[SCM] Samba Shared Repository - annotated tag samba-4.14.8 created

Jule Anger janger at samba.org
Tue Oct 5 13:17:54 UTC 2021

The annotated tag, samba-4.14.8 has been created
        at  b88740df312f4fcbd650dcb950ce61b4095170b7 (tag)
   tagging  d1c9330fa69ba6942ab23843e21acc11767d54ee (commit)
  replaces  samba-4.14.7
 tagged by  Jule Anger
        on  Tue Oct 5 15:17:24 2021 +0200

- Log -----------------------------------------------------------------
samba: tag release samba-4.14.8


Andreas Schneider (3):
      selftest: Re-format long lines in selftesthelpers.py
      selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
      selftest: Add support for setting ENV variables in plantestsuite()

Andrew Bartlett (12):
      selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
      selftest: Only run samba_tool_drs_showrepl test once
      dsdb: Be careful to avoid use of the expensive talloc_is_parent()
      selftest: Add a test for LookupSids3 and LookupNames4 in python
      s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
      selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
      selftest: add space after --list in output of selftesthelpers.py
      selftest: Remove knownfail for no_etypes FAST tests
      tests/krb5: Remove harmful and a-typical return in as_req testcase
      tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
      autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
      samldb: Address birthday paradox adding an RODC

Gary Lockyer (2):
      tests python krb5: MS-KILE client principal look-up
      initial FAST tests

Jeremy Allison (6):
      s3: smbd: Ensure all returns from OpenDir() correctly set errno.
      s3: smbd: Fix smbd crash on dangling symlink with posix connection calling several non-posix info levels.
      s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
      s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
      s3: smbd: Add fifo test for the DISABLE_OPATH case.
      s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.

Joseph Sutton (123):
      auth:creds: Remove unused variable
      auth:creds: Fix parameter in creds.set_named_ccache()
      pygensec: Fix method documentation
      Revert "s4-test: fixed ndrdump test for top level build"
      krb5ccache.idl: Add definition for a Kerberos credentials cache
      librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
      krb5: Add Python functions to create a credentials cache containing a service ticket
      python: Add credentials cache test
      python: Add LDAP credentials cache test
      python: Add RPC credentials cache test
      Revert "libsmb: Use sid_parse()"
      libsmb: Remove overflow check
      libsmb: Avoid undefined behaviour when parsing whoami state
      libsmb: Check to see that whoami is not receiving more data than it requested
      libsmb: Ensure that whoami parses all the data provided to it
      pylibsmb: Add posix_whoami()
      python: Add SMB credentials cache test
      python: Ensure reference counts are properly incremented
      python: Fix erroneous increments of reference counts
      python: Fix ticket timestamp conversion when local timezone is not UTC
      python: Make credentials cache test run against Windows
      tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
      tests/krb5/raw_testcase.py: Add get_admin_creds()
      tests/krb5/kdc_base_test.py: Create database connection only when needed
      tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
      tests/krb5/kdc_base_test.py: Create loadparm only when needed
      tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
      tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
      tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
      tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
      tests/krb5/raw_testcase.py: Cache obtained credentials
      tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
      tests/krb5/raw_testcase.py: Simplify conditionals
      tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
      tests/krb5/as_req_tests.py: Automatically obtain credentials
      tests/krb5/as_req_tests.py: Check the client kvno
      tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
      tests/krb5: Deduplicate 'host' attribute initialisation
      tests/krb5/as_canonicalization_tests.py: Refactor account creation
      tests/krb5: Use admin creds for SamDB rather than user creds
      s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
      pygensec: Fix memory leaks
      pygensec: Don't modify Python bytes objects
      tests/krb5: Fix ms_kile_client_principal_lookup_test errors
      tests/krb5: Fix comment typo
      tests/krb5: Fix method name typo
      tests/krb5: formatting
      tests/krb5: Remove unneeded statements
      tests/krb5: Use more compact dict lookup
      tests/krb5: Simplify Python syntax
      tests/krb5: Remove magic constants
      tests/krb5: Fix including enc-authorization-data
      tests/krb5: Fix callback_dict parameter
      tests/krb5: Fix encpart_decryption_key with MIT KDC
      tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
      tests/krb5: Check Kerberos protocol version number
      tests/krb5: Use credentials kvno when creating password key
      tests/krb5: Allow cf2 to automatically use the enctype of the first key
      tests/krb5: Refactor get_pa_data()
      tests/krb5: Add get_enc_timestamp_pa_data_from_key()
      tests/krb5: Add method to return dict containing padata elements
      tests/krb5: Make _test_as_exchange() return value more consistent
      tests/krb5: Add get_EpochFromKerberosTime()
      tests/krb5: Use encryption with admin credentials
      tests/krb5: Allow specifying additional details when creating an account
      tests/krb5: Add more methods for obtaining machine and service credentials
      tests/krb5: Add method to calculate account salt
      tests/krb5: Add check_reply() method to check for AS or TGS reply
      tests/krb5: Always specify expected error code
      tests/krb5: Include kdc_options in kdc_exchange_dict
      tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
      tests/krb5: Ensure in assertElementPresent() that container elements are not empty
      tests/krb5: Assert that more variables are not None
      tests/krb5: Check version number of obtained ticket
      tests/krb5: Make checking less strict
      tests/krb5: Check nonce in EncKDCRepPart
      tests/krb5: Add generate_ap_req() method
      tests/krb5: Ensure generated padata is not None
      tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
      tests/krb5: Add more ASN1 definitions for FAST
      tests/krb5: Add more methods to create ASN1 objects for FAST
      tests/krb5: Add method to generate FAST encrypted challenge padata
      tests/krb5: Add methods to calculate keys for FAST
      tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
      tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
      tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
      tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
      tests/krb5: Allow specifying parameters specific to the outer request body
      tests/krb5: Add method to check PA-FX-FAST-REPLY
      tests/krb5: Add method to verify ticket checksum for FAST
      tests/krb5: Check FAST response
      tests/krb5: Add functions to get dicts of request padata
      tests/krb5: Add methods to determine whether elements were included in the request
      tests/krb5: Check encrypted-pa-data
      tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
      tests/krb5: Include authdata in kdc_exchange_dict
      tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
      tests/krb5: Add check_rep_padata() method to check padata in reply
      tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
      tests/krb5: Remove unused variables
      tests/krb5: Add get_krbtgt_sname() method
      tests/krb5: Check sname is krbtgt for FAST generic error
      tests/krb5: Check reply FAST padata if request included FAST
      tests/krb5: Adjust reply padata checking depending on whether FAST was sent
      tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
      tests/krb5: Check PADATA-FX-COOKIE in reply
      tests/krb5: Make check_rep_padata() also work for checking TGS replies
      tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
      tests/krb5: Check PADATA-PAC-OPTIONS in reply
      tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
      tests/krb5: Check PADATA-FX-ERROR in reply
      tests/krb5: Add FAST tests
      tests/krb5: Make e-data checking less strict
      tests/krb5: Make cname checking less strict
      CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
      tests/krb5: Check e-data element for TGS-REP errors without FAST
      tests/krb5: Check PADATA-PW-SALT element in e-data
      tests/krb5: Add tests for omitting sname in request
      tests/krb5: Allow specifying parameters specific to the inner FAST request body
      tests/krb5: Allow expected_error_mode to be a container type
      pytest:segfault: Add test for ldb.msg_diff()
      ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
      pyldb: Avoid use-after-free in msg_diff()

Jule Anger (3):
      VERSION: Bump version up to 4.14.8...
      WHATSNEW: Add release notes for Samba 4.14.8.
      VERSION: Disable GIT_SNAPSHOT for the 4.14.8 release.

Luke Howard (2):
      CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
      kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field

Martin Schwenke (19):
      ctdb-recoverd: Add a helper variable
      ctdb-recoverd: Update the local node map before pushing out flags
      ctdb-recoverd: Push flags for a node if any remote node disagrees
      ctdb-protocol: Add new controls to disable and enable nodes
      ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
      ctdb-daemon: Add a helper variable
      ctdb-daemon: Factor out a function to get node structure from PNN
      ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
      ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
      ctdb-client: Add client code for disable/enable controls
      ctdb-tools: Use disable and enable controls in tool
      ctdb-daemon: Correct the condition for logging unchanged flags
      ctdb-daemon: Update logging for flag changes
      ctdb-daemon: Modernise remaining debug macro in this function
      ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
      ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
      ctdb-daemon: Simplify ctdb_control_modflags()
      ctdb-daemon: Ignore flag changes for disconnected nodes
      ctdb-daemon: Don't mark a node as unhealthy when connecting to it

Ralph Boehme (13):
      selftest: add a test for the "deadtime" parameter
      s3/rpc_server: track the number of policy handles with a talloc destructor
      s3/lib/dbwrap: check if global_messaging_context() succeeded
      registry: check for running as root in clustering mode
      vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
      vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
      vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
      vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
      vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
      vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
      winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
      winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
      vfs_btrfs: fix btrfs_fget_compression()

Stefan Metzmacher (17):
      vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
      auth/credentials: allow credentials.Credentials to act as base class
      Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
      tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
      tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
      tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
      tests/krb5/raw_testcase.py: add assertElement*()
      tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
      tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
      tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
      tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
      tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
      tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
      tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
      tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
      selftest: run new as_req_tests against fl2008r2dc and fl2003dc
      tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test

Volker Lendecke (1):
      librpc: Add py_descriptor_richcmp() equality function


Samba Shared Repository

More information about the samba-cvs mailing list