[SCM] Samba Shared Repository - branch master updated

2021-12-14 Thread Andrew Bartlett
The branch, master has been updated
   via  0f4eca775aa tests/krb5: Add tests for AS-REQ to self with FAST
   via  100be7eb8e7 tests/krb5: Correctly determine whether tickets are 
service tickets
   via  1eb91291b54 tests/krb5: Generate unique UPNs for enterprise tests
   via  3b23ae59ac4 s4:torture: Fix typo
   via  030afa6c01b s4:torture: Remove comments that are no longer relevant
   via  bba30095ca1 kdc: Pad UPN_DNS_INFO PAC buffer
   via  31f3e815799 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to 
match Windows"
   via  7dfcbc4e381 tests/krb5: Add tests for PAC buffer alignment
   via  abbeb5c2175 s4:mitkdc: Call krb5_pac_init() in 
kdb_samba_db_sign_auth_data()
   via  3a3f7feac59 s4:mitkdc: Do not allocate the PAC buffer in 
samba_make_krb5_pac()
   via  731d9c42d07 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
   via  e95fb04c5de s4:mitkdc: Add support for pac_attrs and requester_sid
   via  b46a942f95b s4:mitkdc: Reset errno to 0 for com_err messages
   via  c69bfa0939d s4:mitkdc: Use talloc_get_type_abort() in 
ks_get_context()
   via  f00eb8485f4 s4:mitkdc: Initilalize is_error with errno instead of 
EPERM(1)
  from  5b526f4533b tdb: Raw performance torture to beat 
tdb_increment_seqnum

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0f4eca775aa52cfe40a25ead90c560d76b286ad9
Author: Joseph Sutton 
Date:   Tue Dec 14 19:16:15 2021 +1300

tests/krb5: Add tests for AS-REQ to self with FAST

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184

commit 100be7eb8e70ba270a8e92957a5e47466160a901
Author: Joseph Sutton 
Date:   Tue Dec 14 19:16:00 2021 +1300

tests/krb5: Correctly determine whether tickets are service tickets

Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1eb91291b54b194d8312dac6dd605c793eabfd53
Author: Joseph Sutton 
Date:   Tue Dec 14 19:16:26 2021 +1300

tests/krb5: Generate unique UPNs for enterprise tests

This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3b23ae59ac4953d20ca4422b567a15227a17c545
Author: Joseph Sutton 
Date:   Thu Dec 9 13:18:54 2021 +1300

s4:torture: Fix typo

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 030afa6c01bfc0bfd20a204a5cc7c9d33032a1e7
Author: Joseph Sutton 
Date:   Thu Dec 9 13:18:45 2021 +1300

s4:torture: Remove comments that are no longer relevant

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit bba30095ca14dd947cb32a4403e351b0523304dd
Author: Joseph Sutton 
Date:   Fri Dec 10 14:59:22 2021 +1300

kdc: Pad UPN_DNS_INFO PAC buffer

Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 31f3e815799a205f48bebae666deb327e1058674
Author: Joseph Sutton 
Date:   Tue Dec 14 19:19:42 2021 +1300

Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"

This alignment should be done on the Samba side instead.

This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett

commit 7dfcbc4e381080b3e3e1777134aecef5522d1f01
Author: Joseph Sutton 
Date:   Thu Dec 9 11:56:55 2021 +1300

tests/krb5: Add tests for PAC buffer alignment

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett

commit abbeb5c2175ad9574d75e852c101887d6e642cb4
Author: Andreas Schneider 
Date:   Mon Dec 13 08:31:49 2021 +0100

s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

commit 3a3f7feac59feba08438831cb02564e9b80cdc59
Author: Andreas Schneider 
Date:   Thu Oct 7 15:12:35 2021 +0200

s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()

This will be allocated by the KDC in MIT KRB5 1.20 and newer.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

commit 731d9c42d0775d9b1a7475ad2efbe23c2439f6db
Author: Andreas Schneider 
Date:   Mon Dec 13 15:48:08 2021 +0100

s4:mitkdc: Pass NULL to ks_get_pac() as the client_key

This is unused with MIT KRB5 < 1.20 as this is probably not the right k

[SCM] Samba Shared Repository - branch master updated

2021-12-08 Thread Andrew Bartlett
The branch, master has been updated
   via  b948aeac539 hdb: Initialise HDB structure
  from  221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be 
missing for skew errors

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit b948aeac5398693e0c8c70cbff531965ed7ecd23
Author: Joseph Sutton 
Date:   Wed Dec 8 16:42:32 2021 +1300

hdb: Initialise HDB structure

Additional fields may be added to this structure without us explicitly
initialising them. This could cause Heimdal to crash upon reading
garbage data, so we should zero-initialise the structure.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Dec  9 02:47:27 UTC 2021 on sn-devel-184

---

Summary of changes:
 source4/kdc/hdb-samba4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index f0939193ad7..92bc5ff28a6 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -530,7 +530,7 @@ NTSTATUS hdb_samba4_create_kdc(struct 
samba_kdc_base_context *base_ctx,
return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
}
 
-   *db = talloc(base_ctx, HDB);
+   *db = talloc_zero(base_ctx, HDB);
if (!*db) {
krb5_set_error_message(context, ENOMEM, "malloc: out of 
memory");
return NT_STATUS_NO_MEMORY;
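Review bot: the reason for talloc_zero() on the *db allocation is recorded only in the commit message. A one-line comment above the call, saying the HDB structure must start zeroed because fields can be added to it without being explicitly initialised here, would keep a later cleanup from turning it back into talloc(). Separately, the unchanged error string just below still reads "malloc: out of memory" although the allocator is talloc.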


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-12-07 Thread Andrew Bartlett
The branch, master has been updated
   via  221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be 
missing for skew errors
   via  9844a331864 tests/krb5: Allow 'renew-till' element to be present if 
STRICT_CHECKING=0
   via  d5cb6a1449d tests/krb5: Don't require claims PAC buffers if 
STRICT_CHECKING=0
   via  f03f304deb3 tests/krb5: Adjust unknown critical FAST option test
   via  7d14aedd3dc tests/krb5: Add test for FAST with invalid ticket 
checksum
   via  aa38476d89d tests/krb5: Remove magic flag constants
   via  45d81d56abe tests/krb5: Allow additional unexpected padata types
   via  6bf3610c5dc tests/krb5: Make edata checking less strict
   via  dfe6ef6f3ec tests/krb5: Add tests for FAST with use-session-key 
flag and armor ticket
   via  9c050a4a03a tests/krb5: Add test for AD-fx-fast-armor in 
enc-authorization-data
   via  1eb1049d2bd tests/krb5: Don't request renewable tickets
   via  f8e55b3670c tests/krb5: Adjust expected error codes for FAST tests
  from  8bd7b316bd6 kdc: Canonicalize realm for enterprise principals

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 221569a14c8ecd529eae5c8c021cffe65324afec
Author: Joseph Sutton 
Date:   Mon Dec 6 14:54:31 2021 +1300

tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors

A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Dec  7 08:32:42 UTC 2021 on sn-devel-184

commit 9844a331864ff44645d15e946707fe5278f97ae6
Author: Joseph Sutton 
Date:   Mon Dec 6 13:06:52 2021 +1300

tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d5cb6a1449db10f2ab287798704c035f793f584c
Author: Joseph Sutton 
Date:   Wed Nov 17 20:17:27 2021 +1300

tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f03f304deb30522ed5bdc0875cf3b5233ef6ddc5
Author: Joseph Sutton 
Date:   Wed Nov 17 20:16:32 2021 +1300

tests/krb5: Adjust unknown critical FAST option test

Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 7d14aedd3dc904d4341d06c8b38d6e94e780ea71
Author: Joseph Sutton 
Date:   Wed Nov 17 20:15:12 2021 +1300

tests/krb5: Add test for FAST with invalid ticket checksum

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit aa38476d89d4a41bef63f3814dd921c4dd4e103f
Author: Joseph Sutton 
Date:   Wed Nov 17 20:14:50 2021 +1300

tests/krb5: Remove magic flag constants

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 45d81d56abeb5dbc63471ef45bf6473d3ebf5189
Author: Joseph Sutton 
Date:   Tue Dec 7 10:59:27 2021 +1300

tests/krb5: Allow additional unexpected padata types

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 6bf3610c5dc729cf1dd0b6b63d85e512c25e99c3
Author: Joseph Sutton 
Date:   Tue Dec 7 15:45:06 2021 +1300

tests/krb5: Make edata checking less strict

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit dfe6ef6f3ec61a99e4f067d26dc1abae5adf5cce
Author: Joseph Sutton 
Date:   Thu Nov 18 13:44:32 2021 +1300

tests/krb5: Add tests for FAST with use-session-key flag and armor ticket

This flag should be ignored and the FAST armor key used instead.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9c050a4a03a8bb1dd8b25a1e800942ce1da68710
Author: Joseph Sutton 
Date:   Tue Nov 16 19:56:24 2021 +1300

tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1eb1049d2bdd44af95da820b3dcb5ccd94e4c231
Author: Joseph Sutton 
Date:   Tue Nov 16 19:55:44 2021 +1300

tests/krb5: Don't request renewable tickets

This is not necessary for testing FAST, and was causing some of the
tests to fail.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f8e55b3670c221e5d880c79d0def7be82819e435
Author: Joseph Sutton 
Date:   Tue Nov 16 19:55:17 2021 +1300

tests/krb5: Adjust expected error codes for FAST tests

This allows more of the tests to pass.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/fast_tests.py

[SCM] Samba Shared Repository - branch master updated

2021-12-06 Thread Andrew Bartlett
The branch, master has been updated
   via  8bd7b316bd6 kdc: Canonicalize realm for enterprise principals
   via  dceee8f heimdal_build: Do not build samba4kinit unless building 
embedded Heimdal
   via  a0d75b1cce4 lib/replace: For heimdal_build: Try to use the OS or 
compiler provided atomic operators
   via  2701293f48a s4:torture: Remove pre-send and post-receive callbacks
  from  7eb1e1cc949 s4:torture: Remove test combination with enterprise 
principal without canonicalize flag

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c
Author: Joseph Sutton 
Date:   Tue Dec 7 13:15:38 2021 +1300

kdc: Canonicalize realm for enterprise principals

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Dec  7 04:54:35 UTC 2021 on sn-devel-184

commit dceee8f62ace1b7a67401d502d2b3c4a1e17
Author: Andrew Bartlett 
Date:   Tue Dec 7 11:30:10 2021 +1300

heimdal_build: Do not build samba4kinit unless building embedded Heimdal

We should not attempt to build local copies of Heimdal utilities against
a system krb5 library.

Inspired by a WIP commit by Stefan Metzmacher  in his
lorikeet-heimdal import branch of patches to upgrade to a modern Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit a0d75b1cce4b97e1d6b78ba2b7adf96988d55608
Author: Andrew Bartlett 
Date:   Tue Jul 6 12:26:44 2021 +1200

lib/replace: For heimdal_build: Try to use the OS or compiler provided 
atomic operators

This provides the defines that may be needed to use the
compiler-provided atomics, rather than a fallback.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 2701293f48a9e4014f9ba1e925d458fe25865bfb
Author: Joseph Sutton 
Date:   Fri Dec 3 11:58:53 2021 +1300

s4:torture: Remove pre-send and post-receive callbacks

The client-side testing done by these callbacks is no longer needed, and
the server-side testing is covered by Python-based tests. Removing these
leaves us with a more manageable test of the Kerberos API.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/replace/wscript  |7 +
 selftest/knownfail.d/kdc-enterprise  |   63 --
 selftest/knownfail_heimdal_kdc   |3 -
 selftest/knownfail_mit_kdc   |   36 +
 source4/heimdal_build/wscript_build  |   31 +-
 source4/kdc/db-glue.c|   24 +-
 source4/torture/krb5/kdc-canon-heimdal.c | 1069 +-
 7 files changed, 71 insertions(+), 1162 deletions(-)
 delete mode 100644 selftest/knownfail.d/kdc-enterprise


Changeset truncated at 500 lines:

diff --git a/lib/replace/wscript b/lib/replace/wscript
index 53cb5d4fa76..a928b80f2f7 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -298,6 +298,13 @@ def configure(conf):
 'HAVE___SYNC_FETCH_AND_ADD',
 msg='Checking for __sync_fetch_and_add compiler builtin')
 
+conf.CHECK_CODE('''
+int i;
+(void)__sync_add_and_fetch(, 1);
+''',
+'HAVE___SYNC_ADD_AND_FETCH',
+msg='Checking for __sync_add_and_fetch compiler builtin')
+
 conf.CHECK_CODE('''
 int32_t i;
 atomic_add_32(, 1);
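Review bot: in the added CHECK_CODE fragment, "(void)__sync_add_and_fetch(, 1);" has no first argument as it appears here, so the probe cannot compile and HAVE___SYNC_ADD_AND_FETCH would never be defined. The builtin needs a pointer to the "int i" declared on the line above. The unchanged "atomic_add_32(, 1);" context line shows the same gap, so please check both against the tree.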
diff --git a/selftest/knownfail.d/kdc-enterprise 
b/selftest/knownfail.d/kdc-enterprise
deleted file mode 100644
index c9b6c98a2ee..000
--- a/selftest/knownfail.d/kdc-enterprise
+++ /dev/null
@@ -1,63 +0,0 @@
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
-samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5
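Review bot: deleting selftest/knownfail.d/kdc-enterprise outright means every test_MachineCredentials_Enterprise* entry listed here must now pass on all KDC builds that read this file. The diffstat shows 36 lines added to selftest/knownfail_mit_kdc in the same push, so please confirm that each entry removed here which still fails against the MIT KDC has a matching line there, and say so in the commit message.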

[SCM] Samba Shared Repository - branch master updated

2021-12-06 Thread Andrew Bartlett
The branch, master has been updated
   via  7eb1e1cc949 s4:torture: Remove test combination with enterprise 
principal without canonicalize flag
   via  23ec41fd13f s4:torture: Remove AS_REQ_SELF test stage
   via  f8b17214d06 tests/krb5: Add tests for enterprise principals with 
canonicalization
   via  860065a3c99 tests/krb5: Add tests for AS-REQ with an SPN
   via  31900a0a582 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with 
different encryption types
   via  ff6d325e38d tests/krb5: Check ticket cname for Heimdal
   via  3fc9dc2395e tests/krb5: Check logon name in PAC for 
canonicalization tests
   via  10983779bc5 tests/krb5: Only create testing accounts once per test 
run
   via  8036aa12766 waf:mitkrb5: Always define lib so we get the header 
include path
   via  238e4c86ca7 waf:mitkrb5: Fix MIT KRB5 detection if not in default 
system location
   via  61404faf767 waf:mitkrb5: Detect com_err with pkgconfig first
   via  61ce2899791 wafsamba: Pass lib to CHECK_DECLS()
   via  18788e174ed s3:waf: Fix dependendies for libads
   via  93619962020 s4:waf: Fix dependencies for TORTURE_UTIL
   via  8393adaa5ad s3:param: Only include smb_ldap.h for LDAP_* defines
   via  3bfdbc1e93b s3:param: Remove trailing spaces in loadparm.c
   via  528e5efc17d samba-tool: Test DNS record creation on member join
   via  5e31e8f15bf samba-tool: Create DNS entries on member join
  from  05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only 
building HEIMDAL_ASN1_GEN_HOSTCC when needed.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df
Author: Joseph Sutton 
Date:   Fri Dec 3 11:58:40 2021 +1300

s4:torture: Remove test combination with enterprise principal without 
canonicalize flag

This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Dec  6 22:57:54 UTC 2021 on sn-devel-184

commit 23ec41fd13f3ccae6b494682901f084d34538bec
Author: Joseph Sutton 
Date:   Fri Dec 3 11:57:49 2021 +1300

s4:torture: Remove AS_REQ_SELF test stage

This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f8b17214d06ad9f1321a1d57f6e9bfe7b8899bf6
Author: Joseph Sutton 
Date:   Tue Nov 30 09:42:00 2021 +1300

tests/krb5: Add tests for enterprise principals with canonicalization

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 860065a3c99475e43f68330f7349cb317bc5b009
Author: Joseph Sutton 
Date:   Thu Nov 25 16:22:58 2021 +1300

tests/krb5: Add tests for AS-REQ with an SPN

Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 31900a0a58283868798dcb90ed43519b39559c2c
Author: Joseph Sutton 
Date:   Fri Dec 3 13:13:29 2021 +1300

tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption 
types

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ff6d325e38d83b689da47c1b059f3ed865ffa7c2
Author: Joseph Sutton 
Date:   Thu Nov 25 16:16:52 2021 +1300

tests/krb5: Check ticket cname for Heimdal

This is currently not checked in several places due to STRICT_CHECKING
being set to 0.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3fc9dc2395ebc292087ae050bd721747e851056d
Author: Joseph Sutton 
Date:   Thu Dec 2 16:51:26 2021 +1300

tests/krb5: Check logon name in PAC for canonicalization tests

This allows us to ensure that the correct name makes it through to the
PAC.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 10983779bc5d50cdb69b64656cbc56f0250e3f23
Author: Joseph Sutton 
Date:   Thu Dec 2 16:50:55 2021 +1300

tests/krb5: Only create testing accounts once per test run

This decreases the time that the tests take to run.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 8036aa12766840e019f28e914a30769f71444ba9
Author: Andreas Schneider 
Date:   Mon Dec 6 18:01:40 2021 +0100

waf:mitkrb5: Always define lib so we get the header include path

If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

[SCM] Samba Shared Repository - branch master updated

2021-12-06 Thread Andrew Bartlett
The branch, master has been updated
   via  05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only 
building HEIMDAL_ASN1_GEN_HOSTCC when needed.
   via  98cb41cb35d build: Remove kdc_include except where needed
   via  209a33670fa build: Only use embedded Heimdal include paths in an 
embedded Heimdal build
  from  d6380560f87 docs: fix documentation for default of 
"fruit:zero_file_id"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 05c09e8cfa09d22b31b7da6b461413dfb807984a
Author: Andrew Bartlett 
Date:   Thu Dec 2 13:25:07 2021 +1300

heimdal_build: Prepare for Heimdal upgrade by only building 
HEIMDAL_ASN1_GEN_HOSTCC when needed.

This will otherwise break the system-heimdal build.

This is correct regardless.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Dec  6 21:48:30 UTC 2021 on sn-devel-184

commit 98cb41cb35dfacbd5c6acfb13a0ac555b474da08
Author: Andrew Bartlett 
Date:   Thu Dec 2 11:47:35 2021 +1300

build: Remove kdc_include except where needed

This include was being set on too many subsystems, including some 
MIT-related.

This was a problem because it would then trigger the mixing of MIT and 
Heimdal
krb5.h files.  It is now only set on the plugins and services that use the
embedded Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

commit 209a33670fab5dd7373444ae1ce76dbb5dfa0058
Author: Andrew Bartlett 
Date:   Thu Dec 2 11:33:02 2021 +1300

build: Only use embedded Heimdal include paths in an embedded Heimdal build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

---

Summary of changes:
 buildtools/wafsamba/samba3.py   |  4 ++--
 source4/heimdal_build/wscript_build | 18 +-
 source4/kdc/wscript_build   |  9 -
 3 files changed, 11 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba3.py b/buildtools/wafsamba/samba3.py
index ebc7fbb707f..4277c5f6f2e 100644
--- a/buildtools/wafsamba/samba3.py
+++ b/buildtools/wafsamba/samba3.py
@@ -35,8 +35,8 @@ def s3_fix_kwargs(bld, kwargs):
 
 # the extra_includes list is relative to the source3 directory
 extra_includes = [ '.', 'include', 'lib' ]
-# local heimdal paths only included when USING_SYSTEM_KRB5 is not set
-if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
+# local heimdal paths must only be included when using our embedded Heimdal
+if bld.CONFIG_SET("USING_EMBEDDED_HEIMDAL"):
 extra_includes += [ '../source4/heimdal/lib/com_err',
 '../source4/heimdal/lib/krb5',
 '../source4/heimdal/lib/gssapi',
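Review bot: the new test bld.CONFIG_SET("USING_EMBEDDED_HEIMDAL") is not the strict negation of the old "not bld.CONFIG_SET("USING_SYSTEM_KRB5")", so a configuration in which neither symbol is set now silently loses the ../source4/heimdal/lib/* include paths. If that state cannot occur, say so in the comment above the if; if it can, an explicit configure-time error is easier to diagnose than a missing header later in the build.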
diff --git a/source4/heimdal_build/wscript_build 
b/source4/heimdal_build/wscript_build
index 079cac744f9..77519356575 100644
--- a/source4/heimdal_build/wscript_build
+++ b/source4/heimdal_build/wscript_build
@@ -856,21 +856,21 @@ HEIMDAL_SUBSYSTEM('HEIMDAL_VERS_HOSTCC',
use_global_deps=False,
use_hostcc=True)
 
-HEIMDAL_SUBSYSTEM('HEIMDAL_ASN1_GEN_HOSTCC',
-   'lib/asn1/gen.c',
-   includes='../heimdal/lib/asn1',
-   group='hostcc_build_main',
-   cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
-   deps='ROKEN_HOSTCC',
-   use_global_deps=False,
-   use_hostcc=True)
-
 HEIMDAL_SUBSYSTEM('HEIMDAL_VERS',
'lib/vers/print_version.c ../heimdal_build/version.c',
 deps='roken replace')
 
 
 if not bld.CONFIG_SET('USING_SYSTEM_ASN1_COMPILE'):
+HEIMDAL_SUBSYSTEM('HEIMDAL_ASN1_GEN_HOSTCC',
+  'lib/asn1/gen.c',
+  includes='../heimdal/lib/asn1',
+  group='hostcc_build_main',
+  
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
+  deps='ROKEN_HOSTCC',
+  use_global_deps=False,
+  use_hostcc=True)
+
 # here is the asn1 compiler build rule
 HEIMDAL_BINARY('asn1_compile',
 'lib/asn1/gen_copy.c '
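Review bot: moving HEIMDAL_ASN1_GEN_HOSTCC under "if not bld.CONFIG_SET('USING_SYSTEM_ASN1_COMPILE'):" is only safe if nothing outside that block lists it in deps. Please confirm that no other subsystem references it when a system asn1_compile is in use, and add a short comment on the moved block stating that it exists only to build the bundled asn1 compiler.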
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 0edca94e75f..c7f28a72342 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -58,7 +58,6 @@ bld.SAMBA_LIBRARY('HDB_SAMBA4',
 bld.SAMBA_LIBRARY('HDB_SAMBA4_PLUGIN',
   source='hdb-samba4-plugin.c',
   deps='hdb HDB_SAMBA4 samba-util samba-hostconfig ',
-  includes=kdc_include,
   link_name='modules/hdb/hdb_samba4.so',
   realname='hdb_samba4.so',
 
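Review bot: with "includes=kdc_include" dropped from HDB_SAMBA4_PLUGIN, hdb-samba4-plugin.c has to find its KDC headers through "deps='hdb HDB_SAMBA4 samba-util samba-hostconfig '" alone. Please confirm that this target still builds in the embedded Heimdal configuration, since the commit message says the include is meant to stay on the plugins that use the embedded Heimdal KDC.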

[SCM] Samba Shared Repository - branch master updated

2021-12-03 Thread Andrew Bartlett
The branch, master has been updated
   via  dab828f63c0 pytest/source_char: check for mixed direction text
   via  0f7e58b0e29 samba-tool domain backup: backup but do not follow 
symlinks
   via  697abc15ea5 samba-tool domain backup: cope better with dangling 
symlinks
  from  5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dab828f63c0a6bf0bb96920fd36383f6cbe43179
Author: Douglas Bagnall 
Date:   Wed Nov 17 20:17:53 2021 +

pytest/source_char: check for mixed direction text

As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:

$ python -c's = "b = x  # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = x  # 2 * n * m
b = א  # 2 * ח * m

Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.

It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:

$ python -c's = "b = \"x#\"  #  n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = "x#"  #  n
b = "א#"  #  ח

where the second line is visually disordered but looks valid. Any series
of neutral characters between two RTL characters will be reversed (and
possibly mirrored).

In practice this affects one file, which is a text file for testing
unicode normalisation.

I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec  3 18:53:43 UTC 2021 on sn-devel-184

commit 0f7e58b0e29778711d3385adbba957c175c3bdef
Author: Douglas Bagnall 
Date:   Wed Dec 1 10:20:48 2021 +1300

samba-tool domain backup: backup but do not follow symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 697abc15ea50e9069eb483fdd734588281bae123
Author: Douglas Bagnall 
Date:   Thu Nov 25 09:26:54 2021 +1300

samba-tool domain backup: cope better with dangling symlinks

Our previous behaviour was to try to os.stat() the non-existent
target.

The new code greatly improves efficiency for this little task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/domain_backup.py | 10 +-
 python/samba/tests/source_chars.py   | 29 +
 testdata/source-chars-bidi.py| 24 
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 testdata/source-chars-bidi.py


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain_backup.py 
b/python/samba/netcmd/domain_backup.py
index 81738196385..6cb0e512595 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -1109,6 +1109,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 
 # Recursively get all file paths in the backup directories
 all_files = []
+all_stats = set()
 for backup_dir in backup_dirs:
 for (working_dir, _, filenames) in os.walk(backup_dir):
 if working_dir.startswith(paths.sysvol):
@@ -1126,7 +1127,13 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 # Ignore files that have already been added. This prevents
 # duplicates if one backup dir is a subdirectory of 
another,
 # or if backup dirs contain hardlinks.
-if any(os.path.samefile(full_path, file) for file in 
all_files):
+try:
+s = os.stat(full_path, follow_symlinks=False)
+except FileNotFoundError:
+logger.warning(f"{full_path} does not exist!")
+continue
+
+if (s.st_ino, s.st_dev) in all_stats:
 continue
 
 # Assume existing backup files are from a previous backup.
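Review bot: only FileNotFoundError is caught around os.stat(full_path, follow_symlinks=False), so a PermissionError or any other OSError on a single file still propagates and aborts the whole walk. Either catch OSError and log the actual error, or note in a comment that aborting is intended. Because follow_symlinks=False stats the link itself, the "does not exist!" branch is reached only when the path vanishes between os.walk() and the stat, which is worth stating next to the warning. The lines shown here test membership in all_stats but never add to it, so please confirm that the following hunk records (s.st_ino, s.st_dev) for every file that is kept.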
@@ -1140,6 +1147,7 @@ class cmd_domain_backup_offline(samba.netcmd.
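
The mixed-direction check described in the "pytest/source_char: check for mixed direction text" commit message above, as an added example. It is not Samba's source_chars.py test and not code from this thread. The function names, file names and sample text are constructed for illustration, and it also reports explicit bidi control characters.

```python
import unicodedata

# Unicode bidirectional classes with strong right-to-left direction
# (Hebrew is "R", Arabic is "AL").
RTL_CLASSES = {"R", "AL"}
# Explicit embedding, override and isolate controls.
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def classify_line(line):
    """Return a sorted list of findings for one line of text.

    "rtl"             the line contains a strong right-to-left character
    "mixed-direction" it also contains a strong left-to-right character, so
                      neutral characters (spaces, '#', '*', quotes) can be
                      displayed in a different order from the one parsed
    "bidi-control"    the line contains an explicit bidi control character
    """
    classes = {unicodedata.bidirectional(ch) for ch in line}
    findings = set()
    if classes & BIDI_CONTROLS:
        findings.add("bidi-control")
    if classes & RTL_CLASSES:
        findings.add("rtl")
        if "L" in classes:
            findings.add("mixed-direction")
    return sorted(findings)


def scan_sources(sources, allow_list=frozenset()):
    """Scan {name: text}; return {name: [(lineno, findings), ...]}.

    Names in allow_list are skipped, which is how a file that legitimately
    contains right-to-left text would be exempted.
    """
    report = {}
    for name, text in sources.items():
        if name in allow_list:
            continue
        hits = []
        for lineno, line in enumerate(text.splitlines(), start=1):
            findings = classify_line(line)
            if findings:
                hits.append((lineno, findings))
        if hits:
            report[name] = hits
    return report


# Constructed sample input (hypothetical file names). The escapes are
# U+05D0 and U+05D7, the two Hebrew letters used in the commit message,
# and U+202E, RIGHT-TO-LEFT OVERRIDE.
SAMPLES = {
    "example/plain.py": 'b = x  # 2 * n * m\n',
    "example/swapped.py": (
        'a = 1\n'
        'b = \u05d0  # 2 * \u05d7 * m\n'
        'c = "\u05d0#"  #  \u05d7\n'
    ),
    "example/override.py": 'x = 1 \u202e# trailing comment\n',
    "example/normalisation.txt": '\u05d0\u05d7 abc\n',
}

if __name__ == "__main__":
    allowed = {"example/normalisation.txt"}
    for name, hits in scan_sources(SAMPLES, allowed).items():
        for lineno, findings in hits:
            print(f"{name}:{lineno}: {', '.join(findings)}")
```
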

[SCM] Samba Shared Repository - branch master updated

2021-11-29 Thread Andrew Bartlett
The branch, master has been updated
   via  38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present 
for TGTs
   via  9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for 
S4U2Self service ticket
   via  ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal
   via  1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self
   via  192d6edfe91 tests/krb5: Add a test for S4U2Self with no 
authorization data required
   via  4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued 
tickets
   via  90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets
   via  e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional 
PAC buffers"
   via  73a48063469 tests/krb5: Add tests for renewal and validation of 
RODC TGTs with PAC requests
   via  690a00a40c0 kdc: Always add the PAC if the header TGT is from an 
RODC
   via  b6a25f5f016 kdc: Match Windows error code for mismatching sname
   via  bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname
   via  d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows
   via  f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows
   via  9cfb88ba048 s4:torture: Fix typo
   via  11fb9476ad3 heimdal:kdc: Fix error message for user-to-user
   via  749349efab9 tests/krb5: Add comments for tests that fail against 
Windows
   via  ca80c47406e tests/krb5: Add tests for validation with requester SID 
PAC buffer
   via  ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely 
match Windows with PacRequestorEnforcement=2
   via  ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST
   via  778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT
   via  7574ba9f580 tests/krb5: Add tests for invalid TGTs
   via  28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments
   via  d95705172bc tests/krb5: Adjust error codes to better match Windows 
with PacRequestorEnforcement=2
   via  e930274aa43 tests/krb5: Split out methods to create renewable or 
invalid tickets
   via  a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams
   via  167bd207048 tests/krb5: Run test_rpc against member server
   via  f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests
   via  57b1b76154d tests/krb5: Remove unused variable
   via  ad4d6fb01fd selftest: Check received LDB error code when 
STRICT_CHECKING=0
  from  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton 
Date:   Wed Nov 24 20:41:54 2021 +1300

kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton 
Date:   Tue Nov 23 19:38:35 2021 +1300

heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton 
Date:   Thu Nov 25 09:29:42 2021 +1300

selftest: Properly check extra PAC buffers with Heimdal

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton 
Date:   Tue Nov 23 17:30:50 2021 +1300

heimdal:kdc: Always generate a PAC for S4U2Self

If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton 
Date:   Thu Nov 25 12:46:40 2021 +1300

tests/krb5: Add a test for S4U2Self with no authorization data required

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton 
Date:   Thu Nov 25 10:53:49 2021 +1300

kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket 

Upcoming Samba security release

2021-11-04 Thread Andrew Bartlett via samba-announce
Hi,

this is a heads-up that there will be Samba security updates
on Tuesday, November 9. Please make sure that your Samba servers
will be updated immediately after the release!

Impacted components:

* AD DC (CVSS 8.8, high)
* AD Domain member (CVSS 8.1, high)
* File server (CVSS 4.8 medium)

Cheers,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)   https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions




Upcoming Samba security release

2021-11-02 Thread Andrew Bartlett via samba-announce
Hi,

this is a heads-up that there will be Samba security updates
on Tuesday, November 9. Please make sure that your Samba servers
will be updated immediately after the release!

Impacted components:

* AD DC (CVSS 8.8, high)
* AD Domain member (CVSS 8.1, high)
* File server (CVSS 4.8 medium)

Cheers,

Andrew Bartlett
-- 
Andrew Bartlett (he/him)   https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions




[SCM] Samba Shared Repository - branch master updated

2021-10-23 Thread Andrew Bartlett
The branch, master has been updated
   via  5094d986b76 lib/krb5_wrap: Fix missing error check in new salt code
  from  5eeb441b771 dsdb: Allow special chars like "@" in samAccountName when generating the salt

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5094d986b7686f057195dcb10764295b88967019
Author: Andrew Bartlett 
Date:   Fri Oct 22 10:50:36 2021 +1300

lib/krb5_wrap: Fix missing error check in new salt code

CID 1492905: Control flow issues  (DEADCODE)

This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184

---

Summary of changes:
 lib/krb5_wrap/krb5_samba.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 63a6e951f80..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -594,9 +594,9 @@ int smb_krb5_salt_principal(krb5_context krb5_ctx,
 * No matter what realm (including none) in the UPN,
 * the realm is replaced with our upper-case realm
 */
-   smb_krb5_principal_set_realm(krb5_ctx,
-*salt_princ,
-upper_realm);
+   krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+   *salt_princ,
+   upper_realm);
if (krb5_ret != 0) {
krb5_free_principal(krb5_ctx, *salt_princ);
TALLOC_FREE(frame);
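
Review bot: In the error branch under `if (krb5_ret != 0)`, `krb5_free_principal(krb5_ctx, *salt_princ)` frees the caller's out-parameter, and the visible lines do not show it being reset. If the lines after this hunk do not already do so, add `*salt_princ = NULL;` after the free so that a caller which mishandles the return value cannot reuse or double-free the principal. The assignment to `krb5_ret` is the right fix for the check itself: without it the `if` could not observe a failure from smb_krb5_principal_set_realm().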


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-10-19 Thread Andrew Bartlett
The branch, master has been updated
   via  04f188f4d57 bootstrap: Debian 11 has liburing-dev
  from  c901adaa0d4 bootstrap: Add Debian 11

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 04f188f4d573f0138b75f26d1c18d98329a3446e
Author: Martin Schwenke 
Date:   Tue Oct 19 11:00:22 2021 +1100

bootstrap: Debian 11 has liburing-dev

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872

Signed-off-by: Martin Schwenke 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Oct 19 09:14:10 UTC 2021 on sn-devel-184

---

Summary of changes:
 .gitlab-ci-main.yml | 2 +-
 bootstrap/config.py | 1 -
 bootstrap/generated-dists/debian11/bootstrap.sh | 1 +
 bootstrap/generated-dists/debian11/packages.yml | 1 +
 bootstrap/sha1sum.txt   | 2 +-
 5 files changed, 4 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index ba8de6c22fe..cc48ec12a64 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 8d90789fe49d9003a7e5c66b1a00639bcce1238f
+  SAMBA_CI_CONTAINER_TAG: dd885c72c8615e2d6166a04f3709d9ceaa728f84
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
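
Review bot: `SAMBA_CI_CONTAINER_TAG` is a hand-copied duplicate of bootstrap/sha1sum.txt, as the comment above it says, so the two can drift apart. The value here does match the new sha1sum.txt line later in this patch; a small CI step that compares the variable with the file content would turn a forgotten update into an immediate failure rather than a build against the wrong container image.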
diff --git a/bootstrap/config.py b/bootstrap/config.py
index c98ece513ec..2cf754782a1 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -404,7 +404,6 @@ DEB_DISTS = {
 'vagrant_box': 'debian/bullseye64',
 'replace': {
 'language-pack-en': '',   # included in locales
-'liburing-dev': '',   # not available
 }
 },
 'ubuntu1804': {
diff --git a/bootstrap/generated-dists/debian11/bootstrap.sh 
b/bootstrap/generated-dists/debian11/bootstrap.sh
index 84f5f6855b7..07d6209c072 100755
--- a/bootstrap/generated-dists/debian11/bootstrap.sh
+++ b/bootstrap/generated-dists/debian11/bootstrap.sh
@@ -70,6 +70,7 @@ apt-get -y install \
 libtasn1-dev \
 libtracker-sparql-2.0-dev \
 libunwind-dev \
+liburing-dev \
 lmdb-utils \
 locales \
 lsb-release \
diff --git a/bootstrap/generated-dists/debian11/packages.yml 
b/bootstrap/generated-dists/debian11/packages.yml
index 32f37eeb013..6d3c2385339 100644
--- a/bootstrap/generated-dists/debian11/packages.yml
+++ b/bootstrap/generated-dists/debian11/packages.yml
@@ -59,6 +59,7 @@ packages:
   - libtasn1-dev
   - libtracker-sparql-2.0-dev
   - libunwind-dev
+  - liburing-dev
   - lmdb-utils
   - locales
   - lsb-release
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index a9996ecf27d..60a3cced99c 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-8d90789fe49d9003a7e5c66b1a00639bcce1238f
+dd885c72c8615e2d6166a04f3709d9ceaa728f84


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-10-18 Thread Andrew Bartlett
The branch, master has been updated
   via  c901adaa0d4 bootstrap: Add Debian 11
  from  9d3a6919202 tests/krb5: Add tests for requesting a service ticket without a PAC

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c901adaa0d4526deff550806e49976d686122674
Author: Martin Schwenke 
Date:   Thu Oct 14 14:50:41 2021 +1100

bootstrap: Add Debian 11

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14872

Signed-off-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Oct 18 17:19:17 UTC 2021 on sn-devel-184

---

Summary of changes:
 .gitlab-ci-main.yml   | 8 +++-
 bootstrap/.gitlab-ci.yml  | 3 +++
 bootstrap/config.py   | 8 
 bootstrap/generated-dists/Vagrantfile | 7 +++
 bootstrap/generated-dists/{centos7 => debian11}/Dockerfile| 2 +-
 bootstrap/generated-dists/{debian10 => debian11}/bootstrap.sh | 0
 bootstrap/generated-dists/{centos7 => debian11}/locale.sh | 0
 bootstrap/generated-dists/{debian10 => debian11}/packages.yml | 0
 bootstrap/sha1sum.txt | 2 +-
 9 files changed, 27 insertions(+), 3 deletions(-)
 copy bootstrap/generated-dists/{centos7 => debian11}/Dockerfile (92%)
 copy bootstrap/generated-dists/{debian10 => debian11}/bootstrap.sh (100%)
 copy bootstrap/generated-dists/{centos7 => debian11}/locale.sh (100%)
 copy bootstrap/generated-dists/{debian10 => debian11}/packages.yml (100%)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index f807eef41ce..ba8de6c22fe 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 752c448d3186fe93a0c4039b8fbe897bb67a1f33
+  SAMBA_CI_CONTAINER_TAG: 8d90789fe49d9003a7e5c66b1a00639bcce1238f
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
@@ -58,6 +58,7 @@ variables:
   SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ubuntu2004
   SAMBA_CI_CONTAINER_IMAGE_debian9: debian9
   SAMBA_CI_CONTAINER_IMAGE_debian10: debian10
+  SAMBA_CI_CONTAINER_IMAGE_debian11: debian11
   SAMBA_CI_CONTAINER_IMAGE_opensuse151: opensuse151
   SAMBA_CI_CONTAINER_IMAGE_opensuse152: opensuse152
   SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33
@@ -569,6 +570,11 @@ debian10-samba-o3:
   variables:
 SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian10}
 
+debian11-samba-o3:
+  extends: .samba-o3-template
+  variables:
+SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_debian11}
+
 opensuse151-samba-o3:
   extends: .samba-o3-template
   variables:
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 1cef89374de..01da6106b53 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -97,6 +97,9 @@ ubuntu2004:
 debian10:
   extends: .build_image_template
 
+debian11:
+  extends: .build_image_template
+
 fedora33:
   extends: .build_image_template
 
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 7fe3bbd956a..c98ece513ec 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -399,6 +399,14 @@ DEB_DISTS = {
 'liburing-dev': '',   # not available
 }
 },
+'debian11': {
+'docker_image': 'debian:11',
+'vagrant_box': 'debian/bullseye64',
+'replace': {
+'language-pack-en': '',   # included in locales
+'liburing-dev': '',   # not available
+}
+},
 'ubuntu1804': {
 'docker_image': 'ubuntu:18.04',
 'vagrant_box': 'ubuntu/bionic64',
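
Review bot: The `'liburing-dev': '',   # not available` line in the new `debian11` entry is identical to the one in the entry just above it (the first context line of this hunk), which suggests it was carried over with the copy rather than checked against Debian 11. Please confirm the package really is missing from `debian:11`; if it is available, drop the replacement so the Debian 11 image is built with liburing.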
diff --git a/bootstrap/generated-dists/Vagrantfile 
b/bootstrap/generated-dists/Vagrantfile
index 7c1e0d80c6a..358d8e23d59 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -31,6 +31,13 @@ Vagrant.configure("2") do |config|
 v.vm.provision :shell, path: "debian10/locale.sh"
 end
 
+config.vm.define "debian11" do |v|
+v.vm.box = "debian/bullseye64"
+v.vm.hostname = "debian11"
+v.vm.provision :shell, path: "debian11/bootstrap.sh"
+v.vm.provision :shell, path: "debian11/locale.sh"
+end
+
 config.vm.define "fedora33" do |v|
 v.vm.box = "fedora/33-cloud-base"
 v.vm.hostname = "fedora33"
diff --git a/bootstrap/generated-dists/centos7/Dockerfile 
b/bootstrap/generated-dists/debian11/Dockerfile
similarity index 92%
copy from bootstrap/generated-dists/centos7/Dockerfile

[SCM] Samba Shared Repository - branch master updated

2021-10-17 Thread Andrew Bartlett
The branch, master has been updated
   via  9d3a6919202 tests/krb5: Add tests for requesting a service ticket without a PAC
   via  288355896a2 tests/krb5: Add method to get the PAC from a ticket
   via  0dc69c1327f tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
   via  e086c6193f6 tests/krb5: Allow get_tgt() to request including or omitting a PAC
   via  d23d8e85935 heimdal:kdc: Fix ticket signing without a PAC
  from  a7ad665e65f selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
Author: Joseph Sutton 
Date:   Fri Oct 15 14:29:26 2021 +1300

tests/krb5: Add tests for requesting a service ticket without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184

commit 288355896a2b6f460c42559ec46ff980ab57782e
Author: Joseph Sutton 
Date:   Fri Oct 15 14:27:25 2021 +1300

tests/krb5: Add method to get the PAC from a ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 0dc69c1327f72384628a869a00482f6528b8671b
Author: Joseph Sutton 
Date:   Fri Oct 15 14:27:15 2021 +1300

tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5
Author: Joseph Sutton 
Date:   Fri Oct 15 14:26:40 2021 +1300

tests/krb5: Allow get_tgt() to request including or omitting a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216
Author: Joseph Sutton 
Date:   Fri Oct 15 12:12:30 2021 +1300

heimdal:kdc: Fix ticket signing without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/kdc_base_test.py |   9 +--
 python/samba/tests/krb5/kdc_tgs_tests.py | 120 +++
 python/samba/tests/krb5/raw_testcase.py  |  11 +++
 selftest/knownfail_heimdal_kdc   |   5 ++
 selftest/knownfail_mit_kdc   |   5 ++
 source4/heimdal/kdc/krb5tgs.c|   6 +-
 6 files changed, 150 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
index 87160f675ae..1fc15315b0b 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1306,9 +1306,9 @@ class KDCBaseTest(RawKerberosTest):
 
 def get_tgt(self, creds, to_rodc=False, kdc_options=None,
 expected_flags=None, unexpected_flags=None,
-fresh=False):
+pac_request=True, expect_pac=True, fresh=False):
 user_name = creds.get_username()
-cache_key = (user_name, to_rodc, kdc_options)
+cache_key = (user_name, to_rodc, kdc_options, pac_request)
 
 if not fresh:
 tgt = self.tkt_cache.get(cache_key)
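
Review bot: `pac_request` and `expect_pac` are inserted ahead of `fresh` in the signature of `get_tgt()`, so any caller that passes `fresh` positionally would now set `pac_request` instead; appending the new keywords after `fresh`, or making them keyword-only, avoids that. Separately, `cache_key` gains `pac_request` but not `expect_pac`, and the visible lines do not show `expect_pac` being consulted when `self.tkt_cache.get(cache_key)` returns a ticket, so it is worth confirming that the expectation is still checked on a cache hit.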
@@ -1363,7 +1363,7 @@ class KDCBaseTest(RawKerberosTest):
 kdc_options=kdc_options,
 preauth_key=None,
 ticket_decryption_key=ticket_decryption_key,
-pac_request=True,
+pac_request=pac_request,
 pac_options=pac_options,
 to_rodc=to_rodc)
 self.check_pre_authentication(rep)
@@ -1405,8 +1405,9 @@ class KDCBaseTest(RawKerberosTest):
 kdc_options=kdc_options,
 preauth_key=preauth_key,
 ticket_decryption_key=ticket_decryption_key,
-pac_request=True,
+pac_request=pac_request,
 pac_options=pac_options,
+expect_pac=expect_pac,
 to_rodc=to_rodc)
 self.check_as_reply(rep)
 
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py 
b/python/samba/tests/krb5/kdc_tgs_tests.py
index 3075cc6b0a9..9d846a2c3ad 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -23,15 +23,18 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
+import samba.tests.krb5.kcrypto as kcrypto
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 from samba.tests.krb5.rfc4120_constants import (
 AES256_CTS_HMAC_SHA1_96,
 ARCFOUR_HMAC_MD5,
  

[SCM] Samba Shared Repository - branch master updated

2021-10-15 Thread Andrew Bartlett
The branch, master has been updated
   via  a7ad665e65f selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
   via  ce3d33f4c14 gitlab-ci: Do not download artifacts of unrelated builds
   via  1cdf8493b5a gitlab-ci: Do not retry for job_execution_timeout
  from  1d3e118f6f2 s3: smbspool. Remove last use of 'extern char **environ;'.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4
Author: Andrew Bartlett 
Date:   Fri Oct 15 13:09:20 2021 +1300

selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)

The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.

These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Andrew Bartlett 
Reviewed-by: Joseph Sutton 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184

commit ce3d33f4c141afdfa3fbe9fe26835dc32ef95fe0
Author: Andrew Bartlett 
Date:   Fri Oct 15 08:22:17 2021 +1300

gitlab-ci: Do not download artifacts of unrelated builds

This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes.  However this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 1cdf8493b5a43a084b5004e5c2667b9dd9e31d91
Author: Andrew Bartlett 
Date:   Thu Oct 14 20:24:49 2021 +1300

gitlab-ci: Do not retry for job_execution_timeout

If we timeout, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).

This is for when the job runs long for any reason, currently the
reasons for a timeout are not transient, we need to either change
the timeout or fix the system.  Likewise if the tests get into a loop
or deadlock we want to see that as a failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 .gitlab-ci-main.yml   | 12 +++-
 testprogs/blackbox/dbcheck.sh |  4 ++--
 2 files changed, 13 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index d876923f9e7..f807eef41ce 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -97,6 +97,16 @@ include:
 key: ccache.${CI_JOB_NAME}.${SAMBA_CI_JOB_IMAGE}.${SAMBA_CI_FLAVOR}
 paths:
   - ccache
+
+  # This is overridden in many cases, but ensures none of the other
+  # main jobs start until and unless this build finishes.  However
+  # this also ensures we do not download artifacts from any build
+  # unless we specifically depend on it, saving bandwidth
+
+  needs:
+- job: samba-def-build
+  artifacts: false
+
   before_script:
 - uname -a
 - lsb_release -a
@@ -148,7 +158,6 @@ include:
   - api_failure
   - runner_unsupported
   - stale_schedule
-  - job_execution_timeout
   - archived_failure
   - scheduler_failure
   - data_integrity_failure
@@ -177,6 +186,7 @@ others:
 .shared_template_build_only:
   extends: .shared_template
   timeout: 2h
+  needs:
   artifacts:
 expire_in: 1 week
 paths:
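
Review bot: The bare `needs:` added to `.shared_template_build_only` has no value, so it parses as a YAML null, and nothing in the hunk says why it is there. If the intent is to clear the `needs` on samba-def-build that the first hunk of this file adds, write it as `needs: []` with a one-line comment; that states plainly that the build-only jobs have no prerequisites and does not rely on how a null value is merged through `extends`.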
diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh
index e2ba987e2de..5462441005e 100755
--- a/testprogs/blackbox/dbcheck.sh
+++ b/testprogs/blackbox/dbcheck.sh
@@ -19,12 +19,12 @@ dbcheck() {
 
 # This list of attributes can be freely extended
 dbcheck_fix_one_way_links() {
-   $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes 
fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent 
defaultObjectCategory fromServer rIDSetReferences msDS-RevealOnDemandGroup 
msDS-NeverRevealGroup" --cross-ncs $ARGS
+   $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes 
fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent 
defaultObjectCategory fromServer rIDSetReferences" --cross-ncs $ARGS
 }
 
 # This list of attributes can be freely extended
 dbcheck_fix_stale_links() {
-   $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes 
remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations 
msDS-NC-RO-Replica-Locations" --cross-ncs $ARGS
+   $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes 
remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations 
msDS-NC-RO-Replica-Locations msDS-Reveal

[SCM] Samba Shared Repository - branch master updated

2021-10-14 Thread Andrew Bartlett
 
Date:   Wed Oct 13 09:46:07 2021 -0700

s3: smbspool. Remove last use of 'extern char **environ;'.

This should come from lib/replace/replace.h to cope with
system (MacOSX etc.) differences.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184

commit f6adfefbbb41b9100736134d0f975f1ec0c33c42
Author: Nicolas Williams 
Date:   Sun Oct 10 21:55:59 2021 -0500

krb5: Fix PAC signature leak affecting KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Cherry-picked from Heimdal commit
 54581d2d52443a9a07ed5980df331f660b397dcf]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 02fa69c6c73c01d82807be4370e838f3e7c66f35
Author: Joseph Sutton 
Date:   Fri Oct 8 16:08:39 2021 +1300

s4:kdc: Check ticket signature

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 3bdce12789af1e7a7aba56691f184625a432410d
Author: Joseph Sutton 
Date:   Fri Oct 8 15:43:41 2021 +1300

heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function

This lets us call it from Samba.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1
Author: Joseph Sutton 
Date:   Wed Aug 11 13:27:11 2021 +1200

s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a
Author: Luke Howard 
Date:   Thu Sep 23 17:51:51 2021 +1000

kdc: correctly generate PAC TGS signature

When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.

Patch from Isaac Boukris.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Backported from Heimdal commit
 e7863e2af922809dad25a2e948e98c408944d551
 - Samba's Heimdal version does not have the generate_pac() helper
 function.
 - Samba's Heimdal version does not use the 'r' context variable.
]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 75d1a7cd14b134506061ed64ddb9b99856231d2c
Author: Luke Howard 
Date:   Thu Sep 23 14:39:35 2021 +1000

kdc: use ticket client name when signing PAC

The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Backported from Heimdal commit
 3b0856cab2b25624deb1f6e0e67637ba96a647ac
 - Renamed variable to avoid shadowing existing variable
]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit db30b71f79864a20b38a1f812a5df833f3a92de8
Author: Luke Howard 
Date:   Sun Jan 6 17:54:58 2019 +1100

kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Backported from Heimdal commit
 f1dd2b818aa0866960945edea02a6bc782ed697c
 - Removed change to _kdc_find_etype() use_strongest_session_key
 parameter since Samba's Heimdal version uses different logic
]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit d6a472e953545ec3858ca969c1a4191e4f27ba63
Author: Luke Howard 
Date:   Fri Sep 17 13:57:57 2021 +1000

krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails

Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2773379603a5a625c5d1c6e62f29c442942ff570
Author: Isaac Boukris 
Date:   Sun Sep 19 15:16:58 2021 +0300

krb5: rework PAC validation loop

Avoid allocating the PAC on error.

Closes: #836

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

[jsut...@samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76
Author: Isaac Boukris 
Date:   Sun Sep 19

[SCM] Samba Shared Repository - branch master updated

2021-10-13 Thread Andrew Bartlett
The branch, master has been updated
   via  8ab0238abd1 .gitlab-ci: Avoid duplicate CI on all merge requests
   via  bcc22d00569 .gitlab-ci.yml: Restore building most of our jobs
  from  dd178d97250 .gitlab-ci: Increase build timeout

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8ab0238abd171f9a11b013fd185605e7d1722b27
Author: Andrew Bartlett 
Date:   Thu Oct 14 08:51:21 2021 +1300

.gitlab-ci: Avoid duplicate CI on all merge requests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Oct 14 01:21:11 UTC 2021 on sn-devel-184

commit bcc22d00569551cfa25851c8c267ec9decc63d21
Author: Andrew Bartlett 
Date:   Thu Oct 14 08:11:49 2021 +1300

.gitlab-ci.yml: Restore building most of our jobs

We are changing the primary build jobs to use "when"
not "only".  These are similar and related GitLab syntax
tools to control when jobs are run.

With 'when' now in use it must be specified on all jobs
that inherit from each other via:

.extends .shared_template

"only" can be left however for the pages and coverity as
these use:

.extends .shared_runner_build_image

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
    
Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 .gitlab-ci-main.yml | 32 
 1 file changed, 24 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index a75305c7f5a..d876923f9e7 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -83,6 +83,13 @@ include:
   interruptible: true
   timeout: 2h
 
+  # Otherwise we run twice, once on push and once on MR
+  # https://forum.gitlab.com/t/new-rules-syntax-and-detached-pipelines/37292
+  rules:
+- if: $CI_MERGE_REQUEST_ID
+  when: never
+- when: on_success
+
   variables:
 AUTOBUILD_JOB_NAME: $CI_JOB_NAME
   stage: build
@@ -353,13 +360,16 @@ samba-fips:
 .private_test_only:
   extends: .private_runner_test
   stage: test_private
-  only:
-variables:
+  rules:
+  # See above, to avoid a duplicate CI on the MR (these rules override the 
others)
+- if: $CI_MERGE_REQUEST_ID
+  when: never
+
   # These jobs are only run if the gitlab repo has private runners 
available.
   # To enable private jobs, you must add the following var and value to
   # your gitlab repo by navigating to:
   # settings -> CI/CD -> Environment variables
-  - $SUPPORT_PRIVATE_TEST == "yes"
+- if: $SUPPORT_PRIVATE_TEST == "yes"
 
 .needs_samba-def-build-private:
   extends:
@@ -514,11 +524,14 @@ ubuntu1804-samba-o3:
 AUTOBUILD_JOB_NAME: samba-o3
 SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
 SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
-  only:
-variables:
-  # do not run o3 builds (which run a lot of VMs) if told not to
-  # (this uses the same variable as autobuild.py)
-  - $AUTOBUILD_SKIP_SAMBA_O3 == "0"
+  rules:
+# See above, to avoid a duplicate CI on the MR (these rules override the 
others)
+- if: $CI_MERGE_REQUEST_ID
+  when: never
+# do not run o3 builds (which run a lot of VMs) if told not to
+# (this uses the same variable as autobuild.py)
+- if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+  when: never
 
 # All other jobs do not want code coverage.
 .samba-o3-template:
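
Review bot: The new `rules:` list for ubuntu1804-samba-o3 contains only `when: never` entries. GitLab adds a job to a pipeline only when one of its rules matches with a result other than never, and the comment in this hunk notes that these rules override the inherited ones, so as written the job is left out even when `AUTOBUILD_SKIP_SAMBA_O3` is "0". End the list with `- when: on_success`, as the rules added in the first hunk of this file do.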
@@ -526,6 +539,9 @@ ubuntu1804-samba-o3:
   variables:
 AUTOBUILD_JOB_NAME: samba-o3
   rules:
+# See above, to avoid a duplicate CI on the MR (these rules override the 
others)
+- if: $CI_MERGE_REQUEST_ID
+  when: never
 # do not run o3 builds (which run a lot of VMs) if told not to
 # (this uses the same variable as autobuild.py)
 - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-10-13 Thread Andrew Bartlett
The branch, master has been updated
   via  dd178d97250 .gitlab-ci: Increase build timeout
   via  7857e1249b7 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
  from  fc2347be4ed Fix detection of rpc/xdr.h on macOS

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dd178d97250e041b29aad9b26d2994163bd99231
Author: Joseph Sutton 
Date:   Mon Oct 11 15:37:48 2021 +1300

.gitlab-ci: Increase build timeout

While the build will not take > 1hr, uploading the artifacts
needed to pass the build objects to the next stage can take
some time due to the distance between the runners and the
private CI server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861

Signed-off-by: Joseph Sutton 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Oct 13 12:00:03 UTC 2021 on sn-devel-184

commit 7857e1249b72be8c8841b99cb0820c9c563178f9
Author: Andrew Bartlett 
Date:   Tue Oct 12 07:55:54 2021 +1300

.gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI

GitLab CI resources are expensive and often rationed so
provide a way to test other things without testing an -O3
build also, as this will save 9 jobs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861

Signed-off-by: Andrew Bartlett 
Reviewed-by: Ralph Boehme 

---

Summary of changes:
 .gitlab-ci-default.yml |  1 +
 .gitlab-ci-main.yml| 18 +-
 2 files changed, 14 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-default.yml b/.gitlab-ci-default.yml
index d0831017d9b..e6089183674 100644
--- a/.gitlab-ci-default.yml
+++ b/.gitlab-ci-default.yml
@@ -3,6 +3,7 @@ variables:
   # "--enable-coverage" or ""
   # See .gitlab-ci-coverage.yml
   SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: ""
+  AUTOBUILD_SKIP_SAMBA_O3: "0"
 
 include:
   - /.gitlab-ci-default-runners.yml
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 052618db5c5..a75305c7f5a 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -169,7 +169,7 @@ others:
 
 .shared_template_build_only:
   extends: .shared_template
-  timeout: 1h
+  timeout: 2h
   artifacts:
 expire_in: 1 week
 paths:
@@ -514,16 +514,24 @@ ubuntu1804-samba-o3:
 AUTOBUILD_JOB_NAME: samba-o3
 SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
 SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
+  only:
+variables:
+  # do not run o3 builds (which run a lot of VMs) if told not to
+  # (this uses the same variable as autobuild.py)
+  - $AUTOBUILD_SKIP_SAMBA_O3 == "0"
 
 # All other jobs do not want code coverage.
 .samba-o3-template:
   extends: .shared_template
   variables:
 AUTOBUILD_JOB_NAME: samba-o3
-  only:
-variables:
-  # do not run o3 for coverage since they are using different images
-  - $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
+  rules:
+# do not run o3 builds (which run a lot of VMs) if told not to
+# (this uses the same variable as autobuild.py)
+- if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+  when: never
+# do not run o3 for coverage since they are using different images
+- if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
 
 ubuntu2004-samba-o3:
   extends: .samba-o3-template
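Review bot: the two skip checks are not complementary. ubuntu1804-samba-o3 runs only when AUTOBUILD_SKIP_SAMBA_O3 == "0", while .samba-o3-template is suppressed only when the variable == "1", so any other value (an empty string, "true", "yes") skips the coverage-enabled job but still runs every job built from the template. Comparing against the same literal in both places, for example changing the first condition to != "1", would make the variable behave the same way for all o3 jobs.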


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-09-28 Thread Andrew Bartlett
The branch, master has been updated
   via  3f4660900a7 selftest: test 
tsocket_address_inet_from_hostport_strings
   via  262148721ee selftest: add more tests for 
test_address_inet_from_strings
   via  c26fcef50d0 WHATSNEW: document dns forwarder change
   via  2a098030977 libcli/dns.c: dns forwarder port test changes
   via  617a5a1d357 libcli/dns: smb.conf dns forwarder port support
   via  f39a06de3be lib/tsocket: new function to parse host port strs.
   via  775939823a5 libcli/dns: dns forwarder port doc changes
   via  860d8902a9c pyldb: Make ldb.Message containment testing consistent 
with indexing
   via  865fe238599 pyldb: Add tests for ldb.Message containment testing
   via  22353767ca7 pyldb: Raise TypeError for an invalid ldb.Message index
   via  b018e51d272 pyldb: Add test for an invalid ldb.Message index type
   via  fb758c32e76 s4/torture/drs/python: Fix attribute existence check
   via  9d25a21d602 pyldb: Fix deleting an ldb.Control critical flag
   via  b1adaa517c1 pytest:segfault: Add test for deleting an ldb.Control 
critical flag
   via  d7af772de88 pyldb: Fix deleting an ldb.Message dn
   via  6a041f6a99c pytest:segfault: Add test for deleting an ldb.Message dn
  from  81e27693c62 mdssvc: Use ndr_policy_handle_empty()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 3f4660900a71816df505c2e634eef86a86afcda3
Author: Uri Simchoni 
Date:   Thu Sep 16 20:03:59 2021 +0300

selftest: test tsocket_address_inet_from_hostport_strings

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Sep 28 10:34:12 UTC 2021 on sn-devel-184

commit 262148721ee6d794f7f2d1ad1b36e00a1401ec41
Author: Uri Simchoni 
Date:   Thu Sep 16 20:03:02 2021 +0300

selftest: add more tests for test_address_inet_from_strings

Test the case of NULL address as input

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit c26fcef50d09d3d70c646f3151dda265d4b0eb92
Author: Uri Simchoni 
Date:   Thu Sep 16 10:11:46 2021 +0300

WHATSNEW: document dns forwarder change

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit 2a098030977d7720436b7850fa731557eeb70bc2
Author: Matthew Grant 
Date:   Sat Sep 18 10:05:24 2021 +1200

libcli/dns.c: dns forwarder port test changes

Test harness for the dns forwarder setting in smb.conf. Adds IPv6
forwarder as second target DNS forwarder, listening on port 54.

Signed-off-by: Matthew Grant 
Reviewed-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit 617a5a1d3579b27de0e2b0736909ca83b7b3ee15
Author: Matthew Grant 
Date:   Sat Sep 18 10:02:11 2021 +1200

libcli/dns: smb.conf dns forwarder port support

Call new tsocket_address_inet_from_hostport_strings() instead of
tsocket_address_inet_from_strings() to implement setting a port to query
for a DNS forwarder.

Signed-off-by: Matthew Grant 
Reviewed-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit f39a06de3bea9ec03a3e82c8892d9e572abd1163
Author: Matthew Grant 
Date:   Sun Sep 19 17:41:42 2021 +1200

lib/tsocket: new function to parse host port strs.

tsocket_address_inet_from_hostport_strings() on top of
tsocket_address_inet_from_strings(), implementing the ability to parse a
port number appended to an IPv6 or IPv4 address. IPv6 addresses can also
optionally have square brackets around them, but these are needed to
specify the port number as colon is used to delimit port from the IP
address in the string.

Note that this code just recognises and parses the strings with port
given, or just IPv6 with square brackets.  The rest of the parsing is
passed on to tsocket_address_inet_from_strings(), and errors from there
passed back up the stack.

Signed-off-by: Matthew Grant 
Reviewed-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 
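
The bracket and port rules described in the commit message above, as an added C example; it is not Samba's tsocket code. parse_hostport(), struct hostport and the sample addresses are assumptions made for illustration, and only numeric addresses are handled.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical result type for this example; not a Samba structure. */
struct hostport {
    int family;                   /* AF_INET or AF_INET6 */
    uint16_t port;
    char host[INET6_ADDRSTRLEN];  /* canonical numeric form */
};

/* Decimal port 1..65535; rejects signs, blanks, empty and trailing bytes. */
static bool parse_port(const char *s, uint16_t *port)
{
    char *end = NULL;
    unsigned long v;

    if (s[0] < '0' || s[0] > '9') {
        return false;
    }
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0 || v > 65535) {
        return false;
    }
    *port = (uint16_t)v;
    return true;
}

/*
 * Accepts "192.0.2.1", "192.0.2.1:54", "2001:db8::1", "[2001:db8::1]"
 * and "[2001:db8::1]:54". Returns 0 on success; on malformed input
 * returns -1 with errno = EINVAL and leaves *out unchanged.
 */
int parse_hostport(const char *in, uint16_t default_port, struct hostport *out)
{
    char buf[INET6_ADDRSTRLEN + 16];
    char text[INET6_ADDRSTRLEN];
    unsigned char addr[sizeof(struct in6_addr)];
    const char *host = buf;
    const char *port_str = NULL;
    uint16_t port = default_port;
    int family = AF_INET;
    size_t len;
    char *p;

    if (in == NULL || out == NULL) goto invalid;
    len = strlen(in);
    if (len == 0 || len >= sizeof(buf)) goto invalid;
    memcpy(buf, in, len + 1);

    if (buf[0] == '[') {
        /* Brackets are only meaningful around an IPv6 address. */
        p = strchr(buf, ']');
        if (p == NULL) goto invalid;
        *p = '\0';
        host = buf + 1;
        family = AF_INET6;
        if (p[1] == ':') {
            port_str = p + 2;
        } else if (p[1] != '\0') {
            goto invalid;         /* junk after the closing bracket */
        }
    } else {
        p = strchr(buf, ':');
        if (p != NULL && strchr(p + 1, ':') != NULL) {
            family = AF_INET6;    /* several colons: bare IPv6, no port */
        } else if (p != NULL) {
            *p = '\0';            /* exactly one colon: IPv4 plus port */
            port_str = p + 1;
        }
    }

    if (inet_pton(family, host, addr) != 1) goto invalid;
    if (port_str != NULL && !parse_port(port_str, &port)) goto invalid;
    if (inet_ntop(family, addr, text, sizeof(text)) == NULL) goto invalid;

    out->family = family;
    out->port = port;
    memcpy(out->host, text, sizeof(text));
    return 0;
invalid:
    errno = EINVAL;
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the Samba test suite. */
    const char *samples[] = { "192.0.2.1:54", "[2001:db8::1]:54",
                              "2001:db8::1:54", "[192.0.2.1]:54" };
    struct hostport hp;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_hostport(samples[i], 53, &hp) == 0) {
            printf("%-20s -> %s port %u\n", samples[i], hp.host, (unsigned)hp.port);
        } else {
            printf("%-20s -> rejected\n", samples[i]);
        }
    }
    return 0;
}
```

An unbracketed "2001:db8::1:54" parses as an IPv6 address with the default port, which is why the brackets are required to attach a port to IPv6.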

commit 775939823a5a956acc236c808d5aee78cbd9e132
Author: Matthew Grant 
Date:   Sat Sep 18 09:57:26 2021 +1200

libcli/dns: dns forwarder port doc changes

Documentation changes specifying how list entries for dns forwarder
are to be specified with ability to add trailing target port number.

Signed-off-by: Matthew Grant 
Reviewed-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit 860d8902a9c502d4be83396598cf4a53c80fea69
Author: Joseph Sutton 
Date:   Sat Sep 25 14:39:59 2021 +1200

pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between

[SCM] Samba Shared Repository - branch master updated

2021-09-23 Thread Andrew Bartlett
The branch, master has been updated
   via  5b331443d06 tests/krb5: Add classes for testing invalid checksums
   via  c0b81f0dd54 tests/krb5: Add method to determine if principal is 
krbtgt
   via  ea7b550a500 tests/krb5: Verify checksums of tickets obtained from 
the KDC
   via  1458cd9065d tests/krb5: Add get_rodc_krbtgt_creds() to 
RawKerberosTest
   via  394e8db261b tests/krb5: Simplify account creation
   via  f2f1f3a1e92 tests/krb5: Provide ticket enc-part key to tgs_req()
   via  f9284d8517e tests/krb5: Fix checking for presence of authorization 
data
   via  9d01043042f tests/krb5: Add method to get DC credentials
   via  38b4b334caf tests/krb5: Allow tgs_req() to check the returned 
ticket enc-part
   via  054ec1a8cc4 tests/krb5: Set key version number for all accounts 
created with create_account()
   via  14cd933a9d6 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
   via  b6eaf2cf44f tests/krb5: Get supported enctypes for credentials from 
database
   via  432eba9e098 tests/krb5: Add methods to convert between enctypes and 
bitfields
   via  7cedd383bcc tests/krb5: Make get_default_enctypes() return a set of 
enctype constants
   via  4c67a53cdca tests/krb5: Simplify adding authdata to ticket by using 
modified_ticket()
   via  1fcde7cb6ce tests/krb5: Add method for modifying a ticket and 
creating PAC checksums
   via  12b5e72a35d tests/krb5: Add method to verify ticket PAC checksums
  from  702ebb3d8c8 registry: skip root check when running with uid-wrapper 
enabled

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5b331443d0698256ee7fcc040a1ab8137efe925d
Author: Joseph Sutton 
Date:   Mon Sep 20 15:10:35 2021 +1200

tests/krb5: Add classes for testing invalid checksums

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184

commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8
Author: Joseph Sutton 
Date:   Mon Sep 20 15:06:18 2021 +1200

tests/krb5: Add method to determine if principal is krbtgt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit ea7b550a500d9e458498d37688b67dafd3d9509d
Author: Joseph Sutton 
Date:   Mon Sep 20 14:10:07 2021 +1200

tests/krb5: Verify checksums of tickets obtained from the KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 1458cd9065de34c42bd5ec63feb2f66c25103982
Author: Joseph Sutton 
Date:   Tue Sep 21 13:54:47 2021 +1200

tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 394e8db261b10d130c5e5730989bf68f9bf4f85f
Author: Joseph Sutton 
Date:   Mon Sep 20 14:05:58 2021 +1200

tests/krb5: Simplify account creation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c
Author: Joseph Sutton 
Date:   Wed Sep 22 11:41:45 2021 +1200

tests/krb5: Provide ticket enc-part key to tgs_req()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit f9284d8517edd9ffd96f0c24166a16366f97de8f
Author: Joseph Sutton 
Date:   Mon Sep 20 14:08:16 2021 +1200

tests/krb5: Fix checking for presence of authorization data

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239
Author: Joseph Sutton 
Date:   Mon Sep 20 13:58:09 2021 +1200

tests/krb5: Add method to get DC credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 38b4b334caf1b32f1479db3ada48b2028946f5e6
Author: Joseph Sutton 
Date:   Mon Sep 20 13:59:24 2021 +1200

tests/krb5: Allow tgs_req() to check the returned ticket enc-part

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655
Author: Joseph Sutton 
Date:   Mon Sep 20 13:54:39 2021 +1200

tests/krb5: Set key version number for all accounts created with 
create_account()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 14cd933a9d6af08deb680c9f688b166138d45ed9
Author: Joseph

[SCM] Samba Shared Repository - branch master updated

2021-09-21 Thread Andrew Bartlett
The branch, master has been updated
   via  ec95b3042bf tests/krb5: Add RodcPacEncryptionKey type allowing for 
RODC PAC signatures
   via  a562882b151 tests/krb5: Add methods for creating zeroed checksums 
and verifying checksums
   via  419e4061ced tests/krb5: Cache obtained tickets
   via  6193f7433b1 tests/krb5: Return encpart from get_tgt() as part of 
KerberosTicketCreds
   via  59c1043be25 tests/krb5: Move get_tgt() and get_service_ticket() to 
kdc_base_test
   via  035a8f19855 tests/krb5: Allow get_tgt() to specify expected and 
unexpected flags
   via  4ecfa82e71b tests/krb5: Allow get_tgt() to specify different 
kdc-options
   via  2d69805b1e3 tests/krb5: Allow get_tgt() to get tickets from the RODC
   via  5d3a135c232 tests/krb5: Allow get_service_ticket() to get tickets 
from the RODC
   via  7645dfa5bed tests/krb5: Set DN of created accounts to ldb.Dn type
   via  c226029655c tests/krb5: Don't manually create PAC request and 
options in fast_tests
   via  3504e99dc5b tests/krb5: Use PAC buffer type constants from 
krb5pac.idl
   via  a5e62d681d8 tests/krb5: Allow as_req() to specify different 
kdc-options
   via  6403a09d94a tests/krb5: Allow tgs_req() to send requests to the RODC
   via  1a3426da544 tests/krb5: Allow tgs_req() to specify different 
kdc-options
   via  1f0654b8fac tests/krb5: Allow tgs_req() to send additional padata
   via  2a4d53dc12a tests/krb5: Refactor tgs_req() to use 
_generic_kdc_exchange
   via  0061fa2c2a2 tests/krb5: Check correct flags element
   via  a281ae09bcf tests/krb5: Add helper method for modifying PACs
   via  b81f6f3d714 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from 
a gitlab variable)
   via  21a77173590 python/join: Check for correct msDS-KrbTgtLink attribute
   via  cde38d36b98 python: Don't leak file handles
  from  9a24d8e491f lib:cmdline: fix a comment

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ec95b3042bf2649c0600cafb12818c27242b5098
Author: Joseph Sutton 
Date:   Thu Sep 16 17:20:22 2021 +1200

tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures

Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184

commit a562882b15125902c5d89f094b8c9b1150f5d010
Author: Joseph Sutton 
Date:   Thu Sep 16 16:54:57 2021 +1200

tests/krb5: Add methods for creating zeroed checksums and verifying 
checksums

Creating a zeroed checksum is needed for signing a PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 419e4061ced466ec7e5e23f815823b540ef4751c
Author: Joseph Sutton 
Date:   Tue Sep 21 11:51:20 2021 +1200

tests/krb5: Cache obtained tickets

Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 6193f7433b15579aa32b26a146287923c9d3844d
Author: Joseph Sutton 
Date:   Tue Sep 21 11:51:05 2021 +1200

tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds

The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 59c1043be25b92db75ab5676601cb15426ef37a3
Author: Joseph Sutton 
Date:   Thu Sep 16 13:24:46 2021 +1200

tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce
Author: Joseph Sutton 
Date:   Thu Sep 16 13:14:45 2021 +1200

tests/krb5: Allow get_tgt() to specify expected and unexpected flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3
Author: Joseph Sutton 
Date:   Thu Sep 16 13:14:06 2021 +1200

tests/krb5: Allow get_tgt() to specify different kdc-options

BUG: https://bugzilla.samba.org

[SCM] Samba Shared Repository - branch master updated

2021-09-15 Thread Andrew Bartlett
The branch, master has been updated
   via  d12cb47724c selftest: Update user_account_control tests to pass 
against Windows 2019
   via  35292bd3222 tests/krb5: Allow replicating accounts to the created 
RODC
   via  ef5666bc51c tests/krb5: Create RODC account for testing
   via  3cc9e77f38f tests/krb5: Allow replicating accounts to the RODC
   via  af633992e31 tests/krb5: Add get_secrets() method to get the secret 
attributes of a DN
   via  a5bf7aad54b tests/krb5: Add method to get RODC krbtgt credentials
   via  7bc52cecb44 tests/krb5: Sign-extend kvno from 32-bit integer
   via  19a2af02f57 pyldb: Avoid use-after-free in msg_diff()
   via  c2bbe774ce0 ldb_msg: Don't fail in ldb_msg_copy() if source DN is 
NULL
   via  a99a76722d6 pytest:segfault: Add test for ldb.msg_diff()
   via  943079fd94f tests/krb5: Generate padata for FAST tests
   via  c9fd8ffd892 tests/krb5: Add get_cached_creds() method to create 
persistent accounts for testing
   via  0e99382d73f tests/krb5: Get encpart decryption key from 
kdc_exchange_dict
   via  a5186f92803 tests/krb5: Get expected cname from TGT for TGS-REQ 
messages
   via  4ba5e82ae53 tests/krb5: Allow specifying status code to be checked
  from  d40f57321a1 WHATSNEW: Document changes for "kernel share modes"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d12cb47724c2e8d19a28286d4c3ef72271a002fd
Author: Andrew Bartlett 
Date:   Mon Aug 30 18:17:47 2021 +1200

selftest: Update user_account_control tests to pass against Windows 2019

This gets us closer to passing against Windows 2019, without
making major changes to what was tested.  More tests are needed,
but it is important to get what was being tested tested again.

Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
are now required on all objects, this can't be omitted any more.

Also for UF_NORMAL_ACCOUNT for these accounts without a password
set |UF_PASSWD_NOTREQD must be included.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184

commit 35292bd32225b39ad7a03c3aa53027458f0671eb
Author: Joseph Sutton 
Date:   Mon Sep 13 21:24:31 2021 +1200

tests/krb5: Allow replicating accounts to the created RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit ef5666bc51ca80e1acdadd525a9c61762756c8e3
Author: Joseph Sutton 
Date:   Mon Sep 13 21:24:05 2021 +1200

tests/krb5: Create RODC account for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac
Author: Joseph Sutton 
Date:   Mon Sep 13 22:13:24 2021 +1200

tests/krb5: Allow replicating accounts to the RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit af633992e31e839cdd7f77740c1f25d129be2f79
Author: Joseph Sutton 
Date:   Mon Sep 13 20:58:01 2021 +1200

tests/krb5: Add get_secrets() method to get the secret attributes of a DN

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21
Author: Joseph Sutton 
Date:   Mon Sep 13 20:20:23 2021 +1200

tests/krb5: Add method to get RODC krbtgt credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540
Author: Joseph Sutton 
Date:   Mon Sep 13 21:14:18 2021 +1200

tests/krb5: Sign-extend kvno from 32-bit integer

This helps to avoid problems with RODC kvnos that have the high bit set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700
Author: Joseph Sutton 
Date:   Mon Sep 13 11:15:17 2021 +1200

pyldb: Avoid use-after-free in msg_diff()

Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton 
Reviewed-by: Andre

[SCM] Samba Shared Repository - branch master updated

2021-09-13 Thread Andrew Bartlett
The branch, master has been updated
   via  01378a52a1c tests/krb5: Create testing accounts in appropriate 
containers
   via  c3b74629027 tests/krb5: Check for presence of 'key-expiration' 
element
   via  d3106a8d352 tests/krb5: Check 'caddr' element
   via  9cba5f9a1b0 tests/krb5: Check for presence of 'renew-till' element
   via  0afb548a0a3 tests/krb5: Allow Kerberos requests to be sent to DC or 
RODC
   via  1974b872fb5 tests/krb5: Make time assertion less strict
   via  85ddfc1afcf tests/krb5: Allow specifying ticket flags expected to 
be set or reset
   via  571265257f3 tests/krb5: Remove magic constants
   via  7556a4dfa64 tests/krb5: Don't create PAC request or options 
manually in fast_tests
   via  bc21ba25920 tests/krb5: Don't create PAC request manually in 
as_req_tests
   via  c0db1ba54d2 tests/krb5: add options to kdc_exchange_dict to specify 
including PAC-REQUEST or PAC-OPTIONS
   via  1f23b16ef3a tests/krb5: Move padata generation methods to base class
   via  9973b51e48a tests/krb5: Keep track of account DN in credentials 
object
   via  9aa90085744 tests/krb5: Allow specifying additional User Account 
Control flags for account
   via  7aae0e9b100 tests/krb5: Allow specifying an OU to create accounts in
   via  bf55786fcd9 tests/krb5: Replace expected_cname_private with 
expected_anon parameter
   via  3fd73b65a3d tests/krb5: Use more compact dict lookup
   via  08086c43987 tests/krb5: Add KDCOptions flag for constrained 
delegation
   via  448b661bf88 tests/krb5: Use signed integers to represent key 
version numbers in ASN.1
   via  9924dd97618 tests/krb5: Add methods to obtain the length of 
checksum types
   via  c6badf818e9 tests/krb5: Calculate expected salt if not given 
explicitly
   via  0092b4a3ed5 security.idl: Add well-known SIDs for FAST
   via  ff2f38fae79 krb5pac.idl: Add ticket checksum PAC buffer type
  from  95d8cdf0c36 tsocket: set errno on some failures of 
tsocket_address_inet_from_strings

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 01378a52a1cf0b6855492673455013d5719be45b
Author: Joseph Sutton 
Date:   Fri Sep 3 09:18:32 2021 +1200

tests/krb5: Create testing accounts in appropriate containers

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184

commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94
Author: Joseph Sutton 
Date:   Wed Sep 1 19:47:27 2021 +1200

tests/krb5: Check for presence of 'key-expiration' element

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit d3106a8d35225e826d548d3bea0d42edc3998c38
Author: Joseph Sutton 
Date:   Wed Sep 1 19:45:57 2021 +1200

tests/krb5: Check 'caddr' element

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64
Author: Joseph Sutton 
Date:   Wed Sep 1 19:43:41 2021 +1200

tests/krb5: Check for presence of 'renew-till' element

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 0afb548a0a3221730c4a81d51bc31e99ec90e334
Author: Joseph Sutton 
Date:   Wed Sep 1 19:34:20 2021 +1200

tests/krb5: Allow Kerberos requests to be sent to DC or RODC

If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 1974b872fb5a7da052305d01e2f1efc8d0637078
Author: Joseph Sutton 
Date:   Wed Sep 1 19:15:17 2021 +1200

tests/krb5: Make time assertion less strict

This assertion could fail if there was a time difference between the KDC
and the client.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 85ddfc1afcf21797dab15431a5f375444c4d316e
Author: Joseph Sutton 
Date:   Wed Sep 1 19:13:11 2021 +1200

tests/krb5: Allow specifying ticket flags expected to be set or reset

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b
Author: Joseph Sutton 
Date:   Wed Sep 1 17:46:02 2021 +1200

tests/krb5: Remove magic constants

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7
Author: Joseph Sutton 
Date:   Thu Sep 2 14:38:33 2021 +1200

tests/krb5: Don't create PAC request or options manually

[SCM] Samba Shared Repository - branch master updated

2021-09-08 Thread Andrew Bartlett
The branch, master has been updated
   via  4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu 
20.04-based image
   via  4f300d672a8 fuzzing/oss-fuzz: strip RUNPATH from dependencies
   via  f94b1d3b31f fuzzing/oss-fuzz: fix samba build script for Ubuntu 
20.04
   via  541f9ee5ab6 fuzzing/oss-fuzz: fix RPATH comments for 
post-Ubuntu-16.04 era
   via  e608dcd2d67 configure: allow configure script to accept parameters 
with spaces
   via  2fe8d3eeac4 fuzzing/oss-fuzz: fix image build recipe for Ubuntu 
20.04
  from  18e08c70900 docs: Avoid duplicate information on USER and PASSWD, 
reference the common section

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4366c3bb71fe9c083dedeae8798547b64a64d2b4
Author: Uri Simchoni 
Date:   Tue Sep 7 18:39:12 2021 +0300

gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image

REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep  9 01:45:09 UTC 2021 on sn-devel-184

commit 4f300d672a8ef1820e68bc82833de4f5d4c0996e
Author: Uri Simchoni 
Date:   Mon Sep 6 22:55:55 2021 +0300

fuzzing/oss-fuzz: strip RUNPATH from dependencies

Strip all RUNPATH headers from all dependency shared objects that
we copy to the fuzzing target, as those libraries aren't placed
in their original place.

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit f94b1d3b31f2fb5bdbfce7b5f79d80f098b91975
Author: Uri Simchoni 
Date:   Sat Sep 4 10:30:56 2021 +0300

fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04

Add a linker flag to generate fuzzer binaries with an RPATH
header instead of RUNPATH.

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit 541f9ee5ab66b41a2a8d9c54183b095ad99f3769
Author: Uri Simchoni 
Date:   Sat Sep 4 10:11:58 2021 +0300

fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era

Remove what appears to be a copy+paste error in one place, and
explain that RPATH/RUNPATH is set by the linker, not by chrpath
utility.

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit e608dcd2d6736505022d0f9d1e008333bb70f1af
Author: Uri Simchoni 
Date:   Sat Sep 4 11:01:56 2021 +0300

configure: allow configure script to accept parameters with spaces

Specifically this enables passing two linker flags to the
--fuzz-target-ldflags configure argument.

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

commit 2fe8d3eeac4cddedfeac936ce785c2c6f12d86ef
Author: Uri Simchoni 
Date:   Fri Sep 3 18:46:17 2021 +

fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04

Update the build_image.sh script to install Ubuntu 20.04 packages
instead of Ubuntu 16.04 on the oss-fuzz container - this will
allow the oss-fuzz container to be based on Ubuntu 20.04.

REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365

Signed-off-by: Uri Simchoni 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 .gitlab-ci-main.yml |  2 +-
 configure   |  2 +-
 lib/fuzzing/oss-fuzz/build_image.sh |  2 +-
 lib/fuzzing/oss-fuzz/check_build.sh |  3 +--
 lib/fuzzing/oss-fuzz/do_build.sh| 33 +++--
 5 files changed, 27 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4b2f17938c8..a6c362931da 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -323,7 +323,7 @@ samba-libs:
 samba-fuzz:
   extends: .shared_template
   variables:
-SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1604}
+SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004}
 
 ctdb:
   extends: .shared_template
diff --git a/configure b/configure
index 2b0ffb0dae1..a6ca50feb47 100755
--- a/configure
+++ b/configure
@@ -13,5 +13,5 @@ export JOBS
 unset LD_PRELOAD
 
 cd . || exit 1
-$PYTHON $WAF configure $@ || exit 1
+$PYTHON $WAF configure "$@" || exit 1
 cd $PREVPATH
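Review bot: quoting "$@" fixes splitting of the arguments, but the same line still expands $PYTHON and $WAF unquoted and the following line runs cd $PREVPATH unquoted, so a source tree or previous directory whose path contains a space still breaks the script. Suggest cd "$PREVPATH" at minimum; if $PYTHON is left unquoted on purpose so it can carry interpreter arguments, a comment saying so would help.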
diff --git a/lib/fuzzing/oss-fuzz/build_image.sh 
b/lib/fuzzing/oss-fuzz/build_image.sh
index 5df07dc43be..5d5e27e716d 100755
--- a/lib/fuzzing/oss-fuzz/build_image.sh
+++ b/lib/fuzzing/oss-fuzz/build_image.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -e
 
-DIST=ubuntu1604
+DIST=ubuntu2004
 SCRIPT_DIR=`dirname $0`
 
 $SCRIPT_DIR/../../../bootstrap/generated-dists/$DIST/bootstrap.sh
diff --git a/lib/fuzzing/oss-fuzz/check_build.sh 
b/lib/fuzzing/oss-fuzz/check_build.sh
index 501c2c813fc..98b83a81bbf 100755
--- a/lib/fuzzing/oss-fuzz/check_build.sh
+++ b/lib/fuzzing/oss-fuzz/check_build.s

[SCM] Samba Shared Repository - branch master updated

2021-09-02 Thread Andrew Bartlett
The branch, master has been updated
   via  59ed0992854 third_party: Update waf to version 2.0.22
   via  e41bc0f43f6 third_party: Add a script to update waf
  from  d0f6d54354b winbind: ensure wb_parent_idmap_setup_send() gets 
called in winbindd_allocate_uid_send()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 59ed09928541d40df72592419247add608a54aca
Author: Andreas Schneider 
Date:   Wed Aug 25 15:34:58 2021 +0200

third_party: Update waf to version 2.0.22

New in waf 2.0.22

* Fix stdin propagation with faulty vcvarsall scripts #2315
* Enable mixing Unix-style paths with destdir on Windows platforms #2337
* Fix shell escaping unit test parameters #2314
* Improve extras/clang_compilation_database and extras/swig compatibility 
#2336
* Propagate C++ flags to the Cuda compiler in extras/cuda #2311
* Fix detection of Qt 5.0.0 (preparation for Qt6) #2331
* Enable Haxe processing #2308
* Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330
* Fix extras/wafcache concurrent trimming issues #2312
* Fix extras/wafcache symlink handling #2327

The import was done like this:

./third_party/waf/update.sh

Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py
by hand.

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andreas Schneider 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Sep  2 21:22:17 UTC 2021 on sn-devel-184

commit e41bc0f43f6d86d554f37881263c43c356994726
Author: Andreas Schneider 
Date:   Thu Aug 26 14:52:14 2021 +0200

third_party: Add a script to update waf

./third_party/waf/update.sh

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 buildtools/bin/waf |   2 +-
 buildtools/wafsamba/wafsamba.py|   2 +-
 third_party/update.sh  |   5 -
 third_party/waf/update.sh  |  79 +
 third_party/waf/waflib/Build.py|   4 +-
 third_party/waf/waflib/Context.py  |   6 +-
 third_party/waf/waflib/Tools/msvc.py   |   2 +-
 third_party/waf/waflib/Tools/python.py |   2 +-
 third_party/waf/waflib/Tools/qt5.py|   6 +-
 third_party/waf/waflib/Tools/waf_unit_test.py  |   2 +-
 third_party/waf/waflib/Utils.py|  15 ++-
 .../waflib/extras/clang_compilation_database.py|  28 +++--
 third_party/waf/waflib/extras/haxe.py  | 131 +
 third_party/waf/waflib/extras/wafcache.py  |  59 --
 14 files changed, 294 insertions(+), 49 deletions(-)
 create mode 100755 third_party/waf/update.sh
 create mode 100644 third_party/waf/waflib/extras/haxe.py


Changeset truncated at 500 lines:

diff --git a/buildtools/bin/waf b/buildtools/bin/waf
index 041450fc131..b0ccb09a877 100755
--- a/buildtools/bin/waf
+++ b/buildtools/bin/waf
@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
 import os, sys, inspect
 
-VERSION="2.0.21"
+VERSION="2.0.22"
 REVISION="x"
 GIT="x"
 INSTALL="x"
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 4fe9daf160e..dee007bf84e 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -38,7 +38,7 @@ LIB_PATH="shared"
 
 os.environ['PYTHONUNBUFFERED'] = '1'
 
-if Context.HEXVERSION not in (0x2001500,):
+if Context.HEXVERSION not in (0x2001600,):
 Logs.error('''
 Please use the version of waf that comes with Samba, not
 a system installed version. See http://wiki.samba.org/index.php/Waf
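Review bot: the accepted Context.HEXVERSION value (0x2001600) is a hand-maintained copy of the version that also appears as VERSION="2.0.22" in buildtools/bin/waf, and the commit message says both files were changed by hand after running update.sh. A comment beside the tuple giving the dotted version it encodes (0x16 is 22) would make a mismatch easy to spot in review; having update.sh rewrite both files would remove the manual step altogether.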
diff --git a/third_party/update.sh b/third_party/update.sh
index a510e8a7042..29456991874 100755
--- a/third_party/update.sh
+++ b/third_party/update.sh
@@ -23,9 +23,4 @@ hg clone https://bitbucket.org/micktwomey/pyiso8601 
"$WORKDIR/pyiso8601"
 rm -rf "$WORKDIR/pyiso8601/.hg"
 rsync -avz --delete "$WORKDIR/pyiso8601/" "$THIRD_PARTY_DIR/pyiso8601/"
 
-echo "Updating waf..."
-git clone git://git.samba.org/third_party/waf.waf15/ "$WORKDIR/waf"
-rm -rf "$WORKDIR/waf/.git"
-rsync -C -avz --delete "$WORKDIR/waf/" "$THIRD_PARTY_DIR/waf/"
-
 rm -rf "$WORKDIR"
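Review bot: the context lines left behind in this hunk still run `hg clone https://bitbucket.org/micktwomey/pyiso8601` and then `rsync -avz --delete` into the tree, with no revision pinned and no checksum or signature check, so whatever the upstream tip is at run time gets vendored. The removed waf block had the same shape and fetched over unauthenticated `git://`; while this script is being touched, pin the pyiso8601 step to a known revision as well.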
diff --git a/third_party/waf/update.sh b/third_party/waf/update.sh
new file mode 100755
index 000..16bda84a3f0
--- /dev/null
+++ b/third_party/waf/update.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: update.sh VERSION"
+exit 1
+fi
+
+WAF_VERSION="${1}"
+WAF_GIT="https:
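Review bot: `WAF_VERSION="${1}"` accepts any string, and the missing-argument path prints its usage text to stdout. Because this argument decides which upstream release is vendored, check that it looks like a version number before using it, send the usage message to stderr, and set `set -eu` near the top so a failing command aborts the update.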

[SCM] Samba Shared Repository - branch master updated

2021-08-18 Thread Andrew Bartlett
   via  67ff72395ce tests/krb5: Fix including enc-authorization-data
   via  a2b183c179e tests/krb5: Remove magic constants
   via  41c3e410344 tests/krb5: Simplify Python syntax
   via  38b3a361819 tests/krb5: Use more compact dict lookup
   via  1320ac0f91a tests/krb5: Remove unneeded statements
   via  df6623363a7 tests/krb5: formatting
   via  7013a8edd1f tests/krb5: Fix method name typo
   via  9eb4c4b7b1c tests/krb5: Fix comment typo
   via  4797ced8909 tests/krb5: Fix ms_kile_client_principal_lookup_test 
errors
   via  6818d204897 pygensec: Don't modify Python bytes objects
   via  814df05f8c1 pygensec: Fix memory leaks
  from  4809f4a6ee9 registry: check for running as root in clustering mode

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854
Author: Joseph Sutton 
Date:   Thu Jul 29 10:58:44 2021 +1200

tests/krb5: Add FAST tests

Example command:

SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184

commit b7b62957bdce9929fabd3812b9378bdbd6c12966
Author: Gary Lockyer 
Date:   Thu Jun 10 09:56:58 2021 +1200

initial FAST tests

Currently incomplete, and tested only against MIT Kerberos.

[abart...@samba.org
 Originally "WIP inital FAST tests"

 Samba's general policy is that we don't push WIP patches; we polish
 into a 'perfect' patch stream.

 However, I think there are good reasons to keep this patch distinct
 in this particular case.

 Gary is being modest in titling this WIP (now removed from the title
 to avoid confusion). They are not WIP in the normal sense of
 partially or untested code or random unfinished thoughts. The primary
 issue is that at that point where Gary had to finish up he had
 trouble getting FAST support enabled on Windows, so couldn't test
 against our standard reference. They are instead good, working
 initial tests written against the RFC and tested against Samba's AD DC
 in the mode backed by MIT Kerberos.

 This preserves clear authorship for the two distinct bodies of work,
 as in the next patch Joseph was able to extend and improve the tests
 significantly. ]

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit aa2c221f4e1bfc3403de857e62eaeaee1577560c
Author: Joseph Sutton 
Date:   Tue Jul 27 14:49:58 2021 +1200

tests/krb5: Check PADATA-FX-ERROR in reply

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 66e1eb58bedf036ad25a868993d44480c4e0e055
Author: Joseph Sutton 
Date:   Thu Jul 29 11:50:16 2021 +1200

tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07
Author: Joseph Sutton 
Date:   Tue Jul 27 14:50:20 2021 +1200

tests/krb5: Check PADATA-PAC-OPTIONS in reply

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 29070e74baa18d94642efcd36930b9bab216e10c
Author: Joseph Sutton 
Date:   Tue Jul 27 16:29:39 2021 +1200

tests/krb5: Make generic_check_kdc_error() also work for checking TGS 
replies

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit ab4e7028a6ac01eab9531c8a26507a912df54278
Author: Joseph Sutton 
Date:   Wed Jul 28 20:49:25 2021 +1200

tests/krb5: Make check_rep_padata() also work for checking TGS replies

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7
Author: Joseph Sutton 
Date:   Tue Jul 27 14:49:12 2021 +1200

tests/krb5: Check PADATA-FX-COOKIE in reply

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd
Author: Joseph Sutton 
Date:   Tue Jul 27 14:36:56 2021 +1200

tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 44a44109db96eab08a3da3683c34446bc13b295b
Author: Joseph Sutton 
Date:   Tue Jul 27 16:42:26 2021 +1200

tests/krb5: Adjust re

[SCM] Samba Shared Repository - branch master updated

2021-08-03 Thread Andrew Bartlett
The branch, master has been updated
   via  000f389d09e gitlab: Use shorter names for Samba AD DC env with MIT 
KRB5
   via  aab5cc95e22 s3:winbindd: Add a check for the path length of 
'winbindd socket directory'
  from  e2962b4262f configure: Do not put arguments into double quotes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 000f389d09ec9e9906d5e2a0aa317c471c5f5b96
Author: Andreas Schneider 
Date:   Tue Aug 3 13:20:40 2021 +0200

gitlab: Use shorter names for Samba AD DC env with MIT KRB5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug  3 20:35:49 UTC 2021 on sn-devel-184

commit aab5cc95e224fef0efafeb1c37a4eb414aee65a0
Author: Andreas Schneider 
Date:   Tue Aug 3 11:04:37 2021 +0200

s3:winbindd: Add a check for the path length of 'winbindd socket directory'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14779

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 .gitlab-ci-main.yml | 12 ++--
 script/autobuild.py |  6 +++---
 source3/winbindd/winbindd.c | 25 +
 3 files changed, 34 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 9ea3a3f5606..657b28e274f 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -331,10 +331,10 @@ samba-ad-dc-ntvfs:
 samba-admem-mit:
   extends: .needs_samba-mit-build
 
-samba-ad-dc-4a-mitkrb5:
+samba-addc-mit-4a:
   extends: .needs_samba-mit-build
 
-samba-ad-dc-4b-mitkrb5:
+samba-addc-mit-4b:
   extends: .needs_samba-mit-build
 
 # This task is run first to ensure we compile before we start the
@@ -389,7 +389,7 @@ samba-ad-dc-1:
 samba-nt4:
   extends: .needs_samba-nt4-build-private
 
-samba-ad-dc-1-mitkrb5:
+samba-addc-mit-1:
   extends: .needs_samba-mit-build-private
 
 samba-no-opath1:
@@ -421,15 +421,15 @@ pages:
 - samba-ctdb
 - samba-ad-dc-ntvfs
 - samba-admem-mit
-- samba-ad-dc-4a-mitkrb5
-- samba-ad-dc-4b-mitkrb5
+- samba-addc-mit-4a
+- samba-addc-mit-4b
 - samba-ad-back1
 - samba-ad-back2
 - samba-fileserver
 - samba-ad-dc-1
 - samba-nt4
 - samba-schemaupgrade
-- samba-ad-dc-1-mitkrb5
+- samba-addc-mit-1
 - samba-fips
 - samba-no-opath1
 - samba-no-opath2
diff --git a/script/autobuild.py b/script/autobuild.py
index 7ec3073f67e..efecaf41d74 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -659,7 +659,7 @@ tasks = {
 ],
 },
 
-"samba-ad-dc-1-mitkrb5": {
+"samba-addc-mit-1": {
 "dependency": "samba-mit-build",
 "sequence": [
 ("random-sleep", random_sleep(1, 1)),
@@ -675,7 +675,7 @@ tasks = {
 ],
 },
 
-"samba-ad-dc-4a-mitkrb5": {
+"samba-addc-mit-4a": {
 "dependency": "samba-mit-build",
 "sequence": [
 ("random-sleep", random_sleep(1, 1)),
@@ -688,7 +688,7 @@ tasks = {
 ("check-clean-tree", CLEAN_SOURCE_TREE_CMD),
 ],
 },
-"samba-ad-dc-4b-mitkrb5": {
+"samba-addc-mit-4b": {
 "dependency": "samba-mit-build",
 "sequence": [
 ("random-sleep", random_sleep(1, 1)),
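Review bot: the renamed keys `samba-addc-mit-1`, `samba-addc-mit-4a` and `samba-addc-mit-4b` in `tasks` have to match the job names and the `pages` list entries in .gitlab-ci-main.yml character for character, and neither the patch nor the commit message says why the shorter form is needed; only the bug link is given. Add a line of rationale (in the commit message or as a comment beside the task definitions) so that environments added later keep their names short for the same reason.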
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 4f367d07ecb..89e62b43ca0 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1658,6 +1658,7 @@ int main(int argc, const char **argv)
bool ok;
const struct dcesrv_endpoint_server *ep_server = NULL;
struct dcesrv_context *dce_ctx = NULL;
+   size_t winbindd_socket_dir_len = 0;
 
setproctitle_init(argc, discard_const(argv), environ);
 
@@ -1810,6 +1811,30 @@ int main(int argc, const char **argv)
}
}
 
+   winbindd_socket_dir_len = strlen(lp_winbindd_socket_directory());
+   if (winbindd_socket_dir_len > 0) {
+   size_t winbindd_socket_len =
+   winbindd_socket_dir_len + 1 +
+   strlen(WINBINDD_SOCKET_NAME);
+   struct sockaddr_un un = {
+   .sun_family = AF_UNIX,
+   };
+   size_t sun_path_len = sizeof(un.sun_path);
+
+   if (winbindd_socket_len >= sun_path_len) {
+   DBG_ERR("The winbind socket path [%s/%s] is too long "
+   "(%zu >= %zu)\n",
+   l
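Review bot: the new check runs only when `winbindd_socket_dir_len > 0`, so an empty 'winbindd socket directory' skips validation without any log line; decide whether that case should be rejected or at least reported. The `>=` comparison against `sizeof(un.sun_path)` correctly leaves room for the terminating NUL, but `struct sockaddr_un un` is declared only to take that sizeof, so `sizeof(((struct sockaddr_un *)0)->sun_path)` would say the same thing without the otherwise unused variable.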

[SCM] Samba Shared Repository - branch master updated

2021-07-05 Thread Andrew Bartlett
The branch, master has been updated
   via  7c3bb491baf testprogs: Consistantly use kinit -c $KRB5CCNAME
   via  0388a8f33bd gensec_krb5: restore ipv6 support for kpasswd
  from  fc267567a07 printing: avoid crash in LPRng_time

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7c3bb491baf7d6f10760fb42b34a990e3806df9c
Author: Stefan Metzmacher 
Date:   Fri Apr 3 16:29:36 2020 +0200

testprogs: Consistantly use kinit -c $KRB5CCNAME

We want to be really clear which credentials cache we use.

The kerberos_kinit() shell function uses this internally.

-c is the common option between MIT and Heimdal, and is
equivalent to --cache

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jul  5 23:51:43 UTC 2021 on sn-devel-184

commit 0388a8f33bdde49f1cc805a0291859203c1a52b4
Author: Stefan Metzmacher 
Date:   Fri Jul 2 09:37:25 2021 +0200

gensec_krb5: restore ipv6 support for kpasswd

We need to offer as much space as we have in order to
get the address out of tsocket_address_bsd_sockaddr().

This fixes a regression in commit
43c808f2ff907497dfff0988ff90a48fdcfc16ef.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 source4/auth/gensec/gensec_krb5.c|  6 --
 testprogs/blackbox/common_test_fns.inc   |  2 +-
 testprogs/blackbox/test_chgdcpass.sh |  5 +++--
 testprogs/blackbox/test_export_keytab_heimdal.sh |  8 ++--
 testprogs/blackbox/test_kinit_heimdal.sh |  7 +--
 testprogs/blackbox/test_kinit_trusts_heimdal.sh  |  7 ---
 testprogs/blackbox/test_kpasswd_heimdal.sh   |  3 +--
 testprogs/blackbox/test_ktpass.sh|  5 +++--
 testprogs/blackbox/test_net_ads_dns.sh   |  8 
 testprogs/blackbox/test_password_settings.sh |  7 +--
 testprogs/blackbox/test_pkinit_heimdal.sh|  5 +++--
 testprogs/blackbox/test_pkinit_pac_heimdal.sh| 11 ---
 testprogs/blackbox/test_s4u_heimdal.sh   |  5 +++--
 testprogs/blackbox/test_samba_upgradedns.sh  |  4 
 testprogs/blackbox/test_trust_user_account.sh|  5 +++--
 15 files changed, 41 insertions(+), 47 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_krb5.c 
b/source4/auth/gensec/gensec_krb5.c
index 45abbb97b6b..7d87b3ac6b9 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -149,8 +149,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
struct samba_sockaddr addr;
bool ok;
 
+   addr.sa_socklen = sizeof(addr.u);
sockaddr_ret = tsocket_address_bsd_sockaddr(
-   tlocal_addr, , sizeof(addr.u.sa));
+   tlocal_addr, , addr.sa_socklen);
if (sockaddr_ret < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
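Review bot: `struct samba_sockaddr addr;` is still an uninitialised stack variable here, with only `sa_socklen` assigned before the call. Initialising at the declaration, for example `struct samba_sockaddr addr = { .sa_socklen = sizeof(addr.u) };`, keeps the unused part of the union zeroed; and if `sockaddr_ret` is the length actually written, check that it is stored back into `addr.sa_socklen` on success so later users do not see the full union size.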
@@ -170,8 +171,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security 
*gensec_security, bool
struct samba_sockaddr addr;
bool ok;
 
+   addr.sa_socklen = sizeof(addr.u);
sockaddr_ret = tsocket_address_bsd_sockaddr(
-   tremote_addr, , sizeof(addr.u.sa));
+   tremote_addr, , addr.sa_socklen);
if (sockaddr_ret < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
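Review bot: this hunk repeats the size fix from the local-address block line for line, now for `tremote_addr`. A small helper that fills a `struct samba_sockaddr` from a `tsocket_address` would keep the buffer size in one place so the two call sites cannot drift apart.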
diff --git a/testprogs/blackbox/common_test_fns.inc 
b/testprogs/blackbox/common_test_fns.inc
index 7b421e9eb08..1c988f439a7 100755
--- a/testprogs/blackbox/common_test_fns.inc
+++ b/testprogs/blackbox/common_test_fns.inc
@@ -98,7 +98,7 @@ kerberos_kinit() {
if [ "${kbase}" = "samba4kinit" ]; then
kpassfile=$(mktemp)
echo $password > ${kpassfile}
-   $kinit_tool --password-file=${kpassfile} $principal $@
+   $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} 
$principal $@
status=$?
rm -f ${kpassfile}
else
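Review bot: `-c ${KRB5CCNAME}` is unquoted and unchecked, so when KRB5CCNAME is empty or unset `-c` takes `--password-file=${kpassfile}` as its argument, and kinit is then run with a cache named after that option and no password file. Quote it as `-c "${KRB5CCNAME}"` and fail early when it is empty; the context line `echo $password > ${kpassfile}` has the same quoting problem and will mangle passwords containing whitespace or glob characters.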
diff --git a/testprogs/blackbox/test_chgdcpass.sh 
b/testprogs/blackbox/test_chgdcpass.sh
index 54137b980ca..d7d1d030c19 100755
--- a/testprogs/blackbox/test_chgdcpass.sh
+++ b/testprogs/blackbox/test_chgdcpass.sh
@@ -24,11 +24,11 @@ failed=0
 samba4bindir="$BINDIR"
 samba4srcdir="$SRCDIR/source4"
 
-samba4kinit=kinit
+samba4kinit_binary=kinit
 heimdal=0
 if test -x $BINDIR/samba4kinit; then
heimdal=1
-   samba4kin

[SCM] Samba Shared Repository - branch master updated

2021-07-04 Thread Andrew Bartlett
The branch, master has been updated
   via  fc267567a07 printing: avoid crash in LPRng_time
   via  16c28b367d9 fuzz: add fuzz_parse_lpq_entry
   via  0cb833b32c8 fuzz: fix multiple comment headers
   via  6d216dc3654 dns update: zero flags and reserved
   via  9d3731cd168 dns_common_replace: do not leak
   via  7c298ee89f8 samba-tool: dns update rejects malformed addresses
   via  e6e3dc8bd3a pydns: fix a comment in replace_by_dn()
   via  b80f66f8035 ldb-samba: dns tombstone matching: constrict value 
length
   via  7a111c1f35e dns_server: free old zones when reloading
   via  54b9271eb5e s4/dns_common_replace: add comments about tombstones
   via  26bb958af80 dns_common_replace: comment in needs_add case
   via  602dd50b31d dns_common_replace: do logging in needs_add case
   via  7edeb5901b0 dnsserver_common: comments about record sorting
   via  3a4cb8679a3 py/dnsserver: TXTRecord copes with single strings
   via  6bd6b2e9f3b dnsserver/update: add a few comments
   via  6f9564425f4 dns update: emit warnings upon unexpected occurrances
   via  1741a0667bb dlz_bind9: insert missing words into error message
   via  c84f7a0a641 dlz_bind9: fix a copy-pasted comment
  from  2458a20eaca s3: VFS: Update status of SMB_VFS_GETXATTR.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit fc267567a072c9483bbcc5cc18e150244bc5376b
Author: Douglas Bagnall 
Date:   Wed May 5 14:55:47 2021 +

printing: avoid crash in LPRng_time

If the string is too short we don't want to atoi() whatever is beyond
the end of it.

Found using Honggfuzz and the fuzz_parse_lpq_entry fuzzer.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jul  5 05:07:13 UTC 2021 on sn-devel-184

commit 16c28b367d9edc760e62949f0eef34b8046ece75
Author: Douglas Bagnall 
Date:   Tue Apr 6 23:11:32 2021 +1200

fuzz: add fuzz_parse_lpq_entry

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 0cb833b32c8bf9341da74ded6545d6674156c08e
Author: Douglas Bagnall 
Date:   Fri May 14 15:05:05 2021 +1200

fuzz: fix multiple comment headers

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 6d216dc365463fbcc4927bfc988ba52c16eef4cf
Author: Douglas Bagnall 
Date:   Wed May 26 15:01:36 2021 +1200

dns update: zero flags and reserved

This is the observed behaviour on Windows.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 9d3731cd1681ebcfee60422d428f076182e483d3
Author: Douglas Bagnall 
Date:   Thu Apr 15 16:07:58 2021 +1200

dns_common_replace: do not leak

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 7c298ee89f8d3bcdeb8c4f1f951c524326191334
Author: Douglas Bagnall 
Date:   Sun Jun 20 14:52:48 2021 +1200

samba-tool: dns update rejects malformed addresses

Because neither filling out the struct will not necessarily tell you
you got it wrong, and the RPC could succeed in setting an arbitrary
wrong address (typically, an IPv6 address would set an A record to
"255.255.255.255").

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e6e3dc8bd3ad5ce07b27cf2e5f61c43601827168
Author: Douglas Bagnall 
Date:   Sun Jun 20 22:03:35 2021 +1200

pydns: fix a comment in replace_by_dn()

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b80f66f803554d25352413c24889a5f8fadef6d3
Author: Douglas Bagnall 
Date:   Mon Mar 29 13:03:45 2021 +1300

ldb-samba: dns tombstone matching: constrict value length

We know the only values we want to see are uint32, ie < ~4 billion
(and real values will be 7 digits for hundreds of years).

We also know the caller (we have just checked) is a trusted system
session which won't be padding the thing with spaces. But if they do,
let's call them out.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 7a111c1f35ee949d1f669fe7ea1394c6b3a52ee7
Author: Douglas Bagnall 
Date:   Wed Mar 31 10:47:05 2021 +1300

dns_server: free old zones when reloading

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 54b9271eb5e90c214c7009778ab22d60f9ee88eb
Author: Douglas Bagnall 
Date:   Fri Jun 18 15:31:42 2021 +1200

s4/dns_common_replace: add comments about tombstones

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 26bb958af80199eda54e84d6ae427385d1843052
Author: Douglas Bagnall 
Date:   Sun Apr 11 11:58:25 2021 +1200

dns_common_replace: comment in needs_add case

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 602dd50b31daa754c3123a6adc2ccd36ca1875cc
Au

[SCM] Samba Shared Repository - branch master updated

2021-06-28 Thread Andrew Bartlett
The branch, master has been updated
   via  5f70396e62d idl: secrets_domain_info1_change is not a recursive 
structure
   via  feaf0d1ab71 s4:dsdsb: Check return code of cli_credentials_guess()
   via  ee9dc1fb474 s3:libsmb: Check return code of cli_credentials_guess()
   via  08585bcfb2b s3:libnetapi: Check return code of 
cli_credentials_guess()
   via  304cb910bd3 auth:creds: Check return code of cli_credentials_guess()
   via  9f69e93bad3 lib:cmdline: Ignore the return code of 
cli_credentials_guess()
   via  9f786df2a2f auth:creds: Return bool for cli_credentials_guess()
   via  f7ff694cddd auth:creds: Add sanity check for env variables
   via  5dd3a0cc175 s4:rpc_server: Check return code of 
cli_credentials_set_conf()
   via  cfe9fb2373f s4:kpasswd: Check return code of 
cli_credentials_set_conf()
   via  0ea4041432f s4:dns_server: Check return code of 
cli_credentials_set_conf()
   via  9c84bea515e s4:dns:bind_dlz: Check return codes of cli_credentials 
functions
   via  6fb3cd8d133 s4:auth: Check return code of cli_credentials_set_conf()
   via  2f700ebda69 s4:auth: Check return code of cli_credentials_set_conf()
   via  5281a6592b0 s3:winbindd: Check return code of 
cli_credentials_set_conf()
   via  0f13044634d s3:passdb: Check return code of 
cli_credentials_set_conf()
   via  b18fa931f31 s3:libsmb: Check return code of 
cli_credentials_set_conf()
   via  ced8390c955 s3:auth: Check return code of cli_credentials_set_conf()
   via  cdf8859b906 auth:creds: Check return code of 
cli_credentials_set_conf()
   via  1d6dfd5b4d7 auth:creds: Return a bool for cli_credentials_set_conf()
   via  701c55841fb rpc/dnsserver: check talloc_strndup return
   via  14ce22f4465 rpc dnsserver: improve handling of serial numbers
   via  0fa98cd38b5 rpc dnsserver: set the record rank
   via  8b3d2556dad rpc dnsserver: updates reset more than timestamp
   via  9fb87134b8c rpc:dnsserver: allow update replacing with similar 
record
   via  fa608837369 rpc:dnsserver: split off record rank setting logic
  from  b5339048001 s3: VFS: fake_acls. Add missing NULL check for return 
of cp_smb_filename().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5f70396e62d7cc77bf248576e2ca6e7f0f755bde
Author: Pavel Filipenský 
Date:   Tue Jun 22 16:00:00 2021 +0200

idl: secrets_domain_info1_change is not a recursive structure

575d39048e3b4f619d65d65303ac809c40c5d495 has marked
several structures as recursive, they contain typically a
backpointer named '* next'. secrets_domain_info1 is not self
recursive, it only contains a pointer named '*next_change'.

Signed-off-by: Pavel Filipenský 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 29 03:07:17 UTC 2021 on sn-devel-184

commit feaf0d1ab7128230181c071c8da9cd2cc67bd41c
Author: Andreas Schneider 
Date:   Tue Jun 22 09:37:13 2021 +0200

s4:dsdsb: Check return code of cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ee9dc1fb47442c6b8839b10be135f2af525fe376
Author: Andreas Schneider 
Date:   Tue Jun 22 09:35:47 2021 +0200

s3:libsmb: Check return code of cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 08585bcfb2b60c1684f2f5c69496d16b8d86ee6b
Author: Andreas Schneider 
Date:   Tue Jun 22 09:34:39 2021 +0200

s3:libnetapi: Check return code of cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 304cb910bd3637e79805b7a0fd21f508d1f9d5a0
Author: Andreas Schneider 
Date:   Tue Jun 22 09:24:38 2021 +0200

auth:creds: Check return code of cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9f69e93bad38d45a53219cf248ba92097298b7e7
Author: Andreas Schneider 
Date:   Tue Apr 27 16:19:31 2021 +0200

lib:cmdline: Ignore the return code of cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9f786df2a2fd5c72b331625db74547fc88ad3e83
Author: Andreas Schneider 
Date:   Tue Apr 27 16:15:30 2021 +0200

auth:creds: Return bool for cli_credentials_guess()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit f7ff694cdddfe2c93751dd951fdf08defc51b5d5
Author: Andreas Schneider 
Date:   Tue Apr 27 16:11:48 2021 +0200

auth:creds: Add sanity check for env variables

CID 710829

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 5dd3a0cc17582388e59f8775d5ffdad679b05aa6
Author: Andreas Schneider 
Date:   Tue Jun 22 09:48:42 2021 +0200

s4:rpc_server: Check return code of cli_credentials_set_conf

[SCM] Samba Shared Repository - branch master updated

2021-06-21 Thread Andrew Bartlett
The branch, master has been updated
   via  002ef728bb0 torture: Fix build on freebsd, missing deps on cmdline
   via  e267cea8179 samba-tool: dbcheck search DnsAdmins from wellknown 
container
   via  0db57db80a5 samba-tool: Provision search DnsAdmins from wellknown 
container
   via  151f432ca8c samba-tool: Demote computer to wellknown container
   via  fee11c35586 samdb: Create computer in wellknown user container
   via  4602f4fc1b5 samdb: Create group in wellknown user container
   via  43ab8a4a1b4 samdb: Create user in wellknown user container
   via  5e559528b34 pytest: dcerpc/dnsserver: fix tombstone test
   via  97b9f45a764 pytest/dns_forwarder: remove unused function and imports
   via  aa97974c0e4 pytest segfaults: add a couple more failing tests
   via  24493ccceb1 pytest samba-tool dns: avoid testing update of '.' PTR
   via  de2b775e9ac pytest: dns_aging: do not insist on non-aging timestamp 
updates
   via  ad6637afa5e pytest: dns_aging sibling test fails on windows
   via  7fbb8f8e957 pytest dns_aging: add windows_variation
   via  ebfa200bfd9 pytest: dns_aging: fix two tests (bad arithmetic)
   via  eac8d6b30b3 pytest dns_aging: add sibling tests
   via  61355d36cbf pytest dns_aging: add simple delete tests
   via  663a154e3e0 pytest: samba-tool dns: allow identical updates
   via  b2453a0f5c2 pytest: samba-tool dns: allow valid updates
   via  6fb83b454cc pytest: dns_aging: test delete multiple records
   via  b24b82336f2 pytest: dns_aging: test RPC updates of disparate types
   via  8d32cdf1849 python dns: dns_record_match() matches IPv6 semantically
  from  91f5b5f3d07 selftest: Remove -d10 from test startup

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 002ef728bb02819385c0a8c2ca1b216ed712d153
Author: Amitay Isaacs 
Date:   Wed Jun 16 12:58:27 2021 +1000

torture: Fix build on freebsd, missing deps on cmdline

Missing dependency causes build failure on freebsd.

[2928/3944] Compiling source4/torture/util_smb.c
In file included from ../../source4/torture/util_smb.c:22:
../../lib/cmdline/cmdline.h:22:10: fatal error: 'popt.h' file not found
 ^~~~
1 error generated.

Signed-off-by: Amitay Isaacs 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 22 02:05:17 UTC 2021 on sn-devel-184

commit e267cea8179886995b46f0796c969a56a1becd3f
Author: David Mulder 
Date:   Wed Aug 26 14:59:24 2020 -0600

samba-tool: dbcheck search DnsAdmins from wellknown container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 0db57db80a59e2ecfb1c626f66a72987d9fedcef
Author: David Mulder 
Date:   Wed Aug 26 14:33:13 2020 -0600

samba-tool: Provision search DnsAdmins from wellknown container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 151f432ca8c173e7bad488dfbd507517908102da
Author: David Mulder 
Date:   Wed Aug 26 10:06:21 2020 -0600

samba-tool: Demote computer to wellknown container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit fee11c35586adfa7e3ce79f03798732ffb870829
Author: David Mulder 
Date:   Wed Aug 26 08:15:07 2020 -0600

samdb: Create computer in wellknown user container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 4602f4fc1b537e74fdee8d9f1a390a4ea1ba18d5
Author: David Mulder 
Date:   Tue Aug 25 14:16:30 2020 -0600

samdb: Create group in wellknown user container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 43ab8a4a1b4152ae86e3dad23f10b40d4f61fb89
Author: David Mulder 
Date:   Tue Aug 25 12:44:02 2020 -0600

samdb: Create user in wellknown user container

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 5e559528b34e4b6b26fc708cdc0976e042d91eb3
Author: Douglas Bagnall 
Date:   Fri Mar 26 16:37:52 2021 +1300

pytest: dcerpc/dnsserver: fix tombstone test

It worked accidentally, like all our tombstone tests.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 97b9f45a76434c5c00f467ec93f21a111bf35c0f
Author: Douglas Bagnall 
Date:   Wed May 19 01:12:49 2021 +

pytest/dns_forwarder: remove unused function and imports

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit aa97974c0e42f5eb7c663b05407964ff816dae3b
Author: Douglas Bagnall 
Date:   Wed May 19 02:38:20 2021 +

[SCM] Samba Shared Repository - branch master updated

2021-06-20 Thread Andrew Bartlett
The branch, master has been updated
   via  84de4eb19e5 WHATSNEW: Improved cmdline user experience
   via  18eabaf34f6 lib:cmdline: Improve doxygen documentation
   via  69368d8aca3 docs-xml: Remove unused manpage entities
   via  fad6786e74e docs-xml: Update samba-tool manpage for option parser 
changes
   via  36bb6686cb2 python: Streamline option parser of python tools
   via  7f27bbd540b docs-xml: Use new cmdline entities for traffic_replay.7 
manpage
   via  84f7db5f677 docs-xml: Update winexe.1 manpage for new cmdline 
opition parser
   via  f4bf1b2f528 winexe: Some code cleanup and fixes
   via  32a71e50b49 winexe: Use the new cmdline option parser
   via  9f514b37fbe s4:lib: Remove obsolete popt cmdline parser
   via  a8052d70cbb librpc:tools: Migrate ndrdump to new cmdline option 
parser
   via  70a09d2cee7 librpc:tools: Remove '-l' which conflicts with 
'-l|--log-basename'
   via  212038bbc6f docs-xml: Update wbinfo.1 manpage for new cmdline 
opition parser
   via  387bb56bcdf nsswitch: Migrate wbinfo to new cmdline option parser
   via  2e520feace8 libcli:nbt: Migrate nmblookup4 to new cmdline option 
parser
   via  91c8c480f6f s4:utils: Migrate oLschema2ldif to new cmdline option 
parser
   via  12ba3d9d8f2 s4:registry: Migrate regpatch to new cmdline option 
parser
   via  8123c90edc0 s4:registry: Migrate regtree to new cmdline option 
parser
   via  bd52627e5bf s4:registry: Migrate regdiff to new cmdline option 
parser
   via  4982beaabc6 s4:registry: Migrate regshell to new cmdline option 
parser
   via  2af06390c3a dsdb periodic: DNS: split aging from tombstone deletion
   via  020c76a523a dns scavenging: add an explanatory comment
   via  3dd5ae46c91 dns scavenging: ensure tombstoned node has one record
   via  f52ce9f954a dns scavenging: avoid leak in dns_tombstone_records
   via  ef7daa51d88 dns scavenging: log tombstone inconsistency
   via  9fb69274cab dns scavenging: tighten lifetime of filtered records
   via  4a2bfd249d0 dns scavenging: avoid useless copy of msg
   via  444b8178b86 dns scavenging: simplify copy_current_records
   via  95e9da2fd7a dns scavenging: avoid passing blobs
   via  2d98d733ab7 dns scavenging: ensure usual ownership of element values
   via  2c6a0265f2b dns scavenging: avoid setting same flags twice
   via  25be60a1cc4 dns scavenging: avoid another small memory leak
   via  8f8eb92903c dns scavenging: avoid a small memory leak
   via  546c64b3fcf dns scavenging: correctly set tombstome timestamp
   via  dbfbbd42976 dns scavenging: tombstone deletion uses correct time 
units
   via  bdd755a6795 pytest dns_aging: test tombstone timestamp ranges
   via  16875db27e8 pytest: dns_aging: remove a test that fails on Windows
   via  0c5dc26ddc0 pytest: dns_aging: add Samba-specific scavenging test
   via  b5c01f56f30 pytest: dns_aging: try queries of recently tombstoned 
nodes
   via  a7c0a17c48e pytest: dns_aging tests deletions using DNS update
   via  3cee6c94109 pytest: dns_aging: remove/fix unused helper functions
   via  b1730288368 pytest: dns_aging: helper to get non-tombstoned records
   via  ad6d5a9c165 pytest: dns_aging: add helper for DNS delete updates
   via  983955a2bc8 pytest: dns_aging: correct typo mis-assertions in 2 
tests
   via  d7d4fd98be0 pytest: dns_aging: remind developers to use fl2003
   via  0423b0b8844 pytest: dns_aging: use assert_timestamps_equal() widely
   via  559384beb72 pytest: add A and  aging tests
   via  701e21ade91 pytest: adjust dns_aging to handle some non-TXT records
   via  c1504ae59bb pytests: dns_aging get informative assertions
  from  c09a56ea203 python:tests: Fix group_edit test with system libldb

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 84de4eb19e5f72550fbef52e22ff7b063d735638
Author: Andreas Schneider 
Date:   Thu Dec 17 15:58:27 2020 +0100

WHATSNEW: Improved cmdline user experience

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Jun 21 00:10:21 UTC 2021 on sn-devel-184

commit 18eabaf34f6d0d599c0e4b7eaa382258304f6a83
Author: Andreas Schneider 
Date:   Tue May 11 09:13:51 2021 +0200

lib:cmdline: Improve doxygen documentation

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 69368d8aca353b9bc498ea2c347036e42100f671
Author: Andreas Schneider 
Date:   Wed Apr 7 12:31:10 2021 +0200

docs-xml: Remove unused manpage entities

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit fad6786e74e04f7068c0657d731def3c8f5d2d59
Author: Andreas Schneider 
Date:   Wed Apr 7 14:25:41 2021 +0200

docs-xml: Update samba-tool manpage for option parser

[SCM] Samba Shared Repository - branch master updated

2021-06-20 Thread Andrew Bartlett
The branch, master has been updated
   via  c09a56ea203 python:tests: Fix group_edit test with system libldb
   via  084e8616a89 python:tests: Fix user_edit test with system libldb
   via  f47ea8716f0 python:tests: Fix contact_edit test with system libldb
   via  a45ea91cd7e samba-tool: Ensure commands don't crash without ad-dc
   via  f241fe5d46e dns: Enable dnsserver_common install when not ad dc
   via  fb5fe30e824 samba-tool: Disable AD DC options in samba-tool domain
   via  779d0f02718 samba-tool: Enable samba-tool without ad dc (but with 
ads)
  from  4079efae767 s3:modules: Reduce debug level if file doesn't exists 
on dfs share

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c09a56ea20333c1023c3873cbb0432fc68bae385
Author: Andreas Schneider 
Date:   Thu Jun 17 15:02:59 2021 +0200

python:tests: Fix group_edit test with system libldb

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Jun 20 22:52:05 UTC 2021 on sn-devel-184

commit 084e8616a898fd9d645ebcdf4721a9c72631d8d3
Author: Andreas Schneider 
Date:   Thu Jun 17 15:00:21 2021 +0200

python:tests: Fix user_edit test with system libldb

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit f47ea8716f02fd4de44d3e0edbaeb26a9451f90d
Author: Andreas Schneider 
Date:   Thu Jun 17 14:57:41 2021 +0200

python:tests: Fix contact_edit test with system libldb

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a45ea91cd7e8335319c96ea5bda02014f584df63
Author: David Mulder 
Date:   Thu Jun 17 15:20:41 2021 -0600

samba-tool: Ensure commands don't crash without ad-dc

This simply ensures against import errors when
samba is built without the ad-dc. Calling every
help message guarantees the imports succeeded.
The test is intentionally run against the
fileserver test environment, because it's
configured --without-ad-dc and does not disable
ads.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit f241fe5d46e8dd2b3265be7eddbd6686a6f920db
Author: David Mulder 
Date:   Thu Jun 10 09:53:56 2021 -0600

dns: Enable dnsserver_common install when not ad dc

dnsserver_common is enabled without the ad-dc to
prevent imports from failing when samba-tool is
called where the ad-dc was not built. The
server-side dns code is used in the client when
we do direct LDAP modification of DNS records.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit fb5fe30e824d2d511188053ce04cf797b769727a
Author: David Mulder 
Date:   Fri Sep 18 11:28:02 2020 -0600

samba-tool: Disable AD DC options in samba-tool domain

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 779d0f02718b3812024bafcd5477ec3039c7a0cf
Author: David Mulder 
Date:   Thu Sep 17 13:26:18 2020 -0600

samba-tool: Enable samba-tool without ad dc (but with ads)

Much of samba-tool can operate without the full AD DC,
for remote operations.

However the samba-tool gpo command depends on ads being
built. Without ads, every samba-tool command
crashes because ads imports fail.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/domain.py                 | 30 ++-
 python/samba/tests/samba_tool/contact_edit.sh |  7 ++-
 python/samba/tests/samba_tool/group_edit.sh   |  7 ++-
 python/samba/tests/samba_tool/user_edit.sh    |  7 ++-
 source4/dns_server/wscript_build              |  6 --
 source4/scripting/bin/wscript_build           |  5 +++--
 source4/scripting/wscript_build               |  2 +-
 source4/selftest/tests.py                     |  7 +++
 8 files changed, 49 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 91c82297e26..eccae4e2f75 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -71,6 +71,7 @@ from samba import remove_dc, arcfour_encrypt, 
string_to_byte_array
 from samba.auth_util import system_session_unix
 from samba.net_s3 import Net as s3_Net
 from samba.param import default_path
+from samba import is_ad_dc_built
 
 from samba.dsdb import (
 DS_DOMAIN_FUNCTION_2000,
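Review bot: the unconditional module-level `from samba import is_ad_dc_built` depends on a name that none of the files in the summary of changes defines, so please confirm it is already exported by the samba package in builds configured without the AD DC; otherwise this import reintroduces the failure the series is meant to remove. As a smaller style point, the name could be folded into the existing `from samba import remove_dc, arcfour_encrypt, string_to_byte_array` statement shown in the hunk header.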
@@ -694,7 +695,7 @@ class cmd_domain_join(Command):
 debug=verbose)
 
 self.errf.write("Joined domain %s (%s)\n" % (domain_name, sid))
-elif role == "DC":
+elif role == "DC" and is_ad_dc_built():
 join_DC(logger=logger, server=server, cred
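Review bot: with `elif role == "DC" and is_ad_dc_built():`, a join requested with role DC on a build without the AD DC no longer matches this branch and falls through to whatever branch follows, which the truncated hunk does not show. Handling that case explicitly, with an error stating that a DC join needs a build that includes the AD DC, would be clearer than letting the user hit a generic failure for a role name that is otherwise valid.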

[SCM] Samba Shared Repository - branch master updated

2021-06-15 Thread Andrew Bartlett
The branch, master has been updated
   via  d37462d79a4 lib:ldb-samba: Migrate samba extensions to new cmdline 
option parser
   via  1d3af5d3363 lib:ldb-samba: Use talloc_zero_array() and use ldb as 
the mem context
   via  c2c7c1f50a8 lib:ldb-samba: Improve calculate_popt_array_length()
   via  a593065c7f2 lib:ldb: Use C99 initializers for builtin_popt_options[]
   via  ba32b542cdc s4:torture: Migrate masktest to new cmdline option 
parser
   via  caafb3cd4a2 s4:torture: Migrate locktest to new cmdline option 
parser
   via  c0034d309e1 s4:torture: Change -U|--user to --user1 and --user2
   via  b4c1f438455 s4:torture: Migrate gentest to new cmdline option parser
   via  2a0471df01f s4:torture: Change -U|--user to --user1 and --user2
   via  4b4fd5340a3 testprogs: Add smbtorture tests with new options
   via  a40bc1d0eec s4:torture: Migrate smbtorture to new cmdline option 
parser
   via  092d26af6ad s4:torture: Pass the pkinit ccache via a torture 
variable
   via  10caa8590c7 s4:torture: For NTLM make sure we have 
CRED_USE_KERBEROS_DESIRED
   via  59c97b09a82 s4:torture: Write better error on invalid cmdline option
   via  30fb11dafde s4:torture: Remove unused include
   via  48a5f934bbd s4:client: Migrate cifsdd to new cmdline option parser
   via  c01213471fe testprogs: Use new kerberos options for smbclient(4) 
tests
   via  b49a8605563 s4:client: Migrate smbclient4 to new cmdline option 
parser
   via  ea6c2fbfa97 s4:client: Use a creds helper variable
   via  db876e95b52 testprogs: Remove --debuglevel from 
test_kinit_trusts_mit.sh
  from  1f724a9f9bb heimdal_build: Use lib/asn1/rfc2459.opt rather than 
hard-coded

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d37462d79a4063ac06d2f5e6514b7c082cc26b21
Author: Andreas Schneider 
Date:   Wed Dec 2 18:06:24 2020 +0100

lib:ldb-samba: Migrate samba extensions to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun 16 01:25:28 UTC 2021 on sn-devel-184

commit 1d3af5d336383a7511c50542f4262764309d8230
Author: Andreas Schneider 
Date:   Fri Dec 18 08:38:22 2020 +0100

lib:ldb-samba: Use talloc_zero_array() and use ldb as the mem context

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c2c7c1f50a8acb3169e19ba4329aa78839b66def
Author: Andreas Schneider 
Date:   Thu Dec 17 19:16:13 2020 +0100

lib:ldb-samba: Improve calculate_popt_array_length()

Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset|  size */  type = struct poptOption {
/*0  | 8 */const char *longName;
/*8  | 1 */char shortName;
/* XXX  3-byte hole  */
/*   12  | 4 */unsigned int argInfo;
/*   16  | 8 */void *arg;
/*   24  | 4 */int val;
/* XXX  4-byte hole  */
/*   32  | 8 */const char *descrip;
/*   40  | 8 */const char *argDescrip;

   /* total size (bytes):   48 */

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a593065c7f22e17434f33d0132cc6a7073acf414
Author: Andreas Schneider 
Date:   Thu Dec 17 11:56:08 2020 +0100

lib:ldb: Use C99 initializers for builtin_popt_options[]

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ba32b542cdc0a8f4164012e002e519c370ba2ff2
Author: Andreas Schneider 
Date:   Thu Dec 17 17:12:10 2020 +0100

s4:torture: Migrate masktest to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit caafb3cd4a229974a88d1b355890e31b65e15e8d
Author: Andreas Schneider 
Date:   Thu Dec 17 17:05:51 2020 +0100

s4:torture: Migrate locktest to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c0034d309e18a888a93f0c42dcd0d95c35ce8bad
Author: Andreas Schneider 
Date:   Thu Dec 17 16:55:02 2020 +0100

s4:torture: Change -U|--user to --user1 and --user2

The '-U' option is already defined by the default cmdline parser!

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit b4c1f438455c91f19957ab9b69c32947c55bdf79
Author: Andreas Schneider 
Date:   Thu Dec 17 16:25:08 2020 +0100

s4:torture: Migrate gentest to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 2a0471df01fc81b638aa4b9c61714a6181f5e980
Author: Andreas Schneider 
Date:   Thu Dec 17 16:24:48 2020 +0100

s4:torture: Change -U|--user to --user1 and --user2

The '-U' option is already defined by the default cmdline parser
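
The padding problem noted in the calculate_popt_array_length() commit above, as an added example (not Samba's code): `struct demo_option` is a hypothetical stand-in with the member order from the ptype output, and the option names are constructed. It shows a memcmp()-based terminator test missing the end of an option table when a padding byte is non-zero, while a member-wise test finds it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with the member order from the ptype output above;
 * defined locally so the example builds without popt.h. */
struct demo_option {
	const char *longName;
	char shortName;          /* followed by a padding hole */
	unsigned int argInfo;
	void *arg;
	int val;                 /* followed by a hole on LP64 */
	const char *descrip;
	const char *argDescrip;
};

/* Offset of the first padding byte, directly after shortName. */
#define HOLE_OFFSET (offsetof(struct demo_option, shortName) + sizeof(char))

/* Compile-time check that the hole exists on this ABI. */
typedef char demo_hole_exists[
	(HOLE_OFFSET < offsetof(struct demo_option, argInfo)) ? 1 : -1];

typedef int (*end_test_fn)(const struct demo_option *);

/* Fragile: compares the whole object representation, padding included. */
static int is_end_memcmp(const struct demo_option *o)
{
	struct demo_option zero;

	memset(&zero, 0, sizeof(zero));
	return memcmp(o, &zero, sizeof(zero)) == 0;
}

/* Robust: compares only the named members. */
static int is_end_fields(const struct demo_option *o)
{
	return o->longName == NULL && o->shortName == '\0' &&
	       o->argInfo == 0 && o->arg == NULL && o->val == 0 &&
	       o->descrip == NULL && o->argDescrip == NULL;
}

/* Count entries before the terminator; never reads past max entries. */
static size_t count_options(const struct demo_option *table, size_t max,
			    end_test_fn is_end)
{
	size_t i;

	for (i = 0; i < max; i++) {
		if (is_end(&table[i])) {
			return i;
		}
	}
	return max; /* no terminator recognised within the array */
}

/* Constructed sample: two options plus an all-zero terminator whose
 * padding holds a stale byte, as stack or heap memory may. */
static void build_table(struct demo_option table[3])
{
	memset(table, 0, 3 * sizeof(table[0]));
	table[0].longName = "alpha";
	table[0].shortName = 'a';
	table[0].val = 1;
	table[1].longName = "beta";
	table[1].shortName = 'b';
	table[1].val = 2;
	/* Writing through unsigned char touches only the padding byte. */
	((unsigned char *)&table[2])[HOLE_OFFSET] = 0xAA;
}

size_t demo_count_memcmp(void)
{
	struct demo_option table[3];

	build_table(table);
	return count_options(table, 3, is_end_memcmp);
}

size_t demo_count_fields(void)
{
	struct demo_option table[3];

	build_table(table);
	return count_options(table, 3, is_end_fields);
}

int main(void)
{
	printf("memcmp terminator test: %zu entries\n", demo_count_memcmp());
	printf("field terminator test:  %zu entries\n", demo_count_fields());
	return 0;
}
```

The memcmp() variant stops only because of the `max` bound; a length loop without that bound would keep reading past the end of the array.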

[SCM] Samba Shared Repository - branch master updated

2021-06-15 Thread Andrew Bartlett
The branch, master has been updated
   via  1f724a9f9bb heimdal_build: Use lib/asn1/rfc2459.opt rather than 
hard-coded
   via  d84c4f68f00 heimdal_build: Add C99 struct initializer in 
source4/heimdal_build/krb5-glue.c
   via  59eac15a4ff build: in SAMBA_BINARY use TO_LIST(cflags)
   via  d62917d3d7e heimdal_build: Provide C defines showing which Kerberos 
library is in use
   via  7b4aef782cd gse_krb5: Provide keytab name in 
fill_mem_keytab_from_dedicated_keytab() error strings.
   via  a1fa1f695f9 heimdal_build: check for secure_getenv
   via  f810e9119f3 heimdal_build: Set up new build groups for the Heimdal 
hostcc components
   via  4be71c7a059 heimdal_build: Rework Heimdal warning handling
  from  7d0b6904cc4 docs: Improve wording, fix a typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1f724a9f9bb5cf133bb21222cdc23eaad57eed85
Author: Andrew Bartlett 
Date:   Tue Jun 15 15:24:17 2021 +1200

heimdal_build: Use lib/asn1/rfc2459.opt rather than hard-coded

Based on patch by Stefan Metzmacher in his Heimdal upgrade branch

lib/asn1/rfc2459.opt imported from
lorikeet-heimdal-abartlet/lorikeet-heimdal-201107241840-plus-recent-changes
which is the closest tree I could find, and matches the options being
removed from the wscript_build file.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 15 23:25:27 UTC 2021 on sn-devel-184

commit d84c4f68f00d4f2b941531235d3d5ba6da73ca6f
Author: Stefan Metzmacher 
Date:   Fri Nov 22 16:01:07 2019 +0100

heimdal_build: Add C99 struct initializer in 
source4/heimdal_build/krb5-glue.c

This avoids uninitialised structure members in this dummy
structure we include to avoid including more of Heimdal.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit 59eac15a4ff17cdb52b2b28b120e3fee4b085b68
Author: Stefan Metzmacher 
Date:   Fri Nov 22 16:11:41 2019 +0100

build: in SAMBA_BINARY use TO_LIST(cflags)

This avoids unfortunate issues when the cflags is
already a list, as then -fPIC becomes ['-f', 'P', 'I', 'C'].

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

commit d62917d3d7eeb9c5782d7230a4012b5a9235154f
Author: Stefan Metzmacher 
Date:   Thu Apr 2 07:31:33 2020 +0000

heimdal_build: Provide C defines showing which Kerberos library is in use

Squashed from patches by Stefan Metzmacher as part of his Heimdal update 
branch

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Stefan Metzmacher 

commit 7b4aef782cdc8d801b91a2538a942a4e5bab4f94
Author: Andrew Bartlett 
Date:   Mon Sep 25 15:18:34 2017 +1300

gse_krb5: Provide keytab name in fill_mem_keytab_from_dedicated_keytab() 
error strings.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit a1fa1f695f9387880218440b5787fd98396f107d
Author: Andrew Bartlett 
Date:   Tue Sep 26 12:01:37 2017 +1300

heimdal_build: check for secure_getenv

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit f810e9119f3862bf238297f82940420c5bd2df4a
Author: Andrew Bartlett 
Date:   Tue Jun 15 13:50:48 2021 +1200

heimdal_build: Set up new build groups for the Heimdal hostcc components

This is based on various patches by Stefan Metzmacher in the patch set for
the Heimdal upgrade.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 4be71c7a0594fd54fbf6949df49973cd4f9eabe8
Author: Andrew Bartlett 
Date:   Mon Jun 14 11:14:06 2021 +1200

heimdal_build: Rework Heimdal warning handling

If we have all the right -Wno-error flags then we can enable warnings
more generally, otherwise just set -Wno-strict-overflow (if available)

Adapted from patches by Stefan Metzmacher in his
branch to update Heimdal.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 buildtools/wafsamba/wafsamba.py         | 14 +++---
 lib/replace/wscript                     |  2 +-
 source3/librpc/crypto/gse_krb5.c        |  7 ++-
 source4/heimdal/lib/asn1/rfc2459.opt    |  6 +++
 source4/heimdal_build/krb5-glue.c       | 18 +---
 source4/heimdal_build/wscript_build     | 80 -
 source4/heimdal_build/wscript_configure | 13 --
 wscript_configure_embedded_heimdal      |  1 +
 wscript_configure_system_heimdal        |  2 +
 wscript_configure_system_mitkrb5        |  1 +
 10 files changed, 74 insertions(+), 70 deletions(-)
 create mode 100644 source4/heimdal/lib/asn1/rfc2459.opt


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b

[SCM] Samba Shared Repository - branch master updated

2021-06-11 Thread Andrew Bartlett
The branch, master has been updated
   via  4152499652c pytests: add dns_aging, embracing and extending ageing 
tests
   via  e9a265612a7 py: samba.dnsserver: add helper for record buffers
   via  581d7a528e8 pytest:dns_base: make_txt_update can set arbitrary TTL
   via  e37437f1ff0 pydns: expose dns_records_match() as 
dsdb_dns.records.match()
   via  b7077203256 dns: merge dns_records_match and dns_record_match
   via  64e637802fc dlz: remove pretense of HINFO support
   via  51ace4d0010 dns_record_match: drop pretense of HINFO support
   via  341febfb264 dns common: dns_records_match() matches tombstones
   via  070e7113d4c dns: merge dlz/internal dns_records_match()
   via  f6025d9f340 dlz_bind9: remove redundant logging in b9_record_match()
   via  421dc7fc4d8 python:subunit: Avoid misleading "Test was never 
started" error message
   via  18b78fa4b46 python:subunit: Remove write_traceback()
   via  3031e8071c8 python:subunit: Fix skipping a test with no reason given
  from  18394daf1e6 dbcheck: formatting

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4152499652c2d5e5eb9ccf5a6a61c273ac6e5f13
Author: Douglas Bagnall 
Date:   Wed Apr 28 17:40:08 2021 +1200

pytests: add dns_aging, embracing and extending ageing tests

This incorporates tests from various dns*.py files, but makes them
correct.

All but one of these tests pass against Windows 2012r2.

Further patches will remove the broken tests in other files, and fix
Samba so it passes these.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jun 11 09:29:23 UTC 2021 on sn-devel-184

commit e9a265612a71d5b68197d2bcb205ec58c29463e5
Author: Douglas Bagnall 
Date:   Thu May 13 03:51:45 2021 +0000

py: samba.dnsserver: add helper for record buffers

We *always* make these steps when we get a record.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 581d7a528e86a8354ec20243deb2c436d9cf861d
Author: Douglas Bagnall 
Date:   Wed May 19 02:39:00 2021 +0000

pytest:dns_base: make_txt_update can set arbitrary TTL

Also, improve a variable name.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e37437f1ff0975d0923a89c0ed8a140cf005ba5b
Author: Douglas Bagnall 
Date:   Fri May 28 18:08:56 2021 +1200

pydns: expose dns_records_match() as dsdb_dns.records.match()

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit b7077203256aac45e64497614f58555b182d4a33
Author: Douglas Bagnall 
Date:   Sat May 29 21:25:29 2021 +1200

dns: merge dns_records_match and dns_record_match

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 64e637802fc58f0215160449fbdd7686150d10d2
Author: Douglas Bagnall 
Date:   Fri Apr 23 19:49:05 2021 +1200

dlz: remove pretense of HINFO support

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 51ace4d00106920cfae560d3d4489c5daefdeb79
Author: Douglas Bagnall 
Date:   Tue Apr 13 12:06:16 2021 +1200

dns_record_match: drop pretense of HINFO support

We don't support it really, and if we did there is no sense in which
it could be updated, which is the context in which this function is
used.

(modern HINFO returns the constant string "RFC8482". See RFC 8482).

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 341febfb264c68b2e459e066c0824b38cb6be84a
Author: Douglas Bagnall 
Date:   Tue Apr 13 09:57:33 2021 +1200

dns common: dns_records_match() matches tombstones

This will be needed by the RPC server. Other callers already filter
out tombstones, so this is OK.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett

commit 070e7113d4c9f267db856eb4db6d6c2505047a64
Author: Douglas Bagnall 
Date:   Tue Apr 13 07:00:41 2021 +1200

dns: merge dlz/internal dns_records_match()

We have had three nearly identical functions called
dns_record[s]_match. This patch merges two of them, attempting to keep
the good bits and not the bugs.

That means:

1. We use the AAAA match from dlz, which is agnostic to all the
billions of ways you can write the same IPv6 address (case sensitivity
is just the beginning).

2. We lean more on the TXT match from dns_utils, because the dlz used
a weird bitwise &= operator, but we adjust to exit early.

3. Keep HINFO from dlz (for now).

4. Use the dns_name_equal() that was already in dns_common, which was
used by dlz. dns_utils had a strange one that probably did the same
thing.

Signed-off-by: Douglas Bagnall 
Reviewed-by: 

[SCM] Samba Shared Repository - branch master updated

2021-06-11 Thread Andrew Bartlett
The branch, master has been updated
   via  18394daf1e6 dbcheck: formatting
   via  5bf75d01c79 dbcheck: Refactor RID Set check to use free_rid_bounds()
   via  739d7e54e78 netcmd: Avoid conflicting SIDs when creating an offline 
backup
   via  2a3b82ae237 ridalloc: Don't skip the first RID of a pool
   via  59d293b6060 netcmd: Use next_free_rid() function to calculate a SID 
for restoring a backup
   via  7c7cad81844 python/tests/dsdb: Add tests for RID allocation 
functions
   via  cc98e03e7a0 dsdb: Add next_free_rid() function to allocate a RID 
without modifying the database
   via  b7e6a1c5da7 netcmd: Add tests for performing an offline backup 
immediately after joining a domain
   via  4feb353f705 dbcheck: check correct RID set attributes when looking 
for SID conflicts
   via  9bfba62c484 netcmd: Refactor seizing DNS roles while restoring from 
a backup
   via  fb0d71b3587 netcmd: Use correct path for state directory during 
offline backup
   via  11dae9cf367 tests: Specify additional modules for 'vfs objects' 
parameter
   via  658e5a6cc20 netcmd: Ignore rIDUsedPool attribute in offline domain 
backup test
   via  e8c242bed19 netcmd: Fix error-checking condition
   via  9f1e5637bc5 provision: Refactor another usage of 
create_dns_dir_keytab_link
   via  ae5964be424 sambadns: Create BINDDNS_DIR/dns.keytab link to 
PRIVATE_DIR/dns.keytab on DC join
   via  f5c26f7231e samba_upgradedns: Create binddns_dir if it doesn't 
already exist
   via  c6b2846c9d6 testprogs: Test that dns.keytab is created after a dns 
upgrade
   via  3e4ec0a90a2 pyldb: Fix Message.items() for a message containing 
elements
   via  79a898e2b71 pyldb: Add test for Message.items()
   via  bb4d06e15e4 sambadns: Fix docstring for create_dns_dir()
   via  e7754b56a1d pytest: Fix typo in docstring
   via  fec996ff277 samldb: Fix function name typo in error message
   via  51afb64d68f selftest: Remove duplicate variable assignment
  from  e165dcc770e selftest: Only set netbios aliases for the ad_member env

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 18394daf1e6e7b71fe903d8061dc30e1b58ca3dd
Author: Joseph Sutton 
Date:   Fri Jun 4 11:37:56 2021 +1200

dbcheck: formatting

Reduce the length of some lines to 79 characters or less.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jun 11 08:28:28 UTC 2021 on sn-devel-184

commit 5bf75d01c792793ef60219250b7e22ea0846ab03
Author: Joseph Sutton 
Date:   Fri Jun 4 11:32:00 2021 +1200

dbcheck: Refactor RID Set check to use free_rid_bounds()

This function provides a simpler method of getting the bounds of the
range of RIDs we want to check. We also now check that the low bound is
less than the high bound for both rIDAllocationPool and
rIDPreviousAllocationPool.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 739d7e54e78046dc77385b882fbba38ab5e7bd60
Author: Joseph Sutton 
Date:   Wed Jun 2 17:00:33 2021 +1200

netcmd: Avoid conflicting SIDs when creating an offline backup

To allow the new DC object to be created in a restored domain while
avoiding conflicts with existing SIDs, we fetch a SID that is available
at the time of backing up and store it in the backed-up database.
However, if a new security principal is created on this DC during the
backup process, the stored SID may be reused for that object, resulting
in an error on restoration.

By getting the SID for restore only after all the database files have
been backed up, we ensure that the chosen SID does not conflict with any
objects in the backed-up database.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 2a3b82ae2373c39a0a113d75a27a196b5233fe32
Author: Joseph Sutton 
Date:   Tue Jun 1 12:03:38 2021 +1200

ridalloc: Don't skip the first RID of a pool

Previously, if either of the rIDPreviousAllocation and rIDNextRID
attributes were not present in a RID Set, the first RID in
rIDAllocationPool was skipped over when determining their values.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 59d293b60608172ae61551c642d13d3b215924e4
Author: Joseph Sutton 
Date:   Thu May 27 15:35:35 2021 +1200

netcmd: Use next_free_rid() function to calculate a SID for restoring a 
backup

This means we won't get errors if the DC doesn't have a rIDNextRID
attribute, but we will still error if there is no RID Set or if all its
pools are exhausted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

[SCM] Samba Shared Repository - branch master updated

2021-05-27 Thread Andrew Bartlett
The branch, master has been updated
   via  f753e2f7acf s3:lib: Remove util_cmdline
   via  c377845d27d s3:lib: Remove popt_samba3
   via  c90b3db95a9 s3:printing: Migrate samba-bgqd to new cmdline option 
parser
   via  84b5440eb4f s3:libsmb: Use cli_credentials to store traversal creds
   via  1796737eaee docs-xml: Update net manpage for new cmdline opition 
parser
   via  ea071d278a6 s3:utils: Use connection and credentials parser in net 
util
   via  91d20d1d111 s3:utils: Add cli_credentials and loadparm_context to 
net_context
   via  6fe55b2f261 s3:utils: Migrate net to new cmdline option parser
   via  94fc9ca4c50 s3:utils: Remove '-l' for '--long' from net
   via  f2b80723d38 examples: Migrate smb2mount to new cmdline option parser
   via  06a1861ca86 examples: Pass cli_credentials to connect_one in 
smb2mount
   via  8b01db48f43 docs-xml: Update smbtree manpage for new cmdline 
opition parser
   via  e8ba85b4a80 s3:utils: Migrate smbtree to new cmdline option parser
   via  5faa0cc81f3 docs-xml: Update smbcquotas manpage for new cmdline 
opition parser
   via  7b0b9826c28 s3:utils: Migrate smbcquotas to the new cmdline option 
parser
   via  9fccbfd5d95 s3:utils: Rename --user to --quota-user in smbcquotas
   via  fb89a5f38e1 s3:utils: Use samba_cmdline_burn() in smbget
   via  c31d9fa8f5e docs-xml: Update samba-regedit manpage for new cmdline 
opition parser
   via  b58dc5056e8 s3:utils: Migrate samba-regedit to new cmdline option 
parser
   via  57434b1484a docs-xml: Update smbcacls manpage for new cmdline 
opition parser
   via  e652f542e07 s3:utils: Migrate smbcacls to new cmdline option parser
   via  83eea54ff6e s3:utils: Use cli_credentials in 'struct 
cacl_callback_state'
   via  1280531a73d s3:utils: Pass cli_credentials to connect_one()
  from  e9a804c9bdb s3:param:py_param - allocate buffer for nt_name and 
comment

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f753e2f7acf8f3394a5f1107344d0323acc05694
Author: Andreas Schneider 
Date:   Wed Jan 13 16:14:31 2021 +0100

s3:lib: Remove util_cmdline

[ASCII art, 1992 - 2021]

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 28 03:41:52 UTC 2021 on sn-devel-184

commit c377845d27d4dcd7c1791e8b2b42b0f21c9d8bf3
Author: Andreas Schneider 
Date:   Wed Jan 13 15:01:56 2021 +0100

s3:lib: Remove popt_samba3

[ASCII art, 2003 - 2021]

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c90b3db95a9ae43327d8e2f09d39b27505c38f7c
Author: Andreas Schneider 
Date:   Tue May 25 09:36:48 2021 +0200

s3:printing: Migrate samba-bgqd to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 84b5440eb4f3c10e2729e916d097f5af07150dcd
Author: Andreas Schneider 
Date:   Wed Jan 13 16:11:17 2021 +0100

s3:libsmb: Use cli_credentials to store traversal creds

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 1796737eaee9d2e16bb034ce50c095a9546232f2
Author: Andreas Schneider 
Date:   Tue Jan 19 07:42:08 2021 +0100

docs-xml: Update net manpage for new cmdline opition parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

[SCM] Samba Shared Repository - branch master updated

2021-05-24 Thread Andrew Bartlett
The branch, master has been updated
   via  a4c0666f6bc docs-xml: Update pdbedit manpage for new cmdline 
opition parser
   via  aff65c0754c s3:utils: Migrate pdbedit to the new cmdline option 
parser
   via  95e82b5b5f8 docs-xml: Update sharesec manpage for new cmdline 
opition parser
   via  b41a0cd199d s3:utils: Migrate sharesec to new cmdline option parser
   via  4f81d8459a4 s3:utils: Remove '-V' for '--viewsddl' from sharesec
   via  d8b6e843fb4 s3:utils: Migrate spilt_tokens to new cmdline option 
parser
   via  0a6d6a28594 docs-xml: Update smbcontrol manpage for new cmdline 
opition parser
   via  824c355ed78 s3:utils: Migrate smbcontrol to new cmdline option 
parser
   via  774663094d5 s3:utils: Migrate dbwrap_torture to new cmdline option 
parser
   via  6bb6e0c54f8 docs-xml: Update smbstatus manpage for new cmdline 
opition parser
   via  ee5e420dc5c s3:utils: Migrate smbstatus to new cmdline option parser
   via  54f14587353 docs-xml: Update ntlm_auth manpage for new cmdline 
opition parser
   via  c96e94fbef8 s3:utils: Migrate ntlm_auth to new cmdline option parser
   via  f0cd9afa8cb lib:cmdline: Add a --configfile only parser for 
ntlm_auth
   via  c88a8a3cbea docs-xml: Update mdfind manpage for new cmdline opition 
parser
   via  6b4710b5f3c s3:utils: Migrate mdfind to new cmdline option parser
   via  667da24bd34 docs-xml: Update testparm manpage for new cmdline 
opition parser
   via  e63bf24d89a s3:utils: Migrate testparm to new cmdline option parser
   via  a5a2636e20d lib:cmdline: Add a --option only parser for testparm
   via  e2b2baeb549 docs-xml: Update nmblookup manpage for new cmdline 
opition parser
   via  4a8a77c21d4 s3:utils: Migrate nmblookup to new cmdline option parser
   via  60427f5191e s3:utils: Remove duplicate '-R' option from nmblookup
   via  17513416714 docs-xml: Update dbwrap_tool manpage for new cmdline 
opition parser
   via  8e1fe474c9b s3:utils: Migrate dbwrap_tool to new cmdline option 
parser
   via  00cbce7bc9b docs-xml: Update profiles manpage for new cmdline 
opition parser
   via  7d6608d1f91 s3:utils: Migrate profiles to new cmdline option parser
   via  9d9ed421b26 docs-xml: Update smbcacls manpage
   via  2d7740f65c6 docs: Update list of available commands in rpcclient
   via  139cefceca2 s3:rpcclient: Document command of witness protocol
  from  1d781bbff84 s3: smbd: Allow SMB1+UNIX extensions rename of dangling 
symlink.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a4c0666f6bc3ccb6eedb3f5c3ff3746ae07d1c47
Author: Andreas Schneider 
Date:   Mon Jan 18 16:28:28 2021 +0100

docs-xml: Update pdbedit manpage for new cmdline opition parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue May 25 01:14:09 UTC 2021 on sn-devel-184

commit aff65c0754c7727e8fe9b9449ad8c2a90d715086
Author: Andreas Schneider 
Date:   Wed Jan 13 13:42:53 2021 +0100

s3:utils: Migrate pdbedit to the new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 95e82b5b5f87836ae1c6efca970d9059d1cfeca4
Author: Andreas Schneider 
Date:   Mon Jan 18 15:42:39 2021 +0100

docs-xml: Update sharesec manpage for new cmdline opition parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit b41a0cd199dfc0e67664026b90ba3b5cb87e5c23
Author: Andreas Schneider 
Date:   Wed Jan 13 13:40:26 2021 +0100

s3:utils: Migrate sharesec to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 4f81d8459a48aecf6d342045caa1531234f4f87f
Author: Andreas Schneider 
Date:   Mon Jan 18 09:02:22 2021 +0100

s3:utils: Remove '-V' for '--viewsddl' from sharesec

The '-V' is already used for '-V|--version' in the common options.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit d8b6e843fb4dbb6f2e5e21015e14136f6103b677
Author: Andreas Schneider 
Date:   Wed Jan 13 13:32:24 2021 +0100

s3:utils: Migrate spilt_tokens to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0a6d6a28594813f40e773f0205907947b02077d2
Author: Andreas Schneider 
Date:   Mon Jan 18 15:38:35 2021 +0100

docs-xml: Update smbcontrol manpage for new cmdline opition parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 824c355ed786994e0b696c446edfb86e6a79d2c1
Author: Andreas Schneider 
Date:   Wed Jan 13 13:28:11 2021 +0100

s3:utils: Migrate smbcontrol to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 774663094d5bcbf47453fdcf69dabf1793fbcf56
Author: Andreas

[SCM] Samba Shared Repository - branch master updated

2021-05-19 Thread Andrew Bartlett
The branch, master has been updated
   via  09fed102c58 s3:utils: Migrate tevent_glib_tracker to new cmdline 
option parser
   via  de159c40c5b s3:torture: Migrate pdbtest to new cmdline option parser
   via  a19b9a2d4b9 docs-xml: Update vfstest manpage for new cmdline 
option parser
   via  279c95cebfe s3:torture: Migrate vfstest to new cmdline option parser
   via  f81fe73f531 s3:rpc_server: Migrate test_mdsparser_es to new cmdline 
option parser
   via  0f6c86b2013 s3:lib: Migrate smbconftort to new cmdline option parser
   via  b87c36cb783 s3:param: Migrate test_lp_load to new cmdline option 
parser
   via  9caa71efa96 lib:cmdline: Add SAMBA_CMDLINE_CONFIG_NONE
   via  0433896ee8a lib:cmdline: Add a debug only option
   via  7fa1ae04df6 testprogs: Add additional rpcclient tests for new 
cmdline options
   via  ba7c2cee9d0 testprogs: Rename test_rpc_getusername_legacy()
   via  75088fdba74 docs-xml: Update rpcclient manpage for new cmdline 
option parser
   via  4fb4da396c6 s3:rpcclient: Migrate rpcclient to new cmdline option 
parser
   via  4f9c07c0212 s3:rpcclient: Pass cli_credentials to process_cmd()
   via  894b8b3cab6 s3:rpcclient: Pass cli_credentials to do_cmd()
   via  ff7d4a65cab testprogs: Add more smbclient kerberos tests for new 
cmdline options
   via  74b2a52eebc docs-xml: Update smbclient manpage for new cmdline 
option parser
   via  7b70a72b15c s3:client: Use samba_popt_get_context()
   via  64b8a3abeeb s3:client: Remove duplicate name-resolv (R) options
   via  e4474ac0a54 s3:client: Migrate smbclient to new cmdline option 
parser
  from  c216e056b22 selftest: Rename offline logon env to ad_member_offlogon

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 09fed102c584caa5587df7bebde317f0dc51fbb7
Author: Andreas Schneider 
Date:   Tue Jan 12 12:58:24 2021 +0100

s3:utils: Migrate tevent_glib_tracker to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 20 03:49:30 UTC 2021 on sn-devel-184

commit de159c40c5be8862270ca07b40c522cd9bacf6f4
Author: Andreas Schneider 
Date:   Tue Jan 12 12:53:08 2021 +0100

s3:torture: Migrate pdbtest to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a19b9a2d4b975fc13b882bfa2d714791d922dfea
Author: Andreas Schneider 
Date:   Mon Jan 18 10:24:09 2021 +0100

docs-xml: Update vfstest manpage for new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 279c95cebfed3aa8adbad6edad57e5bdbad6abf2
Author: Andreas Schneider 
Date:   Tue Jan 12 12:08:18 2021 +0100

s3:torture: Migrate vfstest to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit f81fe73f531798a2530efe6b01700135585510d6
Author: Andreas Schneider 
Date:   Wed Jan 13 13:53:55 2021 +0100

s3:rpc_server: Migrate test_mdsparser_es to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0f6c86b201367675e1181cb31bcf5ed249683f9a
Author: Andreas Schneider 
Date:   Tue Jan 12 11:59:58 2021 +0100

s3:lib: Migrate smbconftort to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit b87c36cb7832910edbe2cff11cd7570b23f8013b
Author: Andreas Schneider 
Date:   Fri Jan 8 08:27:19 2021 +0100

s3:param: Migrate test_lp_load to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 9caa71efa96b502b65ae59fb54397eb43b55e333
Author: Andreas Schneider 
Date:   Wed Jan 13 09:56:41 2021 +0100

lib:cmdline: Add SAMBA_CMDLINE_CONFIG_NONE

This will prevent loading a config file. This will be needed for
testparm.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0433896ee8a0184d7e17b94f2309b457c65fc72d
Author: Andreas Schneider 
Date:   Tue Jan 5 14:23:27 2021 +0100

lib:cmdline: Add a debug only option

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 7fa1ae04df6fb0a3dc48471c2a468b569e0231f7
Author: Andreas Schneider 
Date:   Wed Dec 2 17:15:05 2020 +0100

testprogs: Add additional rpcclient tests for new cmdline options

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit ba7c2cee9d04d2e8a1ff46eaf0332594ac5b89a8
Author: Andreas Schneider 
Date:   Wed Dec 2 17:07:14 2020 +0100

testprogs: Rename test_rpc_getusername_legacy()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 75088fdba74e010a3f9673834eb1fc21add7caad
Author: Andreas Schneider 
Date:   Mon Jan 18 10:04:47 2021 +0100

docs

[SCM] Samba Shared Repository - branch master updated

2021-05-17 Thread Andrew Bartlett
The branch, master has been updated
   via  a204e42c2f8 dlz: remove support for ancient binds
   via  3103d948f6b dlz: do not build for Bind 9.8 or 9.9
   via  3ef2b588e85 dlz torture: update to supported DLZ API
   via  7d7017b3024 samba-tool:testparm: Display nicer parameter dump error 
messages
   via  11f26877ce1 samba-tool:testparm: Test error handling for unknown 
sections and parameters
   via  e54563861b2 samba-tool:testparm: Fix error with --section-name
   via  33bb6ad3563 samba-tool:testparm: Test that --section-name works 
without --parameter-name
  from  52744d35a37 nmbd: Reduce the wait interface loop sleep time

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a204e42c2f84cb0930f6996880af4de85f5794ec
Author: Douglas Bagnall 
Date:   Fri Apr 23 19:37:55 2021 +1200

dlz: remove support for ancient binds

We no longer support versions of bind that have
DLZ_DLOPEN_VERSION != 3, so we no longer need all these ifdefs.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon May 17 22:29:01 UTC 2021 on sn-devel-184

commit 3103d948f6b94872326d8b7e88fe328fed910eae
Author: Douglas Bagnall 
Date:   Sat Apr 24 15:25:25 2021 +1200

dlz: do not build for Bind 9.8 or 9.9

If we drop support for versions before Bind 9.10 (which itself went
EOL in 2018) we can get rid of a whole lot of ifdefs for old API
versions that no-one should be using.

This patch stops the build, the next one clears out the ifdefs.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3ef2b588e85ae47c52da16245fe873619a49e2fb
Author: Douglas Bagnall 
Date:   Sat Apr 24 15:25:44 2021 +1200

dlz torture: update to supported DLZ API

Bind 9.8 went EOL in 2014, but we still run our tests using the API
version that it alone uses.

This patch changes it to use the API of versions 9.10 onwards.

We don't change what we test or make use of the new API, just pass
around some NULL pointers.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 7d7017b30248c2855248a9bab56fd5b91597686c
Author: Joseph Sutton 
Date:   Wed Apr 28 15:46:46 2021 +1200

samba-tool:testparm: Display nicer parameter dump error messages

Now we catch errors for unknown sections or parameters and turn them
into CommandErrors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143

Signed-off-by: Joseph Sutton 
Reviewed-by: Rowland Penny 
Reviewed-by: Andrew Bartlett 

commit 11f26877ce1849439948c8d1f12dc9dd43cd534d
Author: Joseph Sutton 
Date:   Thu Apr 29 20:23:21 2021 +1200

samba-tool:testparm: Test error handling for unknown sections and parameters

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143

Signed-off-by: Joseph Sutton 
Reviewed-by: Rowland Penny 
Reviewed-by: Andrew Bartlett 

commit e54563861b2b06370fe3a2a10d7e7df2e3e18f24
Author: Joseph Sutton 
Date:   Thu Apr 22 12:57:24 2021 +1200

samba-tool:testparm: Fix error with --section-name

Pass the correct parameters into LoadparmService.dump() so that
--section-name works properly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143

Signed-off-by: Joseph Sutton 
Reviewed-by: Rowland Penny 
Reviewed-by: Andrew Bartlett 

commit 33bb6ad35635590be112e94941dbfc02b4db1d30
Author: Joseph Sutton 
Date:   Thu Apr 29 20:17:09 2021 +1200

samba-tool:testparm: Test that --section-name works without --parameter-name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143

Signed-off-by: Joseph Sutton 
Reviewed-by: Rowland Penny 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 WHATSNEW.txt  |  2 +
 python/samba/netcmd/testparm.py   | 12 +-
 python/samba/tests/netcmd.py  | 68 -
 source4/dns_server/dlz_bind9.c| 17 -
 source4/dns_server/dlz_minimal.h  | 32 ++--
 source4/dns_server/wscript_build  | 22 +--
 source4/torture/dns/dlz_bind9.c   | 79 ++-
 source4/torture/dns/wscript_build |  2 +-
 8 files changed, 138 insertions(+), 96 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 013f5b6eb35..1e407da422e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -49,6 +49,8 @@ supported release of Tru64 UNIX was in 2012.
 NIS support has been removed from this release. This is not
 available in Linux distributions anymore.
 
+The DLZ DNS plugin is no longer built for Bind versions 9.8 and 9.9,
+which have been out of support since 2018.
 
 smb.conf changes
 
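Review bot: the added WHATSNEW sentence says Bind 9.8 and 9.9 "have been out of support since 2018", but the commit messages in this push give 2018 as the end of life of Bind 9.10 and 2014 for Bind 9.8, so the date is attached to the wrong versions. Suggest dropping the year or naming Bind 9.10 as the oldest version the plugin is still built for. The new paragraph also leaves a single blank line before the "smb.conf changes" heading where the old text had two.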
diff --git a/python/samba

[SCM] Samba Shared Repository - branch master updated

2021-04-28 Thread Andrew Bartlett
The branch, master has been updated
   via  757c49f6dc5 s3:winbind: For 'security = ADS' require 
realm/workgroup to be set
   via  32868286094 s3:utils: Tell users that workgroup/realm is required 
for ADS mode
   via  0d243b329bd docs-xml: Update samba.8 manpage for new cmdline 
option parser
   via  236c35f702d s4:samba: Migrate samba daemon to new cmdline option 
parser
   via  7d675bdae9f s4:samba: Pass a talloc memory context to 
binary_smbd_main()
   via  0531f6f5331 docs-xml: Update winbindd manpage for new cmdline 
option parser
   via  93dfd5275d1 docs-xml: Update smbd manpage for new cmdline option 
parser
   via  4be015dd106 docs-xml: Update nmbd manpage for new cmdline option 
parser
   via  3467214cf96 s3: Remove --log-stdout from daemons
   via  c7b1d2d11cf lib:util: Add debug_get_log_type() function
   via  c23f75cd62d s3:winbind: Migrate winbindd to new cmdline option 
parser
   via  d8f84205337 s3:smbd: Migrate smbd to new cmdline option parser
   via  87927173e85 s3:nmbd: Migrate nmbd to new cmdline option parser
  from  7e63e84d47d WHATSNEW: Document removal of NIS support

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 757c49f6dc52afd6ee39c0b282e9a787b6df7a12
Author: Andreas Schneider 
Date:   Wed Apr 28 12:25:42 2021 +0200

s3:winbind: For 'security = ADS' require realm/workgroup to be set

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14695

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Apr 29 04:48:37 UTC 2021 on sn-devel-184

commit 328682860940679553831b6ff23acff4ce80a22f
Author: Andreas Schneider 
Date:   Wed Apr 28 12:09:21 2021 +0200

s3:utils: Tell users that workgroup/realm is required for ADS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14695

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0d243b329bdcf9b884b1db1f415599b5e233e663
Author: Andreas Schneider 
Date:   Thu Feb 11 14:31:26 2021 +0100

docs-xml: Update samba.8 manpage for new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 236c35f702d21fde5db7834ffaeab3f3032a2136
Author: Andreas Schneider 
Date:   Thu Jan 14 09:50:10 2021 +0100

s4:samba: Migrate samba daemon to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 7d675bdae9f659c5402ae3853419b2ee0460d2be
Author: Andreas Schneider 
Date:   Thu Jan 14 09:36:47 2021 +0100

s4:samba: Pass a talloc memory context to binary_smbd_main()

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 0531f6f5331508bb5fa24e3fc5e62aaafa94f383
Author: Andreas Schneider 
Date:   Fri Jan 15 15:14:39 2021 +0100

docs-xml: Update winbindd manpage for new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 93dfd5275d1c05419458a05b0480d9881c0ca1bd
Author: Andreas Schneider 
Date:   Fri Jan 15 14:41:51 2021 +0100

docs-xml: Update smbd manpage for new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 4be015dd106bc45b45dafd49dc20d5ffbf19b457
Author: Andreas Schneider 
Date:   Fri Jan 15 15:10:46 2021 +0100

docs-xml: Update nmbd manpage for new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 3467214cf967641f4e4001a9dfea870f933fc2a3
Author: Andreas Schneider 
Date:   Mon Jan 11 09:52:36 2021 +0100

s3: Remove --log-stdout from daemons

The common cmdline parser provides --debug-stdout.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c7b1d2d11cfc348e654375fc1e880bf4e1773b88
Author: Andreas Schneider 
Date:   Fri Jan 8 08:31:24 2021 +0100

lib:util: Add debug_get_log_type() function

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit c23f75cd62df38179b08ddf4061d434aeb31eb12
Author: Andreas Schneider 
Date:   Mon Jan 11 10:20:41 2021 +0100

s3:winbind: Migrate winbindd to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit d8f84205337a8baae7f4057a042e74b3d1c3633a
Author: Andreas Schneider 
Date:   Tue Jan 5 14:35:39 2021 +0100

s3:smbd: Migrate smbd to new cmdline option parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 87927173e85712c458cf7d0582da14dd2959d2ac
Author: Andreas Schneider 
Date:   Tue Jan 5 14:28:53 2021 +0100

s3:nmbd: Migrate nmbd to new cmdline option parser

This removes --log-stdout as we already have --debug-stdout in the
common options!

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew

[SCM] Samba Shared Repository - branch master updated

2021-04-27 Thread Andrew Bartlett
The branch, master has been updated
   via  eb573067425 docs-xml: Add doc entities for the options of the new 
cmdline parser
   via  8560c310808 lib:cmdline: Add sanity check for options
   via  d945ed03c91 lib:cmdline: Add samba_cmdline_burn()
   via  095bed6aa28 lib:cmdline: Set kerberos=required for 
--use-krb5-ccache=CCACHE
   via  054d11f73a7 lib:cmdline: Implement legacy kerberos options
   via  726ccf1d56b lib:cmdline: Parse cmdline options with popt
   via  e54f5f9527a lib:cmdline: Add callback for loading the config file
   via  6c812505658 lib:cmdline: Add client credentials
   via  5470da07c0f lib:cmdline: Add initial code for new cmdline option 
parser
   via  fcba4eb4329 auth:creds:tests: Add test for 
cli_credentials_get_password_and_obtained()
   via  bd2b1825015 auth:creds: Add 
cli_credentials_get_password_and_obtained()
   via  3b78f4f0932 auth:creds:tests: Add test for 
cli_credentials_get_username_and_obtained()
   via  f33844b70b6 auth:creds: Add 
cli_credentials_get_username_and_obtained()
   via  f65a32fac10 auth:creds:tests: Add test for 
cli_credentials_set_gensec_features()
   via  2fbc63cacc8 auth:creds: Add obtained arg to 
cli_credentials_set_gensec_features()
   via  7accd900352 auth:creds: Use 'client protection' option for smb sign 
and encrypt defaults
   via  4c4353705f3 lib:param: Add 'client protection' config option
   via  5a751ea55e7 auth:creds:tests: Add test for 
cli_credentials_set_kerberos_state()
   via  521f77c6671 auth:creds: Add obtained arg to 
cli_credentials_set_kerberos_state()
   via  a00726593c2 s4:rpc_server: Set Kerberos to desired
   via  08be28241b8 selftest: Check the return code of setup_namespaces()
   via  1cd233712e1 lib:param: Add 'client use kerberos' config parameter
   via  b2bad13ca35 s3:tests: Check for 'Client started' in the log
   via  f291b8f1571 tests: Use --configfile instead of -s
   via  86f7bc7a372 testprogs: Use --suppress-prompt instead of -s for 
testparm
   via  fca9c56836c tests: Use ldbsearch '--scope' instead of '-s'
   via  9fb88e6ee79 docs-xml: Use 'desired' and 'required' for option 
'client ipc signing'
   via  293a941fc01 docs-xml: Use 'desired' and 'required' for option 
'client signing'
   via  c54d5dbe0ce selftest: Specify /dev/null as the smbd config file
   via  24c4fcf8115 s3:winbind: Pass the 'samba' daemon config file to 
winbindd
   via  0b8433cf87f s4:winbind: Add a missing no memory check
   via  ceccb618207 file_server: Pass the 'samba' daemon config file to smbd
   via  d45eddb585c file_server: Add a missing no memory check
   via  0e6e5f9c3a5 s3:utils: Link py_net only against needed 
cmdline_contexts library
   via  e45980ff5de build: Use bison at build time rather than lexyacc.sh 
to build the embedded heimdal
   via  c2c09113e55 heimdal: use correct prototype of yyparse()
   via  3bb4a0df366 heimdal_build: Make HEIMDAL_BINARY be based on 
HEIMDAL_SUBSYSTEM
   via  2ccd5c096aa HEIMDAL: Avoid yydebug compiler warning
   via  e84924fdfe2 python: remove 'from __future__ import unicode_literals'
   via  ba4aa2e8c1f python/hostconfig: remove 'from __future__ import 
absolute_import'
   via  c3a95b22aa1 python: remove all 'from __future__ import division'
   via  aecb2b779b8 python: remove all 'from __future__ import 
print_function'
   via  a4cce28bfa3 .gitlab-ci.yml: Always build the ubuntu1804-samba-o3 
with --enable-coverage
   via  836ad93795c .gitlab-ci.yml: Return code coverage reporting for 
"none" tasks
   via  742ae6172f8 s3-modules: Fix "-Werror=maybe-uninitialized" errors 
only seen with -O3 and --enable-coverage
   via  190e15dfb07 tests: Fix "-Werror=maybe-uninitialized" errors only 
seen with -O3 and --enable-coverage
   via  225fefe6cf8 torture: Avoid -Werror=strict-overflow in -O3 coverage 
build
   via  b5984c3da0f .gitlab-ci.yml and autobuild: Publish the current HTML 
docs with the code coverage
  from  ca6a8037aa1 lib:replace: Fix a possible double free

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit eb5730674252b43251dc5799fa2225a65f2f570c
Author: Andreas Schneider 
Date:   Fri Aug 21 13:33:09 2020 +0200

docs-xml: Add doc entities for the options of the new cmdline parser

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
    
Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 28 04:32:47 UTC 2021 on sn-devel-184

commit 8560c31080881f746946bb88ea8e549b3df97d63
Author: Andreas Schneider 
Date:   Wed Sep 2 17:19:00 2020 +0200

lib:cmdline: Add sanity check for options

Make sure we don't have duplicate options!

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit d945ed03c9

[SCM] Samba Shared Repository - branch master updated

2021-04-21 Thread Andrew Bartlett
The branch, master has been updated
   via  0f29b8c2fee samba-tool: add dns zoneoptions for aging control
   via  38fe888f95f docs: Expand the "log level" docs on audit logging
   via  d03e7ffcff3 docs: underline special words in the audit logging part 
of "log level" in man smb.conf
   via  364b8be9816 docs: Further discourage the use of the "event 
notification" options
   via  a778a3a6420 docs: Add proper explanation on why transactions need 
to be audited.
   via  2e533664e75 docs: Add missing documentation on dsdb_group_audit and 
dsdb_group_audit_json
   via  0d30d74e898 debug: Synchronise "log level" in smb.conf with the code
  from  58c6c031f5d libcli: Fix parsing access flags from multiple tables

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0f29b8c2fee0d6bcc5b83ef237518539179de465
Author: Douglas Bagnall 
Date:   Tue Apr 20 00:07:50 2021 +1200

samba-tool: add dns zoneoptions for aging control

This adds a subcommand for altering zone parameters.

At the moment the only options are related to record aging (a.k.a
scavenging). The code is structured to make it easy to add more
integer or boolean options, but it is not clear that this would be
useful; many other parameters are not used or would only have
deleterious effects.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr 21 10:04:14 UTC 2021 on sn-devel-184

commit 38fe888f95f8d22736080ed521939be932e7bca0
Author: Andrew Bartlett 
Date:   Fri Apr 16 10:43:07 2021 +1200

docs: Expand the "log level" docs on audit logging

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:40:30 2021 +1200

docs: underline special words in the audit logging part of "log level" in 
man smb.conf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 364b8be9816b34b2a1b07c6259345c406d68c9f2
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:45:07 2021 +1200

docs: Further discourage the use of the "event notification" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit a778a3a6420f094a953563b87f84457fdebd20a3
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:44:22 2021 +1200

docs: Add proper explanation on why transactions need to be audited.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:39:49 2021 +1200

docs: Add missing documentation on dsdb_group_audit and 
dsdb_group_audit_json

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa
Author: Andrew Bartlett 
Date:   Thu Apr 15 13:52:38 2021 +1200

debug: Synchronise "log level" in smb.conf with the code

This is done by pasting in the contents of default_classname_table[]
in lib/util/debug.c into
cut -f 2 -d \"| xargs -i sh -c 'echo "\t{}"'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 docs-xml/smbdotconf/logging/loglevel.xml   | 108 +++--
 .../smbdotconf/logon/autheventnotification.xml |  17 ++--
 docs-xml/smbdotconf/misc/dsdbeventnotification.xml |  14 ++-
 .../misc/dsdbgroupchangenotification.xml   |  16 +--
 .../misc/dsdbpasswordeventnotification.xml |  16 +--
 python/samba/netcmd/dns.py |  89 +
 python/samba/tests/samba_tool/dnscmd.py|  54 +++
 7 files changed, 262 insertions(+), 52 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/logging/loglevel.xml 
b/docs-xml/smbdotconf/logging/loglevel.xml
index 273765c6fbe..4c6bb5e7e73 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -24,8 +24,6 @@
printdrivers
lanman
smb
-   smb2
-   smb2_credits
rpc_parse
rpc_srv
rpc_cli
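Review bot: this hunk drops smb2 and smb2_credits from the documented class list, and the visible part of the diff does not show where they come back. The commit message says the list is pasted from default_classname_table[] in lib/util/debug.c, so they should reappear at their table position further down; that needs confirming against the full diff, since the changeset is truncated here. Because the sync is a manual paste through cut and xargs, a test that compares the documented names against the table would keep the two from drifting apart again.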
@@ -41,19 +39,24 @@
msdfs
dmapi
registry
-scavenger
-dns
-ldb
-tevent
-aut

[SCM] Samba Shared Repository - branch master updated

2021-04-16 Thread Andrew Bartlett
The branch, master has been updated
   via  8e3b369c055 allow tests to be run against a PAM-less build
   via  8ff6ad7454d lib/util: fix timespec normalization
   via  254af19ba89 auth4: Remove sync check_password from auth_operations
   via  f852fb4cd4e auth4: Make auth_sam pseudo-async
   via  a6f42ab8a77 auth4: Make auth_unix pseudo-async
   via  43a1e428157 auth4: Make auth_developer pseudo-async
   via  75957313687 auth4: Make auth_anonymous pseudo-async
  from  bfb9cd8b9b3 waf: Check correctly if gnutls has been compiled with 
fips mode support

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8e3b369c0550383499af4b4ebb09513ef0e0635c
Author: Philipp Gesang 
Date:   Wed Apr 14 08:35:40 2021 +0200

allow tests to be run against a PAM-less build

Indexing the config hash table fails for PAM related values:

Traceback (most recent call last):
  File "/src/samba/samba/selftest/tests.py", line 49, in 
pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"]
KeyError: 'PAM_SET_ITEMS_SO_PATH'
Error creating recipe from python3 /src/samba/samba/selftest/tests.py| 
at /src/samba/samba/selftest/selftest.pl line 645.

which prevents the test suite from running when built
--without-pam. Access those values using the get() method
instead.

Signed-off-by: Philipp Gesang 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Apr 16 10:27:41 UTC 2021 on sn-devel-184

commit 8ff6ad7454d9da1dff91c8b827c54008e83cc150
Author: Philipp Gesang 
Date:   Thu Jan 17 11:06:26 2019 +0100

lib/util: fix timespec normalization

When fixing up timespec structs, negative values for the ns part
should be taken into account. Also, the range for a valid ns part
is [0, 10), not [0, 10].

Signed-off-by: Philipp Gesang 
Reviewed-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 254af19ba89b4c42e5f45ec731e6577d2fcc6736
Author: Volker Lendecke 
Date:   Wed Apr 14 22:24:44 2021 +0200

auth4: Remove sync check_password from auth_operations

Remove complexity in the data structures, and push the async-ness
one level down.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit f852fb4cd4e2bcd676a9ea104c5bf00979771eed
Author: Volker Lendecke 
Date:   Thu Apr 15 10:04:21 2021 +0200

auth4: Make auth_sam pseudo-async

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit a6f42ab8a778b9863990da3112c2e868cd006303
Author: Volker Lendecke 
Date:   Wed Apr 14 21:59:55 2021 +0200

auth4: Make auth_unix pseudo-async

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 43a1e42815718591faa8d526319b96d089a758fa
Author: Volker Lendecke 
Date:   Wed Apr 14 22:22:18 2021 +0200

auth4: Make auth_developer pseudo-async

This is a simpler approach to really just wrap the code.

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

commit 759573136876ef2b1b1c7484f99570d7de957e0d
Author: Volker Lendecke 
Date:   Wed Apr 14 21:48:32 2021 +0200

auth4: Make auth_anonymous pseudo-async

Signed-off-by: Volker Lendecke 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/util/tests/time.c  | 53 
 lib/util/time.c| 53 
 lib/util/time.h|  1 +
 selftest/tests.py  |  4 +-
 source4/auth/auth.h|  4 --
 source4/auth/ntlm/auth.c   | 44 ++--
 source4/auth/ntlm/auth_anonymous.c | 66 +
 source4/auth/ntlm/auth_developer.c | 61 ++-
 source4/auth/ntlm/auth_sam.c   | 69 ++-
 source4/auth/ntlm/auth_unix.c  | 85 ++
 source4/auth/ntlm/wscript_build|  4 +-
 11 files changed, 350 insertions(+), 94 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/util/tests/time.c b/lib/util/tests/time.c
index fce0eef5e2e..039f7f4ccf8 100644
--- a/lib/util/tests/time.c
+++ b/lib/util/tests/time.c
@@ -82,6 +82,57 @@ static bool test_timestring(struct torture_context *tctx)
return true;
 }
 
+static bool test_normalize_timespec(struct torture_context *tctx)
+{
+   const struct {
+   time_t in_s; long in_ns;
+   time_t out_s; long out_ns;
+   } data [] = {
+ { 0, 0, 0, 0 }
+   , { 1, 0, 1, 0 }
+   , { -1, 0, -1, 0 }
+   , { 0, 10, 1, 0 }
+   , { 0, 20, 2, 0 }
+   , {
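Review bot: the rows of the data table in test_normalize_timespec() that are visible here all have in_ns >= 0, while the commit message names negative ns values as the case being fixed; the table should contain rows with negative in_ns combined with positive, zero and negative in_s so the fix is pinned down by the test. On style, the leading-comma layout and the space in "data []" differ from the one-row-per-line, trailing-comma form, which would make later additions a one-line diff.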

[SCM] Samba Shared Repository - branch master updated

2021-04-11 Thread Andrew Bartlett
The branch, master has been updated
   via  768d48fca9f tests python krb5: MS-KILE client principal look-up
  from  534de9b2827 VFS: Remove SMB_VFS_CHMOD, no longer used

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2
Author: Gary Lockyer 
Date:   Wed Feb 17 12:15:50 2021 +1300

tests python krb5: MS-KILE client principal look-up

Tests of [MS-KILE]: Kerberos Protocol Extensions
section 3.3.5.6.1 Client Principal Lookup

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Isaac Boukris 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184

---

Summary of changes:
 python/samba/tests/krb5/kdc_base_test.py   |  29 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  | 814 +
 python/samba/tests/usage.py|   1 +
 selftest/knownfail_heimdal_kdc |  12 +
 selftest/knownfail_mit_kdc |  16 +
 source4/selftest/tests.py  |   3 +
 6 files changed, 874 insertions(+), 1 deletion(-)
 create mode 100755 
python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
index bef5458c881..1c7f05dda6d 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -22,6 +22,7 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 from collections import namedtuple
+import ldb
 from ldb import SCOPE_BASE
 from samba import generate_random_password
 from samba.auth import system_session
@@ -103,7 +104,7 @@ class KDCBaseTest(RawKerberosTest):
 for dn in self.accounts:
 delete_force(self.ldb, dn)
 
-def create_account(self, name, machine_account=False, spn=None):
+def create_account(self, name, machine_account=False, spn=None, upn=None):
 '''Create an account for testing.
The dn of the created account is added to self.accounts,
which is used by tearDown to clean up the created accounts.
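Review bot: create_account() gains a upn keyword in the signature, but the docstring directly below it is left unchanged. Add a line stating that upn, when given, is stored as userPrincipalName on the new account, and say what form the caller is expected to pass.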
@@ -133,6 +134,8 @@ class KDCBaseTest(RawKerberosTest):
 "unicodePwd": utf16pw}
 if spn is not None:
 details["servicePrincipalName"] = spn
+if upn is not None:
+details["userPrincipalName"] = upn
 self.ldb.add(details)
 
 creds = Credentials()
@@ -418,3 +421,27 @@ class KDCBaseTest(RawKerberosTest):
 self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn)
 sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0])
 return sid.decode('utf8')
+
+def add_attribute(self, dn_str, name, value):
+if isinstance(value, list):
+values = value
+else:
+values = [value]
+flag = ldb.FLAG_MOD_ADD
+
+dn = ldb.Dn(self.ldb, dn_str)
+msg = ldb.Message(dn)
+msg[name] = ldb.MessageElement(values, flag, name)
+self.ldb.modify(msg)
+
+def modify_attribute(self, dn_str, name, value):
+if isinstance(value, list):
+values = value
+else:
+values = [value]
+flag = ldb.FLAG_MOD_REPLACE
+
+dn = ldb.Dn(self.ldb, dn_str)
+msg = ldb.Message(dn)
+msg[name] = ldb.MessageElement(values, flag, name)
+self.ldb.modify(msg)
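Review bot: add_attribute() and modify_attribute() are line-for-line identical apart from the flag (ldb.FLAG_MOD_ADD versus ldb.FLAG_MOD_REPLACE). Suggest a single private helper that takes the flag, with the two public methods reduced to one-line wrappers, plus a short docstring on each noting that a non-list value is wrapped into a single-element list.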
diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py 
b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
new file mode 100755
index 000..356a25f8e18
--- /dev/null
+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
@@ -0,0 +1,814 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHO

[SCM] Samba Shared Repository - branch master updated

2021-04-07 Thread Andrew Bartlett
The branch, master has been updated
   via  2f0ef147f99 auth/credentials: Remove unneeded try/except syntax
   via  c08f174c35f cracknames: Allow auto-conversion from an extended 
canonical name
   via  7c2b26a431d auth/credentials: Add test for binding with an extended 
canonical name
   via  7679995b95c auth/credentials: Add test for binding with a canonical 
name
   via  6b575838300 cracknames: Add support for SID string format
   via  3e531bb885c auth/credentials: Add test for binding with a domain SID
   via  4d5fb7d279e dcesrv_core: fix build
   via  aac8be5419f s3: rpc_server: Store new association groups in the id 
tree
   via  f5178ef11e6 s3: rpc_server: Search for already created association 
groups
   via  1e559f95870 selftest: Test RPC handles and association groups from 
different connection
   via  de28d915d7f s4:dsdb/password_hash: Add a more useful error message 
for passwords too long to be hashed
   via  e656d8b1ad4 provision tests: Add a test for hashing overly long 
passwords
   via  0730b936d7a s4:dsdb/password_hash: Add additional check for crypt() 
and crypt_r() failure
   via  609ca657652 provision: Decrease the length of random machine 
passwords
   via  88b3d3443b3 s4:dsdb/password_hash: Don't generate crypt() password 
for krbtgt account
   via  05d70f92b63 provision tests: Add test for the CryptSHA256 and 
CryptSHA512 password hashing schemes
  from  24ddc1ca9ca ldb/attrib_handler casefold: simplify space dropping

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2f0ef147f99374dc9543a741f3a9f2c27b904f29
Author: Joseph Sutton 
Date:   Tue Mar 30 16:08:40 2021 +1300

auth/credentials: Remove unneeded try/except syntax

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr  7 10:24:17 UTC 2021 on sn-devel-184

commit c08f174c35fb0159d219f96eaf37f008d76fb41e
Author: Joseph Sutton 
Date:   Tue Mar 30 16:02:27 2021 +1300

cracknames: Allow auto-conversion from an extended canonical name

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 7c2b26a431daa29db99344632d0eda21139a558e
Author: Joseph Sutton 
Date:   Tue Mar 30 16:01:44 2021 +1300

auth/credentials: Add test for binding with an extended canonical name

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 7679995b95c9d572a2e94213f5f55e3641844422
Author: Joseph Sutton 
Date:   Tue Mar 30 16:00:56 2021 +1300

auth/credentials: Add test for binding with a canonical name

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 6b57583830007f745360a5dcab9760a66fd3ad0e
Author: Joseph Sutton 
Date:   Tue Mar 30 16:00:04 2021 +1300

cracknames: Add support for SID string format

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 3e531bb885c90c6d8f10570eda1be20ac44a7c9b
Author: Joseph Sutton 
Date:   Tue Mar 30 13:28:32 2021 +1300

auth/credentials: Add test for binding with a domain SID

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton 
Reviewed-by: Douglas Bagnall 

commit 4d5fb7d279ef899307a560da2bed037cda609f10
Author: Bernd Kuhls 
Date:   Sat Mar 27 17:17:34 2021 +0100

dcesrv_core: fix build

Move include of system/network.h to avoid a build error:

In file included from ../../lib/replace/system/network.h:35,
 from ../../librpc/rpc/dcesrv_core.c:2658:
usr/include/unistd.h: At top level:
usr/include/unistd.h:675:16: error: conflicting types for ‘geteuid’
  675 | extern __uid_t geteuid (void) __THROW;

Signed-off-by: Bernd Kuhls 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit aac8be5419fdd5e63e3558d556c1d1dc4cef
Author: Samuel Cabrero 
Date:   Fri Jun 26 17:20:32 2020 +0200

s3: rpc_server: Store new association groups in the id tree

Right now a new association group is created for each connection
assigning the legacy 0x53F0 id, but it is not stored anywhere. When a
second client requests to join an association group by its id it is not
found and a new one is created with the same ID.

In practise, it means the association groups are not working even in the
same server process.

This commit stores the created association group in the idtree, but to
make use of it assigns a random id instead of the historical 0x53F0.

The test assoc_group_ok2 was wrongly passing before this change because
the same id 0x53F0 was assigned to all association groups.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit

[SCM] Samba Shared Repository - branch master updated

2021-04-06 Thread Andrew Bartlett
The branch, master has been updated
   via  24ddc1ca9ca ldb/attrib_handler casefold: simplify space dropping
   via  2b2f4f51945 ldb: fix ldb_comparison_fold off-by-one overrun
   via  ff1c3af603b build: Only add -Wl,--as-needed when supported
  from  4d3b6506d30 librpc: Remove the gensec dependency from library 
dcerpc-binding

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 24ddc1ca9cad95673bdd8023d99867707b37085f
Author: Douglas Bagnall 
Date:   Tue Dec 8 22:00:55 2020 +1300

ldb/attrib_handler casefold: simplify space dropping

As seen in CVE-2021-20277, ldb_handler_fold() has been making mistakes
when collapsing spaces down to a single space.

This patch fixes the way it handles internal spaces (CVE-2021-20277
was about leading spaces), and involves a rewrite of the parsing loop.

The bug has a detailed description of the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr  7 03:16:39 UTC 2021 on sn-devel-184

commit 2b2f4f519454beb6f2a46705675a62274019fc09
Author: Douglas Bagnall 
Date:   Sat Mar 6 16:05:15 2021 +1300

ldb: fix ldb_comparison_fold off-by-one overrun

We run one character over in comparing all the bytes in two ldb_vals.

In almost all circumstances both ldb_vals would have an allocated '\0'
in the overrun position, but it is best not to rely on that.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit ff1c3af603b47a7e8f9faad8d1c2e4a489559155
Author: Martin Schwenke 
Date:   Mon Mar 29 16:30:37 2021 +1100

build: Only add -Wl,--as-needed when supported

If -Wl,--as-needed is added to EXTRA_LDFLAGS (via ADD_LDFLAGS, as per
commit 996560191ac6bd603901dcd6c0de5d239e019ef4) then on some
platforms (at least CentOS 8 and Fedora 33), any indirect/recursive
dependencies (i.e. private libraries) are added to both the
binary (reqid_test in the CTDB case) and to samba-util.so.  However,
only samba-util.so has rpath set to find private libraries.

When ld.so tries to resolve these dependencies for the binary it
fails. This may be a bug on those platforms, but it occurs reliably
and our users will also hit the bug.  For binaries that have other
private library dependencies (e.g. bundled talloc) rpath will contain
the private library directory so the duplicate private library
dependencies are then found... that is, when it works, it works by
accident!

For some reason (deep in waf or wafsamba) if -Wl,--as-needed is added to
LINKFLAGS (as is done in conf.add_as_needed()) then it works: the direct
dependencies are only added to samba-util.so and the same dependencies
(indirect dependencies for binaries) are not added incorrectly to the
binaries.

So, without changing 1/2 of waf/wafsamba the simplest fix is to revert
to adding -Wl,--as-needed to LINKFLAGS, which was the case before
commit 996560191ac6bd603901dcd6c0de5d239e019ef4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14288

Signed-off-by: Amitay Isaacs 
Signed-off-by: Martin Schwenke 
Reviewed-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/common/attrib_handlers.c | 57 +++-
 lib/ldb/tests/ldb_match_test.c   |  2 ++
 wscript  |  4 +--
 3 files changed, 31 insertions(+), 32 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
index 81a74584bcb..febf2f414ca 100644
--- a/lib/ldb/common/attrib_handlers.c
+++ b/lib/ldb/common/attrib_handlers.c
@@ -54,8 +54,8 @@ int ldb_handler_copy(struct ldb_context *ldb, void *mem_ctx,
 int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
 {
-   char *s, *t;
-   size_t l;
+   char *s, *t, *start;
+   bool in_space;
 
if (!in || !out || !(in->data)) {
return -1;
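Review bot: the new declaration `bool in_space;` has no initial value, and this flag is the state that decides whether a space is kept or dropped. Because the commit message ties the rewrite to CVE-2021-20277 (leading spaces), set it explicitly before the loop's first read and add a one-line comment saying which starting value makes leading spaces disappear. The role of `start` next to `s` and `t` also deserves a short comment at the declaration.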
@@ -67,36 +67,33 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
return -1;
}
 
-   s = (char *)(out->data);
-   
-   /* remove trailing spaces if any */
-   l = strlen(s);
-   while (l > 0 && s[l - 1] == ' ') l--;
-   s[l] = '\0';
-   
-   /* remove leading spaces if any */
-   if (*s == ' ') {
-   for (t = s; *s == ' '; s++, l--) ;
-
-   /* remove leading spaces by moving down the string */
-   memmove(t, s, l);
-
-   s = t;
+   start = (

[SCM] Samba Shared Repository - branch master updated

2021-03-28 Thread Andrew Bartlett
The branch, master has been updated
   via  942c0d2128c build: Notice if flex is missing at configure time
  from  5bc1463a5c6 build: Consolidate --with-dnsupdate with --with-ads 
(which implied HAVE_KRB5)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 942c0d2128cb8e64a9354dde6bdae82a1c1c3d88
Author: Andrew Bartlett 
Date:   Fri Mar 26 21:48:45 2021 +1300

build: Notice if flex is missing at configure time

This may also fix the coverage build by ensuring --noline
is always specified to flex.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14586

Signed-off-by: Andrew Bartlett 
Reviewed-by: Gary Lockyer 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar 29 02:12:23 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/wscript|  9 -
 wscript| 16 +---
 wscript_configure_embedded_heimdal |  3 +++
 3 files changed, 16 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/wscript b/source3/wscript
index 3ee7d0914ed..b7dd5bd737a 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1828,15 +1828,6 @@ main() {
define=None,
on_target=False)
 
-Logs.info("Checking for flex")
-conf.find_program('flex', var='FLEX')
-if conf.env['FLEX']:
-conf.env.FLEXFLAGS = ['-t']
-conf.CHECK_COMMAND('%s --version' % conf.env.FLEX[0],
-   msg='Using flex version',
-   define=None,
-   on_target=False)
-
 with_spotlight_tracker_backend = (
 conf.CONFIG_SET('HAVE_TRACKER')
 and conf.CONFIG_SET('HAVE_GLIB')
diff --git a/wscript b/wscript
index e44436391a8..9c501e9441f 100644
--- a/wscript
+++ b/wscript
@@ -232,6 +232,19 @@ def configure(conf):
 if not (Options.options.without_ad_dc):
 conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
 
+# Check for flex before doing the embedded heimdal checks so we can bail 
if we don't have it.
+Logs.info("Checking for flex")
+conf.find_program('flex', var='FLEX')
+if conf.env['FLEX']:
+conf.CHECK_COMMAND('%s --version' % conf.env.FLEX[0],
+   msg='Using flex version',
+   define=None,
+   on_target=False)
+conf.env.FLEXFLAGS = ['-t']
+
+# #line statements in these generated files cause issues for lcov
+conf.env.FLEXFLAGS += ["--noline"]
+
 if Options.options.with_system_mitkrb5:
 if not Options.options.with_experimental_mit_ad_dc and \
not Options.options.without_ad_dc:
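Review bot: the comment on the new flex check promises a bail-out, but nothing in the added lines fails explicitly when flex is missing: `conf.find_program('flex', var='FLEX')` is followed only by an `if conf.env['FLEX']:` guard around the version check. The fatal error is in wscript_configure_embedded_heimdal, so name that file in the comment; otherwise the ordering requirement between the two files is easy to break in a later reshuffle.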
@@ -355,9 +368,6 @@ def configure(conf):
  msg="Checking compiler for full RELRO support"):
 conf.env['ENABLE_RELRO'] = True
 
-# #line statements in these generated files cause issues for lcov
-conf.env.FLEXFLAGS += ["--noline"]
-
 conf.SAMBA_CONFIG_H('include/config.h')
 
 def etags(ctx):
diff --git a/wscript_configure_embedded_heimdal 
b/wscript_configure_embedded_heimdal
index 8c55ae2a938..92a29f71bf8 100644
--- a/wscript_configure_embedded_heimdal
+++ b/wscript_configure_embedded_heimdal
@@ -1 +1,4 @@
+if not conf.env['FLEX']:
+conf.fatal("Embedded Heimdal build requires flex but it was not found.  
Install flex or use --with-system-mitkrb5 or --with-system-heimdalkrb5")
+
 conf.RECURSE('source4/heimdal_build')


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-03-23 Thread Andrew Bartlett
The branch, master has been updated
   via  bf1c294adb7 auth:creds: Free the uname pointer in 
cli_credentials_parse_string()
   via  aa34799600b auth:creds: Don't include credentials_internal.h twice
   via  d7c111514ad netcmd: Fix opening SamDB database for offline backup
   via  bb3dcd403ce netcmd: Workaround issue backing up offline domain with 
lmdb >= 0.9.26
  from  c871c224611 s3:netapi: Add libnetapi_set_creds()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bf1c294adb7ef623d0da1dd9b43d3b3fab58fa26
Author: Andreas Schneider 
Date:   Mon Mar 22 18:11:33 2021 +0100

auth:creds: Free the uname pointer in cli_credentials_parse_string()

The data is duplicated and we don't need it anymore.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 24 03:13:05 UTC 2021 on sn-devel-184

commit aa34799600bc95758d01bc9d7b3dd58f251d71ad
Author: Andreas Schneider 
Date:   Thu Dec 3 17:10:22 2020 +0100

auth:creds: Don't include credentials_internal.h twice

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit d7c111514ad53787af5a7084355126dfa34f
Author: Joseph Sutton 
Date:   Mon Mar 22 11:06:30 2021 +1300

netcmd: Fix opening SamDB database for offline backup

When opening the backed-up SamDB database, open the top-level database
without loading any modules so the backend database files aren't
unnecessarily opened. The domain SID is now fetched from the original
database rather than from the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Samuel Cabrero 

commit bb3dcd403ced922574a89011dd3814c4fe87dd76
Author: Samuel Cabrero 
Date:   Thu Mar 18 17:54:33 2021 +0100

netcmd: Workaround issue backing up offline domain with lmdb >= 0.9.26

The LMDB change "ITS#9278 fix robust mutex cleanup for FreeBSD" released
in version 0.9.26 makes samba-tool domain backup offline fail with
the following error:

Failed to connect to 
'mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb'
 with backend 'mdb': Unable to load ltdb cache records for backend 'ldb_mdb 
backend'
module samba_dsdb initialization failed : Operations error
Unable to load modules for /tmp/foo/private/sam.ldb.bak-offline: Unable to 
load ltdb cache records for backend 'ldb_mdb backend'
ERROR(ldb): uncaught exception - Unable to load ltdb cache records for 
backend 'ldb_mdb backend'
  File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 
186, in _run
return self.run(*args, **kwargs)
  File 
"/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", 
line 1147, in run
session_info=system_session(), lp=lp)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", 
line 72, in __init__
options=options)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/__init__.py", 
line 114, in __init__
self.connect(url, flags, options)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", 
line 87, in connect
options=options)

The error occurs opening the backed ldb to write the backup date and the
next SID, a call to pthread_mutex_lock in mdb_txn_renew0 (frame 8) returns
EINVAL:

  #0  0x7ff63c2f1bea in wait4 () from /lib64/libc.so.6
  #1  0x7ff63c26f3a3 in do_system () from /lib64/libc.so.6
  #2  0x7ff63bc71e94 in smb_panic_default (why=0x7ffed481b7d0 "Signal 
6: Aborted") at ../../lib/util/fault.c:153
  #3  0x7ff63bc72168 in smb_panic (why=0x7ffed481b7d0 "Signal 6: 
Aborted") at ../../lib/util/fault.c:200
  #4  0x7ff63bc71c82 in fault_report (sig=6) at 
../../lib/util/fault.c:81
  #5  0x7ff63bc71c97 in sig_fault (sig=6) at ../../lib/util/fault.c:92
  #6  
  #7  0x7ff63c2178b5 in raise () from /lib64/libpthread.so.0
  #8  0x7ff637602e65 in mdb_txn_renew0 (txn=txn@entry=0x55d6f97fb800) 
at mdb.c:2710
  #9  0x7ff637603ae8 in mdb_txn_begin (env=0x55d6f85dfa80, parent=0x0, 
flags=131072, ret=0x55d6f89c0928)
  at mdb.c:2912
  #10 0x7ff6376236cc in lmdb_lock_read (module=0x55d6f8c5f4b0) at 
../../lib/ldb/ldb_mdb/ldb_mdb.c:585
  #11 0x7ff637641de6 in ldb_kv_cache_load (module=0x55d6f8c5f4b0) at 
../../lib/ldb/ldb_key_value/ldb_kv_cache.c:450
  #12 0x7ff637638792 in ldb_kv_init_store (ldb_kv=0x55d6f8af2a80, 
name=0x7ff637625675 "ldb_mdb backend",
  ldb=0x55d6f8cd22b0, options=0x0, _module=0x7ffed481c248) at 
../../lib/ldb/ldb_key_val

[SCM] Samba Shared Repository - branch master updated

2021-03-23 Thread Andrew Bartlett
The branch, master has been updated
   via  17283de8fd9 netcmd: Fix typos in offline domain backup test
   via  05b17c98598 netcmd: Avoid database corruption by opting not to 
create database files during an offline domain backup
   via  09995f780d1 netcmd: Determine which files are to be copied for an 
offline domain backup
   via  f52e6e5345b netcmd: Add test for an offline backup of nested 
directories
   via  542678908ac netcmd: Add test for an offline backup of a directory 
containing hardlinks
  from  447ad461588 man winbind: Remove untrue statement, you can run 
winbind without running nmbd.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 17283de8fd967fbfe68f64b0cacb1e7aadf559fc
Author: Joseph Sutton 
Date:   Tue Mar 16 22:46:02 2021 +1300

netcmd: Fix typos in offline domain backup test

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Autobuild-Date(master): Wed Mar 24 00:46:31 UTC 2021 on sn-devel-184

commit 05b17c98598168b6d74a3f2dd0d9973e3bf407c1
Author: Joseph Sutton 
Date:   Tue Mar 16 22:20:21 2021 +1300

netcmd: Avoid database corruption by opting not to create database files 
during an offline domain backup

If backup dirs contain hardlinks, the backup process could previously
attempt to open an LMDB database already opened during the backup,
causing it to be recreated as a new TDB database. This commit ensures
that new database files are not created during this operation, and that
the main SamDB database is not modified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Date:   Tue Mar 16 16:22:40 2021 +1300

netcmd: Determine which files are to be copied for an offline domain backup

The old behaviour attempted to check for and remove files with duplicate
names, but did not do so due to a bug, and would have left undetermined
which files were given priority when duplicate filenames were present.
Now when hardlinks are present, only one instance of each file is
chosen, with files in the private directory having priority. If one
backup dir is nested inside another, the files contained in the nested
directory are only added once. Additionally, the BIND DNS database is
omitted from the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Date:   Thu Mar 18 10:52:52 2021 +1300

netcmd: Add test for an offline backup of nested directories

This test verifies that when performing an offline backup of a domain
where one of the directories to be backed up is nested inside another,
the contained files are only included once in the backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
Date:   Tue Mar 16 16:13:05 2021 +1300

netcmd: Add test for an offline backup of a directory containing hardlinks

This test verifies that when performing an offline backup of a domain
where the directories to be backed up contain hardlinks, only one
instance of each file is backed up, and that files in the private
directory take precedence.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

[SCM] Samba Shared Repository - branch master updated

2021-03-10 Thread Andrew Bartlett
The branch, master has been updated
   via  65510204d41 smbd: Ensure errno is preserved across fsp destructor
   via  b659ec940c7 python: Disable calls to 
_dsdb_garbage_collect_tombstones without addc
   via  fed09b307f6 samba-tool: Enable pydns without ad dc
   via  a7897cc6cd5 samba-tool: Enable pydsdb without ad dc
   via  e5e39a836ae python: Test samdb import
  from  bb17b4e1bbd ldb: dn tests use cmocka print functions

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 65510204d4123b1825ea57607e84ba50f8ce3baf
Author: Sachin Prabhu 
Date:   Wed Mar 10 12:22:07 2021 +

smbd: Ensure errno is preserved across fsp destructor

The errno can be overwritten by the calls made by the fsp destructor.
This can cause problems if the original errno was required by subsequent
calls.

Signed-off-by: Jeremy Allison 
Signed-off-by: Sachin Prabhu 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 10 22:55:17 UTC 2021 on sn-devel-184

commit b659ec940c7515bc46e3f984be7554cdcdf840a0
Author: David Mulder 
Date:   Thu Dec 3 17:32:09 2020 +

python: Disable calls to _dsdb_garbage_collect_tombstones without addc

dsdb._dsdb_garbage_collect_tombstones isn't
built without the addc, so ignore calls to it
in samdb.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit fed09b307f6fcdf3189a02f34c9a4c1ba243e586
Author: David Mulder 
Date:   Thu Sep 17 13:27:41 2020 -0600

samba-tool: Enable pydns without ad dc

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit a7897cc6cd5ba2df57d354c71b625e98be2a3243
Author: David Mulder 
Date:   Thu Sep 17 13:27:14 2020 -0600

samba-tool: Enable pydsdb without ad dc

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit e5e39a836ae3ae8d8d9d338be67d2299390473be
Author: David Mulder 
Date:   Mon Dec 7 07:39:00 2020 -0700

python: Test samdb import

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/samdb.py|  5 +
 python/samba/tests/{policy.py => imports.py} | 29 +---
 source3/smbd/files.c |  3 +++
 source4/dns_server/wscript_build |  3 +--
 source4/dsdb/pydsdb.c|  4 
 source4/dsdb/wscript_build   |  3 +--
 source4/selftest/tests.py|  4 
 7 files changed, 31 insertions(+), 20 deletions(-)
 copy python/samba/tests/{policy.py => imports.py} (56%)


Changeset truncated at 500 lines:

diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index f95709ab7c8..292bee14da3 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -34,6 +34,7 @@ from samba.dcerpc import drsblobs, misc
 from samba.common import normalise_int32
 from samba.common import get_bytes, cmp
 from samba.dcerpc import security
+from samba import is_ad_dc_built
 import binascii
 
 __docformat__ = "restructuredText"
@@ -1369,6 +1370,10 @@ schemaUpdateNow: 1
 '''garbage_collect_tombstones(lp, samdb, [dn], current_time, 
tombstone_lifetime)
 -> (num_objects_expunged, num_links_expunged)'''
 
+if not is_ad_dc_built():
+raise SamDBError('Cannot garbage collect tombstones: ' \
+'AD DC was not built')
+
 if tombstone_lifetime is None:
 return dsdb._dsdb_garbage_collect_tombstones(self, dn,
  current_time)
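Review bot: the commit message says calls to _dsdb_garbage_collect_tombstones are ignored when the AD DC is not built, but the added guard raises SamDBError instead, so callers now see an exception. Either reword the commit message or mention the exception in the method docstring just above the guard. SamDBError is neither defined nor imported in the visible hunks, so confirm the name resolves in samdb.py; the backslash inside the parenthesised call is also unnecessary.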
diff --git a/python/samba/tests/policy.py b/python/samba/tests/imports.py
similarity index 56%
copy from python/samba/tests/policy.py
copy to python/samba/tests/imports.py
index 4029150c752..727f529ea9d 100644
--- a/python/samba/tests/policy.py
+++ b/python/samba/tests/imports.py
@@ -1,5 +1,5 @@
-# Unix SMB/CIFS implementation.
-# Copyright (C) Jelmer Vernooij  2010
+# Unix SMB/CIFS implementation. Tests for python imports
+# Copyright (C) David Mulder  2020
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -14,21 +14,18 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-
-"""Tests for the libpolicy Python bindings.
-
-"""
-
 from samba.tests import TestCase
-from samba import policy
-
 
-class PolicyTests(TestCase):
+class PyImportsTestCase(TestCase):
+def setUp(self):
+super().setUp()
 
-def test_get_gpo_flags(self):
-self.assertEqual(["GPO_FLAG_USER_DISABLE"],
-  policy.get_gpo_flags(polic

[SCM] Samba Shared Repository - branch master updated

2021-03-10 Thread Andrew Bartlett
The branch, master has been updated
   via  bb17b4e1bbd ldb: dn tests use cmocka print functions
   via  fa933399780 ldb_match: remove redundant check
   via  33a95a1e75b ldb: add tests for ldb_wildcard_compare
   via  cc098f1cad0 ldb_match: trailing chunk must match end of string
  from  d7e620ff41d lib/util: Replace buggy string_sub_talloc() with 
talloc_string_sub() in lib/util

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit bb17b4e1bbd1f03445bb3ef8cfd5f33d5e49bccc
Author: Douglas Bagnall 
Date:   Fri Mar 5 15:49:56 2021 +1300

ldb: dn tests use cmocka print functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall 
Reviewed-by: Björn Jacke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 10 09:51:25 UTC 2021 on sn-devel-184

commit fa93339978040eab52b2722c1716028b48d8d084
Author: Douglas Bagnall 
Date:   Wed Mar 3 19:54:37 2021 +1300

ldb_match: remove redundant check

We already ensure the no-trailing-asterisk case ends at the end of the
string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall 
Reviewed-by: Björn Jacke 
Reviewed-by: Andrew Bartlett 

commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47
Author: Douglas Bagnall 
Date:   Fri Mar 5 15:47:56 2021 +1300

ldb: add tests for ldb_wildcard_compare

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall 
Reviewed-by: Björn Jacke 
Reviewed-by: Andrew Bartlett 

commit cc098f1cad04b2cfec4ddd6b2511cd5a600f31c6
Author: Douglas Bagnall 
Date:   Wed Mar 3 19:17:36 2021 +1300

ldb_match: trailing chunk must match end of string

A wildcard search is divided into chunks by the asterisks. While most
chunks match the first suitable string, the last chunk matches the
last possible string (unless there is a trailing asterisk, in which
case this distinction is moot).

We always knew this in our hearts, but we tried to do it in a funny
complicated way that stepped through the string, comparing here and
there, leading to CVE-2019-3824 and missed matches (bug 14044).

With this patch, we just jump to the end of the string and compare it.
As well as being correct, this should also improve performance, as the
previous algorithm involved a quadratic loop of erroneous memmem()s.

See https://tools.ietf.org/html/rfc4517

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall 
Reviewed-by: Björn Jacke 
Reviewed-by: Andrew Bartlett 
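
The matching rule described in the commit message above (middle chunks take the first occurrence, the trailing chunk is compared against the end of the value), as an added C example that is not code from the commit or from ldb. `struct blob`, `struct substring_filter`, `make_blob`, `find_bytes` and `substring_match` are names invented for the example, and the inputs in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example; not ldb's struct ldb_val or parse tree. */
struct blob {
	const unsigned char *data;
	size_t length;
};

struct substring_filter {
	bool start_with_wildcard;	/* pattern begins with '*' */
	bool end_with_wildcard;		/* pattern ends with '*' */
	size_t num_chunks;
	struct blob chunks[4];		/* the pieces between the asterisks */
};

static struct blob make_blob(const char *bytes, size_t length)
{
	struct blob b = { (const unsigned char *)bytes, length };
	return b;
}

/* Length-bounded search: values may be binary, so no str*() calls. */
static const unsigned char *find_bytes(struct blob hay, struct blob needle)
{
	size_t i;

	if (needle.length == 0 || needle.length > hay.length) {
		return NULL;
	}
	for (i = 0; i <= hay.length - needle.length; i++) {
		if (memcmp(hay.data + i, needle.data, needle.length) == 0) {
			return hay.data + i;
		}
	}
	return NULL;
}

/* Returns true when val satisfies the substring filter f. */
static bool substring_match(const struct substring_filter *f, struct blob val)
{
	size_t c;

	for (c = 0; c < f->num_chunks; c++) {
		struct blob cnk = f->chunks[c];
		bool is_last = (c + 1 == f->num_chunks);
		const unsigned char *p;
		size_t used;

		/* An empty or over-long chunk can never match what is left. */
		if (cnk.length == 0 || cnk.length > val.length) {
			return false;
		}
		if (c == 0 && !f->start_with_wildcard) {
			/* Leading chunk with no '*' before it: must be a prefix. */
			if (memcmp(val.data, cnk.data, cnk.length) != 0) {
				return false;
			}
			used = cnk.length;
		} else if (is_last && !f->end_with_wildcard) {
			/* Trailing chunk: jump to the end and compare once. */
			p = val.data + val.length - cnk.length;
			return memcmp(p, cnk.data, cnk.length) == 0;
		} else {
			/* Middle chunk: take the first occurrence. */
			p = find_bytes(val, cnk);
			if (p == NULL) {
				return false;
			}
			used = (size_t)(p - val.data) + cnk.length;
		}
		/* Later chunks may only use the bytes after this one. */
		val.data += used;
		val.length -= used;
	}
	/* With no trailing '*', nothing may be left over. */
	return f->end_with_wildcard || val.length == 0;
}

int main(void)
{
	/* Constructed input: the filter a*b against values that repeat "b". */
	struct substring_filter f = {
		false, false, 2, { { (const unsigned char *)"a", 1 },
				   { (const unsigned char *)"b", 1 } }
	};

	printf("a*b vs abab: %d\n", substring_match(&f, make_blob("abab", 4)));
	printf("a*b vs abcd: %d\n", substring_match(&f, make_blob("abcd", 4)));
	return 0;
}
```

The `abab` case is the kind of value a first-occurrence search for the trailing chunk gets wrong: the first `b` is not at the end, but the value still matches `a*b`.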

---

Summary of changes:
 lib/ldb/common/ldb_match.c |  82 +++--
 lib/ldb/tests/ldb_match_test.c | 134 ++---
 lib/ldb/tests/test_ldb_dn.c|   5 +-
 3 files changed, 161 insertions(+), 60 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_match.c b/lib/ldb/common/ldb_match.c
index 829afa77e71..2f4d41f3441 100644
--- a/lib/ldb/common/ldb_match.c
+++ b/lib/ldb/common/ldb_match.c
@@ -295,8 +295,9 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
uint8_t *p;
 
chunk = tree->u.substring.chunks[c];
-   if(a->syntax->canonicalise_fn(ldb, ldb, chunk, ) != 0) goto 
mismatch;
-
+   if(a->syntax->canonicalise_fn(ldb, ldb, chunk, ) != 0) {
+   goto mismatch;
+   }
/*
 * Empty strings are returned as length 0. Ensure
 * we can cope with this.
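Review bot: the rewritten canonicalise_fn call keeps `if(` without a space, while the check this patch adds in the next hunk is written `if (cnk.length > val.length) {`. As the line is being reformatted to add braces anyway, make it `if (` so both checks in the loop read the same.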
@@ -304,56 +305,43 @@ static int ldb_wildcard_compare(struct ldb_context *ldb,
if (cnk.length == 0) {
goto mismatch;
}
-   /*
-* Values might be binary blobs. Don't use string
-* search, but memory search instead.
-*/
-   p = memmem((const void *)val.data,val.length,
-  (const void *)cnk.data, cnk.length);
-   if (p == NULL) goto mismatch;
-
-   /*
-* At this point we know cnk.length <= val.length as
-* otherwise there could be no match
-*/
+   if (cnk.length > val.length) {
+   goto mismatch;
+   }
 
-   if ( (! tree->u.substring.chunks[c + 1]) && (! 
tree->u.substring.end_with_wildcard) ) {
-   uint8_t *g;
-   uint8_t *end = val.data + val.length;
-   do { /* greedy */
-
-   /*
-*

[SCM] Samba Shared Repository - branch master updated

2021-02-28 Thread Andrew Bartlett
The branch, master has been updated
   via  1c3e7f0f4de Suggest running './configure' rather than 'waf 
configure'.
   via  309c81e7e2a daemons: Do not notify systemd in child processes 
started by main samba
   via  65f21ed5e46 lib:util: Move variable initialization out of 
conditional compilation block
   via  f13b1da0466 test: samba-tool user show: Test 
';format=[GeneralizedTime,UnixTime,TimeSpec] attributes
   via  c6a570004d9 samba-tool user: add 
';format=[GeneralizedTime,UnixTime,TimeSpec]' support in "samba-tool user show"
   via  4d0491324a6 samba-tool user: add 
';format=[GeneralizedTime,UnixTime,TimeSpec]' support
   via  98ee82d4fc8 samba-tool user: use an implicit_attrs list instead of 
add_ATTR variables
   via  06851084cac pyglue: add float2nttime() and nttime2float()
   via  71e8b24b8a0 pyldb: catch potential overflow error in py_timestring
   via  fdc44a14e47 samba-tool user: use remote domain information
   via  26f63e648ae samba-tool user: fix some typos
   via  3174c6dd418 s4:dsdb/dirsync: fix a typo in a comment
   via  485743dac38 s3:libsmb: fix a typo in a comment
   via  bb00979c081 selftest: fix typos in README files
  from  d6ddb8aa2a9 vfs: update status of SMB_VFS_LISTXATTR

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1c3e7f0f4de105abfde74778bfea9d5cc9be8c8e
Author: Jelmer Vernooij 
Date:   Sat Feb 27 16:49:38 2021 +

Suggest running './configure' rather than 'waf configure'.

waf actively discourages system-wide waf installs, so the latter is unlikely
to work.

Signed-off-by: Jelmer Vernooij 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar  1 04:56:15 UTC 2021 on sn-devel-184

commit 309c81e7e2a124982cf1ab961070f7c0420b5ae7
Author: Samuel Cabrero 
Date:   Fri Feb 26 10:36:02 2021 +0100

daemons: Do not notify systemd in child processes started by main samba

When samba runs as ADDC only the main 'samba' daemon has to notify
its status to systemd because our systemd unit files contain implied
NotifyAccess=main since commit d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc.

This commit adds a function to disable the systemd notification in the
smbd and winbindd child processes started by the main 'samba' daemon in
AD DC mode to avoid warnings like:

systemd[1]: samba-ad-dc.service: Got notification message from PID 26194,
but reception only permitted for main PID 26187
systemd[1]: samba-ad-dc.service: Got notification message from PID 26222,
but reception only permitted for main PID 26187

$ pstree -p
...

├─samba(26187)─┬─tfork(26189)(26188)───s3fs[master](26189)───tfork(26194)(26193)───smbd(26194)─┬─cleanupd(+
│              │                                                                               ├─lpqd(2623+
│              │                                                                               └─smbd-noti+
│              ├─tfork(26191)(26190)───rpc[master](26191)─┬─tfork(26198)(26195)───rpc(0)(26198)
│              │                                          ├─tfork(26200)(26199)───rpc(1)(26200)
│              │                                          ├─tfork(26206)(26201)───rpc(2)(26206)
│              │                                          └─tfork(26212)(26207)───rpc(3)(26212)
│              ├─tfork(26196)(26192)───nbt[master](26196)
│              ├─tfork(26202)(26197)───wrepl[master](26202)
│              ├─tfork(26204)(26203)───ldap[master](26204)─┬─tfork(26242)(26241)───ldap(0)(26242)
│              │                                           ├─tfork(26244)(26243)───ldap(1)(26244)
│              │                                           ├─tfork(26246)(26245)───ldap(2)(26246)
│              │                                           └─tfork(26248)(26247)───ldap(3)(26248)
│              ├─tfork(26208)(26205)───cldap[master](26208)
│              ├─tfork(26210)(26209)───kdc[master](26210)───tfork(26218)(26215)───krb5kdc(26218)
│              ├─tfork(26213)(26211)───drepl[master](26213)
│              ├─tfork(26216)(26214)───winbindd[master(26216)───tfork(26222)(26219)───winbindd(26222)───wi+
│              ├─tfork(26220)(26217)───ntp_signd[maste(26220)
│              ├─tfork(26223)(26221)───kcc[master](26223)
│              ├─tfork(26225)(26224)───dnsupdate[maste(26225)
│              └─tfork(26227)(26226)───dns[master](26227)

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 65f21ed5e463770ddb9d595de5e5e7047b3884ef
Author: Samuel Cabrero 
Date:   Thu Feb 25 17:13:46 2021 +0100

lib:util: Move variable initialization out of conditional compilation block

Signed-off-by: Samu

[SCM] Samba Shared Repository - branch master updated

2021-02-08 Thread Andrew Bartlett
The branch, master has been updated
   via  1691cd7738b s3:testparm: Warn about 'server schannel = no'
   via  20f0a3b1098 pam_winbind: improve pam message if minimum password 
age strikes
  from  7fe39391c05 vfs: update status of SMB_VFS_LINKAT()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1691cd7738b89bec284646bc81f338d8027bfc79
Author: Andreas Schneider 
Date:   Mon Feb 8 09:48:16 2021 +0100

s3:testparm: Warn about 'server schannel = no'

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Feb  9 03:08:42 UTC 2021 on sn-devel-184

commit 20f0a3b10981873dde5c1bc76d7f3a26acc605da
Author: Björn Jacke 
Date:   Wed Jan 27 21:14:43 2021 +0100

pam_winbind: improve pam message if minimum password age strikes

If minimum password age strikes we should output the next possible password
change time and not other password restriction policies.

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 nsswitch/pam_winbind.c   | 9 ++---
 source3/utils/testparm.c | 7 +++
 2 files changed, 13 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index aee45bfe9bc..ffbad91861f 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -637,7 +637,7 @@ static const struct ntstatus_errors {
{"NT_STATUS_PWD_TOO_SHORT",
N_("Password too short")},
{"NT_STATUS_PWD_TOO_RECENT",
-   N_("The password of this user is too recent to change")},
+   N_("The password was recently changed and cannot be changed 
again before %s")},
{"NT_STATUS_PWD_HISTORY_CONFLICT",
N_("Password is already in password history")},
{"NT_STATUS_PASSWORD_EXPIRED",
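Review bot: the NT_STATUS_PWD_TOO_RECENT entry in ntstatus_errors now contains a %s conversion, so it can no longer be shown as a plain string. Any caller that looks this entry up and displays it without supplying an argument (the PAM_WB_REMARK_DIRECT call removed in the next hunk is that pattern) would print a literal %s or, if the text reaches a printf-style function, read an argument that was never passed. Please confirm that no other path can reach this entry, or keep the table text argument-free and build the dated message at the call site.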
@@ -2049,8 +2049,11 @@ static int winbind_chauthtok_request(struct pwb_context 
*ctx,
case WBC_PWD_CHANGE_NO_ERROR:
if ((min_pwd_age > 0) &&
(pwd_last_set + min_pwd_age > time(NULL))) {
-   PAM_WB_REMARK_DIRECT(ctx,
-"NT_STATUS_PWD_TOO_RECENT");
+   time_t next_change = pwd_last_set + 
min_pwd_age;
+   _make_remark_format(ctx, PAM_ERROR_MSG,
+   
_get_ntstatus_error_string("NT_STATUS_PWD_TOO_RECENT"),
+   ctime(_change));
+   goto done;
}
break;
case WBC_PWD_CHANGE_PASSWORD_TOO_SHORT:
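Review bot: in the WBC_PWD_CHANGE_NO_ERROR branch the date is formatted with ctime(), whose result ends in a newline and lives in a static buffer, so the remark carries a trailing line break and the call is unsafe when the application that loaded the PAM module is threaded. Formatting with localtime_r() and strftime() into a local buffer avoids both problems. The new goto done also leaves the switch early, so please check that ret already holds the intended PAM error code at that point.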
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 2d717f19756..e870104a2c5 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -525,6 +525,13 @@ static int do_global_checks(void)
ret = 1;
}
 
+   if (!lp_server_schannel()) {
+   fprintf(stderr,
+   "WARNING: You have configured 'server schannel = no'. "
+   "Your server is vulernable to \"ZeroLogon\" "
+   "(CVE-2020-1472)\n\n");
+   }
+
return ret;
 }
 
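Review bot: the condition in do_global_checks() is !lp_server_schannel(), which is true only when the parameter evaluates to zero, so if 'server schannel' can be set to another non-enforcing value such as 'auto', that configuration passes without a warning even though secure channel is still not required. Consider warning for every value other than the enforcing one. The message text also misspells "vulnerable" as "vulernable", and because ret is left unchanged testparm still exits successfully; a short comment saying that this is intended would help.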


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2021-02-02 Thread Andrew Bartlett
The branch, master has been updated
   via  da627106cdb dbcheck: Check Deleted Objects and reduce noise in 
reports about expired tombstones
   via  1ec1c35a3ae selftest: Confirm that we fix any errors on the Deleted 
Objects container itself
   via  144b32ae01f s4:kdc:mit: Fix heap-use-after-free
   via  12ca2e37b75 selftest: Fix libasan preload
  from  4f80f5f9046 s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon 
struct when temporarily swapping out a connection on a cli_state.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit da627106cdbf8d375b25fa3338a717447f3dbb6e
Author: Andrew Bartlett 
Date:   Thu Dec 10 16:03:49 2020 +1300

dbcheck: Check Deleted Objects and reduce noise in reports about expired 
tombstones

These reports (about recently deleted objects)
create concern about a perfectly normal part of DB operation.

We must not operate on objects that are expired or we might reanimate them,
but we must fix "Deleted Objects" if it is wrong (mostly it is set as being
deleted in , but in alpha19 we got this wrong).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Feb  3 05:29:11 UTC 2021 on sn-devel-184

commit 1ec1c35a3ae422720df491fc9bc787c9944c
Author: Andrew Bartlett 
Date:   Fri Dec 11 15:37:04 2020 +1300

selftest: Confirm that we fix any errors on the Deleted Objects container 
itself

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 144b32ae01fb388865737d6c92fd77fe0cecad81
Author: Andreas Schneider 
Date:   Tue Feb 2 09:29:14 2021 +0100

s4:kdc:mit: Fix heap-use-after-free

We need to duplicate the string as lp_load() will free the s4_conf_file
pointer and set it again.

Found with AddressSanitizer.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 12ca2e37b753db1f39a16f3c6f8c7260abde9085
Author: Andreas Schneider 
Date:   Tue Feb 2 09:17:17 2021 +0100

selftest: Fix libasan preload

libasan.so needs to be the first library which is preloaded or it won't
work.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/dbchecker.py  | 25 +-
 selftest/selftest.pl   |  2 +-
 source4/kdc/mit_samba.c| 10 +++--
 ...cted-dbcheck-link-output-lost-deleted-user3.txt | 16 +++---
 testprogs/blackbox/dbcheck-links.sh|  2 +-
 testprogs/blackbox/dbcheck-oldrelease.sh   | 12 +++
 6 files changed, 54 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 364dc9427d7..d10d765434c 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -1816,6 +1816,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
 # old static provision dumps
 return False
 
+if dn in self.deleted_objects_containers:
+# The Deleted Objects container will look like an expired
+# tombstone
+return False
+
 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob, repl_val)
 
 isDeleted = self.find_repl_attid(repl, drsuapi.DRSUAPI_ATTID_isDeleted)
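Review bot: the new early return relies on "dn in self.deleted_objects_containers" matching, which only holds if dn and the stored entries have the same type and the same normalised form; a mismatch would silently send the container down the expired-tombstone path this change is meant to avoid. Please state in the comment what the list holds and why returning False (continue with the normal checks) is the right result for the container.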
@@ -1829,7 +1834,25 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
 if delta <= tombstone_delta:
 return False
 
-self.report("SKIPING: object %s is an expired tombstone" % dn)
+expunge_time = delete_time + tombstone_delta
+
+delta_days = delta / (24 * 60 * 60)
+
+if delta_days <= 2:
+self.report("SKIPPING additional checks on object "
+"%s which very recently "
+"became an expired tombstone (normal)" % dn)
+self.report("INFO: it is expected this will be expunged "
+"by the next daily task some time after %s, "
+"%d hours ago"
+% (time.ctime(expunge_time), delta // (60 * 60)))
+else:
+self.report("SKIPPING: object %s is an expired tombstone" % dn)
+self.report("INFO: it was expected this object would have "
+"been expunged soon after"
+"%s, %d days ago"
+% (time.ctime(expunge_tim
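Review bot: the "delta_days <= 2" branch looks unreachable in normal use. The context line above returns when delta <= tombstone_delta, so at this point delta already exceeds the tombstone lifetime, and delta_days (delta converted to days) can be 2 or less only when that lifetime is itself under two days. If the intent is "expired within the last two days", compare the time past expunge_time (delta - tombstone_delta) instead, and use that same difference for the "%d hours ago" figure, which is currently computed from delta. Separately, "been expunged soon after" is concatenated directly with "%s, %d days ago", so the report reads "soon after" followed immediately by the date with no space.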

[SCM] Samba Shared Repository - branch master updated

2020-12-16 Thread Andrew Bartlett
The branch, master has been updated
   via  8004cf7a4af pep8 tidy up config
   via  1ed461a142f tests python krb5: initial TGS tests
   via  0f232ed42fb tests python krb5: add test base class
   via  d74c9dcf3aa tests python krb5: Add Authorization data ad-type 
constants
  from  93c576dae4a auth:creds: Add cli_credentials_dump()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8004cf7a4aff8f5a8615bc68c0e61d5bd5de039b
Author: Gary Lockyer 
Date:   Wed Dec 16 10:56:22 2020 +1300

pep8 tidy up config

Enable the following warnings:

E126: continuation line over-indented for hanging indent
E131: continuation line unaligned for hanging indent
E203: whitespace before ':'
E221: multiple spaces before operator
E501: line too long
E722: do not use bare 'except'

These were originally chosen so that as much of the existing samba code
passed, with the intention of integrating PEP8 checking into the build
process.  But the PEP8 output does not integrate into the known fail
mechanism, so this approach was abandoned.

setup.cfg is the default PEP8 config file; having these exceptions
enabled means that new code can be added with those issues. Also tools
like pyls (python language server) use setup.cfg.

Disable the following warnings:

E402: module level import not at top of file
  Samba has a significant amount of code setting
  sys.path.insert(0, "bin/python")
W503: Line break before binary operator
  We need to have a preference, and PEP8 expresses a weak preference
  for disabling 503

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Dec 17 00:54:51 UTC 2020 on sn-devel-184

commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e
Author: Gary Lockyer 
Date:   Mon Nov 30 14:19:15 2020 +1300

tests python krb5: initial TGS tests

Initial tests on the KDC TGS

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 0f232ed42fb2671d025643cafb19891373562e4a
Author: Gary Lockyer 
Date:   Mon Nov 30 14:16:28 2020 +1300

tests python krb5: add test base class

Add a base class for the KDC tests to reduce the amount of code
duplication in the tests.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit d74c9dcf3aaa613abfac49288f427484468bf6e1
Author: Gary Lockyer 
Date:   Thu Dec 10 10:15:28 2020 +1300

tests python krb5: Add Authorization data ad-type constants

Add constants for the Authorization Data Type values.
RFC 4120 7.5.4.  Authorization Data Types

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/kdc_base_test.py | 418 +++
 python/samba/tests/krb5/kdc_tgs_tests.py | 210 ++
 python/samba/tests/krb5/rfc4120_constants.py |  16 +
 python/samba/tests/usage.py  |   2 +
 selftest/knownfail_mit_kdc   |   5 +
 setup.cfg|  12 +-
 source4/selftest/tests.py|   3 +
 7 files changed, 658 insertions(+), 8 deletions(-)
 create mode 100644 python/samba/tests/krb5/kdc_base_test.py
 create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
new file mode 100644
index 000..1a823d173e3
--- /dev/null
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -0,0 +1,418 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+from collections import namedtuple
+from ldb import SCOPE_BASE
+from samba import generate_random_password
+from samba.auth import system_session
+from samba.credentials import Credentials
+from samba

[SCM] Samba Shared Repository - branch master updated

2020-11-29 Thread Andrew Bartlett
The branch, master has been updated
   via  7f7e2b0e1e1 tests python krb5: Extra canonicalization tests
  from  369c1d53983 vfs_glusterfs: print exact cmdline for disabling 
write-behind translator

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd
Author: Gary Lockyer 
Date:   Wed Nov 18 14:49:28 2020 +1300

tests python krb5: Extra canonicalization tests

Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ.  This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184

---

Summary of changes:
 .../samba/tests/krb5/as_canonicalization_tests.py  | 74 +++--
 selftest/knownfail.d/kdc-enterprise| 26 ++
 selftest/knownfail_mit_kdc | 96 ++
 3 files changed, 172 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py 
b/python/samba/tests/krb5/as_canonicalization_tests.py
index 303788b672e..6ea3ff0491e 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -56,7 +56,8 @@ class TestOptions(Enum):
 NetbiosRealm  =  16
 UPN   =  32
 RemoveDollar  =  64
-Last  = 128
+AsReqSelf = 128
+Last  = 256
 
 def is_set(self, x):
 return self.value & x
@@ -76,8 +77,8 @@ class TestData:
 def __init__(self, options, creds):
 self.options = options
 self.user_creds = creds
-self.user_name = self.get_username(options, creds)
-self.realm = self.get_realm(options, creds)
+self.user_name = self._get_username(options, creds)
+self.realm = self._get_realm(options, creds)
 
 if TestOptions.Enterprise.is_set(options):
 client_name_type = NT_ENTERPRISE_PRINCIPAL
@@ -86,11 +87,14 @@ class TestData:
 
 self.cname = RawKerberosTest.PrincipalName_create(
 name_type=client_name_type, names=[self.user_name])
-self.sname = RawKerberosTest.PrincipalName_create(
-name_type=NT_SRV_INST, names=["krbtgt", self.realm])
+if TestOptions.AsReqSelf.is_set(options):
+self.sname = self.cname
+else:
+self.sname = RawKerberosTest.PrincipalName_create(
+name_type=NT_SRV_INST, names=["krbtgt", self.realm])
 self.canonicalize = TestOptions.Canonicalize.is_set(options)
 
-def get_realm(self, options, creds):
+def _get_realm(self, options, creds):
 realm = creds.get_realm()
 if TestOptions.NetbiosRealm.is_set(options):
 realm = creds.get_domain()
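Review bot: in the AsReqSelf branch "self.sname = self.cname" makes both attributes refer to the same PrincipalName object, so a later in-place change to one silently changes the other. Building a second value with PrincipalName_create(name_type=client_name_type, names=[self.user_name]) keeps them independent. A one-line comment that sname deliberately takes the client name type, including NT_ENTERPRISE_PRINCIPAL when Enterprise is set, would also help anyone reading check_sname().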
@@ -100,7 +104,7 @@ class TestData:
 realm = realm.lower()
 return realm
 
-def get_username(self, options, creds):
+def _get_username(self, options, creds):
 name = creds.get_username()
 if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"):
 name = name[:-1]
@@ -135,6 +139,9 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
 if ct != CredentialsType.Machine and\
 TestOptions.RemoveDollar.is_set(options):
 return True
+if ct != CredentialsType.Machine and\
+TestOptions.AsReqSelf.is_set(options):
+return True
 return False
 
 def build_test_name(ct, options):
@@ -448,26 +455,45 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
 
 def check_sname(self, sname, data):
 nt = sname['name-type']
-self.assertEqual(
-NT_SRV_INST,
-nt,
-"sname name-type, Options {0:08b}".format(data.options))
-
 ns = sname['name-string']
 name = ns[0].decode('ascii')
-self.assertEqual(
-'krbtgt',
-name,
-"sname principal, Options {0:08b}".format(data.options))
 
-realm = ns[1].decode('ascii')
-expected = data.realm
-if TestOptions.Canonicalize.is_set(data.options):
-expected = data.user_creds.get_realm().upper()
-self.assertEqual(
-expected,
-realm,
-"sname realm, Options {0:08b}".format(data.options))
+if TestOptions.AsReqSelf.is_set(data.options):
+expected_name_type = NT_PRINCIPAL
+if not TestOptions.Canonicalize.is_set(data.options)\
+   and TestOptions.Enterp

[SCM] Samba Shared Repository - branch master updated

2020-11-16 Thread Andrew Bartlett
The branch, master has been updated
   via  6ac16232de7 autobuild: Encode text/plain into base64 to wrap 
long-lines
  from  7bd040f60a0 libsmb: Remove unused sync cli_smb2_rename()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6ac16232de7c577c081f15759cab65fdef06ba55
Author: SATOH Fumiyasu 
Date:   Tue Nov 10 17:15:42 2020 +0900

autobuild: Encode text/plain into base64 to wrap long-lines

MIMEText(text, 'plain', 'utf-8') encodes the text into
base64 and adds 'Content-Transfer-Encoding: base64' header.

Signed-off-by: SATOH Fumiyasu 
Reviewed-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov 16 22:43:35 UTC 2020 on sn-devel-184

---

Summary of changes:
 script/autobuild.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/script/autobuild.py b/script/autobuild.py
index 24baa0fa9f2..a76309df8a2 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -1112,7 +1112,7 @@ def send_email(subject, text, log_tar):
 outer['From'] = options.email_from
 outer['Date'] = email.utils.formatdate(localtime=True)
 outer.preamble = 'Autobuild mails are now in MIME because we optionally 
attach the logs.\n'
-outer.attach(MIMEText(text, 'plain'))
+outer.attach(MIMEText(text, 'plain', 'utf-8'))
 if options.attach_logs:
 with open(log_tar, 'rb') as fp:
 msg = MIMEApplication(fp.read(), 'gzip', 
email.encoders.encode_base64)
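Review bot: the added 'utf-8' argument in send_email() is there for its effect on the transfer encoding, which the line itself does not show. Per the commit message it makes MIMEText emit base64 so long lines are wrapped; please add a one-line comment saying so next to the call, otherwise a later cleanup is likely to drop the argument as redundant and bring the long-line problem back.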


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-11-12 Thread Andrew Bartlett
The branch, master has been updated
   via  2ba6d596ff0 tests python krb5: add arcfour salt tests
   via  d492355f293 tests python krb5: refactor compatability tests
   via  a00a1c97450 tests python krb5: Convert kdc-heimdal to python
   via  1bab87c50ba tests python krb5: raw_testcase permit RC4 salts
   via  82a413f48b7 tests python krb5: Refactor compatability test constants
   via  97b830cbcac tests python krb5: Refactor canonicalization test 
constants
   via  532c941fbb8 tests python krb5: Add constants module
  from  e9e06a11daf vfs_shadow_copy2: Preserve all open flags assuming ROFS

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77
Author: Gary Lockyer 
Date:   Tue Nov 10 16:57:11 2020 +1300

tests python krb5: add arcfour salt tests

MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption is selected,
Heimdal does not.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184

commit d492355f293e2da400318665035b056dfaba852c
Author: Gary Lockyer 
Date:   Tue Nov 10 16:56:46 2020 +1300

tests python krb5: refactor compatability tests

Refactor to aid the adding of tests for the inclusion of a salt when
ARCFOUR_HMAC_MD5 encryption is selected

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit a00a1c9745033dae05eee17cfa4e2c5354a81e68
Author: Gary Lockyer 
Date:   Fri Nov 6 09:07:04 2020 +1300

tests python krb5: Convert kdc-heimdal to python

Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
   TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
   TORTURE_KRB5_TEST_CHANGE_SERVER_IN
   TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e
Author: Gary Lockyer 
Date:   Tue Nov 10 13:51:39 2020 +1300

tests python krb5: raw_testcase permit RC4 salts

MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
the check that a salt is not returned.  A test for the difference
between MIT and Heimdal will be added in the subsequent commits.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974
Author: Gary Lockyer 
Date:   Tue Nov 10 11:20:58 2020 +1300

tests python krb5: Refactor compatability test constants

Modify tests to use the constants defined in rfc4120_constants.py

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 97b830cbcac53fcf49bbcd272812d1ba019bac51
Author: Gary Lockyer 
Date:   Tue Nov 10 11:20:03 2020 +1300

tests python krb5: Refactor canonicalization test constants

Modify tests to use the constants defined in rfc4120_constants.py

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7
Author: Gary Lockyer 
Date:   Tue Nov 10 11:19:02 2020 +1300

tests python krb5: Add constants module

Extract the constants used in the tests into a separate module,
to reduce code duplication.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 .../samba/tests/krb5/as_canonicalization_tests.py  |  30 +--
 python/samba/tests/krb5/compatability_tests.py |  76 +--
 python/samba/tests/krb5/kdc_tests.py   | 219 +
 python/samba/tests/krb5/raw_testcase.py|   1 -
 python/samba/tests/krb5/rfc4120_constants.py   |  49 +
 python/samba/tests/usage.py|   2 +
 source4/selftest/tests.py  |   1 +
 7 files changed, 333 insertions(+), 45 deletions(-)
 create mode 100755 python/samba/tests/krb5/kdc_tests.py
 create mode 100644 python/samba/tests/krb5/rfc4120_constants.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py 
b/python/samba/tests/krb5/as_canonicalization_tests.py
index caa186bed41..303788b672e 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -41,6 +41,7 @@ from samba.dsdb import (
 UF_NORMAL_ACCOUNT)
 from samba.samdb import SamDB
 from samba.tests import delete_force, DynamicTestCase
+from samba.tests.krb5.rfc4120_constants import *
 
 global_asn1_print = False
 global_hexdump = False
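Review bot: "from samba.tests.krb5.rfc4120_constants import *" hides which names this test depends on and lets any constant added to that module later shadow a local name. Importing the needed constants explicitly (NT_PRINCIPAL, NT_SRV_INST, NT_ENTERPRISE_PRINCIPAL and the others the file uses), or defining __all__ in the constants module, keeps static checkers able to flag undefined names.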
@@ -123,35 +124,6 @@ class TestData:
 MACHINE_NAME = "tstkrb5cnnmch"
 USER_NAME= "tstkrb5cnnu

[SCM] Samba Shared Repository - branch master updated

2020-11-10 Thread Andrew Bartlett
The branch, master has been updated
   via  18fdfe8c102 winbind: alternatively use prama fini for destructors 
if supported
   via  f13e1ca54a2 talloc: alternatively use prama init for constructors 
if supported
   via  c32eb006108 waf: check for pragma init/fini support for 
constructors/destructors
   via  37b81f91168 util_net: fix a statement not reached warning
   via  c305ab07709 ldb_parse_test: studio compiler doesn't like empty 
struct definitions
   via  918317124ac ldb_key_value_test: studio compiler doesn't like empty 
struct definitions
   via  c862ad64aea ldb_kv_index: fix empty initializer compile warning
   via  e4f3354821a torture/sharemode: fix empty initializer compile warning
   via  aa8d6c779ca pidl: use unused attribute only if supported by feature 
macro
   via  3c1013caf4b tdb: fix studio compiler build
   via  268fcfdd5aa talloc/pytalloc: fix studio compler build
   via  6b855429b96 talloc: fix studio compiler build
   via  cce4e8012c5 auth_generic: fix empty initializer compile warning
   via  a4e90cfec49 http_conn.c: fix "void function cannot return value" 
error
   via  bbfd93f7b63 debug: remove a cast, which makes the Solaris Studio 
compiler unhappy
   via  a223c5b5b7f waf: use _POSIX_PTHREAD_SEMANTIC on Solaris
   via  104b3545e08 heimdal_build: silence warning: macro redefined
   via  edb1012536e replace: define BOOL_DEFINED to fix header yp_prot 
header check on Solaris
   via  b9e8959c3d5 waf/texpect: add required nsl dependency for Solaris
   via  96e2cf7905e replace/waf: fix libnsl checking on Solaris
  from  be03ce7d8bb manpages/vfs_glusterfs: Mention silent skipping of 
write-behind translator

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 18fdfe8c10291e04b6a54499d74a6ee15652f5db
Author: Björn Jacke 
Date:   Fri Oct 30 12:59:06 2020 +0100

winbind: alternatively use prama fini for destructors if supported

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov 10 08:17:53 UTC 2020 on sn-devel-184

commit f13e1ca54a2a448dd87809496e4b6da5af1589e8
Author: Björn Jacke 
Date:   Fri Oct 30 12:57:42 2020 +0100

talloc: alternatively use prama init for constructors if supported

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit c32eb006108c69a99c651e11a0a4160359e52145
Author: Björn Jacke 
Date:   Fri Oct 30 12:55:54 2020 +0100

waf: check for pragma init/fini support for constructors/destructors

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 37b81f9116825e0fc0fcd62aa957655fe5c83f19
Author: Björn Jacke 
Date:   Mon Oct 26 11:30:06 2020 +0100

util_net: fix a statement not reached warning

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit c305ab07709bcb5eba11568ac2fd625410f441e2
Author: Björn Jacke 
Date:   Mon Oct 26 12:49:05 2020 +0100

ldb_parse_test: studio compiler doesn't like empty struct definitions

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 918317124acbb4b0f0d12eeeae79eafdfddaa49c
Author: Björn Jacke 
Date:   Sun Oct 25 17:13:57 2020 +0100

ldb_key_value_test: studio compiler doesn't like empty struct definitions

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit c862ad64aea31d1d5ec66385bb50d9b97e609071
Author: Björn Jacke 
Date:   Mon Oct 19 02:39:46 2020 +0200

ldb_kv_index: fix empty initializer compile warning

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit e4f3354821a919ec60eb3af55709e7055513cc24
Author: Björn Jacke 
Date:   Mon Oct 19 02:35:02 2020 +0200

torture/sharemode: fix empty initializer compile warning

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit aa8d6c779ca89d6be1c8b973d3ea60e6073bf899
Author: Björn Jacke 
Date:   Mon Oct 19 02:03:02 2020 +0200

pidl: use unused attribute only if supported by feature macro

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 3c1013caf4b57c6af5a5d210df232c08a1227a17
Author: Björn Jacke 
Date:   Thu Mar 7 12:50:29 2019 +0100

tdb: fix studio compiler build

Solaris Studio compiler 12.4 is pedantic about prototypes in headers having
the external visibility declarations too. It throws errors like:

redeclaration must have the same or more restrictive linker scoping: ...

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 

commit 268fcfdd5aa3adbcd6486090ee56aad6e6902a12
Author: Björn Jacke 
Date:   Sun Oct 18 21:55:22 2020 +0200

talloc/pytalloc: fix studio compler build

Solaris Studio compiler 12.4 is pedantic about prototypes in headers having
the external visibility declarations too. It throws e

[SCM] Samba Shared Repository - branch master updated

2020-11-08 Thread Andrew Bartlett
The branch, master has been updated
   via  e5e1759057a s3: spoolss: Make parameters in call to user_ok_token() 
match all other uses.
   via  1e1d8b9c83f tests python krb5: Add python kerberos compatability 
tests
   via  5cb5134377f selftest: add heimdal kdc specific known fail
   via  a5052c73c3f lib: talloc: More tests for realloc when used with 
memlimited pools
   via  4566ee91b8c lib: talloc: Fix memlimit on pool realloc.
   via  30a8bea8a34 lib: talloc: Add more debugging text for existing 
memlimit + pool tests
   via  6e0aab0b403 lib: talloc: Fix pool object accounting when doing 
talloc_realloc() in the ALWAYS_REALLOC compiled case.
   via  86eb6423bdc lib: talloc: Cleanup. Use consistent preprocessor logic 
macros.
  from  710196f0cc5 doc: improve --with-shared-modules documentation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e5e1759057a767f517bf480a2172a36623df2799
Author: Jeremy Allison 
Date:   Thu Nov 5 15:48:08 2020 -0800

s3: spoolss: Make parameters in call to user_ok_token() match all other 
uses.

We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to 
uidtoname(p->session_info->unix_token->uid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov  9 04:10:45 UTC 2020 on sn-devel-184

commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e
Author: Gary Lockyer 
Date:   Wed Nov 4 13:58:24 2020 +1300

tests python krb5: Add python kerberos compatability tests

Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 5cb5134377f099353e0f91c44cc11e45d548d40f
Author: Gary Lockyer 
Date:   Wed Nov 4 13:54:46 2020 +1300

selftest: add heimdal kdc specific known fail

Add a heimdal kerberos specific known fail, will be needed by subsequent
commits.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit a5052c73c3ffdca6b30194223e69a26430f3f989
Author: Arran Cudbard-Bell 
Date:   Tue Oct 20 14:12:17 2020 -0500

lib: talloc: More tests for realloc when used with memlimited pools

This requires the previous patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Arran Cudbard-Bell 
Reviewed-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

commit 4566ee91b8c37f62e8b56242a48230db59cd5ff0
Author: Jeremy Allison 
Date:   Tue Oct 20 10:52:55 2020 -0700

lib: talloc: Fix memlimit on pool realloc.

We only have to do the memlimit check before any
real malloc or realloc. Allocations out of a
memory pool have already been counted in the
memory limit, so don't check in those cases.

This is an application-visible change (although
fixing a bug) so bump the ABI to 2.3.1 -> 2.3.2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Jeremy Allison 
Signed-off-by: Arran Cudbard-Bell 
Reviewed-by: Andrew Bartlett 

commit 30a8bea8a340dcf9a3120f5ee8041e62fb129d8d
Author: Arran Cudbard-Bell 
Date:   Tue Oct 20 14:10:30 2020 -0500

lib: talloc: Add more debugging text for existing memlimit + pool tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Arran Cudbard-Bell 
Reviewed-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

commit 6e0aab0b4038255b2d63e8687924a21d77bace91
Author: Jeremy Allison 
Date:   Tue Oct 20 12:14:58 2020 -0700

lib: talloc: Fix pool object accounting when doing talloc_realloc() in the 
ALWAYS_REALLOC compiled case.

tc_alloc_pool() or the fallback malloc can return NULL.

Wait until we know we are returning a valid pointer
before decrementing pool_hdr->object_count due to
reallocing out of the talloc_pool.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

commit 86eb6423bdcedf3433f3dbcf026573a238cf0d87
Author: Jeremy Allison 
Date:   Tue Oct 20 12:18:10 2020 -0700

lib: talloc: Cleanup. Use consistent preprocessor logic macros.

Match other use of ALWAYS_REALLOC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14540

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 ...oc-util-2.3.0.sigs => pytalloc-util-2.3.2.sigs} |   0
 .../ABI/{talloc-2.1.10.sigs => talloc-2.3.2.sigs}  |   0
 lib/talloc/talloc.c|  78 --
 lib/talloc/testsuite.c

[SCM] Samba Shared Repository - branch master updated

2020-11-04 Thread Andrew Bartlett
The branch, master has been updated
   via  8aebd48698e bootstrap: Add Fedora 33
   via  005435dc4d7 tests python krb5: Add python kerberos canonicalization 
tests
   via  41c8aa4b991 tests python krb5: Add canonicalize flag to ASN1
   via  b14dca7c1c0 tests python krb5: Make PrincipalName_create a class 
method
   via  04248f5e868 selftest: add mit kdc specific known fail
  from  a51cda69ec6 s3-vfs_glusterfs: always disable write-behind translator

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8aebd48698e3d41f3d27a5c4710729387760c6d4
Author: Andreas Schneider 
Date:   Wed Nov 4 16:15:16 2020 +0100

bootstrap: Add Fedora 33

This removes Fedora 31 support.

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Nov  5 00:17:55 UTC 2020 on sn-devel-184

commit 005435dc4d7de9d442c7513edec8c782fe20fda3
Author: Gary Lockyer 
Date:   Tue Oct 27 09:32:21 2020 +1300

tests python krb5: Add python kerberos canonicalization tests

Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c.  The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 41c8aa4b991aad306d731b08d068c480eb5c7fed
Author: Gary Lockyer 
Date:   Tue Oct 27 09:31:24 2020 +1300

tests python krb5: Add canonicalize flag to ASN1

Add the canonicalize flag to KerberosFlags, so that it can be used in
python based canonicalization tests.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit b14dca7c1c063e069517ff01b33c63a000d398c3
Author: Gary Lockyer 
Date:   Tue Oct 27 09:29:56 2020 +1300

tests python krb5: Make PrincipalName_create a class method

Make PrincipalName_create a class method, so it can be used in helper
classes.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09
Author: Gary Lockyer 
Date:   Tue Nov 3 09:25:48 2020 +1300

selftest: add mit kdc specific known fail

Add a MIT kerberos specific known fail, will be needed by subsequent
commits.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 .gitlab-ci.yml |  16 +-
 bootstrap/.gitlab-ci.yml   |   4 +-
 bootstrap/config.py|  18 +-
 bootstrap/generated-dists/Vagrantfile  |  14 +-
 .../{fedora31 => fedora33}/Dockerfile  |   2 +-
 .../{fedora31 => fedora33}/bootstrap.sh|   1 +
 .../{fedora31 => fedora33}/locale.sh   |   0
 .../{fedora31 => fedora33}/packages.yml|   1 +
 bootstrap/sha1sum.txt  |   2 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  | 499 +
 python/samba/tests/krb5/raw_testcase.py|   1 +
 python/samba/tests/krb5/rfc4120.asn1   |   8 +-
 python/samba/tests/krb5/rfc4120_pyasn1.py  |   4 +-
 python/samba/tests/usage.py|   1 +
 selftest/knownfail_mit_kdc | 144 ++
 selftest/wscript   |   2 +
 source4/selftest/tests.py  |   1 +
 17 files changed, 687 insertions(+), 31 deletions(-)
 rename bootstrap/generated-dists/{fedora31 => fedora33}/Dockerfile (92%)
 rename bootstrap/generated-dists/{fedora31 => fedora33}/bootstrap.sh (98%)
 rename bootstrap/generated-dists/{fedora31 => fedora33}/locale.sh (100%)
 rename bootstrap/generated-dists/{fedora31 => fedora33}/packages.yml (98%)
 create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py
 create mode 100644 selftest/knownfail_mit_kdc


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8fad80033b4..77c57135b86 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -32,7 +32,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 86279163d150fb95742f4b34fce0dfc1a639f5de
+  SAMBA_CI_CONTAINER_TAG: 446341a5c66a0cd04cac694991e4522385389e0f
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
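Review bot: the new SAMBA_CI_CONTAINER_TAG is a second, hand-maintained copy of a generated value; the comment directly above it says the tag must equal the contents of bootstrap/sha1sum.txt as produced by bootstrap/template.py --render, and nothing in this hunk enforces that. Please confirm the value was taken from a fresh render, and consider a CI step that compares the two and fails on a mismatch, since every SAMBA_CI_CONTAINER_IMAGE_* name is built from this tag.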
@@ -50,8 +50,8 @@ variables:
   SAMBA_CI_CONTAINER_IMAGE_debian10: 
${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-debian10:${SAMBA_CI_CONTAINER_TAG}
   SAMBA_CI_CONTAINER_IMAGE_opensuse150: 
${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse150:

Re: cli_credentials_parse_name... (Re: [SCM] Samba Shared Repository - branch master updated)

2020-11-04 Thread Andrew Bartlett
On Wed, 2020-11-04 at 19:23 +0200, Alexander Bokovoy wrote:
> On ke, 04 marras 2020, Stefan Metzmacher wrote:
> > Am 04.11.20 um 17:24 schrieb Alexander Bokovoy:
> > > The branch, master has been updated
> > >via  f9016912098 lookup_name: allow lookup for own realm
> > >via  00f4262ed0b cli_credentials: add a helper to parse
> > > user or group names
> > >via  eb0474d27ba cli_credentials_parse_string: fix parsing
> > > of principals
> > >   from  a1b021200e3 selftest: add test for new "samba-tool
> > > user unlock" command
> > > 
> > > https://git.samba.org/?p=samba.git;a=shortlog;h=master
> > > 
> > > 
> > > - Log -
> > > 
> > > commit f901691209867b32c2d7c5c9274eee196f541654
> > > Author: Alexander Bokovoy 
> > > Date:   Wed Nov 4 14:21:33 2020 +0200
> > > 
> > > lookup_name: allow lookup for own realm
> > > 
> > > When using a security tab in Windows Explorer, a lookup over
> > > a trusted
> > > forest might come as realm\name instead of NetBIOS domain
> > > name:
> > > 
> > > -
> > > ---
> > > [2020/01/13 11:12:39.859134,  1, pid=33253,
> > > effective(1732401004, 1732401004), real(1732401004, 0),
> > > class=rpc_parse]
> > > ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
> > >lsa_LookupNames3: struct lsa_LookupNames3
> > >   in: struct lsa_LookupNames3
> > >   handle   : *
> > >   handle: struct policy_handle
> > >   handle_type  : 0x
> > > (0)
> > >   uuid : 000e-
> > > --1c5e-a750e581
> > >   num_names: 0x0001 (1)
> > >   names: ARRAY(1)
> > >   names: struct lsa_String
> > >   length   : 0x001e (30)
> > >   size : 0x0020 (32)
> > >   string   : *
> > >   string   :
> > > 'ipa.test\admins'
> > >   sids : *
> > >   sids: struct lsa_TransSidArray3
> > >   count: 0x
> > > (0)
> > >   sids : NULL
> > >   level:
> > > LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
> > >   count: *
> > >   count: 0x (0)
> > >   lookup_options   :
> > > LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
> > >   client_revision  :
> > > LSA_CLIENT_REVISION_2 (2)
> > > 
> > > ...
> > > 
> > > diff --git a/auth/credentials/tests/test_creds.c
> > > b/auth/credentials/tests/test_creds.c
> > > index d2d3d30d73d..38550d6ecf9 100644
> > > --- a/auth/credentials/tests/test_creds.c
> > > +++ b/auth/credentials/tests/test_creds.c
> > > @@ -187,7 +187,7 @@ static void torture_creds_parse_string(void
> > > **state)
> > >   assert_string_equal(creds->domain, "");
> > >   assert_int_equal(creds->domain_obtained, CRED_SPECIFIED);
> > >  
> > > - assert_string_equal(creds->username, "wurst@brot.realm");
> > > + assert_string_equal(creds->username, "wurst");
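Review bot: the expected username changes from "wurst@brot.realm" to "wurst" while the context lines above still expect creds->domain to be "" with CRED_SPECIFIED, and nothing in the visible lines asserts where the "@brot.realm" part ends up, so the test would pass even if that part were silently dropped. Add an assertion on the field that is now meant to carry it, and state the behaviour change for callers of the parser in the commit message.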
> > 
> > I'm sorry but this is wrong!
> > I'm wondering why this wasn't covered by any high level test.
> > 
> > This needs to result in domain="" and username="wurst@brot.realm"
> > and that's exactly what we need to use for NTLMSSP.
> > Also note that "brot.realm" may not be a realm and "wurst" may not
> > be a sAMAccountName. A userPrincipalName can be 
> > anything@anydomain-of-msDS-SPNSuffixes.

cli_credentials_get_ntlm_username_domain() does this already.

> > I fear we need to revert these changes.
> > From the merge request (
> > https://gitlab.com/samba-team/samba/-/merge_requests/1658)
> > I didn't really look at the whole patchset (with behavior change)
> > I only focused on CRED_NO_PASSWORD.
> > 
> > I think we need the logic we have in wb_irpc_lsa_LookupNames4_call()
> > and/or parse_domain_user() here.
> 
> I'm pushing a revert for now and will look at those.

I'm not so sure this is totally wrong.  Can I have a look over these
paths at the office?  I need any possible distraction from US election
results anyway...

Andrew Bartlett

-- 
Andrew Bartlett   https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

[SCM] Samba Shared Repository - branch master updated

2020-11-02 Thread Andrew Bartlett
The branch, master has been updated
   via  7d846cd178d s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.
   via  6a9d22f4a91 dsdb/mod/operational: correct comment arithmetic
  from  2a49ccbcf5e s3-vfs_glusterfs: refuse connection when write-behind xlator is present

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7d846cd178d653600c71ee4bd6a491a9e48a56da
Author: Jeremy Allison 
Date:   Mon Nov 2 15:46:51 2020 -0800

s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov  3 01:56:59 UTC 2020 on sn-devel-184

commit 6a9d22f4a91e07b8af0f1fb3a7d0cbab2ca0c76f
Author: Douglas Bagnall 
Date:   Fri Oct 23 16:30:25 2020 +1300

dsdb/mod/operational: correct comment arithmetic

E + F is not 1F! E + F is 1D!

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 source3/modules/vfs_glusterfs.c  | 2 ++
 source4/dsdb/samdb/ldb_modules/operational.c | 5 -
 2 files changed, 6 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index eea5b30e327..dacedd8e04a 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -338,11 +338,13 @@ static int check_for_write_behind_translator(TALLOC_CTX 
*mem_ctx,
"Please check the vfs_glusterfs(8) manpage for "
"further details.\n",
volume);
+   TALLOC_FREE(lines);
TALLOC_FREE(option);
TALLOC_FREE(buf);
return -1;
}
 
+   TALLOC_FREE(lines);
TALLOC_FREE(option);
TALLOC_FREE(buf);
return 0;
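Review bot: TALLOC_FREE(lines) is added only on the two exits visible in this hunk (the `return -1` after the warning and the final `return 0`); any earlier return between the point where lines is allocated on mem_ctx and this block would still leak it. Please check those paths, or route every exit through a single cleanup label (or a talloc_stackframe()) so that a later early return cannot reintroduce the leak.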
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 50e913cdd5c..3c0bd039d56 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -797,7 +797,10 @@ static NTTIME 
get_msds_user_password_expiry_time_computed(struct ldb_module *mod
 *
 * 0x7FFEULL + 0x7FFFULL
 * =
-* 0xULL
+* 0xFFFDULL
+*
+* or to put it another way, adding two numbers less than 1<<63 can't
+* ever be more than 1<<64, therefore this result can't wrap.
 */
ret = (NTTIME)pwdLastSet - (NTTIME)maxPwdAge;
if (ret >= 0x7FFFULL) {
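Review bot: the sentence added to the comment states a bound that is weaker than the one it needs: the sum of two values below 1<<63 is always below 1<<64, whereas "can't ever be more than 1<<64" still admits a result equal to 1<<64, which would wrap. Reword it as "is always less than 1<<64". The comment also reasons about an addition while the statement under it is `(NTTIME)pwdLastSet - (NTTIME)maxPwdAge`, so add a line saying why the subtraction behaves as an addition here.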


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-10-22 Thread Andrew Bartlett
The branch, master has been updated
   via  54b4d2d3cb3 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
   via  493f5d6b078 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
   via  c55f4f37589 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
   via  3f4626ea6d2 wb_sids2xids: fill cache as soon as possible
   via  374acc2e5fc wb_sids2xids: directly use state->all_ids to collect results
   via  19c8b6a8b18 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
   via  cda61f592a0 wb_sids2xids: refactor wb_sids2xids_done() a bit
   via  f6bb0ed21f8 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
   via  231c8d04b19 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
   via  797b11f198e wb_sids2xids: rename 'non_cached' to 'lookup_sids'
   via  04956350a57 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
   via  79c1d3aaf6d wb_sids2xids: split out wb_sids2xids_next_sids2unix()
   via  28e020c0a86 winbindd: defer the setup_child() from init_idmap_child()
   via  b8c74b7b46d winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
   via  82fd07793f0 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
   via  d42aaeba6e0 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
   via  a8f57c94fc2 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
   via  209e81a2ea8 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
   via  cd9a9702c1f winbindd: add and use is_idmap_child()
   via  21035436290 winbindd: add and use idmap_child_pid()
   via  1694de1ae6c wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
   via  5cc21a9d319 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
   via  7dbe5b48974 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
   via  7518a0ca32c winbindd/idmap: apply const to struct nss_info_methods pointers
   via  95b0dac0af5 winbindd/idmap: apply const to struct idmap_methods pointers
   via  f5eec89011c test_idmap_tdb_common: correctly initialize the idmap domain with an init function
   via  58e9b6a s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
   via  1576421dbdd winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
   via  302098c3259 rpc: avoid undefined behaviour when parsing bindings
   via  09479bf0ee1 .gitlab-ci.yml: Ensure we compile before we start the main parallel testing
   via  48c9b699065 .gitlab-ci.yml: Run the coverity submission job in parallel with the builds
   via  895c729ce36 py3: Add is_ad_dc_built option to python glue
  from  8f66ce0a3d1 oss-fuzz: Add very verbose explaination for RPATH vs RUNPATH

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 54b4d2d3cb307019a260d15c6e6b4a3fb7fc337c
Author: Stefan Metzmacher 
Date:   Fri Sep 11 16:24:49 2020 +0200

wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE

We try to give a valid hint for predefined sids and
pass ID_TYPE_BOTH as a hint that the domain part of the sid is valid.

In most cases the idmap child/backend does not require a type_hint
as mappings already exist.

This is a speed up as we no longer need to contact a domain controller.

It's also possible to accept kerberos authentication without reaching
out to a domain controller at all (if the idmap backend doesn't need a
hint).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Gary Lockyer 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 23 04:47:26 UTC 2020 on sn-devel-184

commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87
Author: Stefan Metzmacher 
Date:   Tue Sep 15 17:26:11 2020 +0200

winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE

This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd
parent in future and only do that on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Gary Lockyer 

commit c55f4f37589130a0d8952489da175bbcf53f6748
Author: Stefan Metzmacher 
Date:   Thu Sep 10 17:13:14 2020 +0200

wb_sids2xids: build state->idmap_doms based on wb_parent_idm

[SCM] Samba Shared Repository - branch master updated

2020-10-21 Thread Andrew Bartlett
The branch, master has been updated
   via  d031391bed0 fuzzing: Fix the oss-fuzz coverage build
  from  a01dfc29c1f lib: Add tevent_req_received() to messaging_filtered_read_recv()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d031391bed0d3c23b602816d968417267535c746
Author: Andrew Bartlett 
Date:   Thu Oct 22 07:34:35 2020 +1300

fuzzing: Fix the oss-fuzz coverage build

It was long thought that the issue here was that no seed corpus was
provided, but actually the issue is that to obtain coverage output
just as we already know for gcc gcov, you must provide fuzzing flags
to both the compile and link phase.

Thankfully clang as a linker does not mind the strange non-linker options
from $COVERAGE_FLAGS.

REF: https://stackoverflow.com/questions/56112019/clang-does-not-generate-profraw-file-when-linking-manually
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19495#c48

Reviewed-by: Douglas Bagnall 
Signed-off-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Oct 21 23:07:37 UTC 2020 on sn-devel-184

---

Summary of changes:
 lib/fuzzing/oss-fuzz/build_samba.sh | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/oss-fuzz/build_samba.sh 
b/lib/fuzzing/oss-fuzz/build_samba.sh
index b27c7b7d5c8..5980f88ad02 100755
--- a/lib/fuzzing/oss-fuzz/build_samba.sh
+++ b/lib/fuzzing/oss-fuzz/build_samba.sh
@@ -59,7 +59,14 @@ case "$SANITIZER" in
SANITIZER_ARG='--undefined-sanitizer'
;;
 coverage)
-   SANITIZER_ARG=''
+   # Thankfully clang operating as ld has no objection to the
+   # cc style options, so we can just set ADDITIONAL_LDFLAGS
+   # to ensure the coverage build is done, despite waf splitting
+   # the compile and link phases.
+   ADDITIONAL_LDFLAGS="$COVERAGE_FLAGS"
+   export ADDITIONAL_LDFLAGS
+
+   SANITIZER_ARG=''
;;
 esac
 
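Review bot: in the coverage) branch, ADDITIONAL_LDFLAGS="$COVERAGE_FLAGS" overwrites any ADDITIONAL_LDFLAGS already present in the environment instead of appending to it. If the caller is allowed to set that variable, use ADDITIONAL_LDFLAGS="${ADDITIONAL_LDFLAGS:-} $COVERAGE_FLAGS"; if it is not, say so in the comment. The comment would also be more useful if it recorded that the flags are required at link time for coverage output to be produced at all, which is the reason the commit message gives.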


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-10-20 Thread Andrew Bartlett
The branch, master has been updated
   via  9dfeb81d08c fuzz/oss-fuzz/build_samba: fetch fuzz seeds
   via  6d388da765e fuzz/oss-fuzz/build-samba: note the calling site
   via  be51499f7de fuzzing/README: link to wiki
  from  e246976b676 s3:tests: Add tests for 'valid users'.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9dfeb81d08cd5883c9dc1aaecaf0ce03f2812efc
Author: Douglas Bagnall 
Date:   Thu Oct 15 14:34:04 2020 +1300

fuzz/oss-fuzz/build_samba: fetch fuzz seeds

There is a git repository at
https://gitlab.com/samba-team/samba-fuzz-seeds that contains the
seeds. When the master branch of that repository is updated, a CI job
runs that creates a zip file of all the seeds as an artifact. That zip
file is downloaded and unpacked by oss_fuzz/build_samba. The contents
of that zip are further zips that contain the seeds for each fuzzing
binary; these are placed next to the binaries in the manner that
oss-fuzz expects.

That is, beside 'fuzz_foo', we put 'fuzz_foo_seed_corpus.zip' which
contains a pile of fuzz_foo seeds.

There may be times when a new fuzz target does not have a seed corpus,
and times when a removed fuzz target leaves behind a seed corpus.
This is OK, so we don't insist on an exact match between the target
names and the zip names, only that there is some overlap.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Oct 21 03:47:35 UTC 2020 on sn-devel-184

commit 6d388da765e0ac1df3e5ba1eab08838497e6
Author: Douglas Bagnall 
Date:   Thu Oct 15 14:31:15 2020 +1300

fuzz/oss-fuzz/build-samba: note the calling site

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit be51499f7deb4551e2a81f77582f3828d6652681
Author: Douglas Bagnall 
Date:   Thu Oct 15 14:07:10 2020 +1300

fuzzing/README: link to wiki

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/fuzzing/README.md   |  4 +++-
 lib/fuzzing/oss-fuzz/build_samba.sh | 18 +-
 lib/fuzzing/oss-fuzz/check_build.sh | 16 
 3 files changed, 36 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/README.md b/lib/fuzzing/README.md
index 5a248241248..33d33b92390 100644
--- a/lib/fuzzing/README.md
+++ b/lib/fuzzing/README.md
@@ -1,5 +1,7 @@
 # Fuzzing Samba
 
+See also https://wiki.samba.org/index.php/Fuzzing
+
 Fuzzing supplies valid, invalid, unexpected or random data as input to a piece
 of code. Instrumentation, usually compiler-implemented, is used to monitor for
 exceptions such as crashes, assertions or memory corruption.
@@ -7,7 +9,7 @@ exceptions such as crashes, assertions or memory corruption.
 See [Wikipedia article on fuzzing](https://en.wikipedia.org/wiki/Fuzzing) for
 more information.
 
-# Hongfuzz
+# Honggfuzz
 
 ## Configure with fuzzing
 
diff --git a/lib/fuzzing/oss-fuzz/build_samba.sh 
b/lib/fuzzing/oss-fuzz/build_samba.sh
index b06e03c4903..b27c7b7d5c8 100755
--- a/lib/fuzzing/oss-fuzz/build_samba.sh
+++ b/lib/fuzzing/oss-fuzz/build_samba.sh
@@ -1,11 +1,16 @@
 #!/bin/sh
 #
-# This is not a general-purpose build script, but instead one specific to the 
Google oss-fuzz compile environment.
+# This is not a general-purpose build script, but instead one specific
+# to the Google oss-fuzz compile environment.
 #
 # 
https://google.github.io/oss-fuzz/getting-started/new-project-guide/#Requirements
 #
 # 
https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/README.md#provided-environment-variables
 #
+# This file is run by
+# https://github.com/google/oss-fuzz/blob/master/projects/samba/build.sh
+# which does nothing else.
+#
 # We have to push to oss-fuzz CFLAGS into the waf ADDITIONAL_CFLAGS
 # as otherwise waf's configure fails linking the first test binary
 #
@@ -105,4 +110,15 @@ do
 
 # Truncate the original binary to save space
 echo -n > $x
+
 done
+
+# Grap the seeds dictionary from github and put the seed zips in place
+# beside their executables.
+
+wget 
https://gitlab.com/samba-team/samba-fuzz-seeds/-/jobs/artifacts/master/download?job=zips
 \
+ -O seeds.zip
+
+# We might not have unzip, but we do have python
+$PYTHON -mzipfile -e seeds.zip  $OUT
+rm -f seeds.zip
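Review bot: the seeds archive is downloaded and unpacked straight into $OUT with no integrity check, so whatever the artifact URL serves ends up beside the fuzz binaries; verify a checksum, or fetch a pinned job or commit rather than "master", before extracting. In the same lines the URL contains `?` and is unquoted, so the shell treats it as a glob pattern, and `$OUT` is unquoted in the `$PYTHON -mzipfile -e` call; quote both. The comment says "Grap the seeds dictionary from github", but the URL is on gitlab.com and what is fetched is a seed corpus, not a dictionary.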
diff --git a/lib/fuzzing/oss-fuzz/check_build.sh 
b/lib/fuzzing/oss-fuzz/check_build.sh
index cc69cf26418..b971d2c1bb0 100755
--- a/lib/fuzzing/oss-fuzz/check_build.sh
+++ b/lib/fuzzing/oss-fuzz/check_build.sh
@@ -13,8 +13,15 @@ OUT=$1
 
 # build_samba.sh will have put a non-zero number of fuzzers here.  If
 # there are none, this will fail as it becomes literally fuzz_*
+
+seeds_found=no
+
 for bin in $OUT/fu
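
The seed layout described in the commit message above (fuzz_foo beside fuzz_foo_seed_corpus.zip, with only some overlap required), as an added example that is not Samba's check_build.sh. The function names and the sample file names are assumptions, and the sample files are constructed empty placeholders.

```shell
#!/bin/sh
# Added example, not Samba's check_build.sh.
# Checks a build output directory against the naming rule from the
# commit message: target "fuzz_foo" has corpus "fuzz_foo_seed_corpus.zip".

# count_seeded_targets DIR   (hypothetical helper name)
# Prints "<targets> <seeded> <orphan_zips>".
# Returns 0 when there is at least one target and at least one target
# has its corpus beside it; returns 1 otherwise. Targets without a
# corpus and corpora without a target are counted but tolerated.
count_seeded_targets() {
	dir=$1
	targets=0
	seeded=0
	orphans=0

	for bin in "$dir"/fuzz_*; do
		# An unmatched glob stays literal; -f filters that out.
		[ -f "$bin" ] || continue
		case "$bin" in
		*_seed_corpus.zip) continue ;;   # a corpus, not a target
		esac
		targets=$((targets + 1))
		if [ -f "${bin}_seed_corpus.zip" ]; then
			seeded=$((seeded + 1))
		fi
	done

	for zip in "$dir"/fuzz_*_seed_corpus.zip; do
		[ -f "$zip" ] || continue
		target=${zip%_seed_corpus.zip}
		# Left behind by a removed fuzz target: allowed, but reported.
		[ -f "$target" ] || orphans=$((orphans + 1))
	done

	echo "$targets $seeded $orphans"
	[ "$targets" -gt 0 ] && [ "$seeded" -gt 0 ]
}

# Constructed sample layout: two targets, one with a corpus, plus one
# corpus whose target no longer exists.
demo_constructed_layout() {
	demo_dir=$(mktemp -d)
	: > "$demo_dir/fuzz_ndr_parse"
	: > "$demo_dir/fuzz_ndr_parse_seed_corpus.zip"
	: > "$demo_dir/fuzz_new_target"
	: > "$demo_dir/fuzz_removed_target_seed_corpus.zip"
	if count_seeded_targets "$demo_dir"; then
		echo "seed check passed"
	else
		echo "seed check failed"
	fi
	rm -rf "$demo_dir"
}

if [ "${1:-}" = "demo" ]; then
	demo_constructed_layout
fi
```

Run the script with the argument `demo` to see the counts for the constructed layout.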

[SCM] Samba Shared Repository - branch master updated

2020-10-16 Thread Andrew Bartlett
The branch, master has been updated
   via  6bf1b9885b7 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 zero password
   via  61f216dc896 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password
   via  56297c70890 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password
   via  b2f4a556715 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 confounder
   via  e790f9d20a1 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password
   via  f47e3734158 CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero enc req
   via  07c316346ae CVE-2020-1472(ZeroLogon): torture: Move existing tests
   via  6f59a5fd841 CVE-2020-1472(ZeroLogon): Add zerologon test suite
   via  b9b6abf18b8 CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check
   via  c56c5c17fd4 tevent: also use portable __has_attribute macro to check for "deprecated" attribute
   via  de748864201 replace: also use portable __has_attribute macro to check for "deprecated" attribute
   via  2889baeec4a talloc: also use portable __has_attribute macro to check for "deprecated" attribute
   via  2541f67c67e fuzz: add fuzz_cli_credentials_parse_string
   via  e721dfc833a fuzz: add fuzz_dcerpc_parse_binding
  from  2b8b0139fcc vfs_zfsacl: add zfs configuration guidance to manpage

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6bf1b9885b7ca8f6164e5d9065aceb15a363ea90
Author: Gary Lockyer 
Date:   Mon Sep 28 10:02:16 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 zero password

Ensure that a password of all zeros shorter than the maximum length is
rejected.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Oct 16 06:09:06 UTC 2020 on sn-devel-184

commit 61f216dc89669be2641bba678cf6e1c69788364d
Author: Gary Lockyer 
Date:   Mon Sep 28 10:01:34 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 max len password

Ensure that a maximum length password (512) is still accepted

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit 56297c70890287d800e30cf057e4702314261d0b
Author: Gary Lockyer 
Date:   Mon Sep 28 10:00:54 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password

Check that an all zero password is rejected. Note this test uses ARC4
encryption so that it passes the self encryption test.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit b2f4a556715119da526bf67ae4ee7b444ed7c9f5
Author: Gary Lockyer 
Date:   Mon Sep 28 10:00:00 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 confounder

Test that a confounder that encrypts to itself is rejected

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit e790f9d20a123859ed687ae1d5af6159c0fed61a
Author: Gary Lockyer 
Date:   Mon Sep 28 09:54:41 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero password

Check that a password buffer containing all zeros is rejected.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit f47e3734158c108f2ea3e875f87085649dc0704e
Author: Gary Lockyer 
Date:   Mon Sep 28 09:45:28 2020 +1300

CVE-2020-1472(ZeroLogon): torture: ServerSetPassword2 all zero enc req

Check that a request that encrypts to all zeros, is rejected if the length
encrypts to itself.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit 07c316346ae3e7778d5d6809245480f2b30275bd
Author: Gary Lockyer 
Date:   Mon Sep 28 09:33:35 2020 +1300

CVE-2020-1472(ZeroLogon): torture: Move existing tests

Move the existing ZeroLogon tests into the ZeroLogon testsuite.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit 6f59a5fd8416bd648265b909ca45de6376747548
Author: Gary Lockyer 
Date:   Mon Sep 28 09:29:25 2020 +1300

CVE-2020-1472(ZeroLogon): Add zerologon test suite

Add a ZeroLogon test suite, to allow the ZeroLogon tests to be run against
the s3 and s4 netlogon servers.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit b9b6abf18b873ee83194405719fe993b8fb2073a
Author: Gary Lockyer 
Date:   Thu Sep 24 13:35:47 2020 +1200

CVE-2020-1472(ZeroLogon): rpc_server/netlogon: Fix confounder check

Add check for zero length confounder, to allow setting of passwords 512
bytes long. This does not need to be backported, as it is extremely
unlikely that anyone is using 512 byte passwords.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

commit c56c5c17fd4f5764935ee6a4cd90b9c0a2c525b4
Author: Björn Jacke 
Date:   Thu Oct 8 12:21:31 20

[SCM] Samba Shared Repository - branch master updated

2020-09-10 Thread Andrew Bartlett
The branch, master has been updated
   via  ed9abf94b31 utils/asn1: avoid undefined behaviour warning
   via  47ee0c81f65 s4:torture/rpc: move test_fsrvp_seq_timeout as last
   via  9bbfdb11858 s4:torture/rpc: flip order of netlogon tests
   via  671fe10f212 s4:torture/rpc: run tests in the order that they're added
   via  6f5b0fef598 ctdb: Prevent man page duplication
   via  e60df214998 oss-fuzz: standardise on RUNPATH for the static-ish binaries
  from  53a368c58d0 idmap_ad: Honor "client ldap sasl wrapping" config setting

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ed9abf94b3167a1a61b5da163e9b07b06c8a457b
Author: Douglas Bagnall 
Date:   Sun Sep 6 09:35:49 2020 +1200

utils/asn1: avoid undefined behaviour warning

UBSAN does not like an int >= 1<<24 being shifted left.
We check the overflow in the very next line.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25436

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Sep 11 05:05:59 UTC 2020 on sn-devel-184

commit 47ee0c81f65108216234f738c3ada6782931dc47
Author: David Disseldorp 
Date:   Tue Sep 8 01:20:51 2020 +0200

s4:torture/rpc: move test_fsrvp_seq_timeout as last

test_fsrvp_seq_timeout may see share snapshots left-over, which can
cause problems if subsequent tests expect a clean slate
(i.e. enum_created).

Signed-off-by: David Disseldorp 
Reviewed-by: Andrew Bartlett 

commit 9bbfdb11858fd6cdecdfedb3fcbf7cde219e3dd9
Author: David Disseldorp 
Date:   Sun Sep 6 18:46:38 2020 +0200

s4:torture/rpc: flip order of netlogon tests

The previous change to not run rpc tests in reverse order results in
the following failure:
  Testing netr_LogonGetDomainInfo
  UNEXPECTED(failure): samba4.rpc.netlogon with
   seal,padcheck.netlogon.GetDomainInfo(ad_dc)
  REASON: Exception: ../../source4/torture/rpc/netlogon.c:320:
  Expression `plain_pass != ((void *)0)' failed: plain_pass

Restore the dependent order of netlogon tests by reversing the
torture_rpc_tcase_add_test*() calls for the suite.

Signed-off-by: David Disseldorp 
Reviewed-by: Andrew Bartlett 

commit 671fe10f212b013af844ad4e3291322082b05619
Author: David Disseldorp 
Date:   Sun Sep 6 10:57:41 2020 +0200

s4:torture/rpc: run tests in the order that they're added

torture_rpc_tcase_add_test*() uses DLIST_ADD(), which sees them executed
in reverse order to which they're added. Use DLIST_ADD_END() instead to
fix this.

Signed-off-by: David Disseldorp 
Reviewed-by: Andrew Bartlett 

commit 6f5b0fef59850477ad30c2b5063b431725716056
Author: David Mulder 
Date:   Thu Sep 10 11:50:53 2020 -0600

ctdb: Prevent man page duplication

The new waf detects a duplicate instance of
ctdb_mutex_ceph_rados_helper.7.xml, which is due
to manpages_extra being a pointer to
manpages_misc, therefore each call to build()
added duplicate entries to the manpages_misc
global entry.

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit e60df214998afc145ca482cab184691b3ddc3bb2
Author: Andrew Bartlett 
Date:   Wed Aug 26 15:37:57 2020 +1200

oss-fuzz: standardise on RUNPATH for the static-ish binaries

We use ld.bfd for the coverage builds, rather than the faster ld.gold.

We run the oss-fuzz autobuild target on Ubuntu 16.04 to more closely
mirror the environment provided by the Google oss-fuzz build
container.

On Ubuntu 16.04, when linking with ld.bfd built binaries get a RPATH,
but builds in Ubuntu 18.04 and those using ld.gold get a RUNPATH.

Just convert them all to RUNPATH to make the check_build.sh test (run
by the oss-fuzz autobuild target) easier.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 ctdb/wscript|  2 +-
 lib/fuzzing/oss-fuzz/build_samba.sh | 11 +
 lib/util/asn1.c |  6 ++-
 source4/torture/rpc/fsrvp.c |  4 +-
 source4/torture/rpc/netlogon.c  | 82 ++---
 source4/torture/rpc/rpc.c   | 10 ++---
 6 files changed, 65 insertions(+), 50 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/wscript b/ctdb/wscript
index 35c8c0622fc..b883990c55e 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -705,7 +705,7 @@ def build(bld):
(sed_expr1, sed_expr2, sed_expr3, sed_expr4, sed_expr5,
 sed_expr6, sed_expr7, sed_expr8)
 
-manpages_extra = manpages_misc
+manpages_extra =

[SCM] Samba Shared Repository - branch master updated

2020-09-07 Thread Andrew Bartlett
The branch, master has been updated
   via  c760ed61907 gitlab-ci: Fix the sha1sum
  from  7a3c368d787 s3: libsmb: Cleanup in get_dc_list()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c760ed61907d5ea67b18dc4fa92ff8e287ff48da
Author: Andreas Schneider 
Date:   Mon Sep 7 17:36:58 2020 +0200

gitlab-ci: Fix the sha1sum

The images were built with an invalid sha1sum.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Sep  7 23:57:48 UTC 2020 on sn-devel-184

---

Summary of changes:
 .gitlab-ci.yml| 2 +-
 bootstrap/sha1sum.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index eac719e5ee5..569120f6f44 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -23,7 +23,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 2b36c89aa12c35958fd95380615dde0ef5a97b9d
+  SAMBA_CI_CONTAINER_TAG: 0ff8e6d23f6f418ee5af48921754f4073300c1a5
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
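Review bot: SAMBA_CI_CONTAINER_TAG remains a second, hand-maintained copy of the value in bootstrap/sha1sum.txt, and nothing in this hunk ties the two together apart from the comment above the variable. A CI step that compares the tag against the contents of bootstrap/sha1sum.txt and fails on a mismatch would catch a stale or mistyped value before any image is built or pulled under it. The new value here does match the one written to bootstrap/sha1sum.txt in the same change.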
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 28d7e55a73a..fb3adc00797 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-2b36c89aa12c35958fd95380615dde0ef5a97b9d
+0ff8e6d23f6f418ee5af48921754f4073300c1a5


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-08-25 Thread Andrew Bartlett
The branch, master has been updated
   via  830c0206453 oss-fuzz: Ensure a UTF8 locale is set for the samba 
build
   via  49f58b2b093 oss-fuzz: Try harder to ensure we always fail fast
  from  102e2a26d3c s3: libsmb: Cleanup - remove an ugly sockaddr_in cast 
inside resolve_wins_send().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 830c0206453b41bef87bdc9b309b968f5abd6200
Author: Andrew Bartlett 
Date:   Wed Aug 26 12:50:00 2020 +1200

oss-fuzz: Ensure a UTF8 locale is set for the samba build

This ensures that LANG=en_US.UTF8 is set, which
Samba's build system needs to operate in UTF8 mode.

The change to use flex to generate code meant that this
difference between GitLab CI and oss-fuzz was exposed.

REF: https://github.com/google/oss-fuzz/pull/4366

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Aug 26 03:20:46 UTC 2020 on sn-devel-184

commit 49f58b2b093b962e2f3e060b1322a4e61be678a1
Author: Andrew Bartlett 
Date:   Wed Aug 26 12:47:04 2020 +1200

oss-fuzz: Try harder to ensure we always fail fast

During a previous attempt to fix the LANG= issue I changed
the script invocation to be via a shell, so the set -x et al
ensures these are always in place and we fail fast
rather than failures only being detected by lack of output.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 lib/fuzzing/oss-fuzz/build_samba.sh | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/lib/fuzzing/oss-fuzz/build_samba.sh 
b/lib/fuzzing/oss-fuzz/build_samba.sh
index 5d3bc3ff6c3..333e8c38561 100755
--- a/lib/fuzzing/oss-fuzz/build_samba.sh
+++ b/lib/fuzzing/oss-fuzz/build_samba.sh
@@ -1,4 +1,4 @@
-#!/bin/sh -eux
+#!/bin/sh
 #
 # This is not a general-purpose build script, but instead one specific to the 
Google oss-fuzz compile environment.
 #
@@ -14,6 +14,19 @@
 # Additional arguments are passed to configure, to allow this to be
 # tested in autobuild.py
 #
+
+# Ensure we give good trace info, fail right away and fail with unset
+# variables
+set -e
+set -x
+set -u
+
+# It is critical that this script, just as the rest of Samba's GitLab
+# CI docker has LANG set to en_US.utf8 (oss-fuzz fails to set this)
+. /etc/default/locale
+export LANG
+export LC_ALL
+
 ADDITIONAL_CFLAGS="$CFLAGS"
 export ADDITIONAL_CFLAGS
 CFLAGS=""
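Review bot: The added comment says LANG must be en_US.utf8, but the new lines only source /etc/default/locale and export whatever it defines; nothing checks the result. If the file defines some other locale, the build silently proceeds with it, which is the failure mode this change is meant to rule out. Consider asserting on "$LANG" directly after the `. /etc/default/locale` line and exiting with a clear message if it is not a UTF-8 locale, so the check fails as fast as the `set -e` and `set -u` lines intend. Sourcing the file also executes it as shell code, so it is worth stating in the comment that the script trusts the container image for its contents.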


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-08-24 Thread Andrew Bartlett
The branch, master has been updated
   via  9d935795ea5 Fix FTBFS / Increase the over-estimation for sparse 
files
  from  d3109a11c8d lib/util: Move cleanup for unit test in teardown 
function

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9d935795ea5a3294f82fe65cca17c79a7b6589f0
Author: Mathieu Parent 
Date:   Thu Jun 25 09:48:04 2020 +0200

Fix FTBFS / Increase the over-estimation for sparse files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14418
Signed-off-by: Mathieu Parent 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug 25 04:23:19 UTC 2020 on sn-devel-184

---

Summary of changes:
 lib/ldb/tests/ldb_kv_ops_test.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/tests/ldb_kv_ops_test.c b/lib/ldb/tests/ldb_kv_ops_test.c
index 30adebf1952..9db2212895f 100644
--- a/lib/ldb/tests/ldb_kv_ops_test.c
+++ b/lib/ldb/tests/ldb_kv_ops_test.c
@@ -1717,8 +1717,11 @@ static void test_get_size(void **state)
/*
 * The tdb implementation of get_size over estimates for sparse files
 * which is perfectly acceptable for it's intended use.
+* mipsel, ia64: 9994
+* ppc64el, powerpc, ppc64: 13369
+* sparc64: 5046
 */
-   assert_in_range(size, 2500, 5000);
+   assert_in_range(size, 2500, 15000);
 #endif
 
/*
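Review bot: Raising the upper bound of assert_in_range() from 5000 to 15000 for every architecture makes the check three times looser on the platforms that previously passed, so a regression in the get_size estimate there could go unnoticed. The comment records the values seen on the failing architectures (9994, 13369, 5046); it would help to also record the value seen where the old bound held, or to select the bound per architecture, so a reader can tell how much headroom 15000 leaves.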
@@ -1746,8 +1749,11 @@ static void test_get_size(void **state)
/*
 * The tdb implementation of get_size over estimates for sparse files
 * which is perfectly acceptable for it's intended use.
+* mipsel, ia64: 9994
+* ppc64el, powerpc, ppc64: 13369
+* sparc64: 5046
 */
-   assert_in_range(size, 2500, 5000);
+   assert_in_range(size, 2500, 15000);
 #endif
talloc_free(tmp_ctx);
 }
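Review bot: This second call site repeats the same three comment lines and the same 2500/15000 literals as the hunk above. A shared pair of constants, or a small helper wrapping assert_in_range(), would keep the two checks from drifting apart the next time an architecture needs a different bound.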


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-08-23 Thread Andrew Bartlett
The branch, master has been updated
   via  d3109a11c8d lib/util: Move cleanup for unit test in teardown 
function
   via  c057586fc85 lib/util: Remove wrong return statement in unit test
   via  40afb0bbcdd lib/util: Fix cleanup in unit test
   via  7dabe5acdfa lib/util: Remove unnecessary semicolon from 
wscript_build
   via  4a252f6e0f5 python compat: remove ConfigParser
   via  3c026ba492a tests/vlv: attempt to cause trouble by changing sort 
attribute
   via  d64886f3e5e tests/vlv: remove redundant assignments
  from  df98e7db04c s4/dns: do not crash when additional data not found

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d3109a11c8dbfbe3afec8fdfe44371ab13780dc6
Author: Christof Schmitt 
Date:   Tue Aug 18 12:48:09 2020 -0700

lib/util: Move cleanup for unit test in teardown function

Where to call rmdir does not matter, but that should avoid the TOCTOU
warning from CID 1466194 and might be slightly cleaner.

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug 24 03:10:09 UTC 2020 on sn-devel-184

commit c057586fc85e84a51c9611714df454b188da2da5
Author: Christof Schmitt 
Date:   Tue Aug 18 09:29:28 2020 -0700

lib/util: Remove wrong return statement in unit test

Fixes CID 1466195

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 40afb0bbcdd5813235bf0697c091c8cac755f587
Author: Christof Schmitt 
Date:   Tue Aug 18 11:14:47 2020 -0700

lib/util: Fix cleanup in unit test

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 7dabe5acdfac9b43356e2e3678ffb657e659ef7c
Author: Christof Schmitt 
Date:   Tue Aug 18 09:28:12 2020 -0700

lib/util: Remove unnecessary semicolon from wscript_build

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

commit 4a252f6e0f5b0dab44e50db4a93e5c9a9a2d4ff1
Author: David Mulder 
Date:   Thu Aug 20 15:51:47 2020 -0600

python compat: remove ConfigParser

Signed-off-by: David Mulder 
Reviewed-by: Andrew Bartlett 

commit 3c026ba492a9d58a03884101b54deb3892e4a706
Author: Douglas Bagnall 
Date:   Wed May 22 10:32:29 2019 +1200

tests/vlv: attempt to cause trouble by changing sort attribute

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit d64886f3e5e6a9e25bc4510150fdc3ee38fab7c6
Author: Douglas Bagnall 
Date:   Wed May 22 10:33:15 2019 +1200

tests/vlv: remove redundant assignments

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/util/tests/test_util.c   | 16 ++--
 lib/util/wscript_build   |  2 +-
 python/samba/compat.py   |  5 -
 python/samba/gp_parse/gp_ini.py  | 11 +++
 python/samba/gpclass.py  |  6 +++---
 source4/dsdb/tests/python/vlv.py | 27 ---
 6 files changed, 45 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/util/tests/test_util.c b/lib/util/tests/test_util.c
index eebba39e70c..e547668ade3 100644
--- a/lib/util/tests/test_util.c
+++ b/lib/util/tests/test_util.c
@@ -94,8 +94,6 @@ static int group_teardown(void **state)
struct test_paths *paths = *state;
int ret;
 
-   return 0;
-
ret = rmdir(paths->dir);
assert_return_code(ret, errno);
 
@@ -111,7 +109,7 @@ static int group_teardown(void **state)
ret = unlink(paths->symlink_file);
assert_return_code(ret, errno);
 
-   ret = unlink(paths->testdir);
+   ret = rmdir(paths->testdir);
assert_return_code(ret, errno);
 
free(paths);
@@ -132,9 +130,14 @@ static void test_directory_create_or_exists_none(void 
**state)
assert_return_code(ret, errno);
assert_int_equal(sbuf.st_mode & 0777, 0775);
assert_true(S_ISDIR(sbuf.st_mode));
+}
 
-   ret = rmdir(paths->none);
-   assert_return_code(ret, errno);
+static int teardown_none_directory(void **state)
+{
+   struct test_paths *paths = *state;
+
+   rmdir(paths->none);
+   return 0;
 }
 
 static void test_directory_create_or_exists_dir(void **state)
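Review bot: teardown_none_directory() discards the return value of rmdir(paths->none), whereas the code removed from the test body asserted on it with assert_return_code(). Tolerating ENOENT is reasonable in a teardown that also runs after a failed test, but any other errno (for example ENOTEMPTY or EACCES) now leaves the directory behind silently and can affect later runs. Suggest checking the result and ignoring only ENOENT.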
@@ -220,7 +223,8 @@ static void 
test_directory_create_or_exists_symlink_file(void **state)
 int main(int argc, char **argv)
 {
const struct CMUnitTest tests[] = {
-   cmocka_unit_test(test_directory_create_or_exists_none),
+   cmocka_unit_test_teardown(test_directory_create_or_exists_none,
+ teardown_none_directory),
cmocka_unit_test(test_directory_create_or_exists_dir),
cmocka_unit_test(test_directory_create_or_exists_file),
  

[SCM] Samba Shared Repository - branch master updated

2020-08-20 Thread Andrew Bartlett
The branch, master has been updated
   via  4dbe8d11316 python: Remove remaining references to third_party 
python libs
   via  2420b7c6d20 python: Add checks for some more required python 
packages
   via  091e11260d6 Remove pyiso8601 from third_party
   via  0573c13da2c bootstrap: Fix python dependencies
   via  7dc535995bb bootstrap: Fix spelling of README.md
  from  ef57bc6d4b5 torture: Fix ldap.basic multibind test

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4dbe8d11316891f7275a7a37e04e11abb1b3706d
Author: Andrew Bartlett 
Date:   Tue Aug 18 21:38:57 2020 +1200

python: Remove remaining references to third_party python libs

For now at least we do not have any in third_party.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Aug 21 00:12:52 UTC 2020 on sn-devel-184

commit 2420b7c6d2038aca33759ca3a7d41240c5f19bf7
Author: Andrew Bartlett 
Date:   Tue Aug 18 11:59:09 2020 +1200

python: Add checks for some more required python packages

This catches the most important packages we require, but
this may not be the full list.

python-gpg is not listed as we have a big workaround handler
for this in samba-tool.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

commit 091e11260d66a6a038aee08f2fed4fc1711aa03b
Author: Andrew Bartlett 
Date:   Mon Aug 17 17:14:25 2020 +1200

Remove pyiso8601 from third_party

The trend has been to remove widely available packages from third_party/

This module is both widely available, and only needed for --enable-selftest

It is, strangely enough, a BuildDependes in the RHEL/Fedora packages
just to stop it being installed in third_party.

The check for iso8601 being available is moved to python/wscript

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

commit 0573c13da2c7f4ac67f4b17c278fa42d65ac857b
Author: Andrew Bartlett 
Date:   Tue Aug 18 14:50:36 2020 +1200

bootstrap: Fix python dependencies

Python2 dependencies are removed and the RPM name of python-iso8601
is added to allow removal from third_party.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

commit 7dc535995bbdb42b1b053c22acff5978cb5da516
Author: Andrew Bartlett 
Date:   Tue Aug 18 14:53:35 2020 +1200

bootstrap: Fix spelling of README.md

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Mulder 

---

Summary of changes:
 .gitlab-ci.yml |   2 +-
 bootstrap/{READMD.md => README.md} |   0
 bootstrap/config.py|   5 +-
 bootstrap/generated-dists/centos7/bootstrap.sh |   1 +
 bootstrap/generated-dists/centos7/packages.yml |   1 +
 bootstrap/generated-dists/centos8/bootstrap.sh |   1 +
 bootstrap/generated-dists/centos8/packages.yml |   1 +
 bootstrap/generated-dists/fedora31/bootstrap.sh|   1 +
 bootstrap/generated-dists/fedora31/packages.yml|   1 +
 bootstrap/generated-dists/fedora32/bootstrap.sh|   1 +
 bootstrap/generated-dists/fedora32/packages.yml|   1 +
 bootstrap/generated-dists/opensuse150/bootstrap.sh |   1 +
 bootstrap/generated-dists/opensuse150/packages.yml |   1 +
 bootstrap/generated-dists/opensuse151/bootstrap.sh |   1 +
 bootstrap/generated-dists/opensuse151/packages.yml |   1 +
 bootstrap/sha1sum.txt  |   2 +-
 python/samba/__init__.py   |  40 
 python/samba/subunit/__init__.py   |   1 -
 python/wscript |  37 +++
 script/show_test_time  |   2 -
 third_party/pyiso8601/.hgignore|   8 -
 third_party/pyiso8601/.hgtags  |   6 -
 third_party/pyiso8601/LICENSE  |  20 --
 third_party/pyiso8601/MANIFEST.in  |   2 -
 third_party/pyiso8601/README.rst   | 180 --
 third_party/pyiso8601/dev-requirements.txt |   5 -
 third_party/pyiso8601/docs/Makefile| 177 --
 third_party/pyiso8601/docs/conf.py | 266 -
 third_party/pyiso8601/docs/index.rst   |  80 ---
 third_party/pyiso8601/docs/make.bat| 242 ---
 third_party/pyiso8601/iso8601/__init__.py  |   1 -
 third_party/pyiso8601/iso8601/iso8601.py   | 214 -
 third_party/pyiso8601/iso8601/test_iso8601.py  |  97 
 third_party/pyiso8601/setup.py |  25 --
 third_party/pyiso8601/tox.ini  |   8 -
 third_party/wscript|  64 +

[SCM] Samba Shared Repository - branch master updated

2020-08-17 Thread Andrew Bartlett
The branch, master has been updated
   via  20606fd0a4c WHATSNEW: list deprecated parameters
   via  8c9d9441edc docs: deprecate "raw NTLMv2 auth"
   via  37583b19d2c docs: deprecate "client plaintext auth"
   via  5543c11c8b0 docs: deprecate "client NTLMv2 auth"
   via  ac8e5ea22d9 docs: deprecate "client lanman auth"
   via  1b85db57e53 docs: deprecate "client use spnego"
   via  c6aa710f8da docs: Deprecate NT4-like domains and SMBv1-only 
protocol options
   via  9e212dd15e6 selftest: Do not let deprecated option warnings muck 
this test up
   via  d14cc45c98a param: Allow tests to silence deprecation warnings
   via  d3ff49f4850 selftest: Add test for suppression of deprecation 
warnings
  from  546a0f99e86 auth: Fix a typo

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 20606fd0a4c4697ff99da59f748af6908d929901
Author: Andrew Bartlett 
Date:   Tue Jun 16 22:23:32 2020 +1200

WHATSNEW: list deprecated parameters

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug 18 01:32:21 UTC 2020 on sn-devel-184

commit 8c9d9441edce2e8d7f0428d0ec5e209ed8a55dbc
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:55:35 2019 +1200

docs: deprecate "raw NTLMv2 auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 37583b19d2c3dbf3e9d0498a39b8b9d9c727e1d4
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:55:23 2019 +1200

docs: deprecate "client plaintext auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 5543c11c8b007b49641758428af7ba3976683438
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:54:01 2019 +1200

docs: deprecate "client NTLMv2 auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit ac8e5ea22d9f9b16a79f519f69852b46ac798541
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:53:46 2019 +1200

docs: deprecate "client lanman auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 1b85db57e53533ce14beb79f6d949a08f6ef9f91
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:53:20 2019 +1200

docs: deprecate "client use spnego"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit c6aa710f8da9ef92b388f1c0c59b2dd3c602ad2d
Author: Andrew Bartlett 
Date:   Tue Jun 16 21:46:33 2020 +1200

docs: Deprecate NT4-like domains and SMBv1-only protocol options
    
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit 9e212dd15e6c484d69f236f3c6d7186f0e6353b4
Author: Andrew Bartlett 
Date:   Mon Aug 10 20:36:53 2020 +1200

selftest: Do not let deprecated option warnings muck this test up
    
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit d14cc45c98a77fb8a6ac96181eec33f368b8dbd8
Author: Andrew Bartlett 
Date:   Wed Jul 29 21:26:55 2020 +1200

param: Allow tests to silence deprecation warnings

This helps make output sensitive tests more reliable.
    
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

commit d3ff49f48507d8a64b9c4847f79d7939f647e6f0
Author: Andrew Bartlett 
Date:   Mon Aug 10 12:18:07 2020 +1200

selftest: Add test for suppression of deprecation warnings
    
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

-

[SCM] Samba Shared Repository - branch master updated

2020-08-02 Thread Andrew Bartlett
The branch, master has been updated
   via  06f87f14b37 README.Coding: target Python 3.6+
   via  14210c248a9 python tests: drop python 2.6 compatibility functions
   via  9148f38c203 ndr: avoid excessive reallocing in pull_string_array
   via  9bf331b46a7 ndr: maintain proper talloc tree in pull_string_array
   via  326bc84c0d0 oss-fuzz: use uninstrumented dynamic python
  from  698d20d39d4 smbd: remove get_current_vuid()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 06f87f14b37e08e6f78892b2f768282a742359df
Author: Douglas Bagnall 
Date:   Wed Jul 29 15:35:12 2020 +1200

README.Coding: target Python 3.6+

Signed-off-by: Douglas Bagnall 
Reviewed-by: Noel Power 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Aug  3 04:13:37 UTC 2020 on sn-devel-184

commit 14210c248a9dd313671dcddf443096c17deb052a
Author: Douglas Bagnall 
Date:   Sat Jul 4 14:28:40 2020 +1200

python tests: drop python 2.6 compatibility functions

Signed-off-by: Douglas Bagnall 
Reviewed-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 9148f38c203c3481a43ef6d39ea9313dfa1c1bea
Author: Douglas Bagnall 
Date:   Thu Jul 30 12:06:10 2020 +1200

ndr: avoid excessive reallocing in pull_string_array

Before, talloc_realloc() was being called n times for an array of
length n. This could be very expensive on long string arrays since it
is reasonable to assume each realloc moves O(n) bytes.

This addresses at least one OSS-Fuzz bug, making a timing out test case
100 times faster. Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19706

Signed-off-by: Douglas Bagnall 
Reviewed-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 9bf331b46a70189f2f63a5223a31eae64a9854db
Author: Douglas Bagnall 
Date:   Thu Jul 30 10:46:17 2020 +1200

ndr: maintain proper talloc tree in pull_string_array

We don't want to leave other parts of the ndr struct hanging off this
string array just because LIBNDR_FLAG_REMAINING is used.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 326bc84c0d0f83b4429e78b6c97420411620
Author: Douglas Bagnall 
Date:   Fri Jul 31 15:36:16 2020 +1200

oss-fuzz: use uninstrumented dynamic python

We can't link to the instrumented statically built Python, so instead
we use the system Python in the docker image.

REF: https://github.com/google/oss-fuzz/issues/4223
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22618
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14451

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 README.Coding.md|   5 +-
 lib/fuzzing/oss-fuzz/build_samba.sh |   6 ++
 librpc/ndr/ndr_string.c |  73 +
 python/samba/tests/__init__.py  | 106 
 4 files changed, 69 insertions(+), 121 deletions(-)


Changeset truncated at 500 lines:

diff --git a/README.Coding.md b/README.Coding.md
index 914e3573ad4..b87580f5f85 100644
--- a/README.Coding.md
+++ b/README.Coding.md
@@ -17,9 +17,8 @@ what most Samba developers use already anyways, with a few 
exceptions as
 mentioned below.
 
 The coding style for Python code is documented in
-[PEP8](https://www.python.org/dev/peps/pep-0008/). New Python code should be 
compatible
-with Python 2.6, 2.7, and Python 3.4 onwards. This means using Python 3 syntax
-with the appropriate `from __future__` imports.
+[PEP8](https://www.python.org/dev/peps/pep-0008/). New Python code
+should be compatible with Python 3.6 onwards.
 
 But to save you the trouble of reading the Linux kernel style guide, here
 are the highlights.
diff --git a/lib/fuzzing/oss-fuzz/build_samba.sh 
b/lib/fuzzing/oss-fuzz/build_samba.sh
index 93039e4dbe0..5d3bc3ff6c3 100755
--- a/lib/fuzzing/oss-fuzz/build_samba.sh
+++ b/lib/fuzzing/oss-fuzz/build_samba.sh
@@ -21,6 +21,12 @@ export CFLAGS
 LD="$CXX"
 export LD
 
+# Use the system Python, not the OSS-Fuzz provided statically linked
+# and instrumented Python, because we can't statically link.
+
+PYTHON=/usr/bin/python3
+export PYTHON
+
 # $SANITIZER is provided by the oss-fuzz "compile" command
 #
 # We need to add the waf configure option as otherwise when we also
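Review bot: PYTHON is hard-coded to /usr/bin/python3 with no check that the interpreter exists in the image. A `test -x "$PYTHON"` directly after the assignment, with a clear error message, would make a base-image change fail here rather than somewhere inside configure. The added comment could also carry the issue reference from the commit message so the reason for bypassing the OSS-Fuzz Python survives in the file.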
diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c
index 25f211b2ad3..bddab9edd51 100644
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -348,6 +348,44 @@ _PUBLIC_ uint32_t ndr_size_string(int ret, const char * 
const* string, int flags
return ret+strlen(*string)+1;
 }
 
+static uint32_t guess_string_array_size(struct ndr_pull

[SCM] Samba Shared Repository - branch master updated

2020-07-01 Thread Andrew Bartlett
The branch, master has been updated
   via  d3086501456 tls: Use NORMAL:-VERS-SSL3.0 as the default 
configuration
   via  cabf873b75b selftest: Run test of how userPassword / crypt() style 
passwords are stored in quicktest
   via  2c4ecf002a3 selftest: Split 
samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts
   via  91453f110fa dsdb: Allow "password hash userPassword schemes = 
CryptSHA256" to work on RHEL7
  from  213501163c0 share_mode_lock.c: initialize out param

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d30865014569f4b9a1261d9f0c40bc4fc98f883e
Author: Andreas Schneider 
Date:   Tue Jun 30 17:12:17 2020 +0200

tls: Use NORMAL:-VERS-SSL3.0 as the default configuration

This seems to be really broken in GnuTLS and the documentation is also
not correct.

This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184

commit cabf873b75b1d4d456190358bc3ed051bca16978
Author: Andrew Bartlett 
Date:   Wed Jul 1 14:31:54 2020 +1200

selftest: Run test of how userPassword / crypt() style passwords are stored 
in quicktest

This ensures that the crypt_r()/crypt_rn()/crypt() behaviour is tested in 
all
the samba-o3 builds and so is checked on RHEL7 in GitLab CI.

https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

commit 2c4ecf002a3fbbe8be061814468529c8bd6bb7aa
Author: Andrew Bartlett 
Date:   Wed Jul 1 14:30:24 2020 +1200

selftest: Split samba.tests.samba_tool.user_virtualCryptSHA into GPG and 
not GPG parts

This allows the userPassword (not GPG) part of the test to run on hosts 
without
python3-gpg (eg RHEL7) while still testing the userPassword handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

commit 91453f110fa72062291eb59ad9d95fab0f423557
Author: Andrew Bartlett 
Date:   Wed Jul 1 14:35:39 2020 +1200

dsdb: Allow "password hash userPassword schemes = CryptSHA256" to work on 
RHEL7

On RHEL7 crypt_r() will set errno.  This is a problem because the 
implementation of crypt_r()
in RHEL8 and elsewhere in libcrypt will return non-NULL but set errno on 
failure.

The workaround is to use crypt_rn(), provided only by libcrypt, which will 
return NULL
on failure, and so avoid checking errno in the non-failure case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett 
Reviewed-by: Alexander Bokovoy 

---

Summary of changes:
 docs-xml/smbdotconf/security/tlspriority.xml   |   6 +-
 lib/param/loadparm.c   |   6 -
 lib/replace/wscript|   1 +
 python/samba/tests/docs.py |  21 --
 .../tests/samba_tool/user_virtualCryptSHA_base.py  | 118 ++
 .../tests/samba_tool/user_virtualCryptSHA_gpg.py   | 261 +
 .../user_virtualCryptSHA_userPassword.py   | 185 +++
 selftest/quick |   3 +
 source3/param/loadparm.c   |   8 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c |  37 ++-
 source4/selftest/tests.py  |   3 +-
 11 files changed, 603 insertions(+), 46 deletions(-)
 create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_base.py
 create mode 100644 python/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
 create mode 100644 
python/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/tlspriority.xml 
b/docs-xml/smbdotconf/security/tlspriority.xml
index 6d1f0dcb912..471dc25ba3b 100644
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -12,10 +12,8 @@
http://gnutls.org/manual/html_node/Priority-Strings.html;>GNUTLS
Priority-Strings documentation at 
http://gnutls.org/manual/html_node/Priority-Strings.html

-   By default it will try to find a config file matching "SAMBA", but if
-   that does not exist will use the entry for "SYSTEM" and last fallback to
-   NORMAL. In all cases the SSL3.0 protocol will be disabled.
+   The SSL3.0 protocol will be disabled.
  
 
- @SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0
+ NORMAL:-VERS-SSL3.0
 
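Review bot: Dropping @SAMBA and SYSTEM from the default means the default no longer consults the "SAMBA" or "SYSTEM" entries that the removed paragraph described, and the replacement text only says that SSL3.0 is disabled. Administrators who relied on a system-wide entry to restrict protocol versions or ciphers now get NORMAL unless they set tls priority themselves. The documentation should state that change explicitly rather than leave it to be inferred from the new default string.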
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 53eedeb0cb2..da639a8b0ff 100644

Heads-up: Security Releases ahead!

2020-06-25 Thread Andrew Bartlett via samba-announce
Hi,

This is a heads-up that there will be Samba security updates on
Thursday, July 2 2020. Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:
 - AD DC (CVSS 7.5, Medium)
 - File server (CVSS 7.5, Medium)

Andrew Bartlett

-- 
Andrew Bartlett   https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT  
https://catalyst.net.nz/services/samba






[SCM] Samba Shared Repository - branch master updated

2020-06-22 Thread Andrew Bartlett
The branch, master has been updated
   via  d701bc15187 libcli ldap tests: remove use of zero length array
   via  68d716bdd8c ldap.c: clarify the need for ldap_get_values_len() in a 
code comment
  from  ba5a73b1544 tests: Only run mdsparser test if we build with 
spotlight support

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d701bc1518766f36b1c7a3a00a82485098a8ee3d
Author: Gary Lockyer 
Date:   Mon Jun 22 13:42:56 2020 +1200

libcli ldap tests: remove use of zero length array

libcli/ldap/tests/ldap_message_test.c defines a zero length array
(uint8_t buf[0]), which is a GCC extension and breaks the build with
some strict compilers like xlc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14387

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Jun 23 02:15:35 UTC 2020 on sn-devel-184

commit 68d716bdd8cf1f8492b4b875b3c1a69f2be7702b
Author: Isaac Boukris 
Date:   Mon Jun 22 23:08:57 2020 +0200

ldap.c: clarify the need for ldap_get_values_len() in a code comment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 libcli/ldap/tests/ldap_message_test.c | 2 +-
 source3/libads/ldap.c | 6 ++
 2 files changed, 7 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/libcli/ldap/tests/ldap_message_test.c 
b/libcli/ldap/tests/ldap_message_test.c
index c5aacd4bc6b..f4b49bc47bc 100644
--- a/libcli/ldap/tests/ldap_message_test.c
+++ b/libcli/ldap/tests/ldap_message_test.c
@@ -115,7 +115,7 @@ static void test_empty_input(void **state)
struct asn1_data *asn1;
struct ldap_message *ldap_msg;
NTSTATUS status;
-   uint8_t buf[0];
+   uint8_t *buf = NULL;
size_t len = 0;
struct ldap_request_limits limits = {
.max_search_size = 256000,
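Review bot: With buf now NULL and len 0, the test hands a NULL pointer to whatever consumes buf further down, where it previously passed the address of a zero-length array. If that path reaches memcpy() or a similar call, a NULL argument is undefined behaviour even for a length of 0, so it is worth confirming that the callee returns early on len == 0. A one-byte array with len left at 0 would avoid the question and still build on strict compilers.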
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 36e73440495..55c9668089d 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -3693,6 +3693,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX 
*mem_ctx,
char **ret = NULL;
size_t i, converted_size;
 
+   /*
+* Windows DC implicitly adds a short name for each FQDN added to
+* msDS-AdditionalDnsHostName, but it comes with a strage binary
+* suffix "\0$" which we should ignore (see bug #14406).
+*/
+
values = ldap_get_values_len(ads->ldap.ld, msg, field);
if (values == NULL) {
return NULL;
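Review bot: Typo in the new comment: "strage" should be "strange". The comment describes the "\0$" suffix but never says why that requires ldap_get_values_len(), which is what the commit subject promises; one clause noting that the value contains an embedded NUL and therefore needs the length-carrying API would close that gap. It would also read better next to the code that skips the suffix than above the call that fetches the values.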


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-06-13 Thread Andrew Bartlett
The branch, master has been updated
   via  d827392f2ab replmd: slightly clarify a comment
   via  0f6c8a75e60 dsdb/mod/acl_util: do not deref NULL sd_flags control
   via  e73c89f1550 ldb commandline: don't crash if a received control 
contains no data
   via  def6b65c42a ldb/controls: avoid stealing our own stuff
   via  3fb21ed12e2 ldb/mod/paged_searches: cope with NULL control data
   via  2323ea6f07f python: do not always import socket_server
   via  5c06ab83381 python: do not always import urllib
  from  4aba00b554f doc: Add markup to README.Coding for samba wiki links

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d827392f2ab8d6c9c0d61a5681ecb30bd80aa485
Author: Douglas Bagnall 
Date:   Thu Apr 23 15:37:53 2020 +1200

replmd: slightly clarify a comment

it has been a long time since we introduced "control", so let's remind
ourselves which control it was.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Jun 13 06:50:12 UTC 2020 on sn-devel-184

commit 0f6c8a75e604f80234ae7fe3edfd655cc8fe59c7
Author: Douglas Bagnall 
Date:   Thu Apr 23 15:31:13 2020 +1200

dsdb/mod/acl_util: do not deref NULL sd_flags control

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit e73c89f15504e31ce5102b487dddb1be9e22d1ea
Author: Douglas Bagnall 
Date:   Thu Apr 23 10:57:24 2020 +1200

ldb commandline: don't crash if a received control contains no data

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit def6b65c42a4f8b93536d71292b5966a58777bfd
Author: Douglas Bagnall 
Date:   Thu Apr 23 10:32:17 2020 +1200

ldb/controls: avoid stealing our own stuff

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 3fb21ed12e21382607ed9dc8dc879d62ec43f119
Author: Douglas Bagnall 
Date:   Thu Apr 23 10:31:39 2020 +1200

ldb/mod/paged_searches: cope with NULL control data

We won't get NULL data over ldap, but it can be set via 'local_oid:'.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 2323ea6f07f0a05a4bc3091236fa3a6502ca12bd
Author: Douglas Bagnall 
Date:   Tue May 26 11:33:42 2020 +1200

python: do not always import socket_server

This cost around 10ms for every Python script, and was only used in one
test.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 5c06ab83381c5e652626d66b95c3b67ce309b249
Author: Douglas Bagnall 
Date:   Tue May 26 11:31:16 2020 +1200

python: do not always import urllib

Only provision.py wants a function from urllib, but we were importing
it in samba.compat, which is imported by samba, meaning that every
python script importing anything from samba took 40ms longer to start
up.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/common/ldb_controls.c  |  2 +-
 lib/ldb/modules/paged_searches.c   |  4 +-
 lib/ldb/tools/cmdline.c| 45 --
 python/samba/compat.py |  9 -
 python/samba/provision/__init__.py |  2 +-
 python/samba/tests/dns_forwarder_helpers/server.py |  2 +-
 source4/dsdb/samdb/ldb_modules/acl_util.c  |  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c|  2 +-
 8 files changed, 48 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/common/ldb_controls.c b/lib/ldb/common/ldb_controls.c
index 4af06a436ab..d67c0afd845 100644
--- a/lib/ldb/common/ldb_controls.c
+++ b/lib/ldb/common/ldb_controls.c
@@ -737,7 +737,7 @@ struct ldb_control *ldb_parse_control_from_string(struct 
ldb_context *ldb, TALLO
 
ctrl->oid = LDB_CONTROL_EXTENDED_DN_OID;
ctrl->critical = crit;
-   ctrl->data = talloc_steal(ctrl, control);
+   ctrl->data = control;
 
return ctrl;
}
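Review bot: dropping talloc_steal() on the `ctrl->data = control;` line leaves the lifetime of `control` resting on whatever context it was allocated under, which this hunk does not show. If `control` is already a talloc child of `ctrl` (the commit subject suggests so), say that in a one-line comment above the assignment, so a later change to the allocation does not leave ctrl->data pointing at memory owned by a parent that gets freed first.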
diff --git a/lib/ldb/modules/paged_searches.c b/lib/ldb/modules/paged_searches.c
index f8f3895e19d..315a17a092a 100644
--- a/lib/ldb/modules/paged_searches.c
+++ b/lib/ldb/modules/paged_searches.c
@@ -72,8 +72,8 @@ static int check_ps_continuation(struct ps_context *ac, 
struct ldb_request *req,
}
 
req_control = ldb_request_get_control(req, 
LDB_CONTROL_PAGED_RESULTS_OID);
-   if (req_control == NULL) {
-   ldb_set_errstring(ldb, "paged_searches: control is missing");
+   if (req_control == NULL || req_control->data == NULL) {
+   ldb_set_errstring(ldb, "paged_searches: control is missing or 
malformed");
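Review bot: the added `req_control->data == NULL` test in check_ps_continuation() folds two different conditions into one "missing or malformed" error string. A separate ldb_set_errstring() for the NULL-data case would tell whoever reads the error that the control was present but empty, which per the commit message only happens when it is set via 'local_oid:'.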
  

[SCM] Samba Shared Repository - branch master updated

2020-06-12 Thread Andrew Bartlett
The branch, master has been updated
   via  7655a0298e5 db-glue.c: set forwardable flag on cross-realm tgt 
tickets
   via  fb7dfdbe8f9 selftest: test forwardable flag in cross-realm with 
s4u2proxy
   via  9b302a57ff0 selftest: test forwardable flag in cross-realm tgt 
tickets
   via  a823cc1e8bc selftest: allow EncASRepPart to be encoded as 
EncTGSRepPart
   via  8fdff19c546 heimdal: apply disallow-forwardable on server in TGS 
request
   via  197f97bc13c selftest: add test for disallowed-forwardable server
  from  eae301e1206 samba-tool dns query --help: Someone forgot 'PTR' from 
the list of record types

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9
Author: Isaac Boukris 
Date:   Tue Jan 14 13:16:02 2020 +0100

db-glue.c: set forwardable flag on cross-realm tgt tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Match Windows behavior and allow the forwardable flag to be
set in cross-realm tickets. We used to allow forwardable to
any server, but now that we apply disallow-forwardable policy
in heimdal we need to explicitly allow in the cross-realm case
(and remove the workaround we have for it in the MIT plugin).

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184

commit fb7dfdbe8f94f7f053d67832e7f28a751136d733
Author: Isaac Boukris 
Date:   Sat May 9 16:26:45 2020 +0200

selftest: test forwardable flag in cross-realm with s4u2proxy

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b
Author: Isaac Boukris 
Date:   Wed May 6 15:54:55 2020 +0200

selftest: test forwardable flag in cross-realm tgt tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit a823cc1e8bc9a68a7e662022705039397a5df7e1
Author: Isaac Boukris 
Date:   Thu May 7 01:25:36 2020 +0200

selftest: allow EncASRepPart to be encoded as EncTGSRepPart

that's how MIT kdc encodes it, clients accept both.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 8fdff19c5461315556014d25d237a958edeed1a2
Author: Isaac Boukris 
Date:   Mon Jan 13 23:42:54 2020 +0100

heimdal: apply disallow-forwardable on server in TGS request

upstream commit: 839b073facd2aecda6740224d73e560bc79965dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

commit 197f97bc13c513ae6ae2b4129b23489081f63c64
Author: Isaac Boukris 
Date:   Sun Jan 19 16:24:24 2020 +0100

selftest: add test for disallowed-forwardable server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/simple_tests.py|  7 -
 .../krb5/{simple_tests.py => xrealm_tests.py}  | 25 --
 python/samba/tests/usage.py|  1 +
 source4/heimdal/kdc/krb5tgs.c  |  6 +
 source4/kdc/db-glue.c  |  3 +++
 source4/kdc/mit_samba.c|  5 
 source4/selftest/tests.py  |  4 ++-
 testprogs/blackbox/test_s4u_heimdal.sh | 30 ++
 8 files changed, 61 insertions(+), 20 deletions(-)
 copy python/samba/tests/krb5/{simple_tests.py => xrealm_tests.py} (88%)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/simple_tests.py 
b/python/samba/tests/krb5/simple_tests.py
index c9998c4d2db..236fbda1cd5 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/simple_tests.py
@@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest):
 
 usage = 3
 enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
-enc_part2 = self.der_decode(enc_part2, 
asn1Spec=krb5_asn1.EncASRepPart())
+
+# MIT KDC encodes both EncASRepPart and EncTGSRepPart with application 
tag 26
+try:
+enc_part2 = self.der_decode(enc_part2, 
asn1Spec=krb5_asn1.EncASRepPart())
+except Exception:
+enc_part2 = self.der_decode(enc_part2, 
asn1Spec=krb5_asn1.EncTGSRepPart())
 
 # TGS Request
 service_creds = self.get_service_creds(allow_missing_password=True)
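Review bot: `except Exception:` around the first der_decode() call catches far more than an ASN.1 tag mismatch, so any unrelated failure while decoding as EncASRepPart is silently retried as EncTGSRepPart and the original error is lost. Catch the decoder's own error type instead, and consider recording which of the two specs matched so the test shows what the KDC actually sent.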
diff

[SCM] Samba Shared Repository - branch master updated

2020-06-10 Thread Andrew Bartlett
The branch, master has been updated
   via  6095a4f0d58 kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
   via  c8080bbd708 s3-libads: use ldap_init_fd() to initialize a ldap 
session if possible
  from  317538154a0 smbclient: Simplify do_list()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6095a4f0d58cad3dde6e76cadd7bcae0a240c9e6
Author: Isaac Boukris 
Date:   Mon Nov 12 12:26:25 2018 +0200

kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

even if the tgt session key uses different hmac.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is
always HMAC_MD5, and that's what windows 7 client
and MIT client send.

In heimdal both the client and kdc use the checksum of
the tgt key instead and therefore work with each other
but windows and MIT clients fail against heimdal KDC.

Windows KDC allows either checksum (HMAC_MD5 or from
tgt) so we should do the same to support all clients.

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Jun 11 02:48:58 UTC 2020 on sn-devel-184

commit c8080bbd708eaa3212fa516861ac9e3b267989a0
Author: Björn Baumbach 
Date:   Wed Jun 3 19:40:59 2020 +0200

s3-libads: use ldap_init_fd() to initialize a ldap session if possible

Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().

This avoids unnecessary DNS lookups which might block or prevent the
successful connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Björn Baumbach 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 selftest/knownfail  |  2 --
 source3/libads/ldap.c   | 18 +-
 source4/heimdal/kdc/krb5tgs.c   | 29 +++--
 source4/heimdal/lib/krb5/version-script.map |  1 +
 4 files changed, 41 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 38e8597deda..57a4d93a37d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -393,5 +393,3 @@
 
^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
 
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
 
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
-# Fixed upstream heimdal in PR #439
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index eb5fef0c7f3..d443e3ee20c 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
return NULL;
}
 
-#ifdef HAVE_LDAP_INITIALIZE
+#ifdef HAVE_LDAP_INIT_FD
+   {
+   int fd = -1;
+   NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+   status = open_socket_out(ss, port, to, );
+   if (!NT_STATUS_IS_OK(status)) {
+   return NULL;
+   }
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+   ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, );
+   }
+#elif defined(HAVE_LDAP_INITIALIZE)
ldap_err = ldap_initialize(, uri);
 #else
ldp = ldap_open(server, port);
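Review bot: in the HAVE_LDAP_INIT_FD block, `fd` is local to the braces and nothing in the visible lines closes it when ldap_init_fd() returns an error, so a failed initialisation would leak the socket opened by open_socket_out(). Check ldap_err before leaving the block and close the descriptor on failure. The early `return NULL` also discards `status` without a debug message, and the LDAP_PROTO_TCP fallback #define would read better at file scope than in the middle of the function body.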
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index ee3ac3d8f53..53d0eaf935b 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1946,12 +1946,29 @@ server_lookup:
goto out;
}
 
-   ret = krb5_verify_checksum(context,
-  crypto,
-  KRB5_KU_OTHER_CKSUM,
-  datack.data,
-  datack.length,
-  );
+   /* Allow HMAC_MD5 checksum with any key type */
+   if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
+   unsigned char csdata[16];
+   Checksum cs;
+
+   cs.checksum.length = sizeof(csdata);
+   cs.checksum.data = 
+
+   ret = _krb5_HMAC_MD5_checksum(context, >key,
+ datack.data, datack.length,
+ KRB5_KU_OTHER_CKSUM, );
+   if (ret == 0 &&
+   krb5_data_ct_c
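Review bot: the new branch is selected by `self.cksum.cksumtype`, which comes from the PA-FOR-USER data the client sent, so the comment should state that only the keyed HMAC_MD5 type is accepted with a non-matching key type and that every other checksum type still goes through krb5_verify_checksum(). The hunk is cut off at the comparison; confirm there that the received checksum length is checked against sizeof(csdata) before comparing and that the compare is constant-time. `unsigned char csdata[16]` would also be clearer with a named constant for the HMAC-MD5 output size.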

[SCM] Samba Shared Repository - branch master updated

2020-06-10 Thread Andrew Bartlett
The branch, master has been updated
   via  0208d5f64b2 Add docs build to CI
   via  4a3ed0d8459 docs-xml: Remove GNU TexInfo build
   via  9392c3f81ca docs-xml: Remove references to inkscape (not used any 
more, no more SVG files)
   via  ccb606c469e docs-xml: Remove final references to Samba3-HOWTO and 
Samba3-ByExample
   via  cedd00fdffd docs-xml: Remove references to building docs using 
Plucker
   via  158cea3ba87 Remove "undocumented" target mentioned in configure 
script
  from  ddac6b2eb4a util: Reallocate larger buffer if getpwuid_r() returns 
ERANGE

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 0208d5f64b2cb9b67d5ab6070f411cf45cea1fc4
Author: Andrew Bartlett 
Date:   Wed Jun 3 12:33:50 2020 +1200

Add docs build to CI

We did not check we could actually build the HTML of the
Samba Developers guide and HTML of the manpages previously.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun 10 07:11:59 UTC 2020 on sn-devel-184

commit 4a3ed0d8459f626b8df0781b3231270040a0480d
Author: Andrew Bartlett 
Date:   Wed Jun 3 12:21:50 2020 +1200

docs-xml: Remove GNU TexInfo build

This does not build and is not a common or required format for
documentation any more.

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

commit 9392c3f81ca83e4eda382ebfc335099616fa1bff
Author: Andrew Bartlett 
Date:   Wed Jun 3 12:14:38 2020 +1200

docs-xml: Remove references to inkscape (not used any more, no more SVG 
files)

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

commit ccb606c469e1d70af1dc6703d7e290061c35d982
Author: Andrew Bartlett 
Date:   Wed Jun 3 12:09:33 2020 +1200

docs-xml: Remove final references to Samba3-HOWTO and Samba3-ByExample

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

commit cedd00fdffd2dfaef3cb729fe55258448ec485f2
Author: Andrew Bartlett 
Date:   Wed Jun 3 12:08:01 2020 +1200

docs-xml: Remove references to building docs using Plucker

This was for Palm OS based handheld devices, Windows Mobile devices, and 
other PDAs...

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

commit 158cea3ba87de3b7d61c5d02f87824353381ab5c
Author: Andrew Bartlett 
Date:   Wed Jun 3 11:55:45 2020 +1200

Remove "undocumented" target mentioned in configure script

This was left over from 12aed897ec688d5bc379690208e8b85158b8227f

Signed-off-by: Andrew Bartlett 
Reviewed-by: David Disseldorp 

---

Summary of changes:
 .gitlab-ci.yml |  1 +
 docs-xml/.gitignore| 10 --
 docs-xml/Makefile  | 73 ++
 docs-xml/Makefile.settings.in  |  7 
 docs-xml/README|  8 ++---
 docs-xml/configure.ac  | 21 ---
 docs-xml/htmldocs.html |  8 -
 docs-xml/xslt/extract-examples.xsl | 51 --
 script/autobuild.py| 11 +-
 9 files changed, 16 insertions(+), 174 deletions(-)
 delete mode 100644 docs-xml/xslt/extract-examples.xsl


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7177d3b5c44..68e1a52bf1e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -125,6 +125,7 @@ others:
 - script/autobuild.py tdb  $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE 
--verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 - script/autobuild.py tevent   $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE 
--verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 - script/autobuild.py samba-xc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE 
--verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+- script/autobuild.py docs-xml $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE 
--verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 
 samba:
   extends: .shared_template
diff --git a/docs-xml/.gitignore b/docs-xml/.gitignore
index 8beaa2d485b..945bea4baa2 100644
--- a/docs-xml/.gitignore
+++ b/docs-xml/.gitignore
@@ -1,9 +1,5 @@
 Makefile.settings
 Samba3-Developers-Guide-attributions.xml
-Samba3-HOWTO-attributions.xml
-Samba3-HOWTO.d
-Samba4-HOWTO.d
-Samba4-HOWTO-attributions.xml
 autom4te.cache
 config.log
 config.status
@@ -13,7 +9,6 @@ tmp
 smbdotconf/parameters.all.xml
 *.d
 output/manpages
-Samba3-ByExample.tex
 Samba3-Developers-Guide.tex
 xslt/figures/*.pdf
 output/*.pdf
@@ -29,11 +24,6 @@ output/*.pdf
 *.loe
 *.lot
 *.toc
-Samba3-ByExample.pdf
 Samba3-Developers-Guide.pdf
-Samba3-HOWTO.pdf
-Samba3-HOWTO.tex
-Samba4-HOWTO.pdf
-Samba4-HOWTO.tex
 test.pdf
 test.tex
diff --git a/docs-xml/Makefile b/doc

[SCM] Samba Website Repository - branch master updated

2020-06-09 Thread Andrew Bartlett
The branch, master has been updated
   via  7fc403d gitlab moved their contributor graph URL
  from  94ebd2c Add Samba 4.10.16.

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 7fc403ddd45fec393184472df646a0aef8dceb88
Author: Andrew Bartlett 
Date:   Wed Jun 10 12:28:26 2020 +1200

gitlab moved their contributor graph URL

Signed-off-by: Andrew Bartlett 

---

Summary of changes:
 team/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/team/index.html b/team/index.html
index f2d7450..aa2288a 100755
--- a/team/index.html
+++ b/team/index.html
@@ -110,7 +110,7 @@ repository
 The following sites do source code repository analysis to list (recent) code 
contributors to the primary Samba codebase.
 
 
-  https://gitlab.com/samba-team/samba/graphs/master;>GitLab 
analysis of recent contributors
+  https://gitlab.com/samba-team/samba/-/graphs/master;>GitLab 
analysis of recent contributors
   https://www.openhub.net/p/samba/contributors?query=_span==twelve_month_commits;>OpenHub
 last 12 Month contributors to Samba
   https://github.com/samba-team/samba/graphs/contributors;>GitHub 
analysis of all-time contributions from people with GitHub accounts 
(only)
 


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2020-06-02 Thread Andrew Bartlett
The branch, master has been updated
   via  1ded80ae6f0 s3/rpc_server: remove unnecessary srv_fss_agent.h header
  from  c14a95dc1ac smbd: simplify uid_entry_in_group()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1ded80ae6f00eade7caf67ed1c4c4435e4680f14
Author: David Disseldorp 
Date:   Thu May 28 18:40:26 2020 +0200

s3/rpc_server: remove unnecessary srv_fss_agent.h header

The srv_fssa_start() / _cleanup() functions are called via the
DCESRV_INTERFACE_FILESERVERVSSAGENT_INIT / SHUTDOWN_SERVER hooks,
so needn't be public.

Signed-off-by: David Disseldorp 
Reviewed-by: Samuel Cabrero 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Jun  3 03:57:12 UTC 2020 on sn-devel-184

---

Summary of changes:
 source3/rpc_server/fss/srv_fss_agent.c |  6 ++
 source3/rpc_server/fss/srv_fss_agent.h | 26 --
 source3/rpc_server/fssd.c  |  1 -
 3 files changed, 2 insertions(+), 31 deletions(-)
 delete mode 100644 source3/rpc_server/fss/srv_fss_agent.h


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/fss/srv_fss_agent.c 
b/source3/rpc_server/fss/srv_fss_agent.c
index 9a15c419ac7..0cc3a5d0fbb 100644
--- a/source3/rpc_server/fss/srv_fss_agent.c
+++ b/source3/rpc_server/fss/srv_fss_agent.c
@@ -32,7 +32,6 @@
 #include "librpc/gen_ndr/ndr_fsrvp.h"
 #include "rpc_server/rpc_server.h"
 #include "srv_fss_private.h"
-#include "srv_fss_agent.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -388,14 +387,14 @@ static struct fss_sc_smap *sc_smap_lookup(struct 
fss_sc_smap *smaps_head,
return NULL;
 }
 
-void srv_fssa_cleanup(void)
+static void srv_fssa_cleanup(void)
 {
talloc_free(fss_global.db_path);
talloc_free(fss_global.mem_ctx);
ZERO_STRUCT(fss_global);
 }
 
-NTSTATUS srv_fssa_start(struct messaging_context *msg_ctx)
+static NTSTATUS srv_fssa_start(struct messaging_context *msg_ctx)
 {
NTSTATUS status;
fss_global.mem_ctx = talloc_named_const(NULL, 0,
@@ -1733,7 +1732,6 @@ static NTSTATUS FileServerVssAgent__op_shutdown_server(
 #define DCESRV_INTERFACE_FILESERVERVSSAGENT_SHUTDOWN_SERVER \
fileservervssagent_shutdown_server
 
-
 static NTSTATUS fileservervssagent_shutdown_server(
struct dcesrv_context *dce_ctx,
const struct dcesrv_endpoint_server *ep_server)
diff --git a/source3/rpc_server/fss/srv_fss_agent.h 
b/source3/rpc_server/fss/srv_fss_agent.h
deleted file mode 100644
index f44a91545e4..000
--- a/source3/rpc_server/fss/srv_fss_agent.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * File Server Remote VSS Protocol (FSRVP) server
- *
- * Copyright (C) David Disseldorp  2012-2015
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifndef _SRV_FSS_AGENT_H_
-#define _SRV_FSS_AGENT_H_
-
-NTSTATUS srv_fssa_start(struct messaging_context *msg_ctx);
-void srv_fssa_cleanup(void);
-
-#endif /*_SRV_FSS_AGENT_H_ */
diff --git a/source3/rpc_server/fssd.c b/source3/rpc_server/fssd.c
index 3c8ae01b424..eaec70d230f 100644
--- a/source3/rpc_server/fssd.c
+++ b/source3/rpc_server/fssd.c
@@ -33,7 +33,6 @@
 #include "rpc_server/rpc_server.h"
 #include "rpc_server/rpc_service_setup.h"
 #include "rpc_server/rpc_sock_helper.h"
-#include "rpc_server/fss/srv_fss_agent.h"
 #include "rpc_server/fssd.h"
 
 #undef DBGC_CLASS


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-05-24 Thread Andrew Bartlett
The branch, master has been updated
   via  7ae03a19b3c build: add configure option to control vfs_snapper build
   via  e05e9df7815 build: quota wscript error message spelling fix
   via  6edcf6801dc s3: rpc_server: Avoid casts calling to 
find_policy_by_hnd()
   via  10cea64e4c9 s3: rpc_server: Remove dead code
   via  70fa7e817e4 s3: rpc_server: Drop s3 rpc handles implementation
   via  f98b3b6f10e pidl: Set dce_call in pipes_struct before dispatching 
call
   via  be024932efe s3: rpc_server: Remove SAMR specific 
policy_handle_find() function
   via  7273b4bcc7b s3: rpc_server: Move SAMR handle based access check to 
a wrapper function
   via  2bde40762a9 s3: rpc_server: Remove SAMR specific 
policy_handle_create() function
   via  da9749acb33 s3: rpc_server: pass DCE/RPC handle type to 
find_policy_handle
   via  711ca4fab59 s3: rpc_server: Strip out access check field from s3 
handles implementation
   via  72f73efd7f3 librpc: core: Move the s4 handles implementation to the 
RPC server core
   via  ebdacf187da selftest: Add test for handle types
   via  a4041ee6ca9 ldb: also use portable __has_attribute macro to check 
for attribute support
   via  2f75b35e1b8 talloc: also use portable __has_attribute macro to 
check for attribute support
   via  22870830159 tdb: also use __has_attribute macro to check for 
attribute support
   via  f133019db60 replace, attr.: use function attributes only if 
supported by feature macro (or old gcc)
   via  10b195fe124 gitlab-ci: Create a single samba-fips runner
  from  1e55591bc54 ctdb-tests: Add a new fetch ring test that also checks 
hot keys

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 7ae03a19b3ca895ba5f97a6bd4f9539d8daa6e0a
Author: Matt Taylor 
Date:   Mon May 11 15:26:41 2020 -0400

build: add configure option to control vfs_snapper build

vfs_snapper is currently built if dbus development headers / libraries
are detected during configure. This commit adds new --disable-snapper
and --enable-snapper (default) configure parameters. When enabled,
configure will fail if the dbus development headers / libraries are
missing.

Signed-off-by: Matt Taylor 
Reviewed-by: David Disseldorp 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon May 25 01:16:46 UTC 2020 on sn-devel-184

commit e05e9df7815164266fb8e1295cf2226f11032dc5
Author: Matt Taylor 
Date:   Tue May 12 15:07:14 2020 +0200

build: quota wscript error message spelling fix

Signed-off-by: Matt Taylor 
Reviewed-by: David Disseldorp 
Reviewed-by: Andrew Bartlett 

commit 6edcf6801dc2d5ffd10d077c8750910c0831c6bb
Author: Samuel Cabrero 
Date:   Mon May 18 12:04:33 2020 +0200

s3: rpc_server: Avoid casts calling to find_policy_by_hnd()

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 10cea64e4c9c1dec67278ca1b40f40ae90e58c34
Author: Samuel Cabrero 
Date:   Mon Nov 4 19:01:28 2019 +0100

s3: rpc_server: Remove dead code

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 70fa7e817e48c9faa3c6c7ae3749e4a8ebf3e6c2
Author: Samuel Cabrero 
Date:   Mon Nov 4 18:38:14 2019 +0100

s3: rpc_server: Drop s3 rpc handles implementation

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit f98b3b6f10e046ca5a9a7637159abf1b9dd40bda
Author: Samuel Cabrero 
Date:   Tue Oct 29 12:36:30 2019 +0100

pidl: Set dce_call in pipes_struct before dispatching call

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit be024932efe70d45ad511171d40ad355c583a9c2
Author: Samuel Cabrero 
Date:   Thu May 7 14:24:56 2020 +0200

s3: rpc_server: Remove SAMR specific policy_handle_find() function

The generic function already checks the handle type.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 7273b4bcc7baad239bc3aa09920f87de4f974b24
Author: Samuel Cabrero 
Date:   Thu May 14 18:35:28 2020 +0200

s3: rpc_server: Move SAMR handle based access check to a wrapper function

Now that the type associated to the handle is the same for all handle
types we can wrap the access check.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 2bde40762a9d6b6698de281db3303cb45a304398
Author: Samuel Cabrero 
Date:   Thu May 7 13:29:29 2020 +0200

s3: rpc_server: Remove SAMR specific policy_handle_create() function

Now that we pass the handle type to the generic handle creation and find
functions we can drop the specific SAMR ones.

The policy_handle_create() function labeled the talloc chunk used to
allocate the handle's associated data, and the policy_handle_find() is
checking the name matches with the expected data. The check

[SCM] Samba Shared Repository - branch master updated

2020-05-15 Thread Andrew Bartlett
The branch, master has been updated
   via  8b5e7644130 selftest: add python S4U2Self tests including unkeyed 
checksums
   via  19875a37318 Revert "CVE-2018-16860 selftest: Add test for S4U2Self 
with unkeyed checksum"
   via  b5adc112771 Revert "selftest: mitm-s4u2self: use zlib for 
CRC32_checksum calc"
   via  ce65e8979dd Revert "selftest: allow any kdc error in mitm-s4u2self 
test"
  from  ddd8ae51f8c smb2_server: do async shutdown for pending 
multi-channel requests

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8
Author: Isaac Boukris 
Date:   Mon May 4 18:09:53 2020 +0200

selftest: add python S4U2Self tests including unkeyed checksums

To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 
    
Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184

commit 19875a37318a7cd5585572616cf12a775591193f
Author: Isaac Boukris 
Date:   Thu May 7 17:17:12 2020 +0200

Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed 
checksum"

This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8.

This is no longer needed as the next commit includes a Python
test for this, without the complexity of being inside krb5.kdc.canon.

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit b5adc112771f22c2d7c4319063c3e89074c4f4ab
Author: Isaac Boukris 
Date:   Thu May 7 17:17:00 2020 +0200

Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc"

This reverts commit 151f8c0f31d3d17b9418db3793ec14ba7dbf2143.

This allows a clean revert (and so removal) of the test.

Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

commit ce65e8979dda9774b170db7a9fa7ba458af4cee9
Author: Isaac Boukris 
Date:   Thu May 7 17:16:53 2020 +0200

Revert "selftest: allow any kdc error in mitm-s4u2self test"

This reverts commit a53fa8ffe3e36f7921baf5d31a1052747f90aa7d.

This allows a clean revert (and so removal) of the test.
    
Signed-off-by: Isaac Boukris 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/tests/krb5/kcrypto.py |  85 +++
 python/samba/tests/krb5/raw_testcase.py|  23 
 python/samba/tests/krb5/rfc4120.asn1   |   8 ++
 python/samba/tests/krb5/rfc4120_pyasn1.py  |  14 ++-
 .../tests/krb5/{simple_tests.py => s4u_tests.py}   |  58 ---
 python/samba/tests/usage.py|   1 +
 selftest/knownfail |   2 +
 selftest/skip_mit_kdc  |   1 +
 selftest/target/Samba4.pm  |  23 
 source4/selftest/tests.py  |   4 +
 source4/torture/krb5/kdc-canon-heimdal.c   | 116 ++---
 11 files changed, 209 insertions(+), 126 deletions(-)
 copy python/samba/tests/krb5/{simple_tests.py => s4u_tests.py} (73%)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kcrypto.py 
b/python/samba/tests/krb5/kcrypto.py
index ed3c84fa186..2572fa5bab3 100755
--- a/python/samba/tests/krb5/kcrypto.py
+++ b/python/samba/tests/krb5/kcrypto.py
@@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 from math import gcd
 from functools import reduce
 from struct import pack, unpack
+from binascii import crc32
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import hmac
 from cryptography.hazmat.primitives.ciphers import algorithms as ciphers
@@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile):
 return SIMPLE_HASH(text, hashes.MD5)
 
 
+class _SHA1(_ChecksumProfile):
+@classmethod
+def checksum(cls, key, keyusage, text):
+# This is unkeyed!
+return SIMPLE_HASH(text, hashes.SHA1)
+
+
+class _CRC32(_ChecksumProfile):
+@classmethod
+def checksum(cls, key, keyusage, text):
+# This is unkeyed!
+cksum = (~crc32(text, 0x)) & 0x
+return pack('{RESOLV_CONF}\" ";
+   $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+   $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+   $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+   . " user create --configfile=$ctx->{smb_conf} $srv_account 
$ctx->
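Review bot: the new _SHA1 and _CRC32 profiles in kcrypto.py ignore their `key` and `keyusage` arguments, and the only hint is the inline "This is unkeyed!" comment. Give each class a docstring saying it exists only for the S4U2Self unkeyed-checksum tests, so nobody later picks one up as a working checksum profile for anything that needs integrity protection.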

[SCM] Samba Shared Repository - branch master updated

2020-05-15 Thread Andrew Bartlett
The branch, master has been updated
   via  004e7a1fee7 s4/rpc_server/dnsserver: Allow parsing of dnsProperty 
to fail gracefully
   via  6eb2a48f5a9 selftest: Add test for handling of "short" dnsProperty 
records
   via  87bf1d687fe librpc/idl: Add dnsp_DnsProperty_short
   via  4e08ea2aa3e selftest: Avoid running the slowest of the "none" tests 
in samba-o3
  from  49951b283d9 smbd: Store share_entries in locking.tdb again

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 004e7a1fee766102de302e83f4dc5f4d977aef32
Author: Andrew Bartlett 
Date:   Wed May 13 12:01:05 2020 +1200

s4/rpc_server/dnsserver: Allow parsing of dnsProperty to fail gracefully

On (eg) the

DC=_msdcs.X.Y,CN=MicrosoftDNS,DC=ForestDnsZones,DC=X,DC=Y

record, in domains that have had a Microsoft Windows DC an attribute:

dNSProperty:: AQAAAJIA

00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ><
10 92 00 00 00 00 00 00 00  ><
18

We, until samba 4.12, would parse this as:

pull returned Success
dnsp_DnsProperty: struct dnsp_DnsProperty
wDataLength  : 0x (0)
namelength   : 0x (0)
flag : 0x (0)
version  : 0x0001 (1)
id   : DSPROPERTY_ZONE_NS_SERVERS_DA (146)
data : union dnsPropertyData(case 0)
name : 0x (0)
dump OK

However, the wDataLength is 0.  There is not anything in
[MS-DNSP] 2.3.2.1 dnsProperty to describe any special behaviour
for when the id suggests that there is a value, but wDataLength is 0.


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80

We now fail to parse it, because we expect an entry with id
DSPROPERTY_ZONE_NS_SERVERS_DA to therefore have a valid DNS_ADDR_ARRAY
(section 2.2.3.2.3).

As context we changed it in our commit
fee5c6a4247aeac71318186bbff7708d25de5912 because of bug
https://bugzilla.samba.org/show_bug.cgi?id=14206
which was due to the artificial environment of the fuzzer.

Microsoft advises that Windows also fails to parse this, but
instead of failing the operation, the value is ignored.

Reported by Alex MacCuish.  Many thanks for your assistance in
tracking down the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri May 15 07:29:17 UTC 2020 on sn-devel-184

commit 6eb2a48f5a998b82bb071ef42d00d2f34a2b0ed8
Author: Andrew Bartlett 
Date:   Thu May 14 10:19:45 2020 +1200

selftest: Add test for handling of "short" dnsProperty records

These have been known to be given by Windows DCs that share the same domain
as while invalid, they are not format-checked inbound when set by the DNS
Manager MMC applet over the dnsserver pipe to Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 87bf1d687fe7b48a7b6d511dfc7f5414db16119c
Author: Andrew Bartlett 
Date:   Thu May 14 10:21:19 2020 +1200

librpc/idl: Add dnsp_DnsProperty_short

This will be used by a test and the DNS server code to parse short
dnsProperty records which come from Windows servers.

This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 4e08ea2aa3ed95398c96792722aecff77547
Author: Andrew Bartlett 
Date:   Fri May 8 23:28:52 2020 +1200

selftest: Avoid running the slowest of the "none" tests in samba-o3

This job is already quite long and these tests are unlikely
to vary between hosts or under the -O3 compile

Signed-off-by: Andrew Bartlett 
Reviewed-by: Volker Lendecke 

---

Summary of changes:
 librpc/idl/dnsp.idl| 16 
 python/samba/tests/blackbox/ndrdump.py | 21 ++
 python/samba/tests/dns.py  | 51 
 script/autobuild.py|  3 +-
 selftest/knownfail.d/dns   |  7 
 selftest/slow-none | 13 ++
 source4/dns_server/dnsserver_common.c  |  9 -
 source4/rpc_server/dnsserver/dnsdb.c   | 72 ++-
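
The graceful-failure behaviour described in commit 004e7a1fee7 above, as an added example that is not Samba's code: a bounds-checked parser for one dNSProperty value, plus a loader that either fails the whole operation on a bad value (strict) or ignores it (tolerant). The field layout is assumed from the ndrdump field list in the commit message; the sample records, `struct blob`, `parse_dns_property()` and `load_zone_properties()` are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, read off the ndrdump field list in the commit message:
 * wDataLength, namelength, flag, version, id (32-bit little-endian each),
 * then wDataLength bytes of data, then a 32-bit name field. */
#define PROP_HEADER_LEN 20u
#define PROP_TRAILER_LEN 4u
#define DSPROPERTY_ZONE_NS_SERVERS_DA 146u /* id named in the commit message */

enum prop_status { PROP_OK, PROP_SHORT, PROP_INVALID };

struct dns_prop {
	uint32_t data_length, name_length, flag, version, id;
	const uint8_t *data; /* points into the caller's buffer */
};
struct blob { const uint8_t *bytes; size_t len; }; /* one attribute value */

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one value with every length checked against the buffer. */
enum prop_status parse_dns_property(const uint8_t *buf, size_t len,
				    struct dns_prop *out)
{
	if (len < PROP_HEADER_LEN + PROP_TRAILER_LEN) {
		return PROP_INVALID; /* too small for the fixed fields */
	}
	out->data_length = le32(buf);
	out->name_length = le32(buf + 4);
	out->flag = le32(buf + 8);
	out->version = le32(buf + 12);
	out->id = le32(buf + 16);
	out->data = buf + PROP_HEADER_LEN;
	/* Compare against the space left rather than adding to the
	 * untrusted length, so the arithmetic cannot wrap. */
	if (out->data_length != len - PROP_HEADER_LEN - PROP_TRAILER_LEN) {
		return PROP_INVALID;
	}
	/* The id promises a value but wDataLength is 0: the "short" record.
	 * Only the id discussed in the commit message is checked here. */
	if (out->data_length == 0 && out->id == DSPROPERTY_ZONE_NS_SERVERS_DA) {
		return PROP_SHORT;
	}
	return PROP_OK;
}

/* Load all values of a dNSProperty attribute. In strict mode one bad value
 * fails the whole load (-1); in tolerant mode it is skipped and counted,
 * which is the "value is ignored" behaviour the commit message describes. */
int load_zone_properties(const struct blob *values, size_t n, bool tolerant,
			 struct dns_prop *out, size_t max_out, size_t *skipped)
{
	size_t kept = 0;

	*skipped = 0;
	for (size_t i = 0; i < n; i++) {
		struct dns_prop p;
		if (parse_dns_property(values[i].bytes, values[i].len, &p) != PROP_OK) {
			if (!tolerant) {
				return -1;
			}
			(*skipped)++;
			continue;
		}
		if (kept == max_out) {
			return -1; /* caller's array is full */
		}
		out[kept++] = p;
	}
	return (int)kept;
}

/* Constructed sample: wDataLength=0, version=1, id=146, the field values
 * shown in the ndrdump output in the commit message. */
static const uint8_t SHORT_NS_SERVERS_DA[24] = {
	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0,
	0x92, 0, 0, 0,  0, 0, 0, 0
};
/* Constructed sample: id 1 carrying a 4-byte value. */
static const uint8_t PROP_WITH_VALUE[28] = {
	4, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  1, 0, 0, 0,
	1, 0, 0, 0,  1, 0, 0, 0,  0, 0, 0, 0
};
static const struct blob SAMPLE_VALUES[2] = {
	{ SHORT_NS_SERVERS_DA, sizeof(SHORT_NS_SERVERS_DA) },
	{ PROP_WITH_VALUE, sizeof(PROP_WITH_VALUE) },
};

int main(void)
{
	struct dns_prop kept[2];
	size_t skipped;
	int strict = load_zone_properties(SAMPLE_VALUES, 2, false, kept, 2, &skipped);
	int tolerant = load_zone_properties(SAMPLE_VALUES, 2, true, kept, 2, &skipped);

	printf("strict=%d tolerant=%d skipped=%zu\n", strict, tolerant, skipped);
	return 0;
}
```

In strict mode the single short value makes the whole load fail; in tolerant mode the well-formed property is still returned and the skipped count can be logged.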

[SCM] Samba Shared Repository - branch master updated

2020-04-29 Thread Andrew Bartlett
The branch, master has been updated
   via  dc280f88bec samba-tool: fetch "no such subcommand" error and print 
error message
   via  ae5cb7346bf librpc: Provide clearer debug messages for malformed 
DCE/RPC bind
  from  c7a4578d064 s3: pass DCE RPC handle type to create_policy_hnd

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dc280f88becc6679cd95bf8914f80812358338cc
Author: Björn Baumbach 
Date:   Tue Apr 28 17:09:56 2020 +0200

samba-tool: fetch "no such subcommand" error and print error message

This patch especially improves the case where extra arguments are used.

Without this patch just the attributes are mentioned as invalid, if
samba-tool is called with an invalid/unknown subcommand.

Example without this patch:
  # samba-tool sites list --all
  Usage: samba-tool sites 

  samba-tool sites: error: no such option: --all

This can be deceptive for users. It looks like the "list" command
does not provide a "--all" option.

Example with this patch:
  # samba-tool sites list --all
  samba-tool sites: no such subcommand: list

  Usage: samba-tool sites 
  (...)

Signed-off-by: Björn Baumbach 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed Apr 29 08:08:21 UTC 2020 on sn-devel-184

commit ae5cb7346bf6f7759c88d7df6a5c1bd7965ee284
Author: Andrew Bartlett 
Date:   Fri Apr 24 11:04:00 2020 +1200

librpc: Provide clearer debug messages for malformed DCE/RPC bind

REF: https://lists.samba.org/archive/samba/2020-April/229334.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 librpc/rpc/dcerpc_util.c| 37 +
 python/samba/netcmd/__init__.py |  3 +++
 2 files changed, 32 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index f7596cb1ac1..cf6cb942b1c 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -357,20 +357,41 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct 
ncacn_packet *pkt,
}
 
if (data_and_pad < auth->auth_pad_length) {
-   DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
- "Calculated %u  got %u\n",
- (unsigned)data_and_pad,
- (unsigned)auth->auth_pad_length));
+   DBG_WARNING(__location__ ": ERROR: pad length too long. "
+   "Calculated %u (pkt_trailer->length=%u - 
auth_length=%u) "
+   "was less than auth_pad_length=%u\n",
+   (unsigned)data_and_pad,
+   (unsigned)pkt_trailer->length,
+   (unsigned)auth_length,
+   (unsigned)auth->auth_pad_length);
+   talloc_free(ndr);
+   ZERO_STRUCTP(auth);
+   return NT_STATUS_RPC_PROTOCOL_ERROR;
+   }
+
+   if (auth_data_only && data_and_pad > auth->auth_pad_length) {
+   DBG_WARNING(__location__ ": ERROR: auth_data_only pad length 
mismatch. "
+   "Client sent a longer BIND packet than expected by 
%u bytes "
+   "(pkt_trailer->length=%u - auth_length=%u) "
+   "= %u auth_pad_length=%u\n",
+   (unsigned)data_and_pad - 
(unsigned)auth->auth_pad_length,
+   (unsigned)pkt_trailer->length,
+   (unsigned)auth_length,
+   (unsigned)data_and_pad,
+   (unsigned)auth->auth_pad_length);
talloc_free(ndr);
ZERO_STRUCTP(auth);
return NT_STATUS_RPC_PROTOCOL_ERROR;
}
 
if (auth_data_only && data_and_pad != auth->auth_pad_length) {
-   DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
- "Calculated %u  got %u\n",
- (unsigned)data_and_pad,
- (unsigned)auth->auth_pad_length));
+   DBG_WARNING(__location__ ": ERROR: auth_data_only pad length 
mismatch. "
+   "Calculated %u (pkt_trailer->length=%u - 
auth_length=%u) "
+   "but auth_pad_length=%u\n",
+   (unsigned)data_and_pad,
+  
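Review bot: With the new `auth_data_only && data_and_pad > auth->auth_pad_length` block in place, the following `auth_data_only && data_and_pad != auth->auth_pad_length` check can no longer be true: the first check has already returned for `data_and_pad < auth->auth_pad_length`, and the new block returns for the greater case. Either drop the third block instead of rewording its message, or keep the single `!=` check and report the direction of the mismatch there. The `(unsigned)data_and_pad - (unsigned)auth->auth_pad_length` argument is safe only because of the enclosing `>` test, which deserves a short comment so the two are not separated later.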

[SCM] Samba Shared Repository - branch master updated

2020-04-23 Thread Andrew Bartlett
The branch, master has been updated
   via  54a35604984 provision: Remove final code for the LDAP backend
   via  4ab753f0d1e source4/setup: Remove files unused since the LDAP 
backend was removed
  from  bd90ca6f00b smbd: let unix_convert() fail early if initial stat 
fails with EACCES

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 54a3560498446868fb7c80dbacec7246fe33902c
Author: Andrew Bartlett 
Date:   Mon Apr 20 17:09:52 2020 +1200

provision: Remove final code for the LDAP backend

The LDAP backend for the Samba AD DC, aiming to store the AD DC in
an existing LDAP server was largely removed many years ago, but the
other parts were removed in 2b0fc74a0916a6ab0d5ac007cc5e100d4682b2ea.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Apr 23 06:12:20 UTC 2020 on sn-devel-184

commit 4ab753f0d1e6bb7355a1447621f502ee5529a520
Author: Andrew Bartlett 
Date:   Mon Apr 20 17:04:05 2020 +1200

source4/setup: Remove files unused since the LDAP backend was removed

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 python/samba/provision/__init__.py| 23 +--
 python/samba/provision/backend.py |  2 -
 python/samba/tests/provision.py   |  4 +-
 source4/setup/DB_CONFIG   | 14 -
 source4/setup/cn=samba.ldif   | 16 -
 source4/setup/fedorads-index.ldif |  7 ---
 source4/setup/fedorads-linked-attributes.ldif |  7 ---
 source4/setup/fedorads-pam.ldif   |  2 -
 source4/setup/fedorads-samba.ldif | 21 ---
 source4/setup/fedorads-sasl.ldif  | 20 ---
 source4/setup/memberof.conf   |  9 ---
 source4/setup/mmr_serverids.conf  |  1 -
 source4/setup/mmr_syncrepl.conf   | 12 
 source4/setup/modules.conf|  1 -
 source4/setup/olc_mmr.conf|  3 -
 source4/setup/olc_seed.ldif   | 16 -
 source4/setup/olc_serverid.conf   |  1 -
 source4/setup/olc_syncrepl.conf   | 13 
 source4/setup/olc_syncrepl_seed.conf  |  5 --
 source4/setup/refint.conf |  3 -
 source4/setup/schema-map-fedora-ds-1.0| 86 ---
 source4/setup/schema-map-openldap-2.3 | 56 -
 source4/setup/secrets_sasl_ldap.ldif  |  7 ---
 source4/setup/secrets_simple_ldap.ldif|  6 --
 source4/setup/wscript_build   |  2 +-
 25 files changed, 6 insertions(+), 331 deletions(-)
 delete mode 100644 source4/setup/DB_CONFIG
 delete mode 100644 source4/setup/cn=samba.ldif
 delete mode 100644 source4/setup/fedorads-index.ldif
 delete mode 100644 source4/setup/fedorads-linked-attributes.ldif
 delete mode 100644 source4/setup/fedorads-pam.ldif
 delete mode 100644 source4/setup/fedorads-samba.ldif
 delete mode 100644 source4/setup/fedorads-sasl.ldif
 delete mode 100644 source4/setup/memberof.conf
 delete mode 100644 source4/setup/mmr_serverids.conf
 delete mode 100644 source4/setup/mmr_syncrepl.conf
 delete mode 100644 source4/setup/modules.conf
 delete mode 100644 source4/setup/olc_mmr.conf
 delete mode 100644 source4/setup/olc_seed.ldif
 delete mode 100644 source4/setup/olc_serverid.conf
 delete mode 100644 source4/setup/olc_syncrepl.conf
 delete mode 100644 source4/setup/olc_syncrepl_seed.conf
 delete mode 100644 source4/setup/refint.conf
 delete mode 100644 source4/setup/schema-map-fedora-ds-1.0
 delete mode 100644 source4/setup/schema-map-openldap-2.3
 delete mode 100644 source4/setup/secrets_sasl_ldap.ldif
 delete mode 100644 source4/setup/secrets_simple_ldap.ldif


Changeset truncated at 500 lines:

diff --git a/python/samba/provision/__init__.py 
b/python/samba/provision/__init__.py
index a27c3ee78b3..05451c33491 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1005,7 +1005,7 @@ def secretsdb_self_join(secretsdb, domain,
 secretsdb.add(msg)
 
 
-def setup_secretsdb(paths, session_info, backend_credentials, lp):
+def setup_secretsdb(paths, session_info, lp):
 """Setup the secrets database.
 
 :note: This function does not handle exceptions and transaction on purpose,
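Review bot: Removing `backend_credentials` from the middle of the `setup_secretsdb()` signature moves `lp` from the fourth to the third positional argument, so any caller that still passes four positional arguments will raise a TypeError at run time, not at import. Check that every call site is updated in this same commit (the diffstat shows `python/samba/tests/provision.py` changing too), and remove any docstring entry for the dropped parameter.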
@@ -1041,22 +1041,6 @@ def setup_secretsdb(paths, session_info, 
backend_credentials, lp):
 secrets_ldb.transaction_start()
 try:
 secrets_ldb.load_ldif_file_add(setup_path("secrets.ldif"))
-
-if (backend_credentials is not None and
-backend_credentials.authentication_requested()):
-if backend_credentials.get_bind_dn() is not None:
-s

[SCM] Samba Shared Repository - branch master updated

2020-04-08 Thread Andrew Bartlett
The branch, master has been updated
   via  03f79a3bd71 s3:rpc_server: Improve local dispatching
   via  bce570cfd75 spoolss: Add NCALRPC endpoint
   via  34240fd4e8e librpc:core: Make find_interface_by_uuid public
  from  37059e45182 smbtree: Align integer types

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 03f79a3bd71bc7a0a401d5f19560e831251d32b7
Author: Samuel Cabrero 
Date:   Mon Nov 18 14:01:52 2019 +0100

s3:rpc_server: Improve local dispatching

Craft core structures to dispatch local calls in the same way as remote
ones, removing the special handling in the autogenerated code.

This is also necessary to drop s3 rpc handles implementation.

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Apr  8 22:23:05 UTC 2020 on sn-devel-184

commit bce570cfd751fe2348e62cd8e06d64760d769611
Author: Samuel Cabrero 
Date:   Mon Nov 18 16:55:39 2019 +0100

spoolss: Add NCALRPC endpoint

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

commit 34240fd4e8e1371207e27375392e11ba846b9f23
Author: Samuel Cabrero 
Date:   Thu Oct 31 14:31:37 2019 +0100

librpc:core: Make find_interface_by_uuid public

Signed-off-by: Samuel Cabrero 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 librpc/idl/spoolss.idl   |2 +-
 librpc/rpc/dcesrv_core.c |2 +-
 librpc/rpc/dcesrv_core.h |5 +-
 pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm   |  193 +-
 source3/rpc_server/rpc_ncacn_np.c|  364 +++-
 source3/rpc_server/spoolss/srv_iremotewinspool.c | 2051 +-
 source3/winbindd/winbindd_dual_ndr.c |  287 ++-
 7 files changed, 565 insertions(+), 2339 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/spoolss.idl b/librpc/idl/spoolss.idl
index afe60d2faf0..569fa02a829 100644
--- a/librpc/idl/spoolss.idl
+++ b/librpc/idl/spoolss.idl
@@ -10,7 +10,7 @@ cpp_quote("#define spoolss_security_descriptor 
security_descriptor")
 
 [ uuid("12345678-1234-abcd-ef00-0123456789ab"),
   version(1.0),
-  endpoint("ncacn_np:[\\pipe\\spoolss]"),
+  endpoint("ncacn_np:[\\pipe\\spoolss]", "ncalrpc:"),
   pointer_default(unique),
   helpstring("Spooler SubSystem"),
   helper("../librpc/ndr/ndr_spoolss_buf.h")
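Review bot: The added `"ncalrpc:"` entry in the `endpoint(...)` list gives no endpoint name, and the commit message for this change has no body, so it is not stated which local callers are expected to reach spoolss over NCALRPC. Say in the commit message (or in a comment next to the interface attributes) what consumes the new endpoint and whether the unnamed form is intentional.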
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 4148c3f0f1a..88838121f2f 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -147,7 +147,7 @@ static bool interface_match_by_uuid(const struct 
dcesrv_interface *iface,
 /*
   find the interface operations on an endpoint by uuid
 */
-const struct dcesrv_interface *find_interface_by_uuid(const struct 
dcesrv_endpoint *endpoint,
+_PUBLIC_ const struct dcesrv_interface *find_interface_by_uuid(const struct 
dcesrv_endpoint *endpoint,
  const struct GUID *uuid, 
uint32_t if_version)
 {
struct dcesrv_if_list *ifl;
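Review bot: Now that `find_interface_by_uuid()` is `_PUBLIC_`, the one-line comment above it ("find the interface operations on an endpoint by uuid") is the only API documentation; it should also say that `if_version` takes part in the match and what is returned when nothing matches. The definition line has grown further with the `_PUBLIC_` prefix, so wrap the parameters the way the new prototype in `dcesrv_core.h` does.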
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index 161ed1a9691..c1234980b82 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -69,7 +69,7 @@ struct dcesrv_interface {
 
/* the local dispatch function for the chosen interface.
 */
-   NTSTATUS (*local)(void *p, int opnum, TALLOC_CTX *, const DATA_BLOB 
*in, DATA_BLOB *out);
+   NTSTATUS (*local)(struct dcesrv_call_state *, TALLOC_CTX *, void *);
 
/* for any private use by the interface code */
const void *private_data;
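Review bot: The new `local` callback type `NTSTATUS (*local)(struct dcesrv_call_state *, TALLOC_CTX *, void *)` leaves all three parameters unnamed, and the comment above it still says only "the local dispatch function for the chosen interface". With the explicit `opnum`, `in` and `out` arguments gone, name the parameters and document what the trailing `void *` points to, since implementers can no longer infer the contract from the prototype.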
@@ -624,6 +624,9 @@ _PUBLIC_ void dcesrv_sock_report_output_data(struct 
dcesrv_connection *dce_conn)
 
 _PUBLIC_ NTSTATUS dcesrv_connection_loop_start(struct dcesrv_connection *conn);
 
+_PUBLIC_ const struct dcesrv_interface *find_interface_by_uuid(
+   const struct dcesrv_endpoint *endpoint,
+   const struct GUID *uuid, uint32_t if_version);
 
 void _dcesrv_save_ndr_fuzz_seed(DATA_BLOB call_blob,
struct dcesrv_call_state *call,
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm 
b/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
index a1729d86d77..14f6ad9a1a0 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm
@@ -212,67 +212,6 @@ sub gen_reply_switch($)
}
 }
 
-# generate the switch statement for local function dispatch
-sub gen_local_dispatch_switch($)
-{
-   my ($self, $interface) = @_;
-
-   my @alloc_error_block = ("p->fault_state = DCERPC_FAULT_CANT_PERFORM;",
-   

[SCM] Samba Website Repository - branch master updated

2020-03-31 Thread Andrew Bartlett
The branch, master has been updated
   via  a955fae Add another cross-link to the security releases and process
  from  f9562f7 Add Samba 4.10.14 to the list.

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit a955faedc567f2cb9ec4de4649990557f46d23c3
Author: Andrew Bartlett 
Date:   Wed Apr 1 11:25:02 2020 +1300

Add another cross-link to the security releases and process

Signed-off-by: Andrew Bartlett 

---

Summary of changes:
 history/index.html | 8 
 1 file changed, 8 insertions(+)


Changeset truncated at 500 lines:

diff --git a/history/index.html b/history/index.html
index ae4993d..b23da8d 100755
--- a/history/index.html
+++ b/history/index.html
@@ -7,6 +7,14 @@
 Only the last ten release announcements can be found below.  With every new 
release, the oldest announcement drops off the page.  This should allow for a 
quick glance at recent Samba activity.  For a more in-depth tour of Samba's 
release history, notes for all stable releases are archived in the list to the 
left.
 
 
+Security Release Announcements
+
+As well as being included in the recent releases listed below, we
+maintain a seperate list of
+Samba Security releases resulting from the
+https://wiki.samba.org/index.php/Samba_Security_Process;>
+Samba Security release process.
+
 Previous Release Announcements
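Review bot: "seperate" in the added paragraph ("maintain a seperate list of") is misspelled and should read "separate"; this text is published on the history page, so fix it before it goes live.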
 
 


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2020-03-30 Thread Andrew Bartlett
The branch, master has been updated
   via  89041a6d18a lib ldb: lmdb clear stale readers on write txn start
  from  1cc250b46e9 s3: smbd: RIP smb_filename->original_lcomp.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 89041a6d18a1d091ea713e6986cac5ca66c2b481
Author: Gary Lockyer 
Date:   Mon Mar 30 12:08:30 2020 +1300

lib ldb: lmdb clear stale readers on write txn start

In use process failures and Bind9 shut downs leave stale entries in the
lmdb reader table.  This can result in lmdb filling its database file, as
the free list can not be reclaimed due to the stale reader.

In this fix we call mdb_reader_check at the start of each transaction,
to free any stale readers.  As the default maximum number of readers is
127, this should not impact on performance to any great extent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14330

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Mar 31 01:26:07 UTC 2020 on sn-devel-184

---

Summary of changes:
 lib/ldb/ldb_mdb/ldb_mdb.c   | 17 +
 lib/ldb/tests/ldb_lmdb_free_list_test.c |  7 ++-
 2 files changed, 23 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ldb_mdb/ldb_mdb.c b/lib/ldb/ldb_mdb/ldb_mdb.c
index 6c679c214b8..1187aba578a 100644
--- a/lib/ldb/ldb_mdb/ldb_mdb.c
+++ b/lib/ldb/ldb_mdb/ldb_mdb.c
@@ -641,6 +641,23 @@ static int lmdb_transaction_start(struct ldb_kv_private 
*ldb_kv)
return LDB_ERR_PROTOCOL_ERROR;
}
 
+   /*
+* Clear out any stale readers
+*/
+   {
+   int stale;
+   mdb_reader_check(lmdb->env, );
+   if (stale > 0) {
+   ldb_debug(
+   lmdb->ldb,
+   LDB_DEBUG_ERROR,
+   "LMDB Stale readers, deleted (%d)",
+   stale);
+   }
+   }
+
+
+
ltx_head = lmdb_private_trans_head(lmdb);
 
tx_parent = lmdb_trans_get_tx(ltx_head);
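Review bot: In the block added to `lmdb_transaction_start()`, the return value of `mdb_reader_check()` is discarded and `stale` is declared without an initialiser, so if the call fails `if (stale > 0)` reads an indeterminate value. Declare `int stale = 0;`, check the return code and log it when it is non-zero. Clearing stale readers is expected recovery, not a fault, so consider a level below `LDB_DEBUG_ERROR` for the message, and reduce the three blank lines after the block to one.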
diff --git a/lib/ldb/tests/ldb_lmdb_free_list_test.c 
b/lib/ldb/tests/ldb_lmdb_free_list_test.c
index fe78e3ab702..9b295460730 100644
--- a/lib/ldb/tests/ldb_lmdb_free_list_test.c
+++ b/lib/ldb/tests/ldb_lmdb_free_list_test.c
@@ -617,7 +617,12 @@ static void test_free_list_stale_reader(void **state)
ret = ldb_kv->kv_ops->finish_write(ldb_kv);
assert_int_equal(ret, LDB_SUCCESS);
}
-   assert_int_equal(ret, LDB_ERR_BUSY);
+   /*
+* We now do an explicit clear of stale readers at the start of a
+* write transaction so should not get LDB_ERR_BUSY any more
+* assert_int_equal(ret, LDB_ERR_BUSY);
+*/
+   assert_int_equal(ret, LDB_SUCCESS);
assert_int_not_equal(i, 0);
 
/*
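Review bot: The new comment in `test_free_list_stale_reader()` keeps the old assertion as commented-out code (`assert_int_equal(ret, LDB_ERR_BUSY);`); describe the previous behaviour in words and leave the history to git. Since `ret` is already asserted to be `LDB_SUCCESS` after `finish_write()` inside the loop, the post-loop `assert_int_equal(ret, LDB_SUCCESS)` adds little on its own; say in the comment what the test now proves, for example that the loop completes without the database filling up.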


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2020-03-22 Thread Andrew Bartlett
The branch, master has been updated
   via  c680daae6ad idl/drsblobs: do not overwrite number of schedules == 1
   via  a4cdfbd1674 dsdb: Allow delete (directly and over DRS) of an object 
with a link to itself
   via  ad750ed10f1 dsdb: Add test for the case of a link pointing back at 
its own object
   via  b8ed1525d65 selftest: Add test for dangling backlink to ourself, a 
missing and a real object
   via  1f65f211699 selftest: Add test for dangling backlinks to objects 
that do not exist
   via  83ff0527772 ldb build: Remove some PEP8 warnings from wscript
   via  fc13304d157 ldb tests: Confirm lmdb free list handling
  from  9496e0523ea s3:rpc_server: Remove dead code

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c680daae6ad6bdcaf5b868a48e3f1ecaeb6b5cd2
Author: Douglas Bagnall 
Date:   Tue Mar 10 11:31:12 2020 +1300

idl/drsblobs: do not overwrite number of schedules == 1

If the struct has zero or two schedules, that is what it has, and we
should let that be.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sun Mar 22 06:19:51 UTC 2020 on sn-devel-184

commit a4cdfbd167488103115821534bf66dec01ff4eb8
Author: Andrew Bartlett 
Date:   Mon Mar 2 18:01:29 2020 +1300

dsdb: Allow delete (directly and over DRS) of an object with a link to 
itself

Previously this would fail with Unsupported critical extension 
1.3.6.1.4.1.7165.4.3.2

Reported by Alexander Harm.  Many thanks for helping make Samba better
and for your patience with patches and providing debugging information.

REF: https://lists.samba.org/archive/samba/2020-February/228153.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit ad750ed10f1203911b68841836d513b03c4f0b35
Author: Andrew Bartlett 
Date:   Mon Mar 2 17:44:10 2020 +1300

dsdb: Add test for the case of a link pointing back at its own object

This type of object was not possible to delete in Samba without first 
removing
the link.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit b8ed1525d65e486962c914170b5fecb148196363
Author: Andrew Bartlett 
Date:   Tue Mar 3 15:51:22 2020 +1300

selftest: Add test for dangling backlink to ourself, a missing and a real 
object

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 1f65f211699714154ac01f2271cd11025ced7b81
Author: Andrew Bartlett 
Date:   Tue Mar 3 12:36:42 2020 +1300

selftest: Add test for dangling backlinks to objects that do not exist

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14306

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 83ff052777245d785046b09fbe73dd4deb2cd099
Author: Gary Lockyer 
Date:   Tue Mar 17 10:12:49 2020 +1300

ldb build: Remove some PEP8 warnings from wscript

Fix indentation of list members and fix lines > 79 characters to remove
PEP8 warnings.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

commit fc13304d1575ad6bc6e04cdb3eedf46d3c3678c7
Author: Gary Lockyer 
Date:   Mon Mar 16 15:18:12 2020 +1300

ldb tests: Confirm lmdb free list handling

Add cmocka tests to confirm lmdb's handling of the free list.

As a result of lmdb's MVCC (Multiversion Concurrency Control) long
running read transactions or stale readers (read transactions where the
process exited without ending the transaction) can cause the database to
run out of space.

Items in the free list are only reused when they would not be visible in
a read transaction.  So long running read transactions prevent entries
in the free list being reused, and the database can run out of space.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 lib/ldb/tests/ldb_lmdb_free_list_test.c | 656 
 lib/ldb/wscript |  18 +-
 librpc/idl/drsblobs.idl |   2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  78 ++-
 source4/dsdb/tests/python/linked_attributes.py  |  25 +
 testprogs/blackbox/dbcheck-links.sh |  99 
 6 files changed, 847 insertions(+), 31 deletions(-)
 create mode 100644 lib/ldb/tests/ldb_lmdb_free_list_test.c


Changeset truncated at 500 lines:

diff --git a/lib/ldb/tests/ldb_lmdb_free_list_test.c 
b/lib/ldb/tests/ldb_lmdb_free_list_test.c
new file mode 100644
index 000..fe78e3ab702
--- /dev/null
+++ b/lib/ldb/te

[SCM] Samba Shared Repository - branch master updated

2020-03-19 Thread Andrew Bartlett
The branch, master has been updated
   via  2321b11f1fc s4/param: py_sid shouldn't be decref'ed after insertion 
into dict
   via  9e84f1e5767 s4/param: treat NULL value passed to dict_insert as 
error
   via  32d56271eb7 s4/param: don't decref object we don't own
   via  e10910f8de5 bootstrap: Bring back a Ubuntu 16.04 build but just for 
the samba-fuzz task
   via  ee5c07cb0f1 build: Allow a fuzzing build with Python 3.5
   via  5406205382f python/samba/gp_parse: Fix test errors with python3.8
   via  ff70d7cc3ae tests: Add test for weak crypto
   via  0b84bc03e81 waf: Check if GnuTLS has support for crypto policies
   via  32f83be8f63 auth:ntlmssp: Mark as weak_crypto
   via  6ada071d620 gensec: Add a check if a gensec module implements weak 
crypto
   via  7d09c1cc877 lib:param: Add lp(cfg)_weak_crypto()
   via  3d1ecef173a s3:utils: Add weak crypto information to testparm
   via  cb034a9f601 lib:crypto: Add samba_gnutls_weak_crypto()
  from  81c1a14e327 smbd: let delayed update handler also update on-disk 
timestamps

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 2321b11f1fcde41d58d3381437118b8b726ab6d5
Author: Noel Power 
Date:   Mon Mar 16 16:00:24 2020 +

s4/param: py_sid shouldn't be decref'ed after insertion into dict

This was causing samba.tests.net_join_no_spnego(ad_dc) to
core dump sometimes on tumbleweed with python3.8

with...

===
INTERNAL ERROR: Signal 11 in pid 1781 (4.12.0)
If you are running a recent Samba version, and if you think this problem is 
not yet fixed in the latest versions, please consider reporting this bug, see 
https://wiki.samba.org/index.php/Bug_Reporting
===
smb_panic_default: PANIC (pid 1781): internal error
BACKTRACE: 64 stack frames:

7128  #0 bin/shared/libsamba-util.so.0(log_stack_trace+0x1f) 
[0x7fa541c5b220]
7129  #1 bin/shared/libsamba-util.so.0(+0x1efc8) [0x7fa541c5afc8]
7130  #2 bin/shared/libsamba-util.so.0(log_stack_trace+0) [0x7fa541c5b201]
7131  #3 bin/shared/libsamba-util.so.0(+0x1eed9) [0x7fa541c5aed9]
7132  #4 bin/shared/libsamba-util.so.0(+0x1) [0x7fa541c5aeee]
7133  #5 /lib64/libc.so.6(+0x3bf20) [0x7fa542631f20]
7134  #6 /usr/lib64/libpython3.8.so.1.0(PyObject_GC_UnTrack+0xd) 
[0x7fa542386c1d]
7135  #7 /usr/lib64/libpython3.8.so.1.0(+0x12d599) [0x7fa542387599]
7136  #8 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4d6d) 
[0x7fa5424269ed]
7137  #9 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalCodeWithName+0x30c) 
[0x7fa5423eaf5c]
7138  #10 /usr/lib64/libpython3.8.so.1.0(_PyFunction_Vectorcall+0x18e) 
[0x7fa5423ebcbe]
7139  #11 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4a3a) 
[0x7fa5424266ba]
etc

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu Mar 19 22:23:52 UTC 2020 on sn-devel-184

commit 9e84f1e5767c23c0e75a0954ac9c3668d18baa30
Author: Noel Power 
Date:   Mon Mar 16 15:54:00 2020 +

s4/param: treat NULL value passed to dict_insert as error

insert_dict is used as a convenience to decrement the values to
prevent leaks with orphaned PyObjects and avoid excessive creation of
temp variables.

if (!dict_insert(parameters,
 "rootdn",
 PyUnicode_FromString(settings->root_dn_str))) {
status = NT_STATUS_UNSUCCESSFUL;
goto out;
}

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit 32d56271eb7ebf694c08c226c80fdf97a885fe46
Author: Noel Power 
Date:   Mon Mar 16 15:27:15 2020 +

s4/param: don't decref object we don't own

provision_fn is a borrowed reference we should not
call Py_CLEAR on it

Signed-off-by: Noel Power 
Reviewed-by: Andrew Bartlett 

commit e10910f8de542b0be9b89942791bd37288b7a32a
Author: Andrew Bartlett 
Date:   Tue Mar 17 16:49:02 2020 +1300

bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task

This is needed to restore oss-fuzz support, as this uses the Ubuntu 16.04 
package list
because all the docker images provided start with a Ubuntu 16.04 base.

REF: https://github.com/google/oss-fuzz/issues/3505
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189

Signed-off-by: Andrew Bartlett 
Reviewed-by: Gary Lockyer 

commit ee5c07cb0f1c85a56a3f330a692b1b04553213cc
Author: Andrew Bartlett 
Date:   Tue Mar 17 17:07:02 2020 +1300

build: Allow a fuzzing build with Python 3.5

The Python 3.6 changes are only in actual .py files, not in the

[SCM] Samba Shared Repository - branch master updated

2020-03-11 Thread Andrew Bartlett
The branch, master has been updated
   via  808d6c0c533 selftest: Add test for rpcclient LSA lookup calls
   via  00ab6349e22 rpcclient: Ask for minimal permissions for SID and name 
lookups
  from  12596a3a8d0 libcli: Align integer types

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 808d6c0c533b63cb2efac25755e09b72fdf65a87
Author: Christof Schmitt 
Date:   Mon Mar 9 16:25:00 2020 -0700

selftest: Add test for rpcclient LSA lookup calls

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Mar 11 09:52:44 UTC 2020 on sn-devel-184

commit 00ab6349e220ee9976eaec9ab599458925a16010
Author: Christof Schmitt 
Date:   Mon Mar 9 14:21:41 2020 -0700

rpcclient: Ask for minimal permissions for SID and name lookups

The RPC calls to lookup SIDS and names only require the
POLICY_LOOKUP_NAMES permission. Only ask for that instead of the
MAXIMUM_ALLOWED flag. This allows these calls to work against a NetApp
that does not accept MAXIMUM_ALLOWED (see bugzilla 11105).

Signed-off-by: Christof Schmitt 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 source3/rpcclient/cmd_lsarpc.c| 16 +-
 source3/script/tests/test_rpcclient_lookup.sh | 42 +++
 source3/selftest/tests.py |  5 
 3 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100755 source3/script/tests/test_rpcclient_lookup.sh


Changeset truncated at 500 lines:

diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index abb454331c2..aae1a5b629d 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -237,8 +237,8 @@ static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client 
*cli,
}
 
status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-SEC_FLAG_MAXIMUM_ALLOWED,
-);
+   LSA_POLICY_LOOKUP_NAMES,
+   );
 
if (!NT_STATUS_IS_OK(status))
goto done;
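Review bot: The reason for replacing `SEC_FLAG_MAXIMUM_ALLOWED` with `LSA_POLICY_LOOKUP_NAMES` in `cmd_lsa_lookup_names()` lives only in the commit message; a one-line comment at the `rpccli_lsa_open_policy()` call stating that lookups need only this right would stop a later cleanup from reverting it. The same open sequence is changed identically in all four lookup commands in this file, so a small helper that opens the policy handle with `LSA_POLICY_LOOKUP_NAMES` would keep them in step.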
@@ -288,8 +288,8 @@ static NTSTATUS cmd_lsa_lookup_names_level(struct 
rpc_pipe_client *cli,
}
 
status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-SEC_FLAG_MAXIMUM_ALLOWED,
-);
+   LSA_POLICY_LOOKUP_NAMES,
+   );
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
@@ -406,8 +406,8 @@ static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client 
*cli, TALLOC_CTX *mem
}
 
status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-SEC_FLAG_MAXIMUM_ALLOWED,
-);
+   LSA_POLICY_LOOKUP_NAMES,
+   );
 
if (!NT_STATUS_IS_OK(status))
goto done;
@@ -481,8 +481,8 @@ static NTSTATUS cmd_lsa_lookup_sids_level(struct 
rpc_pipe_client *cli,
}
 
status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-SEC_FLAG_MAXIMUM_ALLOWED,
-);
+   LSA_POLICY_LOOKUP_NAMES,
+   );
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
diff --git a/source3/script/tests/test_rpcclient_lookup.sh 
b/source3/script/tests/test_rpcclient_lookup.sh
new file mode 100755
index 000..d404c5feaec
--- /dev/null
+++ b/source3/script/tests/test_rpcclient_lookup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# Blackbox tests for the rpcclient LSA lookup commands
+#
+# Copyright (C) 2020 Christof Schmitt
+
+if [ $# -lt 4 ]; then
+cat <

[SCM] Samba Website Repository - branch master updated

2020-03-09 Thread Andrew Bartlett
The branch, master has been updated
   via  7045c7c Remove OpenIQ support listing
   via  0a34402 Update listing for Commercial IT Services Ltd
  from  515f7a4 Update Pacific ESI e-mail

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 7045c7c98e4b78b0bee1d5cf4ffec70a9b1d33b7
Author: Andrew Bartlett 
Date:   Tue Mar 10 13:27:49 2020 +1300

Remove OpenIQ support listing

e-mail to them bounces, the domain redirects to another organisation where
the e-mail also bounces.  Web enquiry also not responded to.

Signed-off-by: Andrew Bartlett 

commit 0a34402d63f64544216bfc006c699c62ee67c522
Author: Andrew Bartlett 
Date:   Tue Mar 10 13:26:22 2020 +1300

Update listing for Commercial IT Services Ltd

Roland requested by e-mail that the old phone number be removed.

Signed-off-by: Andrew Bartlett 

---

Summary of changes:
 support/australia.html  | 19 ---
 support/newzealand.html |  1 -
 2 files changed, 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/support/australia.html b/support/australia.html
index 8bf38cf..85fe923 100644
--- a/support/australia.html
+++ b/support/australia.html
@@ -88,25 +88,6 @@ We encourage you to contact Loftus IT to explore the 
benefits of an Open Source
 
 
 
-
-
-OpenIQ Pty Ltd
-
-50 York St,
-Sydney, NSW 2000
-
-http://www.OpenIQ.com.au;>http://www.OpenIQ.com.au
-+61-2-8001-6199
-mailto:he...@openiq.com.au;>he...@openiq.com.au
-Lee Curtis
-
-
-A crack team of enterprise architects and certified engineers with a bias 
towards data centre-grade Linux. 
-
-High availability installation of NAS setups backed by enterprise single 
sign-on. 
-
-
-
 
 
 Pacific ESI
diff --git a/support/newzealand.html b/support/newzealand.html
index 2b6b0b6..38ea67b 100644
--- a/support/newzealand.html
+++ b/support/newzealand.html
@@ -40,7 +40,6 @@ beyond.
 PO Box 301094, Albany
 
 http://www.cits.co.nz
-+64-9-448 2711
 i...@cits.co.nz
 Roland Venter
 


-- 
Samba Website Repository



[SCM] Samba Shared Repository - branch master updated

2020-03-09 Thread Andrew Bartlett
The branch, master has been updated
   via  54f26cfcf25 autobuild: Run the none env in the samba-o3 build
   via  609c9903473 Require Python 3.6 for Samba 4.13
   via  e9ce0f13e69 .gitlab-ci.yml: Do not build Samba for Ubuntu 16.04 or 
Debian 9 any longer
   via  d048d7e17d7 bootstrap: Remove long-unsupported OS versions
  from  0ae4f368c6c smbd: reuse close_free_pending_aio() in 
close_directory()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 54f26cfcf2587a2b1d97f466a886fa89a116eea1
Author: Andreas Schneider 
Date:   Fri Nov 22 15:23:35 2019 +0100

autobuild: Run the none env in the samba-o3 build

This includes tests which should make sure that certain code is not
optimized away, like memset_s().

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Mar  9 23:42:26 UTC 2020 on sn-devel-184

commit 609c9903473b139fdf1b2ed02b9c93b648eeea8c
Author: Andrew Bartlett 
Date:   Wed Mar 4 13:51:23 2020 +1300

Require Python 3.6 for Samba 4.13

This allows Samba to use formatted string literals, which
are quite handy.

REF: https://docs.python.org/3/whatsnew/3.6.html#whatsnew36-pep498

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit e9ce0f13e695f1d7e719923628255ea786a90c20
Author: Andrew Bartlett 
Date:   Wed Mar 4 13:55:27 2020 +1300

.gitlab-ci.yml: Do not build Samba for Ubuntu 16.04 or Debian 9 any longer

These only have Python 3.5 and we want to increase the minimum to Python 
3.6.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit d048d7e17d756099e208fa4d6b931a147b0b1489
Author: Andrew Bartlett 
Date:   Wed Mar 4 13:58:48 2020 +1300

bootstrap: Remove long-unsupported OS versions

Samba has not built on these versions for quite some time due to
the need for Python 3.5 and GnuTLS 3.4.7

These were always marked as broken, but given the requirements
these are never likely to come back.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 .gitlab-ci.yml|  14 +--
 WHATSNEW.txt  |  11 +++
 bootstrap/.gitlab-ci.yml  |  18 
 bootstrap/config.py   |  83 
 bootstrap/generated-dists/Vagrantfile |  42 -
 bootstrap/generated-dists/centos6/Dockerfile  |  27 --
 bootstrap/generated-dists/centos6/bootstrap.sh| 109 --
 bootstrap/generated-dists/centos6/locale.sh   |  55 ---
 bootstrap/generated-dists/centos6/packages.yml|  89 --
 bootstrap/generated-dists/debian7/Dockerfile  |  27 --
 bootstrap/generated-dists/debian7/bootstrap.sh| 101 
 bootstrap/generated-dists/debian7/locale.sh   |  55 ---
 bootstrap/generated-dists/debian7/packages.yml|  86 -
 bootstrap/generated-dists/debian8/Dockerfile  |  27 --
 bootstrap/generated-dists/debian8/bootstrap.sh| 105 -
 bootstrap/generated-dists/debian8/locale.sh   |  55 ---
 bootstrap/generated-dists/debian8/packages.yml|  90 --
 bootstrap/generated-dists/debian9/Dockerfile  |  27 --
 bootstrap/generated-dists/debian9/bootstrap.sh| 105 -
 bootstrap/generated-dists/debian9/locale.sh   |  55 ---
 bootstrap/generated-dists/debian9/packages.yml|  90 --
 bootstrap/generated-dists/ubuntu1404/Dockerfile   |  27 --
 bootstrap/generated-dists/ubuntu1404/bootstrap.sh | 103 
 bootstrap/generated-dists/ubuntu1404/locale.sh|  55 ---
 bootstrap/generated-dists/ubuntu1404/packages.yml |  88 -
 bootstrap/generated-dists/ubuntu1604/Dockerfile   |  27 --
 bootstrap/generated-dists/ubuntu1604/bootstrap.sh | 104 -
 bootstrap/generated-dists/ubuntu1604/locale.sh|  55 ---
 bootstrap/generated-dists/ubuntu1604/packages.yml |  89 --
 bootstrap/sha1sum.txt |   2 +-
 buildtools/wafsamba/samba_python.py   |   2 +-
 script/autobuild.py   |  11 +--
 32 files changed, 16 insertions(+), 1818 deletions(-)
 delete mode 100644 bootstrap/generated-dists/centos6/Dockerfile
 delete mode 100755 bootstrap/generated-dists/centos6/bootstrap.sh
 delete mode 100755 bootstrap/generated-dists/centos6/locale.sh
 delete mode 100644 bootstrap/generated-dists/centos6/packages.yml
 delete mode 100644 bootstrap/generated-dists/debian7/Dockerfile
 delete mode 100755 bootstrap

[SCM] Samba Shared Repository - branch master updated

2020-03-06 Thread Andrew Bartlett
The branch, master has been updated
   via  d2d2329b119 audit_logging tests: Fix timezone validation
   via  56e466b4b84 ndrdump tests: Make the tests less fragile
  from  b0ba7cd4f96 vfs_fruit: tmsize prevent overflow Force the type 
during arithmetic in order to prevent overflow when summing the Time Machine 
folder size. Increase the precision to off_t (used for file sizes), leave the 
overflow error traps but with more precise wording.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d2d2329b11968c000b81b22909f6c4234fc8d101
Author: Gary Lockyer 
Date:   Tue Mar 3 10:44:47 2020 +1300

audit_logging tests: Fix timezone validation

test_audit_get_timestamp used the "%Z" format specifier in strptime,
this is non-portable.  Updated tests now explicitly set the time zone to
"UTC".

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Sat Mar  7 06:37:09 UTC 2020 on sn-devel-184

commit 56e466b4b849b7269add03faebeb0a63f9cda827
Author: Gary Lockyer 
Date:   Tue Mar 3 16:59:19 2020 +1300

ndrdump tests: Make the tests less fragile

Remove the C source file and line number from the expected output to
make the tests less likely to break if ndr.c changes.

Signed-off-by: Gary Lockyer 
Reviewed-by: Andrew Bartlett

---

Summary of changes:
 lib/audit_logging/tests/audit_logging_test.c | 27 +++
 python/samba/tests/blackbox/ndrdump.py   |  6 ++
 2 files changed, 29 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/audit_logging/tests/audit_logging_test.c 
b/lib/audit_logging/tests/audit_logging_test.c
index 1efb03b0b51..8c949e5f8fc 100644
--- a/lib/audit_logging/tests/audit_logging_test.c
+++ b/lib/audit_logging/tests/audit_logging_test.c
@@ -796,15 +796,35 @@ static void test_audit_get_timestamp(_UNUSED_ void 
**state)
time_t before;
time_t after;
time_t actual;
+   char *env_tz = NULL;
+   char *orig_tz = NULL;
 
TALLOC_CTX *ctx = talloc_new(NULL);
 
+   /*
+* Explicitly set the time zone to UTC to make the test easier
+*/
+   env_tz = getenv("TZ");
+   if (env_tz != NULL) {
+   orig_tz = talloc_strdup(ctx, env_tz);
+   }
+   setenv("TZ", "UTC", 1);
+
before = time(NULL);
t = audit_get_timestamp(ctx);
after = time(NULL);
 
-
c = strptime(t, "%a, %d %b %Y %H:%M:%S", );
+
+   /*
+* Restore the time zone if we changed it
+*/
+   if (orig_tz != NULL) {
+   setenv("TZ", orig_tz, 1);
+   TALLOC_FREE(orig_tz);
+   }
+
+   assert_non_null(c);
tm.tm_isdst = -1;
if (c != NULL && *c == '.') {
char *e;
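Review bot: the restore block only runs when orig_tz != NULL, so when TZ was not set on entry the setenv("TZ", "UTC", 1) above is never undone and the rest of the test binary keeps running with TZ=UTC. Add an else branch that calls unsetenv("TZ") so the environment is returned to its original state in both cases.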
@@ -812,10 +832,9 @@ static void test_audit_get_timestamp(_UNUSED_ void **state)
c = e;
}
if (c != NULL && *c == ' ') {
-   struct tm tz;
-   c = strptime(c, " %Z", );
+   assert_string_equal(" UTC", c);
+   c += 4;
}
-   assert_non_null(c);
assert_int_equal(0, strlen(c));
 
actual = mktime();
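Review bot: the mktime() call at the end of this hunk runs after the previous hunk has already put the caller's TZ back, but the struct tm it converts was parsed from a timestamp generated under TZ=UTC. mktime() interprets its argument in the current local zone, so on a host whose TZ is set to something other than UTC the value of actual is shifted by that zone's offset relative to before and after. Move the restore to after the mktime() call, or convert with a UTC-based function such as timegm() where available, so that parsing and conversion happen under the same zone.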
diff --git a/python/samba/tests/blackbox/ndrdump.py 
b/python/samba/tests/blackbox/ndrdump.py
index 22aa326e201..0b72684f270 100644
--- a/python/samba/tests/blackbox/ndrdump.py
+++ b/python/samba/tests/blackbox/ndrdump.py
@@ -22,6 +22,7 @@ from __future__ import print_function
 """Blackbox tests for ndrdump."""
 
 import os
+import re
 from samba.tests import BlackboxTestCase, BlackboxProcessError
 
 for p in ["../../../../../source4/librpc/tests",
@@ -436,6 +437,11 @@ dump OK
 except BlackboxProcessError as e:
 self.fail(e)
 
+# Filter out the C source file and line number
+regex = rb"\.\./\.\./librpc/ndr/ndr\.c:[0-9]+"
+actual = re.sub(regex, b"", actual)
+expected = re.sub(regex, b"", expected)
+
 self.assertEqual(actual, expected)
 
 # Test a print of NULL pointer in manually-written ndr_drsuapi.c
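Review bot: the substitution is applied to expected as well as actual, which means the expected string in this test still carries a literal ndr.c file and line number that will silently go stale. Dropping the location from the expected text and filtering only actual would make the fixture show what is really being compared. The pattern is also tied to the exact relative prefix ../../librpc/ndr/ndr.c, so output produced with a different path to ndr.c would not be filtered; a pattern that accepts any leading path before librpc/ndr/ndr.c would be more tolerant.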


-- 
Samba Shared Repository


