[SCM] Samba Shared Repository - branch v4-2-test updated

Stefan Metzmacher metze at samba.org
Tue Apr 12 19:18:08 UTC 2016

The branch, v4-2-test has been updated
       via  4882bde VERSION: Bump version up to 4.2.12
       via  47f3a1f Merge tag 'samba-4.2.11' into v4-2-test
       via  cdf4f21 VERSION: Disable git snapshots for the 4.2.11 release.
       via  aada3ea WHATSNEW: Add release notes for Samba 4.2.11.
       via  96331b2 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
       via  cb48e70 VERSION: Bump version up to 4.2.11...
       via  343f384 VERSION: Disable git snapshots for the 4.2.10 release.
       via  5f0e4f1 WHATSNEW: Add release notes for Samba 4.2.10.
       via  b065ce6 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
       via  88e9a0a CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
       via  df411cb CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
       via  284894c CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
       via  024d3b2 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
       via  8e0b06a CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
       via  3ef461d CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
       via  93a0f92 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
       via  0cf3151 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
       via  61faaa6 CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
       via  2bc6172 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
       via  ae68d3f CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
       via  cbf20b4 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
       via  f556d92 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
       via  a995740 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
       via  9464684 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
       via  02aef97 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
       via  d30363f CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
       via  8d97085 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
       via  664d7ac CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
       via  e39fdce CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
       via  1e6b4ab CVE-2015-5370: s3:rpc_server: verify presentation context arrays
       via  cdefee1 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
       via  0239bfa CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
       via  63d21d2 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
       via  8c96ef7 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
       via  69280e6 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
       via  25bf597 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
       via  af2582e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
       via  189c0fb CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
       via  2a92546 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
       via  df51c22 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
       via  9818296 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
       via  81bbffa CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
       via  acea87f CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
       via  19f489d CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
       via  df3cdf0 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
       via  1ed83c7 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
       via  14a7db6 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
       via  71d1c9f CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
       via  e601549 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
       via  fbf402c CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
       via  dd8c942 CVE-2015-5370: s4:rpc_server: check frag_length for requests
       via  74de5d8 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
       via  772ba3f CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
       via  9dd171f CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
       via  d5916e0 CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
       via  5ac7fc8 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
       via  b430b1f CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
       via  0863c95 CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
       via  9a52709 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
       via  1da3379 CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
       via  b51da52 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
       via  eb3f8a5 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
       via  0d20260 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
       via  b40ab6b CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
       via  409b8fd CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
       via  358af62 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
       via  f3c68c6 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
       via  0f4a3c3 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
       via  97a19d9 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
       via  494ba35 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
       via  2cf79f9 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
       via  ec8b2a3 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
       via  d7f0712 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
       via  1780b43 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
       via  77e7d19 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
       via  2f0c9d6 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
       via  b075822 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
       via  c784fcd CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
       via  8e8c2da CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
       via  c0236de CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
       via  b91112d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
       via  69c7776 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
       via  1e88acf CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
       via  a1c6916 CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
       via  e767733 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
       via  9a3f045 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
       via  665b874 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
       via  8266be4 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
       via  2240a39 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
       via  0f7bb07 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
       via  84d8692 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
       via  e5a4d9a CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
       via  a20f132 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
       via  630dcb5 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
       via  045e9b4 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
       via  d61cd59 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
       via  9153fc5 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
       via  b26aabe CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
       via  d6c4dde CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
       via  2d2243c CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
       via  fce895b CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
       via  17d9204 CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
       via  416f383 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  3410c21 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
       via  2b1f995 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
       via  d33cb24 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  e34628f CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  f0b5e62 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
       via  dbb5220 CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  dd32cfc CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  b6e3f0c CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
       via  ee77128 CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  bbc9a16 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  5a9aa81 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
       via  29ab0d9 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
       via  db01cab CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
       via  ad99552 CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
       via  7847ee8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
       via  52aa7b6 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  dab41de CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
       via  ddbcb11 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
       via  889162a CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
       via  08ca648 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
       via  1f3708a CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
       via  1c06e92 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
       via  8ee232f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
       via  27939fc CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
       via  54c9e0d CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
       via  bf4259a CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
       via  ba52792 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
       via  7790d38 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
       via  15417d6 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
       via  95e334b CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
       via  2e3bcb7 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
       via  7f4be89 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
       via  b7ea999 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
       via  1c24db6 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
       via  1afcdaa CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
       via  a8dc7d6 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
       via  543b97d CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
       via  32d1130 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
       via  d5d1d63 CVE-2016-2115: docs-xml: add "client ipc signing" option
       via  7c7f42f CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
       via  4eefd40 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
       via  5fb616a CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
       via  a6ab8e7 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
       via  dfffc46 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
       via  87d7973 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
       via  141d4ac CVE-2016-2114: s4:smb2_server: fix session setup with required signing
       via  ae4b827 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
       via  dcf61e4 CVE-2016-2113: selftest: use "tls verify peer = no_check"
       via  64f8f67 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
       via  95da9fc CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
       via  3a73092 CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
       via  da2065e CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
       via  d2d2236 CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
       via  f3d752f CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
       via  b8c5862 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
       via  1c25d638a CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
       via  0a1d2b4 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
       via  16472fc CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
       via  ded3595 CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
       via  59c4273 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
       via  5a5bede CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
       via  2612783 CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
       via  efd47e4 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
       via  5a26043 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
       via  6256822 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
       via  f8c3a46 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
       via  190de2d CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
       via  8e63804 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
       via  799557f CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
       via  531c5aa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
       via  9d6ffb3 CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
       via  2ee2de4 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
       via  f5e066c CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
       via  270f04c CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
       via  b0c0ffe CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
       via  9b983ae CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
       via  1e35c14 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
       via  2608fb3 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
       via  9f39d0f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
       via  7188b6a CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
       via  b1bcc58 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
       via  ba33643 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
       via  c741e86 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  9aae9b11 CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
       via  610229e CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
       via  eafd2ce CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
       via  7f74142 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
       via  96e93b8 CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  40397d1 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
       via  fec6dae CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
       via  98c1677 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
       via  fd1c98f CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
       via  2e11c70 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
       via  280a371 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
       via  65bd884 CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
       via  48b24ce CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
       via  bb90457 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
       via  530f0d1 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
       via  741c532 CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
       via  76318d5 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
       via  3d783b7 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
       via  3a8334d CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
       via  22bf4ed CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
       via  2e35e39 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
       via  65deaae CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
       via  639bd4d CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
       via  0489a58 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
       via  a98f718 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
       via  c528a17 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
       via  e073b53 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
       via  3c07679 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
       via  9c171a5 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
       via  f78d549 CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
       via  332d580 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
       via  b7d6410 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
       via  2c6474b CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
       via  f789325 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
       via  8dcd3cb CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
       via  8cd4741 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
       via  d1ebe5b s3:rpc_server/samr: correctly handle session_extract_session_key() failures
       via  9981c0b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
       via  6138f8b libads: Fix CID 1356316 Uninitialized pointer read
       via  1993e69 libsmb: Fix CID 1356312 Explicit null dereferenced
       via  6891eeb s3-auth: check for return code of cli_credentials_set_machine_account().
       via  62f4ee1 s4-smb_server: check for return code of cli_credentials_set_machine_account().
       via  3447148 s4:rpc_server: require access to the machine account credentials
       via  cceb49a auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
       via  2b442ce auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
       via  592baac s4:torture/rpc/schannel: don't use validation level 6 without privacy
       via  89298e5 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
       via  e80d4f9 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
       via  93863b8 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
       via  2d70e9f s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
       via  9be91a7 s3:test_rpcclient_samlogon.sh: test samlogon with schannel
       via  5e8f48b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
       via  1838e168 selftest: setup information of new samba.example.com CA in the client environment
       via  f40bc59 selftest: set tls crlfile if it exist
       via  9452268 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
       via  8b14e45 selftest: add Samba::prepare_keyblobs() helper function
       via  d93ff57 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
       via  9030298 selftest: add CA-samba.example.com (non-binary) files
       via  44b5d2d selftest: add config and script to create a samba.example.com CA
       via  61e6ca8 selftest: add some helper scripts to mange a CA
       via  66df1ed selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
       via  ad389f1 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
       via  8f0d8f4 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
       via  a99a012 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
       via  fc5c623 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
       via  3393d9b s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
       via  6ae0007 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
       via  1989639 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
       via  54dd7b7 s3:libsmb: remove unused functions in clispnego.c
       via  28c23bd s3:libsmb: remove unused cli_session_setup_kerberos*() functions
       via  1dd4e36 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
       via  ac680c1 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
       via  68a32f1 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
       via  80c665b s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
       via  d9c89a5 s3:libsmb: unused ntlmssp.c
       via  db624e4 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
       via  a427633 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
       via  24a5cf6 s3:libads: keep service and hostname separately in ads_service_principal
       via  d4369e3 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
       via  a1476b9 s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
       via  8c9308c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
       via  8368d9d s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
       via  e5ca0c6 s3:libads: add missing TALLOC_FREE(frame) in error path
       via  3fd5063 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
       via  083682b s4:selftest: simplify the loops over samba4.ldb.ldap
       via  04a81c9 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
       via  a2c24e2 s4:libcli/ldap: fix retry authentication after a bad password
       via  c531695 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
       via  4a3c66d auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
       via  1e19d98 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
       via  c4b08fb auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
       via  b63aa96 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
       via  679b2c4 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
       via  f2600f5 librpc/ndr: add ndr_ntlmssp_find_av() helper function
       via  7c7ee91 ntlmssp.idl: make AV_PAIR_LIST public
       via  9176107 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
       via  4222e9b security.idl: add LSAP_TOKEN_INFO_INTEGRITY
       via  a7243e3 auth/ntlmssp: use ntlmssp_version_blob() in the server
       via  1526b7e auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
       via  4f261d9 auth/ntlmssp: add ntlmssp_version_blob()
       via  e81031b auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
       via  d2b612d auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
       via  e487dba auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
       via  7b39ef9 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
       via  7b20770 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
       via  9cfc310 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
       via  637f37b winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
       via  53f6f3d s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
       via  c5a25e8 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
       via  653742d auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
       via  0ece92e auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
       via  b3873ba s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
       via  1742cec s3:auth_generic: make use of the top level NTLMSSP client code
       via  bdbcffc winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
       via  23b65d6 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
       via  bf52fad selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
       via  b981475 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
       via  77d9b8c s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
       via  dd2a2b7 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
       via  8acba3b auth/ntlmssp: add gensec_ntlmssp_server_domain()
       via  c6cbac8 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
       via  0dd1f05 s3:auth_generic: add auth_generic_client_start_by_sasl()
       via  7b92239 s3:auth_generic: add auth_generic_client_start_by_name()
       via  933ca54 auth/gensec: make gensec_security_by_name() public
       via  66b2e5d auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
       via  3b0fc77 auth/gensec: keep a pointer to a possible child/sub gensec_security context
       via  744e043 s4:pygensec: make sig_size() and sign/check_packet() available
       via  3353447 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
       via  c1f6fe4 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
       via  ac9a891 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
       via  a881c5f s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
       via  3b4608c s3:librpc/gse: fix debug message in gse_init_client()
       via  41ca435 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
       via  b8fd2d0 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
       via  ff2a6f6 s3:libads: remove unused ads_connect_gc()
       via  9b4eabb s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
       via  ebc2711 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
       via  4d7fdf1 dcerpc.idl: make WERROR RPC faults available in ndr_print output
       via  8104a49 epmapper.idl: make epm_twr_t available in python bindings
       via  7e1a935 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
       via  5e4be46 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
       via  cf4f1bc lib/util_net: add support for .ipv6-literal.net
       via  76d4d9d lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
       via  84e3a91 spnego: Correctly check asn1_tag_remaining retval
       via  9ac8373 s4:torture/ntlmssp fix a compiler warning
       via  3dd652e s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
       via  7d30bb7 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
       via  ca3f4c3 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
       via  cc6803d s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
       via  8a09a9e s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
       via  31ec805 ntlmssp: when pulling messages it is important to clear memory first.
       via  c0f4c95 ntlmssp: properly document version defines in IDL (from MS-NLMP).
       via  5bcd766 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
       via  0973458 ntlmssp: add some missing defines from MS-NLMP to our IDL.
       via  0a6405f tls: increase Diffie-Hellman group size to 2048 bits
       via  88c76da s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
       via  2c5ba35 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
       via  2057efc s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
       via  53988ca asn1: Make 'struct asn1_data' private
       via  d91415e asn1: Remove a reference to asn1_data internals
       via  17d663a libcli: Remove a reference to asn1->ofs
       via  f7ea845 lib: Use asn1_current_ofs()
       via  f6a2ad0 asn1: Add asn1_current_ofs()
       via  9e65ef3 lib: Use asn1_has_nesting
       via  12396cf asn1: Add asn1_has_nesting
       via  79280a3 lib: Use asn1_extract_blob()
       via  2a8a339 asn1: Add asn1_extract_blob()
       via  9c520e9 lib: Use asn1_set_error()
       via  a8b03c4 asn1: Add asn1_set_error()
       via  3aba426 lib: Use asn1_has_error()
       via  9d86ce3 asn1: Add asn1_has_error()
       via  afbef75 asn1: Make "struct nesting" private
       via  6eca81c asn1: Add some early returns
       via  165e6ff asn1: Add overflow check to asn1_write
       via  afd0849 asn1: Make asn1_peek_full_tag return 0/errno
       via  8a8d380 asn1: Remove an unused asn1 function
       via  7d64f42 Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credendials fields are not intialized.
       via  d2bf0f7 s4:rpc_server: pass the remote address to gensec_set_remote_address()
       via  810817f lib/util: globally include herrors in error.h
       via  fc0df96 s4:selftest: run rpc.netlogon.admin against also ad_dc
       via  c8a3e03 lib/tls: Change default supported TLS versions.
       via  839452e lib/tls: Add new 'tls priority' option
       via  986b2a6 docs: Explain that winbindd enforces smb signing by default.
       via  c4f578f torture: Free the temporary memory context
       via  6775efd torture: Correctly invalidate the memory ccache.
       via  618bf77 torture: Fix the usage of the MEMORY credential cache.
       via  16343ed Convert all uses of uint32/16/8 to _t in source3/rpc_client.
       via  f0dcb43 Convert all uses of uint32/16/8 to _t in source3/rpc_server.
       via  c685323 rpc_server: Fix CID 1035535 Uninitialized scalar variable
       via  2426e5d rpc_server: Fix CID 1035534 Uninitialized scalar variable
       via  73d868b libsmb: Print the principal name that we failed to kinit for.
       via  b99e5ba Convert all uint32/16/8 to _t in source3/libsmb.
       via  235da54 Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
       via  ecba7a9 s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  2cdcb2c s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  c227eb6 auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
       via  bbff988 heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
       via  59986c3 heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
       via  075ec8f heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
       via  4640ada heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
       via  f222d62 heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
       via  e84d1f0 heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
       via  bbc7426 dcerpc.idl: fix calculatin of uint16 secondary_address_size;
       via  c8342ed s4:pyrpc: remove pointless alter_context() method
       via  e2acb2e python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
       via  320bfd5 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
       via  8688510 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
       via  7a68f81 libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
       via  e5135c2 s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
       via  505c31e python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
       via  5235af3 python/samba/tests: move hexdump() from DNSTest to TestCase
       via  ac466c7 python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
       via  7427812 Implement TestCase.assertIsNotNone for python < 2.7.
       via  f994c97 Implement TestCase.assertIn for older versions of Python.
       via  478d84c Implement assertIsNone for Python < 2.7.
       via  8abd8be Handle skips when running on python2.6.
       via  44f45c3 Run cleanup after tearDown, for consistency with Python >= 2.7.
       via  17cbd88 Use samba TestCase so we get all compatibility functions on Python < 2.7.
       via  f4b7a42 Provide TestCase.assertIsInstance for python < 2.7.
       via  01b5c10 Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
       via  cc1b47c Add replacement addCleanup.
       via  72a7db4 Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
       via  5cc22fb Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
       via  d82a560 selftest/tests/*.py: remove use of testtools.
       via  775c1df Rename TestSkipped to Skiptest, consistent with Python 2.7.
       via  2dbf2f2 Avoid importing TestCase and TestSkipped from testtools.
       via  f8e78f9 s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
       via  858b4bd s4-tests: Print out what the error is in delete_force()
       via  2b8a89c python/samba/tests: don't lower case path names in connect_samdb()
       via  e28c482 s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
       via  427f202 Reduce number of places where sys.path is (possibly) updated for external module paths.
       via  417807e librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
       via  d8bd1cb lib/util: fix output format in dump_data*()
       via  6c5078c s4:pyrpc: add base.bind_time_features_syntax(features)
       via  d0ce818 librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
       via  1e2d23d librpc/rpc: add dcerpc_fault_from_nt_status()
       via  008d25b librpc/rpc: add faultcode to nt_status mappings
       via  9dddf6a midltests: add valid/midltests_DRS_EXTENSIONS.*
       via  0ef2b7a auth/credentials: anonymous should not try to use kerberos
       via  b1174ad s3:ntlm_auth: don't start gensec backend twice
       via  6e50231 auth/gensec: remove unused gensec_[un]wrap_packets() hooks
       via  941abd1 s4:auth/gensec: remove unused gensec_socket_init()
       via  58789c5 s4:auth/gensec: remove unused include of lib/socket/socket.h
       via  6bf16fc s4:auth/gensec: remove unused and untested cyrus_sasl module
       via  53c92ba s4:libcli/ldap: conversion to tstream
       via  b8405b3 s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
       via  fa70808 s4:lib/tls: fix tstream_tls_connect_send() define
       via  e6f746e s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
       via  c14fa4d s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
       via  6b4479b s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
       via  26405f1 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
       via  39431e5 s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
       via  983b0ea gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
       via  8e597a7 s4-gensec: Check if we have delegated credentials.
       via  7e7bfe1 s4:auth/gensec_gssapi: remove allow_warnings=True
       via  7bc4888 auth/kerberos: remove allow_warnings=True
       via  1b04d32 auth/kerberos: avoid compiler warnings
       via  4c5fe20 s4:lib/tls: remove allow_warnings=True
       via  0d4412a s4:lib/tls: add tls_cert_generate() prototype to tls.h
       via  4f3e283 s4:auth/gensec_gssapi: remove compiler warnings
       via  3c7f303 VERSION: Bump version up to 4.2.10...
      from  0dd1749 smbd: Only check dev/inode in open_directory, not the full stat()


- Log -----------------------------------------------------------------
commit 4882bdec1a70be79b610305a639aab4a64d95400
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 12 21:17:20 2016 +0200

    VERSION: Bump version up to 4.2.12
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 47f3a1f221508598a1f43f723d1b654bebee4c57
Merge: 0dd1749 cdf4f21
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 12 21:16:50 2016 +0200

    Merge tag 'samba-4.2.11' into v4-2-test
    samba: tag release samba-4.2.11
    Signed-off-by: Stefan Metzmacher <metze at samba.org>


Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  581 ++++-
 auth/credentials/credentials.c                     |    1 +
 auth/credentials/credentials.h                     |    5 +-
 auth/credentials/credentials_krb5.c                |    5 +-
 auth/credentials/credentials_ntlm.c                |   12 +-
 auth/gensec/gensec.c                               |  113 +-
 auth/gensec/gensec.h                               |   25 +-
 auth/gensec/gensec_internal.h                      |   19 +-
 auth/gensec/gensec_start.c                         |   18 +-
 auth/gensec/gensec_util.c                          |  118 +-
 auth/gensec/schannel.c                             |   22 +-
 auth/gensec/spnego.c                               |  357 ++-
 auth/gensec/wscript_build                          |    2 +-
 auth/kerberos/gssapi_helper.c                      |  395 +++
 auth/kerberos/gssapi_helper.h                      |   55 +
 auth/kerberos/gssapi_pac.c                         |   16 +-
 auth/kerberos/wscript_build                        |    3 +-
 auth/ntlmssp/gensec_ntlmssp.c                      |    9 +
 auth/ntlmssp/gensec_ntlmssp_server.c               |   44 +-
 auth/ntlmssp/ntlmssp.c                             |   91 +-
 auth/ntlmssp/ntlmssp.h                             |   17 +
 auth/ntlmssp/ntlmssp_client.c                      |  534 +++-
 auth/ntlmssp/ntlmssp_ndr.c                         |    1 +
 auth/ntlmssp/ntlmssp_private.h                     |   10 +-
 auth/ntlmssp/ntlmssp_server.c                      |  422 +++-
 auth/ntlmssp/ntlmssp_sign.c                        |  103 +-
 auth/ntlmssp/ntlmssp_util.c                        |  176 +-
 auth/ntlmssp/wscript_build                         |    2 +-
 .../ldap/ldapserverrequirestrongauth.xml           |   26 +
 .../smbdotconf/protocol/clientipcmaxprotocol.xml   |   29 +
 .../smbdotconf/protocol/clientipcminprotocol.xml   |   29 +
 docs-xml/smbdotconf/protocol/clientmaxprotocol.xml |    9 +-
 docs-xml/smbdotconf/protocol/clientminprotocol.xml |    6 +
 docs-xml/smbdotconf/protocol/clientusespnego.xml   |    5 +
 .../security/allowdcerpcauthlevelconnect.xml       |   27 +
 docs-xml/smbdotconf/security/clientipcsigning.xml  |   26 +
 docs-xml/smbdotconf/security/clientntlmv2auth.xml  |    5 +
 docs-xml/smbdotconf/security/clientsigning.xml     |   13 +-
 docs-xml/smbdotconf/security/rawntlmv2auth.xml     |   19 +
 docs-xml/smbdotconf/security/serversigning.xml     |    2 +-
 docs-xml/smbdotconf/security/tlspriority.xml       |   22 +
 docs-xml/smbdotconf/security/tlsverifypeer.xml     |   47 +
 lib/param/loadparm.c                               |   48 +-
 lib/param/loadparm.h                               |    6 +
 lib/param/param_table.c                            |   91 +
 lib/util/asn1.c                                    |  109 +-
 lib/util/asn1.h                                    |   25 +-
 lib/util/tests/asn1_tests.c                        |    6 +-
 lib/util/util.c                                    |    2 +-
 lib/util/util_net.c                                |  247 +-
 lib/util/util_net.h                                |    1 +
 libcli/auth/proto.h                                |    6 +
 libcli/auth/smbencrypt.c                           |  170 +-
 libcli/auth/spnego.h                               |    8 +-
 libcli/auth/spnego_parse.c                         |   55 +-
 libcli/cldap/cldap.c                               |   12 +-
 libcli/ldap/ldap_message.c                         |   32 +-
 libcli/smb/smbXcli_base.c                          |    1 +
 libcli/smb/smb_constants.h                         |    1 +
 libcli/smb/smb_signing.c                           |    4 +
 libcli/smb/tstream_smbXcli_np.c                    |   12 +-
 libcli/util/error.h                                |    1 +
 librpc/idl/dcerpc.idl                              |   17 +-
 librpc/idl/epmapper.idl                            |    2 +-
 librpc/idl/ntlmssp.idl                             |   48 +-
 librpc/idl/security.idl                            |   18 +-
 librpc/ndr/ndr_basic.c                             |   39 +-
 librpc/ndr/ndr_ntlmssp.c                           |   16 +
 librpc/ndr/ndr_ntlmssp.h                           |    2 +
 librpc/rpc/binding.c                               |    2 +-
 librpc/rpc/dcerpc_error.c                          |  164 +-
 librpc/rpc/dcerpc_util.c                           |  204 +-
 librpc/rpc/rpc_common.h                            |   40 +-
 nsswitch/libwbclient/wbc_pam.c                     |   21 +-
 nsswitch/winbind_struct_protocol.h                 |    1 +
 python/samba/tests/__init__.py                     |  685 ++++-
 python/samba/tests/dcerpc/bare.py                  |   13 +-
 python/samba/tests/dcerpc/dnsserver.py             |    2 +-
 python/samba/tests/dcerpc/raw_protocol.py          | 2623 ++++++++++++++++++++
 python/samba/tests/dcerpc/srvsvc.py                |    6 +-
 python/samba/tests/dns.py                          |   12 -
 python/samba/tests/docs.py                         |    3 +-
 python/samba/tests/ntacls.py                       |    7 +-
 python/samba/tests/subunitrun.py                   |    4 +-
 python/samba/tests/xattr.py                        |   10 +-
 selftest/filter-subunit                            |   11 +-
 selftest/format-subunit                            |   10 +-
 selftest/knownfail                                 |   30 +
 .../DC-localdc.samba.example.com-S00-cert.pem      |  190 ++
 .../DC-localdc.samba.example.com-S00-key.pem       |   54 +
 .../DC-localdc.samba.example.com-S00-openssl.cnf   |  250 ++
 ...C-localdc.samba.example.com-S00-private-key.pem |   51 +
 .../DC-localdc.samba.example.com-S00-req.pem       |   30 +
 .../DC-localdc.samba.example.com-cert.pem          |    1 +
 .../DC-localdc.samba.example.com-private-key.pem   |    1 +
 ...ugindc.plugindom.samba.example.com-S02-cert.pem |  191 ++
 ...lugindc.plugindom.samba.example.com-S02-key.pem |   54 +
 ...ndc.plugindom.samba.example.com-S02-openssl.cnf |  250 ++
 ...plugindom.samba.example.com-S02-private-key.pem |   51 +
 ...lugindc.plugindom.samba.example.com-S02-req.pem |   30 +
 ...C-plugindc.plugindom.samba.example.com-cert.pem |    1 +
 ...ndc.plugindom.samba.example.com-private-key.pem |    1 +
 .../manage-ca/CA-samba.example.com/NewCerts/00.pem |  190 ++
 .../manage-ca/CA-samba.example.com/NewCerts/01.pem |  169 ++
 .../manage-ca/CA-samba.example.com/NewCerts/02.pem |  191 ++
 .../manage-ca/CA-samba.example.com/NewCerts/03.pem |  170 ++
 .../Private/CA-samba.example.com-crlnumber.txt     |    1 +
 .../Private/CA-samba.example.com-crlnumber.txt.old |    1 +
 .../Private/CA-samba.example.com-index.txt         |    4 +
 .../Private/CA-samba.example.com-index.txt.attr    |    1 +
 .../CA-samba.example.com-index.txt.attr.old        |    1 +
 .../Private/CA-samba.example.com-index.txt.old     |    3 +
 .../Private/CA-samba.example.com-openssl.cnf       |  203 ++
 .../Private/CA-samba.example.com-private-key.pem   |  102 +
 .../Private/CA-samba.example.com-serial.txt        |    1 +
 .../Private/CA-samba.example.com-serial.txt.old    |    1 +
 .../Public/CA-samba.example.com-cert.pem           |   62 +
 .../Public/CA-samba.example.com-crl.pem            |   32 +
 ...trator at plugindom.samba.example.com-S03-cert.pem |  170 ++
 ...strator at plugindom.samba.example.com-S03-key.pem |   30 +
 ...tor at plugindom.samba.example.com-S03-openssl.cnf |  242 ++
 ...plugindom.samba.example.com-S03-private-key.pem |   27 +
 ...strator at plugindom.samba.example.com-S03-req.pem |   19 +
 ...inistrator at plugindom.samba.example.com-cert.pem |    1 +
 ...tor at plugindom.samba.example.com-private-key.pem |    1 +
 ...ER-administrator at samba.example.com-S01-cert.pem |  169 ++
 ...SER-administrator at samba.example.com-S01-key.pem |   30 +
 ...administrator at samba.example.com-S01-openssl.cnf |  242 ++
 ...nistrator at samba.example.com-S01-private-key.pem |   27 +
 ...SER-administrator at samba.example.com-S01-req.pem |   19 +
 .../USER-administrator at samba.example.com-cert.pem  |    1 +
 ...administrator at samba.example.com-private-key.pem |    1 +
 selftest/manage-ca/manage-CA-samba.example.com.cnf |   21 +
 selftest/manage-ca/manage-CA-samba.example.com.sh  |   18 +
 selftest/manage-ca/manage-ca.sh                    |  387 +++
 .../manage-CA-example.com.cnf                      |   17 +
 .../openssl-BASE-template.cnf                      |  201 ++
 .../manage-ca.templates.d/openssl-CA-template.cnf  |    2 +
 .../manage-ca.templates.d/openssl-DC-template.cnf  |   49 +
 .../openssl-USER-template.cnf                      |   41 +
 selftest/selftest.pl                               |   40 +
 selftest/target/Samba.pm                           |  105 +
 selftest/target/Samba3.pm                          |    1 +
 selftest/target/Samba4.pm                          |  233 +-
 selftest/tests/__init__.py                         |    2 -
 selftest/tests/test_run.py                         |    2 +-
 selftest/tests/test_samba.py                       |    2 +-
 selftest/tests/test_socket_wrapper.py              |    2 +-
 selftest/tests/test_target.py                      |    2 +-
 selftest/tests/test_testlist.py                    |    2 +-
 source3/auth/auth_domain.c                         |    2 +-
 source3/auth/auth_samba4.c                         |    4 +-
 source3/auth/auth_util.c                           |   15 +
 source3/include/ads.h                              |   30 +-
 source3/include/auth_generic.h                     |    7 +-
 source3/include/proto.h                            |   48 +-
 source3/lib/netapi/cm.c                            |    2 +-
 source3/lib/tldap.c                                |    6 +-
 source3/libads/ads_ldap_protos.h                   |    6 +-
 source3/libads/ads_proto.h                         |   11 +-
 source3/libads/ads_status.c                        |    6 +-
 source3/libads/ads_status.h                        |    2 +-
 source3/libads/disp_sec.c                          |    4 +-
 source3/libads/ldap.c                              |  163 +-
 source3/libads/ldap_printer.c                      |    4 +-
 source3/libads/ldap_utils.c                        |   10 +-
 source3/libads/sasl.c                              |  706 ++----
 source3/libads/sasl_wrapping.c                     |    2 +-
 source3/libnet/libnet_join.c                       |    6 +-
 source3/librpc/crypto/gse.c                        |  394 ++-
 source3/librpc/rpc/dcerpc.h                        |   10 +-
 source3/librpc/rpc/dcerpc_helpers.c                |   98 +-
 source3/libsmb/auth_generic.c                      |   51 +-
 source3/libsmb/cliconnect.c                        |  674 ++---
 source3/libsmb/clidgram.c                          |    2 +-
 source3/libsmb/clientgen.c                         |   11 +-
 source3/libsmb/clierror.c                          |    6 +-
 source3/libsmb/clifsinfo.c                         |   22 +-
 source3/libsmb/clilist.c                           |    6 +-
 source3/libsmb/clirap.c                            |   26 +-
 source3/libsmb/clirap.h                            |   48 +-
 source3/libsmb/clirap2.c                           |   30 +-
 source3/libsmb/clisecdesc.c                        |    4 +-
 source3/libsmb/clispnego.c                         |  283 +--
 source3/libsmb/libsmb_dir.c                        |   18 +-
 source3/libsmb/libsmb_file.c                       |    6 +-
 source3/libsmb/libsmb_misc.c                       |    4 +-
 source3/libsmb/libsmb_server.c                     |    2 +-
 source3/libsmb/libsmb_stat.c                       |   10 +-
 source3/libsmb/libsmb_xattr.c                      |   14 +-
 source3/libsmb/namequery.c                         |    4 +-
 source3/libsmb/nmblib.c                            |    2 +-
 source3/libsmb/ntlmssp.c                           |  765 ------
 source3/libsmb/ntlmssp_wrap.c                      |  135 -
 source3/libsmb/passchange.c                        |    7 +-
 source3/libsmb/proto.h                             |   26 +-
 source3/libsmb/samlogon_cache.c                    |    2 +-
 source3/libsmb/smb_share_modes.c                   |   18 +-
 source3/libsmb/smbsock_connect.c                   |    2 +-
 source3/pam_smbpass/wscript_build                  |    2 +-
 source3/param/loadparm.c                           |   44 +-
 source3/rpc_client/cli_lsarpc.c                    |    4 +-
 source3/rpc_client/cli_lsarpc.h                    |    4 +-
 source3/rpc_client/cli_netlogon.c                  |    4 +-
 source3/rpc_client/cli_netlogon.h                  |    2 +-
 source3/rpc_client/cli_pipe.c                      |  327 ++-
 source3/rpc_client/rpc_client.h                    |    4 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c        |   57 +-
 source3/rpc_server/rpc_handles.c                   |    7 +-
 source3/rpc_server/rpc_ncacn_np.c                  |    3 +-
 source3/rpc_server/rpc_pipes.h                     |   11 +
 source3/rpc_server/rpc_server.c                    |   12 +
 source3/rpc_server/samr/srv_samr_nt.c              |   21 +-
 source3/rpc_server/srv_access_check.c              |    6 +-
 source3/rpc_server/srv_access_check.h              |    4 +-
 source3/rpc_server/srv_pipe.c                      |  502 ++--
 source3/rpcclient/rpcclient.c                      |    5 +-
 source3/script/tests/test_ntlm_auth_s3.sh          |    2 +
 source3/script/tests/test_rpcclient_samlogon.sh    |   11 +-
 source3/script/tests/test_smbclient_auth.sh        |   11 +
 source3/selftest/tests.py                          |    7 +-
 source3/smbd/negprot.c                             |    6 +-
 source3/smbd/sesssetup.c                           |    4 +-
 source3/smbd/smb2_negprot.c                        |   10 +-
 source3/smbd/smb2_sesssetup.c                      |    3 +-
 source3/torture/test_ntlm_auth.py                  |  553 +++--
 source3/utils/net_ads.c                            |    2 +-
 source3/utils/net_rpc.c                            |    2 +-
 source3/utils/net_util.c                           |    2 +-
 source3/utils/ntlm_auth.c                          |  819 +-----
 source3/winbindd/winbindd_ccache_access.c          |   44 +-
 source3/winbindd/winbindd_cm.c                     |    6 +-
 source3/winbindd/winbindd_dual_srv.c               |    2 +-
 source3/wscript_build                              |   10 +-
 source4/auth/gensec/cyrus_sasl.c                   |  452 ----
 source4/auth/gensec/gensec_gssapi.c                |  322 +--
 source4/auth/gensec/gensec_gssapi.h                |    1 -
 source4/auth/gensec/gensec_krb5.c                  |   12 +-
 source4/auth/gensec/gensec_socket.h                |   28 -
 source4/auth/gensec/pygensec.c                     |   83 +
 source4/auth/gensec/socket.c                       |  435 ----
 source4/auth/gensec/wscript_build                  |   14 +-
 source4/auth/ntlm/auth_util.c                      |    4 +-
 source4/auth/wscript_configure                     |    4 -
 source4/dsdb/tests/python/dsdb_schema_info.py      |    3 +-
 source4/heimdal/lib/gssapi/krb5/aeap.c             |   98 +-
 source4/heimdal/lib/gssapi/krb5/arcfour.c          |  645 ++++-
 source4/heimdal/lib/gssapi/krb5/decapsulate.c      |    3 +
 source4/heimdal_build/wscript_configure            |    1 +
 source4/ldap_server/ldap_bind.c                    |   50 +-
 source4/ldap_server/ldap_server.c                  |    7 +
 source4/ldap_server/ldap_server.h                  |    2 +
 source4/lib/tls/tls.c                              |    2 +-
 source4/lib/tls/tls.h                              |   32 +-
 source4/lib/tls/tls_tstream.c                      |  288 ++-
 source4/lib/tls/tlscert.c                          |   19 +-
 source4/lib/tls/wscript                            |    6 +-
 source4/libcli/cliconnect.c                        |    2 +-
 source4/libcli/ldap/ldap_bind.c                    |  125 +-
 source4/libcli/ldap/ldap_client.c                  |  443 ++--
 source4/libcli/ldap/ldap_client.h                  |   17 +-
 source4/libcli/ldap/ldap_controls.c                |   48 +-
 source4/libcli/ldap/wscript_build                  |    4 +-
 source4/libcli/raw/libcliraw.h                     |    1 +
 source4/libcli/raw/rawnegotiate.c                  |   11 +-
 source4/libcli/smb2/connect.c                      |    7 +-
 source4/libcli/smb_composite/connect.c             |    1 +
 source4/libcli/smb_composite/sesssetup.c           |   35 +-
 source4/librpc/rpc/dcerpc.c                        |  351 ++-
 source4/librpc/rpc/dcerpc.h                        |   14 +-
 source4/librpc/rpc/dcerpc_auth.c                   |   93 +-
 source4/librpc/rpc/dcerpc_connect.c                |   22 +
 source4/librpc/rpc/dcerpc_roh.c                    |   13 +-
 source4/librpc/rpc/dcerpc_util.c                   |   22 +-
 source4/librpc/rpc/pyrpc.c                         |   80 +-
 source4/param/loadparm.c                           |    3 +-
 source4/rpc_server/backupkey/dcesrv_backupkey.c    |   13 +-
 source4/rpc_server/common/reply.c                  |   49 +-
 source4/rpc_server/dcerpc_server.c                 |  812 ++++--
 source4/rpc_server/dcerpc_server.h                 |   57 +-
 source4/rpc_server/dcesrv_auth.c                   |  275 +-
 source4/rpc_server/dcesrv_mgmt.c                   |    8 +
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |    8 +
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c        |    8 +
 source4/rpc_server/echo/rpc_echo.c                 |    7 +
 source4/rpc_server/epmapper/rpc_epmapper.c         |    8 +
 source4/rpc_server/handles.c                       |    8 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |    8 +
 source4/rpc_server/lsa/lsa_lookup.c                |   12 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |   46 +-
 source4/rpc_server/remote/dcesrv_remote.c          |    8 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   12 +
 source4/rpc_server/samr/samr_password.c            |   25 +-
 source4/selftest/tests.py                          |   77 +-
 source4/smb_server/smb/negprot.c                   |    6 +-
 source4/smb_server/smb/sesssetup.c                 |   10 +
 source4/smb_server/smb2/negprot.c                  |    7 +-
 source4/smb_server/smb2/sesssetup.c                |    8 -
 source4/torture/basic/base.c                       |   20 +-
 source4/torture/drs/python/drs_base.py             |    6 +-
 source4/torture/ndr/ntlmssp.c                      |  181 +-
 source4/torture/raw/samba3misc.c                   |    7 +
 source4/torture/rpc/alter_context.c                |    2 +-
 source4/torture/rpc/backupkey.c                    |   21 +-
 source4/torture/rpc/forest_trust.c                 |   12 +-
 source4/torture/rpc/netlogon.c                     |  101 +-
 source4/torture/rpc/netlogon.h                     |    7 +
 source4/torture/rpc/remote_pac.c                   |  121 +-
 source4/torture/rpc/samba3rpc.c                    |   75 +-
 source4/torture/rpc/samlogon.c                     |    3 +-
 source4/torture/rpc/samr.c                         |    4 +-
 source4/torture/rpc/schannel.c                     |   29 +-
 source4/torture/rpc/testjoin.c                     |   35 +-
 source4/winbind/wb_pam_auth.c                      |    4 +-
 source4/winbind/wb_samba3_cmd.c                    |    9 +-
 testprogs/blackbox/test_ldb.sh                     |    3 +
 testprogs/blackbox/test_ldb_simple.sh              |   41 +
 .../midltests/valid/midltests_DRS_EXTENSIONS.idl   |   64 +
 .../midltests/valid/midltests_DRS_EXTENSIONS.out   |   43 +
 wscript_configure_system_mitkrb5                   |    4 +-
 321 files changed, 17822 insertions(+), 7115 deletions(-)
 create mode 100644 auth/kerberos/gssapi_helper.c
 create mode 100644 auth/kerberos/gssapi_helper.h
 create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
 create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
 create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
 create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
 create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
 create mode 100644 docs-xml/smbdotconf/security/tlspriority.xml
 create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
 create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
 create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
 create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
 create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
 create mode 100755 selftest/manage-ca/manage-ca.sh
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
 create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
 delete mode 100644 source3/libsmb/ntlmssp.c
 delete mode 100644 source3/libsmb/ntlmssp_wrap.c
 delete mode 100644 source4/auth/gensec/cyrus_sasl.c
 delete mode 100644 source4/auth/gensec/gensec_socket.h
 delete mode 100644 source4/auth/gensec/socket.c
 create mode 100755 testprogs/blackbox/test_ldb_simple.sh
 create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.idl
 create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.out

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 2492fbd..df0db6d 100644
@@ -25,7 +25,7 @@
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f03be3a..ecb5fe6 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,580 @@
+                   ==============================
+                   Release Notes for Samba 4.2.11
+                           April 12, 2016
+                   ==============================
+This is a security release containing one additional
+regression fix for the security release 4.2.10.
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+Changes since 4.2.10:
+o  Stefan Metzmacher <metze at samba.org>
+   * Bug 11804 - prerequisite backports for the security release on
+     April 12th, 2016
+Release notes for the original 4.2.10 release follows:
+                   ==============================
+                   Release Notes for Samba 4.2.10
+                           April 12, 2016
+                   ==============================
+This is a security release in order to address the following CVEs:
+o  CVE-2015-5370 (Multiple errors in DCE-RPC code)
+o  CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+o  CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+o  CVE-2016-2112 (LDAP client and server don't enforce integrity)
+o  CVE-2016-2113 (Missing TLS certificate validation)
+o  CVE-2016-2114 ("server signing = mandatory" not enforced)
+o  CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+o  CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+o  CVE-2015-5370
+   Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+   denial of service attacks (crashes and high cpu consumption)
+   in the DCE-RPC client and server implementations. In addition,
+   errors in validation of the DCE-RPC packets can lead to a downgrade
+   of a secure connection to an insecure one.
+   While we think it is unlikely, there's a nonzero chance for
+   a remote code execution attack against the client components,
+   which are used by smbd, winbindd and tools like net, rpcclient and
+   others. This may gain root access to the attacker.
+   The above applies all possible server roles Samba can operate in.
+   Note that versions before 3.6.0 had completely different marshalling
+   functions for the generic DCE-RPC layer. It's quite possible that
+   that code has similar problems!
+   The downgrade of a secure connection to an insecure one may
+   allow an attacker to take control of Active Directory object
+   handles created on a connection created from an Administrator
+   account and re-use them on the now non-privileged connection,
+   compromising the security of the Samba AD-DC.
+o  CVE-2016-2110:
+   There are several man in the middle attacks possible with
+   NTLMSSP authentication.
+   can be cleared by a man in the middle.
+   This was by protocol design in earlier Windows versions.
+   Windows Server 2003 RTM and Vista RTM introduced a way
+   to protect against the trivial downgrade.
+   See MsvAvFlags and flag 0x00000002 in
+   https://msdn.microsoft.com/en-us/library/cc236646.aspx
+   This new feature also implies support for a mechlistMIC
+   when used within SPNEGO, which may prevent downgrades
+   from other SPNEGO mechs, e.g. Kerberos, if sign or
+   seal is finally negotiated.
+   The Samba implementation doesn't enforce the existence of
+   required flags, which were requested by the application layer,
+   e.g. LDAP or SMB1 encryption (via the unix extensions).
+   As a result a man in the middle can take over the connection.
+   It is also possible to misguide client and/or
+   server to send unencrypted traffic even if encryption
+   was explicitly requested.
+   LDAP (with NTLMSSP authentication) is used as a client
+   by various admin tools of the Samba project,
+   e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+   As an active directory member server LDAP is also used
+   by the winbindd service when connecting to domain controllers.
+   Samba also offers an LDAP server when running as
+   active directory domain controller.
+   The NTLMSSP authentication used by the SMB1 encryption
+   is protected by smb signing, see CVE-2015-5296.
+o  CVE-2016-2111:
+   It's basically the same as CVE-2015-0005 for Windows:
+     The NETLOGON service in Microsoft Windows Server 2003 SP2,
+     Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+     and R2, when a Domain Controller is configured, allows remote
+     attackers to spoof the computer name of a secure channel's
+     endpoint, and obtain sensitive session information, by running a
+     crafted application and leveraging the ability to sniff network
+     traffic, aka "NETLOGON Spoofing Vulnerability".
+   The vulnerability in Samba is worse as it doesn't require
+   credentials of a computer account in the domain.
+   This only applies to Samba running as classic primary domain controller,
+   classic backup domain controller or active directory domain controller.
+   The security patches introduce a new option called "raw NTLMv2 auth"
+   ("yes" or "no") for the [global] section in smb.conf.
+   Samba (the smbd process) will reject client using raw NTLMv2
+   without using NTLMSSP.
+   Note that this option also applies to Samba running as
+   standalone server and member server.
+   You should also consider using "lanman auth = no" (which is already the default)
+   and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+   as they might impact compatibility with older clients. These also
+   apply for all server roles.
+o  CVE-2016-2112:
+   Samba uses various LDAP client libraries, a builtin one and/or the system
+   ldap libraries (typically openldap).
+   As active directory domain controller Samba also provides an LDAP server.
+   Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+   for LDAP connections, including possible integrity (sign) and privacy (seal)
+   protection.
+   Samba has support for an option called "client ldap sasl wrapping" since version
+   3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+   Tools using the builtin LDAP client library do not obey the
+   "client ldap sasl wrapping" option. This applies to tools like:
+   "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+   options like "--sign" and "--encrypt". With the security update they will
+   also obey the "client ldap sasl wrapping" option as default.
+   In all cases, even if explicitly request via "client ldap sasl wrapping",
+   "--sign" or "--encrypt", the protection can be downgraded by a man in the
+   middle.
+   The LDAP server doesn't have an option to enforce strong authentication
+   yet. The security patches will introduce a new option called
+   "ldap server require strong auth", possible values are "no",
+   "allow_sasl_over_tls" and "yes".
+   As the default behavior was as "no" before, you may
+   have to explicitly change this option until all clients have
+   been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+   Windows clients and Samba member servers already use
+   integrity protection.
+o  CVE-2016-2113:
+   Samba has support for TLS/SSL for some protocols:
+   ldap and http, but currently certificates are not
+   validated at all. While we have a "tls cafile" option,
+   the configured certificate is not used to validate
+   the server certificate.
+   This applies to ldaps:// connections triggered by tools like:
+   "ldbsearch", "ldbedit" and more. Note that it only applies
+   to the ldb tools when they are built as part of Samba or with Samba
+   extensions installed, which means the Samba builtin LDAP client library is
+   used.
+   It also applies to dcerpc client connections using ncacn_http (with https://),
+   which are only used by the openchange project. Support for ncacn_http
+   was introduced in version 4.2.0.
+   The security patches will introduce a new option called
+   "tls verify peer". Possible values are "no_check", "ca_only",
+   "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+   If you use the self-signed certificates which are auto-generated
+   by Samba, you won't have a crl file and need to explicitly
+   set "tls verify peer = ca_and_name".
+o  CVE-2016-2114
+   Due to a regression introduced in Samba 4.0.0,
+   an explicit "server signing = mandatory" in the [global] section
+   of the smb.conf was not enforced for clients using the SMB1 protocol.
+   As a result it does not enforce smb signing and allows man in the middle attacks.
+   This problem applies to all possible server roles:
+   standalone server, member server, classic primary domain controller,
+   classic backup domain controller and active directory domain controller.
+   In addition, when Samba is configured with "server role = active directory domain controller"
+   the effective default for the "server signing" option should be "mandatory".
+   During the early development of Samba 4 we had a new experimental
+   file server located under source4/smb_server. But before
+   the final 4.0.0 release we switched back to the file server
+   under source3/smbd.
+   But the logic for the correct default of "server signing" was not
+   ported correctly ported.
+   Note that the default for server roles other than active directory domain
+   controller, is "off" because of performance reasons.
+o  CVE-2016-2115:
+   Samba has an option called "client signing", this is turned off by default
+   for performance reasons on file transfers.
+   This option is also used when using DCERPC with ncacn_np.
+   In order to get integrity protection for ipc related communication
+   by default the "client ipc signing" option is introduced.
+   The effective default for this new option is "mandatory".
+   In order to be compatible with more SMB server implementations,
+   the following additional options are introduced:
+   "client ipc min protocol" ("NT1" by default) and
+   "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+   These options overwrite the "client min protocol" and "client max protocol"
+   options, because the default for "client max protocol" is still "NT1".
+   The reason for this is the fact that all SMB2/3 support SMB signing,
+   while there are still SMB1 implementations which don't offer SMB signing
+   by default (this includes Samba versions before 4.0.0).
+   Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+   against active directory domain controllers despite of the
+   "client signing" and "client ipc signing" options.
+o  CVE-2016-2118 (a.k.a. BADLOCK):
+   The Security Account Manager Remote Protocol [MS-SAMR] and the
+   Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+   are both vulnerable to man in the middle attacks. Both are application level
+   protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+   These protocols are typically available on all Windows installations
+   as well as every Samba server. They are used to maintain
+   the Security Account Manager Database. This applies to all
+   roles, e.g. standalone, domain member, domain controller.
+   Any authenticated DCERPC connection a client initiates against a server
+   can be used by a man in the middle to impersonate the authenticated user
+   against the SAMR or LSAD service on the server.
+   The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+   and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+   in this case. A man in the middle can change auth level to CONNECT
+   (which means authentication without message protection) and take over
+   the connection.
+   As a result, a man in the middle is able to get read/write access to the
+   Security Account Manager Database, which reveals all passwords
+   and any other potential sensitive information.
+   Samba running as an active directory domain controller is additionally
+   missing checks to enforce PKT_PRIVACY for the
+   Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+   and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+   The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+   is not enforcing at least PKT_INTEGRITY.
+New smb.conf options
+  allow dcerpc auth level connect (G)
+    This option controls whether DCERPC services are allowed to be used with
+    DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+    message integrity nor privacy protection.
+    Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+    of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+    The behavior can be overwritten per interface name (e.g. lsarpc,
+    netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+    'allow dcerpc auth level connect:interface = yes' as option.
+    This option yields precedence to the implementation specific restrictions.
+    E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+    The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+    Default: allow dcerpc auth level connect = no
+    Example: allow dcerpc auth level connect = yes
+  client ipc signing (G)
+    This controls whether the client is allowed or required to use
+    SMB signing for IPC$ connections as DCERPC transport. Possible
+    values are auto, mandatory and disabled.
+    When set to mandatory or default, SMB signing is required.
+    When set to auto, SMB signing is offered, but not enforced and
+    if set to disabled, SMB signing is not offered either.
+    Connections from winbindd to Active Directory Domain Controllers
+    always enforce signing.
+    Default: client ipc signing = default
+  client ipc max protocol (G)
+    The value of the parameter (a string) is the highest protocol level that will
+    be supported for IPC$ connections as DCERPC transport.
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+    The value default refers to the latest supported protocol, currently SMB3_11.
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+    Default: client ipc max protocol = default
+    Example: client ipc max protocol = SMB2_10
+  client ipc min protocol (G)
+    This setting controls the minimum protocol version that the will be
+    attempted to use for IPC$ connections as DCERPC transport.
+    Normally this option should not be set as the automatic negotiation phase
+    in the SMB protocol takes care of choosing the appropriate protocol.
+    The value default refers to the higher value of NT1 and the
+    effective value of "client min protocol".
+    See client max protocol for a full list of available protocols.
+    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+    Default: client ipc min protocol = default
+    Example: client ipc min protocol = SMB3_11
+  ldap server require strong auth (G)
+    The ldap server require strong auth defines whether the
+    ldap server requires ldap traffic to be signed or
+    signed and encrypted (sealed). Possible values are no,
+    allow_sasl_over_tls and yes.
+    A value of no allows simple and sasl binds over all transports.
+    A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+    over TLS encrypted connections. Unencrypted connections only
+    allow sasl binds with sign or seal.
+    A value of yes allows only simple binds over TLS encrypted connections.
+    Unencrypted connections only allow sasl binds with sign or seal.
+    Default: ldap server require strong auth = yes
+  raw NTLMv2 auth (G)
+    This parameter determines whether or not smbd(8) will allow SMB1 clients
+    without extended security (without SPNEGO) to use NTLMv2 authentication.
+    If this option, lanman auth and ntlm auth are all disabled, then only
+    clients with SPNEGO support will be permitted. That means NTLMv2 is only
+    supported within NTLMSSP.
+    Default: raw NTLMv2 auth = no
+  tls verify peer (G)
+    This controls if and how strict the client will verify the peer's
+    certificate and name. Possible values are (in increasing order): no_check,
+    ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+    When set to no_check the certificate is not verified at all,
+    which allows trivial man in the middle attacks.
+    When set to ca_only the certificate is verified to be signed from a ca
+    specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+    is required. The certificate lifetime is also verified. If the "tls crl file"
+    option is configured, the certificate is also verified against
+    the ca crl.
+    When set to ca_and_name_if_available all checks from ca_only are performed.
+    In addition, the peer hostname is verified against the certificate's
+    name, if it is provided by the application layer and not given as
+    an ip address string.
+    When set to ca_and_name all checks from ca_and_name_if_available are performed.
+    In addition the peer hostname needs to be provided and even an ip
+    address is checked against the certificate's name.
+    When set to as_strict_as_possible all checks from ca_and_name are performed.
+    In addition the "tls crl file" needs to be configured. Future versions
+    of Samba may implement additional checks.
+    Default: tls verify peer = as_strict_as_possible
+  tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+    This option can be set to a string describing the TLS protocols to be
+    supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+    The default turns off SSLv3, as this protocol is no longer considered
+    secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+    in HTTPS applications.
+    The valid options are described in the GNUTLS Priority-Strings
+    documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+    Default: tls priority = NORMAL:-VERS-SSL3.0
+Behavior changes
+o  The default auth level for authenticated binds has changed from
+   That means ncacn_ip_tcp:server is now implicitly the same
+   as ncacn_ip_tcp:server[sign] and offers a similar protection
+   as ncacn_np:server, which relies on smb signing.
+o  The following constraints are applied to SMB1 connections:
+   - "client lanman auth = yes" is now consistently
+     required for authenticated connections using the
+     SMB1 LANMAN2 dialect.
+   - "client ntlmv2 auth = yes" and "client use spnego = yes"
+     (both the default values), require extended security (SPNEGO)
+     support from the server. That means NTLMv2 is only used within
+     NTLMSSP.
+o  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+   default of "client ldap sasl wrapping = sign". Even with
+   "client ldap sasl wrapping = plain" they will automatically upgrade
+   to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+   server.
+Changes since 4.2.9:
+o  Jeremy Allison <jra at samba.org>

Samba Shared Repository

More information about the samba-cvs mailing list