[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via fd69161 VERSION: Disable git snapshots for the 4.1.23 release. via 8b05063 WHATSNEW: Add release notes for Samba 4.0.23. via f548984 CVE-2016-0771: tests/dns: Remove dependencies on env variables via 600af99 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest via feadfc4 CVE-2016-0771: tests: rename test getopt to get_opt via c7598f1 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test via 74fc257 CVE-2016-0771: dnsserver: don't force UTF-8 for TXT via 1a97ee3 CVE-2016-0771: tests/dns: modify tests to check via RPC via 006551d CVE-2016-0771: tests/dns: Add some more test cases for TXT records via 6395b6c CVE-2016-0771: tests/dns: Correct error code for formerly unrun test via 83d94cb CVE-2016-0771: tests/dns: restore formerly segfaulting test via a76db39 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour via a03e3fa CVE-2016-0771: tests/dns: prepare script for further testing via ede159b CVE-2016-0771: tests/dns: Modify dns tests to match new IDL via 24c5af7 CVE-2016-0771: dns.idl: make use of dnsp_hinfo via 79f2cf1 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record via 4c40108 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function via b003b71 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library via 757e25a CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings via 5b5fcbf CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test. via 2a7b77b CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test. via 72f4892 CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests. via 09514d7 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames. via e1825c8 CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink. via 63a27a3 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink. via 39aaef0 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication. via e387562 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink. via c4fade4 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink. via 9e6620b CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink. via 7f893ff CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink. via 24f3cb0 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink. via eba93d6 VERSION: Bump version up to 4.1.23... from cd89c83 VERSION: Disable git snapshots for the 4.1.22 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit fd69161868b5aa4d644488cc4e8069ba40266576 Author: Karolin SeegerDate: Wed Feb 24 12:19:51 2016 +0100 VERSION: Disable git snapshots for the 4.1.23 release. Signed-off-by: Karolin Seeger commit 8b0506340901b22a0b2647b0ad7ed15bd4427cdc Author: Karolin Seeger Date: Wed Feb 24 12:18:19 2016 +0100 WHATSNEW: Add release notes for Samba 4.0.23. CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change permissions on link target. CVE-2016-0771: Read of uninitialized memory DNS TXT handling Signed-off-by: Karolin Seeger commit f548984208aba1fa7237c3b4b072cd9dfbd950b3 Author: Garming Sam Date: Fri Jan 29 17:28:54 2016 +1300 CVE-2016-0771: tests/dns: Remove dependencies on env variables Now that it is invoked as a normal script, there should be less of them. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686 Signed-off-by: Garming Sam Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 600af999a418d605705c00708cd9f744fc533a33 Author: Garming Sam Date: Fri Jan 29 17:03:56 2016 +1300 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest This makes it easier to invoke, particularly against Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686 Signed-off-by: Garming Sam Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit feadfc41a1f1223d59c8c0e9427d6a8bdb9a5e94 Author: Garming Sam Date: Fri Jan
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via cd89c83 VERSION: Disable git snapshots for the 4.1.22 release. via 219533c WHATSNEW: Add release notes for Samba 4.1.22. via bf13cbd CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl via c634a14 CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session via 4c3a492 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal() via d9e943e CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect() via fa8 CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir via f0cb216 CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share). via 9d989c9 CVE-2015-7540: lib: util: Check *every* asn1 return call and early return. via 530d50a CVE-2015-7540: s4: libcli: ldap message - Ensure all asn1_XX returns are checked. via 582d0e7 ldb: bump version of the required system ldb to 1.1.24 via 83f1d39 CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators via f07626d CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes via a561ae6 CVE-2015-5330: strupper_talloc_n_handle(): properly count characters via 5f3c754 CVE-2015-5330: Fix handling of unicode near string endings via 7bcac23 CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen() via 1aef718 CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal() via bb1b783 CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search. via fb45695 CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0. via 776eb21 VERSION: Bump version up to 4.1.22... from 6397681 VERSION: Disable git snapshots for the 4.1.21 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit cd89c8372cbc5868f23094a9b7481be21a89a7e9 Author: Karolin SeegerDate: Thu Dec 10 12:45:56 2015 +0100 VERSION: Disable git snapshots for the 4.1.22 release. Signed-off-by: Karolin Seeger commit 219533c28f8d15465b0faea4624a640255b71801 Author: Karolin Seeger Date: Thu Dec 10 12:09:38 2015 +0100 WHATSNEW: Add release notes for Samba 4.1.22. This is a security to address CVE-2015-7540, CVE-2015-3223, CVE-2015-5252, CVE-2015-5299, CVE-2015-5296, CVE-2015-8467, CVE-2015-5330. Signed-off-by: Karolin Seeger commit bf13cbd3f33c31483b172fc094b0e5946e899bc4 Author: Andrew Bartlett Date: Wed Nov 18 17:36:21 2015 +1300 CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl Swapping between account types is now restricted Bug: https://bugzilla.samba.org/show_bug.cgi?id=11552 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison Reviewed-by: Ralph Boehme commit c634a143a876bd5a724d830c54fe12ef6d68d5fd Author: Stefan Metzmacher Date: Wed Sep 30 21:23:25 2015 +0200 CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 4c3a492259ceefe3d02df690d4369291627883a2 Author: Stefan Metzmacher Date: Wed Sep 30 21:17:02 2015 +0200 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit d9e943e351a752ba627314da7fb8d2f6f1eb44b3 Author: Stefan Metzmacher Date: Wed Sep 30 21:17:02 2015 +0200 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit fa86d75272e3190dcbd32eeff9b3e4f03bde Author: Jeremy Allison Date: Fri Oct 23 14:54:31 2015 -0700 CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir Fix originally from https://bugzilla.samba.org/show_bug.cgi?id=11529 Signed-off-by: Jeremy Allison Reviewed-by: David Disseldorp commit f0cb216f6385460d4d3c728257b26a95c5d1 Author: Jeremy Allison Date: Thu Jul 9 10:58:11 2015 -0700 CVE-2015-5252: s3: smbd: Fix symlink
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 6397681 VERSION: Disable git snapshots for the 4.1.21 release. via 821493c WHATSNEW: Add release notes for Samba 4.1.21. via 18e3eba samr4: Use
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 74be972 VERSION: Disable git snapshots for the 4.1.20 release. via ec3ff76 WHATSNEW: Add release notes for Samba 4.1.20. via 487c3b3 s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable. via 711131e s3-util: Compare the maximum allowed length of a NetBIOS name via 0c640d0 s3-net: use talloc array in share allowedusers via 49e39b0 s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup. via 516f518 lib: replace: Add strsep function (missing on Solaris). via e889ea3 s3-auth: Fix a possible null pointer dereference via 28ee83d s3-smbd: Leave sys_disk_free() if dfree command is used via d7d60d8 s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths. via 7127c60 s3:libsmb: Fix a bug in conversion of ea list to ea array. via 5f029fc smbd:trans2: treat new SMB_SIGNING_DESIRED in case via a55bed3 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt via aae0423 smbd:smb2: use encryption_desired in send_break via 57c879a smbd:smb2: only enable encryption in tcon if desired via 2cad86c smbd:smb2: only enable encryption in session if desired via 3ed2fbe smbd:smb2: separate between encryption required and enc desired via 2c19c6f smbXsrv: add bools encryption_desired to session and tcon via b615fb6 Introduce setting "desired" for 'smb encrypt' and 'client/server signing' via 0b97972 smbd: Make SMB3 clients use encryption with "smb encrypt = auto" via 15b323d s4:selftest: also run rpc.winreg with kerberos and all possible auth options via d8df89f s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal via 6d6799a s4:rpc_server: fix padding caclucation in dcesrv_auth_response() via 62966eb s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error via 496d7f9 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload via e22adb8 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define via e661c30 s4:librpc/rpc: fix padding caclucation in ncacn_push_request_sign() via 3336fb7 s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error via 18342a7 s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload via ad94101 s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define via 9ab5872 s3:rpc_server: remove pad handling from api_pipe_alter_context() via c17dd15 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes() via 843c953 s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer() via 213b98b librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro via c0432c2 dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16) via 5570954 auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting via 54b9c1c auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE via b6a59bb winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC. via 7e05f60 kerberos auth info3 should contain resource group ids available from pac_logon via 8ddab98 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC. via 4bdfb15 s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO. via 02bda07 s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it. via a3d6a15 s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. via 2ff1428 s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3() via 7434e77 docs: overhaul the description of "smb encrypt" to include SMB3 encryption. via 972a97b docs: Change smb encrypt default in docs to match s3 and lib/param via 290c1ae s3: smbd: Codenomicon crash in do_smb_load_module(). via 81dde5e s3:winbindd: make sure we pass a valid server to rpccli_netlogon_sam_network_logon*() via e700e9d s3: smbd: Use separate flag to track become_root()/unbecome_root() state. via af4617a s3:param/loadparm fix testparm --show-all-parameters via 9a67af3 VERSION: Bump version up to 4.1.20... from f14dcca VERSION: Disable git snapshots for the 4.1.19 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - ---
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via f14dcca VERSION: Disable git snapshots for the 4.1.19 release. via 45bd969 WHATSNEW: Add release notes for Samba 4.1.19. via 43e2626 s3: libsmbclient: Re-resolving targetcli on every read/write/lseek/ftruncate/close is both incorrect and slow. via f8c27d1 nsswitch: Extend idmap_rfc2307 testcase for reverse lookup via 2070fa2 idmap_rfc2307: Fix wbinfo --gid-to-sid query via 1da224b s4.2/fsmo.py: fixed fsmo transfer exception via 3e5744d s3: IPv6 enabled DNS connections for ADS client via a6d7aa5 Add IPv6 support for determining FQDN during ADS join. via ccf557c Add IPv6 support to ADS client side LDAP connects. Corrected format for IPv6 LDAP URI. via 34cffdb s4:torture:smb2:compound: compound read and padding via 9ba2dce s3:smb2: add padding to last command in compound requests via db28391 s3: smbcacls: Ensure we read a hex number as %x, not %u. via 995bef1 s4: libcli/finddcs_cldap: continue processing CLDAP until all addresses are used via 67fbd6d s3:winbindd: make sure we remove pending io requests before closing client sockets via d8626e9 s4:lib/tls: fix build with gnutls 3.4 via 13d1bdd libads: record service ticket endtime for sealed ldap connections via 0372b33 s3: smbd: VFS: fake_acl module called get_full_smb_filename() with a stream path, then used the result to call XATTR functions directly. via 8ac582e s3: smbd: VFS: For all EA and ACL calls use synthetic_smb_fname(), not synthetic_smb_fname_split(). via 178db7c s3: smbd: VFS: All the places that are currently calling vfs_stat_smb_fname() and vfs_lstat_smb_fname() should be calling vfs_stat_smb_basename(). via bb22fea s3: smbd: VFS: Add vfs_stat_smb_basename() - to be called when we *know* stream name parsing has already been done. via 18536b8 vfs_gpfs: move failure label before END_PROFILE via 007a5fd vfp_gpfs: ensure END_PROFILE is always called via 3db0ad9 s3:selftest: run smb2.notify with --signing=required via 1b2cf28 s3:smb2_sesssetup: remove unused smbd_smb2_session_setup_* destructors via 3af2142 s3:smb2_sesssetup: add smbd_smb2_session_setup_wrap_send/recv() via f28cbf0 s3:smb2_sesssetup: always assign smb2req-session when a session was created. via bd03b6a s3:smb2_sesssetup: let smbd_smb2_logoff_* use smbXsrv_session_shutdown_* via 6d611c6 s3:smbXsrv_session: cancel pending requests when we logoff a previous session via 75b9a6f s3:smbXsrv_session: add smb2srv_session_shutdown_send/recv helper functions via 749e6fd s3:smbXsrv_session: clear smb2req-session of pending requests in smbXsrv_session_logoff_all_callback() via 21fd82d s3:smbXsrv_session: clear smb2req-session of pending requests in smbXsrv_session_destructor() via 5e47040 s4:torture/smb2: add smb2.notify.session-reconnect test via dcea20f s4:torture/smb2: add smb2.notify.invalid-reauth test via 712d9e5 s4:torture/smb2: add smb2.notify.close test via bc0966d s4:torture/smb2: verify STATUS_NOTIFY_CLEANUP return value via 6caba46 s3:smbd: use STATUS_NOTIFY_CLEANUP on smb2 logoff (explicit and implicit) and tdis via 2284593 s3:smbd: use STATUS_NOTIFY_CLEANUP when closing a smb2 directory handle via f362fc9 s3:smbd: add a smbd_notify_cancel_by_map() helper function via 33e1a4f smbd:smb2: fix error code when the header says the request is signed but we don't have a sesseion via f687a77 s3:smb2_server: don't rely on the SMB2_HDR_FLAG_SIGNED if signing is required via 87b7535 VERSION: Bump version up to 4.1.19... from 1a121d1 WHATSNEW: Add release notes for Samba 4.1.18. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 85 - lib/addns/dns.h | 2 +- lib/addns/dnssock.c | 125 +- nsswitch/tests/test_idmap_rfc2307.sh | 72 +++- python/samba/netcmd/fsmo.py | 1 - selftest/knownfail | 1 - source3/include/libsmb_internal.h| 5 + source3/lib/util.c | 52 +++--- source3/libads/ldap.c| 8 +- source3/libads/sasl.c| 23 +++ source3/libsmb/libsmb_file.c | 202 ++ source3/modules/nfs4_acls.c | 4 +- source3/modules/non_posix_acls.c | 2 +- source3/modules/vfs_acl_common.c | 19 ++- source3/modules/vfs_acl_tdb.c| 16 +- source3/modules/vfs_fake_acls.c | 22 ++- source3/modules/vfs_gpfs.c | 9 +-
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 1a121d1 WHATSNEW: Add release notes for Samba 4.1.18. via a9ca30c s3: nmbd: Don't set work_changed = True inside update_server_ttl(). via 91e7c41 s3: nmbd: Ensure we only set work_changed = true if we modify the record. via bbde543 vfs: kernel_flock and named streams via 050f831 s3: smbd: Incorrect file size returned in the response of FILE_SUPERSEDE Create via c850922 s4: rpc: Refactor dcesrv_alter() function into setup and send steps. via f8ef498 Add DCERPC flag to call unbind hooks without destroying the connection itself upon termination of a connection with outstanding pending calls. via 8b78cc3 s4:rpc_server: Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies via 2e0df25 Make sure we initialize conn to NULL, because a routine we call may give an error and not touch conn, and then we get an error when trying to TALLOC_FREE it. via 08dd42c s3:smbd: update comment to correctly reflect MS-SMB2 via bfde0f0 s3:smbd: missing tevent_req_nterror via 9329307 spoolss: purge the printer name cache on name change via 1cd5d85 s3: libsmbclient: After getting attribute server, ensure main srv pointer is still valid. via 05284b8 s3: Fix fsctl_validate_neg_info to pass MS compliance suite. via 8628ae2 s3: Refactor smbd_smb2_request_process_negprot via fc4bdf5 s3-passdb: Fix 'force user' with winbind default domain via c2ea207 s4-process_model: Do not close random fds while forking. via ef714b3 s3: libsmbclient: Add missing talloc stackframe. via 58deb20 s4:auth/gensec_gssapi: let gensec_gssapi_update() return NT_STATUS_LOGON_FAILURE for unknown errors via af95423 s3: client - client use spnego principal = yes code checks wrong name. via 2f46746 docs: Mark 'client use spnego principal' as deprecated and also a bad idea. via c9a9483 s3:winbind:grent: don't stop group enumeration when a group has no gid via f5e3b94 s3: lib: libsmbclient: If reusing a server struct, check every cli-timout miliseconds if it's still valid before use. via b417ef0 s3: libcli: smb1: Ensure we correctly finish a tevent req if the writev fails in the SMB1 case. via 9e395c9 s3: lib: ntlmssp: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields. via 2355e2d s4: lib: auth: If NTLMSSP_NEGOTIATE_TARGET_INFO isn't set, cope with servers that don't send the 2 unused fields. via f9fd1dc docs/idmap_rid: remove deprecated base_rid from example via f244eaa talloc: version 2.1.2 via 75d7179 talloc: fix _talloc_total_limit_size prototype via 763a569 lib: talloc: Test suite for the new destructor reparent logic. via f635357 lib: talloc: Allow destructors to reparent the object they're called on. via 2a4ca9d lib: talloc: Fix bug when calling a destructor. via 1c2f26b talloc:build: improve detection of srcdir via 2a59ff1 talloc: version 2.1.1 via 38aeda4 talloc/tests: avoid some unused variable warnings via 21e38ad talloc: fix compiler warning via 43049ba talloc: check for TALLOC_GET_TYPE_ABORT_NOOP via 32035b0 talloc: avoid a function call in TALLOC_FREE() if possible. via 19a86f6 talloc: inline talloc_get_name() via 7e2707e talloc: inline more static functions via b77c479 talloc: Tune talloc_vasprintf via 7af07a5 talloc: Update flags in pytalloc-util pkgconfig file via 4992a53 Add a basic guide on pytalloc. via 88c9bff talloc: Add a warning to talloc_reference() documentation. via 2aa1291 talloc: Test the pooled object via 0f88b87 talloc: Add talloc_pooled_object via 62abe79 talloc: Allow nested pools. via 1a70518 talloc: Add a separate pool size via 8497337 talloc: Put pool-specific data before the chunk via 4e36c2f talloc: Introduce __talloc_with_prefix via a6a4ec7 talloc: Decouple the dual use of chunk-pool via 133b1c6 Fix valgrind errors with memmove and talloc pools. via 834b7ea Add simple limited pool tests to test_memlimit(). via 105a903 Remove talloc_memlimit_update(). No longer used. via 595a97e Inside _talloc_realloc(), keep track of size changes over malloc/realloc/free. via a1e788b Don't call talloc_memlimit_update() inside _talloc_realloc() when we're just manipulating pool members. via a0b5d06 Fix a conditional check. (size - tc-size 0) is always true if size and tc-size are unsigned. via 2d9ed12 In _talloc_steal_internal(), correctly decrement the memory limit in the source, and increment in the destination. via 833b365 Inside _talloc_free_internal(), always call talloc_memlimit_update_on_free() before we
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 492c673 VERSION: Disable git snapshots for the 4.1.17 release. via 8f38d4b WHATSNEW: Add release notes for Samba 4.1.17. via a9a513c s3-netlogon: Make sure we do not deference a NULL pointer. via 1996b18 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer. via 5a59b1a VERSION: Re-enable git snapshots. via e001101 VERSION: Bump version up to 4.1.17. from 1e682c3 VERSION: Disable git snapshots for the 4.1.16 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit 492c673de07d68e0e937ca584302fef577318b24 Author: Karolin Seeger ksee...@samba.org Date: Sat Feb 21 21:04:20 2015 +0100 VERSION: Disable git snapshots for the 4.1.17 release. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077 CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server could lead to security vulnerability. Signed-off-by: Karolin Seeger ksee...@samba.org commit 8f38d4b5e4ba45d8cc365e150f6e259d8272367c Author: Karolin Seeger ksee...@samba.org Date: Sat Feb 21 21:07:08 2015 +0100 WHATSNEW: Add release notes for Samba 4.1.17. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077 CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server could lead to security vulnerability. Signed-off-by: Karolin Seeger ksee...@samba.org commit a9a513c926209aa084991528d0f6ab84b20da5f7 Author: Andreas Schneider a...@samba.org Date: Mon Feb 16 10:59:23 2015 +0100 s3-netlogon: Make sure we do not deference a NULL pointer. This is an additional patch for CVE-2015-0240. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32 Pair-Programmed-With: Michael Adam ob...@samba.org Pair-Programmed-With: Andreas Schneider a...@samba.org Signed-off-by: Michael Adam ob...@samba.org Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Volker Lendecke v...@samba.org commit 1996b18510a63a2619d813113c6b57e4654be318 Author: Jeremy Allison j...@samba.org Date: Wed Jan 28 14:47:31 2015 -0800 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077 Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 5a59b1a8184fe3b483e4f19e024de39b667041ef Author: Karolin Seeger ksee...@samba.org Date: Tue Feb 10 21:30:36 2015 +0100 VERSION: Re-enable git snapshots. Signed-off-by: Karolin Seeger ksee...@samba.org commit e001101a9cd49dadc5b818cc7a0c490a305099eb Author: Karolin Seeger ksee...@samba.org Date: Thu Jan 15 12:10:58 2015 +0100 VERSION: Bump version up to 4.1.17. Signed-off-by: Karolin Seeger ksee...@samba.org (cherry picked from commit c4e46cd4e32ef5bf25f3a21f74bb40dfb1dd3c0d) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 62 +++-- source3/rpc_server/netlogon/srv_netlog_nt.c | 13 +- 3 files changed, 71 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 47509cb..8876650 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=1 -SAMBA_VERSION_RELEASE=16 +SAMBA_VERSION_RELEASE=17 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 81a1d56..48ebdf9 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,62 @@ == + Release Notes for Samba 4.1.17 + February 23, 2015 + == + + +This is a security release in order to address CVE-2015-0240 (Unexpected +code execution in smbd). + +o CVE-2015-0240: + All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an + unexpected code execution vulnerability in the smbd file server + daemon. + + A malicious client could send packets that may set up the stack in + such a way that the freeing of memory in a subsequent anonymous + netlogon packet could allow execution of arbitrary code. This code + would execute with root privileges. + + +Changes since 4.1.16: +- + +o Jeremy Allison j...@samba.org +* BUG 11077: CVE-2015-0240: talloc free on uninitialized stack pointer + in netlogon server could lead to security vulnerability. + + +o Andreas Schneider a...@samba.org +* BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 1e682c3 VERSION: Disable git snapshots for the 4.1.16 release. via 8010553 WHATSNEW: Add release notes for Samba 4.1.16. via 5cc1c0e CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl via 3c93b57 CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c via f2cb9b9 CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag via 9e15786 CVE-2014-8143:auth: Force talloc type of session_info pointer to match via cc49a60 VERSION: Bump version up to 4.1.16... from 28eacea VERSION: Disable git snapshots for the 4.1.15 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit 1e682c3ce0593b3cd93acc6a5be0d74db8d04fef Author: Karolin Seeger ksee...@samba.org Date: Mon Jan 12 21:42:02 2015 +0100 VERSION: Disable git snapshots for the 4.1.16 release. Signed-off-by: Karolin Seeger ksee...@samba.org commit 801055358de0988717b65b4f6a2a6a4b820b9fcd Author: Karolin Seeger ksee...@samba.org Date: Mon Jan 12 21:41:32 2015 +0100 WHATSNEW: Add release notes for Samba 4.1.16. Signed-off-by: Karolin Seeger ksee...@samba.org commit 5cc1c0ec403358d08e208a38feae11631510ab72 Author: Andrew Bartlett abart...@samba.org Date: Thu Dec 4 17:23:29 2014 +1300 CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow changes to userAccountControl This requires an additional control to be used in the LSA server to add domain trust account objects. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 3c93b5772ef002569810b01c39faac8b34168f05 Author: Andrew Bartlett abart...@samba.org Date: Mon Dec 8 14:20:21 2014 +1300 CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.c Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1 Pair-programmed-with: Garming Sam garm...@catalyst.net.nz Signed-off-by: Andrew Bartlett abart...@samba.org Signed-off-by: Garming Sam garm...@catalyst.net.nz Reviewed-by: Stefan Metzmacher me...@samba.org commit f2cb9b99235ebfdd0d53c3ebdaaac44f8b958311 Author: Andrew Bartlett abart...@samba.org Date: Mon Dec 8 12:19:19 2014 +1300 CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flag Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857 Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Garming Sam garm...@catalyst.net.nz Reviewed-by: Stefan Metzmacher me...@samba.org commit 9e15786d093ac984262394510333cb3c3d512e1a Author: Andrew Bartlett abart...@samba.org Date: Tue Nov 11 15:23:02 2014 +1300 CVE-2014-8143:auth: Force talloc type of session_info pointer to match This helps us keep things safe in LDB where we put this in a opaque pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Andrew Bartlett Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Garming Sam garm...@catalyst.net.nz Reviewed-by: Stefan Metzmacher me...@samba.org commit cc49a6005c4406efd781ebc9ab7bb0ba00a3a603 Author: Karolin Seeger ksee...@samba.org Date: Sun Jan 11 20:41:04 2015 +0100 VERSION: Bump version up to 4.1.16... and re-enable git snapshots. Signed-off-by: Karolin Seeger ksee...@samba.org (cherry picked from commit 9f52de75088380915835e815217bdcd0afa8dc85) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 55 - librpc/idl/security.idl | 13 ++- source4/auth/session.c | 5 + source4/dsdb/common/util.c | 4 +- source4/dsdb/pydsdb.c | 1 + source4/dsdb/samdb/ldb_modules/samldb.c | 192 +++- source4/dsdb/samdb/samdb.h | 6 + source4/rpc_server/lsa/dcesrv_lsa.c | 15 ++- source4/setup/schema_samba4.ldif| 1 + 10 files changed, 282 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index e5a8fba..47509cb 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=1 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=16 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index fe8cbeb..81a1d56 100644 ---
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 28eacea VERSION: Disable git snapshots for the 4.1.15 release. via c72d0e0 WHATSNEW: Add release notes for Samba 4.1.15. via 65f891a nsswitch: fix soname of linux nss_*.so.2 modules via 5636a48 selftest: use shared/libnss_wrapper_winbind.so.2 via b3f140d wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY() via 16f881c winbind: Retry after SESSION_EXPIRED error in ping-dc via c6ede38 winbind: Retry LogonControl RPC in ping-dc after session expiration via 45238fe librpc/ndr_drsuapi: Allow ndrdump to dump dsinfo52 blobs via db5d422 idl:drsuapi: Manage all possible lengths of drsuapi_DsBindInfo via e3e0c5e librpc-idl: change the drsuapi_DsBindInfoCtr so that it match what is on the wire both in NDR32 and NDR64. via e890269 librpc-idl: replace int32 by uint32 as the values are always 0 via 9dd858c librpc-idl: replace int32 by the enumeration as it's the type that we use in union's switch drsuapi_DsGetDCInfoCtrLevels via a6a301f drsuapi.idl: change the range for attribute values to 26214400 bytes. via d6c626a libcli/smb: only force signing of smb2 session setups when binding a new session via be1585f s3:smb2_server: allow reauthentication without signing via 7aacb3c s3:smb2_server: use the global signing key to check if signing is required via b1ecde9 testprogs/test_ldb: check rootdse search with extended-dn control via 54c8bca s4:dsdb/rootdse: expand extended dn values with the AS_SYSTEM control via 950506d s3:utils/profiles fix a use after free via b18866b s3:registry/regfio fix some valgrind warnings via d95c2d2 s3:registry/regfio read SD from the correct location via a3d2970 s3: modules: Fix *allocate* calls to follow POSIX error return convention. via 1a128c4 s3: smbd: Fix *allocate* calls to follow POSIX error return convention. via 5b5546b s3: smbd: Fix *allocate* calls to follow POSIX error return convention. via 8999aca s3-libsmb: Duplicate the memory before we free it. via 4051499 s3-libsmb: Set the netbios_name in use_ccache case too. via 8ca520e s3-lib: Do not require a password with --use-ccache. via 6e030c2 pam_winbind: fix warn_pwd_expire implementation. via 2bea37d libcli: SMB2: Pure SMB2-only negprot fix to make us behave as a Windows client does. via 192fa10 s3-smbstatus: Fix exit code of profile output. via 9c7b253 s3-smbclient: Return success if we listed the shares. via 6931f8d s4-rpc: dnsserver: Fix enumeration of IPv4 and IPv6 addresses via 05cace7 samba-tool: Fix the IP output of samba-tool dns serverinfo some_server via 1e02ce0 samba-tool: Fix enum values in dns.py via 7dfcd23 VERSION: Bump version up to 4.1.15... from 1eb23eb VERSION: Disable git snapshots for the 4.1.14 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 89 ++- buildtools/wafsamba/wafsamba.py | 6 +- libcli/smb/smbXcli_base.c | 18 ++- librpc/idl/drsuapi.idl | 104 ++--- librpc/ndr/ndr_drsuapi.c| 190 nsswitch/pam_winbind.c | 5 +- nsswitch/wscript_build | 24 ++- python/samba/netcmd/dns.py | 15 +- selftest/target/Samba.pm| 2 +- source3/client/client.c | 2 +- source3/include/local.h | 2 + source3/lib/util_cmdline.c | 3 +- source3/libnet/libnet_dssync.c | 21 ++- source3/libsmb/ntlmssp.c| 18 ++- source3/modules/vfs_ceph.c | 13 +- source3/modules/vfs_default.c | 17 ++- source3/modules/vfs_streams_xattr.c | 5 +- source3/modules/vfs_time_audit.c| 8 +- source3/registry/regfio.c | 10 +- source3/rpcclient/cmd_drsuapi.c | 4 + source3/script/tests/test_smbclient_s3.sh | 4 +- source3/smbd/smb2_server.c | 5 - source3/smbd/smb2_sesssetup.c | 4 + source3/smbd/vfs.c | 22 +-- source3/utils/profiles.c| 6 +- source3/utils/status.c | 7 +- source3/winbindd/winbindd_dual_srv.c| 18 +++ source3/wscript_build | 7 -
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 1eb23eb VERSION: Disable git snapshots for the 4.1.14 release. via b692217 WHATSNEW: Add release notes for Samba 4.1.14. via 4ddd4c6 s4-dns: dlz-bind: Add trailing '.' to all fqdn strings via a5adad6 s4-dns: Add support for BIND 9.10 via a30eeec s4-dns: Update dlz_minimal.h based on BIND release 9.10 via 8fed025 s4-dns: Check DLZ_DLOPEN_VERSION for different BIND versions via 221934c s4-dns: Update template variables, change BIND98 -- BIND9_8 via c4ae1b4 samba: pass down size_t instead of int to add_string_to_array(). via fed8ae0 lib/util: use size_t for add_string_to_array(). via e0b65dd s3-proto: remove duplicate proto for add_string_to_array(). via 2947da5 Revert buildtools: Rename perl vendorarch configure option. via 13c1147 Revert buildtools: Add perl vendorlib configure option. via a3a75d7 Revert wafsamba: If perl can't provide defaults, define them. via 3b4dc66 Revert wafsamba: Fail with error message if perl doesn't provide valid dirs. via 699bcec pidl/wscript: remove --with-perl-* options via 999867a Revert autobuild: Set perl vendorlib direcotry. via 8f967e2 Revert script/autobuild: make use of --with-perl-{arch,lib}-install-dir via 23aba84 pidl: remove superfluous use lib via 6feada1 pidl: fix the perl module search path (use lib ...) when installing pidl. via 50f3e56 wafsamba: add perl_fixup parameter to INSTALL_FILES via 016f1ef s3:build: don't detect perl in source3/wscript again. via 711a810 pidl/wscript: don't check for perl again. via 94e9dae build: do full SAMBA_CHECK_PERL() check in configure via dff2c03 wafsamba: add samba_perl.py with SAMBA_CHECK_PERL() higher level check. via 78cb744 dynconfig: implement PERL_ARCH_INSTALL_DIR via 89cc025 dynconfig: implement PERL_LIB_INSTALL_DIR. via f839d6c lib/ldb/wscript: pass dep_vars=['LDB_VERSION'] to SAMBA_GENERATOR() via 226ccc7 docs-xml/wscript_build: pass dep_vars=bld.dynconfig_varnames() to SAMBA_GENERATOR() via 48e500d dynconfig/wscript: add dynconfig_varnames() via d9d873c wafsamba: let SAMBA_BLDOPTIONS() use dep_vars=['defines'] instead of always=True via e19b17a wafsamba: fix dependencies on environment variables for python_fixup via 81c781d wafsamba: allow an optional dep_vars list to be passed to SAMBA_GENERATOR() via f0cf2c0 wafsamba: fix dependency for SAMBA_GENERATOR() when passing vars!=None via ae97d88 wafsamba: fix dependency calculation for SAMBA_GENERATOR() via cfbf91e wafsamba: improve wording in a comment via 6392749 wafsamba: remove unused variable from copy_and_fix_python_path via cda88f3 docs: Always declare rule to build parameters.all.xml and do it first via fd0fe9a docs: define and include entities for the docs via 422d803 docs: remove the file prefix from included path names via f66abcc docs: update XInclude year to conform with current standard via 3aa6401 pdb_tdb: Fix a TALLOC/SAFE_FREE mixup via 60501b0 s3-keytab: fix keytab array NULL termination. via 1d9c15f spoolss: remove unused fill_job_info3() via bcd16d6 spoolss: fix jobid in level 3 EnumJobs response via 20f803b spoolss: fix jobid in level 2 GetJob and EnumJobs responses via e1fb94b spoolss: fix jobid in level 1 GetJob and EnumJobs responses via 7bf4cb0 spoolss: fix GetJob jobid lookups via 9f438fd printing: add jobid_to_sysjob helper function via 00f6184 s3:smbd: fix file corruption using write cache size != 0 via 907e64c s3: nmbd: Ensure NetBIOS names are only 15 characters stored. via 56ed600 s3: libsmbclient - smb2. MacOSX 10 SMB2 server doesn't set STATUS_NO_MORE_FILES when handed a non-wildcard path. via 5126c01 spoolss: fix handling of bad EnumJobs levels via 39a9211 s3-nmbd: Fix netbios name truncation. via 0e03a17 There are tests all over the SMB1 code to check that srv_send_smb fails, but it never returns false. via 859a84d s3: daemons - ensure nmbd and winbindd are consistent in command line processing by adding POPT_COMMON_DYNCONFIG. via 43fbaf6 vfs_glusterfs: Remove integer fd code and store the glfs pointers. via ad4629b vfs_glusterfs: smb_stat_ex_from_stat commenting and cleanup. via 6a2496a vfs_glusterfs: Comment the top of the file. via 1883e25 nss_winbind: add getgroupmembership for FreeBSD via 0548c9e VERSION: Bump version up to 4.1.14... from 3211982 VERSION: Disable git snapshots for the 4.1.13 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log -
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 3211982 VERSION: Disable git snapshots for the 4.1.13 release. via b780193 WHATSNEW: Add release notes for Samba 4.1.13. via e0f4517 s3: nmbd: Ensure the main nmbd process doesn't create zombies. via 26a7036 pthreadpool: Slightly serialize jobs via fda66b9 s3: lib: Signal handling - ensure smbrun and change password code save and restore existing SIGCHLD handlers. via 78deb22 lib: util: Signal handling - change CatchChild() and CatchChildLeaveStatus() to return the previous handler. via 429ddb1 s3: smb2cli: query info return length check was reversed. via 0e17b3f s3-libads: Add all machine account principals to the keytab. via 6602ad3 registry: Don't leave dangling transactions via f2f050c s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call via a0eb3dd s3: Move init_lsa_ref_domain_list to lib via 2cd2490 idmap_rfc2307: Fix a crash after connection problem to DC via 043415e s3-libnet: Make sure we do not overwrite precreated SPNs. via 306e7e3 s3-libnet: Add libnet_join_get_machine_spns(). via f42d65e s3-libads: Add function to search for an element in an array. via 5923c9a s3-libads: Add a function to retrieve the SPNs of a computer account. via bff195a s3-libads: Improve service principle guessing. via f93df45 smbd: We now survive smb2.oplock.stream1 via 05417be s3: smbd: streams - Ensure share mode validation ignores internal opens (op_mid == 0). via 7bbf54d nsswitch: Skip groups we were not able to map. via bcc8912 s3: smbd - open logic fix. via ad70de6 s3:smbd:open_file: use a more natural check. via 4b3c8ad s3:smbd: fix a race in open code via 6b1091dc s3: winbindd: Old NT Domain code sets struct winbind_domain-alt_name to be NULL. Ensure this is safe with modern AD-DCs. via 632e0bc s3-winbindd: Use correct realm for trusted domains in idmap child via 5cf0aa0 libcli: Fix a segfault calling smbXcli_req_set_pending() on NULL. via 52b876a media_harmony: Fix a crash bug via 62513b7 docs: mention incompatibility between kernel oplocks and streams_xattr via a93d931 nmbd: Send waiting status to systemd. via beffc40 lib: Add daemon_status() to util library. via 538f62e selftest: Fix selftest where pid is used uninitialized. via 6ccee19 Merge tag 'samba-4.1.12' into v4-1-test via a75c1bc VERSION: Bump version up to 4.1.13... from 6cc1d30 Merge tag 'samba-4.1.11' into v4-1-test http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION |2 +- WHATSNEW.txt | 91 +- docs-xml/manpages/vfs_streams_xattr.8.xml |4 + lib/util/become_daemon.c | 11 ++ lib/util/samba_util.h | 10 ++- lib/util/signal.c |8 +- libcli/smb/smb1cli_echo.c |1 - libcli/smb/smb2cli_query_info.c |2 +- nsswitch/winbind_nss_linux.c |5 + selftest/knownfail|1 - selftest/target/Samba.pm |7 +- source3/{lib/version_test.c = include/lsa.h} | 17 ++-- source3/lib/lsa.c | 67 + source3/lib/pthreadpool/pthreadpool.c |6 +- source3/lib/smbrun.c | 18 ++-- source3/libads/ads_proto.h|8 ++ source3/libads/kerberos_keytab.c | 74 ++- source3/libads/ldap.c | 91 ++ source3/libads/sasl.c | 124 + source3/libnet/libnet_join.c | 59 +++- source3/modules/vfs_media_harmony.c |4 +- source3/nmbd/nmbd.c |3 + source3/nmbd/nmbd_subnetdb.c |7 +- source3/registry/reg_api.c|2 +- source3/rpc_server/lsa/srv_lsa_nt.c | 48 +- source3/rpc_server/samr/srv_samr_chgpasswd.c |9 +- source3/rpc_server/wscript_build |2 +- source3/smbd/open.c | 79 source3/winbindd/idmap_rfc2307.c |1 + source3/winbindd/wb_sids2xids.c | 33 ++- source3/winbindd/winbindd_ads.c | 14 ++- source3/winbindd/winbindd_cm.c|8 +- source3/wscript_build |4 + 33 files changed, 620 insertions(+), 200 deletions(-) copy source3/{lib/version_test.c = include/lsa.h} (74%)
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 6cc1d30 Merge tag 'samba-4.1.11' into v4-1-test via 85c575d WHATSNEW: Add release notes for Samba 4.1.12. via 5475d5e s3: smbd: vfs_dirsort module. via f165bb9 s4-rpc: dnsserver: handle updates of tombstoned dnsNode objects via 98fb614 s4-rpc: dnsserver: Do not search for deleted DNS entries via 132b848 s4:dlz_bind9: let dlz_bind9 use dns_common_lookup() before add/modify via 8de4f48 s4:dlz_bind9: let dlz_bind9 use dns_common_lookup() before removing records via f20179b s4:dlz_bind9: let dlz_bind9 use dns_common_replace() via 5a3b783 s4:dlz_bind9: let dlz_bind9 use dns_common_extract() via 07f72fc s4:dlz_bind9: let dlz_bind9 use dns_common_lookup() for name lookup via 4f7d4fd torture-dns: Add test for dlz_bind9 updates via 0b9c775 torture-dns: Add test for dlz_bind9 zonedumps via 0542349 torture-dns: Add test for dlz_bind9 lookups via f5d39b6 s4:torture:dlz_bind9: fix spnego tests via ce13047 s4:dlz_bind9: do an early talloc_free(el_ctx) in dlz_allnodes() via 889e958 s4:dlz_bind9: avoid some compiler warnings via f23aa6f s4:dns_server: handle tombstones in handle_one_update() via 0329ef4 s4:dns_server: add DNS_TYPE_TOMBSTONE support to dns_common_replace() via 2fbb9b9 s4:dns_server: make sure dns_common_lookup() doesn't return tombstones via 31b5192 s4:dns_server: use .wType = DNS_TYPE_TOMBSTONE instead of ZERO_STRUCT() via ec0df9f s4:dns_server: split out dns_common_replace() via 256349dd s4:dns_server: remove const from dns_replace_records() via f3df058 s4:dns_server: split out dns_common_extract() and dns_common_lookup() via f3e6b38 s4:dns_server: split out a private 'dnsserver_common' library via d3abd55 s4:dns_server: map LDB_ERR_NO_SUCH_OBJECT to WERR_DNS_ERROR_NAME_DOES_NOT_EXIST via e6adf09 s4:dns_server: handle WERR_DNS_ERROR_NAME_DOES_NOT_EXIST in werr_to_dns_err() via eb0e0b1 provision: Correctly provision the SOA record minimum TTL via 748e78e s4-rpc: dnsserver: return DNS_RANK_NS_GLUE recors when explicitly asked for via c371cad s4-rpc: dnsserver: Do not return NS_GLUE records with VIEW_GLUE_DATA filter via 019c587 s4-rpc: dnsserver: Correctly set rank for glue NS records via 5fdc841 s4:setup/dns_update_list: make use of the new substitution variables via d3947ea s4:samba_dnsupdate: provide more substitution variables e.g. IF_RODC via 78cad21 s4:samba_dnsupdate: don't try to be smart when verifying NS records via 0301b53 s4:samba_dnsupdate: cache the already registered records via f8b7027 s4:samba_dnsupdate: fix dnsobj.__str__() via 40bac8e s4:samba_dnsupdate: don't lower case the registered names via a02 python/join: use lowercase for the dnshostname. via 0eaca4c selftest/Samba3: also bind to ipv6 via 2759e97 selftest/Samba4: also bind to ipv6 via b62a179 selftest: export _IPV6 environment variables via 534f6aa libcli/dns: ignore NS entries in dns_hosts_file.c at a higher log level for now via 1ef078e libcli/dns: add support to dns_hosts_file.c via 391b29a s3: winbindd: On new client connect, prune idle or hung connections older than winbind request timeout via fa781e2 s3: winbindd: Add new parameter winbind request timeout set to 60 seconds with man page. via 121cad3 dosmode: fix FSCTL_SET_SPARSE request validation via a5f0ec0 smbd: Properly initialize mangle_hash via 708986f Don't discard result of checking grouptype via 7a58844 docs: Fix typos in smb.conf (inherit acls) via df9396a samba: Retain case sensitivity of cifs client via c556d3e lib: strings: Simplify strcasecmp via 7c54339 s4: tests: Added local.charset test for Bug 10716 - smbd constantly crashes when filename contains non-ascii character via 2765daa lib: strings: Fix the behavior of strncasecmp_m_handle() in the face of bad conversions. via a8cbd5a lib: strings: Fix the behavior of strcasecmp_m_handle() in the face of bad conversions. via 5df60b2 printing: reload printer shares on OpenPrinter via 00a0c2d smbd: split printer reload processing via 44a3d3f server: remove duplicate snum_is_shared_printer() via 728e951 smbd: only reprocess printer_list.tdb if it changed via 5a647c5 printing: return last change time with pcap_cache_loaded() via b8042f8 printing: remove pcap_cache_add() via 62df2fd printing: reload printer_list.tdb from in memory list via 0fae4d3 printing: only reload printer shares on client enum via 83f448d printing: traverse_read the printer list for share updates via b95dbbe s3: smbd : SMB2 - fix SMB2_SEARCH when searching non wildcard
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via fcc634b Merge commit 'origin/v4-1-test^' into v4-1-stable via 80a1dfd VERSION: Disable git snapshots for the 4.1.10 release. via 7253047 WHATSNEW: Add release notes for Samba 4.1.10. via 1a9a02d ldb-samba: fix a memory leak in ldif_canonicalise_objectCategory() via 6526cb7 s3: SMB2 : Fix leak of blocking lock records in the database. via 8fa384d s3: smb2: Simplify logic in reprocess_blocked_smb2_lock(). via ead305e s3: smb2: Remove unused code from remove_pending_lock(). via 4c32263 selftest/knownfail: ignore samba3.smb2.oplock.exclusive5 failures in v4-1-* via f2da72f smbd: Remove 2 indentation levels via f8af687 s3: smbd - Prevent file truncation on an open that fails with share mode violation. via 610320e s4:dsdb/repl_meta_data: make sure objectGUID can't be deleted via b532f24 selftest: teardown the environments also on getting SIGPIPE via d485ebd libwbclient: allow only one initial_blob/challenge_blob in wbcCredentialCache() via 0390735 s3: libwbclient: Don't break out of loop too soon - find all parameters. via 82f4748 s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for now via a29068f dbcheck: Add check and test for various invalid userParameters values via 75eaf99 dsdb: Always store and return the userParameters as a array of LE 16-bit values via 50b6474 dsdb: Set syntax of userParameters to binary string, not unicode string via 30e638f torture4: Make raw.lock.multilock fail after 20 seconds via dfe449a torture4: Adapt comment to code via 7eb800d s4: smbtorture: Add multi-lock test. Regression test for bug #10684. via 2f118b6 s3: smbd: Locking - re-add pending lock records if we fail to acquire a lock (and the lock hasn't timed out). via 01753e8 s3: smbd: Locking - treat lock timeout the same as any other error. via 6484211 s3: smbd: Locking - add and use utility function lock_timed_out(). via 76dd28b s3: smbd: Locking - convert to using utility macro used elsewhere. via b23e9d5 s4:dsdb/extended_dn_in: don't force DSDB_SEARCH_SHOW_RECYCLED via f23869c s4:dsdb/kcc: use SHOW_RECYCLED instead of SHOW_DELETED in when deleting tombstone/deleted objects via 498e7cc s4:dsdb/schema_load: make error message more verbose via 38c5f5b dbcheck: Ensure dbcheck can operate with --attrs set via e4bf67a kerberos: Remove un-used event context argument from smb_krb5_init_context() via c0091d0 dsdb: Specify no event context to smb_krb5_init_context() in dsdb via 4c0595f dsdb: Add DSDB_SEARCH_ONE_ONLY support to dsdb_module_search*() via bdd363a dsdb: Do not permit nested event loops when in a transaction, use a nested event context via 5289cb9 dsdb: Rename private_data to rootdse_private_data in rootdse via f377654 dsdb: Add more tests for DN+String and DN+Binary comparisons via f18a67a selftest: Add tests for dbcheck detection and removal of partial objects via ddfbfd7 dsdb: Make it harder to corrupt the database by requiring DBCHECK or RELAX for final object deletion via 5572384 build: Exclude source4/selftest/provisions/release-4-1-0rc3 from the tarball via f2c728d dbcheck: Directly call dn.get_rdn_{val,name}() for clarity and consistency via 7746ad2 dbchecker: verify and fix broken dn values via 8546c70 dbchecker: make the deleted objects container detection more generic via 1b4a949 dsdb: Do not refresh the schema using the wrong event context via f72899e dsdb: Do not store a struct ldb_dn in struct schema_data via 4730d74 samba-tool dbcheck: handle missing objectClass via 87b40d4 dsdb: Improve missing objectClass handling via 56caec5 dsdb: Improve errors and checks for missing objectClass values via 483d5e3 dsdb: Clarify how the DSDB_REPL_FLAG_PRIORITISE_INCOMING flag works via a2d3f1a dsdb: Do not update notify_uSN until the transaction is genuinely committed to the DB via 519d069 dsdb: Further assert that we always have an objectClass and an rDN via ddf9b85 dsdb: Ensure to sort replPropertyMetaData as UNSIGNED, not SIGNED quantities via 5ce7f30 s4:samdb: respect SEARCH_FLAG_PRESERVEONDELETE via 73e5b13 s4-samldb: Do not allow deletion of objects with RID 1000 via f4f9a65 dsdb: Use dsdb_next_callback() rather than a no-op per-module callback via b5294f2 s4-dsdb: instanceType NC_HEAD is only allowed combined with WRITE for an originating add operation via 48b8d0e s4:dsdb/repl: make use of dcerpc_binding_handle_is_connected() via 0bd326d s3:smb2_read: let smb2_sendfile_send_data() behave like send_file_readX() via a8adafa net/doc: make clear that net vampire is
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via b02db8d VERSION: Disable git snapshots for the 4.1.8 release. via 7413eb3 WHATSNEW: Add release notes for Samba 4.1.8. via 814b88c printing: fix purge of all print jobs via af13e3e s3: smb2: Move from using SBVAL to put NTTIMEs on the wire to put_long_date_timespec. via f3fd95f s3: smb2: Move from using SBVAL to put NTTIMEs on the wire to put_long_date_timespec. via bb0871c bug #10609: CVE-2014-0239 Don't reply to replies via 60dbfbd lib-util: rename memdup to smb_memdup and fix all callers (bug #10556) via 2763d0f ad-dc: use exit_daemon() to communicate status of startup to systemd via 93979e0 winbindd: use exit_daemon() to pass startup status to systemd via 59d9a27 nmbd: use exit_daemon() to report status to systemd via def308a smbd: use exit_daemon() to support reporting to systemd from smbd via 2c61618 add systemd integration via 7982500 pidl/lib/wscript_build: make use of PERL_LIB_INSTALL_DIR via 7a6173d script/autobuild: make use of --with-perl-{arch,lib}-install-dir via a76395b wafsamba: Fail with error message if perl doesn't provide valid dirs. via 992e693 wafsamba: If perl can't provide defaults, define them. via dbe2ef7 FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at end via ab51cd9 FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to zero via 3b7b670 s3: smbd : Fix wildcard unlink to fail if we get an error rather than trying to continue. via d514226 s3: smbd: Remove open_file_fchmod(). via 690aab2 s3: smbd: change file_set_dosmode() to use get_file_handle_for_metadata() instead of open_file_fchmod(). via db4743a s3: smbd : Ensure file_new doesn't call into smbXsrv_open_create() for INTERNAL_OPEN_ONLY. via 90871a5 s3 : smbd : Protect all possible code paths from fsp-op == NULL. via 8f0c74e byteorder: do not assume PowerPC is big-endian via 1d255d2 Fix an empty if statement. via a790773 Minor typo fix in source3/wscript. via 15a2d25 s3: smbd - smb1 - fix read of deleted memory in reply_writeclose(). via 7346e39 idmap_autorid: fix failure in reverse lookup if ID is from domain range index #0 via c573720 dsdb: Do checks for invalid renames in samldb, before repl_meta_data via 423987a build: fix ordering problems with lib-provided and internal RPATHs via cebdd0d s4:torture/netlogon: Test netlogon with additional attrs via b81797c s4:torture/ldap: Add test for netlogon over tcp via 11a9d8c libcli/cldap: Add utility to create netlogon filter via 2e10364 s4:dsdb: Move cldap netlogon functions into samdb/ldb_modules via bb6fda9 s4:cldap_server: Do not handle netlogon ourself anymore via a7a61ec s4:dsdb/rootdse: Support netlogon request via 19a5ac2 s4:dsdb/rootdse: Pass rootdse context to rootdse_add_dynamic via 1e75825 provision: Fix string replacement ordering via 2c82031 s4:cldap_server: Move netlogon parsing into utility function via 161699f s4:torture/cldap: Fix a typo via aa82073 s3-lib/util: fix logic inside set_namearray loops. via 9dbafdc s3-lib/util: fix read across end of namelist string via bb79bdb s3-nmbd: reset debug settings after reading config file (bug #10239) via 675782c VERSION: Bump version number up to 4.1.8... from 9da023a WHATSNEW: Add release notes for Samba 4.1.7. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION|2 +- WHATSNEW.txt | 121 ++- buildtools/wafadmin/Tools/config_c.py | 13 + buildtools/wafadmin/Tools/perl.py | 52 ++- lib/util/become_daemon.c | 37 ++- lib/util/byteorder.h | 10 +- lib/util/samba_util.h | 14 +- lib/util/util.c|2 +- lib/util/wscript_build |2 +- libcli/cldap/cldap.c | 90 +++-- libcli/cldap/cldap.h |2 + packaging/systemd/nmb.service |3 +- packaging/systemd/samba.service|3 +- packaging/systemd/smb.service |3 +- packaging/systemd/winbind.service |3 +- pidl/lib/wscript_build |4 +- python/samba/provision/__init__.py |2 +- python/samba/tests/dns.py | 29 ++ script/autobuild.py|4
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 9da023a WHATSNEW: Add release notes for Samba 4.1.7. via dadd863 s3: messages: Implement cleanup of dead records. via bdd6da6 s3:libsmb: SMBC_getatr() if no method worked, try all methods again on next attempt via 4aa742a client: use cli_qpathinfo3 for allinfo via 0874ff2 s3:libsmb: cli_qpathinfo3 use cli_qpathinfo2 for smb2 via e98e835 client: remove a write only variable via 66115ff s3:libsmb: SMBC_getatr use pathinfo3 for second try via 0bea2d2 s3:libsmb: SMBC_getatr do not let ino undefined on success via d15c014 s3:libsmb: SMBC_getatr try pathinfo2 only once via 976030c s3:libsmb: add function cli_qpathinfo3() via f76511c s3:libsmb: add function cli_qpathinfo_standard() via 1f4b445 s3:libsmb: pass creation or birth time in cli_qpathinfo_basic() via b1c6431 rpcclient: abort shadow-copy set on commit failure via 400e4f0 rpcclient: append a trailing slash to FSRVP request UNCs via c9703c9 s3: smbd: Ensure we always go via getgroups_unix_user() when creating an NT token. via 34fcb4e lsa.idl: define lsa.ForestTrustCollisionInfo and ForestTrustCollisionRecord as public structs via 3687ab1 s3-rpc_server: Fix handling of fragmented rpc requests. via f2592b6 s3:rpc_server: minor refactoring of process_request_pdu() via f3f0f62 pidl-waf: Only install Yapp::Driver if it is not available. via c7a35ab pidl-waf: Check for system perl(Parse::Yapp::Driver). via 7d66a2c pidl-waf: Add a function to check for a system perl module. via fadd326 pidl-waf: Do not glob to install pidl modules. via 3957564 pidl-waf: Install pidl modules to the perl vendorlib directory. via 7876b4b pidl-waf: Remove unused variable pidl_src. via fe7d930 autobuild: Set perl vendorlib direcotry. via b1d86ee buildtools: Add perl vendorlib configure option. via 4ba0f7a buildtools: Rename perl vendorarch configure option. via b53c122 dns: Extend tests for records with another type via 5e62b6e bug #10471: Don't respond with NXDOMAIN to records that exist with another type via 8745204 s3: smbd: Fileserving share access checks. via 032ab0b smbreadline: switch to new-style readline typedef via d60f58d s4:lib/socket: simplify iface_list_wildcard() and its callers via 0644125 s4:lib/socket: use the same logic in iface_list_wildcard() as in smbd via 8d256c8 s3:smbd: s/BUFFER_SIZE/LARGE_WRITEX_BUFFER_SIZE via 3ada2b3 s3:smbd: fix the maxentries calculation depending on the max_send. via f5f5e5b s3:smbd: simplify maxentries calculation in reply_search() via 57f6afc s3:smbd: fix the read numtoread calculation depending on the max_send. via 6deb0f2 s3:smbd: fix the lockread numtoread calculation depending on the max_send. via 434e211 s3:smbd: pass the final numtoread reply_outbuf() for the lockread reply. via 49197c1 s3:smbd: fix lockread numtoread calculation to match reply_outbuf() arguments. via 9404bd6 s3:smbd: take less than SMB_BUFFER_SIZE_MIN ('500') as header overhead in ipc.c via 39af4a7 s3:smbd: reject a MaxBufferSize SMB_BUFFER_SIZE_MIN (500) in a session setup request via 8724f6c s3:smbd: use sconn-smb1.sessions.max_send = SMB_BUFFER_SIZE_MAX via 047f881 s3:smbd: use SMB_BUFFER_SIZE_MIN/MAX to limit lp_max_xmit() via 08aa53b s3:include: let CLI_BUFFER_SIZE be an alias of SMB_BUFFER_SIZE_MAX via ba91a66 libcli/smb: add SMB_BUFFER_SIZE_MIN/MAX defines via 3a36bf7 s3:param: avoid using BUFFER_SIZE to limit the lp_min_receive_file_size() via 2092577 s3:client: only limit the buffer by the given length 'n' via 3528b52 s3:torture: use CLI_BUFFER_SIZE instead of BUFFER_SIZE via 8733ce1 s3:utils/smbfilter: use a local variable for the packet buffer via 3b6d207 s4: smbtorture: Add a proper change_notify going async followed by tdis test. via 4df79f0 s4: smbtorture: Update the torture_smb2_notify_ulogoff test to demonstrate the problem. via 91dea25 s3:smb2_tcon: cancel and wait for pending requests on tdis via e039346 s3:smb2_sesssetup: cancel and wait for pending requests on logoff via 3f4af7f s3:smb2_tcon: split smbd_smb2_tdis into an async *_send/recv pair. via 0ca9ce8 s3:smb2_sesssetup: split smbd_smb2_logoff into an async *_send/recv pair. via ad5d9c3 s3:smb2_lock: return RANGE_NOT_LOCKED instead of CANCELLED for logoff and tdis via 2ded846 s3:smb2_lock: fix whitespaces/tabs in smbd_smb2_lock_cancel() via 1a4e5cf s4:torture/smb2: accept NT_STATUS_RANGE_NOT_LOCKED after smb2_logoff/tdis via a9703c9 s3: lib: Back-port tevent_queue_wait_send/recv - smbd_tevent_queue_wait_send/recv via c77fbd2 tevent: fix
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 48966b6 VERSION: Disable git snapshots for the 4.1.6 release. via 6125d12 WHATSNEW: Add release notes for Samba 4.1.6. via 7ff3ed7 CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing ACL when setting owner or group owner. via 435541a CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340 via 70efaac CVE-2013-4496:samr: Remove ChangePasswordUser via 05ba344 CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case. via f5743f0 CVE-2013-4496:s3-samr: Block attempts to crack passwords via repeated password changes via 0a0f17d VERSION: Bump version number up to 4.1.6... from 144791e VERSION: Disable git snapshots for the 4.1.5 release. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit 48966b660733c9c9726cc3a87fa670b4c8427f5a Author: Karolin Seeger ksee...@samba.org Date: Tue Mar 11 12:42:27 2014 +0100 VERSION: Disable git snapshots for the 4.1.6 release. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 CVE-2013-4496: Enforce password lockout for SAMR password changes. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327 CVE-2013-6442: ensure we don't lose an existing ACL when setting owner or group owner. Signed-off-by: Karolin Seeger ksee...@samba.org commit 6125d12c4f2fc9853c1bba9cb1725cf277856fdb Author: Karolin Seeger ksee...@samba.org Date: Tue Mar 11 12:40:13 2014 +0100 WHATSNEW: Add release notes for Samba 4.1.6. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 CVE-2013-4496: Password lockout not enforced for SAMR password changes. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327 CVE-2013-6442: smbcacls --chown | --chgrp dacl regression Signed-off-by: Karolin Seeger ksee...@samba.org commit 7ff3ed7f03debca689f79abc6edf591b4459822b Author: Jeremy Allison j...@samba.org Date: Wed Dec 18 13:56:18 2013 -0800 CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing ACL when setting owner or group owner. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327 Bug 10327 - CVE-2013-6442: smbcacls --chown | --chgrp dacl regression Signed-off-by: Jeremy Allison j...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 435541a9bc25879ec5cdd987a72a3a278bae2877 Author: Andrew Bartlett abart...@samba.org Date: Thu Nov 28 06:50:01 2013 +1300 CVE-2013-4496:Revert remainder of ce895609b04380bfc41e4f8fddc84bd2f9324340 Part of this was removed when ChangePasswordUser was unimplemented, but remove the remainder of this flawed commit. Fully check the password first, as extract_pw_from_buffer() already does a partial check of the password because it needs a correct old password to correctly decrypt the length. Andrew Bartlett Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Andreas Schneider a...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 70efaacd009f44b9b31403afb3c7c858ecdcaf96 Author: Andrew Bartlett abart...@samba.org Date: Tue Nov 5 16:16:46 2013 +1300 CVE-2013-4496:samr: Remove ChangePasswordUser This old password change mechanism does not provide the plaintext to validate against password complexity, and it is not used by modern clients. The missing features in both implementations (by design) were: - the password complexity checks (no plaintext) - the minimum password length (no plaintext) Additionally, the source3 version did not check: - the minimum password age - pdb_get_pass_can_change() which checks the security descriptor for the 'user cannot change password' setting. - the password history - the output of the 'passwd program' if 'unix passwd sync = yes'. Finally, the mechanism was almost useless, as it was incorrectly only made available to administrative users with permission to reset the password. It is removed here so that it is not mistakenly reinstated in the future. Andrew Bartlett Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Andreas Schneider a...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 05ba34438145e73d301bc814864aadc237528203 Author: Stefan Metzmacher me...@samba.org Date: Tue Nov 5 14:04:20 2013 +0100 CVE-2013-4496:s3:auth: fix memory leak in the ACCOUNT_LOCKED_OUT case. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Signed-off-by: Andrew Bartlett abart...@samba.org
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 144791e VERSION: Disable git snapshots for the 4.1.5 release. via a738491 WHATSNEW: Add release notes for Samba 4.1.5. via 8c2ee1f s3:smb2_notify: fix use after free on long living notify requests via dd83f1d s3: modules: streaminfo: As we have no VFS function SMB_VFS_LLISTXATTR we can't cope with a symlink when lp_posix_pathnames() is true. via 6763283 s3: vfs_dirsort module. via 9cb8ae1 s3: vfs_dirsort module. via 4ce9501 smbd: Fix an ancient oplock bug via b5253bf vfs_btrfs: pass-through copy-chunk(len=0) requests via 1271434 smbd/smb2_ioctl: fail zero length copy chunk requests via 3a3d027 torture: add zero length FSCTL_SRV_COPYCHUNK test via 6265959 kdc: Add belts-and-braces check that we fail if the hdb version changes via 593ce2a Support for Heimdal's unified krb5 and hdb plugin system. via 68dc374 Cope with first element in hdb_method having a different name in different heimdal versions. via 3f09c5c smbd: Fix memory overwrites via dc58296 s3-winbind: Improve performance of wb_fill_pwent_sid2uid_done(). via e31075d Stop use after free via 28ddd77 s3: smbpasswd - fix crashes on invalid input. via 13e65fa s3:dir - We now pass the previously spinning directory tests on ext4. via da502c0 s3:dir - Introduce a 64-bit directory offset - 32 bit wire offset map using memcache. via 3f28508 s3:dir - Add a new memcache type (non-talloc) - SMB1_SEARCH_OFFSET_MAP. via d8bed98 s3:dir - Map wire offsets to native directory cookies. via 45e65e1 s3:dir - Cope with fixed mapping of 'special' values. via 23596ff s3: dir - Introduce 32-bit wire versions of the 'special' values. via d9e8ac1 s3:dir - Introduce a function to map a directory cookie to a 32-bit wire cookie. via 9b6d61c s3:dir - In the old SMB1 search code, rename offset to wire_offset to distinguish between wire and native offsets. via f4c8846 vfs/glusterfs: in case atime is not passed, set it to the current atime via d49d8b6 s3-passdb: Fix string duplication to pointers. via bf88959 wbinfo: Fix a memory leak in wbinfo_ping_dc(). via 07f1312 s3-libads: Fix memory leaks in ads_build_path(). via a498c8a lib: Fix strict-aliasing warning in md5 code. via a91d000 shadow_copy2: add a comment explaining why we don't talloc_zero_array(). via cc773c5 shadow_copy2: revert expensive and unnecessary zero-initialization via e8bc1ac docs: Fix typos in vfs_shadow_copy2.8.xml. via 4fe0bad docs: update the manpage of vfs_shadow_copy2 via 33fb6c1 s3:modules:shadow_copy2: remove redundant documentation comment block via 572ca24 s3:modules:shadow_copy2: improve headline comment via 44db7d8 s3:module:shadow_copy2: add my (C) via db8ea0a shadow_copy2: use stored mount_point instead of recalculating. via 5e9daae shadow_copy2: improve debug in shadow_copy2_convert() in snapdirseverywhere mode via c775897 shadow_copy2: fix shadow_copy2_convert() in the classical case. via 3672c20 shadow_copy2: add some blank lines for visual separation to shadow_copy2_convert() via 9f269c9 shadow_copy2: initialize converted string to null in shadow_copy2_convert() via 285e1e4 shadow_copy2: fix shadow_copy2_strip_snapshot() in the classical case via 790fcac shadow_copy2: add some debug to shadow_copy2_strip_snapshot() via 9607710 shadow_copy2: add comments explaining decisions in shadow_copy2_strip_snapshot() via 9af2451 shadow_copy2: introduce shadow_copy2_snapshot_path() via 042b0aa shadow_copy2: factor shadow_copy2_posix_gmt_string() out of shadow_copy2_insert_string() via 15170c0 shadow_copy2: shadow_copy2_insert_string(): do not prepend a / in absolute mode via b6a6eb5 shadow_copy2: make shadow_copy2_find_snapdir() return const char * via f61106d shadow_copy2: in the classical case, use configured path in shadow_copy2_find_snapdir() via 47a0a04 shadow_copy2: implement disk_free via cfa7632 shadow_copy2: log resulting config at the end of shadow_copy2_connect() via 1b1d020 shadow_copy2: add snapshot_basepath to the config. via fa6b219 shadow_copy2: add rel_connectpath to config. via 9b376b7 shadow_copy2: introduce shadow:mountpoint option via 52c70fb shadow_copy2: re-add the basedir option. via 266a8de shadow_copy2: disable snapdir:crossmountpoints if the snapdir is absolute. via e86972d shadow_copy2: introduce the bool snapdir_absolute in the config. via 5037f83 shadow_copy2: introduce config struct and function shadow_copy2_connect() via 0985cce shadow_copy2: add comment explaining the SMB level GMT format pattern via cd96d92
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via b6d7cae VERSION: Disable git snapshots for the 4.1.4 release. via a6b86bf WHATSNEW: Add release notes for Samba 4.1.4. via c765c2a s3:winbindd fix use of uninitialized variables via 9c78cc3 vfs_glusterfs: Enable per client log file via 5438b48 ldb: bad if test in ldb_comparison_fold() via 80c09fc s3-lib: Fix %G substitution for domain users in smbd via 3d62925 smbtorture: New torture test for bug #9870. via c9b6d8c smbd - allow updates on directory write times on open handles. via e440444 s3-winbindd: Fix DEBUG statement in winbind_msg_offline(). via a15ca71 smbd: Fix a panic when a smb2 brlock times out via c89fb8b selftest: Remove samba3.smb2.lock.*.rw-exclusive from flapping file via 52db703 selftest: Run smb2.lock tests also against AIO share via e9503d4 selftest: Introduce share for testing AIO via 6f46103 s3: Return correct error code from SMB2 AIO read failure via 53bdc43 s3-aio: Use correct locking context for SMB2 via 723d74f s3:smb2_server: avoid calling set_current_user_info() for each request via 2eb171f s3:smb2_server: generate a header blob for the sendfile path via a399931 s3:smb2_server: allocate smbd_smb2_request on talloc_tos() via 79c54dc s3:smb2_server: use tevent_req_notify_callback() in smbd_smb2_request_pending_queue() via 1b3cf43 s3:smb2_server: for performance reasons we use tevent_fd and readv/writev directly via dc55266 s3:smb2_server: fix drain_socket error handling via aa79211 smbd: Always use UCF_PREP_CREATEFILE for filename_convert calls to resolve a path for open. via 564fe6c smbd: change flag name from UCF_CREATING_FILE to UCF_PREP_CREATEFILE via 9859090 smbd: Fix regression for the dropbox case. via 3641751 lib/util: use proper include for struct stat via 180bca8 VERSION: Bump version up to 4.1.4. via ff99526 Merge tag 'samba-4.1.3' into v4-1-test via bfdf098 smbd: Fix bug 10284 via 9d44b17 s3-libnet: Use a const char for realm. via c0eb9ee s3-vfs: Make glfs_set_preopened() static. via 8875b80 s3-vfs: Remove unused variable in vfs_glusterfs. via e0bd27b examples: Fix scanf format in perf_writer_disk. via 8c059c0 s3-libsmb: Fix scanf format in parse_ace(). via 41fc4a4 s3-utils: Fix scanf format in sharesec. via 25ba5fb s3-utils: Fix scanf format in smbacls. via eabee6b testsuit: Fix fprintf format. via e1826b8 s3-libsmb: Use the right macro to set uint16_t attr. via 03f9a7a printing: always store sytem job-ID in queue state via 15cd0e0 spoolss: return the spoolss job ID in notifications via eb9fde4 s3-winbind: Pass the group name to fillup_pw_field(). via 1788e66 s3-lib: Add grpname to talloc_sub_specified(). via e99d701 spoolss: accept XPS_PASS datatype used by Windows 8 via e668a11 docs: remove duplicate used from smb.conf manpage. via a68ab7b docs: remove duplicate line from smb.conf manpage. via e28f390 docs: remove duplicate must from smb.conf manpage. via 576e5af docs: remove duplicate on from smb.conf manpage. via 7d1b124 docs: remove duplicate or from smb.conf manpage. via d17b1c1 docs: remove duplicate not from smb.conf manpage. via 5965734 docs: remove duplicate to from smb.conf manpage. via 75186f4 docs: remove duplicate the from smb.conf manpage. via 8a93864 docs: remove duplicate a from vfs_cacheprime manpage. via 2dbe943 docs: document remaining undocumented options in net manpage. via cfc9d1e docs: add net registry import specific options in net manpage. via c6d953e docs: add net rpc registry check specific options in net manpage. via aaee748 docs: add net groupmap set specific options in net manpage. via 1176b53 docs: add net rpc share migrate specific options in net manpage. via de44156 docs: add net idmap specific options in net manpage. via b14e1bc docs: add net rpc vampire specific options in net manpage. via d24edcd docs: mention more options in net manpage. via 5def0e7 docs: use popt.autohelp entity in samba.8 manpage. via 9358b50 docs: use popt.autohelp entity in smbd manpage. via 943d390 docs: use popt.autohelp entity in winbindd manpage. via 8d7651b docs: use popt.autohelp entity in nmbd manpage. via 4013bbf docs: fix ntlm_auth manpage. via 8e29981 docs: fix smbcontrol manpage. via 0b313d5 docs: use popt.autohelp entity in pdbedit manpage. via 1d10487 docs: fix testparm manpage. via 72ca1f4 docs: use popt.autohelp entity in dbwrap-tools manpage. via dc0cf1b docs: document all long option names in nmblookup manpage. via 6dca50e docs: remove
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 6898c4d VERSION: Disable git snapshots for the 4.1.3 release. via 98833dc WHATSNEW: Add release notes for Samba 4.1.3. via b89e14d CVE-2012-6150: Fail authentication for single group name which cannot be converted to sid via d96f88c CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked. via c406802 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked. via ca5d6f5 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked. via 066c6e3 CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply. via da5dfc7 CVE-2013-4408:s3:ctdb_conn: add some length verification to ctdb_packet_more() via bdb643e CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done() via c4e31ea CVE-2013-4408:s3:util_tsock: add some overflow detection to tstream_read_packet_done() via 0ba0b27 CVE-2013-4408:async_sock: add some overflow detection to read_packet_handler() via f71b390 CVE-2013-4408:s4:dcerpc_sock: check for invalid frag_len within sock_complete_packet() via db102cd CVE-2013-4408:s4:dcerpc_smb2: check for invalid frag_len in send_read_request_continue() via e5954aa CVE-2013-4408:s4:dcerpc_smb: check for invalid frag_len in send_read_request_continue() via 730027c CVE-2013-4408:s4:dcerpc: check for invalid frag_len in ncacn_pull() via f557bfe CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size via 895ce91 CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet() via c4a1b2e CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_next_vector() via 78b4989 CVE-2013-4408:librpc: check for invalid frag_len within dcerpc_read_ncacn_packet_done() via dbe7531 VERSION: Bump version number up to 4.1.3... from e1e735a VERSION: Disable git snapshots for the 4.1.2 release. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit 6898c4dbf993889a804e77dd6cb32e0be50f653f Author: Karolin Seeger ksee...@samba.org Date: Tue Dec 3 12:19:11 2013 +0100 VERSION: Disable git snapshots for the 4.1.3 release. Bug 10185 - CVE-2013-4408: DCERPC frag_len not checked BUG: https://bugzilla.samba.org/show_bug.cgi?id=10185 Bug 10306 - CVE-2012-6150: Fail authentication if user isn't member of *any* require_membership_of specified groups BUG: https://bugzilla.samba.org/show_bug.cgi?id=10306 (BUG: https://bugzilla.samba.org/show_bug.cgi?id=10300) Signed-off-by: Karolin Seeger ksee...@samba.org commit 98833dc13ee71c1b6367c63e06a5b73a4bc457d7 Author: Karolin Seeger ksee...@samba.org Date: Fri Dec 6 19:45:57 2013 +0100 WHATSNEW: Add release notes for Samba 4.1.3. Bug 10185 - CVE-2013-4408: DCERPC frag_len not checked BUG: https://bugzilla.samba.org/show_bug.cgi?id=10185 Bug 10306 - CVE-2012-6150: Fail authentication if user isn't member of *any* require_membership_of specified groups BUG: https://bugzilla.samba.org/show_bug.cgi?id=10306 (BUG: https://bugzilla.samba.org/show_bug.cgi?id=10300) Signed-off-by: Karolin Seeger ksee...@samba.org commit b89e14d3c7a2dc3a47d2ffdc8b3412dde6186f1e Author: Noel Power noel.po...@suse.com Date: Wed Oct 16 16:30:55 2013 +0100 CVE-2012-6150: Fail authentication for single group name which cannot be converted to sid furthermore if more than one name is supplied and no sid is converted then also fail. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10306 Signed-off-by: Noel Power noel.po...@suse.com Reviewed-by: Andreas Schneider a...@samba.org Reviewed-by: David Disseldorp dd...@samba.org [dd...@samba.org: fixed incorrect bugzilla tag I added to master commit] commit d96f88c91586c2aed60c9037eb86ffa6bb8259fb Author: Jeremy Allison j...@samba.org Date: Thu Nov 7 22:41:22 2013 -0800 CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Jeremy Allison j...@samba.org Signed-off-by: Stefan Metzmacher me...@samba.org commit c406802cf767929c7016041da51fb512094a7f30 Author: Jeremy Allison j...@samba.org Date: Thu Nov 7 21:40:55 2013 -0800 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 Signed-off-by: Stefan Metzmacher me...@samba.org Signed-off-by: Jeremy Allison j...@samba.org commit ca5d6f5eed28350a7d0a5179e2d4ca31d0069959 Author: Jeremy Allison j...@samba.org Date: Thu Nov 7 20:38:01 2013 -0800 CVE-2013-4408:s3:Ensure LookupSids
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via e1e735a VERSION: Disable git snapshots for the 4.1.2 release. via cbd6790 WHATSNEW: Add release notes for Samba 4.1.2. via 7c06360 util: Remove 32bit macros breaking strict aliasing. via 5df543b s3-winbindd: Fix #10264, cache_traverse_validate_fn failure for NDR cache entries. via d815b15 Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group. via 4c108d4 Fix bug 10196 - RW Deny for a specific user is not overriding RW Allow for a group. via 2cfa1ef xattr: fix listing EAs on *BSD for non-root users via a52afc3 VERSION: Bump version number up to 4.1.2... via 5e64b07 Merge tag 'samba-4.1.1' into v4-1-test via 6207530 s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled via 5cc42ac vfs: Fix some build warnings in glusterfs. via 289b7fa vfs: Fix building the glusterfs module. via 8db5ecc libcli/smb: fix smb2cli_ioctl*() against Windows 2008. via 67840df nsswitch: Fix short writes in winbind_write_sock via 05c9553 vfs_glusterfs: Fix excessive debug output from vfs_gluster_open(). via 683ac33 vfs_glusterfs: Implement proper mashalling/unmarshalling of ACLs via cfa1739 VFS plugin was sending the actual size of the volume instead of the total number of block units because of which windows was getting the wrong volume capacity. via 0e8f8b7 dfs_server: Use dsdb_search_one to catch 0 results as well as NO_SUCH_OBJECT errors via 0419b68 s4:dsdb/rootdse: report 'dnsHostName' instead of 'dNSHostName' via 2a75290 dsdb/tests/ldap: fix test_ldapServiceName against w2k8r2 via 06c6866 s3-winbind: Send online/offline message of the domain to the parent. via 944c3e5 s3-winbind: Register handlers for domain online/offline messages. via 393f6a8 s3-winbind: Add functions for domain online/offline handling. via 7ea11ba idl: Add a new message for winbind domain states. via 45a1cbb ccan: Fix calling memset with zero length parameter via d932142 Fix bug #10187 - Missing talloc_free can leak stackframe in error path. from 32d78c8 VERSION: Disable git snapshots for the 4.1.1 release. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION |2 +- WHATSNEW.txt | 96 - dfs_server/dfs_server_ad.c | 10 +- lib/ccan/tally/tally.c |2 +- lib/replace/xattr.c |4 + lib/util/byteorder.h | 52 +- libcli/smb/smb2cli_ioctl.c | 33 +- nsswitch/wb_common.c |4 +- python/samba/join.py | 11 ++- python/samba/tests/posixacl.py | 160 source3/librpc/idl/messaging.idl |2 + source3/modules/vfs_glusterfs.c | 175 -- source3/smbd/posix_acls.c| 81 +++--- source3/winbindd/winbindd.c |6 + source3/winbindd/winbindd_cache.c|3 +- source3/winbindd/winbindd_cm.c | 62 +++ source3/winbindd/winbindd_dual.c |5 + source3/winbindd/winbindd_msrpc.c|5 +- source3/winbindd/winbindd_proto.h| 10 ++ source4/dsdb/samdb/ldb_modules/rootdse.c |2 +- source4/dsdb/tests/python/ldap.py| 12 ++- 21 files changed, 521 insertions(+), 216 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index d7f0a02..c10ccb2 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=1 -SAMBA_VERSION_RELEASE=1 +SAMBA_VERSION_RELEASE=2 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4c96f34..5e5cfab 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,96 @@ = + Release Notes for Samba 4.1.2 + November 22, 2013 + = + + +This is is the latest stable release of Samba 4.1. + + +Changes since 4.1.1: + + +o Jeremy Allison j...@samba.org +* BUG 10187: Missing talloc_free can leak stackframe in error path. +* BUG 10196: RW Deny for a specific user is not overriding RW Allow for a + group. + + +o Anand Avati av...@redhat.com +* BUG 10224: vfs_glusterfs: Implement proper mashalling/unmarshalling of + ACLs. + + +o Andrew Bartlett abart...@samba.org +* BUG
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 32d78c8 VERSION: Disable git snapshots for the 4.1.1 release. via 07be799 WHATSNEW: Add release notes for Samba 4.1.1. via e737fc7 CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem) via 2ca3eae CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600 via bc067d0 CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs() via d6988a1 CVE-2013-4476: samba-tool provision: create ${private_dir}/tls with mode 0700 via 7fc2f97 CVE-2013-4476: lib-util: split out file_save_mode() from file_save() via 81e5048 CVE-2013-4476: lib-util: add file_check_permissions() via afe7ffd Add regression test for bug #10229 - No access check verification on stream files. via a2c4c0e Fix bug #10229 - No access check verification on stream files. via ff0cd26 VERSION: Bump version number up to 4.1.1... from a6fb418 VERSION: Bump version number up to 4.1.0... http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit 32d78c867eb259960736121146c7152934f3e6b3 Author: Karolin Seeger ksee...@samba.org Date: Fri Nov 8 11:04:28 2013 +0100 VERSION: Disable git snapshots for the 4.1.1 release. Bug 10234 - CVE-2013-4476: key.pem world readable BUG: https://bugzilla.samba.org/show_bug.cgi?id=10234 Bug 10235 - CVE-2013-4475: No access check verification on stream files (BUG: https://bugzilla.samba.org/show_bug.cgi?id=10229). BUG: https://bugzilla.samba.org/show_bug.cgi?id=10235 Signed-off-by: Karolin Seeger ksee...@samba.org commit 07be7991578578eaeb8eaa8a13588183a5f4b11c Author: Karolin Seeger ksee...@samba.org Date: Fri Nov 8 11:00:06 2013 +0100 WHATSNEW: Add release notes for Samba 4.1.1. Bug 10234 - CVE-2013-4476: key.pem world readable BUG: https://bugzilla.samba.org/show_bug.cgi?id=10234 Bug 10235 - CVE-2013-4475: No access check verification on stream files (bug #10229: https://bugzilla.samba.org/show_bug.cgi?id=10229). BUG: https://bugzilla.samba.org/show_bug.cgi?id=10235 Signed-off-by: Karolin Seeger ksee...@samba.org commit e737fc794ebd614886ea16cb51850bceaf3ef2e0 Author: Björn Baumbach b...@sernet.de Date: Tue Oct 29 17:53:59 2013 +0100 CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem) If the tls key is not owned by root or has not mode 0600 samba will not start up. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Pair-Programmed-With: Stefan Metzmacher me...@samba.org Signed-off-by: Björn Baumbach b...@sernet.de Signed-off-by: Stefan Metzmacher me...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org commit 2ca3eae4c50316a723ca9fcf8ec766d8b40b3908 Author: Björn Baumbach b...@sernet.de Date: Tue Oct 29 17:52:39 2013 +0100 CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org commit bc067d06682b796ab7abf6a05f103e7ebe0a4cef Author: Stefan Metzmacher me...@samba.org Date: Wed Oct 30 14:48:36 2013 +0100 CVE-2013-4476: selftest/Samba4: use umask 0077 within mk_keyblobs() We should generate private keys with 0600. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Pair-Programmed-With: Björn Baumbach b...@sernet.de Signed-off-by: Stefan Metzmacher me...@samba.org Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org commit d6988a14b4f82ff5bd6c48a61f8edd02f7b24aa6 Author: Björn Baumbach b...@sernet.de Date: Tue Oct 29 17:49:55 2013 +0100 CVE-2013-4476: samba-tool provision: create ${private_dir}/tls with mode 0700 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org commit 7fc2f97fb1dcd85aa1cad461fe611f844d7a3c62 Author: Björn Baumbach b...@sernet.de Date: Tue Oct 29 17:48:11 2013 +0100 CVE-2013-4476: lib-util: split out file_save_mode() from file_save() file_save_mode() writes files with specified mode. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org commit 81e50485bb2e623ca06a6dc2996877ccc31120b0 Author: Björn Baumbach b...@sernet.de Date: Tue Oct 29 17:43:17 2013 +0100 CVE-2013-4476: lib-util: add file_check_permissions() Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Signed-off-by: Björn Baumbach b...@sernet.de Reviewed-by: Stefan Metzmacher me...@samba.org commit
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via a6fb418 VERSION: Bump version number up to 4.1.0... via 13b7959 WHATSNEW: Add release notes for Samba 4.1.0. via 82d6a43 doc: Update documentation of pam_winbind krb5 support. via 5a55cb6 s3-winbind: Add support for the kernel krb5 keyring buffer. via 58038f6 s3-winbind: Don't set a default directory for DIR. via 996415f Revert Support UPN_DNS_INFO in the PAC via 76c4a51 Merge tag 'samba-4.1.0rc4' into v4-1-test via 7160446 VERSION: Bump version up to 4.1.0rc5... from fcf3fd6 VERSION: Disable git snapshots for the 4.1.0rc4 release. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - --- Summary of changes: VERSION |2 +- WHATSNEW.txt | 34 +++-- docs-xml/manpages/pam_winbind.conf.5.xml | 26 +++ librpc/idl/krb5pac.idl | 16 ++ source3/winbindd/winbindd_pam.c |4 +- 5 files changed, 49 insertions(+), 33 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 74fa8d6..9576855 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # - 3.0.0rc1 # -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c01cb70..857a7ce 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,10 +1,10 @@ -Release Announcements -= + = + Release Notes for Samba 4.1.0 + October 11, 2013 + = -This is the fourth release candidate of Samba 4.1. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. + +This is is the first stable release of Samba 4.1. Samba 4.1 will be the next version of the Samba suite and includes all the technology found in both the Samba4 series and the stable 3.x @@ -12,12 +12,7 @@ series. The primary additional features over Samba 3.6 are support for the Active Directory logon protocols used by Windows 2000 and above. -If you are upgrading, or looking to develop, test or deploy Samba 4.1 -releases candidates, you should backup all configuration and data. - - -NEW FEATURES - +Major enhancements in Samba 4.1.0 include: Client tools support SMB2/3 === @@ -126,6 +121,10 @@ REMOVED COMPONENTS == The Samba Web Administration Tool (SWAT) has been removed. +Details why SWAT has been removed can be found on the samba-technical mailing +list: + +https://lists.samba.org/archive/samba-technical/2013-February/090572.html ## @@ -166,6 +165,17 @@ o David Disseldorp dd...@samba.org SMB2 FSCTL_SRV_COPYCHUNK request. +CHANGES SINCE 4.1.0rc4 +== + +o Stefan Metzmacher me...@samba.org +* BUG 10178: Fix PAC parsing failure. + + +o Andreas Schneider a...@samba.org +* BUG 10132: pam_winbindd: Support the KEYRING ccache type. + + CHANGES SINCE 4.1.0rc3 == diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index be7f684..725e809 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml @@ -106,16 +106,24 @@ termkrb5_ccache_type = [type]/term listitempara - When pam_winbind is configured to try kerberos authentication by - enabling the parameterkrb5_auth/parameter option, it can - store the retrieved Ticket Granting Ticket (TGT) in a credential - cache. The type of credential cache can be controlled with this - option. The supported values are: parameterFILE/parameter - and parameterDIR/parameter (when the DIR type is supported - by the system's Kerberos library). In case of FILE a credential + When pam_winbind is configured to try kerberos authentication + by enabling the parameterkrb5_auth/parameter option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be + controlled with this option. The supported
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via fcf3fd6 VERSION: Disable git snapshots for the 4.1.0rc4 release. via 0d483e2 VERSION: Disable git snapshots for the 4.1.0rc4 release. via 09c540e WHATSNEW: Update changes since rc3. via 74cac5c dsdb: Convert the full string from UTF16 to UTF8, including embedded NULLs via 2c98a54 dbcheck: Add back the elements that were wrongly removed from CN=Deleted Objects via 2c4f2c5 pydsdb: Raise a more useful exception when dsdb_wellknown_dn fails. via c3e5353 pydsdb: Give KeyError when we fail a schema lookup in python via f0e374f dbcheck: Ensure to always increase the error_count via e7eb397 selftst: add tests based on 4.1.0rc3 to check for zero invocationID in replPropertyMetaData via 2fdacdd selftest: Add release-4-1-0rc3 saved provision via bdab150 selftest: Only run referenceprovision and ldapcmp for the 4.0.0 test via 476e03e selftest: Add script to assist in writing out a tree undump.sh can restore via 3f2907f dbcheck: Look for and fix the all-zero invocationID in replPropertyMetaData via 80c3c30 dsdb: Refuse to replicate an all-zero invocationID GUID in replPropertyMetaData via f5c378e smb.conf: Fill out the ntvfs handler smb.conf page from source4/NEWS via bb4d9a2 Remove NEWS file containing confusing information via ee8a3ed Remove confusing TODO file via 39efc6f dsdb: Use WERR_DS_ATT_NOT_DEF_IN_SCHEMA for failed schema lookups via b5b15ff dsdb-repl_meta_data: Make handling of Deleted Objects DN clearer in delete via 5c63561 dsdb-repl_meta_data: Do not re-delete the Deleted Objects DN during replication via 66f843e dsdb: Refuse to return an all-zero invocationID via 8158673 dsdb-repl_meta_data: Check for a NULL invocationID and do not proceed via 4ef85c7 python/drs: Ensure to pass in the local invocationID during the domain join via b5866b1 WHATSNEW: Add changes since 4.1.0rc3. via fd1583b torture3: Trigger a nasty cleanup bug in smbd via 3a5ae0c smbd: Fix flawed share_mode_stale_pid API via 9cfc001 smbd: Rename parameter i to idx via 252a2bc smbd: Don't store in-memory only flags in locking.tdb via 1706214 smbd: Simplify find_oplock_types via 4182c97 python-samba-tool fsmo: Do not give an error on a successful role transfer via 7f066b2 Fix bug 10162 - POSIX ACL mapping failing when setting DENY ACE's from Windows. via 9343c99 docs: point out side-effects of global valid users setting. via 78240de VERSION: Set version to 4.1.0rc4. via 676b5de libcli: continue to read from the socket even if the size is 0 via a75cbcd s3: libsmb - 10150 - Not all OEM servers support the ALTNAME info level. via c69e7c3 s3: libsmb : Bug 10150 - Not all OEM servers support the ALTNAME info level. via 4e5e7e4 s3: libsmb SMB2 wrapper layer. cli_smb2_get_ea_list_path() failed to close file on exit. via ee469fa libcli/smb: only check the SMB2 session setup signature if required and valid via f851d26 libcli/smb: fix non mendatory signing against some vendor SMB2 servers. via 007ed89 Fix is_legal_name() to not emit character conversion error messages. via 8fd1e54 s3: libsmb : The short name length is only a one byte field. via 9a29d7e libcli/smb: use SMB1 MID=0 for the initial Negprot via 1e969dc s3:smb2_find: Return that timestamps do not exist as directories via ebfa34b docs: Fix typos. via def64cc Raise the level of a debug. via 4674cca WHATSNEW: Start to add changes since 4.1.0rc3. via 69cf874 docs: document acl allow execute always via 434ca3f s3:smbd: ease file server upgrades from 3.6 and earlier with acl allow execute aways via 3f749ac loadparm: add new parameter acl allow execute always via c4166d0 dbwrap_ctdb: Treat empty records as non-existing via 7d791d5 VERSION: Bump version number up to 4.1.0... via dd444e6 VERSION: Disable git snapshots for the 4.1.0rc3 release. via 3beda4c WHATSNEW: Update changes since 4.1.0rc2. from 6a03c81 VERSION: Disable git snapshots for the 4.1.0rc3 release. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable - Log - commit fcf3fd6478090e7bebb65d142edbd097ab260fc4 Merge: 6a03c817b3a0ef278d10893eafd327ee20bdca58 0d483e25ce4aa53ad3968e947f88b175c8addc1b Author: Karolin Seeger ksee...@samba.org Date: Fri Sep 27 12:35:31 2013 +0200 VERSION: Disable git snapshots for the 4.1.0rc4 release. Merge commit 'origin/v4-1-test^' into v4-1-stable --- Summary of changes: VERSION|2 +- WHATSNEW.txt
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 6a03c81 VERSION: Disable git snapshots for the 4.1.0rc3 release. via d9517d5 WHATSNEW: Update changes since 4.1.0rc2. via cfa4e2a Optimization. Don't do the retry logic if sitename_fetch() returned NULL, we already did a NULL query. via 3912eeb9 Move the retry logic when site_name is passed in a NULL or to the wrapper function. via 2d7fe2b Move the manipulation of site_name into the caller function dsgetdcname(). via 0c046a4 Refactor dsgetdcname to be called via a wrapper function. via a616bbc dsgetdcname_cache_fetch() doesn't use the site_name parameter so don't pass it. via 317f960 smbd: Correctly return INFO_LENGTH_MISMATCH for smb1 via 26ac864 smbd: Fix error return for STREAM_INFO via db4e8a7 smbd: Revert a93f9c3 via 0e91fd6 smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo via 9444c6f smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo via b4427b9 smbd: qfsinfo has fixed/variable buffers via 3691f46 smbd: qfilepathinfo has fixed/variable buffers via 6ee8231 smbd: Use #defines in smb2_getinfo_send via a9ef99c s3:smbd: allow info class SMB_QUERY_FS_ATTRIBUTE_INFO to return partial data via 25fbced s3:smbd: allow info class SMB_QUERY_FS_VOLUME_INFO to return partial data via 342afee s3:smbd: allow status code in smbd_do_qfsinfo() to be set by information class handler via 5e75d4b s3:smbd: allow GetInfo responses with STATUS_BUFFER_OVERFLOW to return partial, but valid data via 2b411e6 s3:smbd: return NT_STATUS_INFO_LENGTH_MISMATCH for GetInfo in case output_buffer_length is too small via a654601 torture: Ensure that GSSAPI and SPNEGO packets are accepted by dlz_bind9 via 1e653e4 selftest: Add a basic test of samba_upgradedns via 79b7888 selftest: Start internal DNS server on domain provisioned for BIND9_DLZ via 0d7c1f0 selftest: Test creation of the dns-SERVER account during selftest via e00be93 scripting/samba_upgradedns: Tighten up exception and attribute list handling via fee6fa5 scripting/join.py: Handle creating the dns-NAME account during a DC join via e6cbc39 WHATSNEW: Add paragraph about SMB2/3 support for client tools/library. via cf677c4 WHATSNEW: Add release notes for Samba 4.1.0rc3. via bfd3cc3 python/provision: remove unused linklocal=False argument from interface_ips_v6() via 21708c1 s4:samba_upgradedns: don't pass linklocal=False to interface_ips_v6() via 10c1784 python/pyglue: filter out loopback and linklocal addresses unless all_interfaces is given via ac1a309 client: add missing newlines to error messages for invalid iosize parameter. via 5ba00cf Add documentation for the new internal command timeout to smbclient. via b455784 Add documentation for the new -t timeout parameter in smbclient. via 742c5c6 Fix the documentation of --encrypt to explain SMB3 encryption for smbclient. via 4b3ce19 Fix the documentation of the iosize command to explain the new zero default for smbclient. via bd16454 Fix the documentation for --send-buffersize for the new default value of zero for smbclient. via 11890a5 Expand on the documentation of -m max-protocol for SMB2/3 for smbclient. via cda1b51 Add -e encrypt transport command line option documentation for smbcacls. via ff43be5 Add max protocol command line documentation for smbcacls. via 69058ee Add new timeout command and -t option to smbclient to set the per-operation timeout. via c0aed70 As SMB3 has transport level encryption, allow smbclient -e to force encryted SMB3 transport. via 449503d Remove restrictions on setting iosize inside smbclient for SMB2 connections. via 947cd1d libsmb: Fix a bunch of Coverity IDs via 2fb817c s3:libsmb: call smb2cli_logoff() from cli_ulogoff() via 159b051 s3:libsmb: make cli_ulogoff_send/recv static via 409ab74 s3:libsmb: call smb2cli_tdis() from cli_tdis() via 9d2ecfe s3:libsmb: only set tcon to invalid in smb2cli_tdis* via c935ba3 s3:libsmb: make cli_tdis_send/recv static via 26a1fd3 s3:libsmb: add support for SMB2 in cli_writeall() via 1d0a87e s3:libsmb: add SMB2 support to cli_pull* via e9d7054 s3:libsmb: add SMB2 support to cli_push* via bd104ef s3:libsmb: Plumb cli_smb2_set_security_descriptor() inside cli_set_security_descriptor(). via c774061 s3:libsmb: Plumb cli_smb2_query_security_descriptor() inside cli_query_security_descriptor(). via 5ef4556 s3:libsmb: Plumb cli_smb2_qpathinfo_alt_name() inside cli_qpathinfo_alt_name(). via 919cb48 s3:libsmb: Plumb cli_smb2_qpathinfo_basic() inside cli_qpathinfo_basic(). via e7ff8b9 s3:libsmb: Plumb cli_smb2_qfileinfo_basic() inside
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via 589cb52 VERSION: Disable git snapshots for the 4.1.0rc2 release. via 8b468af WHATSNEW: Add release notes for Samba 4.1.0rc2. via 099fd4c Ensure gpfs kernel leases are wrapped in a become_root()/unbecome_root() pair. via 224ea46 Wrap setting leases in become_root()/unbecome_root() to ensure correct delivery of signals. via cd0f88d Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list. via 7f52ae9 Reply with correct trans2 message on a setpathinfo with a bad EA name. via e413edd Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE. via 12d06fb Ensure we can't create a file using NTTRANS with an invalid EA list. via b22b1bc Ensure we can't create a file using TRANS2_OPEN with an invalid EA list. via 2b165a1 Add error map of STATUS_INVALID_EA_NAME - ERRDOS, ERRbadfile via 65d4a4c Add the ability to send an NTSTATUS result back with a trans2 reply so we can return a parameter block with an error code. via d3b9f6c Ensure we can't create a file using SMB2_CREATE with an invalid EA list. via dc2320a Ensure we never return an EA name to a Windows client it can't handle. via 36bca02 Ensure set_ea cannot set invalid Windows EA names. via a6df18d Add ea_list_has_invalid_name() function. via 4bf25ec nsswitch: Add OPT_KRB5CCNAME to avoid an error message. via 597846c s3: Remove old mode special substitution. via 1ed811b s4:server: avoid calling into nss_winbind from within 'samba' via 8925c93 s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820) via 3f86c28 s4-winbindd: Do not terminate a connection that is still pending (bug #9820) via 8e4d407 service_stream: Log if the connection termination is deferred or not (bug #9820) via 30b8af7 Fix bug 9678 - Windows 8 Roaming profiles fail via 2b6a6fd security.idl: add new security_secinfo bits via 34e6d50 samba-tool dbcheck: Correctly remove deleted DNs in dbcheck via d0e3791 dsdb: Include MS-ADTS doc references on deleted object contstraints via 0a2a985 dsdb tests: Add member/memberOf checking to delete_objects testing via 7004a3d dsdb: Improve DRS deleted link source/target handing in repl_meta_data via d6e1e12 dsdb: Ensure we always force deleted objects back under the deleted objects DN via 042b3e5 dsdb/repl_meta_data: split out replmd_deletion_state() via 20d8a33 dsdb: Prune deleted objects of links and extra attributes of replicated deletes via a0a3b58 torture/drs: Expand an error message to aid debugging via 071b36b dsdb/samdb: use RECYCLED it implies DELETED... via 55f0779 selftest: ensure samba4.rpc.samr.large-dc.two.samr.many is always tested via 8cbc577 rpc_server-drsuapi: Improve comments and DEBUG lines via 5acbbd7 dsdb: Add assert in drepl_take_FSMO_role via 498c92d selftest: Ensure the DC has started and and got a RID set before we proceed via 6287ac3 dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails via e97dfe2 dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches via 75ef73f dsdb-descriptor: Do not do a subtree search unless we have child entries via c4c3d7f Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS. via 2036f25 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS. via 216b3f4 s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr() via 580b51c s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr() via 4bbb4c8 docs-xml: Remove obsolete swat manpage and references. via f65b92c pam_winbind: update documentation for DIR krb5ccname pragma. via 2978a06 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication. via 60be5a7 wbinfo: allow to define a custom krb5ccname for kerberized pam auth. via eb3b931 s3-waf: Rename regedit to samba-regedit. via 2e6fdd7 lib/param: sync debug related options with source3/param via 348cb51 lib/ldb-samba: only debug LDB_DEBUG_TRACE at level 10 via e92be34 lib/ldb-samba: make use of DBGC_LDB via 65fadd4 lib/util: add 'ldb' debug class via 2c8bd5b s3-winbind: Do not delete an existing valid credential cache. via 4e74c61 smbd: Fix a 100% loop at shutdown time via 54ee31e s3-smbstatus: display [u|g]id of -1 as -1 in connection list via d07b694 s3-lib: hide incomplete smbXsrv_tcon_global records via 38841bb s3-lib: fix segf while reading
[SCM] Samba Shared Repository - branch v4-1-stable updated
The branch, v4-1-stable has been updated via ae2e0a6 VERSION: Disable git snapshots for the 4.1.0rc1 release. via 55b3970 WHATSNEW: Some updates. via fd036b8 WHATSNEW: Start release notes for Samba 4.1.0rc1. via e5465d7 VERSION: Set version to 4.1.0rc1-GITSNAPSHOT. via a0130c6 Merge remote-tracking branch 'origin/v4-1-test' into master via e56343f VERSION: Set version to 4.1.0rc1-GITSNAPSHOT. via af6d9ce tevent: Fix a typo via 0025e97 WHATSNEW: Start release notes for Samba 4.1.0rc1. via a68cea6 docs: Fix typos in use ntdb section. via 2763cad dsdb-ridalloc: Fix RID pools - RID numbers increase too quickly via d641469 Make the output of the crackname script more readable via 47bd903 s3-winbind: Allow sec_initial_uid() to store creds. via c153e6c selftest: Use higher ip numbers. via bb122b0 selftest: Add a newline to root entries in the nss files. via 6a0cb7d selftest: Fix domain name of plugindc. via 99c800b torture: Don't segfault in smb2.session on error. via 096ff2e torture: Don't segfault in raw.session on error. via 67c8f87 torture: Fix comparsion of uninitalized bytes. via 2536ee8 Make the output of the crackname script more readable via caf3af3 s3-winbind: Allow sec_initial_uid() to store creds. via a4af4fa selftest: Use higher ip numbers. via d5511b1 selftest: Add a newline to root entries in the nss files. via 7392985 selftest: Fix domain name of plugindc. via bf5bc72 torture: Don't segfault in smb2.session on error. via d295e18 torture: Don't segfault in raw.session on error. via 474eee0 torture: Fix comparsion of uninitalized bytes. via bef3fc8 tsocket: Pass the full port number to getaddrinfo(). via 0b58eed tsocket: Pass the full port number to getaddrinfo(). via 3d20d20 smbtorture: Make cracksname easier to debug by outputing the offered format via 74dd365 Fix a missing parenthesis in the LDAP search request via af41eb6 docs-xml/manpages/smbclient.1.xml: fix case of -T flag in example. via 59462f2 winbindd and nmbd don't set their umask to zero on startup like smbd does. via 011dc52 sharesec: Document --view-all via 4da8984 sharesec: Document -v/--view via 780e2b0 sharesec: Implement --view-all via 4ee73fd s3:smbd/close remove filesystem lock before removing sharemode via 935992f s3:smbd/close use common exit path via 245b5ff s3:lib add mapping for ETXTBSY via 526f0df s3-ctdb: Fix auto-enabling of CTDB readonly support via c9924eb s3:smbd/aio mark file as modified in the SMB2 case via e65c532 nsswitch: fix a comment via 48ae86f heimdal_build: Add missing dep on samba4kgetcred via 7bf8fc7 torture: Add tests for LDAP substring search with no strings provided via 70cb7fd libcli/ldap: Cope with substring match with no chunks in ldap_push_filter via 4ca9639 ldb: bump version to allow a depencency on the substring crash fix via 1a279f7 ldb: Cope with substring match with no chunks in ldb_filter_from_tree via 32d0b75 Note how vfs_gpfs uses the acl map full control parameter. via 056e636 Add missing documentation for vfs_zfsacl. via b00d9d2 Use existing acl map full control parameter to control the adding of the DELETE_CHILD parameter on NFSv4/ZFS/GPFS file ACE's. via 398ee49 s3/smbclient: fix incorrect command tab completions via d544d17 build: Remove the struct MD5Context conf file check. via 9b88166 lsa4: Fix a set but unused variable warning via 0ee8650 ldb: Ensure not to segfault on a filter such as (mail=) via bbe09b3 Add missing SMB2/SMB3 share capability flag define via 06e5401 lsa4: Fix a set but unused variable warning via 7d5daaa lsa4: Remove an unused variable via 2448fe3 lsa4: Remove an unused variable via 720b4d3 lsa4: Remove an unused variable via 6c49f90 Fix glusterfs backend crash found at the Microsoft interop event. via b96cea4 Fix some blank line endings via d2642cb dns: Fix CID 1034969 Uninitialized scalar variable via ad86e2a s3:passdb/pdb_util make pdb_create_builtin consider whether backend deals with BUILTIN via 2d2d13e s3:passdb add a gid argument to pdb_create_builtin_alias via 212baed s3:utils/net_sam make use of pdb_create_builtin helper function via df41835 s3:passdb expose pdb_create_builtin function via 6a048b4 s3:passdb/pdb_tdb add parameter to control handling of BUILTIN via 324b3cc s3:passdb/pdb_ldap remove an unnecessary check via 01e094b s3:passdb/pdb_ldap make the module handle well-known via 987de8a s3:passdb make pdb_sid_to_id honor backend responsibilities via 55dd9e6 s3:passdb/pdb_samba_dsdb make