[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated
via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release.
via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6.
via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid
flapping dsdb_schema_attributes
via 1252f2c170c s4-lsa: Cache sam.ldb handle in
lsa_LookupSids3/LookupNames4
via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4
in python
via 86d3397f852 dsdb: Be careful to avoid use of the expensive
talloc_is_parent()
via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once
via 8c246869e14 selftest: Split up targets for samba_tool_drs from
samba_tool_drs_showrepl
via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline
fix
via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes
via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a
missing sname
via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing
field
via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container
type
via 8d17a87523b tests/krb5: Add tests for omitting sname in inner
request
via c837f43a9cd tests/krb5: Allow specifying parameters specific to the
inner FAST request body
via b628cda6604 tests/krb5: Add tests for omitting sname in request
via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data
via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors
without FAST
via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in
as_req testcase
via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname
in outer request
via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE
without FAST
via b6496bd5990 tests/krb5: Make cname checking less strict
via c9b594a1a21 tests/krb5: Make e-data checking less strict
via ef69ac460bc Update common on currently supported Fedora versions
via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG is now in
.gitlab-ci-main.yml
via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34
via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10
via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align
with what is tested
via e30483eb251 autobuild.py: Do not build MIT builds by default (eg
sn-devel)
via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can
test against a current MIT KDC
via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour
on older MIT Kerberos
via e850967129d autobuild.py: Explain why each job is removed from the
default set
via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb
via 2f8295604ce samba-tool: Rework transations/locks to hold a lock
during mdb backup
via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb
when backing up sam.ldb
via 535bd82604e mit-samba: Only set the function opening bracket once
via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of
casting
via 9698e453ae9 mit-samba: Send the logging to the kdc log facility
via 4bf41b6ccf5 mit-samba: Define debug class for kdb module
via 07cfa4d6f95 tests/krb5: Add FAST tests
via 003307b7d34 initial FAST tests
via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply
via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check
inner FAST errors
via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work
for checking TGS replies
via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for
checking TGS replies
via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply
via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 904df7418b8 tests/krb5: Adjust reply padata checking depending on
whether FAST was sent
via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included
FAST
via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error
via fc2ec4b9e01 tests/krb5: Add get_krbtgt_sname() method
via 6ed03543ea0 tests/krb5: Remove unused variables
via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a
non-error reply
via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check
padata in reply
via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to
generate FX-FAST padata
via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict
via d544371bd15 tests/krb5: Add expected_cname_private parameter to
kdc_exchange_dict
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via a0b4d29 NEWS[4.15.0rc6]: Samba 4.15.0rc6 Available for Download from 7289e15 support/globalsupport.html: update my description https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit a0b4d291df4f6d54cb7ce597c6121cbaffb3 Author: Jule Anger Date: Thu Sep 9 08:32:45 2021 +0200 NEWS[4.15.0rc6]: Samba 4.15.0rc6 Available for Download Signed-off-by: Jule Anger --- Summary of changes: posted_news/20210909-063410.4.15.0rc6.body.html | 12 posted_news/20210909-063410.4.15.0rc6.headline.html | 3 +++ 2 files changed, 15 insertions(+) create mode 100644 posted_news/20210909-063410.4.15.0rc6.body.html create mode 100644 posted_news/20210909-063410.4.15.0rc6.headline.html Changeset truncated at 500 lines: diff --git a/posted_news/20210909-063410.4.15.0rc6.body.html b/posted_news/20210909-063410.4.15.0rc6.body.html new file mode 100644 index 000..ca4a7dd --- /dev/null +++ b/posted_news/20210909-063410.4.15.0rc6.body.html @@ -0,0 +1,12 @@ + +09 September 2021 +Samba 4.15.0rc6 Available for Download + +This is the 6th release candidate of the upcoming Samba 4.15 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/rc/samba-4.15.0rc6.tar.gz";>downloaded now. +See https://download.samba.org/pub/samba/rc/samba-4.15.0rc6.WHATSNEW.txt";>the release notes for more info. + + diff --git a/posted_news/20210909-063410.4.15.0rc6.headline.html b/posted_news/20210909-063410.4.15.0rc6.headline.html new file mode 100644 index 000..444d767 --- /dev/null +++ b/posted_news/20210909-063410.4.15.0rc6.headline.html @@ -0,0 +1,3 @@ + + 09 September 2021 Samba 4.15.0rc6 Available for Download + -- Samba Website Repository
[SCM] Samba Shared Repository - annotated tag samba-4.15.0rc6 created
The annotated tag, samba-4.15.0rc6 has been created at 4630cc318db335984b96bc21fbf3fd2cd8810354 (tag) tagging 30c5a0e60e8b6c4df442ef1ecc872c4b6c599845 (commit) replaces samba-4.15.0rc5 tagged by Jule Anger on Thu Sep 9 08:32:11 2021 +0200 - Log - samba: tag release samba-4.15.0rc6 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmE5qmsACgkQqplEL7aA tiBUZRAAqOjZw0Nqx5wEQJhjYWcNzI323LVwIlGKbW+TfmC6nSjXrlvFfHKc2tKG 2KHKke9xU3owVMM8gAVjDik6OL8uaLTiBcTwBFF3CSOaXe98jX0MvuN1qkvTAki8 Wg7jvMTMT1ILgmZJ5m6t963bTaQ3dgkQEgN3RrCAHyponE1u+xTsfXX1baAYNgWU nGyyHbtCc6VK7tQC5wSt46wmUyvcYCn5TbxpOkjYt/jqc0yDZxxfgyzLGB7QmpId F3xqUhNj5FopmGblMUb4IzyH5L29+CxIW27UReQyiba5IiN+W8qsN1Dr7rTZTptV WT1u0k2r401vDQs/7YWhwTeNCb2E3zdg1AwV2JmBhh40NuPAg2PO9b8FXcAPVNZV szEYVteVRQM1b8gJJivpALv3BA6fSopQR27eybXSeCWF0/JeXMxmOVvUKWgwtvqy SvCeNMddAILthfIletxfVeoFNiUgIs0i4MqlfpoGBoK4bXWV+PWCHs2lEHBRmSoR 51jnB2oeJXiRZX0GRRnCVMKys/ccmEAYRkUUg+WUfyB5gGIvXZUsuXSSe3QSsCcA nEHXGlo2svLf+RNi/F4nKsUgUdU+muyWCBscrjAFZJqNsZaaAzs0PfpNEWQid44/ nuDUzKygwPdeAk5pFIFXSEs0l4p+wBnUteHVFMfjSlyY/2BWsZE= =mQYI -END PGP SIGNATURE- Andreas Schneider (10): bootstrap: Install krb5-workstation on Fedora based distros python:waf: Correctly check for python-dateutil bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros selftest: Re-format long lines in selftesthelpers.py selftest: Add support for setting ENV variables in plansmbtorture4testsuite() selftest: Add support for setting ENV variables in plantestsuite() mit-samba: Define debug class for kdb module mit-samba: Send the logging to the kdc log facility mit-samba: Use talloc_get_type_abort() instead of casting mit-samba: Only set the function opening bracket once Andrew Bartlett (22): samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb samba-tool: Rework transations/locks to hold a lock during mdb backup samba-tool domain backup: Use tdbbackup on metadata.tdb autobuild.py: Explain why each job is removed from the default set gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC autobuild.py: Do not build MIT builds by default (eg sn-devel) build: Move minimum MIT krb5 version to 1.19 to align with what is tested mit-kdc: Remove build time support for KDB_API < 10 bootstrap: Update to get newer krb5 on Fedora 34 bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml Update common on currently supported Fedora versions tests/krb5: Remove harmful and a-typical return in as_req testcase tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname WHATSNEW: Update for KDC crash fixes WHATSNEW: Update with samba-tool domain backup offline fix selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl selftest: Only run samba_tool_drs_showrepl test once dsdb: Be careful to avoid use of the expensive talloc_is_parent() selftest: Add a test for LookupSids3 and LookupNames4 in python s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes Gary Lockyer (1): initial FAST tests Joseph Sutton (81): pygensec: Fix memory leaks pygensec: Don't modify Python bytes objects tests/krb5: Fix ms_kile_client_principal_lookup_test errors tests/krb5: Fix comment typo tests/krb5: Fix method name typo tests/krb5: formatting tests/krb5: Remove unneeded statements tests/krb5: Use more compact dict lookup tests/krb5: Simplify Python syntax tests/krb5: Remove magic constants tests/krb5: Fix including enc-authorization-data tests/krb5: Fix callback_dict parameter tests/krb5: Fix encpart_decryption_key with MIT KDC tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC tests/krb5: Check Kerberos protocol version number tests/krb5: Use credentials kvno when creating password key tests/krb5: Allow cf2 to automatically use the enctype of the first key tests/krb5: Refactor get_pa_data() tests/krb5: Add get_enc_timestamp_pa_data_from_key() tests/krb5: Add method to return dict containing padata elements tests/krb5: Make _test_as_exchange() return value more consistent tests/krb5: Add get_EpochFromKerberosTime() tests/krb5: Use encryption with admin credentials tests/krb5: Allow specifying additional details when creating an account tests/krb5: Add more methods for obtaining machine and service credentials tests/krb5: Add method to calculate account salt tests/krb5: Add check_rep
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 2baaa891bb3 VERSION: Bump version up to Samba 4.15.0rc7... via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6. from 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 2baaa891bb3690a2783eb2c5e45368c320e27236 Author: Jule Anger Date: Thu Sep 9 08:27:18 2021 +0200 VERSION: Bump version up to Samba 4.15.0rc7... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 30c5a0e60e8b6c4df442ef1ecc872c4b6c599845 Author: Jule Anger Date: Thu Sep 9 08:25:57 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. Signed-off-by: Jule Anger commit 718da33d4e6d4c958f1e1c20761b496f447f40f5 Author: Jule Anger Date: Thu Sep 9 08:24:41 2021 +0200 WHATSNEW: Add release notes for Samba 4.15.0rc6. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 32 +++- 2 files changed, 32 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index c47655ceb3c..efc0c7f02d6 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=6 +SAMBA_VERSION_RC_RELEASE=7 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2f3e1422485..739a0b319ca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the fifth release candidate of Samba 4.15. This is *not* +This is the sixth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -341,6 +341,36 @@ smb.conf changes winbind scan trusted domainsChanged No +CHANGES SINCE 4.15.0rc5 +=== + +o Andrew Bartlett + * BUG 14806: Address a signifcant performance regression in database access + in the AD DC since Samba 4.12. + * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since + Samba 4.9 by using an explicit database handle cache. + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + * BUG 14818: Address flapping samba_tool_drs_showrepl test. + * BUG 14819: Address flapping dsdb_schema_attributes test. + +o Luke Howard + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Gary Lockyer + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Andreas Schneider + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Joseph Sutton + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + + CHANGES SINCE 4.15.0rc4 === -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9e7d2d9794a ctdb-daemon: Don't mark a node as unhealthy when connecting to it via 7f697b1938e ctdb-daemon: Ignore flag changes for disconnected nodes via ae10a8a4b70 ctdb-daemon: Simplify ctdb_control_modflags() via 916c5ee131d ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete via e75256767ff ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS via 0132bd5a223 ctdb-daemon: Modernise remaining debug macro in this function via b6d25d079e3 ctdb-daemon: Update logging for flag changes via eec44e28625 ctdb-daemon: Correct the condition for logging unchanged flags via 5914054698d ctdb-tools: Use disable and enable controls in tool via 6fe6a54e7f3 ctdb-client: Add client code for disable/enable controls via 15a6489c288 ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE via 60c1ef14653 ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED via 1ac7bc7532b ctdb-daemon: Factor out a function to get node structure from PNN via e0a7b5a9e86 ctdb-daemon: Add a helper variable via 6845dca87e6 ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE via 49dc5d8cd2d ctdb-protocol: Add new controls to disable and enable nodes via 8305f6a7f13 ctdb-recoverd: Push flags for a node if any remote node disagrees via 620d0787142 ctdb-recoverd: Update the local node map before pushing out flags via 82a075d4d73 ctdb-recoverd: Add a helper variable from 4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1 Author: Martin Schwenke Date: Fri Jul 9 17:25:32 2021 +1000 ctdb-daemon: Don't mark a node as unhealthy when connecting to it Remote nodes are already initialised as UNHEALTHY when the node list is initialised at startup (ctdb_load_nodes_file() calls convert_node_map_to_list()) and when disconnected (ctdb_node_dead()). So, drop this code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs Autobuild-User(master): Amitay Isaacs Autobuild-Date(master): Thu Sep 9 02:38:34 UTC 2021 on sn-devel-184 commit 7f697b1938efb3972f03f25546bf807d5af9a26c Author: Martin Schwenke Date: Tue Jul 27 15:50:54 2021 +1000 ctdb-daemon: Ignore flag changes for disconnected nodes If this node is not connected to a node then we shouldn't know anything about it. The state will be pushed later by the recovery master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Signed-off-by: Amitay Isaacs commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a Author: Martin Schwenke Date: Thu Jul 8 11:11:11 2021 +1000 ctdb-daemon: Simplify ctdb_control_modflags() Now that there are separate disable/enable controls used by the ctdb tool this control can ignore any flag updates for the current nodes. These only come from the recovery master, which depends on being able to fetch flags for all nodes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad Author: Martin Schwenke Date: Wed Jan 17 19:04:34 2018 +1100 ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler() and replace with srvid_not_implemented(). Mark the SRVID obsolete in its comment. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit e75256767fffc6a7ac0b97e58737a39c63c8b187 Author: Martin Schwenke Date: Thu Jul 8 11:32:20 2021 +1000 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS The code that handles this message is ctdb_recoverd.c:monitor_handler(). Although it appears to do something potentially useful, it only logs the flags changes. All changes made are to local structures - there are no actual side-effects. It used to trigger a takeover run when the DISABLED flag changed. This was dropped back in commit 662f06de9fdce7b1bc1772a4fbe43de271564917. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit 0132bd5a2233193256af434a37506f86ed62c075 Author: Martin Schwenke Date: Thu Jul 8 11:34:49 2021 +1000 ctdb-daemon: Modernise remaining debug macro in this function BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaa
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu
20.04-based image
via 4f300d672a8 fuzzing/oss-fuzz: strip RUNPATH from dependencies
via f94b1d3b31f fuzzing/oss-fuzz: fix samba build script for Ubuntu
20.04
via 541f9ee5ab6 fuzzing/oss-fuzz: fix RPATH comments for
post-Ubuntu-16.04 era
via e608dcd2d67 configure: allow configure script to accept parameters
with spaces
via 2fe8d3eeac4 fuzzing/oss-fuzz: fix image build recipe for Ubuntu
20.04
from 18e08c70900 docs: Avoid duplicate information on USER and PASSWD,
reference the common section
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit 4366c3bb71fe9c083dedeae8798547b64a64d2b4
Author: Uri Simchoni
Date: Tue Sep 7 18:39:12 2021 +0300
gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image
REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Sep 9 01:45:09 UTC 2021 on sn-devel-184
commit 4f300d672a8ef1820e68bc82833de4f5d4c0996e
Author: Uri Simchoni
Date: Mon Sep 6 22:55:55 2021 +0300
fuzzing/oss-fuzz: strip RUNPATH from dependencies
Strip all RUNPATH headers from all dependency shared objects that
we copy to the fuzzing target, as those libraries aren't placed
in their original place.
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
commit f94b1d3b31f2fb5bdbfce7b5f79d80f098b91975
Author: Uri Simchoni
Date: Sat Sep 4 10:30:56 2021 +0300
fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04
Add a linker flag to generate fuzzer binaries with an RPATH
header instead of RUNPATH.
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
commit 541f9ee5ab66b41a2a8d9c54183b095ad99f3769
Author: Uri Simchoni
Date: Sat Sep 4 10:11:58 2021 +0300
fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era
Remove what appears to be a copy+paste error in one place, and
explain that RPATH/RUNPATH is set by the linker, not by chrpath
utility.
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
commit e608dcd2d6736505022d0f9d1e008333bb70f1af
Author: Uri Simchoni
Date: Sat Sep 4 11:01:56 2021 +0300
configure: allow configure script to accept parameters with spaces
Specifically this enables passing two linker flags to the
--fuzz-target-ldflags
configure argument.
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
commit 2fe8d3eeac4cddedfeac936ce785c2c6f12d86ef
Author: Uri Simchoni
Date: Fri Sep 3 18:46:17 2021 +
fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04
Update the build_image.sh script to install Ubuntu 20.04 packages
instead of Ubuntu 16.04 on the oss-fuzz container - this will
allow the oss-fuzz container to be based on Ubuntu 20.04.
REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365
Signed-off-by: Uri Simchoni
Reviewed-by: Andrew Bartlett
---
Summary of changes:
.gitlab-ci-main.yml | 2 +-
configure | 2 +-
lib/fuzzing/oss-fuzz/build_image.sh | 2 +-
lib/fuzzing/oss-fuzz/check_build.sh | 3 +--
lib/fuzzing/oss-fuzz/do_build.sh| 33 +++--
5 files changed, 27 insertions(+), 15 deletions(-)
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4b2f17938c8..a6c362931da 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -323,7 +323,7 @@ samba-libs:
samba-fuzz:
extends: .shared_template
variables:
-SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1604}
+SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004}
ctdb:
extends: .shared_template
diff --git a/configure b/configure
index 2b0ffb0dae1..a6ca50feb47 100755
--- a/configure
+++ b/configure
@@ -13,5 +13,5 @@ export JOBS
unset LD_PRELOAD
cd . || exit 1
-$PYTHON $WAF configure $@ || exit 1
+$PYTHON $WAF configure "$@" || exit 1
cd $PREVPATH
diff --git a/lib/fuzzing/oss-fuzz/build_image.sh
b/lib/fuzzing/oss-fuzz/build_image.sh
index 5df07dc43be..5d5e27e716d 100755
--- a/lib/fuzzing/oss-fuzz/build_image.sh
+++ b/lib/fuzzing/oss-fuzz/build_image.sh
@@ -1,6 +1,6 @@
#!/bin/sh -e
-DIST=ubuntu1604
+DIST=ubuntu2004
SCRIPT_DIR=`dirname $0`
$SCRIPT_DIR/../../../bootstrap/generated-dists/$DIST/bootstrap.sh
diff --git a/lib/fuzzing/oss-fuzz/check_build.sh
b/lib/fuzzing/oss-fuzz/check_build.sh
index 501c2c813fc..98b83a81bbf 100755
--- a/lib/fuzzing/oss-fuzz/check_build.sh
+++ b/lib/fuzzing/oss-fuzz/check_build.sh
@@ -25,8 +25,7
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 18e08c70900 docs: Avoid duplicate information on USER and PASSWD,
reference the common section
via 9b50d2e52e6 docs: Document all the other ways to send a password to
smbclient et al
via a363742635c docs: Ensure to rebuild manpages if samba.entities or
samba.version changes
from 867c6ff9f3f docs-xml: use upper case for "{client,server} smb3
{signing,encryption} algorithms" values
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit 18e08c709002506fe217ca6a7a098fcdc00f8c29
Author: Andrew Bartlett
Date: Tue Aug 10 09:20:45 2021 +1200
docs: Avoid duplicate information on USER and PASSWD, reference the common
section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeremy Allison
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Thu Sep 9 00:52:09 UTC 2021 on sn-devel-184
commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda
Author: Andrew Bartlett
Date: Tue Aug 10 09:14:08 2021 +1200
docs: Document all the other ways to send a password to smbclient et al
This was previously hidden knowlege not easily available to
administrators and end users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeremy Allison
commit a363742635c54a6cb19363f4be9d2be2b731a5e6
Author: Andrew Bartlett
Date: Tue Aug 10 09:13:15 2021 +1200
docs: Ensure to rebuild manpages if samba.entities or samba.version changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
Signed-off-by: Andrew Bartlett
Reviewed-by: Jeremy Allison
---
Summary of changes:
buildtools/wafsamba/wafsamba.py | 6 -
docs-xml/build/DTD/samba.entities | 52 ++-
docs-xml/manpages/smbclient.1.xml | 14 +++
3 files changed, 50 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index dee007bf84e..865975cb2d1 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -946,9 +946,13 @@ def SAMBAMANPAGES(bld, manpages, extra_source=None):
bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog
file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
for m in manpages.split():
-source = m + '.xml'
+source = [m + '.xml']
if extra_source is not None:
source = [source, extra_source]
+# ${SRC[1]} and ${SRC[2]} are not referenced in the
+# SAMBA_GENERATOR but trigger the dependency calculation so
+# ensures that manpages are rebuilt when these change.
+source += ['build/DTD/samba.entities', 'build/DTD/samba.build.version']
bld.SAMBA_GENERATOR(m,
source=source,
target=m,
diff --git a/docs-xml/build/DTD/samba.entities
b/docs-xml/build/DTD/samba.entities
index 80e051e7684..beff3cb1f6e 100644
--- a/docs-xml/build/DTD/samba.entities
+++ b/docs-xml/build/DTD/samba.entities
@@ -595,13 +595,16 @@
- If &pct;password is not specified, the user will be
+ If &pct;PASSWORD is not specified, the user will be
prompted. The client will first check the
- USER environment variable, then the
- LOGNAME variable and if either exists,
- the string is uppercased. If these environmental
+ USER environment variable
+ (which is also permitted to also contain the
+ password seperated by a &pct;), then the
+ LOGNAME variable (which is not
+ permitted to contain a password) and if either exists,
+ the value is used. If these environmental
variables are not found, the username
- GUEST is used.
+ found in a Kerberos Credentials cache may be used.
@@ -616,9 +619,15 @@
- Be cautious about including passwords in scripts. For
- security it is better to let the client ask for the
- password if needed.
+ Be cautious about including passwords in scripts
+ or passing user-supplied values onto the command line.
For
+ security it is better to let the Samba client tool ask
for the
+ password if needed, or obtain the password once with
kinit.
+
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 867c6ff9f3f docs-xml: use upper case for "{client,server} smb3
{signing,encryption} algorithms" values
from 16e907f8415 Added russian translate file
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit 867c6ff9f3f28ab4bfa0cb1660889f3f5be0d111
Author: Stefan Metzmacher
Date: Wed Sep 8 15:10:14 2021 +0200
docs-xml: use upper case for "{client,server} smb3 {signing,encryption}
algorithms" values
This matches what smbstatus prints out. Note there's also the removal of
an '-' in "hmac-sha-256" => HMAC-SHA256".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14825
RN: "{client,server} smb3 {signing,encryption} algorithms" should use the
same strings as smbstatus output
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
Autobuild-User(master): Ralph Böhme
Autobuild-Date(master): Wed Sep 8 16:37:07 UTC 2021 on sn-devel-184
---
Summary of changes:
docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml | 8
docs-xml/smbdotconf/security/clientsmbsigningalgos.xml| 10 +-
docs-xml/smbdotconf/security/serversmbencryptionalgos.xml | 8
docs-xml/smbdotconf/security/serversmbsigningalgos.xml| 10 +-
lib/param/loadparm.h | 4 ++--
libcli/smb/util.c | 14 +++---
6 files changed, 27 insertions(+), 27 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
index 27da51ad625..78df3f909e9 100644
--- a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
@@ -9,13 +9,13 @@
It is also possible to remove individual algorithms from the
default list,
by prefixing them with '-'. This can avoid having to specify a
hardcoded list.
- Note: that the removal of aes-128-ccm from the list will result
+ Note: that the removal of AES-128-CCM from the list will result
in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
available algorithm for these dialects.
-aes-128-gcm, aes-128-ccm, aes-256-gcm,
aes-256-ccm
-aes-256-gcm
--aes-128-gcm -aes-128-ccm
+AES-128-GCM, AES-128-CCM, AES-256-GCM,
AES-256-CCM
+AES-256-GCM
+-AES-128-GCM -AES-128-CCM
diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
index 1ad6c09626f..f7c61f3e661 100644
--- a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
+++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
@@ -9,14 +9,14 @@
It is also possible to remove individual algorithms from the
default list,
by prefixing them with '-'. This can avoid having to specify a
hardcoded list.
- Note: that the removal of aes-128-cmac from the list will result
- in SMB3_00 and SMB3_02 being unavailable, and the removal od
hmac-sha-256
+ Note: that the removal of AES-128-CMAC from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256
will result in SMB2_02 and SMB2_10 being unavailable, as these are the
default and only
available algorithms for these dialects.
-aes-128-gmac, aes-128-cmac, hmac-sha-256
-aes-128-cmac, hmac-sha-256
--aes-128-cmac
+AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
+AES-128-CMAC, HMAC-SHA256
+-AES-128-CMAC
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
index 3217970d4e7..2dd2db98cc5 100644
--- a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
@@ -9,13 +9,13 @@
It is also possible to remove individual algorithms from the
default list,
by prefixing them with '-'. This can avoid having to specify a
hardcoded list.
- Note: that the removal of aes-128-ccm from the list will result
+ Note: that the removal of AES-128-CCM from the list will result
in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
available algorithm for these dialects.
-aes-128-gcm, aes-128-ccm, aes-256-gcm,
aes-256-ccm
-aes-256-gcm
--aes-128-gcm -aes-128-ccm
+AES-128-GCM, AES-128-CCM, AES-256-GCM,
AES-256-CCM
+AES-256-GCM
+-AES-128-GCM -AES-128-CCM
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
index e73d4f04242..7884e603b5b 100644
--- a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
+++ b/docs-xml/smbdotconf/security/servers
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated
via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid
flapping dsdb_schema_attributes
via 1252f2c170c s4-lsa: Cache sam.ldb handle in
lsa_LookupSids3/LookupNames4
via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4
in python
via 86d3397f852 dsdb: Be careful to avoid use of the expensive
talloc_is_parent()
via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once
via 8c246869e14 selftest: Split up targets for samba_tool_drs from
samba_tool_drs_showrepl
via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline
fix
via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes
via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a
missing sname
via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing
field
via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container
type
via 8d17a87523b tests/krb5: Add tests for omitting sname in inner
request
via c837f43a9cd tests/krb5: Allow specifying parameters specific to the
inner FAST request body
via b628cda6604 tests/krb5: Add tests for omitting sname in request
via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data
via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors
without FAST
via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in
as_req testcase
via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname
in outer request
via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE
without FAST
via b6496bd5990 tests/krb5: Make cname checking less strict
via c9b594a1a21 tests/krb5: Make e-data checking less strict
via ef69ac460bc Update common on currently supported Fedora versions
via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG is now in
.gitlab-ci-main.yml
via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34
via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10
via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align
with what is tested
via e30483eb251 autobuild.py: Do not build MIT builds by default (eg
sn-devel)
via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can
test against a current MIT KDC
via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour
on older MIT Kerberos
via e850967129d autobuild.py: Explain why each job is removed from the
default set
via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb
via 2f8295604ce samba-tool: Rework transations/locks to hold a lock
during mdb backup
via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb
when backing up sam.ldb
via 535bd82604e mit-samba: Only set the function opening bracket once
via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of
casting
via 9698e453ae9 mit-samba: Send the logging to the kdc log facility
via 4bf41b6ccf5 mit-samba: Define debug class for kdb module
via 07cfa4d6f95 tests/krb5: Add FAST tests
via 003307b7d34 initial FAST tests
via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply
via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check
inner FAST errors
via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work
for checking TGS replies
via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for
checking TGS replies
via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply
via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 904df7418b8 tests/krb5: Adjust reply padata checking depending on
whether FAST was sent
via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included
FAST
via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error
via fc2ec4b9e01 tests/krb5: Add get_krbtgt_sname() method
via 6ed03543ea0 tests/krb5: Remove unused variables
via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a
non-error reply
via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check
padata in reply
via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to
generate FX-FAST padata
via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict
via d544371bd15 tests/krb5: Add expected_cname_private parameter to
kdc_exchange_dict
via 6457ecee2a9 tests/krb5: Check encrypted-pa-data
via 79972f42603 tests/krb5: Add methods to determine whether elements
were included in the r
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 7289e15 support/globalsupport.html: update my description from 2896b86 support/globalsupport.html: Order SerNet colleagues by name. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 7289e15f747fb618a7ff07a8c5bb5523a0af09c7 Author: Ralph Boehme Date: Wed Sep 8 09:57:35 2021 +0200 support/globalsupport.html: update my description --- Summary of changes: support/globalsupport.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/support/globalsupport.html b/support/globalsupport.html index aa4982f..1f733c1 100644 --- a/support/globalsupport.html +++ b/support/globalsupport.html @@ -82,7 +82,7 @@ Members of the core http://samba.TEAM"; target=_blank>samba.TEAM wor mailto:b...@samba.org>Björn Baumbach is maintainer of SAMBA+ and fixes numerous Samba bugs. -mailto:r...@samba.org>Ralph Böhme is maintainer of Netatalk and implements its features to Samba. +mailto:s...@samba.org>Ralph Böhme works on the Samba fileserver and is the team lead of the SerNet Samba team. mailto:b...@samba.org>Björn Jacke is Samba expert since almost ever and integrated Samba in networks of all sizes. -- Samba Website Repository
