[SCM] Samba Shared Repository - branch v4-3-test updated

Stefan Metzmacher metze at samba.org
Tue Apr 12 19:14:19 UTC 2016

The branch, v4-3-test has been updated
       via  cd143a4 VERSION: Bump version up to 4.3.9
       via  5bd1f11 Merge tag 'samba-4.3.8' into v4-3-test
       via  4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
       via  10e9011 WHATSNEW: Add release notes for Samba 4.3.8.
       via  ad9257b s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
       via  caa886e VERSION: Bump version up to 4.3.8...
       via  6597749 VERSION: Disable git snapshots for the 4.3.7 release.
       via  17e1b9f WHATSNEW: Add release notes for Samba 4.3.7.
       via  0e2bcca CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
       via  9ec6afa CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
       via  21fe775 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
       via  a141a37 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
       via  6ac5ad0 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
       via  51a4a8f CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
       via  cd2911f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
       via  ac0d474 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
       via  4449c51 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
       via  365fffe CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
       via  bc001b0 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
       via  7ab9a8c CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
       via  7f2d791 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
       via  73550f4 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
       via  46ddaf3 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
       via  f3a67c2 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
       via  278cdd1 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
       via  adaf1ae CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
       via  14d97d4 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
       via  dbcd01e CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
       via  3f6a270 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
       via  11df891 CVE-2015-5370: s3:rpc_server: verify presentation context arrays
       via  9832a22 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
       via  e1b75bc CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
       via  84cbf3d CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
       via  d11c5d3 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
       via  476c2f5 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
       via  8695339 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
       via  a4a828e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
       via  db297a7 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
       via  905313c CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
       via  0cf8404 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
       via  e87721a CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
       via  8e691e7 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
       via  f606cfd CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
       via  f39183c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
       via  28d558e CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
       via  db30949 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
       via  cce7265 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
       via  795b44e CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
       via  67e2661 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
       via  f77f9bf CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
       via  3239e26 CVE-2015-5370: s4:rpc_server: check frag_length for requests
       via  d249ce6 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
       via  0e26f3c CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
       via  6ed0ef7 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
       via  615019f CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
       via  e0b58a1 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
       via  cf0a939 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
       via  f0d318f CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
       via  6228c53 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
       via  a7d02ec CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
       via  1d99eec CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
       via  6b2d064 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
       via  26ad208 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
       via  2ed603a CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
       via  e9511b5 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
       via  5ab994c CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
       via  6db7571 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
       via  9f62223 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
       via  4ea6765 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
       via  8ba1be0 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
       via  69e1d93 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
       via  5eb3b63 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
       via  3165b23 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
       via  563d8fe CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
       via  fd3b82e CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
       via  1077b50 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
       via  5325276 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
       via  f8b98b3 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
       via  16e3a4c CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
       via  308543b CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
       via  08f976d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
       via  0235d72 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
       via  df2dcc1 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
       via  443e00f CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
       via  1551c41 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
       via  9b9d307 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
       via  735d4ba CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
       via  21b9022 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
       via  821d484 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
       via  447f9f1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
       via  220e4ca CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
       via  e6da619 CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
       via  3df2b07 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
       via  0899c0a CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
       via  71c2c21 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
       via  e39b737 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
       via  5be0fb1 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
       via  f64b017 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
       via  47d8c31 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
       via  1c7be37 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
       via  82dd128 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
       via  e96791f CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
       via  6602e7e CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  45a9ca1 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  e9718e2 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
       via  4762d25 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  1ac5f37 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  3ba93ce CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
       via  a2d14bb CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  6045947 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  8f219a0 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  7869c5f CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  20e4023 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  ca98500 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  7b93802 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
       via  e7be37e CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
       via  979067f CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
       via  101e8e8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
       via  9ae9c64 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  d5659c7 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  0a3d923 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
       via  9bfa937 CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
       via  5eb6341 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
       via  e8dc268 CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
       via  31e7611 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
       via  fa2630f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
       via  2d68100 CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
       via  cdad358 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
       via  b66500f CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
       via  27c66c4 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
       via  9339d90 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
       via  38552d7 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
       via  bdff08d CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
       via  2b23bc3 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
       via  5859266 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
       via  e0588d9 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
       via  2220923 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
       via  60851a0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
       via  7903203 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
       via  c21c9a3 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
       via  2c13697 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
       via  668cc85 CVE-2016-2115: docs-xml: add "client ipc signing" option
       via  9fa185c CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
       via  2f7d773 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
       via  25b05a8 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
       via  8611441 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
       via  7c6c666 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
       via  67f8524 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
       via  2217276 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
       via  641cbcc CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
       via  d778580 CVE-2016-2113: selftest: use "tls verify peer = no_check"
       via  dc4f8d0 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
       via  fdac236 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
       via  389b15e CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
       via  54a039d CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
       via  c20ee1b CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
       via  fc02668 CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
       via  9ca8e88 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
       via  27f1625 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
       via  104a691 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
       via  a027a87 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
       via  8dad04c CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
       via  c7f2a10 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
       via  90cc943 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
       via  963236f CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
       via  b012535 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
       via  e9cfd12 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
       via  5172192 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
       via  6977700 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
       via  e072666 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
       via  b723d97 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
       via  a8c60aa CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
       via  60647fa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
       via  dbdd9cb CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
       via  ff1e470 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
       via  e260f6a CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
       via  3643bc9 CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
       via  3dbb32c CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
       via  eaabdc1 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
       via  f319256 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
       via  f22b75d CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
       via  a1ae538 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
       via  5dbffb8 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
       via  b6899e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
       via  8e1e621 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
       via  9784d68 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  473bbfa CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  984d024 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
       via  5074d1e CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
       via  7434b8d CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
       via  630e39d CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  b9b3b1e CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  2f393b3 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
       via  fb8bb0f CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
       via  b76361d CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
       via  a6d1056 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
       via  fc9df72 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
       via  95a1c91 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
       via  39dd2c6 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
       via  299b49f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
       via  a278c35 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
       via  1cc7fbe CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
       via  8cae040 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
       via  b5e95cc CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
       via  3ae39af CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
       via  f32ad5c CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
       via  3673533 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
       via  9440fa8 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
       via  efe18dc CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
       via  0e3bb02 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
       via  8714377 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
       via  677e214 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
       via  2ee222b CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
       via  a7a0d2e CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
       via  d29c945 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
       via  4e5c214 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
       via  f914050 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
       via  8df0d59 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
       via  25f0a4c s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
       via  cce2e6a s3:rpc_server/samr: correctly handle session_extract_session_key() failures
       via  343637b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
       via  ba36c3f libads: Fix CID 1356316 Uninitialized pointer read
       via  e681d11 libsmb: Fix CID 1356312 Explicit null dereferenced
       via  656795b s3-auth: check for return code of cli_credentials_set_machine_account().
       via  6db7be4 s4-smb_server: check for return code of cli_credentials_set_machine_account().
       via  bca3039 s4:rpc_server: require access to the machine account credentials
       via  a6e7f49 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
       via  c0beb87 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
       via  5cdddba s4:torture/rpc/schannel: don't use validation level 6 without privacy
       via  61a09ae s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
       via  1cd3836 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
       via  8665944 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
       via  46f52e7 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
       via  1103a6b s3:test_rpcclient_samlogon.sh: test samlogon with schannel
       via  6a3a45d s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
       via  3f05c5a selftest: setup information of new samba.example.com CA in the client environment
       via  1311631 selftest: set tls crlfile if it exist
       via  739e896 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
       via  0ad8ef8 selftest: add Samba::prepare_keyblobs() helper function
       via  f058da2 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
       via  8be3031 selftest: add CA-samba.example.com (non-binary) files
       via  08976c4 selftest: add config and script to create a samba.example.com CA
       via  158e06d selftest: add some helper scripts to mange a CA
       via  f91a66f selftest: s!addc.samba.example.com!addom.samba.example.com!
       via  1346b27 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
       via  663ec33 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
       via  5182c93 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
       via  44e2da8 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
       via  fd1e4ec s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
       via  32ad277 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
       via  e09c17a s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
       via  2d6afd9 s3:libsmb: remove unused functions in clispnego.c
       via  979fc6a s3:libsmb: remove unused cli_session_setup_kerberos*() functions
       via  8a1d0a9 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
       via  70d546d s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
       via  c4c3bd6 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
       via  1498885 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
       via  e8b6ef4 s3:libsmb: unused ntlmssp.c
       via  bbc4eb8 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
       via  59b8032 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
       via  d19d039 s3:libads: keep service and hostname separately in ads_service_principal
       via  e952e63 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
       via  3d3725b s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
       via  4cbf13e s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
       via  c63d32b s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
       via  383d18d s3:libads: add missing TALLOC_FREE(frame) in error path
       via  95461fb s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
       via  e2bea35 s4:selftest: simplify the loops over samba4.ldb.ldap
       via  ccc1c51 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
       via  b000387 s4:libcli/ldap: fix retry authentication after a bad password
       via  58478f4 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
       via  debafe8 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
       via  1016c9d auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
       via  294ef73 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
       via  6d08a2a auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
       via  192d5be auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
       via  3136ede librpc/ndr: add ndr_ntlmssp_find_av() helper function
       via  30b4e8f ntlmssp.idl: make AV_PAIR_LIST public
       via  983edc9 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
       via  c3392f3 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
       via  00fbd5b auth/ntlmssp: use ntlmssp_version_blob() in the server
       via  3a52567 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
       via  9419ce6 auth/ntlmssp: add ntlmssp_version_blob()
       via  a575c5e auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
       via  c8059be auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
       via  34ce552 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
       via  6d18d46 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
       via  3938b90 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
       via  db7e894 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
       via  aea667c winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
       via  6ee35d9 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
       via  81745b6 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
       via  7303a10 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
       via  7fcefea auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
       via  3585e41 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
       via  993420f s3:auth_generic: make use of the top level NTLMSSP client code
       via  cb7bf55 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
       via  c9d2b8d s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
       via  0f54d60 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
       via  2dac558 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
       via  8800015 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
       via  33f7f44 auth/ntlmssp: add gensec_ntlmssp_server_domain()
       via  aa0ed80 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
       via  14b2a51 s3:auth_generic: add auth_generic_client_start_by_sasl()
       via  a0feacf s3:auth_generic: add auth_generic_client_start_by_name()
       via  9e42312 auth/gensec: make gensec_security_by_name() public
       via  35f80cf auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
       via  2e6af15 auth/gensec: keep a pointer to a possible child/sub gensec_security context
       via  b474d13 s4:pygensec: make sig_size() and sign/check_packet() available
       via  f702a9e s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
       via  5a046d5 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
       via  47272c3 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
       via  2b351b7 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
       via  91e2717 s3:librpc/gse: fix debug message in gse_init_client()
       via  4357b22 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
       via  88a09dc wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
       via  0555445 s3:libads: remove unused ads_connect_gc()
       via  49a7697 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
       via  3121494 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
       via  e7595fa dcerpc.idl: make WERROR RPC faults available in ndr_print output
       via  0117f64 epmapper.idl: make epm_twr_t available in python bindings
       via  0d53d8a s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
       via  16e14f9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
       via  7f24c0b lib/util_net: add support for .ipv6-literal.net
       via  6b6fbcf lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
       via  a70f620 spnego: Correctly check asn1_tag_remaining retval
       via  5530d91 s4:torture/ntlmssp fix a compiler warning
       via  7019a9c s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
       via  14f4002 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
       via  97ac363 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
       via  a54b256 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
       via  109618b s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
       via  1865f12 ntlmssp: when pulling messages it is important to clear memory first.
       via  42c2d63 ntlmssp: properly document version defines in IDL (from MS-NLMP).
       via  1e0e8d6 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
       via  5b4999a ntlmssp: add some missing defines from MS-NLMP to our IDL.
       via  e73cfb9 tls: increase Diffie-Hellman group size to 2048 bits
       via  24c6d42 s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
       via  62e5169 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
       via  5bbf46e s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
       via  83b6653 asn1: Make 'struct asn1_data' private
       via  66ea451 asn1: Remove a reference to asn1_data internals
       via  c27fd04 libcli: Remove a reference to asn1->ofs
       via  9c89afd lib: Use asn1_current_ofs()
       via  95fa77f asn1: Add asn1_current_ofs()
       via  54aecd7 lib: Use asn1_has_nesting
       via  9ac8312 asn1: Add asn1_has_nesting
       via  2b11481 lib: Use asn1_extract_blob()
       via  a44d9bb asn1: Add asn1_extract_blob()
       via  274c9a4 lib: Use asn1_set_error()
       via  a330540 asn1: Add asn1_set_error()
       via  89d0afc lib: Use asn1_has_error()
       via  4b04663 asn1: Add asn1_has_error()
       via  d51a607 asn1: Make "struct nesting" private
       via  6d2f6e1 asn1: Add some early returns
       via  bb6607a asn1: Add overflow check to asn1_write
       via  7ef1333 asn1: Make asn1_peek_full_tag return 0/errno
       via  980785a asn1: Remove an unused asn1 function
       via  b5c5fec Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
       via  a06c22f VERSION: Bump version up to 4.3.7...
      from  ca09ef7 build: fix build when --without-quota specified


- Log -----------------------------------------------------------------
commit cd143a4b7fe8ff4f786bd319371e853ac56c37ae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 12 21:13:35 2016 +0200

    VERSION: Bump version up to 4.3.9
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 5bd1f11c6bd12c3879c035758dfe996b25742d18
Merge: ca09ef7 4b4a2bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 12 21:12:44 2016 +0200

    Merge tag 'samba-4.3.8' into v4-3-test
    samba: tag release samba-4.3.8
    Signed-off-by: Stefan Metzmacher <metze at samba.org>


Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  561 +++++
 auth/credentials/credentials.h                     |    5 +-
 auth/credentials/credentials_ntlm.c                |   12 +-
 auth/gensec/gensec.c                               |  113 +-
 auth/gensec/gensec.h                               |    4 +
 auth/gensec/gensec_internal.h                      |    7 +
 auth/gensec/gensec_start.c                         |   18 +-
 auth/gensec/gensec_util.c                          |    2 +-
 auth/gensec/schannel.c                             |   22 +-
 auth/gensec/spnego.c                               |  301 ++-
 auth/ntlmssp/gensec_ntlmssp.c                      |    9 +
 auth/ntlmssp/gensec_ntlmssp_server.c               |   44 +-
 auth/ntlmssp/ntlmssp.c                             |   91 +-
 auth/ntlmssp/ntlmssp.h                             |   17 +
 auth/ntlmssp/ntlmssp_client.c                      |  534 +++-
 auth/ntlmssp/ntlmssp_ndr.c                         |    1 +
 auth/ntlmssp/ntlmssp_private.h                     |   10 +-
 auth/ntlmssp/ntlmssp_server.c                      |  424 +++-
 auth/ntlmssp/ntlmssp_sign.c                        |  103 +-
 auth/ntlmssp/ntlmssp_util.c                        |  176 +-
 auth/ntlmssp/wscript_build                         |    2 +-
 .../ldap/ldapserverrequirestrongauth.xml           |   26 +
 .../smbdotconf/protocol/clientipcmaxprotocol.xml   |   29 +
 .../smbdotconf/protocol/clientipcminprotocol.xml   |   29 +
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml |    9 +-
 docs-xml/smbdotconf/protocol/clientminprotocol.xml |    6 +
 docs-xml/smbdotconf/protocol/clientusespnego.xml   |    5 +
 .../security/allowdcerpcauthlevelconnect.xml       |   27 +
 docs-xml/smbdotconf/security/clientipcsigning.xml  |   26 +
 docs-xml/smbdotconf/security/clientntlmv2auth.xml  |    5 +
 docs-xml/smbdotconf/security/clientsigning.xml     |   12 +-
 docs-xml/smbdotconf/security/rawntlmv2auth.xml     |   19 +
 docs-xml/smbdotconf/security/serversigning.xml     |    2 +-
 docs-xml/smbdotconf/security/tlsverifypeer.xml     |   47 +
 lib/param/loadparm.c                               |   47 +-
 lib/param/loadparm.h                               |    6 +
 lib/param/param_table.c                            |   83 +
 lib/util/asn1.c                                    |  109 +-
 lib/util/asn1.h                                    |   25 +-
 lib/util/tests/asn1_tests.c                        |    6 +-
 lib/util/util_net.c                                |  247 +-
 lib/util/util_net.h                                |    1 +
 libcli/auth/proto.h                                |    6 +
 libcli/auth/smbencrypt.c                           |  170 +-
 libcli/auth/spnego.h                               |    8 +-
 libcli/auth/spnego_parse.c                         |   55 +-
 libcli/cldap/cldap.c                               |   12 +-
 libcli/ldap/ldap_message.c                         |   32 +-
 libcli/smb/smbXcli_base.c                          |    1 +
 libcli/smb/smb_constants.h                         |    1 +
 libcli/smb/smb_signing.c                           |    4 +
 libcli/smb/tstream_smbXcli_np.c                    |    4 +
 librpc/idl/dcerpc.idl                              |   15 +-
 librpc/idl/epmapper.idl                            |    2 +-
 librpc/idl/ntlmssp.idl                             |   48 +-
 librpc/idl/security.idl                            |    9 +
 librpc/ndr/ndr_ntlmssp.c                           |   16 +
 librpc/ndr/ndr_ntlmssp.h                           |    2 +
 librpc/rpc/binding.c                               |    2 +-
 librpc/rpc/dcerpc_error.c                          |    6 +-
 librpc/rpc/dcerpc_util.c                           |  141 +-
 librpc/rpc/rpc_common.h                            |    9 +-
 nsswitch/libwbclient/wbc_pam.c                     |   21 +-
 nsswitch/winbind_struct_protocol.h                 |    1 +
 python/samba/tests/__init__.py                     |  525 ++++
 python/samba/tests/dcerpc/dnsserver.py             |    2 +-
 python/samba/tests/dcerpc/raw_protocol.py          | 2623 ++++++++++++++++++++
 selftest/knownfail                                 |   28 +
 .../DC-addc.addom.samba.example.com-S02-cert.pem   |  191 ++
 .../DC-addc.addom.samba.example.com-S02-key.pem    |   54 +
 ...DC-addc.addom.samba.example.com-S02-openssl.cnf |  250 ++
 ...ddc.addom.samba.example.com-S02-private-key.pem |   51 +
 .../DC-addc.addom.samba.example.com-S02-req.pem    |   30 +
 .../DC-addc.addom.samba.example.com-cert.pem       |    1 +
 ...DC-addc.addom.samba.example.com-private-key.pem |    1 +
 .../DC-localdc.samba.example.com-S00-cert.pem      |  190 ++
 .../DC-localdc.samba.example.com-S00-key.pem       |   54 +
 .../DC-localdc.samba.example.com-S00-openssl.cnf   |  250 ++
 ...C-localdc.samba.example.com-S00-private-key.pem |   51 +
 .../DC-localdc.samba.example.com-S00-req.pem       |   30 +
 .../DC-localdc.samba.example.com-cert.pem          |    1 +
 .../DC-localdc.samba.example.com-private-key.pem   |    1 +
 .../manage-ca/CA-samba.example.com/NewCerts/00.pem |  190 ++
 .../manage-ca/CA-samba.example.com/NewCerts/01.pem |  169 ++
 .../manage-ca/CA-samba.example.com/NewCerts/02.pem |  191 ++
 .../manage-ca/CA-samba.example.com/NewCerts/03.pem |  169 ++
 .../Private/CA-samba.example.com-crlnumber.txt     |    1 +
 .../Private/CA-samba.example.com-crlnumber.txt.old |    1 +
 .../Private/CA-samba.example.com-index.txt         |    4 +
 .../Private/CA-samba.example.com-index.txt.attr    |    1 +
 .../CA-samba.example.com-index.txt.attr.old        |    1 +
 .../Private/CA-samba.example.com-index.txt.old     |    3 +
 .../Private/CA-samba.example.com-openssl.cnf       |  203 ++
 .../Private/CA-samba.example.com-private-key.pem   |  102 +
 .../Private/CA-samba.example.com-serial.txt        |    1 +
 .../Private/CA-samba.example.com-serial.txt.old    |    1 +
 .../Public/CA-samba.example.com-cert.pem           |   62 +
 .../Public/CA-samba.example.com-crl.pem            |   32 +
 ...inistrator at addom.samba.example.com-S03-cert.pem |  169 ++
 ...ministrator at addom.samba.example.com-S03-key.pem |   30 +
 ...strator at addom.samba.example.com-S03-openssl.cnf |  242 ++
 ...tor at addom.samba.example.com-S03-private-key.pem |   27 +
 ...ministrator at addom.samba.example.com-S03-req.pem |   19 +
 ...-administrator at addom.samba.example.com-cert.pem |    1 +
 ...strator at addom.samba.example.com-private-key.pem |    1 +
 ...ER-administrator at samba.example.com-S01-cert.pem |  169 ++
 ...SER-administrator at samba.example.com-S01-key.pem |   30 +
 ...administrator at samba.example.com-S01-openssl.cnf |  242 ++
 ...nistrator at samba.example.com-S01-private-key.pem |   27 +
 ...SER-administrator at samba.example.com-S01-req.pem |   19 +
 .../USER-administrator at samba.example.com-cert.pem  |    1 +
 ...administrator at samba.example.com-private-key.pem |    1 +
 selftest/manage-ca/manage-CA-samba.example.com.cnf |   21 +
 selftest/manage-ca/manage-CA-samba.example.com.sh  |   18 +
 selftest/manage-ca/manage-ca.sh                    |  387 +++
 .../manage-CA-example.com.cnf                      |   17 +
 .../openssl-BASE-template.cnf                      |  201 ++
 .../manage-ca.templates.d/openssl-CA-template.cnf  |    2 +
 .../manage-ca.templates.d/openssl-DC-template.cnf  |   49 +
 .../openssl-USER-template.cnf                      |   41 +
 selftest/selftest.pl                               |   40 +
 selftest/target/Samba.pm                           |  105 +
 selftest/target/Samba3.pm                          |    1 +
 selftest/target/Samba4.pm                          |  232 +-
 source3/auth/auth_domain.c                         |    2 +-
 source3/auth/auth_samba4.c                         |    4 +-
 source3/auth/auth_util.c                           |   15 +
 source3/include/auth_generic.h                     |    7 +-
 source3/include/proto.h                            |   48 +-
 source3/lib/netapi/cm.c                            |    2 +-
 source3/lib/tldap.c                                |    6 +-
 source3/libads/ads_proto.h                         |    1 -
 source3/libads/ldap.c                              |  134 -
 source3/libads/sasl.c                              |  671 ++---
 source3/libnet/libnet_join.c                       |    6 +-
 source3/librpc/crypto/gse.c                        |   81 +-
 source3/librpc/rpc/dcerpc.h                        |   10 +-
 source3/librpc/rpc/dcerpc_helpers.c                |   98 +-
 source3/libsmb/auth_generic.c                      |   51 +-
 source3/libsmb/cliconnect.c                        |  669 ++---
 source3/libsmb/clientgen.c                         |    9 +
 source3/libsmb/clispnego.c                         |  283 +--
 source3/libsmb/ntlmssp.c                           |  765 ------
 source3/libsmb/ntlmssp_wrap.c                      |  135 -
 source3/libsmb/passchange.c                        |    7 +-
 source3/pam_smbpass/wscript_build                  |    2 +-
 source3/param/loadparm.c                           |   43 +-
 source3/rpc_client/cli_pipe.c                      |  314 ++-
 source3/rpc_server/netlogon/srv_netlog_nt.c        |   57 +-
 source3/rpc_server/rpc_handles.c                   |    1 +
 source3/rpc_server/rpc_ncacn_np.c                  |    3 +-
 source3/rpc_server/rpc_pipes.h                     |   11 +
 source3/rpc_server/rpc_server.c                    |   12 +
 source3/rpc_server/samr/srv_samr_nt.c              |   21 +-
 source3/rpc_server/srv_pipe.c                      |  494 ++--
 source3/rpcclient/rpcclient.c                      |    5 +-
 source3/script/tests/test_ntlm_auth_s3.sh          |    2 +
 source3/script/tests/test_rpcclient_samlogon.sh    |   11 +-
 source3/script/tests/test_smbclient_auth.sh        |   11 +
 source3/selftest/tests.py                          |    7 +-
 source3/smbd/negprot.c                             |    6 +-
 source3/smbd/sesssetup.c                           |    4 +-
 source3/smbd/smb2_negprot.c                        |   10 +-
 source3/smbd/smb2_sesssetup.c                      |    3 +-
 source3/torture/test_ntlm_auth.py                  |  553 +++--
 source3/utils/net_ads.c                            |    2 +-
 source3/utils/net_rpc.c                            |    2 +-
 source3/utils/net_util.c                           |    2 +-
 source3/utils/ntlm_auth.c                          |  803 +-----
 source3/winbindd/winbindd_ccache_access.c          |   44 +-
 source3/winbindd/winbindd_cm.c                     |    6 +-
 source3/wscript_build                              |   10 +-
 source4/auth/gensec/gensec_krb5.c                  |   11 +-
 source4/auth/gensec/pygensec.c                     |   83 +
 source4/auth/ntlm/auth_util.c                      |    4 +-
 source4/ldap_server/ldap_bind.c                    |   50 +-
 source4/ldap_server/ldap_server.c                  |    6 +
 source4/ldap_server/ldap_server.h                  |    2 +
 source4/lib/tls/tls.c                              |    2 +-
 source4/lib/tls/tls.h                              |   23 +
 source4/lib/tls/tls_tstream.c                      |  251 +-
 source4/lib/tls/tlscert.c                          |   18 +-
 source4/lib/tls/wscript                            |    5 +
 source4/libcli/cliconnect.c                        |    2 +-
 source4/libcli/ldap/ldap_bind.c                    |   62 +-
 source4/libcli/ldap/ldap_client.c                  |    9 +-
 source4/libcli/ldap/ldap_controls.c                |   48 +-
 source4/libcli/raw/libcliraw.h                     |    1 +
 source4/libcli/raw/rawnegotiate.c                  |   11 +-
 source4/libcli/smb2/connect.c                      |    7 +-
 source4/libcli/smb_composite/connect.c             |    1 +
 source4/libcli/smb_composite/sesssetup.c           |   35 +-
 source4/librpc/rpc/dcerpc.c                        |  351 ++-
 source4/librpc/rpc/dcerpc.h                        |   14 +-
 source4/librpc/rpc/dcerpc_auth.c                   |   93 +-
 source4/librpc/rpc/dcerpc_connect.c                |   22 +
 source4/librpc/rpc/dcerpc_roh.c                    |   13 +-
 source4/librpc/rpc/dcerpc_util.c                   |   22 +-
 source4/param/loadparm.c                           |    3 +-
 source4/rpc_server/backupkey/dcesrv_backupkey.c    |   13 +-
 source4/rpc_server/common/reply.c                  |   49 +-
 source4/rpc_server/dcerpc_server.c                 |  812 ++++--
 source4/rpc_server/dcerpc_server.h                 |   57 +-
 source4/rpc_server/dcesrv_auth.c                   |  261 +-
 source4/rpc_server/dcesrv_mgmt.c                   |    8 +
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |    8 +
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c        |    8 +
 source4/rpc_server/echo/rpc_echo.c                 |    7 +
 source4/rpc_server/epmapper/rpc_epmapper.c         |    8 +
 source4/rpc_server/handles.c                       |    8 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |    8 +
 source4/rpc_server/lsa/lsa_lookup.c                |   12 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |   46 +-
 source4/rpc_server/remote/dcesrv_remote.c          |    8 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   12 +
 source4/rpc_server/samr/samr_password.c            |   25 +-
 source4/selftest/tests.py                          |   75 +-
 source4/smb_server/smb/negprot.c                   |    6 +-
 source4/smb_server/smb/sesssetup.c                 |   10 +
 source4/smb_server/smb2/negprot.c                  |    7 +-
 source4/smb_server/smb2/sesssetup.c                |    8 -
 source4/torture/basic/base.c                       |   20 +-
 source4/torture/ndr/ntlmssp.c                      |  183 +-
 source4/torture/raw/samba3misc.c                   |    7 +
 source4/torture/rpc/backupkey.c                    |   21 +-
 source4/torture/rpc/forest_trust.c                 |   12 +-
 source4/torture/rpc/lsa.c                          |   14 +-
 source4/torture/rpc/netlogon.c                     |  101 +-
 source4/torture/rpc/netlogon.h                     |    7 +
 source4/torture/rpc/remote_pac.c                   |   39 +-
 source4/torture/rpc/samba3rpc.c                    |   61 +-
 source4/torture/rpc/samlogon.c                     |    3 +-
 source4/torture/rpc/samr.c                         |    4 +-
 source4/torture/rpc/schannel.c                     |   29 +-
 source4/torture/rpc/testjoin.c                     |   35 +-
 testprogs/blackbox/test_ldb_simple.sh              |   41 +
 wscript_configure_system_mitkrb5                   |    4 +-
 238 files changed, 15105 insertions(+), 4869 deletions(-)
 create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
 create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
 create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
 create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
 create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
 create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
 create mode 100755 selftest/manage-ca/manage-ca.sh
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
 delete mode 100644 source3/libsmb/ntlmssp.c
 delete mode 100644 source3/libsmb/ntlmssp_wrap.c
 create mode 100755 testprogs/blackbox/test_ldb_simple.sh

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 371c694..b59769a 100644
@@ -25,7 +25,7 @@
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a47ede4..435ae45 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,565 @@
+                   Release Notes for Samba 4.3.8
+                           April 12, 2016
+                   =============================
+This is a security release containing one additional
+regression fix for the security release 4.3.7.
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+Changes since 4.3.7:
+o  Stefan Metzmacher <metze at samba.org>
+   * Bug 11804 - prerequisite backports for the security release on
+     April 12th, 2016
+Release notes for the original 4.3.7 release follows:
+                   =============================
+                   Release Notes for Samba 4.3.7
+                           April 12, 2016
+                   =============================
+This is a security release in order to address the following CVEs:
+o  CVE-2015-5370 (Multiple errors in DCE-RPC code)
+o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+o  CVE-2016-2112 (LDAP client and server don't enforce integrity)
+o  CVE-2016-2113 (Missing TLS certificate validation)
+o  CVE-2016-2114 ("server signing = mandatory" not enforced)
+o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+o  CVE-2015-5370
+   Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+   denial of service attacks (crashes and high cpu consumption)
+   in the DCE-RPC client and server implementations. In addition,
+   errors in validation of the DCE-RPC packets can lead to a downgrade
+   of a secure connection to an insecure one.
+   While we think it is unlikely, there's a nonzero chance for
+   a remote code execution attack against the client components,
+   which are used by smbd, winbindd and tools like net, rpcclient and
+   others. This may gain root access to the attacker.
+   The above applies all possible server roles Samba can operate in.
+   Note that versions before 3.6.0 had completely different marshalling
+   functions for the generic DCE-RPC layer. It's quite possible that
+   that code has similar problems!
+   The downgrade of a secure connection to an insecure one may
+   allow an attacker to take control of Active Directory object
+   handles created on a connection created from an Administrator
+   account and re-use them on the now non-privileged connection,
+   compromising the security of the Samba AD-DC.
+o  CVE-2016-2110:
+   There are several man in the middle attacks possible with
+   NTLMSSP authentication.
+   can be cleared by a man in the middle.
+   This was by protocol design in earlier Windows versions.
+   Windows Server 2003 RTM and Vista RTM introduced a way
+   to protect against the trivial downgrade.
+   See MsvAvFlags and flag 0x00000002 in
+   https://msdn.microsoft.com/en-us/library/cc236646.aspx
+   This new feature also implies support for a mechlistMIC
+   when used within SPNEGO, which may prevent downgrades
+   from other SPNEGO mechs, e.g. Kerberos, if sign or
+   seal is finally negotiated.
+   The Samba implementation doesn't enforce the existence of
+   required flags, which were requested by the application layer,
+   e.g. LDAP or SMB1 encryption (via the unix extensions).
+   As a result a man in the middle can take over the connection.
+   It is also possible to misguide client and/or
+   server to send unencrypted traffic even if encryption
+   was explicitly requested.
+   LDAP (with NTLMSSP authentication) is used as a client
+   by various admin tools of the Samba project,
+   e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+   As an active directory member server LDAP is also used
+   by the winbindd service when connecting to domain controllers.
+   Samba also offers an LDAP server when running as
+   active directory domain controller.
+   The NTLMSSP authentication used by the SMB1 encryption
+   is protected by smb signing, see CVE-2015-5296.
+o  CVE-2016-2111:
+   It's basically the same as CVE-2015-0005 for Windows:
+     The NETLOGON service in Microsoft Windows Server 2003 SP2,
+     Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+     and R2, when a Domain Controller is configured, allows remote
+     attackers to spoof the computer name of a secure channel's
+     endpoint, and obtain sensitive session information, by running a
+     crafted application and leveraging the ability to sniff network
+     traffic, aka "NETLOGON Spoofing Vulnerability".
+   The vulnerability in Samba is worse as it doesn't require
+   credentials of a computer account in the domain.
+   This only applies to Samba running as classic primary domain controller,
+   classic backup domain controller or active directory domain controller.
+   The security patches introduce a new option called "raw NTLMv2 auth"
+   ("yes" or "no") for the [global] section in smb.conf.
+   Samba (the smbd process) will reject client using raw NTLMv2
+   without using NTLMSSP.
+   Note that this option also applies to Samba running as
+   standalone server and member server.
+   You should also consider using "lanman auth = no" (which is already the default)
+   and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+   as they might impact compatibility with older clients. These also
+   apply for all server roles.
+o  CVE-2016-2112:
+   Samba uses various LDAP client libraries, a builtin one and/or the system
+   ldap libraries (typically openldap).
+   As active directory domain controller Samba also provides an LDAP server.
+   Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+   for LDAP connections, including possible integrity (sign) and privacy (seal)
+   protection.
+   Samba has support for an option called "client ldap sasl wrapping" since version
+   3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+   Tools using the builtin LDAP client library do not obey the
+   "client ldap sasl wrapping" option. This applies to tools like:
+   "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+   options like "--sign" and "--encrypt". With the security update they will
+   also obey the "client ldap sasl wrapping" option as default.
+   In all cases, even if explicitly request via "client ldap sasl wrapping",
+   "--sign" or "--encrypt", the protection can be downgraded by a man in the
+   middle.
+   The LDAP server doesn't have an option to enforce strong authentication
+   yet. The security patches will introduce a new option called
+   "ldap server require strong auth", possible values are "no",
+   "allow_sasl_over_tls" and "yes".
+   As the default behavior was as "no" before, you may
+   have to explicitly change this option until all clients have
+   been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+   Windows clients and Samba member servers already use
+   integrity protection.
+o  CVE-2016-2113:
+   Samba has support for TLS/SSL for some protocols:
+   ldap and http, but currently certificates are not
+   validated at all. While we have a "tls cafile" option,
+   the configured certificate is not used to validate
+   the server certificate.
+   This applies to ldaps:// connections triggered by tools like:
+   "ldbsearch", "ldbedit" and more. Note that it only applies
+   to the ldb tools when they are built as part of Samba or with Samba
+   extensions installed, which means the Samba builtin LDAP client library is
+   used.
+   It also applies to dcerpc client connections using ncacn_http (with https://),
+   which are only used by the openchange project. Support for ncacn_http
+   was introduced in version 4.2.0.
+   The security patches will introduce a new option called
+   "tls verify peer". Possible values are "no_check", "ca_only",
+   "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+   If you use the self-signed certificates which are auto-generated
+   by Samba, you won't have a crl file and need to explicitly
+   set "tls verify peer = ca_and_name".
+o  CVE-2016-2114
+   Due to a regression introduced in Samba 4.0.0,
+   an explicit "server signing = mandatory" in the [global] section
+   of the smb.conf was not enforced for clients using the SMB1 protocol.
+   As a result it does not enforce smb signing and allows man in the middle attacks.
+   This problem applies to all possible server roles:
+   standalone server, member server, classic primary domain controller,
+   classic backup domain controller and active directory domain controller.
+   In addition, when Samba is configured with "server role = active directory domain controller"
+   the effective default for the "server signing" option should be "mandatory".
+   During the early development of Samba 4 we had a new experimental
+   file server located under source4/smb_server. But before
+   the final 4.0.0 release we switched back to the file server
+   under source3/smbd.
+   But the logic for the correct default of "server signing" was not
+   ported correctly ported.
+   Note that the default for server roles other than active directory domain
+   controller, is "off" because of performance reasons.
+o  CVE-2016-2115:
+   Samba has an option called "client signing", this is turned off by default
+   for performance reasons on file transfers.
+   This option is also used when using DCERPC with ncacn_np.
+   In order to get integrity protection for ipc related communication
+   by default the "client ipc signing" option is introduced.
+   The effective default for this new option is "mandatory".
+   In order to be compatible with more SMB server implementations,
+   the following additional options are introduced:
+   "client ipc min protocol" ("NT1" by default) and
+   "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+   These options overwrite the "client min protocol" and "client max protocol"
+   options, because the default for "client max protocol" is still "NT1".
+   The reason for this is the fact that all SMB2/3 support SMB signing,
+   while there are still SMB1 implementations which don't offer SMB signing
+   by default (this includes Samba versions before 4.0.0).
+   Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+   against active directory domain controllers despite of the
+   "client signing" and "client ipc signing" options.
+o  CVE-2016-2118 (a.k.a. BADLOCK):
+   The Security Account Manager Remote Protocol [MS-SAMR] and the
+   Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+   are both vulnerable to man in the middle attacks. Both are application level
+   protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+   These protocols are typically available on all Windows installations
+   as well as every Samba server. They are used to maintain
+   the Security Account Manager Database. This applies to all
+   roles, e.g. standalone, domain member, domain controller.
+   Any authenticated DCERPC connection a client initiates against a server
+   can be used by a man in the middle to impersonate the authenticated user
+   against the SAMR or LSAD service on the server.
+   The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+   and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+   in this case. A man in the middle can change auth level to CONNECT
+   (which means authentication without message protection) and take over
+   the connection.
+   As a result, a man in the middle is able to get read/write access to the
+   Security Account Manager Database, which reveals all passwords
+   and any other potential sensitive information.
+   Samba running as an active directory domain controller is additionally
+   missing checks to enforce PKT_PRIVACY for the
+   Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+   and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+   The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+   is not enforcing at least PKT_INTEGRITY.
+New smb.conf options
+  allow dcerpc auth level connect (G)
+    This option controls whether DCERPC services are allowed to be used with
+    DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+    message integrity nor privacy protection.
+    Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+    of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+    The behavior can be overwritten per interface name (e.g. lsarpc,
+    netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+    'allow dcerpc auth level connect:interface = yes' as option.
+    This option yields precedence to the implementation specific restrictions.
+    E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+    The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+    Default: allow dcerpc auth level connect = no
+    Example: allow dcerpc auth level connect = yes
+  client ipc signing (G)
+    This controls whether the client is allowed or required to use
+    SMB signing for IPC$ connections as DCERPC transport. Possible
+    values are auto, mandatory and disabled.
+    When set to mandatory or default, SMB signing is required.
+    When set to auto, SMB signing is offered, but not enforced and
+    if set to disabled, SMB signing is not offered either.
+    Connections from winbindd to Active Directory Domain Controllers
+    always enforce signing.
+    Default: client ipc signing = default
+  client ipc max protocol (G)
+    The value of the parameter (a string) is the highest protocol level that will
+    be supported for IPC$ connections as DCERPC transport.
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+    The value default refers to the latest supported protocol, currently SMB3_11.
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+    Default: client ipc max protocol = default
+    Example: client ipc max protocol = SMB2_10
+  client ipc min protocol (G)
+    This setting controls the minimum protocol version that the will be
+    attempted to use for IPC$ connections as DCERPC transport.
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+    The value default refers to the higher value of NT1 and the
+    effective value of "client min protocol".
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+    Default: client ipc min protocol = default
+    Example: client ipc min protocol = SMB3_11
+  ldap server require strong auth (G)
+    The ldap server require strong auth defines whether the
+    ldap server requires ldap traffic to be signed or
+    signed and encrypted (sealed). Possible values are no,
+    allow_sasl_over_tls and yes.
+    A value of no allows simple and sasl binds over all transports.
+    A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+    over TLS encrypted connections. Unencrypted connections only
+    allow sasl binds with sign or seal.
+    A value of yes allows only simple binds over TLS encrypted connections.
+    Unencrypted connections only allow sasl binds with sign or seal.
+    Default: ldap server require strong auth = yes
+  raw NTLMv2 auth (G)
+    This parameter determines whether or not smbd(8) will allow SMB1 clients
+    without extended security (without SPNEGO) to use NTLMv2 authentication.
+    If this option, lanman auth and ntlm auth are all disabled, then only
+    clients with SPNEGO support will be permitted. That means NTLMv2 is only
+    supported within NTLMSSP.
+    Default: raw NTLMv2 auth = no
+  tls verify peer (G)
+    This controls if and how strict the client will verify the peer's
+    certificate and name. Possible values are (in increasing order): no_check,
+    ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+    When set to no_check the certificate is not verified at all,
+    which allows trivial man in the middle attacks.
+    When set to ca_only the certificate is verified to be signed from a ca
+    specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+    is required. The certificate lifetime is also verified. If the "tls crl file"
+    option is configured, the certificate is also verified against
+    the ca crl.
+    When set to ca_and_name_if_available all checks from ca_only are performed.
+    In addition, the peer hostname is verified against the certificate's
+    name, if it is provided by the application layer and not given as
+    an ip address string.
+    When set to ca_and_name all checks from ca_and_name_if_available are performed.
+    In addition the peer hostname needs to be provided and even an ip
+    address is checked against the certificate's name.
+    When set to as_strict_as_possible all checks from ca_and_name are performed.
+    In addition the "tls crl file" needs to be configured. Future versions
+    of Samba may implement additional checks.
+    Default: tls verify peer = as_strict_as_possible
+  tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+    This option can be set to a string describing the TLS protocols to be
+    supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+    The default turns off SSLv3, as this protocol is no longer considered
+    secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+    in HTTPS applications.
+    The valid options are described in the GNUTLS Priority-Strings
+    documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+    Default: tls priority = NORMAL:-VERS-SSL3.0
+Behavior changes
+o  The default auth level for authenticated binds has changed from
+   That means ncacn_ip_tcp:server is now implicitly the same
+   as ncacn_ip_tcp:server[sign] and offers a similar protection
+   as ncacn_np:server, which relies on smb signing.
+o  The following constraints are applied to SMB1 connections:
+   - "client lanman auth = yes" is now consistently
+     required for authenticated connections using the
+     SMB1 LANMAN2 dialect.
+   - "client ntlmv2 auth = yes" and "client use spnego = yes"
+     (both the default values), require extended security (SPNEGO)
+     support from the server. That means NTLMv2 is only used within
+     NTLMSSP.
+o  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+   default of "client ldap sasl wrapping = sign". Even with
+   "client ldap sasl wrapping = plain" they will automatically upgrade
+   to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+   server.
+Changes since 4.3.6:
+o  Jeremy Allison <jra at samba.org>

Samba Shared Repository

More information about the samba-cvs mailing list