[SCM] Samba Shared Repository - annotated tag tdb-1.3.9 created

Stefan Metzmacher metze at samba.org
Mon Apr 11 18:35:17 UTC 2016

The annotated tag, tdb-1.3.9 has been created
        at  b53028b2d9e583aee1bee432dd3c80db1d4efa3b (tag)
   tagging  acf6deb6981f3e4043b51c1ed134362cc9112d2c (commit)
  replaces  talloc-2.1.6
 tagged by  Stefan Metzmacher
        on  Mon Apr 11 20:35:02 2016 +0200

- Log -----------------------------------------------------------------
tdb: tag release tdb-1.3.9
Version: GnuPG v1


Alexander Bokovoy (1):
      s4-libnet: only build python-dckeytab module for Heimdal in AD DC mode

Amitay Isaacs (39):
      ctdb-doc: Sort the tunable variables in alphabetical order
      ctdb-tunables: Add missing flags in the initializer
      ctdb-tunables: Mark tunable MaxRedirectCount obsolete
      ctdb-tunables: Mark tunable ReclockPingPeriod obsolete
      ctdb-doc: Update tunables documentation
      ctdb-doc: Add documentation for missing tunables
      ctdb-recovery-helper: Get tunables first, so control timeout can be set
      ctdb-tunables: Fix the implementation of LIST_TUNABLES control
      ctdb-doc: Update ctdb man page
      ctdb-doc: Update ctdb man page
      ctdb-client: Increase the timeout for TRANS3_COMMIT control
      ctdb-protocol: Check header is not null before copying
      ctdb-protocol: Add protocol debug routines
      ctdb-tests: Add a utility to parse ctdb packets
      ctdb-client: Add client API for sending message to multiple nodes
      ctdb-tunables: Add new tunable RecBufferSizeLimit
      ctdb-protocol: Add new data type ctdb_pulldb_ext for new control
      ctdb-protocol: Add new controls DB_PULL and DB_PUSH_START/DB_PUSH_CONFIRM
      ctdb-daemon: Implement new controls DB_PULL and DB_PUSH_START/DB_PUSH_CONFIRM
      ctdb-client: Add client API functions for new controls
      ctdb-recovery-helper: Factor out generic recv function
      ctdb-recovery-helper: Pass capabilities to database recovery functions
      ctdb-recovery-helper: Rename pnn to dmaster in recdb_records()
      ctdb-recovery-helper: Create accessors for recdb structure fields
      ctdb-protocol: Add file IO functions for ctdb_rec_buffer
      ctdb-recovery-helper: Re-factor function to retain records from recdb
      ctdb-recovery-helper: Write recovery records to a recovery file
      ctdb-protocol: Introduce variable for checking srvid prefix
      ctdb-protocol: Add srvid for messages during recovery
      ctdb-protocol: Add new capability
      ctdb-recovery-helper: Introduce pull database abstraction
      ctdb-recovery-helper: Introduce push database abstraction
      ctdb-tests: Add a test for recovery of large databases
      ctdb-recovery-helper: Improve log message
      ctdb-recovery-helper: Introduce new #define variable
      ctdb-protocol: Add srvid for assigning banning credits
      ctdb-recoverd: Add message handler to assigning banning credits
      ctdb-recovery-helper: Add banning to parallel recovery
      ctdb-system: Add ctdb_parse_connections() function

Andreas Schneider (33):
      s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
      s3-libads: Call smb_krb5_create_key_from_string() directly
      s3-libads: Use the C99 boolean false
      krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap
      krb5_wrap: Add smb_krb5_open_keytab_relative() function
      s3-libnet: Allow the keytab function to use a relative path
      s4-libnet: Implement export_keytab without HDB
      s4-selftest: Make export keytab test heimdal specific
      krb5-wrap: Use the principal returned by the KDC to create the ccache
      mit_samba: Make mit_samba a shim layer between Samba and KDB
      mit_samba: Directly pass the principal and kflags
      mit_samba: Add ks_is_tgs_principal()
      mit_samba: Add function to change the password
      mit_samba: Add functions to generate random password and salt.
      mit_samba: Add function for handling bad password count
      mit_samba: Setup logging to stdout
      wscript: Build the KDC code if we have the AD DC build enabled
      mit-kdb: Add initial MIT KDB Samba driver
      mit-kdb: Add more ks_is_kadmin* functions.
      mit-kdb: Do not allow to get a kadmin ticket as a client.
      mit-kdb: Add ks_create_principal().
      mit-kdb: Add ks_get_admin_principal() and use it for kadmin users.
      mit-kdb: Implement KDB function to change passwords
      mit-kdb: Add support for bad password count
      mit-kdb: Add support for KDB version 8
      mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer
      mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests
      lib: Update socket_wrapper to version 1.1.6
      lib: Update uid_wrapper to version 1.2.1
      lib: Update nss_wrapper to version 1.1.3
      s4-libnet: Link dckeytab.so correctly when is AD DC enabled
      pam_winbind: Use the correct type to check the pam_parse() return code
      pam_winbind: Create and use a wbclient context

Andrew Bartlett (4):
      selftest: Avoid sorting issues on Ubuntu 10.04 vs 14.04
      smbd: Only check dev/inode in open_directory, not the full stat()
      dsdb/repl: Ensure we use the LOCAL attid value, not the remote one

Anubhav Rakshit (1):
      torture:smb2: Add test replay6 to verify Error Codes for DurableHandleReqV2 replay

Aurelien Aptel (6):
      s3/utils/regedit.c: typo
      s4/auth/ntlm/auth_unix.c: add parens
      s4/client/cifsdd.c: typo
      s4/heimdal/lib/gssapi/mech/gss_compare_name.c: typo
      s4/heimdal/lib/krb5/pac.c: typo
      examples/perfcounter/perf_writer.c: fix memset

Christof Schmitt (7):
      gpfswrap: Add wrapper for gpfs_set_winattrs
      vfs_gpfs: Implement new dos_attributes vfs functions
      vfs_gpfs: Remove xattr functions
      vfs: Add helper to check for missing VFS functions
      vfs_full_audit: Assert that all VFS functions are implemented
      vfs_time_audit: Assert that all VFS functions are implemented
      selftest: Load time_audit and full_audit

Douglas Bagnall (36):
      util/binsearch: macro for greater than or equal search
      util/tests: add test for BINARY_ARRAY_SEARCH_V macro
      ldb paged_results: quieten a warning.
      ldb controls: better error string for VLV control
      ldap VLV: memdup, not strdup VLV context_id
      vlv: better syntax for parsing greater than or equal strings
      ASN1: use a talloc context in read_contextSimple
      ldb controls: use uint8_t* for contextID binary blob
      asn1: make readContextSimple() add a NUL byte
      ldb_controls: add base64 option to VLV
      Add python server sort tests
      ldb sort: allow sorting on attributes not returned in search
      torture_ldap_sort: avoid segfault
      configure: set HAVE___ATTRIBUTE__ for heimdal
      ldb client controls: avoid talloc_memdup(x, y, (size_t)-1);
      ndr: avoid unnecessary searches of token list
      librpc ndr: add ndr_pull_steal_switch_value()
      ndr: Use ndr_steal to avoid long lists
      ndr: inline search for ndr_token_peek()
      ndrdump: add quiet flag
      Implement Virtual List View (VLV)
      ldb controls: don't ignore memory allocation failure
      ldb sort tests: point out a known fails against Windows
      dsdb sort test: avoid exception with fewer elements
      dsdb python tests: fix several usage strings
      ldb client controls: don't ignore failed memdup
      ldb controls: allow paged_search to use a cookie
      ldb_controls: avoid unnecessary unchecked talloc_asprintf()s
      util/attr.h: use HAVE___ATTRIBUTE__, not __GNUC__ comparisons
      libreplace: use HAVE___ATTRIBUTE__ instead of __GNUC__
      tevent.h: use HAVE___ATTRIBUTE__ instead of __GNUC__
      s3/modules/getdate: use HAVE___ATTRIBUTE__ instead of __GNUC__
      mdssvc/sparql_parser.c: use HAVE___ATTRIBUTE__ instead of __GNUC__
      s4/lib/wmi_wrap: use HAVE___ATTRIBUTE__ instead of __GNUC__
      third_party/zlib/zlib.h: use HAVE___ATTRIBUTE__ instead of __GNUC__
      VLV: avoid name conflict with string.h's index()

Garming Sam (22):
      tests: Allow alternative error code for backupkey test
      ldb controls: base64 encode VLV response context strings
      ldap VLV: use correct ASN.1 encoding for requests
      ldap: fix search control rule identifiers ASN.1 type
      ldap VLV: correct ASN1 parsing of VLV requests
      CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
      CVE-2016-0771: tests/dns: prepare script for further testing
      CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
      CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
      CVE-2016-0771: tests/dns: restore formerly segfaulting test
      CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
      CVE-2016-0771: tests/dns: Add some more test cases for TXT records
      CVE-2016-0771: tests/dns: modify tests to check via RPC
      CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
      CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
      CVE-2016-0771: tests: rename test getopt to get_opt
      CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
      CVE-2016-0771: tests/dns: Remove dependencies on env variables
      tests: Allow alternative error code for backupkey test
      build: mark explicit dependencies on pytalloc-util
      sort: enable custom behaviour on critical control
      autobuild: Return the last 50 log lines

G√ľnther Deschner (31):
      auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
      lib/socket/interfaces: Fix some uninitialied bytes.
      Partly revert "s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add"
      s3:libnet:libnet_join: prepare to allow connecting with machine creds.
      s3:libads:ldap: print LDAP error message with log level 10.
      s3:libads:ndr: add ADS_AUTH_USER_CREDS to ndr_print_ads_auth_flags()
      s3:libads:ldap: fix ads_check_ou_dn to deal with account_ou not being initialized
      s3:libnet:libnet_join: always try to create machineaccount via LDAP first.
      s3:librpc:idl:libnet_join: add encryption types to libnet_JoinCtx.
      s3:libnet:libnet_join: define list of desired encryption types only once.
      s3:libnet:libnet_join: fill in output enctypes and only modify when necessary.
      s3:libnet:libnet_join: update msDS-SupportedEncryptionTypes (if required) with machine creds.
      param: add parameter "server multi channel support", defaults to off.
      s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.
      s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.
      wscript: detect if we have libkdb5 and kdb.h.
      s4-kdc: Introduce a simple sdb_kdb shim layer
      mit_samba: Use sdb in the mit_samba plugin
      mit_samba: Use talloc_zero in mit_samba_context_init().
      mit-kdb: Do not overwrite the error code in failure case.
      mit-kdb: Use calloc so both authdata elements are zeroed
      mit-kdb: Use calloc to initialize master keylists.
      mit-kdb: Return 0 in kdb_samba_db_put_principal()
      mit-kdb: Restrict admin/changepw principal db_entry with some flags
      s4-smb_server: check for return code of cli_credentials_set_machine_account().
      s3-auth: check for return code of cli_credentials_set_machine_account().
      s3:smbXsrv.idl: add 8 byte channel_sequence number and request counters to IDL.
      libcli:smb:smbXcli_base: add smb2cli_session_current_channel_sequence() call.
      torture:smb2: add test for checking sequence number wrap around.
      lib/torture: add torture_assert_u64_not_equal_goto macro
      s4:torture:smb2:rename.c: Fix file permissions.

Herwin Weststrate (1):
      Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth

Jeremy Allison (69):
      CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
      CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
      CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
      CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
      CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
      CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
      CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
      CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
      CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
      CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
      CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
      CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
      s3:lib. Add split_stream_filename() Not yet used.
      s3:lib: Rewrite synthetic_smb_fname_split() to use split_stream_filename().
      s3:lib: Remove the const SMB_STRUCT_STAT * parameter from synthetic_smb_fname_split().
      s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split().
      s3: smbd: Simplify logic inside rename_internals_fsp() part 1.
      s3: smbd: Simplify logic inside rename_internals_fsp() part 2
      s3: smbd: Remove the last lp_posix_pathnames() in the rename path.
      s3:smbd: Fix build for vfs_aixacl2.c.
      s3:smbd:vfs: Change smb_get_nt_acl_nfs4() to take a const struct smb_filename *.
      s3:smbd:vfs: Change posix_get_nt_acl() from const char * to const struct smb_filename *.
      s3:vfs: Change smbacl4_GetFileOwner() to take const struct smb_filename * from const char *.
      s3: vfs: vfs_hpuxacl. refuse_symlink() means we can always use STAT here.
      s3: vfs: vfs_solarisacl. refuse_symlink() means we can always use STAT here.
      s3:vfs: vfs_streams_xattr.c - Remove duplicate code. This is exactly vfs_stat_smb_basename().
      s3:vfs: vfs_streams_xattr.c: Change walk_xattr_streams() to const struct smb_filename * from const char *.
      s3: smbd: Reformatting - remove unneeded const char *fname variable.
      s3: smbd: Change canonicalize_ea_name() to take a const smb_filename * parameter from const char *.
      s3:smbd: Change get_ea_list_from_file_path() to take a const smb_filename * parameter from const char *.
      s3:smbd: Change get_ea_names_from_file() to take a const smb_filename * parameter from const char *.
      s3:smbd: Change refuse_symlink() to take a const smb_filename * parameter from const char *.
      s3:vfs: Change get_acl_blob() to take a const smb_filename * parameter from const char *.
      s3: vfs: vfs_xattr_tdb - cleanup. Remove unneeded variable "path".
      nsswitch: linux: Remove use of strcpy().
      examples: Remove all uses of strcpy in examples (except for validchr.c).
      lib:tdb: Remove use of strcpy in tdb test.
      nsswitch: winbind_nss_aix: Remove all uses of strcpy.
      nsswitch: winbind_nss_solaris.c: Remove unused macro containing strcpy.
      s3:smbd: Fix build for vfs_afsacl.c.
      s3: vfs: vfs_afsacl. refuse_symlink() means we can always use STAT here.
      s3:smbd: Move lp_posix_pathnames() out of ea_list_has_invalid_name().
      s3: smbd: Add uint32_t flags field to struct smb_filename.
      s3: Filenames: Add uint32_t flags parameter to synthetic_smb_fname().
      s3: vfs: Remove use of lp_posix_pathnames() below the VFS.
      s3: posix_acls. Always use STAT, not LSTAT here.
      s3: smbd: Remove unneeded lp_posix_pathnames() check in SMB2 create.
      s3: smbd: Remove many common uses of lp_posix_pathnames().
      s3: vfs: recycle. Remove use of vfs_stat_smb_basename().
      s3: vfs: vfs_acl_tdb. Remove use of vfs_stat_smb_basename().
      s3: smbd: Modify vfs_stat_smb_basename() to take a const struct smb_filename * instead of const char *.
      s3: torture. Remove spurious lp_posix_pathnames() included by cut-and-paste error.
      s3: smbd: DFS - Remove the last lp_posix_pathnames() from the SMB2/3 code paths.
      s3: smbd: DFS: Pass uint32_t ucf_flags through into resolve_dfspath_wcard().
      s3: smbd: DFS: Pass uint32_t ucf_flags through into dfs_redirect().
      s3: smbd: DFS: Pass uint32_t ucf_flags through into unix_convert().
      s3: vfs: Use the new VFS functions for setting and getting DOS attributes.
      lib:replace: Missing semicolon on function definition.
      s3: vfs: full_audit. Sort vfs fn list and add comments on missing entries.
      s3: vfs: full_audit. Add missing get_dfs_referrals_fn().
      s3: vfs: full_audit. Add missing fsctl_fn().
      s3: vfs: full_audit. Add audit_file_fn().
      s3: vfs: full_audit. Implement missing durable_XXX functions.
      s3: vfs: Sort vfs function entries in vfs_time_audit.
      s3: vfs: time_audit. Add missing get_dfs_referrals().
      s3: vfs: time_audit. Add missing fsctl().
      s3: vfs: time_audit: Add get/fget/set/fset dos_attributes functions.
      s3: vfs: time_audit. Add missing audit_file().
      s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.

Jorge Schrauwen (1):
      configure: Don't check for inotify on illumos

Martin Schwenke (42):
      ctdb-tests: Fix description of NFS tickle test
      ctdb-tests: Fix CIFS tickle test
      ctdb-tests: Re-indent and re-format some functions
      ctdb-tests: Allow tcptickle_sniff_wait_show() to filter by MAC address
      ctdb-tests: Add a new NFS tickle test for the releasing node
      ctdb-doc: Drop outdated NEWS file
      ctdb-tools: Drop "ctdb rebalanceip"
      ctdb-tools: Drop "ctdb rebalancenode"
      ctdb-recoverd: Drop use of DeferredRebalanceOnNodeAdd tunable
      ctdb-tunables: Mark tunable DeferredRebalanceOnNodeAdd obsolete
      ctdb-daemon: Validate length of new interface names
      ctdb-daemon: Replace an unsafe strcpy(3) call
      ctdb-util: Move rb_tree.c to ctdb-util
      ctdb-tests: Link ctdb-util instead of including
      ctdb-killtcp: Use the given event context directly
      ctdb-killtcp: Determine the interface as soon as vnn is known
      ctdb-killtcp: Avoid CTDB_NO_MEMORY()
      ctdb-killtcp: Change struct ctdb_tcp_kill to store arbitrary destructor data
      ctdb-killtcp: Factor out ctdb_killtcp()
      ctdb-killtcp: Factor out killtcp code into separate file.
      ctdb-killtcp: Avoid unnecessary dependency on lib/util/time.h
      ctdb-killtcp: Simplify includes by using ctdb_sock_addr_to_string()
      ctdb-killtcp: New helper ctdb_killtcp
      ctdb-scripts: Add interface argument to kill_tcp_connections()
      ctdb-scripts: Use ctdb_killtcp helper to kill connections
      ctdb-tools: Drop "ctdb killtcp" command
      ctdb-client: Drop killtcp client functions
      ctdb-daemon: Remove implementation of CTDB_CONTROL_KILL_TCP
      ctdb-protocol: Drop killtcp protocol support
      ctdb-killtcp: Merge "common" killtcp code into helper
      ctdb-killtcp: Drop check to see if capture socket can be read
      ctdb-killtcp: Drop unnecessary casts
      ctdb-killtcp: Don't send initial tickle ACK during setup
      ctdb-killtcp: Set debug level via environment variable CTDB_DEBUGLEVEL
      ctdb-killtcp: Clarify a debug message
      ctdb-system: Return window size and RST bit when reading TCP packets
      ctdb-killtcp: Filter out sent packets
      ctdb-killtcp: Keep track of number of kill attempts and maximum allowed
      ctdb-killtcp: Don't count attempts for individual connections
      ctdb-killtcp: Store retry interval in killtcp structure
      ctdb-killtcp: Send tickle ACKs in batches
      ctdb-killtcp: Change default retry interval, batch size and attempts

Michael Adam (21):
      smbd:smb2: remove an unnecessary !! cast.
      smbd: enable multi-channel if 'server multi channel support = yes' in the config
      s3:winbindd:idmap: add domain_has_idmap_config() helper function.
      idmap_hash: rename be_init() --> idmap_hash_initialize()
      idmap_hash: only allow the hash module for default idmap config.
      smbd: fix use after free via conn->fsp_fi_cache
      smbd:smb2: add a modify flag to dispatch table
      smbd:smb2: add request_counters_updated to the smbd_smb2_request struct
      smbd:smb2: implement channel sequence checks and request counters in dispatch
      smbd:smb2: update outstanding request counters before sending a reply
      smbd:smb2: add some asserts before decrementing the counters
      torture:smb2: use assert, not warning in error case in durable-open.reopen1a
      torture:smb2: fix crashes in smb2.durable-open.reopen1a test
      torture:smb2: durable-open.reopen1a only needs one io struct
      torture:smb2: for oplocks, durable reconnect works with different client guid
      torture:smb2: add durable-open.reopen1a-lease
      torture:smb2: use assert, not warning in error case in durable-v2-open.reopen1a
      torture:smb2: fix crashes in smb2.durable-v2-open.reopen1a test
      torture:smb2: get rid of supefluous io2 var in durable-v2-open.reopen1a
      torture:smb2: for oplocks, durable reconnect works with different client-guid
      torture:smb2: add durable-v2-open.reopen1a-lease

Ralph Boehme (4):
      testparm: vfs_fruit checks
      docs: update vfs_fruit manpage
      s3:mdssvc: older glib2 versions require g_type_init()
      tdb: avoid a race condition when checking for robust mutexes

Richard Sharpe (2):
      Fix an obvious error where we were converting a UNIX error to an NT STATUS but not returning it.
      s3: vfs: Add VFS functions for setting and getting DOS attributes.

Robin Hack (1):
      samba3.blackbox.smbclient_auth.plain: Add new regression test case.

Rowland Penny (1):
      Bug 11818 : obvious missing word When trying to demote a dc, 'remove_dc.remove_sysvol_references' is sent 'remote_samdb, dc_name' , it expects 'remote_samdb, logger, dc_name'

Santiago Vila (1):
      examples/smb.conf.default: Fix typo in comment line: sever -> server

Shyamsunder Rathi (1):
      s3/vfs:stream_depots: Parse substitutions in streams-depot-directory path

Stefan Metzmacher (118):
      CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
      CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
      CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
      CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
      CVE-2016-0771: dns.idl: make use of dnsp_hinfo
      lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
      lib/util_net: add support for .ipv6-literal.net
      s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
      s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
      epmapper.idl: make epm_twr_t available in python bindings
      dcerpc.idl: make WERROR RPC faults available in ndr_print output
      librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
      s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
      s3:libads: remove unused ads_connect_gc()
      wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
      s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
      s3:librpc/gse: fix debug message in gse_init_client()
      s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
      s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
      s3:librpc/gse: don't log gss_acquire_creds failed at level 0
      s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
      s4:pygensec: make sig_size() and sign/check_packet() available
      auth/gensec: keep a pointer to a possible child/sub gensec_security context
      auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
      auth/gensec: make gensec_security_by_name() public
      s3:auth_generic: add auth_generic_client_start_by_name()
      s3:auth_generic: add auth_generic_client_start_by_sasl()
      auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
      auth/ntlmssp: add gensec_ntlmssp_server_domain()
      s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
      s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
      s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
      s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
      winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
      s3:auth_generic: make use of the top level NTLMSSP client code
      s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
      auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
      auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
      auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
      s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
      winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
      s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
      auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
      auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
      auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
      auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
      auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
      auth/ntlmssp: add ntlmssp_version_blob()
      auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
      auth/ntlmssp: use ntlmssp_version_blob() in the server
      security.idl: add LSAP_TOKEN_INFO_INTEGRITY
      ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
      ntlmssp.idl: make AV_PAIR_LIST public
      librpc/ndr: add ndr_ntlmssp_find_av() helper function
      auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
      auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
      auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
      s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
      s4:libcli/ldap: fix retry authentication after a bad password
      s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
      s4:selftest: simplify the loops over samba4.ldb.ldap
      s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: add missing TALLOC_FREE(frame) in error path
      s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
      s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
      s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
      s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
      s3:libads: keep service and hostname separately in ads_service_principal
      s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
      s3:libsmb: make use gensec based SPNEGO/NTLMSSP
      s3:libsmb: unused ntlmssp.c
      s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
      s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
      s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
      s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
      s3:libsmb: remove unused cli_session_setup_kerberos*() functions
      s3:libsmb: remove unused functions in clispnego.c
      s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
      s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
      s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
      s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
      s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
      s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
      s4:rpc_server: dcesrv_generic_session_key should only work on local transports
      s4:dsdb/test/notification: make test_invalid_filter more resilient against ordering races
      s4:dsdb/test/sort: avoid 'from collections import Counter'
      selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping
      s3:winbindd: don't unclude two '\0' at the end of the domain list
      s4:torture/lsa: improve debug message
      s3:wscript: pylibsmb depends on pycredentials
      ldb-samba:wscript: python_samba__ldb depends on pyauth
      selftest: s!addc.samba.example.com!addom.samba.example.com!
      selftest: add some helper scripts to mange a CA
      selftest: add config and script to create a samba.example.com CA
      selftest: add CA-samba.example.com (non-binary) files
      selftest: add CA-samba.example.com binary files (currently unused by Samba)
      selftest: mark commands in manage-CA-samba.example.com.sh as DONE
      selftest: add Samba::prepare_keyblobs() helper function
      selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
      selftest: set tls crlfile if it exist
      selftest: setup information of new samba.example.com CA in the client environment
      s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
      s3:test_rpcclient_samlogon.sh: test samlogon with schannel
      s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
      s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
      s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
      s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
      s4:torture/rpc/schannel: don't use validation level 6 without privacy
      auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
      auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
      s4:rpc_server: require access to the machine account credentials
      s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
      s3:rpc_server/samr: correctly handle session_extract_session_key() failures
      s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
      Revert "autobuild: Return the last 50 log lines"
      selftest/Samba3: use the correct "SELFTEST_WINBINDD_SOCKET_DIR" for "net join"
      tdb: version 1.3.9

Uri Simchoni (24):
      selftest: run net ads join test in a private client env
      selftest: add some test cases to net ads join
      build: fix disk-free quota support on Solaris 10
      build: improve comments in tests/oldquotas.c
      smbd: remove quota support for some ancient OSs
      build: fix build when --without-quota specified
      vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
      seltest: add test for "ignore system acls" in vfs_acl_xattr.
      lib/util: fix function comment
      s3-profile: reduce dependencies of smbprofile.h
      s3-profile: add PROFILE_TIMESTAMP macro
      asys: call clock_gettime_mono() only on profile-enabled build
      vfs_aio_linux: call clock_gettime_mono() only on profile-enabled build
      vfs_aio_fork: call clock_gettime_mono() only on profile-enabled build
      vfs_glusterfs: call clock_gettime_mono() only on profile-enabled build
      nt-quotas: vfs_get_ntquota() return NTSTATUS
      nt-quotas: return 0 as indication of no quota
      ntquotas - skip entry if the quota is zero
      sys-quotas: do not fail if user has no quota
      xfs-quota: do not fail if user has no quota
      nfs-quota: do not fail on ECONNREFUSED
      smbd: do not cover up VFS failures to get quota
      smbcquotas: print "NO LIMIT" only if returned quota value is 0.
      tdb: rework cleanup logic in tdb_runtime_check_for_robust_mutexes()

Volker Lendecke (25):
      vfs_united_media: Fix CID 1355492 Uninitialized scalar variable
      smbd: Avoid an "else"
      smbd: Prevent a crash
      libads: Fix CID 1356316 Uninitialized pointer read
      crypto: Fix CID 1356314 Resource leak
      lib: Fix CID 1356315 Dereference before null check
      ctdb: Fix CID 1356313 Explicit null dereferenced
      libsmb: Fix CID 1356312 Explicit null dereferenced
      winbind: Fix CID 1357100 Unchecked return value
      torture: Fix the O3 developer build
      idmap: Factor out lp_scan_idmap_domains()
      winbind: Introduce id_map_ptrs_init
      winbind: Do per-domain xids2sids calls
      winbind: Add idmap_backend_unixids_to_sids
      winbind: Pass down the domain name to xids2sids
      winbind: Use plural xids2sids in _wbint_UnixIDs2Sids
      winbind: Remove unused idmap_[ug]id_to_sid
      winbind: Remove unused idmap_backends_unixid_to_sid
      winbind: Fix a typo in a wrong comment...
      pam_winbind: Avoid a use of sprintf
      docs: build idmap_script.8 by default
      docs: Mention _NO_WINBINDD in idmap_script.8
      nwrap: Fix the build on Solaris
      vfs_catia: Align loop index with terminator
      vfs_catia: Fix bug 11827, memleak


Samba Shared Repository

More information about the samba-cvs mailing list