[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Wed Oct 27 12:57:05 UTC 2021
The branch, v4-15-stable has been updated
via 5850ae94ba6 VERSION: Disable GIT_SNAPSHOT for the 4.15.1 release.
via 3caf4af915a WHATSNEW: Add release notes for Samba 4.15.1.
via a795e0c8459 Release ldb 2.4.1
via 9e2da222f7f pyldb: Make ldb.Message containment testing consistent with indexing
via b4601d0db20 pyldb: Add tests for ldb.Message containment testing
via 2311987af25 pyldb: Raise TypeError for an invalid ldb.Message index
via bef676475fe pyldb: Add test for an invalid ldb.Message index type
via ba4032b73a4 s4/torture/drs/python: Fix attribute existence check
via d32f732c796 pyldb: Fix deleting an ldb.Control critical flag
via 3b6c8bd55b3 pytest:segfault: Add test for deleting an ldb.Control critical flag
via 6db664a07da pyldb: Fix deleting an ldb.Message dn
via f4ca03b0cc2 pytest:segfault: Add test for deleting an ldb.Message dn
via 34d50f415ae Fix Python docstrings
via 753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code
via c72b210cdca dsdb: Allow special chars like "@" in samAccountName when generating the salt
via b1dbaecb2ec tests/krb5: Add tests for account salt calculation
via 798ac7ff1ba tests/krb5: Fix account salt calculation to match Windows
via fcd11a480e7 tests/krb5: Allow specifying the UPN for test accounts
via 8c0296c8956 tests/krb5: Allow creating machine accounts without a trailing dollar
via 4cedeb32538 tests/krb5: Allow specifying prefix or suffix for test account names
via cd1b3cbce50 tests/krb5: Decrease length of test account prefix
via 3affd02a83a selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 057e6d872db selftest/Samba3: remove unused close(USERMAP); calls
via f901e3dc08c waf: Allow building with MIT KRB5 >= 1.20
via 28630a31be8 selftest: Improve error handling and perl style when setting up users in Samba4.pm
via cd04ce50ac3 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 175dde8ab48 pytest: s3_net_join: avoid name clash
via 63e688099b4 selftest: krb5 account creation: clarify account type as an enum
via c4b15874037 pytest: dynamic tests optionally add __doc__
via e17d54554c9 selftest: Increase account lockout windows to make test more reliable
via 140ec12e25e pytest/rodc_rwdc: try to avoid race.
via dc768d84f02 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via a7dcff14bdd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via 54d9b9e0406 tests/krb5: Ensure PAC is not present if expect_pac is false
via 19e770f04ea kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 30b2a47af03 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via ce53ffc660e tests/krb5: Add tests for requesting a service ticket without a PAC
via 3f89f5d3e09 tests/krb5: Add method to get the PAC from a ticket
via 3c2cf8200d2 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 34e3b8e09f4 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via bab70b995a1 heimdal:kdc: Fix ticket signing without a PAC
via af42d3fa44c selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via 9a25efd54aa gitlab-ci: Do not download artifacts of unrelated builds
via 64f81e2e589 gitlab-ci: Do not retry for job_execution_timeout
via 2cf612f8096 krb5: Fix PAC signature leak affecting KDC
via 276820695a9 s4:kdc: Check ticket signature
via 1d764175725 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via 03ababc0de6 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via e735b36fcc1 kdc: correctly generate PAC TGS signature
via 329054bc433 kdc: use ticket client name when signing PAC
via 4cdcbc761c3 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 7df64eb0189 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via 764c7d74090 krb5: rework PAC validation loop
via 060abb2f1b4 krb5: allow NULL parameter to krb5_pac_free()
via 4b2890412c9 kdc: sign ticket using Windows PAC
via 79278289cf3 kdc: remove KRB5SignedPath, to be replaced with PAC
via 2e20aefce2c s4/torture: Expect ticket checksum PAC buffer
via 8ba2b8aef8a s4:kdc: Fix debugging messages
via 9edf3d6d810 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via d8871802eb2 tests/krb5: Fix duplicate account creation
via 7b8d569aefc tests/krb5: Allow bypassing cache when creating accounts
via f90bc484f49 tests/krb5: Don't include empty AD-IF-RELEVANT
via bc71b3c179d tests/krb5: Add constrained delegation tests
via 571991a319c tests/krb5: Verify tickets obtained with get_service_ticket()
via 6b5a223e42f tests/krb5: Require ticket checksums if decryption key is available
via 904e0855c86 tests/krb5: Add TKT_SIG_SUPPORT environment variable
via f7e487fc4d0 selftest/dbcheck: Fix up RODC one-way links
via 5284920767d tests/krb5: Fix sha1 checksum type
via e7f75340b62 tests/krb5: Provide clearer assertion messages for test failures
via 25895e26fc4 tests/krb5: Disable debugging output for tests
via 41e4c3a8ae1 tests/krb5: Simplify padata checking
via 5f07249a6b8 tests/krb5: Check logon name in PAC
via c2a5111e71f tests/krb5: Check padata types when STRICT_CHECKING=0
via cdef6a8416c tests/krb5: Add environment variable to specify KDC FAST support
via 0f4886d4db2 tests/krb5: Fix padata checking at functional level 2003
via 7b44f8db99d tests/krb5: Clarify checksum type assertion message
via fe35ca21cfc tests/krb5: Use correct principal name type
via 5fca67c7188 tests/krb5: Add compatibility tests for ticket checksums
via 53d4a46fcd2 tests/krb5: Add parameter to enforce presence of ticket checksums
via 41cbe50ac93 tests/krb5: Supply supported account enctypes in tgs_req()
via ea64b0fde2f tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via e35ae2d57d8 tests/krb5: Save account SPN
via d4404ecb951 tests/krb5: Check constrained delegation PAC buffer
via 5a43b4ec548 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via eea7988e67f tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 4955aacc2ea tests/krb5: Fix checking for presence of error data
via 768e7ec7734 tests/krb5: Remove unneeded parameters from ticket cache key
via 71b3142aba7 tests/krb5: Fix assertElementFlags()
via c4580eb131b tests/krb5: Make expected_sname checking more explicit
via 97be9339ca2 tests/krb5: Fix status code checking
via e7dbc8e26e6 tests/krb5: Fix handling authdata with missing PAC
via 7cb8c699284 tests/krb5: Allow excluding the PAC server checksum
via ae1bada6c1b tests/krb5: Fix checksum generation and verification
via b09fd767916 tests/krb5: Fix method for creating invalid length zeroed checksum
via fccb0a6ecbc tests/krb5: Introduce helper method for creating invalid length checksums
via db559680c42 tests/krb5: Add assertion to make failures clearer
via bfccdc3827f tests/krb5: Allow created accounts to use resource-based constrained delegation
via e6eca4a04ee tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via 825aef9f8c7 tests/krb5: Fix PA-PAC-OPTIONS checking
via e669b561b8b tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 9b781f1ca03 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via eaf9f8d9ebe tests/krb5: Remove unused parameter
via a1228650b68 tests/krb5: Rename method parameter
via 1c1c1a04991 .gitlab-ci: Avoid duplicate CI on all merge requests
via 60419689f3e .gitlab-ci.yml: Restore building most of our jobs
via 2c36f7c67ed .gitlab-ci: Increase build timeout
via 44ad4dc8b77 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
via aa08c5cfbf7 tests/krb5: Add classes for testing invalid checksums
via 2988bc51788 tests/krb5: Add method to determine if principal is krbtgt
via 5ec45f3068a tests/krb5: Verify checksums of tickets obtained from the KDC
via 6270587045f tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 50a5116cff2 tests/krb5: Simplify account creation
via 7dba3ae4b59 tests/krb5: Provide ticket enc-part key to tgs_req()
via 2ef8022937f tests/krb5: Fix checking for presence of authorization data
via 3787c21f2b7 tests/krb5: Add method to get DC credentials
via 8eda339691a tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 0da5e1029ec tests/krb5: Set key version number for all accounts created with create_account()
via 8ff67351802 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 2bfcb3f6b00 tests/krb5: Get supported enctypes for credentials from database
via 320847972df tests/krb5: Add methods to convert between enctypes and bitfields
via 73f27f9ddb0 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via 8ab6d2f0bdd tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via 53b793b9e7c tests/krb5: Add method for modifying a ticket and creating PAC checksums
via eed5b13f4af tests/krb5: Add method to verify ticket PAC checksums
via 6fe3f55476b tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via f817cbc6815 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via 182bf696e32 tests/krb5: Cache obtained tickets
via 0cad7ba2032 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via 5125f9c1a1b tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via 1e44488b58d tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via cfb16b40c74 tests/krb5: Allow get_tgt() to specify different kdc-options
via 3022340bf22 tests/krb5: Allow get_tgt() to get tickets from the RODC
via 8416eb2a884 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via ca0123d86a4 tests/krb5: Set DN of created accounts to ldb.Dn type
via 56a567be0e4 tests/krb5: Don't manually create PAC request and options in fast_tests
via 278eff6115f tests/krb5: Use PAC buffer type constants from krb5pac.idl
via c8a724118e6 tests/krb5: Allow as_req() to specify different kdc-options
via 3c77ef9dbb5 tests/krb5: Allow tgs_req() to send requests to the RODC
via 063f1cbdbe7 tests/krb5: Allow tgs_req() to specify different kdc-options
via e4b278566af tests/krb5: Allow tgs_req() to send additional padata
via 3e3d205df7c tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via cba0b1a6c48 tests/krb5: Check correct flags element
via 159d451d817 tests/krb5: Add helper method for modifying PACs
via 77227799d98 python/join: Check for correct msDS-KrbTgtLink attribute
via c8bb7750c86 python: Don't leak file handles
via 7b6a5c97092 tests/krb5: Allow replicating accounts to the created RODC
via f2d6361dc33 tests/krb5: Create RODC account for testing
via b0339d5a1a8 tests/krb5: Allow replicating accounts to the RODC
via d413e7d79a3 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 56f49f117bf tests/krb5: Add method to get RODC krbtgt credentials
via f730c68834c tests/krb5: Sign-extend kvno from 32-bit integer
via 2af3293f67d tests/krb5: Generate padata for FAST tests
via 1d2d30748a9 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via f44a5b984b7 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via 336725dc79f tests/krb5: Get expected cname from TGT for TGS-REQ messages
via bc7bdc5b7e0 tests/krb5: Allow specifying status code to be checked
via 01b16673af8 tests/krb5: Create testing accounts in appropriate containers
via 2bf5265847d tests/krb5: Check for presence of 'key-expiration' element
via 6f04bd793ec tests/krb5: Check 'caddr' element
via 9ff47e13441 tests/krb5: Check for presence of 'renew-till' element
via a1face49c70 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 5a546788f45 tests/krb5: Make time assertion less strict
via 22e1b694879 tests/krb5: Allow specifying ticket flags expected to be set or reset
via 53336347494 tests/krb5: Remove magic constants
via 6bf8e3cb537 tests/krb5: Don't create PAC request or options manually in fast_tests
via 2c1a8950b5e tests/krb5: Don't create PAC request manually in as_req_tests
via f6c3497e9f9 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via 138ac8a3a70 tests/krb5: Move padata generation methods to base class
via ebecaf715d3 tests/krb5: Keep track of account DN in credentials object
via b8485a79791 tests/krb5: Allow specifying additional User Account Control flags for account
via 4f47721d599 tests/krb5: Allow specifying an OU to create accounts in
via dda665b918b tests/krb5: Replace expected_cname_private with expected_anon parameter
via 31e990533c1 tests/krb5: Use more compact dict lookup
via 6df25780147 tests/krb5: Add KDCOptions flag for constrained delegation
via c625e16ffa6 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via 7bb3ac920f9 tests/krb5: Add methods to obtain the length of checksum types
via a08b603d822 tests/krb5: Calculate expected salt if not given explicitly
via 487b57cd34e security.idl: Add well-known SIDs for FAST
via aef886c7787 krb5pac.idl: Add ticket checksum PAC buffer type
via be8fb0218af heimdal:kdc: Only check for default salt for des-cbc-crc enctype
via cb768d624eb libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
via b299897ab58 docs-xml: Update winbindd(8) manpage
via b8c8c2017db s3:winbindd: Fix winbindd child logfile name handling
via 9257b637f14 debug: Remove "override_logfile"
via 57ffd32d455 s3: smbspool. Remove last use of 'extern char **environ;'.
via d3b3aa9e19f Fix detection of rpc/xdr.h on macOS
via 0d59b1fb326 vfs_preopen.c: Fix -Wformat error on macOS
via 3ded98767d3 source3/smbd/statcache.c: Fix -Wformat build error on macOS
via 4c89d9169a4 sec_ctx.c: Fix -Wunused-function warning on macOS
via 0daa3af7042 source3/printing/queue_process.c: fix build on macOS
via 80e9d89a97b audit_logging.c: fix compilation on macOS
via 448f2acdcea charset_macosxfs.c: fix compilation on macOS
via d3df31162f0 ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
via 63a3b7838e1 ctdb-tests: Fix typo in ctdb stub comment matching
via 36621069e26 ctdb-scripts: filter out comments in public_addresses file
via dffca59ded1 s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
via f2455a9023c s3: smbd: Ensure when we change security context we delete any $cwd cache.
via a55d4fe2208 s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
via 86738410826 .gitlab-ci: Allow a 1 hour to build Samba
via c9514648060 samldb: Address birthday paradox adding an RODC
via eb28bd54ac5 pyldb: Avoid use-after-free in msg_diff()
via e52ddfbe572 ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
via db294baff36 pytest:segfault: Add test for ldb.msg_diff()
via 4b1e8535610 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
via 4c85e56501b Bump version up to Samba 4.15.1...
from fc8342bd26d VERSION: Disable GIT_SNAPSHOT for the 4.15.0 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-default.yml | 1 +
.gitlab-ci-main.yml | 52 +-
VERSION | 2 +-
WHATSNEW.txt | 105 ++
auth/credentials/credentials_krb5.c | 12 +-
ctdb/config/events/legacy/10.interface.script | 3 +-
ctdb/config/functions | 3 +
ctdb/tests/UNIT/eventscripts/scripts/local.sh | 1 +
ctdb/tests/UNIT/eventscripts/stubs/ctdb | 2 +-
docs-xml/manpages/winbindd.8.xml | 20 +-
lib/audit_logging/audit_logging.c | 2 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.1.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.4.1.sigs} | 0
lib/ldb/common/ldb_msg.c | 6 +-
lib/ldb/pyldb.c | 69 +-
lib/ldb/tests/python/api.py | 29 +
lib/ldb/wscript | 2 +-
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 2 +-
lib/util/charset/charset_macosxfs.c | 3 +-
lib/util/debug.c | 10 -
libcli/smb/smb2_signing.c | 12 +-
libcli/smb/smbXcli_base.c | 6 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/join.py | 7 +-
python/samba/ms_schema.py | 6 +-
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 486 +++----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/s3_net_join.py | 2 +-
python/samba/tests/segfault.py | 26 +
python/samba/tests/usage.py | 2 +
script/autobuild.py | 9 +-
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail_heimdal_kdc | 29 +-
selftest/knownfail_mit_kdc | 54 +
selftest/target/Samba3.pm | 43 +-
selftest/target/Samba4.pm | 76 +-
source3/client/smbspool_krb5_wrapper.c | 5 +-
source3/modules/vfs_preopen.c | 2 +-
source3/modules/vfs_zfsacl.c | 17 +-
source3/nmbd/nmbd.c | 4 +-
source3/passdb/machine_account_secrets.c | 10 +-
source3/printing/queue_process.c | 2 -
source3/script/tests/test_chdir_cache.sh | 102 ++
source3/selftest/tests.py | 9 +
source3/smbd/sec_ctx.c | 28 +-
source3/smbd/statcache.c | 2 +-
source3/winbindd/winbindd.c | 4 +-
source3/winbindd/winbindd_cm.c | 1 -
source3/winbindd/winbindd_dual.c | 21 +-
source3/wscript | 2 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 4 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 150 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/librpc/ndr/py_security.c | 2 +-
source4/selftest/tests.py | 84 +-
source4/torture/drs/python/replica_sync.py | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
99 files changed, 6026 insertions(+), 1965 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.1.sigs} (100%)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100755 source3/script/tests/test_chdir_cache.sh
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-default.yml b/.gitlab-ci-default.yml
index d0831017d9b..e6089183674 100644
--- a/.gitlab-ci-default.yml
+++ b/.gitlab-ci-default.yml
@@ -3,6 +3,7 @@ variables:
# "--enable-coverage" or ""
# See .gitlab-ci-coverage.yml
SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: ""
+ AUTOBUILD_SKIP_SAMBA_O3: "0"
include:
- /.gitlab-ci-default-runners.yml
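Review bot: the new `AUTOBUILD_SKIP_SAMBA_O3: "0"` default is the only variable in this block without a comment, while `SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE` directly above it documents its accepted values. Add a line saying it takes `"0"` or `"1"`, that the o3 jobs compare it as a string against `"1"`, and that it is the same variable autobuild.py honours, so anyone setting it under the project's CI/CD variables gets the quoting right.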
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4b2f17938c8..0cbcc17c94c 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -83,6 +83,13 @@ include:
interruptible: true
timeout: 2h
+ # Otherwise we run twice, once on push and once on MR
+ # https://forum.gitlab.com/t/new-rules-syntax-and-detached-pipelines/37292
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ - when: on_success
+
variables:
AUTOBUILD_JOB_NAME: $CI_JOB_NAME
stage: build
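Review bot: `rules:` is replaced, not merged, when a job `extends` this template, so the `$CI_MERGE_REQUEST_ID` exclusion added here silently disappears from any job that declares its own `rules:` (the `.private_test_only` and samba-o3 jobs in this same patch have to repeat it). The comment should say so; otherwise the next job that adds a rules list brings the duplicate MR pipeline back for that one job, which is hard to spot.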
@@ -90,6 +97,16 @@ include:
key: ccache.${CI_JOB_NAME}.${SAMBA_CI_JOB_IMAGE}.${SAMBA_CI_FLAVOR}
paths:
- ccache
+
+ # This is overridden in many cases, but ensures none of the other
+ # main jobs start until and unless this build finishes. However
+ # this also ensures we do not download artifacts from any build
+ # unless we specifically depend on it, saving bandwidth
+
+ needs:
+ - job: samba-def-build
+ artifacts: false
+
before_script:
- uname -a
- lsb_release -a
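Review bot: this makes every job that extends `.shared_template` wait for `samba-def-build`, as the comment says, but `samba-def-build` cannot depend on itself and the standalone build-only jobs should not wait either, so each of those must override `needs` (the `.shared_template_build_only` change later in this patch does it with a bare `needs:`). Name the jobs expected to override it in this comment, and keep `artifacts: false`, which is what stops every downstream job pulling the full build tree.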
@@ -141,7 +158,6 @@ include:
- api_failure
- runner_unsupported
- stale_schedule
- - job_execution_timeout
- archived_failure
- scheduler_failure
- data_integrity_failure
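Review bot: removing `job_execution_timeout` from `retry:when` is the right call now that `timeout` is 2h: a job that still overruns is a real problem, and retrying only doubled the wasted runner time. Since every remaining entry is an infrastructure failure, the missing timeout reason will look like an oversight to the next reader; a one-line comment with that rationale (the commit subject 64f81e2e589 states it) would stop someone re-adding it.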
@@ -169,7 +185,8 @@ others:
.shared_template_build_only:
extends: .shared_template
- timeout: 45m
+ timeout: 2h
+ needs:
artifacts:
expire_in: 1 week
paths:
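Review bot: the bare `needs:` at the end of `.shared_template_build_only` relies on a null value to cancel the `needs: samba-def-build` just added to `.shared_template`; `needs: []` is the form GitLab documents for "depend on nothing, start immediately" and makes the override visible. A key with no value reads like an accidental leftover and is easy to delete in a later cleanup, which would make the build-only jobs wait for `samba-def-build` again.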
@@ -353,13 +370,16 @@ samba-fips:
.private_test_only:
extends: .private_runner_test
stage: test_private
- only:
- variables:
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+
# These jobs are only run if the gitlab repo has private runners available.
# To enable private jobs, you must add the following var and value to
# your gitlab repo by navigating to:
# settings -> CI/CD -> Environment variables
- - $SUPPORT_PRIVATE_TEST == "yes"
+ - if: $SUPPORT_PRIVATE_TEST == "yes"
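Review bot: the order of these two rules is load-bearing and the comment does not say so: `rules` stops at the first match, so the `$CI_MERGE_REQUEST_ID` exclusion has to stay above `$SUPPORT_PRIVATE_TEST == "yes"`, otherwise a repo with private runners runs the private tests on both the push and the MR pipeline, which is exactly what this series sets out to avoid. A one-line note next to the existing comment would stop a later edit from reordering them.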
.needs_samba-def-build-private:
extends:
@@ -514,16 +534,30 @@ ubuntu1804-samba-o3:
AUTOBUILD_JOB_NAME: samba-o3
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ # do not run o3 builds (which run a lot of VMs) if told not to
+ # (this uses the same variable as autobuild.py)
+ - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+ when: never
# All other jobs do not want code coverage.
.samba-o3-template:
extends: .shared_template
variables:
AUTOBUILD_JOB_NAME: samba-o3
- only:
- variables:
- # do not run o3 for coverage since they are using different images
- - $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ # do not run o3 builds (which run a lot of VMs) if told not to
+ # (this uses the same variable as autobuild.py)
+ - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+ when: never
+ # do not run o3 for coverage since they are using different images
+ - if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
ubuntu2004-samba-o3:
extends: .samba-o3-template
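Review bot: as shown, the `rules:` list for `ubuntu1804-samba-o3` ends after two `when: never` entries with no positive rule; GitLab excludes a job when no rule matches, so if this is the whole list the job never runs at all, coverage build included. `.samba-o3-template` below gets a trailing `if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""` rule; `ubuntu1804-samba-o3` needs an equivalent final rule for whichever condition it is meant to run under (the `$SUPPORT_PRIVATE_TEST == "yes"` condition from `.private_test_only`, if it is a private-runner job). The duplicated three-rule block itself is unavoidable, since `rules` is not merged under `extends`.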
diff --git a/VERSION b/VERSION
index 0e58d4b399b..4c07d646431 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 18cc15dcff5..73cc1613bef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,108 @@
+ ==============================
+ Release Notes for Samba 4.15.1
+ October 27, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.0
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
+ * BUG 14685: Log clutter from filename_convert_internal.
+ * BUG 14862: MacOSX compilation fixes.
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 14868: rodc_rwdc test flaps.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
+ * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Viktor Dukhovni <viktor at twosigma.com>
+ * BUG 12998: Fix transit path validation.
+
+o Pavel Filipenský <pfilipen at redhat.com>
+ * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
+ log.wb-<DOMAIN>.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14855: SMB3 cancel requests should only include the MID together with
+ AsyncID when AES-128-GMAC is used.
+
+o Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
+ * BUG 14862: MacOSX compilation fixes.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+ * BUG 14845: "in" operator on ldb.Message is case sensitive.
+ * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
+ * BUG 14868: rodc_rwdc test flaps.
+ * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+ * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+ Heimdal.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.15.0
September 20, 2021
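Review bot: the entry `BUG 12998: Fix transit path validation.` under Viktor Dukhovni carries neither a CVE identifier nor the `[SECURITY]` marker, although the commit it summarises is `HEIMDAL:kdc: Fix transit path validation CVE-2017-6594` (dc768d84f02 in the log above). The other security fix in these notes is tagged `[SECURITY]` with its CVE; give this one the same treatment so distributions scanning the release notes can match it against their advisory tracking.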
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c03d80ac440..d2e7a76a69e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
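Review bot: this call site passes the same arguments to the new `smb_krb5_salt_principal_str()` wrapper and returns `ret` unchanged, but the underlying `smb_krb5_salt_principal()` (see the krb5_samba.c hunk) now returns `krb5_error_code` values from `krb5_build_principal_ext()`/`krb5_parse_name()` alongside `ENOMEM`, and `cli_credentials_get_keytab()` hands that `int` straight to its callers. Confirm those callers do not treat the value as an errno (`strerror()` on a Kerberos code gives nonsense), or have the `_str` wrapper map non-errno codes before returning.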
diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script
index 72e0c101d47..d87f6c52c58 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -25,7 +25,8 @@ fi
get_all_interfaces ()
{
# Get all the interfaces listed in the public_addresses file
- all_interfaces=$(sed -e 's/^[^\t ]*[\t ]*//' \
+ all_interfaces=$(sed -e '/^#.*/d' \
+ -e 's/^[^\t ]*[\t ]*//' \
-e 's/,/ /g' \
-e 's/[\t ]*$//' "$ctdb_public_addresses")
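Review bot: `sed -e '/^#.*/d'` only removes comments that start in column 0. An indented comment such as `  # spare` survives it, and the following `s/^[^\t ]*[\t ]*//` then strips the leading whitespace and reports `#` and `spare` as interface names, whereas the `read`-based loop added to `drop_all_public_ips` in `ctdb/config/functions` skips that same line because `read` discards leading IFS whitespace before the `\#*` match. Use `/^[[:space:]]*#/d` here so both consumers agree on what a comment is (the `.*` is redundant either way).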
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 2395d8d4dc8..a4e73ad0594 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -611,6 +611,9 @@ drop_all_public_ips ()
# _x is intentionally ignored
# shellcheck disable=SC2034
while read _ip _x ; do
+ case "$_ip" in
+ \#*) continue ;;
+ esac
drop_ip "$_ip"
done <"${CTDB_BASE}/public_addresses"
}
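Review bot: the `\#*) continue ;;` case handles comments, but an empty line still reaches `drop_ip ""`, because `read _ip _x` succeeds on a blank line and leaves `_ip` empty. Since the point of the change is to make `public_addresses` tolerate non-address lines, extend the case to `""|\#*) continue ;;` so blank lines are skipped as well.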
diff --git a/ctdb/tests/UNIT/eventscripts/scripts/local.sh b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
index 0f78fcb3845..7460bf9748e 100644
--- a/ctdb/tests/UNIT/eventscripts/scripts/local.sh
+++ b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
@@ -282,6 +282,7 @@ setup_public_addresses ()
echo "Setting up public addresses in ${_f}"
cat >"$_f" <<EOF
+# This is a comment
10.0.0.1/24 dev123
10.0.0.2/24 dev123
10.0.0.3/24 dev123
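Review bot: the fixture only adds a comment at column 0, which is the one form that the `sed` filter in 10.interface.script and the `read`/`case` filter in `functions` handle identically; add an indented comment line and a blank line to the same heredoc so the unit tests would catch the two parsers disagreeing on the other forms.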
diff --git a/ctdb/tests/UNIT/eventscripts/stubs/ctdb b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
index 12627de16a5..fc7bd4fdd84 100755
--- a/ctdb/tests/UNIT/eventscripts/stubs/ctdb
+++ b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
@@ -425,7 +425,7 @@ ctdb_ifaces()
# Assume -Y.
echo "|Name|LinkStatus|References|"
while read _ip _iface ; do
- case "_$ip" in
+ case "$_ip" in
\#*) : ;;
*)
_status=1
diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
index 3b7487c1b1c..7a643b8879c 100644
--- a/docs-xml/manpages/winbindd.8.xml
+++ b/docs-xml/manpages/winbindd.8.xml
@@ -195,7 +195,25 @@ hosts: files wins
</para></listitem>
</varlistentry>
- &cmdline.common.samba.server;
+ &cmdline.common.debug.server;
+ &cmdline.common.config.server;
+ &cmdline.common.option;
+
+ <varlistentry>
+ <term>-l|--log-basename=logdirectory</term>
+ <listitem>
+ <para>
+ Base directory name for log/debug files. The parent process
+ uses filename log.winbindd, the child process uses filename
+ log.wb-<name>. The log file is never removed by winbindd.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ &cmdline.common.samba.leakreport;
+ &cmdline.common.samba.leakreportfull;
+ &cmdline.version;
+
&popt.autohelp;
</variablelist>
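Review bot: `log.wb-<name>` inside `<para>` is, if the source really contains it literally, an unescaped `<name>` element in the DocBook XML and will either fail validation or be dropped by the stylesheet; it must be written `log.wb-&lt;name&gt;`. If the mail archive has merely rendered the entities, disregard. Also, `&cmdline.common.samba.server;` is being expanded into its parts so that `-l` can be documented separately; check that the expansion still lists everything the combined entity did, since this manpage now owns that list.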
diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c
index 9fe2d3ba45d..87378e1bb95 100644
--- a/lib/audit_logging/audit_logging.c
+++ b/lib/audit_logging/audit_logging.c
@@ -70,7 +70,7 @@ char* audit_get_timestamp(TALLOC_CTX *frame)
strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
strftime(tz, sizeof(tz)-1, "%Z", tm_info);
- ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
+ ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, (long)tv.tv_usec, tz);
if (ts == NULL) {
DBG_ERR("Out of memory formatting time stamp\n");
}
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
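Review bot: `principal` and `principal_len` survive this hunk, but the rewritten body below builds the result with `krb5_build_principal_ext()` and `krb5_parse_name()` directly and never assigns `principal`; unless the part of the function cut off by the truncation still uses them, they are now dead and will warn under `-Wunused-variable`. The signature also changed (a `krb5_context` first and a `krb5_principal` out-parameter instead of a talloc'd string), and the hunk starts inside the doxygen block, so make sure the `@param` lines above the visible `@see` were updated with it.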
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
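Review bot: `sAMAccountName[computer_len-1]` reads one byte before the string when `sAMAccountName` is `""` (`computer_len == 0`); the `NULL` check earlier in the function does not cover the empty string. The line is pre-existing, but this patch is reworking exactly this block, so add a `computer_len > 0` guard (or return `EINVAL` for an empty name) while here.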
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
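Review bot: the UPN branch changes failure behaviour: the old code split at the first `@` and always produced a salt, whereas `krb5_parse_name()` rejects a UPN whose local part contains an unescaped `@` (the comment itself admits that `foo@bar@REALM`, rendered `foo at bar@REALM` by the list's address munging and accepted by Windows, now fails) and the function returns that error, so keytab generation for such an account hard-fails where it previously produced a possibly wrong salt. Decide explicitly whether to fall back to the old split or to fail, and say which in the comment. Separately, the function now returns `krb5_error_code` from `krb5_build_principal_ext()`/`krb5_parse_name()` and `ENOMEM` through the same `int`; pick one error domain or document that callers must not treat the value as an errno.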
--
Samba Shared Repository