[SCM] Samba Shared Repository - annotated tag tdb-1.3.13 created

Stefan Metzmacher metze at samba.org
Fri Apr 28 08:58:34 UTC 2017

The annotated tag, tdb-1.3.13 has been created
        at  eae52b521257fff2ba2f99b9b0d972420893bea7 (tag)
   tagging  77d4e07ef3a0b9d7c2b1c660c8ac770c07120173 (commit)
  replaces  talloc-2.1.9
 tagged by  Stefan Metzmacher
        on  Fri Apr 28 10:58:22 2017 +0200

- Log -----------------------------------------------------------------
tdb: tag release tdb-1.3.13
Version: GnuPG v1


Alexander Bokovoy (9):
      gssapi: check for gss_acquire_cred_from
      lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
      credentials_krb5: convert to use smb_gss_krb5_import_cred
      libads: convert to use smb_gss_krb5_import_cred
      s3-gse: convert to use smb_gss_krb5_import_cred
      s3-gse: move krb5 fallback to smb_gss_krb5_import_cred wrapper
      lib/crypto: implement samba.crypto Python module for RC4
      _netr_ServerPasswordSet2: use info level 26 to set plain text machine password
      s3-tests: assignement in shell shall have no spaces around equal sign

Amitay Isaacs (9):
      replace: Fix compiler warning flag
      lib/util: Fix initializer
      ctdb-readonly: Avoid a tight loop waiting for revoke to complete
      ctdb-tools: Avoid deferencing argv[0] if argc == 0
      ctdb-common: Add traverse_update function to db_hash abstraction
      ctdb-common: Add hash_count abstraction
      ctdb-daemon: For hot records, use count instead of hopcount
      ctdb-daemon: Add tracking of migration records
      ctdb-docs: Fix documentation of -n option to ctdb tool

Andreas Schneider (43):
      s3:librpc: Handle gss_min in gse_get_client_auth_token() correctly
      docs: Improve the idmap_hash manpage
      idmap_hash: Add a deprecation message
      s3-libads: Do not leak the msg on error
      testprogs: Use smbclient by default in test_kinit_trusts
      testprogs: Add kinit_trusts tests with smbclient4
      krb5_wrap: Do not return an empty realm from smb_krb5_get_realm_from_hostname()
      krb5_wrap: Try to guess the correct realm from the service hostname
      krb5_wrap: pass client_realm to smb_krb5_get_realm_from_hostname()
      krb5_wrap: Make smb_krb5_get_realm_from_hostname() public
      s4:gensec-gssapi: Create a helper function to setup server_principal
      s4:gensec_gssapi: Move setup of service_principal to update function
      s4:gensec_gssapi: Use smb_krb5_get_realm_from_hostname()
      s4:gensec_gssapi: Correctly handle external trusts with MIT
      s3:gse: Use smb_krb5_get_realm_from_hostname()
      krb5_wrap: Remove obsolete smb_krb5_get_principal_from_service_hostname()
      s3:gse: Pass down the gensec_security pointer
      s3:gse: Move setup of service_principal to update function
      s3:gse: Check if we have a target_princpal set we should use
      s3:gse: Correctly handle external trusts with MIT
      selftest: Do not plan samba3.base.delaywrite twice
      krb5_wrap: Print a warning for an invalid keytab name
      s3:libads: Correctly handle the keytab kerberos methods
      param: Allow to specify kerberos method on the commandline
      testprogs: Test 'net ads join' with a dedicated keytab
      krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build
      s3:vfs_expand_msdfs: Do not open the remote address as a file
      testprogs: Correctly expand shell parameters
      s3:winbind: Use correct struct member for size calculation
      s3:winbind: Remove unused struct getpwent_user
      s3:libsmb: Only print error message if kerberos use is forced
      s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
      nsswtich: Add negative tests for authentication with wbinfo
      s3:tests: Add a subsitution test for %D %u %g
      selftest: Define template homedir for 'ad_member' env
      lib: Add pam_wrapper 1.0.3
      python: Add a simple pam_winbind test
      s3:tests: Create a test directory for a clean test
      wafsamba: Add CHECK_CMOCKA function
      third_party: Add cmocka 1.1.1
      waf: Only build pam_wrapper if we build with pam
      docs: Update idmap_rid manpage
      ldb:tests: Build a ldb test for the tdb backend

Andrew Bartlett (71):
      repl_meta_data: Remove handling of backlinks from replmd_prepare_commit()
      talloc: use the system pytalloc-util for python3 as well
      lib/ldb: Enable use of a python3 pyldb-util system library
      buildtools: Work around a . being in the target name when building python3 helpers
      python: Remove unused import PY3
      autobuild: Add nopython environment to test --disable-python builds (but without tests)
      auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
      heimdal: Add initializer for stack pointers
      selftest: Add more RODC tests to avoid regressions here
      selftest: Add more tests for "samba-tool processes"
      samba-tool: Ensure that samba-tool processes --name=not-existing does not error
      pymessaging: Add support for irpc_add_name
      pymessaging: Add irpc_remove_name
      selftest: Test server_id database add and removal
      pymessaging: Add a hook to run the event loop, make callbacks practical
      messaging.idl: Register a message type for authentication log messages
      messaging: Declare well known server name auth_events as AUTH_EVENT_NAME in IDL
      python: Provide Python bindings for messaging.idl
      pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers
      auth_log: Add tests by listening for JSON messages over the message bus
      s4-smbd: Remember the original client and server IPs from the SMB connection
      s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
      gensec: Add gensec_{get,set}_target_service_description()
      gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
      s3-auth: Pass service_description into gensec via auth_generic_prepare()
      ntlm_auth: Set ntlm_auth as the service_description into gensec
      auth: Fill in user_info->service_description from all callers
      s4-ldap_server: Split gensec setup into a helper function
      s4-ldap_server: Set remote and local address values into GENSEC
      s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times
      auth: Add a reminder about the strings currently used for auditing
      ldap_server: Move code into authenticate_ldap_simple_bind()
      auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
      winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()
      s4-rpc_server: Correct comment about where the current iface can be found
      s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
      debug: Add debug class for auth_audit
      s3-auth: Clarify the role and purpose of the auth_serversupplied_info->security_token
      auth: Always supply both the remote and local address to the auth subsystem
      auth: Add logging of service authorization
      dns: Provide local and remote socket address to GENSEC
      auth_log: Expand to include the type of password used (eg ntlmv2)
      auth_log: Also log the final type of authentication (ntlmssp,krb5)
      s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
      s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
      ldap_server: Log authorization for simple binds
      s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-though
      s3-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-though
      auth_log: Split up auth/authz logging levels and handle anonymous better
      ldap_server: Log access without a bind
      auth: Log the transport connection for the authorization
      s4-messaging: split up messaging into a smaller library for send only
      auth_log: Prepared to allow logging JSON events to a server over the message bus
      auth_log: Improve comment
      auth: Add hooks for notification of authentication events over the message bus
      selftest: Turn on auth event notification and so allow tests to pass
      s3-rpc_server: pass remote and local address to rpc_pipe_open_external
      s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()
      s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
      heimdal: Pass extra information to hdb_auth_status() to log success and failures
      samr: Add logging of password change success and failure
      dsdb: Add authentication audit logging for LDAP password change
      pycredentials: Add bindings for get_ntlm_response()
      python: Add bindings for NTLMSSP
      WHATSNEW: Add entry for auth audit
      autobuild: Do not require cmocka to be installed for samba-libs to build
      selftest: Do not enable inbound replication during replica_sync
      process_standard: clean up messaging for children after exit()
      s4-messaging: Add helpful comments
      tdb: Improve debugging when the allrecord lock fails to upgrade
      tdb: Improve debugging in _tdb_transaction_start

Aurelien Aptel (1):
      s3:smbd: exit early if srv_send_smb fails

Björn Baumbach (1):
      tdb/tools: add documentation for the tdbbackup -n option

Bob Campbell (3):
      python/tests: Add repl_rodc test
      drsblobs: Add decode for replPropertyMetaData1
      getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET

Chris Lamb (1):
      Correct "ommited" typos.

Christof Schmitt (1):
      winbindd: Fix password policy for pam authentication

Douglas Bagnall (21):
      ndr tests: silence a harmless warning
      selftest: ndr_pack/unpack performance test
      selftest: add search performance tests
      ndr: fix whitespace in libndr.h, ndr.c
      ndr: Use resizing array instead of linked lists (breaking ABI)
      pyldb: p3k readiness: allow single unicode string in msg element
      perftests/ad_dc_search: do less work in expensive member searches
      gitignore: add some hidden files
      selftest: remove unused broken client.py
      python/join: correct spelling of "ctx.del_noerror"
      samba-tool domain: correctly spell variable name
      python/remove_dc: avoid using non-existent variable
      python provision: FDSBackend takes forced uri
      python sites/subnets: correctly spell variable name
      python/examples/winreg: two variable name typos on a single line
      ./examples/scripts/SambaConfig.py: fix typo in "continue"
      scripts/traffic_summary: documentation typo
      dcerpc/misc tests: asset GUID ordering in python 2 and 3
      getncchanges: remove whitespace
      selftest/target/Samba.pm: Remove whitespace
      whitespace: remove in rootdse

Garming Sam (69):
      objectclass_attrs: Remove schema copy shallow from attr_handler2
      typo: uppon -> upon
      werror: Correct the error code checking
      samba-tool/domain: Correctly re-enable replication
      ldb_tdb: Do not care about duplicates if single value check disabled
      ldb_tdb: Do not check for duplicate values during a rename
      ldb_tdb: Add better comments for duplicate attr values
      python/dsdb_dn: Add a generic get_bytes method on DNs
      drsbase: use credentials if supplied
      getncchanges: Return correct denied REPL_SECRET error code
      tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct
      getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
      replmd: Ensure that binary blobs in links are ordered in the database
      replmd: Include extra data on DN in search if it exists
      getncchanges: Implement functionality for msDS-RevealedUsers
      tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
      getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
      getncchanges: Refactor filter_attrs from build_object
      getncchanges: Prevent a small, but possible race condition in build_object
      getncchanges: Reorder and comment code for clarity
      tests/repl_rodc: Test the direct allow/deny attribute works
      getncchanges: include object SID in tokenGroups calculation for repl secret
      dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
      tests/match_rules: Use system privilege for msDS-RevealedUsers
      objectclass_attrs: Restrict systemOnly attributes
      getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
      getncchanges: generalize samdb_result_sid_array_ndr a little
      tests/dbcheck-links: remove spurious sleeping
      dsdb: Move parsed_dn_find into a common location
      dsdb: Allow parsed_dn_find to have a prefixed blob match
      getncchanges: Remove O(n) loop in link parsing
      auth/sam: Remove lastLogonTimestamp from RODC success accounting
      repl_secret: Prevent null deref on DEBUG
      repl_secret: Error condition should sound harmless
      selftest: Check that LDAP is available during RODC startup
      wbinfo: Prevent client segfault with given EOF
      samba_dnsupdate: Add additional debugging
      whitespace: auth_log.py python conventions
      whitespace: auth_log.c C code conventions
      ldap_server: Move a variable into a smaller scope
      whitespace: auth_log_pass_change.py python conventions
      whitespace: Remove some whitespace
      winbindd: Make some debugging clearer
      samba_dnsupdate: Remove extra argument from debug
      drsuapi.idl: Expose GetNCChanges req8 like req10
      replmd: Send RODC referrals preferably to the PDC
      selftest: Add ldap rodc python test
      rodc: Force all RODC add and delete to cause a referral
      selftest: Make some assertions about RODC referrals
      password_lockout: Begin moving helper methods to a base class
      password_lockout: Move more helper methods to a base class
      password_lockout: Move more helper methods to a base class
      password_lockout: Remove use of global lp and host vars
      password_lockout: Remove use of global creds variables
      password_lockout: Factor out a base testcase
      password_lockout: Move lockoutObservationWindow tests from setUp
      password_lockout: Move some unnecessary methods from base
      sam.c: Make NTLM login set logonCount when unset
      tests/rodc: Add a number of tests for RODC-RWDC interaction
      password_lockout: Tests against RODC (once preloaded)
      drepl: Add partial attribute set in the case of repl secret
      rodc: Allow local RODC changes with version 0
      replmd: Reduce calls to ldb_request_get_control
      password-lockout: Allow RODC to ensure lockout and lockout reset
      join.py: Allow RODC to have push replication at join
      rodc/dns: Do not put a trailing dot at end of a DNS record
      dns_update: RODC updates should use lower case realm
      drepl_server: Allow refresh of partitions on UpdateRef
      updaterefs: Do not open transaction even when unnecessary

Gary Lockyer (26):
      script: Add test data for traffic_summary.pl
      script: Add script to provide an anonymous summary from tshark
      script: Add test script for traffic_summary.pl
      pymessaging: add single element tupple form of the server_id
      pysmb: Check for credentials using same method as pyrpc
      python net: add username, oldpassword and domain to change_password
      TestBase: move insta_creds from password_lockout.py
      lib/util: Add functions to escape log lines but not break all non-ascii
      auth: Generate a human readable Authentication log message.
      rpc: Always supply both the remote and local address to the auth subsystem
      auth_log: Add JSON logging of Authorisation and Authentications
      named_pipe_auth: Rename client -> remote_client and server -> local_server
      s4-named_pipe_auth: Rename client -> remote_client and server -> local_server
      s3-named_pipe_auth: Rename client -> remote_client and server -> local_server
      s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
      s3-rpc_server: Rename client -> remote_client and server -> local_server
      s4-ntvfs: Correct mixup between local/remote addresses
      auth log tests: password change tests
      ldap_server: Log failures to find a valid user in the simple bind
      rpc_server: Re-order and rename remote and local address in np_open()
      auth log: Add tests for anonymous bind and SamLogon
      TestBase: restore setting FEATURE_SEAL in insta_creds
      password_hash: Add tests to allow refactoring
      password_hash: refactor setup_supplemental_field
      tests dsdb: load paramaters from test environment
      pyrpc: Fix segfault in ClientConnection

Günther Deschner (1):
      s3-libgpo: Fix the build of the group policy CSEs

Hanno Böck (1):
      cleanupdb: Fix a memory read error

Ian Stakenvicius (14):
      waf: disable-python - fix ctdb configuration
      waf: disable-python - add option globally to build system
      waf: disable-python - configuration adjustments
      waf: disable-python - align talloc's wscript
      waf: disable-python - align ldb's wscript
      waf: disable-python - align tevent wscript
      waf: disable-python - align tdb's wscript
      waf: disable-python - don't build python/
      waf: disable-python - don't build PROVISION, pyparam_util
      waf: disable-python - don't build pyrpc_util, dcerpc.py
      waf: disable-python - don't build samba-net
      waf: disable-python - don't build samba-policy
      waf: disable-python - don't build torture bits
      waf: disable-python - don't include python.h in test_headers.c

Jakub Hrozek (13):
      ldb_tdb: Remove unused function ltdb_add_attr_results
      ldb_tdb: Remove unused function parameter
      ldb_tdb: Remove unused function parameter
      ldb: Clarify LDB_MODULES_PATH is used
      ldb:tests: Add a simple cmocka test for ldb_connect()
      ldb:tests: A rudimentary ldb_add() test
      ldb:tests: Add a basic search test
      ldb:tests: Add a basic delete test
      ldb:tests: Add a test for ldb transactions
      ldb:tests: Add a modify test
      ldb:tests: unit test for ldb_search()
      ldb:tests: Add tests for case insensitive searches
      ldb:tests: Unit test the ldb_rename() operation

Jan Engelhardt (1):
      build: correct package dependencies

Jeremy Allison (56):
      s3: smbd: Restart reading the incoming SMB2 fd when the send queue is drained.
      s3: locking: Move two leases functions into a new file.
      s3: locking: Update oplock optimization for the leases era !
      Fix for Solaris C compiler.
      s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
      Changes to make the Solaris C compiler happy.
      CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.
      CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
      CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
      CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
      CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
      CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.
      CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.
      CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
      CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.
      CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
      CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
      s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
      WHATSNEW: Document "strict sync" default change.
      s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
      s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
      s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
      s3: smbd: Fix "follow symlink = no" regression part 2.
      s3: smbd: Fix "follow symlink = no" regression part 2.
      s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
      s4: messaging. Add imessaging_reinit_all() function.
      s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
      s4: process_standard: Move talloc_free of event context so it is last thing freed before exit().
      s4: process_standard: Always free tevent_context before exit().
      s4: process_standard: Add return checking for tevent_add_fd() to standard_accept_connection() and standard_new_task().
      s4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection() and standard_new_task().
      s4: process_standard: Add a simplified SIGTERM handler based on code from source4/smbd/server.c. Use from a tevent handler added to standard_accept_connection() and standard_new_task()
      s4: messaging. Minor cleanup. Check for error returns on imessaging_register calls.
      s4: server. Whitespace and 80+ column cleanup.
      s4: server: Create a server 'state' struct.
      s4: server: Use server_state as a parameter to stdin handler, not just name.
      s4: server: Use server_state as a parameter to max_runtime_handler, not just name.
      s4: server: Plumb server_state through the irpc messaging for samba_terminate().
      s4: server: Add error return checks for tevent_add_fde, tevent_add_timer.
      s4: server: Add a tevent signal handler for SIGTERM.
      s4: messaging: When talloc_free()'ing an event context, only remove msg_dgm_ref's that point to *that* context.
      s4: server: Remove use of talloc_autofree_context as the parent of event_ctx.
      s4: server: Use state as the talloc context for open_schannel_session_store.
      lib: Remove smb_iconv_handle_reinit_lp()
      lib:charset: Add utility functions reinit_iconv_handle() and free_iconv_handle(void)
      s3:lib:charcnv: Remove use of global global_iconv_handle
      s3:param: Use new utility function to hide use of global_iconv_handle
      lib: param: Use utility functions to get rid of two more uses of global_iconv_handle.
      lib: param: Remove the last external use of global_iconv_handle by calling the utility function reinit_iconv_handle().
      lib:charset: Make global_iconv_handle private
      lib:charset: Remove use of talloc_autofree_context() for global_iconv_handle
      lib: debug: Avoid negative array access.
      s3:lib: Fix incorrect logic in sys_broken_getgroups()
      s3:smbd: Fix incorrect use of sys_getgroups()
      lib: param: Remove lpcfg_register_defaults_hook().
      lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)

Lumir Balhar (25):
      python: samba.credentials: Port pycredentials.c to Python3-compatible form.
      python: samba.tests.credentials: Python 3 compatible tests
      python: samba.param: Port param module to Python 3
      python: samba.tests.param: Add missing tests
      python: samba._glue: Port samba._glue module to Python 3.
      python: samba.tests.glue: Add new tests for samba._glue.
      python: samba.tests.dcerpc: Move Class RawDCERPCTest to separated file.
      python: Make top-level samba modules Python 3 compatible
      python: wscript_build: Build some modules for Python 3
      python: samba.tests: Enable Python 3 tests for ported modules
      python: pidl: Port Python interface generator
      python: samba.dcerpc: Port RPC related stuff to Python 3
      python: samba.tests.dcerpc.misc: Port and enable tests
      python: samba.dcerpc: Port security module to Python 3 comp. form
      python: wscript_build: Build some DCE/RPC modules with Python 3
      python: samba.auth: Port samba.auth to Python 3 compatible form
      python: samba.tests.auth: Add tests for samba.auth module
      python: samba._ldb: Port of samba._ldb to Python 3 compatible form
      python: samba.tests: Move import of ported modules out of PY3 condition
      python: samba.tests.core: Port and enable core tests in Python 3
      python: samba.getopt: Port module to Python 3 compatible form
      python: selftests: Enable samba.getopt tests execution with Python 3
      python: samba.gensec: Fix error handling in set_credentials() function
      python: samba.gensec: Port module to Python 3 compatible form
      python: selftest: Add possibility to run old Python test suites with Python 3

Martin Schwenke (4):
      ctdb-build: Add WAFLOCK magic to manpages target
      ctdb-build: Fix RPM build
      ctdb-tests: Catch cases where mktemp fails due to missing TMPDIR
      autobuild: Stop waf uninstall from removing test_tmpdir

Michael Adam (4):
      s3:vfs:shadow_copy2: fix quoting in debug messages
      s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
      s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
      s3:tests: fix commment typo in the offline test

Noel Power (2):
      param: Check for valid values of 'name resolve order' option
      s3:tests: Add test for illegal value detection for 'name resolve order'

Petr Viktorin (1):
      python: Port the samba.net module to Python 3

Ralph Boehme (145):
      selftest: don't run vfs_fruit tests against ad_dc env
      s3/includes: add FinderInfo offset define to MacExtensions.h
      vfs_streams_xattr: call SMB_VFS_OPEN with smb_fname_base
      vfs_streams_xattr: use SMB_VFS_NEXT_OPEN and CLOSE
      vfs_catia: run translation on all handle based VFS functions
      vfs_catia: add catia_readdir_attr
      vfs_catia: add catia_(g|s)et_dos_attributes
      vfs_fruit: fix fruit_pread with metadata=stream
      vfs_fruit: fix fruit_ftruncate with metadata=stream
      vfs_fruit: rename empty_finderinfo() and make it more robust
      vfs_fruit: fix fruit_pwrite() with metadata=stream
      vfs_fruit: replace unsafe ad_entry macro with a function
      vfs_fruit: refactor fruit_open_meta()
      vfs_fruit: correct fruit_open_meta_stream() implementation
      vfs_fruit: refactor fruit_stat_meta()
      vfs_fruit: correct fruit_stat_meta_stream() implementation
      vfs_fruit: update_btime() is only needed for metadata=netatalk
      vfs_fruit: refactor readdir_attr_meta()
      vfs_fruit: correct readdir_attr_meta_finderi_stream() implementation
      vfs_fruit: fix fruit_rename() for the fruit:resource!=file case
      vfs_fruit: refactor fruit_unlink()
      vfs_fruit: fix fruit_chmod() for the fruit:resource!=file case
      vfs_fruit: fix fruit_chown() for the fruit:resource!=file case
      vfs_fruit: fix fruit_rmdir() for the fruit:resource!=file case
      vfs_fruit: in fruit_rmdir() check ._ files before deleting them
      vfs_fruit: refactor fruit_open_rsrc()
      vfs_fruit: refactor fruit_stat_rsrc()
      vfs_fruit: add fruit_stat_rsrc_stream() implementation
      vfs_fruit: add fruit_stat_rsrc_xattr() implementation
      vfs_fruit: refactor fruit_streaminfo()
      vfs_fruit: fix fruit_ntimes() for the fruit:metadata!=netatalk case
      vfs_fruit: refactor fruit_ftruncate() and fix stream case
      vfs_fruit: refactor readdir_attr_macmeta() resource fork size
      vfs_fruit: use SMB_VFS_NEXT_OPEN in two places
      vfs_fruit: remove base_fsp name translation
      vfs_fruit: fix fruit_check_access()
      selftest: disable vfs_fruit tests
      vfs_fruit: rework struct adouble API
      vfs_fruit: refactor fruit_open and use new adouble API
      vfs_fruit: refactor fruit_pread and fruit_pwrite and use new adouble API
      vfs_fruit: refactor fruit_fstat and use new adouble API
      vfs_fruit: use fio in fruit_fallocate
      vfs_fruit: refactor fruit_ftruncate and use new adouble API
      selftest: reenable vfs_fruit tests
      selftest: move vfs_fruit tests that require "fruit:metadata=netatalk" to vfs.fruit_netatalk
      selftest: run vfs_fruit tests against share with fruit:metadata=stream
      selftest: also run vfs_fruit tests with streams_depot
      selftest: add description to vfs_fruit testsuites
      s4/torture: vfs_fruit: add test_null_afpinfo test
      s4/torture: vfs_fruit: test deleting a file with resource fork
      s4/torture: add a vfs_fruit renaming test with open rsrc fork
      lib/torture: add torture_assert_mem_equal_goto
      s4/torture: add test for AAPL find with name with illegal NTFS characters
      docs/vfs_fruit: document known limitations with fruit:encoding=native
      s4/torture: change shares in used torture_suite_add_2ns_smb2_test()
      selftest: add shares without vfs_fruit for the vfs_fruit tests
      vfs_fruit: ignore or delete invalid AFP_AfpInfo streams
      s4/torture: vfs_fruit: test invalid AFPINFO_STREAM_NAME
      vfs_fruit: use stat info from base_fsp
      s4/torture: vfs_fruit: add stream with illegal ntfs characters to copyile test
      vfs_fruit: only veto AppleDouble files with fruit:resource=file
      vfs_fruit: enabling AAPL extensions must be a global switch
      libcli/smb: add max_credits arg to smbXcli_negprot_send()
      libcli/smb: add smb2cli_conn_get_cur_credits
      s4/torture: add some SMB2 crediting tests
      libcli/smb: add smb2cli_conn_get_mid and smb2cli_conn_set_mid
      s4/torture: add a creditting test skipping a SMB2 MID
      manpages/vfs_fruit: document global options
      s3/wscript: fix Linux kernel oplock detection
      s3/smbd: add const to get_lease_type() args
      s3/smbd: add comments and some reformatting to open_file_ntcreate()
      s3/smbd: req is already validated at the beginning of open_file_ntcreate()
      s3/smbd: simplify defer_open()
      s3/smbd: add and use retry_open() instead of defer_open() in two places
      s3/smbd: fix schedule_async_open() timer
      s3/smbd: remove async_open arg from defer_open()
      s3/smbd: all callers of defer_open() pass a lck
      s3/smbd: fix deferred open with streams and kernel oplocks
      s3/selftest: adopt config.h check from source4
      s4/torture: some tests for kernel oplocks
      s3/smbd: add my copyright to open.c
      lib/pthreadpool: fix a memory leak
      winbindd: use NULL for pointer check in get_cache()
      winbindd: untangle reconnect_methods vs reconnect_ads_methods
      winbindd: fix long lines in get_cache()
      winbindd: README.Coding fixes for get_cache()
      winbindd: remove trailing spaces in get_cache()
      CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
      CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
      s3/smbd: move copychunk ioctl limits to IDL
      vfs_default: let copy_chunk_send use const from IDL
      s3/smbd: move cc_copy into fsctl_srv_copychunk_state
      s3/smbd: implement a serializing async copy-chunk loop
      s3/smbd: optimize copy-chunk by merging chunks if possible
      vfs_default: move check for fsp->op validity
      s3/smbd: make copy chunk asynchronous
      winbindd: use passdb backend for well-known SIDs
      selftest: wbinfo -s tests for wellknown SIDs
      selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
      winbindd: trigger possible passdb_dsdb initialisation
      selftest: fix SID composition in a test script
      winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
      selftest: fix for wbinfo -s tests for wellknown SIDs
      winbindd: use correct domain name for failed lookupsids
      winbindd: remove unused single_domains array
      selftest: new environment "ad_member_idmap_rid"
      selftest: tests idmap mapping with idmap_rid
      vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
      s4/torture: vfs_fruit: test for bug 12565
      s3/include: add NT_STATUS_LOOKUP_ERR
      s3/rpc_client: use NT_STATUS_LOOKUP_ERR
      s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
      winbindd: error handling in rpc_lookup_sids()
      libcli/security: fix dom_sid_in_domain()
      winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
      winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
      winbindd: handling of failed lookupsids in wb_lookupsids_single_done()
      winbindd: remove fallback to lookupsid for unknown SIDs
      winbindd: remove lookupsid() fallback for a failed lookupsids()
      winbindd: remove fallback from lookuprids
      winbindd: only use the domain name from lookup sids if the domain matches
      lib/util: add and use iov_concat
      dbwrap: add enum dbwrap_req_state
      dbwrap: add parse_record_send/recv to struct db_context
      ctdb_conn: add ctdbd_parse_send/recv
      dbwrap_ctdb: factor out a db_ctdb_try_parse_local_record() function
      dbwrap_ctdb: implement parse_record_send()/recv()
      dbwrap: add dbwrap_parse_record_send/recv
      dbwrap_watch: add parse_record_send/recv wrappers
      s3/locking: add fetch_share_mode_send/recv
      s3/smbd: add file_id return arg to smbd_dirptr_lanman2_entry
      s3/smbd: ask_sharemode is not needed for info_level SMB_FIND_FILE_NAMES_INFO
      s3/smbd: enable processing SMB2 requests async internally
      s3/smbd: make write time fetching async
      s3/smbd: add "smbd:find async delay usec" to SMB2 FIND
      s4/torture: add a test for compound SMB2 FIND requests
      selftest: also run smb2.compound_find against share with async delay set
      lib/util: add a test for tfork()
      lib/util: make use of tfork in samba_runcmd_send()
      wafsamba: add source directory define SRCDIR to config.h
      lib/util: add a test for samba_runcmd_send()
      vfs_acl_xattr|tdb: ensure create mask is at least 0666 if ignore_system_acls is set
      vfs_fruit: lp_case_sensitive() does not return a bool
      lib/util: fix a Coverity finding in tfork
      tdb: runtime check for robust mutexes may hang in threaded programs

Shilpa Krishnareddy (1):
      notify: Fix ordering of events in notifyd

Stefan Metzmacher (85):
      py_net: make use of pytalloc_GenericObject_steal()
      pidl:Python: make sure print HASH references for STRUCT types
      pidl:Python: replace pytalloc_CObject_FromTallocPtr() with pytalloc_GenericObject_reference_ex()
      pidl:Python: use of pytalloc_GenericObject_reference*() for pyrpc_{ex,im}port_union() wrapping
      gensec:spnego: Add debug message for the failed principal
      s3:winbindd: fix endless forest trust scan
      dsdb/tests: remove duplicate test_smartcard_required3() from sam.py
      ldb-samba: remember the error string of a failing bind in ildb_connect()
      s4:ldap_server: match windows in the error messages of failing LDAP Bind requests
      dsdb/tests: add test_ldap_bind_must_change_pwd()
      s4:selftest: run samba4.sam.python also against fl2008r2dc
      s3:libads: remove unused fallback to gss_acquire_cred()
      winbindd: find the domain based on the sid within wb_lookupusergroups_send()
      idmap_autorid: allocate new domain range if the callers knows the sid is valid
      ldb: add LDB_FLG_DONT_CREATE_DB
      HEIMDAL:kdc: make it possible to disable the principal based referral detection
      s4:kdc: disable principal based autodetected referral detection
      winbindd: remove bogus fallback to the forest root in wb_lookupname*()
      winbindd: remove bogus fallback to the forest root in wb_lookupsid*()
      winbindd: remove unused find_root_domain()
      winbindd: avoid multiple wbint_LookupSids/lsa_LookupSids calls to the same domain
      remove historic source3/change-log
      netlogon.idl: make netr_LogonInfoClass public
      lsa.idl: add SID_NAME_LABEL
      libcli/security: add SID_NAME_LABEL to sid_type_lookup()
      libwbclient: add WBC_SID_NAME_LABEL
      auth4: add TODO comment on the auth_sam_trigger_repl_secret msDS-NeverRevealGroup interaction
      netlogond3: only call make_auth_context_subsystem() in one place
      auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
      auth3: make use of make_auth3_context_for_ntlm()
      pdbtest: make use of make_auth3_context_for_ntlm()
      netlogond3: make use of make_auth3_context_for_netlogon()
      winbindd: make use of make_auth3_context_for_winbind()
      auth3: make make_auth_context_subsystem() static
      auth4: make auth_check_password_wrapper() static
      auth4: add auth_context_create_for_netlogon()
      netlogon4: make use of auth_context_create_for_netlogon()
      winbindd: let winbindd_dual_auth_passdb() return pauthoritative
      auth3: let auth_check_ntlm_password() return pauthoritative
      auth4: let auth_check_password* return pauthoritative
      ntlm_auth3: let contact_winbind_auth_crap() return pauthoritative
      auth: let auth4_context->check_ntlm_password() return pauthoritative
      auth4: debug if method->ops->check_password() gives NOT_IMPLEMENTED
      auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
      winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
      auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
      auth4: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
      auth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines
      auth4: add a "winbind_rodc" backend
      auth4: reflect the reality and use "winbind_rodc" instead of "winbind" for the auth methods as AD_DC
      selftest: temporary skip samba.blackbox.pdbtest.s4winbind
      auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
      auth4: implement the deprecated 'auth methods' in auth_methods_from_lp()
      s4:selftest: specify auth methods of pdbtests without 'samba4:' prefix
      Revert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"
      wafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED
      rpcclient: allow -U'OTHERDOMAIN\user' again
      pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
      winbindd: let WBFLAG_PAM_GET_PWD_POLICY only fake the password policy
      script/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values
      nss_wrapper: use conf.blddir to construct libnss_wrapper_so_path
      resolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path
      uid_wrapper: use conf.blddir to construct libnss_wrapper_so_path
      s3:ntlm_auth: fix memory leak in manage_gensec_request()
      WHATSNEW: Deprecate "auth methods" and "map untrusted to domain"
      selftest: make sure we don't have any umask limitations for selftest
      testprogs/blackbox: use subunit_ helper functions in test_smbclient_*
      testprogs/blackbox: add test_rpcclient_*_grep helper functions
      auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
      winbindd: allow wbinfo -a REALM\\user to work on a DC
      testprogs/blackbox: add test_trust_ntlm.sh
      s4:selftest: run test_trust_ntlm.sh against various environments
      auth4: add a "sam_failtrusts" module
      auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
      auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
      auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
      auth4: improve authsam_want_check for upn authentication
      auth4: avoid map_user_info() in auth_check_password_send()
      auth4: remove unused map_user_info[_cracknames]()
      auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
      auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
      auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
      auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
      lib/util: add tfork()
      tdb: version 1.3.13

Uri Simchoni (27):
      smbd: refuse_symlink() - do not fail if the file does not exist
      smbd: get_ea_list_from_file_path() - remove a duplicate statement
      smbd: remove coupling between get_ea_names_from_file() and "ea support"
      testparm: remove check for "ea support" in fruit shares
      vfs_fruit: drop "ea support" from the manpage
      selftest: remove "ea support" from vfs_fruit-related setups.
      talloc: fix doxygen of talloc_move
      doc: update "ea support" section of the smb.conf manpage
      smbd: add zero_file_id flag
      vfs_fruit: enable zero file id
      vfs_fruit: document added zero_file_id parameter
      torture: add torture_assert_mem_not_equal_goto()
      selftest: tests for vfs_fruite file-id behavior
      s3: libsmb: add replace support to SMB2 rename
      s3: libsmb: add replace support to cli_rename()
      smbclient: add -f option to rename command
      manpages: update smbclient manpage with rename -f option
      libcli: introduce smbXcli_conn_support_passthrough()
      s3-libsmb: cli_cifs_rename_send()
      s3-libsmb: fail rename and replace inside cifs variant
      s3-libsmb: support rename and replace for SMB1
      docs: fixup smbclient rename -f option
      build: refuse to build without PAM support if enabled
      selftest: test fetching a large ACL from vfs_acl_xattr
      vfs_xattr_tdb: handle case of zero size.
      vfs_acl_xattr: factor out fetching of an extended attribute
      vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()

Volker Lendecke (132):
      auth3: Fix some whitespace
      auth3: Simplify get_system_info3
      auth4: Fix map_user_info_cracknames for domain==NULL
      auth4: Only use CrackNames if we're a DC
      auth4: Reduce indentation level by an early error return
      samdb: Fix a typo
      posix_acls: Do a *bit* of reformatting
      posix_acls: Use talloc_zero_array
      waf: Fix a typo
      winbind: Fix a cut&paste debug typo
      smbd: Do an early exit on negprot failure
      torture3: Add test for smbd crash
      lib: Make gencache hash size configurable, default to 10000
      Revert "winbind: Remove rpc_lookup_usergroups"
      Revert "winbind: Remove "lookup_usergroups" winbind method"
      Revert "winbind: Remove validate_ug"
      Revert "winbind: Remove wcache_lookup_usergroups"
      Revert "winbind: Remove wb_cache_lookup_usergroups"
      Revert "winbind: Remove wbint_LookupUserGroups"
      Revert "winbind: Remove wb_lookupusergroups"
      Re-enable token groups fallback
      auth4: Move a variable closer to its use
      auth4: Remove an unused struct declaration
      winbind: Fix a debug message
      cli_netlogon: Remove a fallback for authoritative=NULL
      cli_netlogon: Remove a fallback for flags=NULL
      cli_netlogon: Add return parms to rpccli_netlogon_password_logon
      winbind: Pass up args from winbind_samlogon_retry_loop
      winbind: Pass up args from winbind_dual_SamLogon
      winbind: Add "authoritative" to winbindd_response
      winbind: Set "authoritative" in response to auth_crap
      libwbclient: Add "authoritative" to wbcAuthErrorInfo
      winbind: Correcly pass !authoritative from wb_irpc_SamLogon
      winbind: Remove unused wcache_tdc_fetch_domainbysid
      winbind: Add a debug message for out-of-range IDs
      auth3: Centralize auth_check_ntlm_password failure handling
      auth3: Use talloc_move instead of _steal
      auth3: Simplify auth_check_ntlm_password talloc handling
      auth3: Simplify auth_check_ntlm_password server_info handling
      auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
      auth3: Simplify auth_check_ntlm_password logic with a "goto fail"
      winbind: Fix a typo
      ldap_server: Fix a typo
      winbind: Use talloc_strdup_upper where appropriate
      winbindd: Remove an unused #define
      auth_winbind3: Correctly handle !authoritative
      auth_winbind4: Correctly handle !authoritative
      auth_ntdomain3: Correctly handle !authoritative
      libsmb: Remove some stale code
      libsmb: Make a few functions static
      libsmb: Simplify trustdom_cache_store
      libsmb: Use talloc in trustdom_cache_key
      libsmb: Slightly simplify trustdom_cache_fetch
      examples: Add '-p', '--port' to smb2mount
      examples:clifuse: Add a stub for getattr
      passdb: Remove pdb_ipa
      lib: Fix an uninitialized variable warning
      docs: Deprecate "map untrusted to domain"
      docs: Deprecate "auth methods"
      tldap: Allow dropping messages in tldap_search()
      s3:winbind: Use the correct talloc context for user information
      lib: Avoid an includes.h
      lib: Make sys_poll_intr available to ctdb
      lib: Simplify smb_nanosleep
      winbind: Add idmap_config_const_string
      winbind: Use idmap_config_const_string in domain_has_idmap_config
      winbind: Use idmap_config_const_string in idmap_init_named_domain
      winbind: Use idmap_config_const_string in wb_xids2sids_add_dom
      winbind: Use idmap_config_const_string in idmap_tdb2_db_init
      winbind: Use idmap_config_const_string in idmap_script_db_init
      winbind: Use idmap_config_const_string in idmap_init_domain
      idmap_ldap: Use idmap_config_const_string
      idmap_ldap: Use idmap_config_const_string
      idmap_rfc2307: Use idmap_config_const_string
      idmap_ad: Use idmap_config_const_string
      winbind: Add idmap_config_bool()
      idmap: Use idmap_config_bool in idmap_init_domain
      idmap_rfc2307: Use idmap_config_bool
      idmap_ad: Use idmap_config_bool
      idmap_autorid: Use idmap_config_bool
      winbind: Add idmap_config_int
      idmap_rid: Use idmap_config_int
      idmap_autorid: Use idmap_config_int
      idmap_tdb: Avoid a few casts
      idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
      idmap_rfc2307: Clarify the documentation a bit
      net: Don't crash if lsa_LookupPrivDisplayName returns NULL
      wbinfo: Add "authoritative" to wbinfo -a output
      auth3: Slightly simplify make_auth_context_subsystem() step1
      auth3: Slightly simplify make_auth_context_subsystem() step2
      auth3: Introduce make_auth_context_specific
      auth3: Don't try other auth modules on any error
      auth3: Simplify the logic in auth_check_ntlm_password
      auth3: Introduce auth3_context_set_challenge
      winbindd: Call make_auth_context_subsystem directly
      netlogond3: "authorititative" is a uint8
      netlogond3: Call make_auth_context_subsystem directly
      pdbtest: Call make_auth_context_subsystem directly
      auth3: Remove unused make_auth_context_fixed
      winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"
      server_id_db: Protect against non-0-terminated data records
      lib: Remove unused winbind_get_groups and _get_sid_aliases
      lib: Remove an unnecessary include
      lib: Avoid an includes.h
      lib: Avoid an includes.h
      lib: Avoid an includes.h
      lib: Avoid an includes.h
      lib: Avoid an includes.h
      lib: Avoid an includes.h
      idmap_ldap: Fix CID 1404836 Dereference before null check
      smbd: Fix smb1 findfirst with DFS
      auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
      selftest: Test for bug 12558
      tdb: Fix some signed/unsigned hickups
      tdb: Do lock upgrades properly
      tdb: Test for readonly lock upgrade bug
      winbind: Simplify a logic expression
      winbind: Avoid a "ok==false"
      winbind: Slightly simplify remove_timed_out_clients
      winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
      winbind_msrpc: Use any_nt_status_not_ok
      smbldap: pdb_ipa is gone
      smbldap: Move ldapsam_privates to pdb_ldap.h
      smbldap: Fix a typo
      smbldap: Introduce "smbldap_get_ldap"
      smbldap: Introduce "smbldap_get_paged_results"
      smbldap: Introduce "smbldap_get_paged_results"
      smbldap: Privatize struct smbldap_state
      smbldap: Bump version number
      secrets: Protect against a non-0-terminated ldap password
      tdbtool: Add "storehex" command
      lib: Fix CID 1405493 Error handling issues (CHECKED_RETURN)


Samba Shared Repository

More information about the samba-cvs mailing list