[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via 861b4f9fde0 VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
   via 00479fb662f WHATSNEW: Add release notes for Samba 4.15.13.
   via 2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
   via ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
   via fd3cdcc1800 tests/krb5: Add test requesting a service ticket expiring post-2038
   via d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
   via 48d6042dddf CVE-2022-37966 samba-tool: add 'domain trust modify' command
   via 89b1c78b520 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
   via 18996e99712 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
   via 34fc0da7869 CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
   via 693a247d3b2 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
   via ee9ffe50e99 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
   via 1815d339417 CVE-2022-37966 python:tests/krb5: test much more etype combinations
   via d6b9e8b3397 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
   via 25d88118903 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
   via c768a27bc13 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
   via 9049c5442aa CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
   via a1e91681158 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
   via 1db952fab82 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
   via 91a030cbf58 CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
   via eed3d6a3962 CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
   via 0d7dc04404d CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
   via 527a164b410 CVE-2022-37966 s4:kdc: use the strongest possible keys
   via 8b8835b09fa CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
   via f644fc69971 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
   via 716149ed2bc CVE-2022-37966 s3:net_ads: no longer reference des encryption types
   via 5f9e13ce20a CVE-2022-37966 s3:libnet: no longer reference des encryption types
   via 153e4a39142 CVE-2022-37966 s3:libads: no longer reference des encryption types
   via ac6563e70ad CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
   via ece27efe594 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
   via c23c17a8d75 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
   via 6db1a9a9648 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
   via c0a367ad02a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
   via 5127bcfded4 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
   via a4deabde39e CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
   via a7e2f5d32e5 CVE-2022-37966 kdc: Assume trust objects support AES by default
   via 1e32bfc0fdd CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via 701b2650d1b CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
   via 590228fd72f CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
   via eefa5532055 CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
   via 33e5f0b4a44 CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
   via cc6196fa005 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
   via c273cb75625 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
   via 84c28b05a0a CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
   via 0ad59767324 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
   via 1c06e8b08ca CVE-2022-37966 third_party/heimdal: Fix error message typo
   via 36d5770585a CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
   via 1daea832104 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
   via d775f1ed43a CVE-2022-37967 Add new PAC checksum
   via 4650ce1fa5c CVE-2022-37966 HEIMDAL: Look
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via b86b889c522 VERSION: Disable GIT_SNAPSHOT for the 4.15.12 release.
   via e5b3def0534 WHATSNEW: Add release notes for Samba 4.15.12.
   via a3816433ae9 CVE-2022-42898 source4/heimdal: PAC parse integer overflows
   via 9c909c57ce7 CVE-2022-42898 source4/heimdal: Round #2 of scan-build warnings cleanup
   via f792d3e3906 CVE-2022-42898 source4/heimdal: Add krb5_ret/store_[u]int64()
   via 8369aee33a0 CVE-2022-42898 source4/heimdal: Add bswap64()
   via 1e557547523 VERSION: Bump version up to Samba 4.15.12...
  from 37595203ef3 VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable

- Log -
commit b86b889c5222374b918078840a362125ab32ed62
Author: Jule Anger
Date:   Sun Nov 13 18:35:07 2022 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.15.12 release.

    Signed-off-by: Jule Anger

commit e5b3def053434f3a67b66dd397cacec00c00d3ff
Author: Jule Anger
Date:   Sun Nov 13 18:34:03 2022 +0100

    WHATSNEW: Add release notes for Samba 4.15.12.

    Signed-off-by: Jule Anger

commit a3816433ae971830c2b16b366b10283aeb5a87b5
Author: Joseph Sutton
Date:   Fri Oct 14 16:45:37 2022 +1300

    CVE-2022-42898 source4/heimdal: PAC parse integer overflows

    Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

    Heavily edited by committer Nico Williams, original by Joseph Sutton.

    Signed-off-by: Nico Williams

    [jsut...@samba.org Zero-initialised header_size in krb5_pac_parse() to avoid a maybe-uninitialized error; added a missing check for ret == 0]

    [jsut...@samba.org Backported to our older version of Heimdal; removed lib/krb5/test_pac.c which we don't have]

commit 9c909c57ce7abacd96ba18173a9dc4ba9a7c0230
Author: Nicolas Williams
Date:   Wed Nov 16 11:39:27 2016 -0600

    CVE-2022-42898 source4/heimdal: Round #2 of scan-build warnings cleanup

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

    [jsut...@samba.org Kept only the modification to lib/krb5/store.c to avoid a build error]

commit f792d3e3906414d836d186ec279586c13a83ba8d
Author: Nicolas Williams
Date:   Thu May 21 14:24:38 2015 -0500

    CVE-2022-42898 source4/heimdal: Add krb5_ret/store_[u]int64()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

    [jsut...@samba.org backported from Heimdal commit 996d4c5db3c8aee10b7496591db13f52a575cef5; removed changes to lib/krb5/libkrb5-exports.def.in which we don't have]

commit 8369aee33a0b3de10485dc72223f4653585e3a79
Author: Nicolas Williams
Date:   Thu May 21 14:05:31 2015 -0500

    CVE-2022-42898 source4/heimdal: Add bswap64()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203

    [jsut...@samba.org backported from Heimdal commit 0271b171e5331f0f562319b887f5f0b058ecc9b4; removed changes to cf/roken-frag.m4 that we don't have]

---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 49 ++-
 source4/heimdal/lib/krb5/pac.c | 583 ++-
 source4/heimdal/lib/krb5/store-int.c | 13 +-
 source4/heimdal/lib/krb5/store.c | 133 +-
 source4/heimdal/lib/krb5/version-script.map | 4 +
 source4/heimdal/lib/roken/bswap.c | 17 +
 source4/heimdal/lib/roken/roken.h.in | 5 +
 source4/heimdal/lib/roken/version-script.map | 1 +
 9 files changed, 589 insertions(+), 218 deletions(-)

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index 342a497a486..db3716dfa51 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=15 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b62e20cbc53..4c2a4bd596f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,49 @@ + === + Release Notes for Samba 4.15.12 + November 15, 2022 + === + + +This is a security release in order to address the following defects: + +o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against + integer overflows when parsing a PAC on a 32-bit system, which + allowed an attacker with a forged PAC to corrupt the heap. + https://www.samba.org/samba/security/CVE-2022-42898.html + +Changes since 4.15.11 +- +o Joseph
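Review bot: In the WHATSNEW.txt hunk, the CVE-2022-42898 entry scopes the overflow to "a 32-bit system" but does not say whether administrators of other builds still need this update; one added line stating which builds are affected would make triage easier. The intro also reads "the following defects" while a single CVE is listed. Separately, the summary of changes shows the fix in source4/heimdal/lib/krb5/pac.c with no test file in the list, and the a3816433ae9 message notes that lib/krb5/test_pac.c was dropped in the backport, so a regression test for the new overflow checks is worth a follow-up.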
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via 37595203ef3 VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
   via c074cc854b9 WHATSNEW: Add release notes for Samba 4.15.11.
   via e9db0373600 CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
   via 77e0f2febaa CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
   via 1aca3451551 CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
   via ebac8bf0478 CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
   via 5a62eb5734d CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
   via 9f6f1e01aca CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
   via 5f6dbf2ab29 CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
   via c22914f845b CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
   via 310bffc0855 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
   via a49a3ac8e08 CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
   via fe1204d9da2 CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
   via 9f658aa5fe2 .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
   via 52ed3d07fd5 bootstrap: Migrate to CentOS8 Stream
   via ae64b3bfc18 bootstrap: chown the whole cloned repo, not just the subfolders
   via 6881b17bf27 bootstrap: Fix CentOS8 runner
   via 1ad45400995 VERSION: Bump version up to Samba 4.15.11...
  from c3bff29ce35 VERSION: Disable GIT_SNAPSHOT for the 4.15.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable

- Log -
commit 37595203ef30b1a631b94075328f8d0d604e6e71
Author: Jule Anger
Date:   Mon Oct 24 12:35:24 2022 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.

    Signed-off-by: Jule Anger

commit c074cc854b9ae6e85f0e667523778b655c49da16
Author: Jule Anger
Date:   Mon Oct 24 12:19:04 2022 +0200

    WHATSNEW: Add release notes for Samba 4.15.11.

    Signed-off-by: Jule Anger

commit e9db03736007721e37c4fba847ce4aa0c4520924
Author: Joseph Sutton
Date:   Wed Oct 12 13:57:33 2022 +1300

    CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()

    We later subtract 8 when calculating the length of the output message buffer. If padlength is excessively high, this calculation can underflow and result in a very large positive value.

    Now we properly constrain the value of padlength so underflow shouldn't be possible.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985
Author: Joseph Sutton
Date:   Mon Oct 10 20:33:09 2022 +1300

    CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()

    If len_len is equal to total_len - 1 (i.e. the input consists only of a 0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', used as the 'len' parameter to der_get_length(), will overflow to SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, whatever data follows in memory. Add a check to ensure that doesn't happen.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1aca34515515f2cb00fbf5ad8b9212b319f01836
Author: Joseph Sutton
Date:   Mon Aug 15 16:54:23 2022 +1200

    CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit ebac8bf0478e19849f83af6d44b73d7ab3afd25b
Author: Joseph Sutton
Date:   Mon Aug 15 16:53:55 2022 +1200

    CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()

    We should make sure that the result of 'total_len - mech_len' won't overflow, and that we don't memcmp() past the end of the buffer.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 5a62eb5734d50fe556934aefa3bac5698372f00e
Author: Joseph Sutton
Date:   Mon Aug 15 16:53:45 2022 +1200

    CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()

    By decrementing 'pad' only when we know it's safe, we ensure we can't stray backwards past the start of a buffer, which would be undefined behaviour.

    In the previous version of the loop, 'i' is the number of bytes left to check, and 'pad' is the current byte we're checking. 'pad' was decremented at the end of each loop iteration. If 'i' was 1
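
The header arithmetic described in the 77e0f2febaa commit message above, as an added C example (not Heimdal's or Samba's code): it shows the unguarded subtraction wrapping to SIZE_MAX next to a parse that checks each length before subtracting. `read_der_length()`, `unchecked_remaining()`, `mech_oid_length()` and the sample tokens are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not captured traffic). */
/* Only the 0x60 tag and a one-byte length: the case in the commit message. */
static const uint8_t TOKEN_HEADER_ONLY[] = { 0x60, 0x00 };
/* 0x60, length 11, OID tag 0x06, length 9, then nine OID bytes. */
static const uint8_t TOKEN_KRB5[] = {
    0x60, 0x0b, 0x06, 0x09,
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};
/* The OID length byte claims 64 bytes but only 2 follow. */
static const uint8_t TOKEN_OID_TOO_LONG[] = { 0x60, 0x04, 0x06, 0x40, 0x2a, 0x86 };

/* Hypothetical DER length reader standing in for der_get_length().
 * Reads from at most `avail` bytes, so *used <= avail on success.
 * Returns 0 on success, -1 on malformed or truncated input. */
static int read_der_length(const uint8_t *p, size_t avail,
                           size_t *value, size_t *used)
{
    size_t n, i, v = 0;

    if (avail == 0)
        return -1;
    if (p[0] < 0x80) {                 /* short form: the byte is the length */
        *value = p[0];
        *used = 1;
        return 0;
    }
    n = p[0] & 0x7f;                   /* long form: n length bytes follow */
    if (n == 0 || n > sizeof(size_t) || n > avail - 1)
        return -1;
    for (i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *value = v;
    *used = 1 + n;
    return 0;
}

/* The expression quoted in the commit message, with no guard.
 * size_t is unsigned, so a negative result wraps instead of failing. */
size_t unchecked_remaining(size_t total_len, size_t len_len)
{
    return total_len - 1 - len_len - 1;
}

/* Guarded parse of the token header. Every subtraction is preceded by a
 * check that the left side is large enough.
 * Returns the mechanism OID length, or -1 if the header is malformed. */
long mech_oid_length(const uint8_t *tok, size_t total_len)
{
    size_t body_len, len_len, oid_len, oid_len_len, after_len, remaining;

    if (total_len < 1 || tok[0] != 0x60)
        return -1;
    if (read_der_length(tok + 1, total_len - 1, &body_len, &len_len) != 0)
        return -1;
    after_len = total_len - 1 - len_len;   /* safe: len_len <= total_len - 1 */
    if (body_len > after_len)
        return -1;
    if (after_len < 1)                     /* no byte left for the 0x06 tag */
        return -1;
    if (tok[1 + len_len] != 0x06)
        return -1;
    remaining = after_len - 1;             /* safe: after_len >= 1 */
    if (read_der_length(tok + 1 + len_len + 1, remaining,
                        &oid_len, &oid_len_len) != 0)
        return -1;
    if (oid_len > remaining - oid_len_len) /* safe: oid_len_len <= remaining */
        return -1;
    return (long)oid_len;
}

int main(void)
{
    printf("unchecked, header only: %zu\n",
           unchecked_remaining(sizeof(TOKEN_HEADER_ONLY), 1));
    printf("checked, header only:   %ld\n",
           mech_oid_length(TOKEN_HEADER_ONLY, sizeof(TOKEN_HEADER_ONLY)));
    printf("checked, krb5 OID:      %ld\n",
           mech_oid_length(TOKEN_KRB5, sizeof(TOKEN_KRB5)));
    printf("checked, OID too long:  %ld\n",
           mech_oid_length(TOKEN_OID_TOO_LONG, sizeof(TOKEN_OID_TOO_LONG)));
    return 0;
}
```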
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via c3bff29ce35 VERSION: Disable GIT_SNAPSHOT for the 4.15.10 release.
   via e87c9ae8178 WHATSNEW: Add release notes for Samba 4.15.10.
   via d4e11e82ecd s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
   via 6b5792b0a2c smbd: check for streams support in unix_convert()
   via fa6012b63ab smbd: return NT_STATUS_OBJECT_NAME_INVALID if a share doesn't support streams
   via c5796b0c7a3 smbtorture: add a test trying to create a stream on share without streams support
   via 77d1d989d1c smbd: implement access checks for SMB2-GETINFO as per MS-SMB2 3.3.5.20.1
   via 3e4d6d27213 smbtorture: check required access for SMB2-GETINFO
   via 41131daece9 s4/libcli/smb2: avoid using smb2_composite_setpathinfo() in smb2_util_setatr()
   via ab0f75acbbc smbd: directly pass fsp to SMB_VFS_FGETXATTR() in fget_ea_dos_attribute()
   via 135b59d00a7 smbd: add and use vfs_fget_dos_attributes()
   via 1115b311c37 smbtorture: add test smb2.stream.attributes2
   via 6369f59f38a smbtorture: rename smb2.streams.attributes to smb2.streams.attributes1
   via 1c5a02bfb41 vfs_default: assert all passed in fsp's and names are non-stream type
   via 82342c74390 vfs_streams_xattr: restrict which fcntl's are allowed on streams
   via a3f3f26a6bf smbd: skip access checks for stat-opens on streams in open_file()
   via 0fb876b34b2 smbd: use metadata_fsp() in get_acl_group_bits()
   via b1ebf29f202 smbd: ignore request to set the SPARSE attribute on streams
   via 95e658ad866 smbd: use metadata_fsp() with SMB_VFS_FSET_DOS_ATTRIBUTES()
   via ff3798ae0ff smbd: use metadata_fsp() with SMB_VFS_FGET_DOS_ATTRIBUTES()
   via f0a52d43373 smbd: use metadata_fsp() with SMB_VFS_FSET_NT_ACL()
   via fc6121cade5 smbd: use metadata_fsp() with SMB_VFS_FGET_NT_ACL()
   via 2412d67678b CI: add a test trying to delete a stream on a pathref ("stat open") handle
   via 216000dbe6d vfs_xattr_tdb: add "xattr_tdb:ignore_user_xattr" option
   via a3795100e42 vfs_xattr_tdb: add a module config
   via 6d8a013942e vfs_xattr_tdb: move close_xattr_db()
   via d6c0c4e1c55 smdb: use fsp_is_alternate_stream() in open_file()
   via 8391f3dce37 smbd: Introduce metadata_fsp()
   via 0acf72bf2f3 smbd: Introduce fsp_is_alternate_stream()
   via f6bb11dbaac lib:replace: Only include on non-Linux systems
   via 907e4ce03ab s3: smbd: Plumb close_type parameter through close_file_in_loop(), file_close_conn()
   via 4c436dfe8cc s3: smbd: Add "enum file_close_type close_type" parameter to file_close_conn().
   via 6cd04ec396c s3: smbd: Add "enum file_close_type close_type" parameter to close_cnum().
   via 659dfb93c2a s3/smbd: Use after free when iterating smbd_server_connection->connections
   via 6b54bb8abea s3/smbd: Use after free when iterating smbd_server_connection->connections
   via 89110595b44 s3:smbd: only clear LEASE_READ if there's no read lease is left
   via ec1ad34f288 s4:torture/smb2: add smb2.lease.v[1,2]_bug_15148
   via 93febc222bf s3:smbd: share_mode_flags_set() takes SMB2_LEASE_* values
   via bb66bbfa4e7 libcli/smb: Set error status if 'iov' pointer is NULL
   via 6b711620fe4 libcli/smb: Ensure we call tevent_req_nterror() on failure
   via 94bdda617e0 s3/util/py_net.c: fix samba-tool domain join segfault
   via f9815fddb5e s3:rpcclient: Goto done in cmd_samr_setuserinfo_int()
   via 31617c2e6d7 mdssvc: return all-zero policy handle if spotlight is disabled
   via 0553d07c8d3 CI: fix check for correct mdsvc resonse when connecting to a share with Spotlight disabled
   via 2df19cddd55 mdssvc: convert mds_init_ctx() to return NTSTATUS
   via c38d9d6fe9b VERSION: Bump version up to Samba 4.15.10...
   via fca89646410 Merge tag 'samba-4.15.9' into v4-15-test
   via ca5abc39c1d s3:winbind: Use the canonical realm name to renew the credentials
   via e7ae7cba136 s3:winbind: Create service principal inside add_ccache_to_list()
   via 206c4f0094e nfs4_acls: Correctly skip chown when gid did not change
   via fce5a61033a s3:libads: Check if we have a valid sockaddr
   via ae5d715bd2c s4:libads: Fix trailing whitespaces in ldap.c
   via b70ea7082d6 smbd: Make non_widelink_open() robust for non-cwd dirfsp
  from c8fc01ca364 VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable

- Log -
---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 68 +-
 lib/replace/system/filesys.h | 4 +-
 lib/replace/wscript | 3 +
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via c8fc01ca364 VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release.
   via ed0c58449ec WHATSNEW: Add release notes for Samba 4.15.9.
   via a4707e4a955 CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
   via d6aef6838a6 CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
   via 185a6d12935 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
   via 63d353e7b5e CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
   via b7e3cb83005 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
   via be9945a4d8e CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
   via 22bd1bc2d73 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
   via b64e1b4a510 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
   via e21efbabccb CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
   via faa0a83813d s4:kdc: Remove kadmin mode from HDB plugin
   via 4b0304ab670 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
   via 959ed604ee1 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
   via 389a5523485 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
   via c7408dd944e CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
   via a46d0ac59f0 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
   via 04e452890ad CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
   via 8b9fe095b91 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
   via 5e7d75d8754 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
   via 3fd067c7d63 CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
   via 5dd0ef19919 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
   via 981948677c8 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
   via a1df5b86e96 s4:kpasswd: Restructure code for clarity
   via 298884abb35 CVE-2022-2031 s4:kpasswd: Require an initial ticket
   via 9da789c73dd CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
   via 481a70c3746 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
   via 38c83abffd3 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
   via b1003099c20 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
   via 2ee46c16d2a CVE-2022-2031 s4:kpasswd: Correctly generate error strings
   via 6fc3d93b4fe CVE-2022-2031 tests/krb5: Add tests for kpasswd service
   via b2c3b060bae CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
   via e56d66f729b CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
   via 2815de0510e CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
   via e44b70b862e tests/krb5: Add option for creating accounts with expired passwords
   via 57edd8e2e04 tests/krb5: Fix enum typo
   via b9e880b3d9c CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
   via 3852adddff6 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
   via 39db18962f5 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
   via 3bbb7bc57f0 CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
   via efb69ab420f CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
   via 440aa37cc46 CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
   via f4ea2a80d84 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
   via e21702d20b6 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
   via b0d3fd37a88 CVE-2022-2031 s4:kpasswd: Account for missing target principal
   via 6199a076350 heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
   via 8f4b78907bb CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
   via 19d76f10310 selftest: Simplify krb5 test environments
   via 9a1bee7c95d tests/krb5: Add helper function to modify ticket flags
   via 3ac74c8b94d tests/krb5: Correctly determine whether tickets are service tickets
   via d34d201773a kdc: Canonicalize realm for enterprise principals
   via 2eef0f950bc kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
   via 0426d20aeab heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
   via 612c769ab70 selftest: Properly check extra PAC buffers with Heimdal
   via 5e6c25f1ed0 heimdal:kdc: Always generate a
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via 27bd8a32359 VERSION: Disable GIT_SNAPSHOT for the 4.15.5 release.
   via 81aab85bae8 WHATSNEW: Add release notes for Samba 4.15.5.
   via e7d0d40e684 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
   via d46ffccc078 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
   via 9371ace08e6 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
   via 66774e97e20 CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
   via b97f4a6519f CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via dbeef6bc732 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
   via f03c42ea77f CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
   via 700f80d551d CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
   via e3f84b2b9f8 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
   via 9e90f31639a CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
   via 3e0d40f5481 CVE-2021-44141: s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
   via c7aa173d2a4 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
   via a180e5726d5 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
   via 300abd383ea CVE-2021-44141: s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
   via a7b6aa7d1f2 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
   via 08c40af6381 CVE-2021-44141: s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
   via bfcf165b29b CVE-2021-44141: s4: torture: In raw.search:test_one_file() add a second connection.
   via c032a254bb5 CVE-2021-44141: s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
   via 4fc4bd4f20c CVE-2021-44141: s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
   via 738c7080e78 CVE-2021-44141: s4: torture: In raw.search:test_one_file() remove the leading '\' in the test filenames.
   via 10242faa078 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
   via f8698b1f797 CVE-2021-44141: s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
   via f77e56e2d1b CVE-2021-44141: s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
   via e94d2bcbdc6 CVE-2021-44141: s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
   via 104499b56de CVE-2021-44141: s3: smbd: In unix_convert() remove the now unneeded block indentation.
   via 36f480c7c8e CVE-2021-44141: s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
   via 3471f03816f CVE-2021-44141: s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
   via d52dd78e9d8 CVE-2021-44141: s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x0002 is no longer used.
   via b0fc0efbac5 CVE-2021-44141: s3: smbd: We no longer need determine_path_error().
   via 5e42ab3f6a0 CVE-2021-44141: s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
   via b73be0c7a7c CVE-2021-44141: s3: smbd: filename_convert() no longer deals with wildcards.
   via 6f2c67d9993 CVE-2021-44141: s3: smbd: parse_dfs_path() can ignore wildcards.
   via d91d4a17443 CVE-2021-44141: s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
   via fc8e6669edb CVE-2021-44141: s3: smbd: dfs_path_lookup() no longer deals with wildcards.
   via 12b44645fb9 CVE-2021-44141: s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
   via 0f1436ed031 CVE-2021-44141: s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
   via e6d9ef3b1e8 CVE-2021-44141: s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
   via 5c55cd93e5b CVE-2021-44141: s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
   via 3490db2a389
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via bd9db127ff4 VERSION: Disable GIT_SNAPSHOT for the 4.15.4 release.
   via 6700eeac21d WHATSNEW: Add release notes for Samba 4.15.4.
   via 2a59fd316f7 auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
   via af3c6b570f2 s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
   via a4bf80d8203 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
   via aa9889230fe libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
   via 3ffd53f9e76 s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
   via 058c8a5278d auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
   via 6d158512e8d s3:smbd: handle --build-options without parsing smb.conf
   via a4281c9ea7f s3:libsmb: fix signing regression SMBC_server_internal()
   via a9c32e69546 s4:selftest: run libsmbclient.noanon_list against maptoguest
   via 025749c3773 s4:torture/libsmbclient: add libsmbclient.noanon_list test
   via dfabc5da386 selftest/Samba3: enable SMB1 for maptoguest
   via 5a2227d704c s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()
   via 6c28c948a49 ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation
   via 671dee2bd7d s3:smbd: Fix dereferencing null pointer "fsp"
   via 680f68a072c s3:modules: VFS CAP symlinkat always fails
   via 76e7fdb70c6 s3:modules: Fix the horrible vfs_crossrename module
   via 4a6e8bc5e29 s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol" before continuing.
   via 4907ecaaf4e s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.
   via a43ad2777e3 s3: includes: Make the comments describing itime consistent. Always use "invented" time.
   via 85941fe0cd1 s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
   via b48e5c61aaf s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
   via 263aeea95d8 lib: util: Add a function nt_time_to_unix_timespec_raw().
   via 032df88d61d tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
   via 96cd0ab567e VERSION: Bump version up to Samba 4.15.4...
  from 0c85a0adaa5 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable

- Log -
---

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 68 ++-
 auth/credentials/credentials.h | 6 +-
 auth/credentials/credentials_internal.h | 2 +
 auth/credentials/credentials_ntlm.c | 65 ++-
 auth/ntlmssp/ntlmssp_server.c | 8 +
 ctdb/protocol/protocol_util.c | 13 ++
 lib/util/time.c | 30 +++
 lib/util/time.h | 2 +
 libcli/auth/smbencrypt.c | 89 -
 selftest/knownfail.d/smb1-tests | 10 +-
 selftest/target/Samba3.pm | 1 +
 source3/client/client.c | 1 +
 source3/include/includes.h | 4 +-
 source3/include/proto.h | 1 +
 source3/lib/system.c | 52 +
 source3/libsmb/libsmb_server.c | 2 +-
 source3/modules/vfs_cap.c | 2 +-
 source3/modules/vfs_crossrename.c | 2 +-
 .../script/tests/test_smbclient_list_servers.sh | 45 +
 source3/selftest/tests.py | 20 ++
 source3/smbd/close.c | 2 +
 source3/smbd/dosmode.c | 3 +-
 source3/smbd/open.c | 6 +-
 source3/smbd/server.c | 9 +-
 source4/selftest/tests.py | 17 ++
 source4/torture/libsmbclient/libsmbclient.c | 50 +
 source4/torture/rpc/schannel.c | 209 +
 source4/torture/smb2/create.c | 205
 source4/torture/smb2/session.c | 51 +
 source4/torture/smb2/smb2.c | 1 +
 31 files changed, 938 insertions(+), 40 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_list_servers.sh

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
   via 0c85a0adaa5 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release.
   via ccddc464bd0 WHATSNEW: Add release notes for Samba 4.15.3.
   via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0
   via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES
   via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
   via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
   via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
   via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c
   via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
   via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c
   via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c
   via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
   via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c
   via fea324d9cc4 testprogs: Add rpcclient schannel tests
   via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
   via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression
   via 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
   via c22480e2640 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
   via f57b3e1 smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
   via 2306c9e7d18 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids
   via a68e2904eae smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
   via 2c4c3867933 s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
   via 9e182796362 smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
   via 2209a095dda smb2_server: decouple IOCTL check from signing/encryption states
   via 4c8c39a7b55 smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
   via 685250e6298 s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
   via eba52e21acb libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
   via dc59b392111 s3:winbind: Fix possible NULL pointer dereference
   via 9aa03f402b7 CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
   via 9f4c89d0d3f CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
   via 1142f18ff1d CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
   via 4f1dbaf60b8 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
   via 6b5cb85c2cc CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
   via 12702424935 CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
   via 5d39c5b54b9 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
   via bf9fdf5b455 cmdline: Make -P work in clustered mode
   via f1c064e792a cmdline: Add a callback to set the machine account details
   via 575e620ad6c lib: Add required includes to source3/include/secrets.h
   via 3309ab5fa02 selftest: Add reproducer for bug 14908
   via 4d68d797f18 s3:modules:recycle - fix crash in recycle_unlink_internal
   via 9bcba58e4d4 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
   via 5d5e5a1f355 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
   via ae21fe9c01b CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
   via 3f009a620a3 CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
   via ebe18e23ba6 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
   via 38ddd41e9c6 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured
domain via ad6af1bb831 s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable. via 728c9b83564 s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds. via 89903ed1e32 s3: smbd: dirfsp is being used uninitialized inside rmdir_internals(). via 6aae2575b38 smbd: get rid of get_file_handle_for_metadata() via c357c1b2024 lib/cmdline: setup default file logging for servers via 47c00820819 lib/cmdline: remember config_type in
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 5850ae94ba6 VERSION: Disable GIT_SNAPSHOT for the 4.15.1 release. via 3caf4af915a WHATSNEW: Add release notes for Samba 4.15.1. via a795e0c8459 Release ldb 2.4.1 via 9e2da222f7f pyldb: Make ldb.Message containment testing consistent with indexing via b4601d0db20 pyldb: Add tests for ldb.Message containment testing via 2311987af25 pyldb: Raise TypeError for an invalid ldb.Message index via bef676475fe pyldb: Add test for an invalid ldb.Message index type via ba4032b73a4 s4/torture/drs/python: Fix attribute existence check via d32f732c796 pyldb: Fix deleting an ldb.Control critical flag via 3b6c8bd55b3 pytest:segfault: Add test for deleting an ldb.Control critical flag via 6db664a07da pyldb: Fix deleting an ldb.Message dn via f4ca03b0cc2 pytest:segfault: Add test for deleting an ldb.Message dn via 34d50f415ae Fix Python docstrings via 753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code via c72b210cdca dsdb: Allow special chars like "@" in samAccountName when generating the salt via b1dbaecb2ec tests/krb5: Add tests for account salt calculation via 798ac7ff1ba tests/krb5: Fix account salt calculation to match Windows via fcd11a480e7 tests/krb5: Allow specifying the UPN for test accounts via 8c0296c8956 tests/krb5: Allow creating machine accounts without a trailing dollar via 4cedeb32538 tests/krb5: Allow specifying prefix or suffix for test account names via cd1b3cbce50 tests/krb5: Decrease length of test account prefix via 3affd02a83a selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") via 057e6d872db selftest/Samba3: remove unused close(USERMAP); calls via f901e3dc08c waf: Allow building with MIT KRB5 >= 1.20 via 28630a31be8 selftest: Improve error handling and perl style when setting up users in Samba4.pm via cd04ce50ac3 selftest: Remove duplicate setup of $base_dn and $ldbmodify via 175dde8ab48 pytest: s3_net_join: avoid name clash via 63e688099b4 selftest: krb5 
account creation: clarify account type as an enum via c4b15874037 pytest: dynamic tests optionally add __doc__ via e17d54554c9 selftest: Increase account lockout windows to make test more realiable via 140ec12e25e pytest/rodc_rwdc: try to avoid race. via dc768d84f02 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 via a7dcff14bdd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service via 54d9b9e0406 tests/krb5: Ensure PAC is not present if expect_pac is false via 19e770f04ea kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers via 30b2a47af03 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals via ce53ffc660e tests/krb5: Add tests for requesting a service ticket without a PAC via 3f89f5d3e09 tests/krb5: Add method to get the PAC from a ticket via 3c2cf8200d2 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange() via 34e3b8e09f4 tests/krb5: Allow get_tgt() to request including or omitting a PAC via bab70b995a1 heimdal:kdc: Fix ticket signing without a PAC via af42d3fa44c selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule) via 9a25efd54aa gitlab-ci: Do not download artifacts of unrelated builds via 64f81e2e589 gitlab-ci: Do not retry for job_execution_timeout via 2cf612f8096 krb5: Fix PAC signature leak affecting KDC via 276820695a9 s4:kdc: Check ticket signature via 1d764175725 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function via 03ababc0de6 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows via e735b36fcc1 kdc: correctly generate PAC TGS signature via 329054bc433 kdc: use ticket client name when signing PAC via 4cdcbc761c3 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal via 7df64eb0189 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails via 764c7d74090 krb5: rework PAC validation loop via 060abb2f1b4 krb5: allow NULL parameter to krb5_pac_free() via 4b2890412c9 kdc: sign ticket using Windows PAC 
via 79278289cf3 kdc: remove KRB5SignedPath, to be replaced with PAC via 2e20aefce2c s4/torture: Expect ticket checksum PAC buffer via 8ba2b8aef8a s4:kdc: Fix debugging messages via 9edf3d6d810 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter via d8871802eb2 tests/krb5: Fix duplicate account creation via 7b8d569aefc tests/krb5: Allow bypassing cache when creating accounts via f90bc484f49 tests/krb5: Don't include empty AD-IF-RELEVANT via
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via fc8342bd26d VERSION: Disable GIT_SNAPSHOT for the 4.15.0 release. via e671beb5276 WHATSNEW: Add release notes for Samba 4.15.0. via bb9e236768f VERSION: Bump version up to Samba 4.15.0rc8... from 9f5b76a42d7 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc7 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 22 +- 2 files changed, 10 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f57bed5d2a2..0e58d4b399b 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=7 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index bf63cf2b908..18cc15dcff5 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,19 +1,15 @@ -Release Announcements -= + == + Release Notes for Samba 4.15.0 + September 20, 2021 + == -This is the seventh release candidate of Samba 4.15. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. -Samba 4.15 will be the next version of the Samba suite. +This is the first stable release of the Samba 4.15 release series. +Please read the release notes carefully before upgrading. -UPGRADING -= - Removed SMB (development) dialects --- +== The following SMB (development) dialects are no longer supported: SMB2_22, SMB2_24 and SMB3_10. They are were @@ -32,7 +28,7 @@ explicitly to a specific dialect, just leave them unspecified or specify the value "default". New GPG key +=== The GPG release key for Samba releases changed from: 
@@ -53,7 +49,7 @@ Starting from Jan 21th 2021, all Samba releases will be signed with the new key. See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt New minimum version for the experimental MIT KDC - + The build of the AD DC using the system MIT Kerberos, an experimental feature, now requires MIT Kerberos 1.19. An up-to-date -- Samba Shared Repository
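Review bot: the last context line of the first WHATSNEW.txt hunk (@@ -1,19 +1,15 @@) still reads "They are were", and with this commit that sentence ships in the release notes for the first stable 4.15 release. The hunk already rewrites the underline of the "Removed SMB (development) dialects" heading directly above it, so drop one of the two verbs in the same change.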
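Review bot: in the WHATSNEW.txt hunk at @@ -53,7 +49,7 @@ the first context line reads "Starting from Jan 21th 2021"; the ordinal should be "21st". This is the paragraph that tells users which GPG key signs releases, so it is worth correcting before the text is frozen for the stable release.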
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 9f5b76a42d7 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc7 release. via 54d6868e169 WHATSNEW: Add release notes for Samba 4.15.0rc7. via 8d4c482410c ctdb-daemon: Don't mark a node as unhealthy when connecting to it via 7c353e6e383 ctdb-daemon: Ignore flag changes for disconnected nodes via 665b380d249 ctdb-daemon: Simplify ctdb_control_modflags() via f340dcbc675 ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete via c8a9f9147c2 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS via 17e0a052da0 ctdb-daemon: Modernise remaining debug macro in this function via 05d2f5e41c7 ctdb-daemon: Update logging for flag changes via e634ddde5e6 ctdb-daemon: Correct the condition for logging unchanged flags via 9f06ec8b108 ctdb-tools: Use disable and enable controls in tool via 772126bd68b ctdb-client: Add client code for disable/enable controls via 8ed5910b847 ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE via b5f8913f359 ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED via c61b5e7b489 ctdb-daemon: Factor out a function to get node structure from PNN via 65d64194b6d ctdb-daemon: Add a helper variable via 675d68caabc ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE via 84a285851d7 ctdb-protocol: Add new controls to disable and enable nodes via c01d48d7a54 ctdb-recoverd: Push flags for a node if any remote node disagrees via 2cc4b917f78 ctdb-recoverd: Update the local node map before pushing out flags via f8fa33ac320 ctdb-recoverd: Add a helper variable via bddd7db7b2f WHATSNEW: The New VFS via bd730209109 Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups() via 92251109fa2 smbd: fix "ea support = no" via 13ba74a67a3 WHATSNEW: unknown options now trigger an error in all tools via cc39fca1f5a WHATSNEW: clarify the -e and -s handling for ldb tools via b52fdad21fb s4/torture/masktest: don't ignore unknown options via 1eaab01e178 s4/torture/locktest: don't ignore unknown options 
via 047274d1278 s4/torture/gentest: don't ignore unknown options via 79f231a5484 s4/regtree: don't ignore unknown options via b87f953efb9 s4/regshell: don't ignore unknown options via f377070e75b s4/regpatch: don't ignore unknown options via 9e0b596ab76 s4/regdiff: don't ignore unknown options via c4dc60a7992 s4/cifsdd: don't ignore unknown options via c94c2bb7503 testparm: don't ignore unknown options via 7c0725daaf3 split_tokens: don't ignore unknown options via ece1e503d84 smbtree: don't ignore unknown options via 3e5d5713a10 smbget: don't ignore unknown options via 647e2865eb3 smbcquotas: don't ignore unknown options via 2270e098c02 smbcacls: don't ignore unknown options via eeebabe4067 sharesec: don't ignore unknown options via 9af6e536edd regedit: don't ignore unknown options via 02144f364e6 profiles: don't ignore unknown options via 362c9f28a36 pdbedit: don't ignore unknown options via 609509f8ed1 ntlm_auth: don't ignore unknown options via 84579c965b1 nmblookup: don't ignore unknown options via 99eca1a3329 mvxattr: don't ignore unknown options via df0e4a6b67d log2pcaphex: don't ignore unknown options via 2f8aabd1761 s3/async-tracker: don't ignore unknown options via e5f6c2e25c5 vfstest: don't ignore unknown options via 7bee957378e pdbtest: don't ignore unknown options via 66dd6cc6286 rpcclient: don't ignore unknown options via 424135b1796 s3/param: don't ignore unknown options via 4af952f4ccd source3/lib/smbconf: don't ignore unknown options via a0e860c2360 nmblookup: don't ignore unknown options via 6e320e7f767 s4/smbclient: don't ignore unknown options via 43f57091f7f smbstatus: don't ignore unknown options via 26ccc96a41d texpect: don't ignore unknown options via be8c65fb748 smbclient: don't ignore unknown options via 223ac583cfa selftest: remove unsupported smbcacls option --get via 619baa2390f lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14 via ec937b7035d manpages: remove duplicate options from smbclient via 4ccc9a4c391 
selftest: fix ---configfile option via b2934e2a726 lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth via 35d474c3030 vfs_btrfs: fix btrfs_fget_compression() via a7b9904c90b docs: Avoid duplicate information on USER and PASSWD, reference the common section via 4ad10cf8e82 docs: Document all the other ways to send a password to smbclient et al via 8416bcce6a7 docs: Ensure to rebuild manpages if samba.entities
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6. via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes via 1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python via 86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent() via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once via 8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type via 8d17a87523b tests/krb5: Add tests for omitting sname in inner request via c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body via b628cda6604 tests/krb5: Add tests for omitting sname in request via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST via b6496bd5990 tests/krb5: Make cname checking less strict via c9b594a1a21 tests/krb5: Make e-data checking less strict via ef69ac460bc Update common on currently supported Fedora versions via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG 
is now in .gitlab-ci-main.yml via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34 via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10 via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested via e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel) via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos via e850967129d autobuild.py: Explain why each job is removed from the default set via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb via 2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb via 535bd82604e mit-samba: Only set the function opening bracket once via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting via 9698e453ae9 mit-samba: Send the logging to the kdc log facility via 4bf41b6ccf5 mit-samba: Define debug class for kdb module via 07cfa4d6f95 tests/krb5: Add FAST tests via 003307b7d34 initial FAST tests via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply via 904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error via fc2ec4b9e01 
tests/krb5: Add get_krbtgt_sname() method via 6ed03543ea0 tests/krb5: Remove unused variables via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict via d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via cbfc80e7b7d VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc5 release. via da5c0a93a63 WHATSNEW: Add release notes for Samba 4.15.0rc5. via defbbe7127f s4/samba: POPT_COMMON_DAEMON via c65fb0b0a0e winbindd: use POPT_COMMON_DAEMON via 3eef217a9da nmbd: use POPT_COMMON_DAEMON via e1be4413c99 smbd: use POPT_COMMON_DAEMON via 476ed842726 lib/cmdline: restore pre-4.15 logging behaviour for daemons via 29c895c6d8a lib/cmdline: add POPT_COMMON_DAEMON daemon popt options via 4889512c705 s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem. via 5ec6be2ae36 s3: smbd: Add fifo test for the DISABLE_OPATH case. via b5b0471caf3 s3:winbind: Do not start if the priviliged socket path is too long via 915784c099c WHATSNEW: servers are now also logging to stderr at startup via 6bae027bf57 WHATSNEW: fix a typo via 51d64ce925b script/autobuild.py: Restore MIT ADDC tests against fl2008* via 57b266e23c4 s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error. via 2ed234deee3 s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor. 
via cf4845f9b35 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send() via 591bd2f3405 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send() via 16306431a24 registry: check for running as root in clustering mode via 189bb79ac74 s3/lib/dbwrap: check if global_messaging_context() succeeded via 19485894d4b vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times() via a0fe4423b8e lib/gpfswrap: add gpfs_set_times_path() wrapper via 85e5508c4d9 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes() via f626ffdf6d5 vfs_gpfs: pass fsp to smbd_gpfs_set_times() via 3fe4d78f021 vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes() via 45a63783526 vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes() via e07c7110e55 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes() via ee741bcc44c vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles via 896a92e0382 vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x() via 3db79fdfd61 vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares via 81fa1a65849 vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat() via f171810b970 vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code via 5b80738ec02 smbd: avoid calling creating a pathref in smb_set_file_dosmode() via 8cc118dacc9 VERSION: Bump version up to 4.15.0rc5... from 8a2c51f268b VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc4 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 34 +++- lib/cmdline/cmdline.c| 80 + lib/cmdline/cmdline.h| 29 lib/cmdline/cmdline_private.h| 4 + lib/cmdline/cmdline_s3.c | 11 +- lib/util/gpfswrap.c | 14 ++ lib/util/gpfswrap.h | 1 + script/autobuild.py | 4 +- source3/lib/dbwrap/dbwrap_open.c | 4 + source3/modules/vfs_gpfs.c | 268 ++- source3/nmbd/nmbd.c | 103 +++- source3/registry/reg_backend_db.c| 9 ++ source3/rpc_server/mdssvc/mdssvc.c | 5 + source3/script/tests/test_fifo.sh| 83 ++ source3/selftest/tests.py| 3 + source3/smbd/files.c | 4 + source3/smbd/msdfs.c | 7 +- source3/smbd/server.c| 112 - source3/smbd/trans2.c| 67 source3/winbindd/wb_queryuser.c | 30 +++- source3/winbindd/winbindd.c | 116 ++--- source3/winbindd/winbindd_allocate_uid.c | 44 - source4/samba/server.c | 88 +++--- 24 files changed, 728 insertions(+), 394 deletions(-) create mode 100755 source3/script/tests/test_fifo.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b185563e6ae..9dc372ed3ca 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=4
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 8a2c51f268b VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc4 release. via bf634d022cf WHATSNEW: Add release notes for Samba 4.15.0rc4. via 3f8db63d9bc util_sock: fix assignment of sa_socklen via 522fd7b38be WHATSNEW: Fix formatting. via e0dc3168210 s3/rpc_server: track the number of policy handles with a talloc destructor via 1e56dc7dd19 selftest: add a test for the "deadtime" parameter via 068bdf8fbfb VERSION: Bump version up to Samba 4.15.0rc4... from 16a28116179 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc3 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 45 +-- source3/lib/util_sock.c | 9 + source3/rpc_server/rpc_handles.c | 20 +-- source3/script/tests/test_deadtime.sh | 67 +++ source3/selftest/tests.py | 4 +++ 6 files changed, 126 insertions(+), 21 deletions(-) create mode 100755 source3/script/tests/test_deadtime.sh Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index c529cb04f23..b185563e6ae 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=3 +SAMBA_VERSION_RC_RELEASE=4 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0e6aeea6530..9b072788ad1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the third release candidate of Samba 4.15. This is *not* +This is the fourth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. 
@@ -70,18 +70,19 @@ client that is in the allow list and NOT in the deny list. "server multi channel support" no longer experimental - -This option is enabled by default starting with to 4.15 (on Linux and FreeBSD). +This option is enabled by default starting with 4.15 (on Linux and FreeBSD). Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now. + samba-tool available without the ad-dc -- -The samba-tool command is now available when samba is configured ---without-ad-dc. Not all features will work, and some ad-dc specific options -have been disabled. The samba-tool domain options, for example, are limited +The 'samba-tool' command is now available when samba is configured +"--without-ad-dc". Not all features will work, and some ad-dc specific options +have been disabled. The 'samba-tool domain' options, for example, are limited when no ad-dc is present. Samba must still be built with ads in order to enable -samba-tool. +'samba-tool'. Improved command line user experience @@ -98,7 +99,7 @@ simplified and provides better control for encryption, singing and kerberos. Also several command line options have a smb.conf variable to control the default now. -All tools are logging to stderr by default. You can use --debug-stdout to +All tools are logging to stderr by default. You can use "--debug-stdout" to change the behavior. ### Common parser: 
@@ -158,23 +159,24 @@ to redirect ticket requests to the right DC. This is e.g. needed for one way trusts. The options `winbind use krb5 enterprise principals` and `winbind scan trusted domains` will be deprecated in one of the next releases. + Support for Offline Domain Join (ODJ) - The net utility is now able to support the offline domain join feature as known from the Windows djoin.exe command for many years. Samba's -implementation is accessible via the "net offlinejoin" subcommand. It +implementation is accessible via the 'net offlinejoin' subcommand. It can provision computers and request offline joining for both Windows and Unix machines. It is also possible to provision computers from -Windows (using djoin.exe) and use the generated data in Samba's net +Windows (using djoin.exe) and use the generated data in Samba's 'net' utility. The existing options for the provisioning and joining steps are documented in the net(8) manpage. -samba-tool dns zoneoptions for aging control -
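Review bot: in the WHATSNEW.txt hunk at @@ -98,7 +99,7 @@ the context line just above the changed one still says "encryption, singing and kerberos"; "singing" should be "signing". This commit is a formatting pass over the same paragraph (it only adds quotes around "--debug-stdout"), so the typo can be fixed in the same hunk.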
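Review bot: the @@ -158,23 +159,24 @@ hunk requotes the subcommand as 'net offlinejoin' and the utility as 'net', while the context lines directly above keep `winbind use krb5 enterprise principals` and `winbind scan trusted domains` in backticks, and the earlier hunk puts "--without-ad-dc" in double quotes. If the intent is to normalise quoting in WHATSNEW.txt, state the convention for commands, options and smb.conf parameters in the commit message and convert the backticked names as well.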
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 16a28116179 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc3 release. via c8627e00de3 WHATSNEW: Add release notes for Samba 4.15.0rc3. via 545c0fc8e80 WHATSNEW: add matrix.org and libera via 0524e0c6548 WHATSNEW: Add various DNS changes via f8c7428abcf WHATSNEW: reformat for style (mostly Bind9 DLZ allow/deny) via 4745b8e8a1b s3:winbindd: Pass the right variable to the debug message via 12f76f4292a s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again. via 185f191bd43 s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function. via 6b5f770790c s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share. via 20ec0ea95e9 s4: torture: CHECK ret value and fail if false via 34d2bc28460 s3: smbd: Ensure all returns from OpenDir() correctly set errno. via ccd0b865574 s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case. via 9a23ff2ca2b s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle. via 654430f6f6f s4: torture: Add test for smb2.ioctl.bug14769. via 24b661c01ef s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP. via 68ceb6c8f05 s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code. via 69c5ab71106 s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP. via 04af36c4916 s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file. 
via 7c8ba49b2e9 libreplace: remove now unused USE_COPY_FILE_RANGE define via 681675b68c5 vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range() via c5fbec5db03 s3:libsmb: close the temporary IPC$ connection in cli_full_connection() via 9d152be356d s3:libsmb: start encryption as soon as possible after the session setup via eb8518e4fb8 wscript: fix installing pre-commit with 'git worktree' via f9ed3a8cb95 script/bisect-test.py: add support git worktree via 24c95d2523f wafsamba: add support git worktree to vcs_dir_contents() via f834da87269 VERSION: Bump version up to Samba 4.15.0rc3... from 16fb5c685a5 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log - --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 152 +-- buildtools/wafsamba/samba_dist.py| 2 +- lib/replace/wscript | 2 - libcli/smb/smb_constants.h | 2 + script/bisect-test.py| 2 +- selftest/knownfail | 1 + selftest/target/Samba3.pm| 10 ++ source3/libsmb/cliconnect.c | 39 +- source3/libsmb/clidfs.c | 56 ++--- source3/modules/vfs_ceph.c | 14 ++- source3/modules/vfs_default.c| 12 +- source3/modules/vfs_streams_depot.c | 73 --- source3/selftest/tests.py| 5 + source3/smbd/dir.c | 2 + source3/smbd/smb2_ioctl.c| 83 +++-- source3/smbd/smb2_ioctl_private.h| 5 + source3/smbd/smb2_ioctl_smbtorture.c | 230 +++ source3/winbindd/winbindd.c | 2 +- source3/wscript_build| 1 + source4/torture/smb2/ioctl.c | 80 source4/torture/smb2/streams.c | 6 +- wscript | 20 ++- 23 files changed, 672 insertions(+), 129 deletions(-) create mode 100644 source3/smbd/smb2_ioctl_smbtorture.c Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ba0f12ea840..c529cb04f23 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=2 +SAMBA_VERSION_RC_RELEASE=3 # To mark SVN snapshots this should be set to 'yes'# 
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 074767e3251..0e6aeea6530 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the second release candidate of Samba 4.15. This is *not* +This is the third release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -55,15 +55,17 @@ See
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 16fb5c685a5 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release. via d872e7f0cd7 WHATSNEW: Add release notes for Samba 4.15.0rc2. via 4467a0ba7f0 smbd: only open full fd for directories if needed via 4f3b6f6b311 smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS via 9b8e795df6f s3: smbd: Don't leak meta-data about the containing directory of the share root. via 3acccfc764d s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage. via fccedb4d94a configure: Do not put arguments into double quotes via c933b88dbe1 samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry" via c33b18ec92e lib:cmdline: Use lp_load_global() for servers via 2a21ecf1f91 s3:smbd: really support AES-256* in the server via 13839721f06 s4:torture/smb2: add tests to check all signing and encryption algorithms via e606987911e gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15 via 047cbaad5d9 gitlab: Use shorter names for Samba AD DC env with MIT KRB5 via f2b2ecec7fc s3:winbindd: Add a check for the path length of 'winbindd socket directory' via 68bd2229bd4 WHATSNEW: mention the offline domain join feature via 8380f21aadd libcli/smb: allow unexpected padding in SMB2 READ responses via 170b8195507 libcli/smb: make smb2cli_ioctl_parse_buffer() available as smb2cli_parse_dyn_buffer() via b644b297bf8 s3:smbd: implement FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8 via 0be68189ffc s3:smbd: introduce a body_size variable in smbd_smb2_request_read_done via 570b3ced84a s4:torture/smb2: add smb2.read.bug14607 test via 81eeb1c6708 VERSION: Bump version up to 4.15.0rc2... from 6a6f6044771 VERSION: Disable GIT_SNAPSHOT for the Samba 4.15.0rc1 release. 
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable

- Log -

Summary of changes:
 .gitlab-ci-main.yml             |  12 +-
 VERSION                         |   2 +-
 WHATSNEW.txt                    |  35 +++-
 configure                       |   2 +-
 lib/cmdline/cmdline.h           |   9 +
 lib/cmdline/cmdline_s3.c        |   2 +-
 libcli/smb/smb2_signing.c       |  54 +++--
 libcli/smb/smb2cli_ioctl.c      | 123 ++--
 libcli/smb/smb2cli_read.c       |  22 +-
 libcli/smb/smbXcli_base.c       |  91 +
 libcli/smb/smbXcli_base.h       |   9 +
 libcli/smb/smb_constants.h      |   2 +
 script/autobuild.py             |   6 +-
 selftest/target/Samba3.pm       |   1 +
 source3/printing/samba-bgqd.c   |  58 +-
 source3/smbd/dir.c              |  25 +++
 source3/smbd/dosmode.c          |  23 ++-
 source3/smbd/globals.h          |   4 +
 source3/smbd/open.c             |  31 ++-
 source3/smbd/smb2_ioctl.c       |  10 +
 source3/smbd/smb2_read.c        |  14 +-
 source3/smbd/smb2_sesssetup.c   |   6 +
 source3/winbindd/winbindd.c     |  25 +++
 source4/torture/smb2/read.c     | 136 +
 source4/torture/smb2/session.c  | 436
 wscript_configure_system_gnutls |  10 +-
 26 files changed, 976 insertions(+), 172 deletions(-)

Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 1aee591b068..0979c007dc6 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -331,10 +331,10 @@ samba-ad-dc-ntvfs: samba-admem-mit: extends: .needs_samba-mit-build -samba-ad-dc-4a-mitkrb5: +samba-addc-mit-4a: extends: .needs_samba-mit-build -samba-ad-dc-4b-mitkrb5: +samba-addc-mit-4b: extends: .needs_samba-mit-build # This task is run first to ensure we compile before we start the @@ -389,7 +389,7 @@ samba-ad-dc-1: samba-nt4: extends: .needs_samba-nt4-build-private -samba-ad-dc-1-mitkrb5: +samba-addc-mit-1: extends: .needs_samba-mit-build-private samba-no-opath1: 
@@ -421,15 +421,15 @@ pages: - samba-ctdb - samba-ad-dc-ntvfs - samba-admem-mit -- samba-ad-dc-4a-mitkrb5 -- samba-ad-dc-4b-mitkrb5 +- samba-addc-mit-4a +- samba-addc-mit-4b - samba-ad-back1 - samba-ad-back2 - samba-fileserver - samba-ad-dc-1 - samba-nt4 - samba-schemaupgrade -- samba-ad-dc-1-mitkrb5 +- samba-addc-mit-1 - samba-fips - samba-no-opath1 - samba-no-opath2 diff --git a/VERSION b/VERSION index 787b2dd26b0..ba0f12ea840 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=1 +SAMBA_VERSION_RC_RELEASE=2
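Review bot: the .gitlab-ci-main.yml hunks leave the job naming inconsistent and undocumented. The three MIT jobs become samba-addc-mit-4a, samba-addc-mit-4b and samba-addc-mit-1, while their neighbours in the same pages list (samba-ad-dc-1, samba-ad-dc-ntvfs, samba-ad-back1) keep the ad-dc spelling, and nothing in the YAML says why only the MIT names were shortened. Please add a one-line comment next to the renamed jobs stating the length constraint that motivated the change, so a later cleanup does not rename them back. The definitions at -331 and -389 and the list entries at -421 are updated together here, which is right. The diffstat also lists script/autobuild.py with 6 changed lines, but that hunk is not in the visible part of the truncated changeset; if it carries the matching rename, confirm that it uses exactly these three new names.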