[SCM] Samba Shared Repository - branch v4-13-test updated

Tue Nov 9 18:46:37 UTC 2021

The branch, v4-13-test has been updated
       via  959fb5a4c69 VERSION: Bump version up to Samba 4.13.15...
       via  db11778b576 VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release.
       via  6c14ac876b6 WHATSNEW: Add release notes for Samba 4.13.14.
       via  0203330e2fa CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
       via  08b6c8fda59 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
       via  79d62d83e23 CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
       via  caf3d32f68f CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
       via  061c125c612 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
       via  7c3b0376000 CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
       via  6925a53a290 CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
       via  5337dc5eaeb CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
       via  ec1ea05e8f1 CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
       via  3db47b076d0 CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
       via  f7636fb7215 CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
       via  721e40dd379 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
       via  4290223ed40 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
       via  ec712adf500 CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
       via  f4492f9309f CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
       via  1f66e3f97e1 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
       via  adcd0d76132 CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
       via  6afefee92ce CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
       via  714cf311ab2 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
       via  6b371124410 CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
       via  4a893891951 CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
       via  83a9fb52f3e CVE-2021-23192 rpc: Give dcerpc_util.c its own header
       via  3ed16e74292 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
       via  26a1bd5cc75 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
       via  9ac2254c50d CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
       via  2b28b9c3be2 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
       via  1c5a0ef89c9 Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
       via  a803247a1dc CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
       via  c05ea4568fc CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
       via  06a46f79dd6 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
       via  864623d873f CVE-2020-25719 heimdal:kdc: Require PAC to be present
       via  b6ab45da636 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
       via  1fb0c6b5ff9 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
       via  2eaf906f926 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
       via  5f1aeeee089 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
       via  c493ff06c68 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
       via  73f6a615455 CVE-2020-25719 heimdal:kdc: Check return code
       via  60ac2ff31f0 CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
       via  8513fe9e30a CVE-2020-25722 Ensure the structural objectclass cannot be changed
       via  c59f5762ead CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
       via  8d94ec0d3f7 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
       via  aa66df26021 CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
       via  1566a68a3dc CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
       via  4cb7155917e CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
       via  a12d50c5334 CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
       via  65b170366ac CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
       via  944d1af2826 CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
       via  27629a5a662 CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
       via  69b14a883a2 CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
       via  d15ffe1ba20 CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
       via  43f321dce53 CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
       via  0a3ebd1d1b9 CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
       via  4b78fe5c13b CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
       via  8c1092d8ec0 CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
       via  4d92c401a99 CVE-2020-25719 heimdal:kdc: Require authdata to be present
       via  706004d0267 CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
       via  6b7d62e87eb CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
       via  8ae2a8740ce CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
       via  ff747922c11 CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
       via  fe94c4bc71b CVE-2020-25719 mit_samba: Create the talloc context earlier
       via  d86977088cd CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
       via  f99cff8c051 CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
       via  f0b9f23fa25 CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
       via  0e09aaa3e64 CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
       via  940ddac4572 CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
       via  9902f1b0bf3 CVE-2020-25719 mit-samba: Add ks_free_principal()
       via  4754bf4daf3 CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
       via  0954b59e85e CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
       via  103a6ebbbed CVE-2020-25719 s4/torture: Expect additional PAC buffers
       via  3c832b5a8ab CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
       via  d151c2528d1 CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
       via  9990c478bf4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
       via  9e29510f3e1 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
       via  8bd96fc1aeb CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
       via  2895186282e CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
       via  241d3956af9 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
       via  04ceb10cbb4 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
       via  e496c04a6c2 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
       via  5ad45816684 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
       via  51890d84286 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
       via  837e153c74f CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
       via  05c3582eaee CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
       via  97e5b765f28 CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
       via  fad4159de4b CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
       via  80a8c900ebc CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
       via  a01303f07c4 CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
       via  5d83f3ba83f CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
       via  e60e6301ad8 CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
       via  4dfa0a77ce0 CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
       via  13d066a83b1 CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
       via  b4ac46d376e CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
       via  decb2883d77 CVE-2020-25718 tests/krb5: Fix indentation
       via  dd176b4f8df CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
       via  223179aaa5e CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
       via  bed2ea1d378 CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
       via  b8424fad423 CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
       via  2a57c6e2f6a CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
       via  3f413fb5813 CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
       via  fdd25972d26 CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
       via  485db903ed2 CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
       via  1deb16de4d1 CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
       via  63de509875b CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
       via  96fbfe0edd6 CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
       via  2991eedefc1 CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
       via  18e4c639dfc CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
       via  57f7b13f70d CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
       via  466620563bd CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
       via  437465a90ef CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
       via  7913ec038f2 CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
       via  208bbf8cfda CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
       via  3a4095aec5e CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
       via  b121b1920f9 CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
       via  9be11622765 CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
       via  4439ac7bb6e CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
       via  90957fba9ff CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
       via  935997b92eb CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
       via  4b5a370e896 CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
       via  38e858b12c1 CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
       via  40a3b71e05c CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
       via  26bfddd4390 CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
       via  50f5069a73a CVE-2020-25722 s4/provision: add host/ SPNs at the start
       via  5650323f79c CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
       via  47279630f17 CVE-2020-25722 samba-tool spn add: remove --force option
       via  55c6c01a65e CVE-2020-25722 samba-tool spn: accept -H for database url
       via  3e349608853 CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
       via  c1973cedbaa CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
       via  f64fe0b1e74 CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
       via  a65866a6c73 CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
       via  ef7f582772a CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
       via  f1c64ed29ea CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
       via  ae9eb6c7d85 CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute
       via  038767ae9c2 CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
       via  7cbf3940757 CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
       via  0bb53df9253 CVE-2020-25722 Add test for SPN deletion followed by addition
       via  ef4df24b472 CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
       via  27d719174b7 CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
       via  9f807fdd8d1 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
       via  6a1f5f57971 CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
       via  a152f36b057 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
       via  131d5ceb9de CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
       via  9f73360e17d CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
       via  e95392aa08f CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
       via  eba5e132183 CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
       via  39cf01d0d26 CVE-2020-25717: Add FreeIPA domain controller role
       via  e8e0bea9b33 CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
       via  b0031f53185 CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
       via  844faf2f0ac CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
       via  d079628a43f CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
       via  885fe6e31b1 CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
       via  ce47a81eb5f CVE-2020-25717: s3:auth: Check minimum domain uid
       via  c703f7a5642 CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
       via  eea64478862 CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
       via  37c2f73cc95 CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
       via  b9d8f8025b7 CVE-2020-25717: loadparm: Add new parameter "min domain uid"
       via  6ca265b8634 CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
       via  8a946f2758f CVE-2020-25717: s3:auth: start with authoritative = 1
       via  9b977f50510 CVE-2020-25717: s3:rpcclient: start with authoritative = 1
       via  04ca59a5129 CVE-2020-25717: s3:torture: start with authoritative = 1
       via  25fd512f63b CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
       via  49779027293 CVE-2020-25717: s4:auth_simple: start with authoritative = 1
       via  38e7562ccdc CVE-2020-25717: s4:smb_server: start with authoritative = 1
       via  9b73069dc8e CVE-2020-25717: s4:torture: start with authoritative = 1
       via  66cd97e558c CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
       via  5966f8c2d47 CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
       via  2aa37d595e4 CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
       via  f507539d822 CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
       via  2966b61522e CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
       via  718aefaacf4 CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
       via  94635645197 CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
       via  62af3d24a44 CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
       via  f839cc40af6 CVE-2020-25719 tests/krb5: Add principal aliasing test
       via  6b82704c2f7 CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
       via  98f570d0841 CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
       via  f4841ce8c11 CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
       via  894be09a93c CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
       via  5fc5247aca3 CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
       via  c2d7c9a87f4 CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
       via  49ddf6166b3 CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
       via  5837a12c8d5 MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
       via  66d2176a706 CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
       via  17a08609b20 CVE-2020-25719 tests/krb5: Add is_tgt() helper method
       via  a61c71a611c CVE-2020-25722 tests/krb5: Allow creating server accounts
       via  24f759427f5 CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
       via  e2a1affc03a CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
       via  696ae3cb285 CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
       via  52a505512a2 CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
       via  1282c823978 CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
       via  17c4928b2d3 CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
       via  7bba574107d CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
       via  46672d19a4b CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
       via  4dfc225b0bb CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
       via  70b724f6d0c CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
       via  71c2d0d61f2 CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
       via  c212f3fe50c CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
       via  55d821ca8b5 CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
       via  20ce152fa00 CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
       via  a76d5d62023 CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
       via  08f9f8a9111 CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
       via  d7187adb616 CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
       via  cc9259de558 CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
       via  f77231f1ae9 CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
       via  761b80e1761 CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
       via  8d54b763dc4 CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
       via  e3021debe82 CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
       via  081a7c7ff9b CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
       via  9ff11f2a955 CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
       via  20720ec0bb1 CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
       via  0e3e5260790 CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
       via  20e466c1369 CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
       via  448585950bd CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
       via  0c20aa465c4 CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
       via  d82cba0d8c7 CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
       via  d2eee68c8a5 CVE-2020-17049 tests/krb5: Check account name and SID in PAC for S4U tests
       via  4ee7940140e CVE-2020-25722 selftest: Use self.assertRaisesLdbError() in user_account_control.py test
       via  ff8f61b7e30 CVE-2020-25722 selftest: Update user_account_control tests to pass against Windows 2019
       via  884b2d4c3bf CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
       via  d8762d35ac9 CVE-2020-25722 selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
       via  52611c7f53e CVE-2020-25722 selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
       via  10d33e2e8d5 CVE-2020-25722 pydsdb: Add API to return strings of known UF_ flags
       via  0777ea3d660 CVE-2020-25722 selftest: Use addCleanup rather than tearDown in user_account_control.py
       via  62fe5530de3 CVE-2020-25722 selftest: Modernise user_account_control.py tests use a common self.OU
       via  7f4e179825e CVE-2020-25722 selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
       via  1bfde439b6c CVE-2020-25719 selftest/knownfail_mit_kdc: Add pointless knownfail to allow a later cherry-pick to apply cleanly
       via  4fea58a531e CVE-2020-25717 auth4: Remove sync check_password from auth_operations
       via  25d6b0c5e48 CVE-2020-25717 auth4: Make auth_sam pseudo-async
       via  78c76cf5f72 CVE-2020-25717 auth4: Make auth_unix pseudo-async
       via  b64de25abd8 CVE-2020-25717 auth4: Make auth_developer pseudo-async
       via  bba5ff7c4e9 CVE-2020-25717 auth4: Make auth_anonymous pseudo-async
       via  d7a295b97e4 CVE-2020-25717 auth: Simplify DEBUG statements in make_auth3_context_for_ntlm()
       via  ad4192e815d CVE-2020-25717 auth3: Simplify check_samba4_security()
       via  b2e1e518f7e CVE-2020-25717 selftest: Only set netbios aliases for the ad_member env
       via  b2fffcfacbd CVE-2020-25717 selftest: Pass down the machine account name to provision_ad_member
       via  031fc79834c CVE-2020-25717 auth_generic: fix empty initializer compile warning
       via  654b09ec8b9 CVE-2020-25717 lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
       via  eb4123b5cae CVE-2020-25717 auth_sam: use pdb_get_domain_info to look up DNS forest information
       via  4a39d8a1610 CVE-2020-25717 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
       via  4a68c748e47 CVE-2020-25717 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
       via  4925a110c4e CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
       via  bd12ce56f03 CVE-2020-25717 wb_sids2xids: defer/skip wb_lookupsids* unless we get ID_TYPE_WB_REQUIRE_TYPE
       via  04e10a84318 CVE-2020-25717 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
       via  ed1542b9f37 CVE-2020-25717 wb_sids2xids: build state->idmap_doms based on wb_parent_idmap_config
       via  69c53f9c317 CVE-2020-25717 wb_sids2xids: fill cache as soon as possible
       via  0ec6beec7da CVE-2020-25717 wb_sids2xids: directly use state->all_ids to collect results
       via  ed766403618 CVE-2020-25717 wb_sids2xids: change 'i' to 'li' in wb_sids2xids_lookupsids_done()
       via  ab4f028db00 CVE-2020-25717 wb_sids2xids: refactor wb_sids2xids_done() a bit
       via  5e4491e8455 CVE-2020-25717 wb_sids2xids: inline wb_sids2xids_extract_for_domain_index() into wb_sids2xids_next_sids2unix()
       via  ca5cf8d35b9 CVE-2020-25717 wb_sids2xids: move more checks to wb_sids2xids_next_sids2unix()
       via  27b73f9d343 CVE-2020-25717 wb_sids2xids: rename 'non_cached' to 'lookup_sids'
       via  e226e0a163a CVE-2020-25717 wb_sids2xids: maintain struct wbint_TransIDArray all_ids as cache
       via  713f9c96007 CVE-2020-25717 wb_sids2xids: split out wb_sids2xids_next_sids2unix()
       via  3812930e641 CVE-2020-25717 winbindd: defer the setup_child() from init_idmap_child()
       via  be816313636 CVE-2020-25717 winbindd: assert wb_parent_idmap_setup_send/recv() was called before idmap_child_handle()
       via  12fb0f40f60 CVE-2020-25717 wb_queryuser: explain why wb_parent_idmap_setup_send/recv is not needed
       via  a3cca16fac5 CVE-2020-25717 wb_sids2xids: call wb_parent_idmap_setup_send/recv as the first step
       via  5e04b985acc CVE-2020-25717 wb_xids2sids: make use of the new wb_parent_idmap_setup_send/recv() helpers
       via  f3957ca5ce2 CVE-2020-25717 winbindd: add generic wb_parent_idmap_setup_send/recv() helpers
       via  aebe4cec6c5 CVE-2020-25717 winbindd: add and use is_idmap_child()
       via  b7b4bb1c55b CVE-2020-25717 winbindd: add and use idmap_child_pid()
       via  39da0df37c4 CVE-2020-25717 wb_sids2xids: avoid idmap_child() and use idmap_child_handle() instead
       via  861bc4ddd8d CVE-2020-25717 wb_xids2sids: avoid idmap_child() and use idmap_child_handle() instead
       via  d4c9be23183 CVE-2020-25717 wb_queryuser: avoid idmap_child() and use idmap_child_handle() instead
       via  68a823fd032 CVE-2020-25717 winbindd/idmap: apply const to struct nss_info_methods pointers
       via  337cb0847bf CVE-2020-25717 winbindd/idmap: apply const to struct idmap_methods pointers
       via  340e2153c7e CVE-2020-25717 test_idmap_tdb_common: correctly initialize the idmap domain with an init function
       via  0792d340860 CVE-2020-25717 s3:passdb: use ID_TYPE_* instead of WBC_ID_TYPE_*
       via  05b27742da4 CVE-2020-25717 winbind.idl: rename wbint_TransID.type to wbint_TransID.type_hint
      from  20ce74008b3 ldb: version 2.2.3

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -----------------------------------------------------------------
commit 959fb5a4c69478848d3fbcff7d952a727cef518d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 9 19:45:46 2021 +0100

    VERSION: Bump version up to Samba 4.13.15...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  113 +-
 auth/auth_util.c                                   |    9 +-
 auth/credentials/tests/bind.py                     |   13 +-
 auth/gensec/gensec_util.c                          |   27 +-
 auth/ntlmssp/ntlmssp_server.c                      |    2 +-
 docs-xml/smbdotconf/security/mindomainuid.xml      |   17 +
 docs-xml/smbdotconf/security/serverrole.xml        |    7 +
 docs-xml/smbdotconf/winbind/idmapconfig.xml        |    4 +
 lib/param/loadparm.c                               |    4 +
 lib/param/loadparm_server_role.c                   |    2 +
 lib/param/param_table.c                            |    1 +
 lib/param/util.c                                   |    1 +
 libcli/auth/wscript_build                          |   10 +-
 libcli/netlogon/netlogon.c                         |    2 +-
 libds/common/flag_mapping.c                        |   50 +
 libds/common/flag_mapping.h                        |    1 +
 libds/common/flags.h                               |    5 +
 libds/common/roles.h                               |    1 +
 librpc/idl/idmap.idl                               |   23 +-
 librpc/idl/krb5pac.idl                             |   38 +-
 librpc/idl/winbind.idl                             |    2 +-
 librpc/ndr/ndr_krb5pac.c                           |    4 +-
 librpc/rpc/dcerpc_pkt_auth.c                       |  500 +++++
 librpc/rpc/dcerpc_pkt_auth.h                       |   59 +
 librpc/rpc/dcerpc_util.c                           |  465 +----
 librpc/rpc/dcerpc_util.h                           |   85 +
 librpc/rpc/dcesrv_auth.c                           |   30 +
 librpc/rpc/dcesrv_core.c                           |  161 +-
 librpc/rpc/dcesrv_reply.c                          |    1 +
 librpc/rpc/rpc_common.h                            |   74 -
 librpc/wscript_build                               |   25 +-
 python/samba/netcmd/spn.py                         |   37 +-
 python/samba/tests/__init__.py                     |   58 +-
 python/samba/tests/blackbox/ndrdump.py             |   35 +
 python/samba/tests/dcerpc/raw_protocol.py          | 1561 ++++++++++++++--
 python/samba/tests/dcerpc/raw_testcase.py          |   57 +-
 python/samba/tests/dsdb_api.py                     |   57 +
 python/samba/tests/krb5/alias_tests.py             |  201 ++
 python/samba/tests/krb5/kdc_base_test.py           |  168 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           | 1922 ++++++++++++++++++-
 python/samba/tests/krb5/raw_testcase.py            |  239 ++-
 python/samba/tests/krb5/rfc4120_constants.py       |    3 +
 python/samba/tests/krb5/rodc_tests.py              |    2 +
 python/samba/tests/krb5/s4u_tests.py               |   49 +-
 python/samba/tests/krb5/spn_tests.py               |  212 +++
 python/samba/tests/krb5/test_ccache.py             |   67 +-
 python/samba/tests/krb5/test_ldap.py               |  100 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |  121 ++
 python/samba/tests/krb5/test_rpc.py                |   70 +-
 python/samba/tests/krb5/test_smb.py                |   71 +-
 python/samba/tests/ldap_spn.py                     |  917 ++++++++++
 python/samba/tests/ldap_upn_sam_account.py         |  510 ++++++
 python/samba/tests/samba_tool/computer.py          |   18 +-
 python/samba/tests/usage.py                        |    3 +
 selftest/knownfail.d/ldap_spn                      |    1 +
 selftest/knownfail.d/modify-order                  |    2 +-
 selftest/knownfail.d/priv_attr                     |   13 +
 selftest/knownfail.d/uac_objectclass_restrict      |   17 +
 selftest/knownfail_heimdal_kdc                     |   16 +-
 selftest/knownfail_mit_kdc                         |  148 +-
 selftest/selftest.pl                               |    2 -
 selftest/target/Samba.pm                           |    2 +
 selftest/target/Samba3.pm                          |   98 +-
 selftest/target/Samba4.pm                          |    2 -
 selftest/tests.py                                  |    1 +
 source3/auth/auth.c                                |   18 +-
 source3/auth/auth_generic.c                        |  162 +-
 source3/auth/auth_sam.c                            |   47 +-
 source3/auth/auth_samba4.c                         |   31 +-
 source3/auth/auth_util.c                           |  105 +-
 source3/auth/proto.h                               |    3 -
 source3/auth/user_krb5.c                           |   79 +-
 source3/include/idmap.h                            |    2 +-
 source3/include/nss_info.h                         |    6 +-
 source3/include/smb_macros.h                       |    2 +-
 source3/lib/netapi/joindomain.c                    |    1 +
 source3/lib/util_names.c                           |   15 +-
 source3/librpc/rpc/dcerpc_helpers.c                |    1 +
 source3/libsmb/cliconnect.c                        |    9 +
 source3/param/loadparm.c                           |    6 +-
 source3/passdb/lookup_sid.c                        |   52 +-
 source3/passdb/machine_account_secrets.c           |    7 +-
 source3/registry/reg_backend_prod_options.c        |    1 +
 source3/rpc_client/cli_pipe.c                      |    1 +
 source3/rpc_client/rpc_transport_np.c              |    1 +
 source3/rpc_server/dssetup/srv_dssetup_nt.c        |    1 +
 source3/rpc_server/rpc_ncacn_np.c                  |    1 +
 source3/rpcclient/cmd_netlogon.c                   |    2 +-
 source3/smbd/server.c                              |    2 +-
 source3/torture/pdbtest.c                          |    2 +-
 source3/torture/test_idmap_tdb_common.c            |   50 +-
 source3/utils/ntlm_auth.c                          |   95 +-
 source3/utils/ntlm_auth_diagnostics.c              |   10 +-
 source3/winbindd/idmap.c                           |    6 +-
 source3/winbindd/idmap_ad.c                        |    2 +-
 source3/winbindd/idmap_ad_nss.c                    |    6 +-
 source3/winbindd/idmap_autorid.c                   |    8 +-
 source3/winbindd/idmap_hash/idmap_hash.c           |   39 +-
 source3/winbindd/idmap_ldap.c                      |   31 +-
 source3/winbindd/idmap_nss.c                       |    3 +-
 source3/winbindd/idmap_passdb.c                    |    7 +-
 source3/winbindd/idmap_proto.h                     |    2 +-
 source3/winbindd/idmap_rfc2307.c                   |    2 +-
 source3/winbindd/idmap_rid.c                       |    2 +-
 source3/winbindd/idmap_rw.c                        |   32 +-
 source3/winbindd/idmap_script.c                    |    2 +-
 source3/winbindd/idmap_tdb.c                       |    2 +-
 source3/winbindd/idmap_tdb2.c                      |    2 +-
 source3/winbindd/idmap_tdb_common.c                |   22 +-
 source3/winbindd/nss_info.c                        |    7 +-
 source3/winbindd/wb_queryuser.c                    |   66 +-
 source3/winbindd/wb_sids2xids.c                    |  561 ++++--
 source3/winbindd/wb_xids2sids.c                    |  267 +--
 source3/winbindd/winbindd.h                        |   13 +
 source3/winbindd/winbindd_allocate_uid.c           |   44 +-
 source3/winbindd/winbindd_cm.c                     |   12 +-
 source3/winbindd/winbindd_dual.c                   |   10 +-
 source3/winbindd/winbindd_dual_srv.c               |   15 +-
 source3/winbindd/winbindd_getgroups.c              |    7 +
 source3/winbindd/winbindd_idmap.c                  |  378 +++-
 source3/winbindd/winbindd_irpc.c                   |    7 +
 source3/winbindd/winbindd_misc.c                   |    2 +-
 source3/winbindd/winbindd_pam.c                    |   15 +-
 source3/winbindd/winbindd_pam_auth_crap.c          |    9 +-
 source3/winbindd/winbindd_proto.h                  |    7 +
 source3/winbindd/winbindd_util.c                   |   47 +-
 source3/wscript_build                              |    8 +-
 source4/auth/auth.h                                |   12 -
 source4/auth/ntlm/auth.c                           |   99 +-
 source4/auth/ntlm/auth_anonymous.c                 |   66 +-
 source4/auth/ntlm/auth_developer.c                 |   61 +-
 source4/auth/ntlm/auth_sam.c                       |   81 +-
 source4/auth/ntlm/auth_simple.c                    |    2 +-
 source4/auth/ntlm/auth_unix.c                      |   85 +-
 source4/auth/ntlm/wscript_build                    |    4 +-
 source4/auth/sam.c                                 |    5 +-
 source4/dsdb/common/rodc_helper.c                  |  284 +++
 source4/dsdb/common/util.c                         |   11 +
 source4/dsdb/pydsdb.c                              |   30 +
 source4/dsdb/samdb/cracknames.c                    |   19 +-
 source4/dsdb/samdb/ldb_modules/acl.c               |  120 +-
 source4/dsdb/samdb/ldb_modules/acl_util.c          |   40 +
 source4/dsdb/samdb/ldb_modules/dirsync.c           |   13 +-
 source4/dsdb/samdb/ldb_modules/objectclass.c       |   36 +
 source4/dsdb/samdb/ldb_modules/password_hash.c     |  164 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            | 1923 +++++++++++++++++---
 source4/dsdb/samdb/ldb_modules/util.c              |  119 +-
 source4/dsdb/tests/python/acl.py                   |   97 +
 source4/dsdb/tests/python/ldap.py                  |   49 +-
 source4/dsdb/tests/python/linked_attributes.py     |   21 -
 source4/dsdb/tests/python/password_settings.py     |   30 +-
 source4/dsdb/tests/python/priv_attrs.py            |  398 ++++
 source4/dsdb/tests/python/sam.py                   |   94 +-
 source4/dsdb/tests/python/subtree_rename.py        |   25 -
 source4/dsdb/tests/python/user_account_control.py  |  855 +++++++--
 source4/dsdb/wscript_build                         |    2 +-
 source4/heimdal/kdc/kerberos5.c                    |   23 +-
 source4/heimdal/kdc/krb5tgs.c                      |  292 ++-
 source4/heimdal/kdc/windc.c                        |    7 +-
 source4/heimdal/kdc/windc_plugin.h                 |    2 +
 source4/heimdal/lib/hdb/hdb.h                      |    2 +-
 source4/kdc/db-glue.c                              |   77 +-
 source4/kdc/db-glue.h                              |    5 +-
 source4/kdc/hdb-samba4.c                           |   43 +-
 source4/kdc/kdc-heimdal.c                          |    1 +
 source4/kdc/mit-kdb/kdb_samba.h                    |    7 +
 source4/kdc/mit-kdb/kdb_samba_policies.c           |  185 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c         |   60 +-
 source4/kdc/mit_samba.c                            |   62 +-
 source4/kdc/mit_samba.h                            |    2 +
 source4/kdc/pac-glue.c                             |  473 ++++-
 source4/kdc/pac-glue.h                             |   31 +-
 source4/kdc/wdc-samba4.c                           |  132 +-
 source4/libcli/smb_composite/sesssetup.c           |   14 +
 source4/librpc/rpc/dcerpc.c                        |    3 +
 source4/librpc/rpc/dcerpc_roh_channel_out.c        |    1 +
 .../librpc/tests/krb5pac_upn_dns_info_ex.b64.txt   |    1 +
 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt   |  220 +++
 .../krb5pac_upn_dns_info_ex_not_supported.b64.txt  |    1 +
 .../krb5pac_upn_dns_info_ex_not_supported.txt      |  213 +++
 source4/librpc/wscript_build                       |   21 +-
 source4/rpc_server/common/server_info.c            |  121 +-
 source4/rpc_server/common/sid_helper.c             |  134 --
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c    |   11 +-
 source4/rpc_server/drsuapi/dcesrv_drsuapi.c        |   55 +-
 source4/rpc_server/drsuapi/getncchanges.c          |   71 +-
 source4/rpc_server/lsa/lsa_init.c                  |    7 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |  191 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   21 +-
 source4/rpc_server/samr/samr_password.c            |   33 +-
 source4/rpc_server/wscript_build                   |    9 +-
 source4/selftest/tests.py                          |  110 +-
 source4/setup/provision_self_join.ldif             |    9 +-
 source4/setup/tests/blackbox_spn.sh                |    7 +-
 source4/setup/tests/blackbox_upgradeprovision.sh   |    8 +-
 source4/smb_server/smb/sesssetup.c                 |    4 +-
 source4/torture/rpc/drsuapi.c                      |  202 +-
 source4/torture/rpc/drsuapi.h                      |    3 +-
 source4/torture/rpc/drsuapi_cracknames.c           |    2 +-
 source4/torture/rpc/remote_pac.c                   |   24 +-
 source4/torture/rpc/samlogon.c                     |    4 +-
 source4/torture/rpc/schannel.c                     |    2 +-
 testprogs/blackbox/dbcheck-oldrelease.sh           |    4 +-
 testprogs/blackbox/functionalprep.sh               |    2 +-
 testprogs/blackbox/upgradeprovision-oldrelease.sh  |    4 +-
 206 files changed, 15176 insertions(+), 3358 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml
 create mode 100644 librpc/rpc/dcerpc_pkt_auth.c
 create mode 100644 librpc/rpc/dcerpc_pkt_auth.h
 create mode 100644 librpc/rpc/dcerpc_util.h
 create mode 100644 python/samba/tests/dsdb_api.py
 create mode 100755 python/samba/tests/krb5/alias_tests.py
 create mode 100755 python/samba/tests/krb5/spn_tests.py
 create mode 100755 python/samba/tests/krb5/test_min_domain_uid.py
 create mode 100644 python/samba/tests/ldap_spn.py
 create mode 100644 python/samba/tests/ldap_upn_sam_account.py
 create mode 100644 selftest/knownfail.d/ldap_spn
 create mode 100644 selftest/knownfail.d/priv_attr
 create mode 100644 selftest/knownfail.d/uac_objectclass_restrict
 create mode 100644 source4/dsdb/common/rodc_helper.c
 create mode 100644 source4/dsdb/tests/python/priv_attrs.py
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.b64.txt
 create mode 100644 source4/librpc/tests/krb5pac_upn_dns_info_ex_not_supported.txt
 delete mode 100644 source4/rpc_server/common/sid_helper.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b2cca84b9c5..15f13761633 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=14
+SAMBA_VERSION_RELEASE=15
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 575ae48705f..40753b2b500 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,112 @@
+                   ===============================
+                   Release Notes for Samba 4.13.14
+                           November 9, 2021
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
+                  authentication.
+                  https://www.samba.org/samba/security/CVE-2016-2124.html
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+                  https://www.samba.org/samba/security/CVE-2020-25717.html
+                  (PLEASE READ! There are important behaviour changes described)
+
+o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
+                  by an RODC.
+                  https://www.samba.org/samba/security/CVE-2020-25718.html
+
+o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
+                  tickets.
+                  https://www.samba.org/samba/security/CVE-2020-25719.html
+
+o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
+                  (eg objectSid).
+                  https://www.samba.org/samba/security/CVE-2020-25721.html
+
+o CVE-2020-25722: Samba AD DC did not do suffienct access and conformance
+                  checking of data stored.
+                  https://www.samba.org/samba/security/CVE-2020-25722.html
+
+o CVE-2021-3738:  Use after free in Samba AD DC RPC server.
+                  https://www.samba.org/samba/security/CVE-2021-3738.html
+
+o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
+                  https://www.samba.org/samba/security/CVE-2021-23192.html
+
+
+Changes since 4.13.13
+---------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * CVE-2020-25722
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * CVE-2020-25718
+   * CVE-2020-25719
+   * CVE-2020-25721
+   * CVE-2020-25722
+
+o  Ralph Boehme <slow at samba.org>
+   * CVE-2020-25717
+
+o  Alexander Bokovoy <ab at samba.org>
+   * CVE-2020-25717
+
+o  Samuel Cabrero <scabrero at samba.org>
+   * CVE-2020-25717
+
+o  Nadezhda Ivanova <nivanova at symas.com>
+   * CVE-2020-25722
+
+o  Stefan Metzmacher <metze at samba.org>
+   * CVE-2016-2124
+   * CVE-2020-25717
+   * CVE-2020-25719
+   * CVE-2020-25722
+   * CVE-2021-23192
+   * CVE-2021-3738
+   * ldb: version 2.2.3
+
+o  Andreas Schneider <asn at samba.org>
+   * CVE-2020-25719
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * CVE-2020-17049
+   * CVE-2020-25718
+   * CVE-2020-25719
+   * CVE-2020-25721
+   * CVE-2020-25722
+   * MS CVE-2020-17049
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
                    ===============================
                    Release Notes for Samba 4.13.13
                           October 29, 2021
@@ -94,8 +203,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
                    ===============================
                    Release Notes for Samba 4.13.12
                          September 22, 2021
diff --git a/auth/auth_util.c b/auth/auth_util.c
index f3586f1fc1e..fe01babd107 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -26,26 +26,28 @@
 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 					    const struct auth_session_info *src)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
 	struct auth_session_info *dst;
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 
 	ndr_err = ndr_push_struct_blob(
 		&blob,
-		talloc_tos(),
+		frame,
 		src,
 		(ndr_push_flags_fn_t)ndr_push_auth_session_info);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
 	dst = talloc(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
-		TALLOC_FREE(blob.data);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
@@ -54,15 +56,16 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		dst,
 		dst,
 		(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
-	TALLOC_FREE(blob.data);
 
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
 			"failed: %s\n",
 			ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
+		TALLOC_FREE(frame);
 		return NULL;
 	}
 
+	TALLOC_FREE(frame);
 	return dst;
 }
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 8bee6f96c62..b6b65a56c75 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -90,7 +90,8 @@ class BindTests(samba.tests.TestCase):
         # this test to detect when the LDAP DN is being double-parsed
         # but must be in the user at realm style to allow the account to
         # be created
-        self.ldb.add_ldif("""
+        try:
+            self.ldb.add_ldif("""
 dn: """ + self.virtual_user_dn + """
 cn: frednurk@""" + self.realm + """
 displayName: Fred Nurk
@@ -103,13 +104,21 @@ objectClass: person
 objectClass: top
 objectClass: user
 """)
+        except LdbError as e:
+            (num, msg) = e.args
+            self.fail(f"Failed to create e-mail user: {msg}")
+
         self.addCleanup(delete_force, self.ldb, self.virtual_user_dn)
-        self.ldb.modify_ldif("""
+        try:
+            self.ldb.modify_ldif("""
 dn: """ + self.virtual_user_dn + """
 changetype: modify
 replace: unicodePwd
 unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
 """)
+        except LdbError as e:
+            (num, msg) = e.args
+            self.fail(f"Failed to set password on e-mail user: {msg}")
 
         self.ldb.enable_account('distinguishedName=%s' % self.virtual_user_dn)
 
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index e185acc0c20..694661b53b5 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -25,6 +25,8 @@
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
 #include "../lib/util/asn1.h"
+#include "param/param.h"
+#include "libds/common/roles.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
 	if (!pac_blob) {
-		if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
-			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
-				  principal_string));
-			return NT_STATUS_ACCESS_DENIED;
+		enum server_role server_role =
+			lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+		/*
+		 * For any domain setup (DC or member) we require having
+		 * a PAC, as the service ticket comes from an AD DC,
+		 * which will always provide a PAC, unless
+		 * UF_NO_AUTH_DATA_REQUIRED is configured for our
+		 * account, but that's just an invalid configuration,
+		 * the admin configured for us!
+		 *
+		 * As a legacy case, we still allow kerberos tickets from an MIT
+		 * realm, but only in standalone mode. In that mode we'll only
+		 * ever accept a kerberos authentication with a keytab file
+		 * being explicitly configured via the 'keytab method' option.
+		 */
+		if (server_role != ROLE_STANDALONE) {
+			DBG_WARNING("Unable to find PAC in ticket from %s, "
+				    "failing to allow access\n",
+				    principal_string);
+			return NT_STATUS_NO_IMPERSONATION_TOKEN;
 		}
 		DBG_NOTICE("Unable to find PAC for %s, resorting to local "
 			   "user lookup\n", principal_string);
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 001238278d7..939aa0ef4aa 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq)
 	struct gensec_security *gensec_security = state->gensec_security;
 	struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp;
 	struct auth4_context *auth_context = gensec_security->auth_context;
-	uint8_t authoritative = 0;
+	uint8_t authoritative = 1;
 	NTSTATUS status;
 
 	status = auth_context->check_ntlm_password_recv(subreq,
diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml
new file mode 100644
index 00000000000..46ae795d730
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mindomainuid.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="min domain uid"
+                 type="integer"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    The integer parameter specifies the minimum uid allowed when mapping a
+    local account to a domain account.
+  </para>
+
+  <para>
+    Note that this option interacts with the configured <emphasis>idmap ranges</emphasis>!
+  </para>
+</description>
+
+<value type="default">1000</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
index 9511c61c96d..b8b83a127b5 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,6 +78,13 @@
     url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
     HOWTO</ulink></para>
 
+    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
+
+    <para>This mode of operation runs Samba in a hybrid mode for IPA
+    domain controller, providing forest trust to Active Directory.
+    This role requires special configuration performed by IPA installers
+    and should not be used manually by any administrator.
+    </para>
 </description>
 
 <related>security</related>
diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
index 1374040fb29..f70f11df757 100644
--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
@@ -80,6 +80,9 @@
 		authoritative for a unix ID to SID mapping, so it must be set
 		for each individually configured domain and for the default
 		configuration. The configured ranges must be mutually disjoint.
+		</para>
+		<para>
+		Note that the low value interacts with the <smbconfoption name="min domain uid"/> option!
 		</para></listitem>
 		</varlistentry>
 
@@ -115,4 +118,5 @@
 	</programlisting>
 	
 </description>
+<related>min domain uid</related>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 006caabc092..d2f6e6241ad 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3079,6 +3079,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(
 		lp_ctx, "ldap max search request size", "256000");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "min domain uid",
+				  "1000");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 7a6bc770723..a78d1ab9cf3 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -42,6 +42,7 @@ static const struct srv_role_tab {
 	{ ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
 	{ ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
 	{ ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
+	{ ROLE_IPA_DC, "ROLE_IPA_DC"},
 	{ 0, NULL }
 };
 
@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
 	case ROLE_DOMAIN_PDC:
 	case ROLE_DOMAIN_BDC:
 	case ROLE_ACTIVE_DIRECTORY_DC:
+	case ROLE_IPA_DC:
 		if (security == SEC_USER) {
 			valid = true;
 		}
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 47b85de1f87..780252017d2 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -111,6 +111,7 @@ static const struct enum_list enum_server_role[] = {
 	{ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"},
 	{ROLE_ACTIVE_DIRECTORY_DC, "domain controller"},
 	{ROLE_ACTIVE_DIRECTORY_DC, "dc"},
+	{ROLE_IPA_DC, "IPA primary domain controller"},
 	{-1, NULL}
 };
 
diff --git a/lib/param/util.c b/lib/param/util.c
index cd8e74b9d8f..9a0fc102de8 100644
--- a/lib/param/util.c
+++ b/lib/param/util.c
@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx)
 	case ROLE_DOMAIN_BDC:
 	case ROLE_DOMAIN_PDC:
 	case ROLE_ACTIVE_DIRECTORY_DC:
+	case ROLE_IPA_DC:
 		return lpcfg_workgroup(lp_ctx);
 	default:
 		return lpcfg_netbios_name(lp_ctx);
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 2a6a7468e45..24ab68fac1e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -30,7 +30,15 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
 
 bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
         source='netlogon_creds_cli.c',
-        deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
+        deps='''
+        dbwrap
+        util_tdb
+        tevent-util
+        samba-hostconfig
+        gensec
+        RPC_NDR_NETLOGON
+        NDR_NETLOGON
+        '''
         )
 
 bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index 239503e85b6..59af460dc4e 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
 		if (ndr->offset < ndr->data_size) {
 			TALLOC_FREE(ndr);
 			/*
-			 * We need to handle a bug in FreeIPA (at least <= 4.1.2).
+			 * We need to handle a bug in IPA (at least <= 4.1.2).
 			 *
 			 * They include the ip address information without setting
 			 * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
diff --git a/libds/common/flag_mapping.c b/libds/common/flag_mapping.c
index ddc8ec5c198..020922db659 100644
--- a/libds/common/flag_mapping.c
+++ b/libds/common/flag_mapping.c
@@ -164,3 +164,53 @@ uint32_t ds_uf2prim_group_rid(uint32_t uf)
 
 	return prim_group_rid;
 }
+
+#define FLAG(x) { .name = #x, .uf = x }
+struct {
+	const char *name;
+	uint32_t uf;
+} user_account_control_name_map[] = {
+	FLAG(UF_SCRIPT),
+	FLAG(UF_ACCOUNTDISABLE),
+	FLAG(UF_00000004),
+	FLAG(UF_HOMEDIR_REQUIRED),
+	FLAG(UF_LOCKOUT),
+	FLAG(UF_PASSWD_NOTREQD),
+	FLAG(UF_PASSWD_CANT_CHANGE),
+	FLAG(UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED),
+
+	FLAG(UF_TEMP_DUPLICATE_ACCOUNT),
+	FLAG(UF_NORMAL_ACCOUNT),
+	FLAG(UF_00000400),
+	FLAG(UF_INTERDOMAIN_TRUST_ACCOUNT),
+
+	FLAG(UF_WORKSTATION_TRUST_ACCOUNT),
+	FLAG(UF_SERVER_TRUST_ACCOUNT),
+	FLAG(UF_00004000),
+	FLAG(UF_00008000),
+
+	FLAG(UF_DONT_EXPIRE_PASSWD),
+	FLAG(UF_MNS_LOGON_ACCOUNT),
+	FLAG(UF_SMARTCARD_REQUIRED),
+	FLAG(UF_TRUSTED_FOR_DELEGATION),
+
+	FLAG(UF_NOT_DELEGATED),
+	FLAG(UF_USE_DES_KEY_ONLY),
+	FLAG(UF_DONT_REQUIRE_PREAUTH),
+	FLAG(UF_PASSWORD_EXPIRED),
+	FLAG(UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
+	FLAG(UF_NO_AUTH_DATA_REQUIRED),
+	FLAG(UF_PARTIAL_SECRETS_ACCOUNT),
+	FLAG(UF_USE_AES_KEYS)
+};
+
+const char *dsdb_user_account_control_flag_bit_to_string(uint32_t uf)
+{
+	int i;
+	for (i=0; i < ARRAY_SIZE(user_account_control_name_map); i++) {
+		if (uf == user_account_control_name_map[i].uf) {
+			return user_account_control_name_map[i].name;
+		}
+	}
+	return NULL;


-- 
Samba Shared Repository

