[SCM] Samba Shared Repository - branch v4-2-test updated
Stefan Metzmacher
metze at samba.org
Tue Apr 12 19:18:08 UTC 2016
The branch, v4-2-test has been updated
via 4882bde VERSION: Bump version up to 4.2.12
via 47f3a1f Merge tag 'samba-4.2.11' into v4-2-test
via cdf4f21 VERSION: Disable git snapshots for the 4.2.11 release.
via aada3ea WHATSNEW: Add release notes for Samba 4.2.11.
via 96331b2 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
via cb48e70 VERSION: Bump version up to 4.2.11...
via 343f384 VERSION: Disable git snapshots for the 4.2.10 release.
via 5f0e4f1 WHATSNEW: Add release notes for Samba 4.2.10.
via b065ce6 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against plugin_s4_dc
via 88e9a0a CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
via df411cb CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
via 284894c CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
via 024d3b2 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
via 8e0b06a CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
via 3ef461d CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
via 93a0f92 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
via 0cf3151 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
via 61faaa6 CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
via 2bc6172 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
via ae68d3f CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
via cbf20b4 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
via f556d92 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
via a995740 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
via 9464684 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
via 02aef97 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
via d30363f CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
via 8d97085 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
via 664d7ac CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
via e39fdce CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
via 1e6b4ab CVE-2015-5370: s3:rpc_server: verify presentation context arrays
via cdefee1 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
via 0239bfa CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
via 63d21d2 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
via 8c96ef7 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
via 69280e6 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
via 25bf597 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
via af2582e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
via 189c0fb CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
via 2a92546 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
via df51c22 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
via 9818296 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
via 81bbffa CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
via acea87f CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
via 19f489d CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
via df3cdf0 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
via 1ed83c7 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
via 14a7db6 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
via 71d1c9f CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
via e601549 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
via fbf402c CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
via dd8c942 CVE-2015-5370: s4:rpc_server: check frag_length for requests
via 74de5d8 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
via 772ba3f CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
via 9dd171f CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
via d5916e0 CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
via 5ac7fc8 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
via b430b1f CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
via 0863c95 CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
via 9a52709 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
via 1da3379 CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
via b51da52 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
via eb3f8a5 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
via 0d20260 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
via b40ab6b CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
via 409b8fd CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
via 358af62 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
via f3c68c6 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
via 0f4a3c3 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
via 97a19d9 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
via 494ba35 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
via 2cf79f9 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
via ec8b2a3 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
via d7f0712 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
via 1780b43 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
via 77e7d19 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
via 2f0c9d6 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
via b075822 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
via c784fcd CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
via 8e8c2da CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
via c0236de CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
via b91112d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
via 69c7776 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
via 1e88acf CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
via a1c6916 CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
via e767733 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
via 9a3f045 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
via 665b874 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
via 8266be4 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
via 2240a39 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
via 0f7bb07 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
via 84d8692 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
via e5a4d9a CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
via a20f132 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
via 630dcb5 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
via 045e9b4 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
via d61cd59 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
via 9153fc5 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
via b26aabe CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
via d6c4dde CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
via 2d2243c CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
via fce895b CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
via 17d9204 CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
via 416f383 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 3410c21 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
via 2b1f995 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
via d33cb24 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
via e34628f CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
via f0b5e62 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
via dbb5220 CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
via dd32cfc CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
via b6e3f0c CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
via ee77128 CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
via bbc9a16 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 5a9aa81 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
via 29ab0d9 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
via db01cab CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via ad99552 CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
via 7847ee8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
via 52aa7b6 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via dab41de CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
via ddbcb11 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
via 889162a CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
via 08ca648 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
via 1f3708a CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
via 1c06e92 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
via 8ee232f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
via 27939fc CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
via 54c9e0d CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
via bf4259a CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
via ba52792 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
via 7790d38 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
via 15417d6 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
via 95e334b CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
via 2e3bcb7 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
via 7f4be89 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
via b7ea999 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
via 1c24db6 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
via 1afcdaa CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
via a8dc7d6 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
via 543b97d CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
via 32d1130 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
via d5d1d63 CVE-2016-2115: docs-xml: add "client ipc signing" option
via 7c7f42f CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 4eefd40 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
via 5fb616a CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
via a6ab8e7 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
via dfffc46 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
via 87d7973 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
via 141d4ac CVE-2016-2114: s4:smb2_server: fix session setup with required signing
via ae4b827 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
via dcf61e4 CVE-2016-2113: selftest: use "tls verify peer = no_check"
via 64f8f67 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
via 95da9fc CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
via 3a73092 CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
via da2065e CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
via d2d2236 CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
via f3d752f CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
via b8c5862 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
via 1c25d638a CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
via 0a1d2b4 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
via 16472fc CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
via ded3595 CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
via 59c4273 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
via 5a5bede CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
via 2612783 CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
via efd47e4 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
via 5a26043 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
via 6256822 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
via f8c3a46 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
via 190de2d CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
via 8e63804 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
via 799557f CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
via 531c5aa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
via 9d6ffb3 CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
via 2ee2de4 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
via f5e066c CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
via 270f04c CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via b0c0ffe CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
via 9b983ae CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
via 1e35c14 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
via 2608fb3 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
via 9f39d0f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
via 7188b6a CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
via b1bcc58 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
via ba33643 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
via c741e86 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 9aae9b11 CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
via 610229e CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
via eafd2ce CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
via 7f74142 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
via 96e93b8 CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via 40397d1 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
via fec6dae CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
via 98c1677 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
via fd1c98f CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
via 2e11c70 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
via 280a371 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
via 65bd884 CVE-2016-2110(<=4.2): auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via 48b24ce CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
via bb90457 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
via 530f0d1 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
via 741c532 CVE-2016-2110(<=4.2): auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 76318d5 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
via 3d783b7 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
via 3a8334d CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
via 22bf4ed CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
via 2e35e39 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
via 65deaae CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
via 639bd4d CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
via 0489a58 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
via a98f718 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
via c528a17 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
via e073b53 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
via 3c07679 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
via 9c171a5 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
via f78d549 CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
via 332d580 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
via b7d6410 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
via 2c6474b CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
via f789325 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
via 8dcd3cb CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag
via 8cd4741 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
via d1ebe5b s3:rpc_server/samr: correctly handle session_extract_session_key() failures
via 9981c0b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
via 6138f8b libads: Fix CID 1356316 Uninitialized pointer read
via 1993e69 libsmb: Fix CID 1356312 Explicit null dereferenced
via 6891eeb s3-auth: check for return code of cli_credentials_set_machine_account().
via 62f4ee1 s4-smb_server: check for return code of cli_credentials_set_machine_account().
via 3447148 s4:rpc_server: require access to the machine account credentials
via cceb49a auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
via 2b442ce auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
via 592baac s4:torture/rpc/schannel: don't use validation level 6 without privacy
via 89298e5 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
via e80d4f9 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
via 93863b8 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
via 2d70e9f s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
via 9be91a7 s3:test_rpcclient_samlogon.sh: test samlogon with schannel
via 5e8f48b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
via 1838e168 selftest: setup information of new samba.example.com CA in the client environment
via f40bc59 selftest: set tls crlfile if it exist
via 9452268 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
via 8b14e45 selftest: add Samba::prepare_keyblobs() helper function
via d93ff57 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
via 9030298 selftest: add CA-samba.example.com (non-binary) files
via 44b5d2d selftest: add config and script to create a samba.example.com CA
via 61e6ca8 selftest: add some helper scripts to manage a CA
via 66df1ed selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!
via ad389f1 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
via 8f0d8f4 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
via a99a012 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
via fc5c623 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
via 3393d9b s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
via 6ae0007 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
via 1989639 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
via 54dd7b7 s3:libsmb: remove unused functions in clispnego.c
via 28c23bd s3:libsmb: remove unused cli_session_setup_kerberos*() functions
via 1dd4e36 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
via ac680c1 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
via 68a32f1 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
via 80c665b s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
via d9c89a5 s3:libsmb: unused ntlmssp.c
via db624e4 s3:libsmb: make use of gensec based SPNEGO/NTLMSSP
via a427633 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
via 24a5cf6 s3:libads: keep service and hostname separately in ads_service_principal
via d4369e3 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
via a1476b9 s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
via 8c9308c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
via 8368d9d s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
via e5ca0c6 s3:libads: add missing TALLOC_FREE(frame) in error path
via 3fd5063 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
via 083682b s4:selftest: simplify the loops over samba4.ldb.ldap
via 04a81c9 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
via a2c24e2 s4:libcli/ldap: fix retry authentication after a bad password
via c531695 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
via 4a3c66d auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
via 1e19d98 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
via c4b08fb auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
via b63aa96 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
via 679b2c4 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
via f2600f5 librpc/ndr: add ndr_ntlmssp_find_av() helper function
via 7c7ee91 ntlmssp.idl: make AV_PAIR_LIST public
via 9176107 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
via 4222e9b security.idl: add LSAP_TOKEN_INFO_INTEGRITY
via a7243e3 auth/ntlmssp: use ntlmssp_version_blob() in the server
via 1526b7e auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
via 4f261d9 auth/ntlmssp: add ntlmssp_version_blob()
via e81031b auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
via d2b612d auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
via e487dba auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
via 7b39ef9 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
via 7b20770 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
via 9cfc310 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
via 637f37b winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
via 53f6f3d s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
via c5a25e8 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
via 653742d auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
via 0ece92e auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
via b3873ba s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
via 1742cec s3:auth_generic: make use of the top level NTLMSSP client code
via bdbcffc winbindd: pass a memory context to do_ntlm_auth_with_stored_pw()
via 23b65d6 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
via bf52fad selftest/knownfail: s4-winbind doesn't support cached ntlm credentials
via b981475 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
via 77d9b8c s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
via dd2a2b7 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
via 8acba3b auth/ntlmssp: add gensec_ntlmssp_server_domain()
via c6cbac8 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
via 0dd1f05 s3:auth_generic: add auth_generic_client_start_by_sasl()
via 7b92239 s3:auth_generic: add auth_generic_client_start_by_name()
via 933ca54 auth/gensec: make gensec_security_by_name() public
via 66b2e5d auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
via 3b0fc77 auth/gensec: keep a pointer to a possible child/sub gensec_security context
via 744e043 s4:pygensec: make sig_size() and sign/check_packet() available
via 3353447 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
via c1f6fe4 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
via ac9a891 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
via a881c5f s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
via 3b4608c s3:librpc/gse: fix debug message in gse_init_client()
via 41ca435 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
via b8fd2d0 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
via ff2a6f6 s3:libads: remove unused ads_connect_gc()
via 9b4eabb s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
via ebc2711 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
via 4d7fdf1 dcerpc.idl: make WERROR RPC faults available in ndr_print output
via 8104a49 epmapper.idl: make epm_twr_t available in python bindings
via 7e1a935 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
via 5e4be46 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
via cf4f1bc lib/util_net: add support for .ipv6-literal.net
via 76d4d9d lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
via 84e3a91 spnego: Correctly check asn1_tag_remaining retval
via 9ac8373 s4:torture/ntlmssp fix a compiler warning
via 3dd652e s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
via 7d30bb7 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
via ca3f4c3 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
via cc6803d s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
via 8a09a9e s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
via 31ec805 ntlmssp: when pulling messages it is important to clear memory first.
via c0f4c95 ntlmssp: properly document version defines in IDL (from MS-NLMP).
via 5bcd766 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
via 0973458 ntlmssp: add some missing defines from MS-NLMP to our IDL.
via 0a6405f tls: increase Diffie-Hellman group size to 2048 bits
via 88c76da s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
via 2c5ba35 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
via 2057efc s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
via 53988ca asn1: Make 'struct asn1_data' private
via d91415e asn1: Remove a reference to asn1_data internals
via 17d663a libcli: Remove a reference to asn1->ofs
via f7ea845 lib: Use asn1_current_ofs()
via f6a2ad0 asn1: Add asn1_current_ofs()
via 9e65ef3 lib: Use asn1_has_nesting
via 12396cf asn1: Add asn1_has_nesting
via 79280a3 lib: Use asn1_extract_blob()
via 2a8a339 asn1: Add asn1_extract_blob()
via 9c520e9 lib: Use asn1_set_error()
via a8b03c4 asn1: Add asn1_set_error()
via 3aba426 lib: Use asn1_has_error()
via 9d86ce3 asn1: Add asn1_has_error()
via afbef75 asn1: Make "struct nesting" private
via 6eca81c asn1: Add some early returns
via 165e6ff asn1: Add overflow check to asn1_write
via afd0849 asn1: Make asn1_peek_full_tag return 0/errno
via 8a8d380 asn1: Remove an unused asn1 function
via 7d64f42 Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credentials fields are not initialized.
via d2bf0f7 s4:rpc_server: pass the remote address to gensec_set_remote_address()
via 810817f lib/util: globally include herrors in error.h
via fc0df96 s4:selftest: run rpc.netlogon.admin against also ad_dc
via c8a3e03 lib/tls: Change default supported TLS versions.
via 839452e lib/tls: Add new 'tls priority' option
via 986b2a6 docs: Explain that winbindd enforces smb signing by default.
via c4f578f torture: Free the temporary memory context
via 6775efd torture: Correctly invalidate the memory ccache.
via 618bf77 torture: Fix the usage of the MEMORY credential cache.
via 16343ed Convert all uses of uint32/16/8 to _t in source3/rpc_client.
via f0dcb43 Convert all uses of uint32/16/8 to _t in source3/rpc_server.
via c685323 rpc_server: Fix CID 1035535 Uninitialized scalar variable
via 2426e5d rpc_server: Fix CID 1035534 Uninitialized scalar variable
via 73d868b libsmb: Print the principal name that we failed to kinit for.
via b99e5ba Convert all uint32/16/8 to _t in source3/libsmb.
via 235da54 Convert all uses of uint8/16/32 to uint8/16/32_t in the libads code.
via c892540 security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
via ecba7a9 s4:gensec/gssapi: make use of the added gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via 2cdcb2c s3:librpc/gse: make use of the added gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via c227eb6 auth/kerberos: add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
via bbff988 heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
via 59986c3 heimdal:lib/gssapi/krb5: split out an arcfour_mic_cksum_iov() function
via 075ec8f heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
via 4640ada heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
via f222d62 heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
via e84d1f0 heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
via bbc7426 dcerpc.idl: fix calculation of uint16 secondary_address_size;
via c8342ed s4:pyrpc: remove pointless alter_context() method
via e2acb2e python:samba/tests: don't use the x.alter_context() method in dcerpc/bare.py
via 320bfd5 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
via 8688510 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
via 7a68f81 libcli/smb: let tstream_smbXcli_np report connection errors as EPIPE instead of EIO
via e5135c2 s3:winbindd: use check dcerpc_binding_handle_is_connected() instead of a specific status
via 505c31e python/samba/tests: let the output of hexdump() match our C code in dump_data_cb()
via 5235af3 python/samba/tests: move hexdump() from DNSTest to TestCase
via ac466c7 python/samba/tests: add fallbacks for assert{Less,Greater}[Equal]()
via 7427812 Implement TestCase.assertIsNotNone for python < 2.7.
via f994c97 Implement TestCase.assertIn for older versions of Python.
via 478d84c Implement assertIsNone for Python < 2.7.
via 8abd8be Handle skips when running on python2.6.
via 44f45c3 Run cleanup after tearDown, for consistency with Python >= 2.7.
via 17cbd88 Use samba TestCase so we get all compatibility functions on Python < 2.7.
via f4b7a42 Provide TestCase.assertIsInstance for python < 2.7.
via 01b5c10 Use Samba TestCase class, as the python 2.6 one doesn't have assertIs, assertIsInstance or addCleanup.
via cc1b47c Add replacement addCleanup.
via 72a7db4 Add custom implementations of TestCase.assertIs and TestCase.assertIsNot, for Python2.6.
via 5cc22fb Fix use of TestCase.skipTest on python2.6 now that we no longer use testtools.
via d82a560 selftest/tests/*.py: remove use of testtools.
via 775c1df Rename TestSkipped to Skiptest, consistent with Python 2.7.
via 2dbf2f2 Avoid importing TestCase and TestSkipped from testtools.
via f8e78f9 s4-dsdb-test: Implement samdb_connect_env() to rely solely on environment
via 858b4bd s4-tests: Print out what the error is in delete_force()
via 2b8a89c python/samba/tests: don't lower case path names in connect_samdb()
via e28c482 s4-tests/env_loadparm: Throw KeyError in case SMB_CONF_PATH
via 427f202 Reduce number of places where sys.path is (possibly) updated for external module paths.
via 417807e librpc/ndr: make use of dump_data_cb() in ndr_dump_data()
via d8bd1cb lib/util: fix output format in dump_data*()
via 6c5078c s4:pyrpc: add base.bind_time_features_syntax(features)
via d0ce818 librpc/rpc: add dcerpc_[extract|construct]_bind_time_features()
via 1e2d23d librpc/rpc: add dcerpc_fault_from_nt_status()
via 008d25b librpc/rpc: add faultcode to nt_status mappings
via 9dddf6a midltests: add valid/midltests_DRS_EXTENSIONS.*
via 0ef2b7a auth/credentials: anonymous should not try to use kerberos
via b1174ad s3:ntlm_auth: don't start gensec backend twice
via 6e50231 auth/gensec: remove unused gensec_[un]wrap_packets() hooks
via 941abd1 s4:auth/gensec: remove unused gensec_socket_init()
via 58789c5 s4:auth/gensec: remove unused include of lib/socket/socket.h
via 6bf16fc s4:auth/gensec: remove unused and untested cyrus_sasl module
via 53c92ba s4:libcli/ldap: conversion to tstream
via b8405b3 s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
via fa70808 s4:lib/tls: fix tstream_tls_connect_send() define
via e6f746e s3:libads/sasl: use gensec_max_{input,wrapped}_size() in ads_sasl_spnego_ntlmssp_bind
via c14fa4d s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
via 6b4479b s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
via 26405f1 auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL
via 39431e5 s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
via 983b0ea gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
via 8e597a7 s4-gensec: Check if we have delegated credentials.
via 7e7bfe1 s4:auth/gensec_gssapi: remove allow_warnings=True
via 7bc4888 auth/kerberos: remove allow_warnings=True
via 1b04d32 auth/kerberos: avoid compiler warnings
via 4c5fe20 s4:lib/tls: remove allow_warnings=True
via 0d4412a s4:lib/tls: add tls_cert_generate() prototype to tls.h
via 4f3e283 s4:auth/gensec_gssapi: remove compiler warnings
via 3c7f303 VERSION: Bump version up to 4.2.10...
from 0dd1749 smbd: Only check dev/inode in open_directory, not the full stat()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit 4882bdec1a70be79b610305a639aab4a64d95400
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 12 21:17:20 2016 +0200
VERSION: Bump version up to 4.2.12
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 47f3a1f221508598a1f43f723d1b654bebee4c57
Merge: 0dd1749 cdf4f21
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 12 21:16:50 2016 +0200
Merge tag 'samba-4.2.11' into v4-2-test
samba: tag release samba-4.2.11
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 581 ++++-
auth/credentials/credentials.c | 1 +
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_krb5.c | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 25 +-
auth/gensec/gensec_internal.h | 19 +-
auth/gensec/gensec_start.c | 18 +-
auth/gensec/gensec_util.c | 118 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 357 ++-
auth/gensec/wscript_build | 2 +-
auth/kerberos/gssapi_helper.c | 395 +++
auth/kerberos/gssapi_helper.h | 55 +
auth/kerberos/gssapi_pac.c | 16 +-
auth/kerberos/wscript_build | 3 +-
auth/ntlmssp/gensec_ntlmssp.c | 9 +
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 +
auth/ntlmssp/ntlmssp_client.c | 534 +++-
auth/ntlmssp/ntlmssp_ndr.c | 1 +
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 422 +++-
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 +
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 +
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 +
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 +
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +
.../security/allowdcerpcauthlevelconnect.xml | 27 +
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +
docs-xml/smbdotconf/security/clientsigning.xml | 13 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 +
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlspriority.xml | 22 +
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 +
lib/param/loadparm.c | 48 +-
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 91 +
lib/util/asn1.c | 109 +-
lib/util/asn1.h | 25 +-
lib/util/tests/asn1_tests.c | 6 +-
lib/util/util.c | 2 +-
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 +
libcli/auth/proto.h | 6 +
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 55 +-
libcli/cldap/cldap.c | 12 +-
libcli/ldap/ldap_message.c | 32 +-
libcli/smb/smbXcli_base.c | 1 +
libcli/smb/smb_constants.h | 1 +
libcli/smb/smb_signing.c | 4 +
libcli/smb/tstream_smbXcli_np.c | 12 +-
libcli/util/error.h | 1 +
librpc/idl/dcerpc.idl | 17 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 18 +-
librpc/ndr/ndr_basic.c | 39 +-
librpc/ndr/ndr_ntlmssp.c | 16 +
librpc/ndr/ndr_ntlmssp.h | 2 +
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 164 +-
librpc/rpc/dcerpc_util.c | 204 +-
librpc/rpc/rpc_common.h | 40 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/__init__.py | 685 ++++-
python/samba/tests/dcerpc/bare.py | 13 +-
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 ++++++++++++++++++++
python/samba/tests/dcerpc/srvsvc.py | 6 +-
python/samba/tests/dns.py | 12 -
python/samba/tests/docs.py | 3 +-
python/samba/tests/ntacls.py | 7 +-
python/samba/tests/subunitrun.py | 4 +-
python/samba/tests/xattr.py | 10 +-
selftest/filter-subunit | 11 +-
selftest/format-subunit | 10 +-
selftest/knownfail | 30 +
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 ++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +
.../DC-localdc.samba.example.com-S00-req.pem | 30 +
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
...ugindc.plugindom.samba.example.com-S02-cert.pem | 191 ++
...lugindc.plugindom.samba.example.com-S02-key.pem | 54 +
...ndc.plugindom.samba.example.com-S02-openssl.cnf | 250 ++
...plugindom.samba.example.com-S02-private-key.pem | 51 +
...lugindc.plugindom.samba.example.com-S02-req.pem | 30 +
...C-plugindc.plugindom.samba.example.com-cert.pem | 1 +
...ndc.plugindom.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 ++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 170 ++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 ++
.../Private/CA-samba.example.com-private-key.pem | 102 +
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.pem | 62 +
.../Public/CA-samba.example.com-crl.pem | 32 +
...trator at plugindom.samba.example.com-S03-cert.pem | 170 ++
...strator at plugindom.samba.example.com-S03-key.pem | 30 +
...tor at plugindom.samba.example.com-S03-openssl.cnf | 242 ++
...plugindom.samba.example.com-S03-private-key.pem | 27 +
...strator at plugindom.samba.example.com-S03-req.pem | 19 +
...inistrator at plugindom.samba.example.com-cert.pem | 1 +
...tor at plugindom.samba.example.com-private-key.pem | 1 +
...ER-administrator at samba.example.com-S01-cert.pem | 169 ++
...SER-administrator at samba.example.com-S01-key.pem | 30 +
...administrator at samba.example.com-S01-openssl.cnf | 242 ++
...nistrator at samba.example.com-S01-private-key.pem | 27 +
...SER-administrator at samba.example.com-S01-req.pem | 19 +
.../USER-administrator at samba.example.com-cert.pem | 1 +
...administrator at samba.example.com-private-key.pem | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 +
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 ++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +
.../openssl-USER-template.cnf | 41 +
selftest/selftest.pl | 40 +
selftest/target/Samba.pm | 105 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 233 +-
selftest/tests/__init__.py | 2 -
selftest/tests/test_run.py | 2 +-
selftest/tests/test_samba.py | 2 +-
selftest/tests/test_socket_wrapper.py | 2 +-
selftest/tests/test_target.py | 2 +-
selftest/tests/test_testlist.py | 2 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 +
source3/include/ads.h | 30 +-
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/lib/tldap.c | 6 +-
source3/libads/ads_ldap_protos.h | 6 +-
source3/libads/ads_proto.h | 11 +-
source3/libads/ads_status.c | 6 +-
source3/libads/ads_status.h | 2 +-
source3/libads/disp_sec.c | 4 +-
source3/libads/ldap.c | 163 +-
source3/libads/ldap_printer.c | 4 +-
source3/libads/ldap_utils.c | 10 +-
source3/libads/sasl.c | 706 ++----
source3/libads/sasl_wrapping.c | 2 +-
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 394 ++-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 674 ++---
source3/libsmb/clidgram.c | 2 +-
source3/libsmb/clientgen.c | 11 +-
source3/libsmb/clierror.c | 6 +-
source3/libsmb/clifsinfo.c | 22 +-
source3/libsmb/clilist.c | 6 +-
source3/libsmb/clirap.c | 26 +-
source3/libsmb/clirap.h | 48 +-
source3/libsmb/clirap2.c | 30 +-
source3/libsmb/clisecdesc.c | 4 +-
source3/libsmb/clispnego.c | 283 +--
source3/libsmb/libsmb_dir.c | 18 +-
source3/libsmb/libsmb_file.c | 6 +-
source3/libsmb/libsmb_misc.c | 4 +-
source3/libsmb/libsmb_server.c | 2 +-
source3/libsmb/libsmb_stat.c | 10 +-
source3/libsmb/libsmb_xattr.c | 14 +-
source3/libsmb/namequery.c | 4 +-
source3/libsmb/nmblib.c | 2 +-
source3/libsmb/ntlmssp.c | 765 ------
source3/libsmb/ntlmssp_wrap.c | 135 -
source3/libsmb/passchange.c | 7 +-
source3/libsmb/proto.h | 26 +-
source3/libsmb/samlogon_cache.c | 2 +-
source3/libsmb/smb_share_modes.c | 18 +-
source3/libsmb/smbsock_connect.c | 2 +-
source3/pam_smbpass/wscript_build | 2 +-
source3/param/loadparm.c | 44 +-
source3/rpc_client/cli_lsarpc.c | 4 +-
source3/rpc_client/cli_lsarpc.h | 4 +-
source3/rpc_client/cli_netlogon.c | 4 +-
source3/rpc_client/cli_netlogon.h | 2 +-
source3/rpc_client/cli_pipe.c | 327 ++-
source3/rpc_client/rpc_client.h | 4 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 7 +-
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 +
source3/rpc_server/rpc_server.c | 12 +
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_access_check.c | 6 +-
source3/rpc_server/srv_access_check.h | 4 +-
source3/rpc_server/srv_pipe.c | 502 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 +
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 +
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 +++--
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 819 +-----
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/winbindd/winbindd_dual_srv.c | 2 +-
source3/wscript_build | 10 +-
source4/auth/gensec/cyrus_sasl.c | 452 ----
source4/auth/gensec/gensec_gssapi.c | 322 +--
source4/auth/gensec/gensec_gssapi.h | 1 -
source4/auth/gensec/gensec_krb5.c | 12 +-
source4/auth/gensec/gensec_socket.h | 28 -
source4/auth/gensec/pygensec.c | 83 +
source4/auth/gensec/socket.c | 435 ----
source4/auth/gensec/wscript_build | 14 +-
source4/auth/ntlm/auth_util.c | 4 +-
source4/auth/wscript_configure | 4 -
source4/dsdb/tests/python/dsdb_schema_info.py | 3 +-
source4/heimdal/lib/gssapi/krb5/aeap.c | 98 +-
source4/heimdal/lib/gssapi/krb5/arcfour.c | 645 ++++-
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 3 +
source4/heimdal_build/wscript_configure | 1 +
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 7 +
source4/ldap_server/ldap_server.h | 2 +
source4/lib/tls/tls.c | 2 +-
source4/lib/tls/tls.h | 32 +-
source4/lib/tls/tls_tstream.c | 288 ++-
source4/lib/tls/tlscert.c | 19 +-
source4/lib/tls/wscript | 6 +-
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 125 +-
source4/libcli/ldap/ldap_client.c | 443 ++--
source4/libcli/ldap/ldap_client.h | 17 +-
source4/libcli/ldap/ldap_controls.c | 48 +-
source4/libcli/ldap/wscript_build | 4 +-
source4/libcli/raw/libcliraw.h | 1 +
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 +
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 ++-
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 +
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/librpc/rpc/pyrpc.c | 80 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++++--
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 275 +-
source4/rpc_server/dcesrv_mgmt.c | 8 +
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 +
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 +
source4/rpc_server/echo/rpc_echo.c | 7 +
source4/rpc_server/epmapper/rpc_epmapper.c | 8 +
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 +
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 +
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 77 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 +
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 -
source4/torture/basic/base.c | 20 +-
source4/torture/drs/python/drs_base.py | 6 +-
source4/torture/ndr/ntlmssp.c | 181 +-
source4/torture/raw/samba3misc.c | 7 +
source4/torture/rpc/alter_context.c | 2 +-
source4/torture/rpc/backupkey.c | 21 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 121 +-
source4/torture/rpc/samba3rpc.c | 75 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
source4/winbind/wb_pam_auth.c | 4 +-
source4/winbind/wb_samba3_cmd.c | 9 +-
testprogs/blackbox/test_ldb.sh | 3 +
testprogs/blackbox/test_ldb_simple.sh | 41 +
.../midltests/valid/midltests_DRS_EXTENSIONS.idl | 64 +
.../midltests/valid/midltests_DRS_EXTENSIONS.out | 43 +
wscript_configure_system_mitkrb5 | 4 +-
321 files changed, 17822 insertions(+), 7115 deletions(-)
create mode 100644 auth/kerberos/gssapi_helper.c
create mode 100644 auth/kerberos/gssapi_helper.h
create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
create mode 100644 docs-xml/smbdotconf/security/tlspriority.xml
create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/plugindc.plugindom.samba.example.com/DC-plugindc.plugindom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-S03-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at plugindom.samba.example.com/USER-administrator at plugindom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
delete mode 100644 source3/libsmb/ntlmssp.c
delete mode 100644 source3/libsmb/ntlmssp_wrap.c
delete mode 100644 source4/auth/gensec/cyrus_sasl.c
delete mode 100644 source4/auth/gensec/gensec_socket.h
delete mode 100644 source4/auth/gensec/socket.c
create mode 100755 testprogs/blackbox/test_ldb_simple.sh
create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.idl
create mode 100644 testprogs/win32/midltests/valid/midltests_DRS_EXTENSIONS.out
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 2492fbd..df0db6d 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=12
########################################################
# If a official release has a serious bug #
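Review bot: the unchanged context line "# If a official release has a serious bug" in this hunk should read "an official"; since the hunk already touches this block of VERSION, fixing the article here costs nothing. Separately, the visible change goes from SAMBA_VERSION_RELEASE=10 straight to 12: that is because this notification spans the "Merge tag 'samba-4.2.11'" commit, so the intermediate 4.2.11 state of the file never appears in the hunk, and anyone reading the diffstat alone should not take it as a skipped release.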
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f03be3a..ecb5fe6 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,580 @@
+ ==============================
+ Release Notes for Samba 4.2.11
+ April 12, 2016
+ ==============================
+
+This is a security release containing one additional
+regression fix for the security release 4.2.10.
+
+This fixes a regression that prevents things like 'net ads join'
+from working against a Windows 2003 domain.
+
+Changes since 4.2.10:
+=====================
+
+o Stefan Metzmacher <metze at samba.org>
+ * Bug 11804 - prerequisite backports for the security release on
+ April 12th, 2016
+
+Release notes for the original 4.2.10 release follows:
+------------------------------------------------------
+
+ ==============================
+ Release Notes for Samba 4.2.10
+ April 12, 2016
+ ==============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-5370 (Multiple errors in DCE-RPC code)
+
+o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
+
+o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
+
+o CVE-2016-2112 (LDAP client and server don't enforce integrity)
+
+o CVE-2016-2113 (Missing TLS certificate validation)
+
+o CVE-2016-2114 ("server signing = mandatory" not enforced)
+
+o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
+
+o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
+
+The number of changes are rather huge for a security release,
+compared to typical security releases.
+
+Given the number of problems and the fact that they are all related
+to man in the middle attacks we decided to fix them all at once
+instead of splitting them.
+
+In order to prevent the man in the middle attacks it was required
+to change the (default) behavior for some protocols. Please see the
+"New smb.conf options" and "Behavior changes" sections below.
+
+=======
+Details
+=======
+
+o CVE-2015-5370
+
+ Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
+ denial of service attacks (crashes and high cpu consumption)
+ in the DCE-RPC client and server implementations. In addition,
+ errors in validation of the DCE-RPC packets can lead to a downgrade
+ of a secure connection to an insecure one.
+
+ While we think it is unlikely, there's a nonzero chance for
+ a remote code execution attack against the client components,
+ which are used by smbd, winbindd and tools like net, rpcclient and
+ others. This may gain root access to the attacker.
+
+ The above applies all possible server roles Samba can operate in.
+
+ Note that versions before 3.6.0 had completely different marshalling
+ functions for the generic DCE-RPC layer. It's quite possible that
+ that code has similar problems!
+
+ The downgrade of a secure connection to an insecure one may
+ allow an attacker to take control of Active Directory object
+ handles created on a connection created from an Administrator
+ account and re-use them on the now non-privileged connection,
+ compromising the security of the Samba AD-DC.
+
+o CVE-2016-2110:
+
+ There are several man in the middle attacks possible with
+ NTLMSSP authentication.
+
+ E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
+ can be cleared by a man in the middle.
+
+ This was by protocol design in earlier Windows versions.
+
+ Windows Server 2003 RTM and Vista RTM introduced a way
+ to protect against the trivial downgrade.
+
+ See MsvAvFlags and flag 0x00000002 in
+ https://msdn.microsoft.com/en-us/library/cc236646.aspx
+
+ This new feature also implies support for a mechlistMIC
+ when used within SPNEGO, which may prevent downgrades
+ from other SPNEGO mechs, e.g. Kerberos, if sign or
+ seal is finally negotiated.
+
+ The Samba implementation doesn't enforce the existence of
+ required flags, which were requested by the application layer,
+ e.g. LDAP or SMB1 encryption (via the unix extensions).
+ As a result a man in the middle can take over the connection.
+ It is also possible to misguide client and/or
+ server to send unencrypted traffic even if encryption
+ was explicitly requested.
+
+ LDAP (with NTLMSSP authentication) is used as a client
+ by various admin tools of the Samba project,
+ e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
+
+ As an active directory member server LDAP is also used
+ by the winbindd service when connecting to domain controllers.
+
+ Samba also offers an LDAP server when running as
+ active directory domain controller.
+
+ The NTLMSSP authentication used by the SMB1 encryption
+ is protected by smb signing, see CVE-2015-5296.
+
+o CVE-2016-2111:
+
+ It's basically the same as CVE-2015-0005 for Windows:
+
+ The NETLOGON service in Microsoft Windows Server 2003 SP2,
+ Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
+ and R2, when a Domain Controller is configured, allows remote
+ attackers to spoof the computer name of a secure channel's
+ endpoint, and obtain sensitive session information, by running a
+ crafted application and leveraging the ability to sniff network
+ traffic, aka "NETLOGON Spoofing Vulnerability".
+
+ The vulnerability in Samba is worse as it doesn't require
+ credentials of a computer account in the domain.
+
+ This only applies to Samba running as classic primary domain controller,
+ classic backup domain controller or active directory domain controller.
+
+ The security patches introduce a new option called "raw NTLMv2 auth"
+ ("yes" or "no") for the [global] section in smb.conf.
+ Samba (the smbd process) will reject client using raw NTLMv2
+ without using NTLMSSP.
+
+ Note that this option also applies to Samba running as
+ standalone server and member server.
+
+ You should also consider using "lanman auth = no" (which is already the default)
+ and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
+ as they might impact compatibility with older clients. These also
+ apply for all server roles.
+
+o CVE-2016-2112:
+
+ Samba uses various LDAP client libraries, a builtin one and/or the system
+ ldap libraries (typically openldap).
+
+ As active directory domain controller Samba also provides an LDAP server.
+
+ Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
+ for LDAP connections, including possible integrity (sign) and privacy (seal)
+ protection.
+
+ Samba has support for an option called "client ldap sasl wrapping" since version
+ 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
+
+ Tools using the builtin LDAP client library do not obey the
+ "client ldap sasl wrapping" option. This applies to tools like:
+ "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
+ options like "--sign" and "--encrypt". With the security update they will
+ also obey the "client ldap sasl wrapping" option as default.
+
+ In all cases, even if explicitly request via "client ldap sasl wrapping",
+ "--sign" or "--encrypt", the protection can be downgraded by a man in the
+ middle.
+
+ The LDAP server doesn't have an option to enforce strong authentication
+ yet. The security patches will introduce a new option called
+ "ldap server require strong auth", possible values are "no",
+ "allow_sasl_over_tls" and "yes".
+
+ As the default behavior was as "no" before, you may
+ have to explicitly change this option until all clients have
+ been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
+ Windows clients and Samba member servers already use
+ integrity protection.
+
+o CVE-2016-2113:
+
+ Samba has support for TLS/SSL for some protocols:
+ ldap and http, but currently certificates are not
+ validated at all. While we have a "tls cafile" option,
+ the configured certificate is not used to validate
+ the server certificate.
+
+ This applies to ldaps:// connections triggered by tools like:
+ "ldbsearch", "ldbedit" and more. Note that it only applies
+ to the ldb tools when they are built as part of Samba or with Samba
+ extensions installed, which means the Samba builtin LDAP client library is
+ used.
+
+ It also applies to dcerpc client connections using ncacn_http (with https://),
+ which are only used by the openchange project. Support for ncacn_http
+ was introduced in version 4.2.0.
+
+ The security patches will introduce a new option called
+ "tls verify peer". Possible values are "no_check", "ca_only",
+ "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
+
+ If you use the self-signed certificates which are auto-generated
+ by Samba, you won't have a crl file and need to explicitly
+ set "tls verify peer = ca_and_name".
+
+o CVE-2016-2114
+
+ Due to a regression introduced in Samba 4.0.0,
+ an explicit "server signing = mandatory" in the [global] section
+ of the smb.conf was not enforced for clients using the SMB1 protocol.
+
+ As a result it does not enforce smb signing and allows man in the middle attacks.
+
+ This problem applies to all possible server roles:
+ standalone server, member server, classic primary domain controller,
+ classic backup domain controller and active directory domain controller.
+
+ In addition, when Samba is configured with "server role = active directory domain controller"
+ the effective default for the "server signing" option should be "mandatory".
+
+ During the early development of Samba 4 we had a new experimental
+ file server located under source4/smb_server. But before
+ the final 4.0.0 release we switched back to the file server
+ under source3/smbd.
+
+ But the logic for the correct default of "server signing" was not
+ ported correctly ported.
+
+ Note that the default for server roles other than active directory domain
+ controller, is "off" because of performance reasons.
+
+o CVE-2016-2115:
+
+ Samba has an option called "client signing", this is turned off by default
+ for performance reasons on file transfers.
+
+ This option is also used when using DCERPC with ncacn_np.
+
+ In order to get integrity protection for ipc related communication
+ by default the "client ipc signing" option is introduced.
+ The effective default for this new option is "mandatory".
+
+ In order to be compatible with more SMB server implementations,
+ the following additional options are introduced:
+ "client ipc min protocol" ("NT1" by default) and
+ "client ipc max protocol" (the highest support SMB2/3 dialect by default).
+ These options overwrite the "client min protocol" and "client max protocol"
+ options, because the default for "client max protocol" is still "NT1".
+ The reason for this is the fact that all SMB2/3 support SMB signing,
+ while there are still SMB1 implementations which don't offer SMB signing
+ by default (this includes Samba versions before 4.0.0).
+
+ Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
+ against active directory domain controllers despite of the
+ "client signing" and "client ipc signing" options.
+
+o CVE-2016-2118 (a.k.a. BADLOCK):
+
+ The Security Account Manager Remote Protocol [MS-SAMR] and the
+ Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
+ are both vulnerable to man in the middle attacks. Both are application level
+ protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
+
+ These protocols are typically available on all Windows installations
+ as well as every Samba server. They are used to maintain
+ the Security Account Manager Database. This applies to all
+ roles, e.g. standalone, domain member, domain controller.
+
+ Any authenticated DCERPC connection a client initiates against a server
+ can be used by a man in the middle to impersonate the authenticated user
+ against the SAMR or LSAD service on the server.
+
+ The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
+ and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
+ in this case. A man in the middle can change auth level to CONNECT
+ (which means authentication without message protection) and take over
+ the connection.
+
+ As a result, a man in the middle is able to get read/write access to the
+ Security Account Manager Database, which reveals all passwords
+ and any other potential sensitive information.
+
+ Samba running as an active directory domain controller is additionally
+ missing checks to enforce PKT_PRIVACY for the
+ Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
+ and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
+ The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
+ is not enforcing at least PKT_INTEGRITY.
+
+====================
+New smb.conf options
+====================
+
+ allow dcerpc auth level connect (G)
+
+ This option controls whether DCERPC services are allowed to be used with
+ DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
+ message integrity nor privacy protection.
+
+ Some interfaces like samr, lsarpc and netlogon have a hard-coded default
+ of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
+
+ The behavior can be overwritten per interface name (e.g. lsarpc,
+ netlogon, samr, srvsvc, winreg, wkssvc ...) by using
+ 'allow dcerpc auth level connect:interface = yes' as option.
+
+ This option yields precedence to the implementation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+
+ Default: allow dcerpc auth level connect = no
+
+ Example: allow dcerpc auth level connect = yes
+
+ client ipc signing (G)
+
+ This controls whether the client is allowed or required to use
+ SMB signing for IPC$ connections as DCERPC transport. Possible
+ values are auto, mandatory and disabled.
+
+ When set to mandatory or default, SMB signing is required.
+
+ When set to auto, SMB signing is offered, but not enforced and
+ if set to disabled, SMB signing is not offered either.
+
+ Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.
+
+ Default: client ipc signing = default
+
+ client ipc max protocol (G)
+
+ The value of the parameter (a string) is the highest protocol level that will
+ be supported for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the latest supported protocol, currently SMB3_11.
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc max protocol = default
+
+ Example: client ipc max protocol = SMB2_10
+
+ client ipc min protocol (G)
+
+ This setting controls the minimum protocol version that the will be
+ attempted to use for IPC$ connections as DCERPC transport.
+
+ Normally this option should not be set as the automatic negotiation phase
+ in the SMB protocol takes care of choosing the appropriate protocol.
+
+ The value default refers to the higher value of NT1 and the
+ effective value of "client min protocol".
+
+ See client max protocol for a full list of available protocols.
+ The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
+
+ Default: client ipc min protocol = default
+
+ Example: client ipc min protocol = SMB3_11
+
+ ldap server require strong auth (G)
+
+ The ldap server require strong auth defines whether the
+ ldap server requires ldap traffic to be signed or
+ signed and encrypted (sealed). Possible values are no,
+ allow_sasl_over_tls and yes.
+
+ A value of no allows simple and sasl binds over all transports.
+
+ A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
+ over TLS encrypted connections. Unencrypted connections only
+ allow sasl binds with sign or seal.
+
+ A value of yes allows only simple binds over TLS encrypted connections.
+ Unencrypted connections only allow sasl binds with sign or seal.
+
+ Default: ldap server require strong auth = yes
+
+ raw NTLMv2 auth (G)
+
+ This parameter determines whether or not smbd(8) will allow SMB1 clients
+ without extended security (without SPNEGO) to use NTLMv2 authentication.
+
+ If this option, lanman auth and ntlm auth are all disabled, then only
+ clients with SPNEGO support will be permitted. That means NTLMv2 is only
+ supported within NTLMSSP.
+
+ Default: raw NTLMv2 auth = no
+
+ tls verify peer (G)
+
+ This controls if and how strict the client will verify the peer's
+ certificate and name. Possible values are (in increasing order): no_check,
+ ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
+
+ When set to no_check the certificate is not verified at all,
+ which allows trivial man in the middle attacks.
+
+ When set to ca_only the certificate is verified to be signed from a ca
+ specified in the "tls ca file" option. Setting "tls ca file" to a valid file
+ is required. The certificate lifetime is also verified. If the "tls crl file"
+ option is configured, the certificate is also verified against
+ the ca crl.
+
+ When set to ca_and_name_if_available all checks from ca_only are performed.
+ In addition, the peer hostname is verified against the certificate's
+ name, if it is provided by the application layer and not given as
+ an ip address string.
+
+ When set to ca_and_name all checks from ca_and_name_if_available are performed.
+ In addition the peer hostname needs to be provided and even an ip
+ address is checked against the certificate's name.
+
+ When set to as_strict_as_possible all checks from ca_and_name are performed.
+ In addition the "tls crl file" needs to be configured. Future versions
+ of Samba may implement additional checks.
+
+ Default: tls verify peer = as_strict_as_possible
+
+ tls priority (G) (backported from Samba 4.3 to Samba 4.2)
+
+ This option can be set to a string describing the TLS protocols to be
+ supported in the parts of Samba that use GnuTLS, specifically the AD DC.
+
+ The default turns off SSLv3, as this protocol is no longer considered
+ secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
+ in HTTPS applications.
+
+ The valid options are described in the GNUTLS Priority-Strings
+ documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
+
+ Default: tls priority = NORMAL:-VERS-SSL3.0
+
+================
+Behavior changes
+================
+
+o The default auth level for authenticated binds has changed from
+ DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
+ That means ncacn_ip_tcp:server is now implicitly the same
+ as ncacn_ip_tcp:server[sign] and offers a similar protection
+ as ncacn_np:server, which relies on smb signing.
+
+o The following constraints are applied to SMB1 connections:
+
+ - "client lanman auth = yes" is now consistently
+ required for authenticated connections using the
+ SMB1 LANMAN2 dialect.
+ - "client ntlmv2 auth = yes" and "client use spnego = yes"
+ (both the default values), require extended security (SPNEGO)
+ support from the server. That means NTLMv2 is only used within
+ NTLMSSP.
+
+o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
+ default of "client ldap sasl wrapping = sign". Even with
+ "client ldap sasl wrapping = plain" they will automatically upgrade
+ to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
+ server.
+
+Changes since 4.2.9:
+====================
+
+o Jeremy Allison <jra at samba.org>
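Review bot: the "client ipc signing (G)" section lists the possible values as "auto, mandatory and disabled", but the following paragraph and the Default line rely on a fourth value, "default" ("When set to mandatory or default, SMB signing is required." and "Default: client ipc signing = default"); either add "default" to the list of possible values or state that it is an alias for mandatory, otherwise an administrator reading the value list will conclude the shipped default is not a valid setting. Two wording slips in the same hunk should be fixed before release: under CVE-2016-2114, "was not ported correctly ported" duplicates "ported", and under "client ipc min protocol (G)", "the minimum protocol version that the will be attempted to use" has a stray "the".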
--
Samba Shared Repository