[SCM] Samba Shared Repository - annotated tag ldb-2.4.1 created
Stefan Metzmacher
metze at samba.org
Wed Oct 27 11:20:16 UTC 2021
The annotated tag, ldb-2.4.1 has been created
at dd3f1a38d3836348f0d409429742ac14a2066237 (tag)
tagging a795e0c84597aa045d011e663dbad3cdabf0f1e6 (commit)
replaces samba-4.15.0
tagged by Stefan Metzmacher
on Wed Oct 27 13:20:09 2021 +0200
- Log -----------------------------------------------------------------
ldb: tag release ldb-2.4.1
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEkUejOXGVGO6QEby1R5ORYRMIQCUFAmF5NekACgkQR5ORYRMI
QCU1qggAr6napVnbmKReHpm1viIPigOlZReiU2sEe86+rHWcoM4Gd1k1lI35tMt6
iJI03Di4M3uhCMl+mqqngtJaqh0XDUgxAis8gj+b2mF7D0VkkO3VND6GGK/DgPXh
YRlgctBiGJ5G8cwuqdhY9KPQ6U8Z+WTl5Qvf4M4irCiZ854RNFc6GbgemQt7t/c8
BLvFnuXcR2jE1LD4SlS9hvCvSeCvDDvLNdZYRwWLTiLivOlSMfbb0hMcsjRmugX2
zZyoW6uUswuutXEDSvEPAhf4ocVdrLr/HVnZv/5WvY6NE7qrPFBVtfz7q5heiKQJ
v1oh5twnq+v2LgS8FU3jydAqHFD7TQ==
=fxZP
-----END PGP SIGNATURE-----
Alex Richardson (7):
charset_macosxfs.c: fix compilation on macOS
audit_logging.c: fix compilation on macOS
source3/printing/queue_process.c: fix build on macOS
sec_ctx.c: Fix -Wunused-function warning on macOS
source3/smbd/statcache.c: Fix -Wformat build error on macOS
vfs_preopen.c: Fix -Wformat error on macOS
Fix detection of rpc/xdr.h on macOS
Andreas Schneider (1):
waf: Allow building with MIT KRB5 >= 1.20
Andrew Bartlett (16):
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
samldb: Address birthday paradox adding an RODC
.gitlab-ci: Allow a 1 hour to build Samba
.gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
.gitlab-ci.yml: Restore building most of our jobs
.gitlab-ci: Avoid duplicate CI on all merge requests
gitlab-ci: Do not retry for job_execution_timeout
gitlab-ci: Do not download artifacts of unrelated builds
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
selftest: Remove duplicate setup of $base_dn and $ldbmodify
selftest: Improve error handling and perl style when setting up users in Samba4.pm
dsdb: Allow special chars like "@" in samAccountName when generating the salt
lib/krb5_wrap: Fix missing error check in new salt code
Release ldb 2.4.1
Douglas Bagnall (3):
pytest/rodc_rwdc: try to avoid race.
pytest: dynamic tests optionally add __doc__
pytest: s3_net_join: avoid name clash
Isaac Boukris (4):
kdc: remove KRB5SignedPath, to be replaced with PAC
kdc: sign ticket using Windows PAC
krb5: allow NULL parameter to krb5_pac_free()
krb5: rework PAC validation loop
Jeremy Allison (4):
s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
s3: smbd: Ensure when we change security context we delete any $cwd cache.
s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
s3: smbspool. Remove last use of 'extern char **environ;'.
Joseph Sutton (152):
pytest:segfault: Add test for ldb.msg_diff()
ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
pyldb: Avoid use-after-free in msg_diff()
heimdal:kdc: Only check for default salt for des-cbc-crc enctype
krb5pac.idl: Add ticket checksum PAC buffer type
security.idl: Add well-known SIDs for FAST
tests/krb5: Calculate expected salt if not given explicitly
tests/krb5: Add methods to obtain the length of checksum types
tests/krb5: Use signed integers to represent key version numbers in ASN.1
tests/krb5: Add KDCOptions flag for constrained delegation
tests/krb5: Use more compact dict lookup
tests/krb5: Replace expected_cname_private with expected_anon parameter
tests/krb5: Allow specifying an OU to create accounts in
tests/krb5: Allow specifying additional User Account Control flags for account
tests/krb5: Keep track of account DN in credentials object
tests/krb5: Move padata generation methods to base class
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
tests/krb5: Don't create PAC request manually in as_req_tests
tests/krb5: Don't create PAC request or options manually in fast_tests
tests/krb5: Remove magic constants
tests/krb5: Allow specifying ticket flags expected to be set or reset
tests/krb5: Make time assertion less strict
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
tests/krb5: Check for presence of 'renew-till' element
tests/krb5: Check 'caddr' element
tests/krb5: Check for presence of 'key-expiration' element
tests/krb5: Create testing accounts in appropriate containers
tests/krb5: Allow specifying status code to be checked
tests/krb5: Get expected cname from TGT for TGS-REQ messages
tests/krb5: Get encpart decryption key from kdc_exchange_dict
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
tests/krb5: Generate padata for FAST tests
tests/krb5: Sign-extend kvno from 32-bit integer
tests/krb5: Add method to get RODC krbtgt credentials
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
tests/krb5: Allow replicating accounts to the RODC
tests/krb5: Create RODC account for testing
tests/krb5: Allow replicating accounts to the created RODC
python: Don't leak file handles
python/join: Check for correct msDS-KrbTgtLink attribute
tests/krb5: Add helper method for modifying PACs
tests/krb5: Check correct flags element
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
tests/krb5: Allow tgs_req() to send additional padata
tests/krb5: Allow tgs_req() to specify different kdc-options
tests/krb5: Allow tgs_req() to send requests to the RODC
tests/krb5: Allow as_req() to specify different kdc-options
tests/krb5: Use PAC buffer type constants from krb5pac.idl
tests/krb5: Don't manually create PAC request and options in fast_tests
tests/krb5: Set DN of created accounts to ldb.Dn type
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
tests/krb5: Allow get_tgt() to get tickets from the RODC
tests/krb5: Allow get_tgt() to specify different kdc-options
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
tests/krb5: Cache obtained tickets
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
tests/krb5: Add method to verify ticket PAC checksums
tests/krb5: Add method for modifying a ticket and creating PAC checksums
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
tests/krb5: Make get_default_enctypes() return a set of enctype constants
tests/krb5: Add methods to convert between enctypes and bitfields
tests/krb5: Get supported enctypes for credentials from database
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
tests/krb5: Set key version number for all accounts created with create_account()
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
tests/krb5: Add method to get DC credentials
tests/krb5: Fix checking for presence of authorization data
tests/krb5: Provide ticket enc-part key to tgs_req()
tests/krb5: Simplify account creation
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
tests/krb5: Verify checksums of tickets obtained from the KDC
tests/krb5: Add method to determine if principal is krbtgt
tests/krb5: Add classes for testing invalid checksums
.gitlab-ci: Increase build timeout
tests/krb5: Rename method parameter
tests/krb5: Remove unused parameter
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
tests/krb5: Fix PA-PAC-OPTIONS checking
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
tests/krb5: Allow created accounts to use resource-based constrained delegation
tests/krb5: Add assertion to make failures clearer
tests/krb5: Introduce helper method for creating invalid length checksums
tests/krb5: Fix method for creating invalid length zeroed checksum
tests/krb5: Fix checksum generation and verification
tests/krb5: Allow excluding the PAC server checksum
tests/krb5: Fix handling authdata with missing PAC
tests/krb5: Fix status code checking
tests/krb5: Make expected_sname checking more explicit
tests/krb5: Fix assertElementFlags()
tests/krb5: Remove unneeded parameters from ticket cache key
tests/krb5: Fix checking for presence of error data
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
tests/krb5: Check constrained delegation PAC buffer
tests/krb5: Save account SPN
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
tests/krb5: Supply supported account enctypes in tgs_req()
tests/krb5: Add parameter to enforce presence of ticket checksums
tests/krb5: Add compatability tests for ticket checksums
tests/krb5: Use correct principal name type
tests/krb5: Clarify checksum type assertion message
tests/krb5: Fix padata checking at functional level 2003
tests/krb5: Add environment variable to specify KDC FAST support
tests/krb5: Check padata types when STRICT_CHECKING=0
tests/krb5: Check logon name in PAC
tests/krb5: Simplify padata checking
tests/krb5: Disable debugging output for tests
tests/krb5: Provide clearer assertion messages for test failures
tests/krb5: Fix sha1 checksum type
selftest/dbcheck: Fix up RODC one-way links
tests/krb5: Add TKT_SIG_SUPPORT environment variable
tests/krb5: Require ticket checksums if decryption key is available
tests/krb5: Verify tickets obtained with get_service_ticket()
tests/krb5: Add constrained delegation tests
tests/krb5: Don't include empty AD-IF-RELEVANT
tests/krb5: Allow bypassing cache when creating accounts
tests/krb5: Fix duplicate account creation
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
s4:kdc: Fix debugging messages
s4/torture: Expect ticket checksum PAC buffer
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
s4:kdc: Check ticket signature
heimdal:kdc: Fix ticket signing without a PAC
tests/krb5: Allow get_tgt() to request including or omitting a PAC
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
tests/krb5: Add method to get the PAC from a ticket
tests/krb5: Add tests for requesting a service ticket without a PAC
tests/krb5: Ensure PAC is not present if expect_pac is false
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
selftest: Increase account lockout windows to make test more realiable
selftest: krb5 account creation: clarify account type as an enum
tests/krb5: Decrease length of test account prefix
tests/krb5: Allow specifying prefix or suffix for test account names
tests/krb5: Allow creating machine accounts without a trailing dollar
tests/krb5: Allow specifying the UPN for test accounts
tests/krb5: Fix account salt calculation to match Windows
tests/krb5: Add tests for account salt calculation
Fix Python docstrings
pytest:segfault: Add test for deleting an ldb.Message dn
pyldb: Fix deleting an ldb.Message dn
pytest:segfault: Add test for deleting an ldb.Control critical flag
pyldb: Fix deleting an ldb.Control critical flag
s4/torture/drs/python: Fix attribute existence check
pyldb: Add test for an invalid ldb.Message index type
pyldb: Raise TypeError for an invalid ldb.Message index
pyldb: Add tests for ldb.Message containment testing
pyldb: Make ldb.Message containment testing consistent with indexing
Jule Anger (1):
Bump version up to Samba 4.15.1...
Luke Howard (4):
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
kdc: use ticket client name when signing PAC
kdc: correctly generate PAC TGS signature
Martin Schwenke (1):
ctdb-tests: Fix typo in ctdb stub comment matching
Nicolas Williams (1):
krb5: Fix PAC signature leak affecting KDC
Pavel Filipenský (2):
s3:winbindd: Fix winbindd child logfile name handling
docs-xml: Update winbindd(8) manpage
Ralph Boehme (2):
ctdb-scripts: filter out comments in public_addresses file
ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
Stefan Metzmacher (3):
libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
selftest/Samba3: remove unused close(USERMAP); calls
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
Viktor Dukhovni (1):
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Volker Lendecke (1):
debug: Remove "override_logfile"
-----------------------------------------------------------------------
--
Samba Shared Repository
More information about the samba-cvs
mailing list