[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6. via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes via 1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python via 86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent() via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once via 8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type via 8d17a87523b tests/krb5: Add tests for omitting sname in inner request via c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body via b628cda6604 tests/krb5: Add tests for omitting sname in request via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST via b6496bd5990 tests/krb5: Make cname checking less strict via c9b594a1a21 tests/krb5: Make e-data checking less strict via ef69ac460bc Update common on currently supported Fedora versions via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG 
is now in .gitlab-ci-main.yml via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34 via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10 via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested via e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel) via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos via e850967129d autobuild.py: Explain why each job is removed from the default set via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb via 2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb via 535bd82604e mit-samba: Only set the function opening bracket once via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting via 9698e453ae9 mit-samba: Send the logging to the kdc log facility via 4bf41b6ccf5 mit-samba: Define debug class for kdb module via 07cfa4d6f95 tests/krb5: Add FAST tests via 003307b7d34 initial FAST tests via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply via 904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error via fc2ec4b9e01 
tests/krb5: Add get_krbtgt_sname() method via 6ed03543ea0 tests/krb5: Remove unused variables via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict via d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via a0b4d29 NEWS[4.15.0rc6]: Samba 4.15.0rc6 Available for Download from 7289e15 support/globalsupport.html: update my description https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit a0b4d291df4f6d54cb7ce597c6121cbaffb3 Author: Jule Anger Date: Thu Sep 9 08:32:45 2021 +0200 NEWS[4.15.0rc6]: Samba 4.15.0rc6 Available for Download Signed-off-by: Jule Anger --- Summary of changes: posted_news/20210909-063410.4.15.0rc6.body.html | 12 posted_news/20210909-063410.4.15.0rc6.headline.html | 3 +++ 2 files changed, 15 insertions(+) create mode 100644 posted_news/20210909-063410.4.15.0rc6.body.html create mode 100644 posted_news/20210909-063410.4.15.0rc6.headline.html Changeset truncated at 500 lines: diff --git a/posted_news/20210909-063410.4.15.0rc6.body.html b/posted_news/20210909-063410.4.15.0rc6.body.html new file mode 100644 index 000..ca4a7dd --- /dev/null +++ b/posted_news/20210909-063410.4.15.0rc6.body.html @@ -0,0 +1,12 @@ + +09 September 2021 +Samba 4.15.0rc6 Available for Download + +This is the 6th release candidate of the upcoming Samba 4.15 release series. + + +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be https://download.samba.org/pub/samba/rc/samba-4.15.0rc6.tar.gz";>downloaded now. +See https://download.samba.org/pub/samba/rc/samba-4.15.0rc6.WHATSNEW.txt";>the release notes for more info. + + diff --git a/posted_news/20210909-063410.4.15.0rc6.headline.html b/posted_news/20210909-063410.4.15.0rc6.headline.html new file mode 100644 index 000..444d767 --- /dev/null +++ b/posted_news/20210909-063410.4.15.0rc6.headline.html @@ -0,0 +1,3 @@ + + 09 September 2021 Samba 4.15.0rc6 Available for Download + -- Samba Website Repository
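Review bot: in the 20210909-063410.4.15.0rc6.body.html hunk, the line "The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620)" identifies the signing key only by a 64-bit key ID. Consider printing the full key fingerprint, or linking to where the release key is published, so readers can confirm they hold the right key before verifying. It would also help to state that the .tar.gz has to be decompressed first, since the sentence says the signature covers the uncompressed tarball.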
[SCM] Samba Shared Repository - annotated tag samba-4.15.0rc6 created
The annotated tag, samba-4.15.0rc6 has been created at 4630cc318db335984b96bc21fbf3fd2cd8810354 (tag) tagging 30c5a0e60e8b6c4df442ef1ecc872c4b6c599845 (commit) replaces samba-4.15.0rc5 tagged by Jule Anger on Thu Sep 9 08:32:11 2021 +0200 - Log - samba: tag release samba-4.15.0rc6 Andreas Schneider (10): bootstrap: Install krb5-workstation on Fedora based distros python:waf: Correctly check for python-dateutil bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros selftest: Re-format long lines in selftesthelpers.py selftest: Add support for setting ENV variables in plansmbtorture4testsuite() selftest: Add support for setting ENV variables in plantestsuite() mit-samba: Define debug class for kdb module mit-samba: Send the logging to the kdc log facility mit-samba: Use talloc_get_type_abort() instead of casting mit-samba: Only set the function opening bracket once Andrew Bartlett (22): samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb samba-tool: Rework transations/locks to hold a lock during mdb backup samba-tool domain backup: Use tdbbackup on metadata.tdb autobuild.py: Explain why each job is removed from the
default set gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC autobuild.py: Do not build MIT builds by default (eg sn-devel) build: Move minimum MIT krb5 version to 1.19 to align with what is tested mit-kdc: Remove build time support for KDB_API < 10 bootstrap: Update to get newer krb5 on Fedora 34 bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml Update common on currently supported Fedora versions tests/krb5: Remove harmful and a-typical return in as_req testcase tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname WHATSNEW: Update for KDC crash fixes WHATSNEW: Update with samba-tool domain backup offline fix selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl selftest: Only run samba_tool_drs_showrepl test once dsdb: Be careful to avoid use of the expensive talloc_is_parent() selftest: Add a test for LookupSids3 and LookupNames4 in python s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes Gary Lockyer (1): initial FAST tests Joseph Sutton (81): pygensec: Fix memory leaks pygensec: Don't modify Python bytes objects tests/krb5: Fix ms_kile_client_principal_lookup_test errors tests/krb5: Fix comment typo tests/krb5: Fix method name typo tests/krb5: formatting tests/krb5: Remove unneeded statements tests/krb5: Use more compact dict lookup tests/krb5: Simplify Python syntax tests/krb5: Remove magic constants tests/krb5: Fix including enc-authorization-data tests/krb5: Fix callback_dict parameter tests/krb5: Fix encpart_decryption_key with MIT KDC tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC tests/krb5: Check Kerberos protocol version number tests/krb5: Use credentials kvno when creating password key tests/krb5: Allow cf2 to automatically use the enctype of the first key 
tests/krb5: Refactor get_pa_data() tests/krb5: Add get_enc_timestamp_pa_data_from_key() tests/krb5: Add method to return dict containing padata elements tests/krb5: Make _test_as_exchange() return value more consistent tests/krb5: Add get_EpochFromKerberosTime() tests/krb5: Use encryption with admin credentials tests/krb5: Allow specifying additional details when creating an account tests/krb5: Add more methods for obtaining machine and service credentials tests/krb5: Add method to calculate account salt tests/krb5: Add check_rep
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 2baaa891bb3 VERSION: Bump version up to Samba 4.15.0rc7... via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6. from 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 2baaa891bb3690a2783eb2c5e45368c320e27236 Author: Jule Anger Date: Thu Sep 9 08:27:18 2021 +0200 VERSION: Bump version up to Samba 4.15.0rc7... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 30c5a0e60e8b6c4df442ef1ecc872c4b6c599845 Author: Jule Anger Date: Thu Sep 9 08:25:57 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release. Signed-off-by: Jule Anger commit 718da33d4e6d4c958f1e1c20761b496f447f40f5 Author: Jule Anger Date: Thu Sep 9 08:24:41 2021 +0200 WHATSNEW: Add release notes for Samba 4.15.0rc6. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 32 +++- 2 files changed, 32 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index c47655ceb3c..efc0c7f02d6 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=6 +SAMBA_VERSION_RC_RELEASE=7 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 2f3e1422485..739a0b319ca 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the fifth release candidate of Samba 4.15. This is *not* +This is the sixth release candidate of Samba 4.15. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. 
@@ -341,6 +341,36 @@ smb.conf changes winbind scan trusted domainsChanged No +CHANGES SINCE 4.15.0rc5 +=== + +o Andrew Bartlett + * BUG 14806: Address a signifcant performance regression in database access + in the AD DC since Samba 4.12. + * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since + Samba 4.9 by using an explicit database handle cache. + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + * BUG 14818: Address flapping samba_tool_drs_showrepl test. + * BUG 14819: Address flapping dsdb_schema_attributes test. + +o Luke Howard + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Gary Lockyer + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Andreas Schneider + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + +o Joseph Sutton + * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the + server name in a TGS-REQ. + + CHANGES SINCE 4.15.0rc4 === -- Samba Shared Repository
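Review bot: the added "CHANGES SINCE 4.15.0rc5" block in the WHATSNEW.txt hunk carries two spelling errors in user-facing release notes: "signifcant" in the BUG 14806 entry and "unuthenticated" in the BUG 14817 entry, the latter repeated under all five contributors. Please correct them to "significant" and "unauthenticated". The BUG 14817 entry describes an unauthenticated crash of the AD DC KDC, and the branch update lists commits prefixed CVE-2021-3671 that validate sname in TGS-REQ; if those commits are the fix for this bug, the entry should name the CVE so that readers scanning the notes for security fixes can find it.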
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9e7d2d9794a ctdb-daemon: Don't mark a node as unhealthy when connecting to it via 7f697b1938e ctdb-daemon: Ignore flag changes for disconnected nodes via ae10a8a4b70 ctdb-daemon: Simplify ctdb_control_modflags() via 916c5ee131d ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete via e75256767ff ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS via 0132bd5a223 ctdb-daemon: Modernise remaining debug macro in this function via b6d25d079e3 ctdb-daemon: Update logging for flag changes via eec44e28625 ctdb-daemon: Correct the condition for logging unchanged flags via 5914054698d ctdb-tools: Use disable and enable controls in tool via 6fe6a54e7f3 ctdb-client: Add client code for disable/enable controls via 15a6489c288 ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE via 60c1ef14653 ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED via 1ac7bc7532b ctdb-daemon: Factor out a function to get node structure from PNN via e0a7b5a9e86 ctdb-daemon: Add a helper variable via 6845dca87e6 ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE via 49dc5d8cd2d ctdb-protocol: Add new controls to disable and enable nodes via 8305f6a7f13 ctdb-recoverd: Push flags for a node if any remote node disagrees via 620d0787142 ctdb-recoverd: Update the local node map before pushing out flags via 82a075d4d73 ctdb-recoverd: Add a helper variable from 4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1 Author: Martin Schwenke Date: Fri Jul 9 17:25:32 2021 +1000 ctdb-daemon: Don't mark a node as unhealthy when connecting to it Remote nodes are already initialised as UNHEALTHY when the node list is initialised at startup (ctdb_load_nodes_file() calls convert_node_map_to_list()) and when disconnected (ctdb_node_dead()). So, drop this code. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs Autobuild-User(master): Amitay Isaacs Autobuild-Date(master): Thu Sep 9 02:38:34 UTC 2021 on sn-devel-184 commit 7f697b1938efb3972f03f25546bf807d5af9a26c Author: Martin Schwenke Date: Tue Jul 27 15:50:54 2021 +1000 ctdb-daemon: Ignore flag changes for disconnected nodes If this node is not connected to a node then we shouldn't know anything about it. The state will be pushed later by the recovery master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Signed-off-by: Amitay Isaacs commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a Author: Martin Schwenke Date: Thu Jul 8 11:11:11 2021 +1000 ctdb-daemon: Simplify ctdb_control_modflags() Now that there are separate disable/enable controls used by the ctdb tool this control can ignore any flag updates for the current nodes. These only come from the recovery master, which depends on being able to fetch flags for all nodes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad Author: Martin Schwenke Date: Wed Jan 17 19:04:34 2018 +1100 ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler() and replace with srvid_not_implemented(). Mark the SRVID obsolete in its comment. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit e75256767fffc6a7ac0b97e58737a39c63c8b187 Author: Martin Schwenke Date: Thu Jul 8 11:32:20 2021 +1000 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS The code that handles this message is ctdb_recoverd.c:monitor_handler(). Although it appears to do something potentially useful, it only logs the flags changes. All changes made are to local structures - there are no actual side-effects. 
It used to trigger a takeover run when the DISABLED flag changed. This was dropped back in commit 662f06de9fdce7b1bc1772a4fbe43de271564917. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit 0132bd5a2233193256af434a37506f86ed62c075 Author: Martin Schwenke Date: Thu Jul 8 11:34:49 2021 +1000 ctdb-daemon: Modernise remaining debug macro in this function BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaa
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4366c3bb71f gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image via 4f300d672a8 fuzzing/oss-fuzz: strip RUNPATH from dependencies via f94b1d3b31f fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04 via 541f9ee5ab6 fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era via e608dcd2d67 configure: allow configure script to accept parameters with spaces via 2fe8d3eeac4 fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04 from 18e08c70900 docs: Avoid duplicate information on USER and PASSWD, reference the common section https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4366c3bb71fe9c083dedeae8798547b64a64d2b4 Author: Uri Simchoni Date: Tue Sep 7 18:39:12 2021 +0300 gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365 Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 9 01:45:09 UTC 2021 on sn-devel-184 commit 4f300d672a8ef1820e68bc82833de4f5d4c0996e Author: Uri Simchoni Date: Mon Sep 6 22:55:55 2021 +0300 fuzzing/oss-fuzz: strip RUNPATH from dependencies Strip all RUNPATH headers from all dependency shared objects that we copy to the fuzzing target, as those libraries aren't placed in their original place. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit f94b1d3b31f2fb5bdbfce7b5f79d80f098b91975 Author: Uri Simchoni Date: Sat Sep 4 10:30:56 2021 +0300 fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04 Add a linker flag to generate fuzzer binaries with an RPATH header instead of RUNPATH. 
Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 541f9ee5ab66b41a2a8d9c54183b095ad99f3769 Author: Uri Simchoni Date: Sat Sep 4 10:11:58 2021 +0300 fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era Remove what appears to be a copy+paste error in one place, and explain that RPATH/RUNPATH is set by the linker, not by chrpath utility. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit e608dcd2d6736505022d0f9d1e008333bb70f1af Author: Uri Simchoni Date: Sat Sep 4 11:01:56 2021 +0300 configure: allow configure script to accept parameters with spaces Specifically this enables passing two linker flags to the --fuzz-target-ldflags configure argument. Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett commit 2fe8d3eeac4cddedfeac936ce785c2c6f12d86ef Author: Uri Simchoni Date: Fri Sep 3 18:46:17 2021 + fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04 Update the build_image.sh script to install Ubuntu 20.04 packages instead of Ubuntu 16.04 on the oss-fuzz container - this will allow the oss-fuzz container to be based on Ubuntu 20.04. REF: https://github.com/google/oss-fuzz/issues/6301#issuecomment-911705365 Signed-off-by: Uri Simchoni Reviewed-by: Andrew Bartlett --- Summary of changes: .gitlab-ci-main.yml | 2 +- configure | 2 +- lib/fuzzing/oss-fuzz/build_image.sh | 2 +- lib/fuzzing/oss-fuzz/check_build.sh | 3 +-- lib/fuzzing/oss-fuzz/do_build.sh| 33 +++-- 5 files changed, 27 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 4b2f17938c8..a6c362931da 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -323,7 +323,7 @@ samba-libs: samba-fuzz: extends: .shared_template variables: -SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1604} +SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu2004} ctdb: extends: .shared_template diff --git a/configure b/configure index 2b0ffb0dae1..a6ca50feb47 100755 --- a/configure +++ b/configure 
@@ -13,5 +13,5 @@ export JOBS unset LD_PRELOAD cd . || exit 1 -$PYTHON $WAF configure $@ || exit 1 +$PYTHON $WAF configure "$@" || exit 1 cd $PREVPATH diff --git a/lib/fuzzing/oss-fuzz/build_image.sh b/lib/fuzzing/oss-fuzz/build_image.sh index 5df07dc43be..5d5e27e716d 100755 --- a/lib/fuzzing/oss-fuzz/build_image.sh +++ b/lib/fuzzing/oss-fuzz/build_image.sh @@ -1,6 +1,6 @@ #!/bin/sh -e -DIST=ubuntu1604 +DIST=ubuntu2004 SCRIPT_DIR=`dirname $0` $SCRIPT_DIR/../../../bootstrap/generated-dists/$DIST/bootstrap.sh diff --git a/lib/fuzzing/oss-fuzz/check_build.sh b/lib/fuzzing/oss-fuzz/check_build.sh index 501c2c813fc..98b83a81bbf 100755 --- a/lib/fuzzing/oss-fuzz/check_build.sh +++ b/lib/fuzzing/oss-fuzz/check_build.sh @@ -25,8 +25,7
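Review bot: in the configure hunk, the change to "$@" stops arguments containing spaces from being split, but the unchanged context line "cd $PREVPATH" directly below it is still unquoted, so a build tree whose path contains a space would still fail when the script changes back. Suggest quoting it as cd "$PREVPATH" in the same commit. If $PYTHON and $WAF are left unquoted on purpose so that they can carry extra arguments, a one-line comment saying so would prevent someone quoting them later.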
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 18e08c70900 docs: Avoid duplicate information on USER and PASSWD, reference the common section via 9b50d2e52e6 docs: Document all the other ways to send a password to smbclient et al via a363742635c docs: Ensure to rebuild manpages if samba.entities or samba.version changes from 867c6ff9f3f docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 18e08c709002506fe217ca6a7a098fcdc00f8c29 Author: Andrew Bartlett Date: Tue Aug 10 09:20:45 2021 +1200 docs: Avoid duplicate information on USER and PASSWD, reference the common section BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Sep 9 00:52:09 UTC 2021 on sn-devel-184 commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda Author: Andrew Bartlett Date: Tue Aug 10 09:14:08 2021 +1200 docs: Document all the other ways to send a password to smbclient et al This was previously hidden knowledge not easily available to administrators and end users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison commit a363742635c54a6cb19363f4be9d2be2b731a5e6 Author: Andrew Bartlett Date: Tue Aug 10 09:13:15 2021 +1200 docs: Ensure to rebuild manpages if samba.entities or samba.version changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison --- Summary of changes: buildtools/wafsamba/wafsamba.py | 6 - docs-xml/build/DTD/samba.entities | 52 ++- docs-xml/manpages/smbclient.1.xml | 14 +++ 3 files changed, 50 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index dee007bf84e..865975cb2d1 100644 --- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py @@ -946,9 +946,13 @@ def SAMBAMANPAGES(bld, manpages, extra_source=None): bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG for m in manpages.split(): -source = m + '.xml' +source = [m + '.xml'] if extra_source is not None: source = [source, extra_source] +# ${SRC[1]} and ${SRC[2]} are not referenced in the +# SAMBA_GENERATOR but trigger the dependency calculation so +# ensures that manpages are rebuilt when these change. +source += ['build/DTD/samba.entities', 'build/DTD/samba.build.version'] bld.SAMBA_GENERATOR(m, source=source, target=m, diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities index 80e051e7684..beff3cb1f6e 100644 --- a/docs-xml/build/DTD/samba.entities +++ b/docs-xml/build/DTD/samba.entities @@ -595,13 +595,16 @@ - If &pct;password is not specified, the user will be + If &pct;PASSWORD is not specified, the user will be prompted. The client will first check the - USER environment variable, then the - LOGNAME variable and if either exists, - the string is uppercased. If these environmental + USER environment variable + (which is also permitted to also contain the + password seperated by a &pct;), then the + LOGNAME variable (which is not + permitted to contain a password) and if either exists, + the value is used. If these environmental variables are not found, the username - GUEST is used. + found in a Kerberos Credentials cache may be used. @@ -616,9 +619,15 @@ - Be cautious about including passwords in scripts. For - security it is better to let the client ask for the - password if needed. + Be cautious about including passwords in scripts + or passing user-supplied values onto the command line. For + security it is better to let the Samba client tool ask for the + password if needed, or obtain the password once with kinit. +
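Review bot: in the SAMBAMANPAGES hunk of wafsamba.py, source is now created as a list, but the unchanged line "source = [source, extra_source]" still wraps it, so whenever extra_source is passed the value becomes a nested list, [[m + '.xml'], extra_source], before the two DTD files are appended. Suggest source.append(extra_source) there so the list stays flat. The new comment also names ${SRC[1]} and ${SRC[2]} as the unreferenced inputs, which is only true when extra_source is None; with extra_source present the indices shift by one, and the comment should say so.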
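Review bot: in the samba.entities hunk, the added text "which is also permitted to also contain the password seperated by a &pct;" has a doubled "also" and misspells "separated". Since this paragraph now documents that USER may carry a password while LOGNAME may not, the reworded caution paragraph in the following hunk would be a good place to mention that a password placed in USER sits in the process environment, alongside the existing advice to let the tool prompt or to use kinit.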
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 867c6ff9f3f docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values from 16e907f8415 Added russian translate file https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 867c6ff9f3f28ab4bfa0cb1660889f3f5be0d111 Author: Stefan Metzmacher Date: Wed Sep 8 15:10:14 2021 +0200 docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values This matches what smbstatus prints out. Note there's also the removal of an '-' in "hmac-sha-256" => HMAC-SHA256". BUG: https://bugzilla.samba.org/show_bug.cgi?id=14825 RN: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Sep 8 16:37:07 UTC 2021 on sn-devel-184 --- Summary of changes: docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml | 8 docs-xml/smbdotconf/security/clientsmbsigningalgos.xml| 10 +- docs-xml/smbdotconf/security/serversmbencryptionalgos.xml | 8 docs-xml/smbdotconf/security/serversmbsigningalgos.xml| 10 +- lib/param/loadparm.h | 4 ++-- libcli/smb/util.c | 14 +++--- 6 files changed, 27 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml index 27da51ad625..78df3f909e9 100644 --- a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml +++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml 
@@ -9,13 +9,13 @@ It is also possible to remove individual algorithms from the default list, by prefixing them with '-'. This can avoid having to specify a hardcoded list. - Note: that the removal of aes-128-ccm from the list will result + Note: that the removal of AES-128-CCM from the list will result in SMB3_00 and SMB3_02 being unavailable, as it is the default and only available algorithm for these dialects. -aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm -aes-256-gcm --aes-128-gcm -aes-128-ccm +AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM +AES-256-GCM +-AES-128-GCM -AES-128-CCM diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml index 1ad6c09626f..f7c61f3e661 100644 --- a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml +++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml @@ -9,14 +9,14 @@ It is also possible to remove individual algorithms from the default list, by prefixing them with '-'. This can avoid having to specify a hardcoded list. - Note: that the removal of aes-128-cmac from the list will result - in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256 + Note: that the removal of AES-128-CMAC from the list will result + in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256 will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only available algorithms for these dialects. -aes-128-gmac, aes-128-cmac, hmac-sha-256 -aes-128-cmac, hmac-sha-256 --aes-128-cmac +AES-128-GMAC, AES-128-CMAC, HMAC-SHA256 +AES-128-CMAC, HMAC-SHA256 +-AES-128-CMAC diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml index 3217970d4e7..2dd2db98cc5 100644 --- a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml +++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml 
@@ -9,13 +9,13 @@ It is also possible to remove individual algorithms from the default list, by prefixing them with '-'. This can avoid having to specify a hardcoded list. - Note: that the removal of aes-128-ccm from the list will result + Note: that the removal of AES-128-CCM from the list will result in SMB3_00 and SMB3_02 being unavailable, as it is the default and only available algorithm for these dialects. -aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm -aes-256-gcm --aes-128-gcm -aes-128-ccm +AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM +AES-256-GCM +-AES-128-GCM -AES-128-CCM diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml index e73d4f04242..7884e603b5b 100644 --- a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml +++ b/docs-xml/smbdotconf/security/servers
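Review bot: in the clientsmbsigningalgos.xml hunk, "hmac-sha-256" becomes "HMAC-SHA256", which drops a hyphen as well as changing case, so this is a rename of the documented value and not only a capitalisation change. The documentation hunks shown here do not say whether the earlier lower-case spellings are still accepted; please state that in the parameter text, because these options are also used in the '-' removal form (for example "-AES-128-CMAC") and an unrecognised name in that form would leave the algorithm enabled. While touching these lines, "Note: that the removal of" reads better as "Note that the removal of" in all four files.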
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated
via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
via 1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python
via 86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent()
via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once
via 8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix
via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes
via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type
via 8d17a87523b tests/krb5: Add tests for omitting sname in inner request
via c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body
via b628cda6604 tests/krb5: Add tests for omitting sname in request
via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data
via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST
via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase
via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
via b6496bd5990 tests/krb5: Make cname checking less strict
via c9b594a1a21 tests/krb5: Make e-data checking less strict
via ef69ac460bc Update common on currently supported Fedora versions
via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34
via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10
via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
via e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel)
via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
via e850967129d autobuild.py: Explain why each job is removed from the default set
via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb
via 2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup
via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
via 535bd82604e mit-samba: Only set the function opening bracket once
via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting
via 9698e453ae9 mit-samba: Send the logging to the kdc log facility
via 4bf41b6ccf5 mit-samba: Define debug class for kdb module
via 07cfa4d6f95 tests/krb5: Add FAST tests
via 003307b7d34 initial FAST tests
via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply
via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies
via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply
via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST
via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error
via fc2ec4b9e01 tests/krb5: Add get_krbtgt_sname() method
via 6ed03543ea0 tests/krb5: Remove unused variables
via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply
via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict
via d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
via 6457ecee2a9 tests/krb5: Check encrypted-pa-data
via 79972f42603 tests/krb5: Add methods to determine whether elements were included in the r
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 7289e15 support/globalsupport.html: update my description from 2896b86 support/globalsupport.html: Order SerNet colleagues by name. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 7289e15f747fb618a7ff07a8c5bb5523a0af09c7 Author: Ralph Boehme Date: Wed Sep 8 09:57:35 2021 +0200 support/globalsupport.html: update my description --- Summary of changes: support/globalsupport.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/support/globalsupport.html b/support/globalsupport.html index aa4982f..1f733c1 100644 --- a/support/globalsupport.html +++ b/support/globalsupport.html @@ -82,7 +82,7 @@ Members of the core http://samba.TEAM"; target=_blank>samba.TEAM wor mailto:b...@samba.org>Björn Baumbach is maintainer of SAMBA+ and fixes numerous Samba bugs. -mailto:r...@samba.org>Ralph Böhme is maintainer of Netatalk and implements its features to Samba. +mailto:s...@samba.org>Ralph Böhme works on the Samba fileserver and is the team lead of the SerNet Samba team. mailto:b...@samba.org>Björn Jacke is Samba expert since almost ever and integrated Samba in networks of all sizes. -- Samba Website Repository
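Review bot: the replaced Ralph Böhme line in support/globalsupport.html changes the mailto target as well as the description text (r...@samba.org becomes s...@samba.org), while the commit subject only says "update my description". Mention the address change in the commit message, or split it into its own commit, so that a contact-address change on the support page is an explicit, reviewable item rather than a side effect of a wording edit.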