f5d4c0996e Author: Uri Simchoni Date: Mon Sep 6 22:55:55 2021 +0300 fuzzing/oss-fuzz: strip RUNPATH from dependencies Strip all RUNPATH headers from all dependency shared objects that we copy to the fuzzing target, as those libraries aren't placed in their original place. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit f94b1d3b31f2fb5bdbfce7b5f79d80f098b91975 Author: Uri Simchoni Date: Sat Sep 4 10:30:56 2021 +0300 fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04 Add a linker flag to generate fuzzer binaries with an RPATH header instead of RUNPATH. 
Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 541f9ee5ab66b41a2a8d9c54183b095ad99f3769 Author: Uri Simchoni Date: Sat Sep 4 10:11:58 2021 +0300 fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era Remove what appears to be a copy+paste error in one place, and explain that RPATH/RUNPATH is set by the linker, not by chrpath utility. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit e608dcd2d6736505022d0f9d1e008333bb70f1af Author: Uri Simchoni Date: Sat Sep 4 11:01:56 2021 +0300 configure: allow configure script to accept parameters with spaces Specifically this enables passing two linker flags to the --fuzz-target-ldflags configure argument. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 2fe8d3eeac4cddedfeac936ce785c2c6f12d86ef Author: Uri Simchoni Date: Fri Sep 3 18:46:17 2021 + fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04 Update the build_image.sh script to install Ubuntu 20.04 packages instead of Ubuntu 16.04 on the oss-fuzz container - this will allow the oss-fuzz container to be based on Ubuntu 20.04. REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365 Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett --- Summary of changes: .gitlab-ci-main.yml | 2 +- configure | 2 +- lib/fuzzing/oss-fuzz/build_image.sh | 2 +- lib/fuzzing/oss-fuzz/check_build.sh | 3 +-- lib/fuzzing/oss-fuzz/do_build.sh| 33 +++-- 5 files changed, 27 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 4b2f17938c8..a6c362931da 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -323,7 +323,7 @@ samba-libs: samba-fuzz: extends: .shared_template variables: -SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1604} +SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004} ctdb: extends: .shared_template diff --git a/configure b/configure index 2b0ffb0dae1..a6ca50feb47 100755 --- a/configure +++ b/configure 
@@ -13,5 +13,5 @@ export JOBS unset LD_PRELOAD cd . || exit 1 -$PYTHON $WAF configure $@ || exit 1 +$PYTHON $WAF configure "$@" || exit 1 cd $PREVPATH diff --git a/lib/fuzzing/oss-fuzz/build_image.sh b/lib/fuzzing/oss-fuzz/build_image.sh index 5df07dc43be..5d5e27e716d 100755 --- a/lib/fuzzing/oss-fuzz/build_image.sh +++ b/lib/fuzzing/oss-fuzz/build_image.sh @@ -1,6 +1,6 @@ #!/bin/sh -e -DIST=ubuntu1604 +DIST=ubuntu2004 SCRIPT_DIR=`dirname $0` $SCRIPT_DIR/../../../bootstrap/generated-dists/$DIST/bootstrap.sh diff --git a/lib/fuzzing/oss-fuzz/check_build.sh b/lib/fuzzing/oss-fuzz/check_build.sh index 501c2c813fc..98b83a81bbf 100755 --- a/lib/fuzzing/oss-fuzz/check_build.sh +++ b/lib/fuzzing/oss-fuzz/check_build.s
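Review bot: in the configure hunk, quoting "$@" fixes the splitting of arguments, but the unchanged neighbours on the same lines are still unquoted: '$WAF' in the waf invocation and 'cd $PREVPATH' will split on whitespace if either value contains a space. Since the stated aim is to accept parameters with spaces, quote "$WAF" and "$PREVPATH" in the same change, and give the final 'cd' the same '|| exit 1' check that 'cd .' has.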
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 59ed0992854 third_party: Update waf to version 2.0.22 via e41bc0f43f6 third_party: Add a script to update waf from d0f6d54354b winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 59ed09928541d40df72592419247add608a54aca Author: Andreas Schneider Date: Wed Aug 25 15:34:58 2021 +0200 third_party: Update waf to version 2.0.22 New in waf 2.0.22 * Fix stdin propagation with faulty vcvarsall scripts #2315 * Enable mixing Unix-style paths with destdir on Windows platforms #2337 * Fix shell escaping unit test parameters #2314 * Improve extras/clang_compilation_database and extras/swig compatibility #2336 * Propagate C++ flags to the Cuda compiler in extras/cuda #2311 * Fix detection of Qt 5.0.0 (preparation for Qt6) #2331 * Enable Haxe processing #2308 * Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330 * Fix extras/wafcache concurrent trimming issues #2312 * Fix extras/wafcache symlink handling #2327 The import was done like this: ./third_party/waf/update.sh Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py by hand. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andreas Schneider Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 2 21:22:17 UTC 2021 on sn-devel-184 commit e41bc0f43f6d86d554f37881263c43c356994726 Author: Andreas Schneider Date: Thu Aug 26 14:52:14 2021 +0200 third_party: Add a script to update waf ./third_party/waf/update.sh 
Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: buildtools/bin/waf | 2 +- buildtools/wafsamba/wafsamba.py| 2 +- third_party/update.sh | 5 - third_party/waf/update.sh | 79 + third_party/waf/waflib/Build.py| 4 +- third_party/waf/waflib/Context.py | 6 +- third_party/waf/waflib/Tools/msvc.py | 2 +- third_party/waf/waflib/Tools/python.py | 2 +- third_party/waf/waflib/Tools/qt5.py| 6 +- third_party/waf/waflib/Tools/waf_unit_test.py | 2 +- third_party/waf/waflib/Utils.py| 15 ++- .../waflib/extras/clang_compilation_database.py| 28 +++-- third_party/waf/waflib/extras/haxe.py | 131 + third_party/waf/waflib/extras/wafcache.py | 59 -- 14 files changed, 294 insertions(+), 49 deletions(-) create mode 100755 third_party/waf/update.sh create mode 100644 third_party/waf/waflib/extras/haxe.py Changeset truncated at 500 lines: diff --git a/buildtools/bin/waf b/buildtools/bin/waf index 041450fc131..b0ccb09a877 100755 --- a/buildtools/bin/waf +++ b/buildtools/bin/waf @@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE. import os, sys, inspect -VERSION="2.0.21" +VERSION="2.0.22" REVISION="x" GIT="x" INSTALL="x" diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index 4fe9daf160e..dee007bf84e 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -38,7 +38,7 @@ LIB_PATH="shared" os.environ['PYTHONUNBUFFERED'] = '1' -if Context.HEXVERSION not in (0x2001500,): +if Context.HEXVERSION not in (0x2001600,): Logs.error(''' Please use the version of waf that comes with Samba, not a system installed version. See http://wiki.samba.org/index.php/Waf diff --git a/third_party/update.sh b/third_party/update.sh index a510e8a7042..29456991874 100755 --- a/third_party/update.sh +++ b/third_party/update.sh 
@@ -23,9 +23,4 @@ hg clone https://bitbucket.org/micktwomey/pyiso8601 "$WORKDIR/pyiso8601" rm -rf "$WORKDIR/pyiso8601/.hg" rsync -avz --delete "$WORKDIR/pyiso8601/" "$THIRD_PARTY_DIR/pyiso8601/" -echo "Updating waf..." -git clone git://git.samba.org/third_party/waf.waf15/ "$WORKDIR/waf" -rm -rf "$WORKDIR/waf/.git" -rsync -C -avz --delete "$WORKDIR/waf/" "$THIRD_PARTY_DIR/waf/" - rm -rf "$WORKDIR" diff --git a/third_party/waf/update.sh b/third_party/waf/update.sh new file mode 100755 index 000..16bda84a3f0 --- /dev/null +++ b/third_party/waf/update.sh @@ -0,0 +1,79 @@ +#!/bin/bash + +if [[ $# -lt 1 ]]; then +echo "Usage: update.sh VERSION" +exit 1 +fi + +WAF_VERSION="${1}" +WAF_GIT="https:
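Review bot: The waf version is now pinned in two hand-edited places, VERSION="2.0.22" in buildtools/bin/waf and the HEXVERSION tuple (0x2001600,) in buildtools/wafsamba/wafsamba.py, and the commit message confirms both were changed by hand after running update.sh. Since the HEXVERSION test is the guard that rejects a system-installed waf, have third_party/waf/update.sh rewrite or at least verify both values, so an import cannot land with the guard still naming the previous release.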
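Review bot: In the new third_party/waf/update.sh the only input check in the visible lines is [[ $# -lt 1 ]], so any string is accepted as VERSION and copied into WAF_VERSION. That value selects which upstream release is imported into third_party, so reject anything that does not look like a release number, for example with [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]], and send the usage text to stderr. The block removed from third_party/update.sh cloned over git://, which is neither authenticated nor encrypted; the commit message could say that the replacement fetches over https.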
[SCM] Samba Shared Repository - branch master updated
via 67ff72395ce tests/krb5: Fix including enc-authorization-data via a2b183c179e tests/krb5: Remove magic constants via 41c3e410344 tests/krb5: Simplify Python syntax via 38b3a361819 tests/krb5: Use more compact dict lookup via 1320ac0f91a tests/krb5: Remove unneeded statements via df6623363a7 tests/krb5: formatting via 7013a8edd1f tests/krb5: Fix method name typo via 9eb4c4b7b1c tests/krb5: Fix comment typo via 4797ced8909 tests/krb5: Fix ms_kile_client_principal_lookup_test errors via 6818d204897 pygensec: Don't modify Python bytes objects via 814df05f8c1 pygensec: Fix memory leaks from 4809f4a6ee9 registry: check for running as root in clustering mode https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854 Author: Joseph Sutton Date: Thu Jul 29 10:58:44 2021 +1200 tests/krb5: Add FAST tests Example command: SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \ KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184 commit b7b62957bdce9929fabd3812b9378bdbd6c12966 Author: Gary Lockyer Date: Thu Jun 10 09:56:58 2021 +1200 initial FAST tests Currently incomplete, and tested only against MIT Kerberos. [abart...@samba.org Originally "WIP inital FAST tests" Samba's general policy that we don't push WIP patches, we polish into a 'perfect' patch stream. However, I think there are good reasons to keep this patch distinct in this particular case. Gary is being modest in titling this WIP (now removed from the title to avoid confusion). They are not WIP in the normal sense of partially or untested code or random unfinished thoughts. 
The primary issue is that at that point where Gary had to finish up he had trouble getting FAST support enabled on Windows, so couldn't test against our standard reference. They are instead good, working initial tests written against the RFC and tested against Samba's AD DC in the mode backed by MIT Kerberos. This preserves clear authorship for the two distinct bodies of work, as in the next patch Joseph was able to extend and improve the tests significantly. ] Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit aa2c221f4e1bfc3403de857e62eaeaee1577560c Author: Joseph Sutton Date: Tue Jul 27 14:49:58 2021 +1200 tests/krb5: Check PADATA-FX-ERROR in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 66e1eb58bedf036ad25a868993d44480c4e0e055 Author: Joseph Sutton Date: Thu Jul 29 11:50:16 2021 +1200 tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07 Author: Joseph Sutton Date: Tue Jul 27 14:50:20 2021 +1200 tests/krb5: Check PADATA-PAC-OPTIONS in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 29070e74baa18d94642efcd36930b9bab216e10c Author: Joseph Sutton Date: Tue Jul 27 16:29:39 2021 +1200 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit ab4e7028a6ac01eab9531c8a26507a912df54278 Author: Joseph Sutton Date: Wed Jul 28 20:49:25 2021 +1200 tests/krb5: Make check_rep_padata() also work for checking TGS replies Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7 Author: Joseph Sutton Date: Tue Jul 27 14:49:12 2021 +1200 tests/krb5: Check PADATA-FX-COOKIE in reply 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd Author: Joseph Sutton Date: Tue Jul 27 14:36:56 2021 +1200 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Andreas Schneider commit 44a44109db96eab08a3da3683c34446bc13b295b Author: Joseph Sutton Date: Tue Jul 27 16:42:26 2021 +1200 tests/krb5: Adjust re
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 000f389d09e gitlab: Use shorter names for Samba AD DC env with MIT KRB5 via aab5cc95e22 s3:winbindd: Add a check for the path length of 'winbindd socket directory' from e2962b4262f configure: Do not put arguments into double quotes https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 000f389d09ec9e9906d5e2a0aa317c471c5f5b96 Author: Andreas Schneider Date: Tue Aug 3 13:20:40 2021 +0200 gitlab: Use shorter names for Samba AD DC env with MIT KRB5 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Aug 3 20:35:49 UTC 2021 on sn-devel-184 commit aab5cc95e224fef0efafeb1c37a4eb414aee65a0 Author: Andreas Schneider Date: Tue Aug 3 11:04:37 2021 +0200 s3:winbindd: Add a check for the path length of 'winbindd socket directory' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- Summary of changes: .gitlab-ci-main.yml | 12 ++-- script/autobuild.py | 6 +++--- source3/winbindd/winbindd.c | 25 + 3 files changed, 34 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 9ea3a3f5606..657b28e274f 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -331,10 +331,10 @@ samba-ad-dc-ntvfs: samba-admem-mit: extends: .needs_samba-mit-build -samba-ad-dc-4a-mitkrb5: +samba-addc-mit-4a: extends: .needs_samba-mit-build -samba-ad-dc-4b-mitkrb5: +samba-addc-mit-4b: extends: .needs_samba-mit-build # This task is run first to ensure we compile before we start the @@ -389,7 +389,7 @@ samba-ad-dc-1: samba-nt4: extends: .needs_samba-nt4-build-private -samba-ad-dc-1-mitkrb5: +samba-addc-mit-1: extends: .needs_samba-mit-build-private samba-no-opath1: 
@@ -421,15 +421,15 @@ pages: - samba-ctdb - samba-ad-dc-ntvfs - samba-admem-mit -- samba-ad-dc-4a-mitkrb5 -- samba-ad-dc-4b-mitkrb5 +- samba-addc-mit-4a +- samba-addc-mit-4b - samba-ad-back1 - samba-ad-back2 - samba-fileserver - samba-ad-dc-1 - samba-nt4 - samba-schemaupgrade -- samba-ad-dc-1-mitkrb5 +- samba-addc-mit-1 - samba-fips - samba-no-opath1 - samba-no-opath2 diff --git a/script/autobuild.py b/script/autobuild.py index 7ec3073f67e..efecaf41d74 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -659,7 +659,7 @@ tasks = { ], }, -"samba-ad-dc-1-mitkrb5": { +"samba-addc-mit-1": { "dependency": "samba-mit-build", "sequence": [ ("random-sleep", random_sleep(1, 1)), @@ -675,7 +675,7 @@ tasks = { ], }, -"samba-ad-dc-4a-mitkrb5": { +"samba-addc-mit-4a": { "dependency": "samba-mit-build", "sequence": [ ("random-sleep", random_sleep(1, 1)), @@ -688,7 +688,7 @@ tasks = { ("check-clean-tree", CLEAN_SOURCE_TREE_CMD), ], }, -"samba-ad-dc-4b-mitkrb5": { +"samba-addc-mit-4b": { "dependency": "samba-mit-build", "sequence": [ ("random-sleep", random_sleep(1, 1)), diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 4f367d07ecb..89e62b43ca0 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1658,6 +1658,7 @@ int main(int argc, const char **argv) bool ok; const struct dcesrv_endpoint_server *ep_server = NULL; struct dcesrv_context *dce_ctx = NULL; + size_t winbindd_socket_dir_len = 0; setproctitle_init(argc, discard_const(argv), environ); 
@@ -1810,6 +1811,30 @@ int main(int argc, const char **argv) } } + winbindd_socket_dir_len = strlen(lp_winbindd_socket_directory()); + if (winbindd_socket_dir_len > 0) { + size_t winbindd_socket_len = + winbindd_socket_dir_len + 1 + + strlen(WINBINDD_SOCKET_NAME); + struct sockaddr_un un = { + .sun_family = AF_UNIX, + }; + size_t sun_path_len = sizeof(un.sun_path); + + if (winbindd_socket_len >= sun_path_len) { + DBG_ERR("The winbind socket path [%s/%s] is too long " + "(%zu >= %zu)\n", + l
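Review bot: The length check added to main() in source3/winbindd/winbindd.c recomputes the socket path length by hand as winbindd_socket_dir_len + 1 + strlen(WINBINDD_SOCKET_NAME), separately from the code that actually joins the directory and the socket name, so the two can drift apart. Add a short comment stating that the sum is directory, "/" and name, and that >= is used to leave room for the terminating NUL in sun_path. The struct sockaddr_un un variable exists only for sizeof(un.sun_path) and can be replaced by a sizeof on the type, and the check is skipped entirely when the configured directory is an empty string, which needs either its own error or a comment saying why that case is acceptable.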
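Review bot: The job rename has to be repeated in three places, the job definitions and the list under pages: in .gitlab-ci-main.yml and the tasks dict in script/autobuild.py, and nothing in the hunks says why the names have to stay short. The commit message only cites bug 14779, the same bug cited by the socket path length check; if name length is the constraint, record it in a comment beside the samba-addc-mit-* entries so a later rename does not bring the long names back.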
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 7c3bb491baf testprogs: Consistantly use kinit -c $KRB5CCNAME
via 0388a8f33bd gensec_krb5: restore ipv6 support for kpasswd
from fc267567a07 printing: avoid crash in LPRng_time

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7c3bb491baf7d6f10760fb42b34a990e3806df9c
Author: Stefan Metzmacher
Date: Fri Apr 3 16:29:36 2020 +0200

testprogs: Consistantly use kinit -c $KRB5CCNAME

We want to be really clear which credentials cache we use. The kerberos_kinit() shell function uses this internally.

-c is the common option between MIT and Heimdal, and is equivalent to --cache

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Mon Jul 5 23:51:43 UTC 2021 on sn-devel-184

commit 0388a8f33bdde49f1cc805a0291859203c1a52b4
Author: Stefan Metzmacher
Date: Fri Jul 2 09:37:25 2021 +0200

gensec_krb5: restore ipv6 support for kpasswd

We need to offer as much space as we have in order to get the address out of tsocket_address_bsd_sockaddr().

This fixes a regression in commit 43c808f2ff907497dfff0988ff90a48fdcfc16ef.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: source4/auth/gensec/gensec_krb5.c| 6 -- testprogs/blackbox/common_test_fns.inc | 2 +- testprogs/blackbox/test_chgdcpass.sh | 5 +++-- testprogs/blackbox/test_export_keytab_heimdal.sh | 8 ++-- testprogs/blackbox/test_kinit_heimdal.sh | 7 +-- testprogs/blackbox/test_kinit_trusts_heimdal.sh | 7 --- testprogs/blackbox/test_kpasswd_heimdal.sh | 3 +-- testprogs/blackbox/test_ktpass.sh| 5 +++-- testprogs/blackbox/test_net_ads_dns.sh | 8 testprogs/blackbox/test_password_settings.sh | 7 +-- testprogs/blackbox/test_pkinit_heimdal.sh| 5 +++-- testprogs/blackbox/test_pkinit_pac_heimdal.sh| 11 --- testprogs/blackbox/test_s4u_heimdal.sh | 5 +++-- testprogs/blackbox/test_samba_upgradedns.sh | 4 testprogs/blackbox/test_trust_user_account.sh| 5 +++-- 15 files changed, 41 insertions(+), 47 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 45abbb97b6b..7d87b3ac6b9 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -149,8 +149,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool struct samba_sockaddr addr; bool ok; + addr.sa_socklen = sizeof(addr.u); sockaddr_ret = tsocket_address_bsd_sockaddr( - tlocal_addr, , sizeof(addr.u.sa)); + tlocal_addr, , addr.sa_socklen); if (sockaddr_ret < 0) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; @@ -170,8 +171,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool struct samba_sockaddr addr; bool ok; + addr.sa_socklen = sizeof(addr.u); sockaddr_ret = tsocket_address_bsd_sockaddr( - tremote_addr, , sizeof(addr.u.sa)); + tremote_addr, , addr.sa_socklen); if (sockaddr_ret < 0) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; 
diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc index 7b421e9eb08..1c988f439a7 100755 --- a/testprogs/blackbox/common_test_fns.inc +++ b/testprogs/blackbox/common_test_fns.inc @@ -98,7 +98,7 @@ kerberos_kinit() { if [ "${kbase}" = "samba4kinit" ]; then kpassfile=$(mktemp) echo $password > ${kpassfile} - $kinit_tool --password-file=${kpassfile} $principal $@ + $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $principal $@ status=$? rm -f ${kpassfile} else diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh index 54137b980ca..d7d1d030c19 100755 --- a/testprogs/blackbox/test_chgdcpass.sh +++ b/testprogs/blackbox/test_chgdcpass.sh @@ -24,11 +24,11 @@ failed=0 samba4bindir="$BINDIR" samba4srcdir="$SRCDIR/source4" -samba4kinit=kinit +samba4kinit_binary=kinit heimdal=0 if test -x $BINDIR/samba4kinit; then heimdal=1 - samba4kin
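Review bot: Both gensec_krb5_start() hunks set addr.sa_socklen = sizeof(addr.u) before the call, which is the buffer capacity rather than the address length, and the visible lines never store the length returned in sockaddr_ret back into addr.sa_socklen after the < 0 check. If later code reads sa_socklen as the real address length, assign it there. The local and remote blocks are identical, so a small helper would keep this sizing mistake from returning in only one of them.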
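Review bot: In kerberos_kinit() the added -c ${KRB5CCNAME} is unquoted, so when KRB5CCNAME is unset or empty the -c option takes the next word, --password-file=${kpassfile}, as the cache name and the test runs against a credentials cache nobody chose, which is the ambiguity the commit sets out to remove. Quote it as -c "${KRB5CCNAME}", fail early when it is empty, and quote "$@" on the same line. The context line echo $password > ${kpassfile} has the same unquoted expansion of the password.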
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via fc267567a07 printing: avoid crash in LPRng_time
via 16c28b367d9 fuzz: add fuzz_parse_lpq_entry
via 0cb833b32c8 fuzz: fix multiple comment headers
via 6d216dc3654 dns update: zero flags and reserved
via 9d3731cd168 dns_common_replace: do not leak
via 7c298ee89f8 samba-tool: dns update rejects malformed addresses
via e6e3dc8bd3a pydns: fix a comment in replace_by_dn()
via b80f66f8035 ldb-samba: dns tombstone matching: constrict value length
via 7a111c1f35e dns_server: free old zones when reloading
via 54b9271eb5e s4/dns_common_replace: add comments about tombstones
via 26bb958af80 dns_common_replace: comment in needs_add case
via 602dd50b31d dns_common_replace: do logging in needs_add case
via 7edeb5901b0 dnsserver_common: comments about record sorting
via 3a4cb8679a3 py/dnsserver: TXTRecord copes with single strings
via 6bd6b2e9f3b dnsserver/update: add a few comments
via 6f9564425f4 dns update: emit warnings upon unexpected occurrances
via 1741a0667bb dlz_bind9: insert missing words into error message
via c84f7a0a641 dlz_bind9: fix a copy-pasted comment
from 2458a20eaca s3: VFS: Update status of SMB_VFS_GETXATTR.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit fc267567a072c9483bbcc5cc18e150244bc5376b
Author: Douglas Bagnall
Date: Wed May 5 14:55:47 2021 +

printing: avoid crash in LPRng_time

If the string is too short we don't want to atoi() whatever is beyond the end of it.

Found using Honggfuzz and the fuzz_parse_lpq_entry fuzzer.
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Jul 5 05:07:13 UTC 2021 on sn-devel-184 commit 16c28b367d9edc760e62949f0eef34b8046ece75 Author: Douglas Bagnall Date: Tue Apr 6 23:11:32 2021 +1200 fuzz: add fuzz_parse_lpq_entry Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 0cb833b32c8bf9341da74ded6545d6674156c08e Author: Douglas Bagnall Date: Fri May 14 15:05:05 2021 +1200 fuzz: fix multiple comment headers Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 6d216dc365463fbcc4927bfc988ba52c16eef4cf Author: Douglas Bagnall Date: Wed May 26 15:01:36 2021 +1200 dns update: zero flags and reserved This is the observed behaviour on Windows. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 9d3731cd1681ebcfee60422d428f076182e483d3 Author: Douglas Bagnall Date: Thu Apr 15 16:07:58 2021 +1200 dns_common_replace: do not leak Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 7c298ee89f8d3bcdeb8c4f1f951c524326191334 Author: Douglas Bagnall Date: Sun Jun 20 14:52:48 2021 +1200 samba-tool: dns update rejects malformed addresses Because neither filling out the struct will not necessarily tell you you got it wrong, and the RPC could succeed in setting an arbitrary wrong address (typically, an IPv6 address would set an A record to "255.255.255.255"). Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e6e3dc8bd3ad5ce07b27cf2e5f61c43601827168 Author: Douglas Bagnall Date: Sun Jun 20 22:03:35 2021 +1200 pydns: fix a comment in replace_by_dn() Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b80f66f803554d25352413c24889a5f8fadef6d3 Author: Douglas Bagnall Date: Mon Mar 29 13:03:45 2021 +1300 ldb-samba: dns tombstone matching: constrict value length We know the only values we want to see are uint32, ie < ~4 billion (and real values will be 7 digits for hundreds of years). 
We also know the caller (we have just checked) is a trusted system session which won't be padding the thing with spaces. But if they do, let's call them out. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 7a111c1f35ee949d1f669fe7ea1394c6b3a52ee7 Author: Douglas Bagnall Date: Wed Mar 31 10:47:05 2021 +1300 dns_server: free old zones when reloading Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 54b9271eb5e90c214c7009778ab22d60f9ee88eb Author: Douglas Bagnall Date: Fri Jun 18 15:31:42 2021 +1200 s4/dns_common_replace: add comments about tombstones Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 26bb958af80199eda54e84d6ae427385d1843052 Author: Douglas Bagnall Date: Sun Apr 11 11:58:25 2021 +1200 dns_common_replace: comment in needs_add case Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 602dd50b31daa754c3123a6adc2ccd36ca1875cc Au
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5f70396e62d idl: secrets_domain_info1_change is not a recursive structure via feaf0d1ab71 s4:dsdsb: Check return code of cli_credentials_guess() via ee9dc1fb474 s3:libsmb: Check return code of cli_credentials_guess() via 08585bcfb2b s3:libnetapi: Check return code of cli_credentials_guess() via 304cb910bd3 auth:creds: Check return code of cli_credentials_guess() via 9f69e93bad3 lib:cmdline: Ignore the return code of cli_credentials_guess() via 9f786df2a2f auth:creds: Return bool for cli_credentials_guess() via f7ff694cddd auth:creds: Add sanity check for env variables via 5dd3a0cc175 s4:rpc_server: Check return code of cli_credentials_set_conf() via cfe9fb2373f s4:kpasswd: Check return code of cli_credentials_set_conf() via 0ea4041432f s4:dns_server: Check return code of cli_credentials_set_conf() via 9c84bea515e s4:dns:bind_dlz: Check return codes of cli_credentials functions via 6fb3cd8d133 s4:auth: Check return code of cli_credentials_set_conf() via 2f700ebda69 s4:auth: Check return code of cli_credentials_set_conf() via 5281a6592b0 s3:winbindd: Check return code of cli_credentials_set_conf() via 0f13044634d s3:passdb: Check return code of cli_credentials_set_conf() via b18fa931f31 s3:libsmb: Check return code of cli_credentials_set_conf() via ced8390c955 s3:auth: Check return code of cli_credentials_set_conf() via cdf8859b906 auth:creds: Check return code of cli_credentials_set_conf() via 1d6dfd5b4d7 auth:creds: Return a bool for cli_credentials_set_conf() via 701c55841fb rpc/dnsserver: check talloc_strndup return via 14ce22f4465 rpc dnsserver: improve handling of serial numbers via 0fa98cd38b5 rpc dnsserver: set the record rank via 8b3d2556dad rpc dnsserver: updates reset more than timestamp via 9fb87134b8c rpc:dnsserver: allow update replacing with similar record via fa608837369 rpc:dnsserver: split off record rank setting logic from b5339048001 s3: VFS: fake_acls. Add missing NULL check for return of cp_smb_filename(). 
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5f70396e62d7cc77bf248576e2ca6e7f0f755bde Author: Pavel Filipenský Date: Tue Jun 22 16:00:00 2021 +0200 idl: secrets_domain_info1_change is not a recursive structure 575d39048e3b4f619d65d65303ac809c40c5d495 has marked several structures as recursive, they contain typically a backpointer named '* next'. secrets_domain_info1 is not self recursive, it only contains a pointer named '*next_change'. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Jun 29 03:07:17 UTC 2021 on sn-devel-184 commit feaf0d1ab7128230181c071c8da9cd2cc67bd41c Author: Andreas Schneider Date: Tue Jun 22 09:37:13 2021 +0200 s4:dsdsb: Check return code of cli_credentials_guess() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit ee9dc1fb47442c6b8839b10be135f2af525fe376 Author: Andreas Schneider Date: Tue Jun 22 09:35:47 2021 +0200 s3:libsmb: Check return code of cli_credentials_guess() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 08585bcfb2b60c1684f2f5c69496d16b8d86ee6b Author: Andreas Schneider Date: Tue Jun 22 09:34:39 2021 +0200 s3:libnetapi: Check return code of cli_credentials_guess() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 304cb910bd3637e79805b7a0fd21f508d1f9d5a0 Author: Andreas Schneider Date: Tue Jun 22 09:24:38 2021 +0200 auth:creds: Check return code of cli_credentials_guess() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9f69e93bad38d45a53219cf248ba92097298b7e7 Author: Andreas Schneider Date: Tue Apr 27 16:19:31 2021 +0200 lib:cmdline: Ignore the return code of cli_credentials_guess() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9f786df2a2fd5c72b331625db74547fc88ad3e83 Author: Andreas Schneider Date: Tue Apr 27 16:15:30 2021 +0200 auth:creds: Return bool for cli_credentials_guess() Signed-off-by: 
Andreas Schneider Reviewed-by: Andrew Bartlett commit f7ff694cdddfe2c93751dd951fdf08defc51b5d5 Author: Andreas Schneider Date: Tue Apr 27 16:11:48 2021 +0200 auth:creds: Add sanity check for env variables CID 710829 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 5dd3a0cc17582388e59f8775d5ffdad679b05aa6 Author: Andreas Schneider Date: Tue Jun 22 09:48:42 2021 +0200 s4:rpc_server: Check return code of cli_credentials_set_conf
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 002ef728bb0 torture: Fix build on freebsd, missing deps on cmdline via e267cea8179 samba-tool: dbcheck search DnsAdmins from wellknown container via 0db57db80a5 samba-tool: Provision search DnsAdmins from wellknown container via 151f432ca8c samba-tool: Demote computer to wellknown container via fee11c35586 samdb: Create computer in wellknown user container via 4602f4fc1b5 samdb: Create group in wellknown user container via 43ab8a4a1b4 samdb: Create user in wellknown user container via 5e559528b34 pytest: dcerpc/dnsserver: fix tombstone test via 97b9f45a764 pytest/dns_forwarder: remove unused function and imports via aa97974c0e4 pytest segfaults: add a couple more failing tests via 24493ccceb1 pytest samba-tool dns: avoid testing update of '.' PTR via de2b775e9ac pytest: dns_aging: do not insist on non-aging timestamp updates via ad6637afa5e pytest: dns_aging sibling test fails on windows via 7fbb8f8e957 pytest dns_aging: add windows_variation via ebfa200bfd9 pytest: dns_aging: fix two tests (bad arithmetic) via eac8d6b30b3 pytest dns_aging: add sibling tests via 61355d36cbf pytest dns_aging: add simple delete tests via 663a154e3e0 pytest: samba-tool dns: allow identical updates via b2453a0f5c2 pytest: samba-tool dns: allow valid updates via 6fb83b454cc pytest: dns_aging: test delete multiple records via b24b82336f2 pytest: dns_aging: test RPC updates of disparate types via 8d32cdf1849 python dns: dns_record_match() matches IPv6 semantically from 91f5b5f3d07 selftest: Remove -d10 from test startup https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 002ef728bb02819385c0a8c2ca1b216ed712d153 Author: Amitay Isaacs Date: Wed Jun 16 12:58:27 2021 +1000 torture: Fix build on freebsd, missing deps on cmdline Missing dependency causes build failure on freebsd. 
[2928/3944] Compiling source4/torture/util_smb.c In file included from ../../source4/torture/util_smb.c:22: ../../lib/cmdline/cmdline.h:22:10: fatal error: 'popt.h' file not found ^~~~ 1 error generated. Signed-off-by: Amitay Isaacs Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Jun 22 02:05:17 UTC 2021 on sn-devel-184 commit e267cea8179886995b46f0796c969a56a1becd3f Author: David Mulder Date: Wed Aug 26 14:59:24 2020 -0600 samba-tool: dbcheck search DnsAdmins from wellknown container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 0db57db80a59e2ecfb1c626f66a72987d9fedcef Author: David Mulder Date: Wed Aug 26 14:33:13 2020 -0600 samba-tool: Provision search DnsAdmins from wellknown container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 151f432ca8c173e7bad488dfbd507517908102da Author: David Mulder Date: Wed Aug 26 10:06:21 2020 -0600 samba-tool: Demote computer to wellknown container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit fee11c35586adfa7e3ce79f03798732ffb870829 Author: David Mulder Date: Wed Aug 26 08:15:07 2020 -0600 samdb: Create computer in wellknown user container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 4602f4fc1b537e74fdee8d9f1a390a4ea1ba18d5 Author: David Mulder Date: Tue Aug 25 14:16:30 2020 -0600 samdb: Create group in wellknown user container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 43ab8a4a1b4152ae86e3dad23f10b40d4f61fb89 Author: David Mulder Date: Tue Aug 25 12:44:02 2020 -0600 samdb: Create user in wellknown user container BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143 Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 
5e559528b34e4b6b26fc708cdc0976e042d91eb3 Author: Douglas Bagnall Date: Fri Mar 26 16:37:52 2021 +1300 pytest: dcerpc/dnsserver: fix tombstone test It worked accidentally, like all our tombstone tests. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 97b9f45a76434c5c00f467ec93f21a111bf35c0f Author: Douglas Bagnall Date: Wed May 19 01:12:49 2021 + pytest/dns_forwarder: remove unused function and imports Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit aa97974c0e42f5eb7c663b05407964ff816dae3b Author: Douglas Bagnall Date: Wed May 19 02:38:20 2021 +