[SCM] Samba Shared Repository - branch v4-15-stable updated

Jule Anger janger at samba.org
Wed Oct 27 12:57:05 UTC 2021


The branch, v4-15-stable has been updated
       via  5850ae94ba6 VERSION: Disable GIT_SNAPSHOT for the 4.15.1 release.
       via  3caf4af915a WHATSNEW: Add release notes for Samba 4.15.1.
       via  a795e0c8459 Release ldb 2.4.1
       via  9e2da222f7f pyldb: Make ldb.Message containment testing consistent with indexing
       via  b4601d0db20 pyldb: Add tests for ldb.Message containment testing
       via  2311987af25 pyldb: Raise TypeError for an invalid ldb.Message index
       via  bef676475fe pyldb: Add test for an invalid ldb.Message index type
       via  ba4032b73a4 s4/torture/drs/python: Fix attribute existence check
       via  d32f732c796 pyldb: Fix deleting an ldb.Control critical flag
       via  3b6c8bd55b3 pytest:segfault: Add test for deleting an ldb.Control critical flag
       via  6db664a07da pyldb: Fix deleting an ldb.Message dn
       via  f4ca03b0cc2 pytest:segfault: Add test for deleting an ldb.Message dn
       via  34d50f415ae Fix Python docstrings
       via  753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code
       via  c72b210cdca dsdb: Allow special chars like "@" in samAccountName when generating the salt
       via  b1dbaecb2ec tests/krb5: Add tests for account salt calculation
       via  798ac7ff1ba tests/krb5: Fix account salt calculation to match Windows
       via  fcd11a480e7 tests/krb5: Allow specifying the UPN for test accounts
       via  8c0296c8956 tests/krb5: Allow creating machine accounts without a trailing dollar
       via  4cedeb32538 tests/krb5: Allow specifying prefix or suffix for test account names
       via  cd1b3cbce50 tests/krb5: Decrease length of test account prefix
       via  3affd02a83a selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
       via  057e6d872db selftest/Samba3: remove unused close(USERMAP); calls
       via  f901e3dc08c waf: Allow building with MIT KRB5 >= 1.20
       via  28630a31be8 selftest: Improve error handling and perl style when setting up users in Samba4.pm
       via  cd04ce50ac3 selftest: Remove duplicate setup of $base_dn and $ldbmodify
       via  175dde8ab48 pytest: s3_net_join: avoid name clash
       via  63e688099b4 selftest: krb5 account creation: clarify account type as an enum
       via  c4b15874037 pytest: dynamic tests optionally add __doc__
       via  e17d54554c9 selftest: Increase account lockout windows to make test more reliable
       via  140ec12e25e pytest/rodc_rwdc: try to avoid race.
       via  dc768d84f02 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
       via  a7dcff14bdd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
       via  54d9b9e0406 tests/krb5: Ensure PAC is not present if expect_pac is false
       via  19e770f04ea kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
       via  30b2a47af03 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
       via  ce53ffc660e tests/krb5: Add tests for requesting a service ticket without a PAC
       via  3f89f5d3e09 tests/krb5: Add method to get the PAC from a ticket
       via  3c2cf8200d2 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
       via  34e3b8e09f4 tests/krb5: Allow get_tgt() to request including or omitting a PAC
       via  bab70b995a1 heimdal:kdc: Fix ticket signing without a PAC
       via  af42d3fa44c selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
       via  9a25efd54aa gitlab-ci: Do not download artifacts of unrelated builds
       via  64f81e2e589 gitlab-ci: Do not retry for job_execution_timeout
       via  2cf612f8096 krb5: Fix PAC signature leak affecting KDC
       via  276820695a9 s4:kdc: Check ticket signature
       via  1d764175725 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
       via  03ababc0de6 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
       via  e735b36fcc1 kdc: correctly generate PAC TGS signature
       via  329054bc433 kdc: use ticket client name when signing PAC
       via  4cdcbc761c3 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
       via  7df64eb0189 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
       via  764c7d74090 krb5: rework PAC validation loop
       via  060abb2f1b4 krb5: allow NULL parameter to krb5_pac_free()
       via  4b2890412c9 kdc: sign ticket using Windows PAC
       via  79278289cf3 kdc: remove KRB5SignedPath, to be replaced with PAC
       via  2e20aefce2c s4/torture: Expect ticket checksum PAC buffer
       via  8ba2b8aef8a s4:kdc: Fix debugging messages
       via  9edf3d6d810 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
       via  d8871802eb2 tests/krb5: Fix duplicate account creation
       via  7b8d569aefc tests/krb5: Allow bypassing cache when creating accounts
       via  f90bc484f49 tests/krb5: Don't include empty AD-IF-RELEVANT
       via  bc71b3c179d tests/krb5: Add constrained delegation tests
       via  571991a319c tests/krb5: Verify tickets obtained with get_service_ticket()
       via  6b5a223e42f tests/krb5: Require ticket checksums if decryption key is available
       via  904e0855c86 tests/krb5: Add TKT_SIG_SUPPORT environment variable
       via  f7e487fc4d0 selftest/dbcheck: Fix up RODC one-way links
       via  5284920767d tests/krb5: Fix sha1 checksum type
       via  e7f75340b62 tests/krb5: Provide clearer assertion messages for test failures
       via  25895e26fc4 tests/krb5: Disable debugging output for tests
       via  41e4c3a8ae1 tests/krb5: Simplify padata checking
       via  5f07249a6b8 tests/krb5: Check logon name in PAC
       via  c2a5111e71f tests/krb5: Check padata types when STRICT_CHECKING=0
       via  cdef6a8416c tests/krb5: Add environment variable to specify KDC FAST support
       via  0f4886d4db2 tests/krb5: Fix padata checking at functional level 2003
       via  7b44f8db99d tests/krb5: Clarify checksum type assertion message
       via  fe35ca21cfc tests/krb5: Use correct principal name type
       via  5fca67c7188 tests/krb5: Add compatability tests for ticket checksums
       via  53d4a46fcd2 tests/krb5: Add parameter to enforce presence of ticket checksums
       via  41cbe50ac93 tests/krb5: Supply supported account enctypes in tgs_req()
       via  ea64b0fde2f tests/krb5: Allow specifying options and expected flags when obtaining a ticket
       via  e35ae2d57d8 tests/krb5: Save account SPN
       via  d4404ecb951 tests/krb5: Check constrained delegation PAC buffer
       via  5a43b4ec548 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
       via  eea7988e67f tests/krb5: Add expect_claims parameter to kdc_exchange_dict
       via  4955aacc2ea tests/krb5: Fix checking for presence of error data
       via  768e7ec7734 tests/krb5: Remove unneeded parameters from ticket cache key
       via  71b3142aba7 tests/krb5: Fix assertElementFlags()
       via  c4580eb131b tests/krb5: Make expected_sname checking more explicit
       via  97be9339ca2 tests/krb5: Fix status code checking
       via  e7dbc8e26e6 tests/krb5: Fix handling authdata with missing PAC
       via  7cb8c699284 tests/krb5: Allow excluding the PAC server checksum
       via  ae1bada6c1b tests/krb5: Fix checksum generation and verification
       via  b09fd767916 tests/krb5: Fix method for creating invalid length zeroed checksum
       via  fccb0a6ecbc tests/krb5: Introduce helper method for creating invalid length checksums
       via  db559680c42 tests/krb5: Add assertion to make failures clearer
       via  bfccdc3827f tests/krb5: Allow created accounts to use resource-based constrained delegation
       via  e6eca4a04ee tests/krb5: Rename allowed_to_delegate_to parameter for clarity
       via  825aef9f8c7 tests/krb5: Fix PA-PAC-OPTIONS checking
       via  e669b561b8b tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
       via  9b781f1ca03 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
       via  eaf9f8d9ebe tests/krb5: Remove unused parameter
       via  a1228650b68 tests/krb5: Rename method parameter
       via  1c1c1a04991 .gitlab-ci: Avoid duplicate CI on all merge requests
       via  60419689f3e .gitlab-ci.yml: Restore building most of our jobs
       via  2c36f7c67ed .gitlab-ci: Increase build timeout
       via  44ad4dc8b77 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
       via  aa08c5cfbf7 tests/krb5: Add classes for testing invalid checksums
       via  2988bc51788 tests/krb5: Add method to determine if principal is krbtgt
       via  5ec45f3068a tests/krb5: Verify checksums of tickets obtained from the KDC
       via  6270587045f tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
       via  50a5116cff2 tests/krb5: Simplify account creation
       via  7dba3ae4b59 tests/krb5: Provide ticket enc-part key to tgs_req()
       via  2ef8022937f tests/krb5: Fix checking for presence of authorization data
       via  3787c21f2b7 tests/krb5: Add method to get DC credentials
       via  8eda339691a tests/krb5: Allow tgs_req() to check the returned ticket enc-part
       via  0da5e1029ec tests/krb5: Set key version number for all accounts created with create_account()
       via  8ff67351802 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
       via  2bfcb3f6b00 tests/krb5: Get supported enctypes for credentials from database
       via  320847972df tests/krb5: Add methods to convert between enctypes and bitfields
       via  73f27f9ddb0 tests/krb5: Make get_default_enctypes() return a set of enctype constants
       via  8ab6d2f0bdd tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
       via  53b793b9e7c tests/krb5: Add method for modifying a ticket and creating PAC checksums
       via  eed5b13f4af tests/krb5: Add method to verify ticket PAC checksums
       via  6fe3f55476b tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
       via  f817cbc6815 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
       via  182bf696e32 tests/krb5: Cache obtained tickets
       via  0cad7ba2032 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
       via  5125f9c1a1b tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
       via  1e44488b58d tests/krb5: Allow get_tgt() to specify expected and unexpected flags
       via  cfb16b40c74 tests/krb5: Allow get_tgt() to specify different kdc-options
       via  3022340bf22 tests/krb5: Allow get_tgt() to get tickets from the RODC
       via  8416eb2a884 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
       via  ca0123d86a4 tests/krb5: Set DN of created accounts to ldb.Dn type
       via  56a567be0e4 tests/krb5: Don't manually create PAC request and options in fast_tests
       via  278eff6115f tests/krb5: Use PAC buffer type constants from krb5pac.idl
       via  c8a724118e6 tests/krb5: Allow as_req() to specify different kdc-options
       via  3c77ef9dbb5 tests/krb5: Allow tgs_req() to send requests to the RODC
       via  063f1cbdbe7 tests/krb5: Allow tgs_req() to specify different kdc-options
       via  e4b278566af tests/krb5: Allow tgs_req() to send additional padata
       via  3e3d205df7c tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
       via  cba0b1a6c48 tests/krb5: Check correct flags element
       via  159d451d817 tests/krb5: Add helper method for modifying PACs
       via  77227799d98 python/join: Check for correct msDS-KrbTgtLink attribute
       via  c8bb7750c86 python: Don't leak file handles
       via  7b6a5c97092 tests/krb5: Allow replicating accounts to the created RODC
       via  f2d6361dc33 tests/krb5: Create RODC account for testing
       via  b0339d5a1a8 tests/krb5: Allow replicating accounts to the RODC
       via  d413e7d79a3 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
       via  56f49f117bf tests/krb5: Add method to get RODC krbtgt credentials
       via  f730c68834c tests/krb5: Sign-extend kvno from 32-bit integer
       via  2af3293f67d tests/krb5: Generate padata for FAST tests
       via  1d2d30748a9 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
       via  f44a5b984b7 tests/krb5: Get encpart decryption key from kdc_exchange_dict
       via  336725dc79f tests/krb5: Get expected cname from TGT for TGS-REQ messages
       via  bc7bdc5b7e0 tests/krb5: Allow specifying status code to be checked
       via  01b16673af8 tests/krb5: Create testing accounts in appropriate containers
       via  2bf5265847d tests/krb5: Check for presence of 'key-expiration' element
       via  6f04bd793ec tests/krb5: Check 'caddr' element
       via  9ff47e13441 tests/krb5: Check for presence of 'renew-till' element
       via  a1face49c70 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
       via  5a546788f45 tests/krb5: Make time assertion less strict
       via  22e1b694879 tests/krb5: Allow specifying ticket flags expected to be set or reset
       via  53336347494 tests/krb5: Remove magic constants
       via  6bf8e3cb537 tests/krb5: Don't create PAC request or options manually in fast_tests
       via  2c1a8950b5e tests/krb5: Don't create PAC request manually in as_req_tests
       via  f6c3497e9f9 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
       via  138ac8a3a70 tests/krb5: Move padata generation methods to base class
       via  ebecaf715d3 tests/krb5: Keep track of account DN in credentials object
       via  b8485a79791 tests/krb5: Allow specifying additional User Account Control flags for account
       via  4f47721d599 tests/krb5: Allow specifying an OU to create accounts in
       via  dda665b918b tests/krb5: Replace expected_cname_private with expected_anon parameter
       via  31e990533c1 tests/krb5: Use more compact dict lookup
       via  6df25780147 tests/krb5: Add KDCOptions flag for constrained delegation
       via  c625e16ffa6 tests/krb5: Use signed integers to represent key version numbers in ASN.1
       via  7bb3ac920f9 tests/krb5: Add methods to obtain the length of checksum types
       via  a08b603d822 tests/krb5: Calculate expected salt if not given explicitly
       via  487b57cd34e security.idl: Add well-known SIDs for FAST
       via  aef886c7787 krb5pac.idl: Add ticket checksum PAC buffer type
       via  be8fb0218af heimdal:kdc: Only check for default salt for des-cbc-crc enctype
       via  cb768d624eb libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
       via  b299897ab58 docs-xml: Update winbindd(8) manpage
       via  b8c8c2017db s3:winbindd: Fix winbindd child logfile name handling
       via  9257b637f14 debug: Remove "override_logfile"
       via  57ffd32d455 s3: smbspool. Remove last use of 'extern char **environ;'.
       via  d3b3aa9e19f Fix detection of rpc/xdr.h on macOS
       via  0d59b1fb326 vfs_preopen.c: Fix -Wformat error on macOS
       via  3ded98767d3 source3/smbd/statcache.c: Fix -Wformat build error on macOS
       via  4c89d9169a4 sec_ctx.c: Fix -Wunused-function warning on macOS
       via  0daa3af7042 source3/printing/queue_process.c: fix build on macOS
       via  80e9d89a97b audit_logging.c: fix compilation on macOS
       via  448f2acdcea charset_macosxfs.c: fix compilation on macOS
       via  d3df31162f0 ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
       via  63a3b7838e1 ctdb-tests: Fix typo in ctdb stub comment matching
       via  36621069e26 ctdb-scripts: filter out comments in public_addresses file
       via  dffca59ded1 s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
       via  f2455a9023c s3: smbd: Ensure when we change security context we delete any $cwd cache.
       via  a55d4fe2208 s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
       via  86738410826 .gitlab-ci: Allow 1 hour to build Samba
       via  c9514648060 samldb: Address birthday paradox adding an RODC
       via  eb28bd54ac5 pyldb: Avoid use-after-free in msg_diff()
       via  e52ddfbe572 ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
       via  db294baff36 pytest:segfault: Add test for ldb.msg_diff()
       via  4b1e8535610 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
       via  4c85e56501b Bump version up to Samba 4.15.1...
      from  fc8342bd26d VERSION: Disable GIT_SNAPSHOT for the 4.15.0 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-default.yml                             |    1 +
 .gitlab-ci-main.yml                                |   52 +-
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  105 ++
 auth/credentials/credentials_krb5.c                |   12 +-
 ctdb/config/events/legacy/10.interface.script      |    3 +-
 ctdb/config/functions                              |    3 +
 ctdb/tests/UNIT/eventscripts/scripts/local.sh      |    1 +
 ctdb/tests/UNIT/eventscripts/stubs/ctdb            |    2 +-
 docs-xml/manpages/winbindd.8.xml                   |   20 +-
 lib/audit_logging/audit_logging.c                  |    2 +-
 lib/krb5_wrap/krb5_samba.c                         |  192 ++-
 lib/krb5_wrap/krb5_samba.h                         |   13 +-
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.1.sigs}     |    0
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.4.1.sigs} |    0
 lib/ldb/common/ldb_msg.c                           |    6 +-
 lib/ldb/pyldb.c                                    |   69 +-
 lib/ldb/tests/python/api.py                        |   29 +
 lib/ldb/wscript                                    |    2 +-
 lib/tdb/pytdb.c                                    |    2 +-
 lib/tevent/pytevent.c                              |    2 +-
 lib/util/charset/charset_macosxfs.c                |    3 +-
 lib/util/debug.c                                   |   10 -
 libcli/smb/smb2_signing.c                          |   12 +-
 libcli/smb/smbXcli_base.c                          |    6 +-
 librpc/idl/krb5pac.idl                             |    7 +-
 librpc/idl/security.idl                            |    3 +
 python/samba/__init__.py                           |   12 +-
 python/samba/join.py                               |    7 +-
 python/samba/ms_schema.py                          |    6 +-
 python/samba/schema.py                             |    9 +-
 python/samba/tests/__init__.py                     |    3 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |   11 +-
 python/samba/tests/krb5/as_req_tests.py            |   57 +-
 python/samba/tests/krb5/compatability_tests.py     |   48 +-
 python/samba/tests/krb5/fast_tests.py              |  486 +++----
 python/samba/tests/krb5/kcrypto.py                 |   28 +-
 python/samba/tests/krb5/kdc_base_test.py           | 1099 +++++++++++++--
 python/samba/tests/krb5/kdc_tests.py               |    4 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  137 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |   93 +-
 python/samba/tests/krb5/raw_testcase.py            | 1461 +++++++++++++++-----
 python/samba/tests/krb5/rfc4120.asn1               |    3 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   11 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |    3 +-
 python/samba/tests/krb5/rodc_tests.py              |   73 +
 python/samba/tests/krb5/s4u_tests.py               | 1074 +++++++++++++-
 python/samba/tests/krb5/salt_tests.py              |  327 +++++
 python/samba/tests/krb5/simple_tests.py            |    4 +-
 python/samba/tests/krb5/test_ccache.py             |   15 +-
 python/samba/tests/krb5/test_ldap.py               |    4 +-
 python/samba/tests/krb5/test_rpc.py                |    4 +-
 python/samba/tests/krb5/test_smb.py                |    4 +-
 python/samba/tests/krb5/xrealm_tests.py            |    4 +-
 python/samba/tests/s3_net_join.py                  |    2 +-
 python/samba/tests/segfault.py                     |   26 +
 python/samba/tests/usage.py                        |    2 +
 script/autobuild.py                                |    9 +-
 selftest/knownfail.d/kdc-salt                      |    1 +
 selftest/knownfail_heimdal_kdc                     |   29 +-
 selftest/knownfail_mit_kdc                         |   54 +
 selftest/target/Samba3.pm                          |   43 +-
 selftest/target/Samba4.pm                          |   76 +-
 source3/client/smbspool_krb5_wrapper.c             |    5 +-
 source3/modules/vfs_preopen.c                      |    2 +-
 source3/modules/vfs_zfsacl.c                       |   17 +-
 source3/nmbd/nmbd.c                                |    4 +-
 source3/passdb/machine_account_secrets.c           |   10 +-
 source3/printing/queue_process.c                   |    2 -
 source3/script/tests/test_chdir_cache.sh           |  102 ++
 source3/selftest/tests.py                          |    9 +
 source3/smbd/sec_ctx.c                             |   28 +-
 source3/smbd/statcache.c                           |    2 +-
 source3/winbindd/winbindd.c                        |    4 +-
 source3/winbindd/winbindd_cm.c                     |    1 -
 source3/winbindd/winbindd_dual.c                   |   21 +-
 source3/wscript                                    |    2 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   23 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |    4 +-
 source4/dsdb/tests/python/rodc_rwdc.py             |    8 +-
 source4/heimdal/kdc/kerberos5.c                    |  150 +-
 source4/heimdal/kdc/krb5tgs.c                      |  665 +++------
 source4/heimdal/kdc/windc.c                        |   15 +-
 source4/heimdal/kdc/windc_plugin.h                 |    5 +-
 source4/heimdal/lib/asn1/krb5.asn1                 |   21 -
 source4/heimdal/lib/krb5/authdata.c                |  124 ++
 source4/heimdal/lib/krb5/pac.c                     |  484 ++++++-
 source4/heimdal/lib/krb5/version-script.map        |    5 +
 source4/heimdal_build/wscript_build                |    2 +-
 source4/kdc/mit_samba.c                            |   14 +-
 source4/kdc/pac-glue.c                             |   10 +-
 source4/kdc/pac-glue.h                             |    3 +-
 source4/kdc/wdc-samba4.c                           |  356 +++--
 source4/kdc/wscript_build                          |    1 +
 source4/librpc/ndr/py_security.c                   |    2 +-
 source4/selftest/tests.py                          |   84 +-
 source4/torture/drs/python/replica_sync.py         |    2 +-
 source4/torture/rpc/remote_pac.c                   |   14 +-
 testprogs/blackbox/dbcheck.sh                      |    2 +-
 99 files changed, 6026 insertions(+), 1965 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.1.sigs} (100%)
 create mode 100755 python/samba/tests/krb5/rodc_tests.py
 create mode 100755 python/samba/tests/krb5/salt_tests.py
 create mode 100644 selftest/knownfail.d/kdc-salt
 create mode 100755 source3/script/tests/test_chdir_cache.sh
 create mode 100644 source4/heimdal/lib/krb5/authdata.c


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-default.yml b/.gitlab-ci-default.yml
index d0831017d9b..e6089183674 100644
--- a/.gitlab-ci-default.yml
+++ b/.gitlab-ci-default.yml
@@ -3,6 +3,7 @@ variables:
   # "--enable-coverage" or ""
   # See .gitlab-ci-coverage.yml
   SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: ""
+  AUTOBUILD_SKIP_SAMBA_O3: "0"
 
 include:
   - /.gitlab-ci-default-runners.yml
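Review bot: the new `AUTOBUILD_SKIP_SAMBA_O3: "0"` at the top of this hunk carries no comment documenting its accepted values, while the neighbouring `SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE` does (`# "--enable-coverage" or ""`). A matching line above it, such as `# "1" skips the samba-o3 jobs, "0" runs them (same variable as autobuild.py)`, would tell anyone setting it through the GitLab UI what the switch expects.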
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4b2f17938c8..0cbcc17c94c 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -83,6 +83,13 @@ include:
   interruptible: true
   timeout: 2h
 
+  # Otherwise we run twice, once on push and once on MR
+  # https://forum.gitlab.com/t/new-rules-syntax-and-detached-pipelines/37292
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    - when: on_success
+
   variables:
     AUTOBUILD_JOB_NAME: $CI_JOB_NAME
   stage: build
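Review bot: adding `rules:` to `.shared_template` makes every job that extends it and still carries an `only:` or `except:` block invalid, because GitLab rejects a job that combines `rules` with `only`/`except`; the later hunks in this file convert `.private_test_only` and `.samba-o3-template` for exactly that reason, so it is worth confirming that no other extending job still uses `only:`. The trailing `- when: on_success` is needed and present: without it a pipeline where the first rule does not match would drop the job entirely.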
@@ -90,6 +97,16 @@ include:
     key: ccache.${CI_JOB_NAME}.${SAMBA_CI_JOB_IMAGE}.${SAMBA_CI_FLAVOR}
     paths:
       - ccache
+
+  # This is overridden in many cases, but ensures none of the other
+  # main jobs start until and unless this build finishes.  However
+  # this also ensures we do not download artifacts from any build
+  # unless we specifically depend on it, saving bandwidth
+
+  needs:
+    - job: samba-def-build
+      artifacts: false
+
   before_script:
     - uname -a
     - lsb_release -a
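Review bot: a template-level `needs: - job: samba-def-build` also applies to `samba-def-build` itself if that job extends `.shared_template`, which yields a job that needs itself and is a configuration error; the comment says this is "overridden in many cases" but does not say where, so naming the override (the `needs:` added to `.shared_template_build_only` further down) would help the next reader. `artifacts: false` is the right setting here and is what the subject "Do not download artifacts of unrelated builds" describes.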
@@ -141,7 +158,6 @@ include:
       - api_failure
       - runner_unsupported
       - stale_schedule
-      - job_execution_timeout
       - archived_failure
       - scheduler_failure
       - data_integrity_failure
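Review bot: dropping `job_execution_timeout` from the retry list means a job that hits the timeout fails once instead of being rerun for another full window, which is the intent of "Do not retry for job_execution_timeout"; the trade-off is that a job that merely ran slowly on a loaded runner now needs a manual retry, so this only makes sense together with the raised timeouts elsewhere in this file.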
@@ -169,7 +185,8 @@ others:
 
 .shared_template_build_only:
   extends: .shared_template
-  timeout: 45m
+  timeout: 2h
+  needs:
   artifacts:
     expire_in: 1 week
     paths:
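Review bot: the bare `needs:` with no value is meant to cancel the template's `needs: - job: samba-def-build`, but a null value reads like a leftover; `needs: []` is the documented way to declare a job with no dependencies and states explicitly that build-only jobs start immediately. The `timeout: 2h` now equals the template's own `timeout: 2h`, so the override could be removed rather than duplicated.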
@@ -353,13 +370,16 @@ samba-fips:
 .private_test_only:
   extends: .private_runner_test
   stage: test_private
-  only:
-    variables:
+  rules:
+      # See above, to avoid a duplicate CI on the MR (these rules override the others)
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+
       # These jobs are only run if the gitlab repo has private runners available.
       # To enable private jobs, you must add the following var and value to
       # your gitlab repo by navigating to:
       # settings -> CI/CD -> Environment variables
-      - $SUPPORT_PRIVATE_TEST == "yes"
+    - if: $SUPPORT_PRIVATE_TEST == "yes"
 
 .needs_samba-def-build-private:
   extends:
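Review bot: the comment `# See above, to avoid a duplicate CI on the MR` is indented two columns deeper than the `- if:` items it describes, unlike the same comment in the `.samba-o3-template` hunk below; aligning it with the list keeps YAML linters quiet and reads as part of the list. Semantics are preserved: the final `- if: $SUPPORT_PRIVATE_TEST == "yes"` has no `when`, so it defaults to `on_success`, and when it does not match the job is simply not added, exactly as the old `only: variables:` behaved.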
@@ -514,16 +534,30 @@ ubuntu1804-samba-o3:
     AUTOBUILD_JOB_NAME: samba-o3
     SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
     SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
+  rules:
+    # See above, to avoid a duplicate CI on the MR (these rules override the others)
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    # do not run o3 builds (which run a lot of VMs) if told not to
+    # (this uses the same variable as autobuild.py)
+    - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+      when: never
 
 # All other jobs do not want code coverage.
 .samba-o3-template:
   extends: .shared_template
   variables:
     AUTOBUILD_JOB_NAME: samba-o3
-  only:
-    variables:
-      # do not run o3 for coverage since they are using different images
-      - $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
+  rules:
+    # See above, to avoid a duplicate CI on the MR (these rules override the others)
+    - if: $CI_MERGE_REQUEST_ID
+      when: never
+    # do not run o3 builds (which run a lot of VMs) if told not to
+    # (this uses the same variable as autobuild.py)
+    - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+      when: never
+    # do not run o3 for coverage since they are using different images
+    - if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
 
 ubuntu2004-samba-o3:
   extends: .samba-o3-template
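Review bot: the `rules:` added to `ubuntu1804-samba-o3` contain only `when: never` conditions and no positive rule; a job none of whose rules matches is not added to the pipeline, and because `extends` replaces arrays rather than merging them, the template's `$SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""` rule does not reach this job (and would be false for it anyway, since it sets `--enable-coverage`). Add a trailing `- when: on_success` to the ubuntu1804 job so the coverage build still runs. The `.samba-o3-template` list is fine as written: its last rule has an implicit `on_success`.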
diff --git a/VERSION b/VERSION
index 0e58d4b399b..4c07d646431 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 18cc15dcff5..73cc1613bef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,108 @@
+                   ==============================
+                   Release Notes for Samba 4.15.1
+                          October 27, 2021
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+
+
+Changes since 4.15.0
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14682: vfs_shadow_copy2: core dump in make_relative_path.
+   * BUG 14685: Log clutter from filename_convert_internal.
+   * BUG 14862: MacOSX compilation fixes.
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 14868: rodc_rwdc test flaps.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+     Heimdal.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14848: Release LDB 2.4.1 for Samba 4.15.1.
+   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+     the salt.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o  Isaac Boukris <iboukris at gmail.com>
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+     Heimdal.
+
+o  Viktor Dukhovni <viktor at twosigma.com>
+   * BUG 12998: Fix transit path validation.
+
+o  Pavel Filipenský <pfilipen at redhat.com>
+   * BUG 14852: Fix that child winbindd logs to log.winbindd instead of
+     log.wb-<DOMAIN>.
+
+o  Luke Howard <lukeh at padl.com>
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+     Heimdal.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14855: SMB3 cancel requests should only include the MID together with
+     AsyncID when AES-128-GMAC is used.
+
+o  Alex Richardson <Alexander.Richardson at cl.cam.ac.uk>
+   * BUG 14862: MacOSX compilation fixes.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+
+o  Martin Schwenke <martin at meltin.net>
+   * BUG 14826: Correctly ignore comments in CTDB public addresses file.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+     Heimdal.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14864: Heimdal prefers RC4 over AES for machine accounts.
+   * BUG 14868: rodc_rwdc test flaps.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+     the salt.
+
+o  Nicolas Williams <nico at twosigma.com>
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+     bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded
+     Heimdal.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.0
                          September 20, 2021
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c03d80ac440..d2e7a76a69e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 		break;
 	}
 
-	ret = smb_krb5_salt_principal(realm,
-				      username, /* sAMAccountName */
-				      upn, /* userPrincipalName */
-				      uac_flags,
-				      mem_ctx,
-				      &salt_principal);
+	ret = smb_krb5_salt_principal_str(realm,
+					  username, /* sAMAccountName */
+					  upn, /* userPrincipalName */
+					  uac_flags,
+					  mem_ctx,
+					  &salt_principal);
 	if (ret) {
 		talloc_free(mem_ctx);
 		return ret;
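Review bot: the error domain of ret changes here without a matching change at the call site. smb_krb5_salt_principal now returns krb5_ret from krb5_build_principal_ext and krb5_parse_name (see the "return krb5_ret;" paths in the lib/krb5_wrap/krb5_samba.c hunks of this patch) as well as ENOMEM, and cli_credentials_get_keytab propagates that int unchanged; if smb_krb5_salt_principal_str forwards the code as-is, callers that interpret the value as errno will misreport krb5 failures. Normalise to one domain in the _str wrapper (map non-errno krb5 codes, or return krb5_error_code throughout) or document which domain the return value belongs to.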
diff --git a/ctdb/config/events/legacy/10.interface.script b/ctdb/config/events/legacy/10.interface.script
index 72e0c101d47..d87f6c52c58 100755
--- a/ctdb/config/events/legacy/10.interface.script
+++ b/ctdb/config/events/legacy/10.interface.script
@@ -25,7 +25,8 @@ fi
 get_all_interfaces ()
 {
     # Get all the interfaces listed in the public_addresses file
-    all_interfaces=$(sed -e 's/^[^\t ]*[\t ]*//' \
+    all_interfaces=$(sed -e '/^#.*/d' \
+			 -e 's/^[^\t ]*[\t ]*//' \
 			 -e 's/,/ /g' \
 			 -e 's/[\t ]*$//' "$ctdb_public_addresses")
 
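Review bot: '/^#.*/d' only drops comments whose '#' is at column 0. An indented comment such as "   # eth1 is the backup link" survives the delete, then 's/^[^\t ]*[\t ]*//' strips just the leading blanks and "# eth1 is the backup link" lands in all_interfaces as interface names. The case "$_ip" in \#*) check added to drop_all_public_ips in ctdb/config/functions does tolerate indentation, because read trims leading IFS whitespace, so the two parsers now disagree on the same public_addresses file. Use -e '/^[[:space:]]*#/d' (the trailing .* is redundant either way).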
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 2395d8d4dc8..a4e73ad0594 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -611,6 +611,9 @@ drop_all_public_ips ()
 	# _x is intentionally ignored
 	# shellcheck disable=SC2034
 	while read _ip _x ; do
+		case "$_ip" in
+		\#*) continue ;;
+		esac
 		drop_ip "$_ip"
 	done <"${CTDB_BASE}/public_addresses"
 }
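Review bot: the new case skips comment lines, but a blank line in public_addresses still reaches drop_ip with an empty argument, because "while read _ip _x" yields _ip="" for it. Since this loop is being hardened against non-address lines anyway, widen the pattern to ""|\#*) continue ;; . Indented comments are already covered here: read strips leading IFS whitespace before assigning _ip.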
diff --git a/ctdb/tests/UNIT/eventscripts/scripts/local.sh b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
index 0f78fcb3845..7460bf9748e 100644
--- a/ctdb/tests/UNIT/eventscripts/scripts/local.sh
+++ b/ctdb/tests/UNIT/eventscripts/scripts/local.sh
@@ -282,6 +282,7 @@ setup_public_addresses ()
 
 	echo "Setting up public addresses in ${_f}"
 	cat >"$_f" <<EOF
+# This is a comment
 10.0.0.1/24 dev123
 10.0.0.2/24 dev123
 10.0.0.3/24 dev123
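Review bot: the fixture only exercises a comment starting at column 0, which both the sed in 10.interface.script and the case in drop_all_public_ips accept. Add an indented comment line (for example "  # indented comment") and a blank line to the heredoc, so the test also covers the inputs on which the sed expression '/^#.*/d' and the read-based check currently behave differently.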
diff --git a/ctdb/tests/UNIT/eventscripts/stubs/ctdb b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
index 12627de16a5..fc7bd4fdd84 100755
--- a/ctdb/tests/UNIT/eventscripts/stubs/ctdb
+++ b/ctdb/tests/UNIT/eventscripts/stubs/ctdb
@@ -425,7 +425,7 @@ ctdb_ifaces()
 	# Assume -Y.
 	echo "|Name|LinkStatus|References|"
 	while read _ip _iface ; do
-		case "_$ip" in
+		case "$_ip" in
 		\#*) : ;;
 		*)
 			_status=1
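Review bot: correct fix. With "_$ip" the unset $ip expanded to the literal "_", so the \#*) branch could never match and every comment line in the stub's input was reported as an interface with _status=1. shellcheck reports $ip as referenced but never assigned (SC2154), and set -u at the top of the stub would have turned it into a hard error; enabling one of those on the test stubs would make the next typo of this kind fail loudly instead of silently changing test output.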
diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
index 3b7487c1b1c..7a643b8879c 100644
--- a/docs-xml/manpages/winbindd.8.xml
+++ b/docs-xml/manpages/winbindd.8.xml
@@ -195,7 +195,25 @@ hosts:		files wins
 		</para></listitem>
 		</varlistentry>
 
-		&cmdline.common.samba.server;
+		&cmdline.common.debug.server;
+		&cmdline.common.config.server;
+		&cmdline.common.option;
+
+		<varlistentry>
+			<term>-l|--log-basename=logdirectory</term>
+			<listitem>
+				<para>
+					Base directory name for log/debug files. The parent process
+					uses filename log.winbindd, the child process uses filename
+					log.wb-<name>. The log file is never removed by winbindd.
+				</para>
+			</listitem>
+		</varlistentry>
+
+		&cmdline.common.samba.leakreport;
+		&cmdline.common.samba.leakreportfull;
+		&cmdline.version;
+
 		&popt.autohelp;
 
 	</variablelist>
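Review bot: "log.wb-<name>" inside the new para is a raw <name> start tag with no matching end tag, which is not well-formed XML and will fail the DocBook build unless the committed file actually reads log.wb-&lt;name&gt; and the archive rendering unescaped it. Use the entity form in the source. Also consider saying "<replaceable>name</replaceable>" for the placeholder, which is how other options in this manpage mark variable parts.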
diff --git a/lib/audit_logging/audit_logging.c b/lib/audit_logging/audit_logging.c
index 9fe2d3ba45d..87378e1bb95 100644
--- a/lib/audit_logging/audit_logging.c
+++ b/lib/audit_logging/audit_logging.c
@@ -70,7 +70,7 @@ char* audit_get_timestamp(TALLOC_CTX *frame)
 
 	strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
 	strftime(tz, sizeof(tz)-1, "%Z", tm_info);
-	ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
+	ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, (long)tv.tv_usec, tz);
 	if (ts == NULL) {
 		DBG_ERR("Out of memory formatting time stamp\n");
 	}
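Review bot: the (long) cast is the right fix for the %06ld mismatch (suseconds_t is not long on every platform, which is what breaks the macOS build), but the two strftime calls directly above still discard their return value. strftime returns 0 on failure and leaves the array contents indeterminate, so talloc_asprintf can then format garbage into the audit timestamp. Check both return values, or at least zero-initialise buffer and tz, while touching this function.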
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
  *
  * @see smb_krb5_salt_principal2data
  */
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+			    const char *realm,
 			    const char *sAMAccountName,
 			    const char *userPrincipalName,
 			    uint32_t uac_flags,
-			    TALLOC_CTX *mem_ctx,
-			    char **_salt_principal)
+			    krb5_principal *salt_princ)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	char *upper_realm = NULL;
 	const char *principal = NULL;
 	int principal_len = 0;
+	krb5_error_code krb5_ret;
 
-	*_salt_principal = NULL;
+	*salt_princ = NULL;
 
 	if (sAMAccountName == NULL) {
 		TALLOC_FREE(frame);
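Review bot: the return type stays int while the body now returns both errno values (ENOMEM) and krb5_error_code values ("return krb5_ret;" in the trust and UPN branches of the later hunk), so callers cannot tell which domain a non-zero result belongs to. Either declare the function krb5_error_code and convert the ENOMEM paths, or map krb5_ret before returning. The doc block ending in "@see smb_krb5_salt_principal2data" also needs updating for the new krb5_ctx and krb5_principal *salt_princ parameters and the removed mem_ctx/_salt_principal pair, and principal/principal_len should be checked for remaining uses now that their assignments in the trust and UPN branches are removed.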
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
 	 */
 	if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
 		int computer_len = 0;
-		char *tmp = NULL;
 
 		computer_len = strlen(sAMAccountName);
 		if (sAMAccountName[computer_len-1] == '$') {
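Review bot: sAMAccountName[computer_len-1] reads one byte before the string when sAMAccountName is empty, since the only guard visible earlier in this function rejects NULL, not "". Unless one of the lines between the two hunks already rejects an empty name, add "if (computer_len == 0) { TALLOC_FREE(frame); return EINVAL; }" (or whatever code the NULL path returns) ahead of the '$' check. Pre-existing, but this patch is reworking exactly this branch.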
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
 		}
 
 		if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
-			principal = talloc_asprintf(frame, "krbtgt/%*.*s",
-						    computer_len, computer_len,
-						    sAMAccountName);
-			if (principal == NULL) {
+			const char *krbtgt = "krbtgt";
+			krb5_ret = krb5_build_principal_ext(krb5_ctx,
+							    salt_princ,
+							    strlen(upper_realm),
+							    upper_realm,
+							    strlen(krbtgt),
+							    krbtgt,
+							    computer_len,
+							    sAMAccountName,
+							    0);
+			if (krb5_ret != 0) {
 				TALLOC_FREE(frame);
-				return ENOMEM;
+				return krb5_ret;
 			}
 		} else {
-
-			tmp = talloc_asprintf(frame, "host/%*.*s.%s",
-					      computer_len, computer_len,
-					      sAMAccountName, realm);
+			const char *host = "host";
+			char *tmp = NULL;
+			char *tmp_lower = NULL;
+
+			tmp = talloc_asprintf(frame, "%*.*s.%s",
+					      computer_len,
+					      computer_len,
+					      sAMAccountName,
+					      realm);
 			if (tmp == NULL) {
 				TALLOC_FREE(frame);
 				return ENOMEM;
 			}
 
-			principal = strlower_talloc(frame, tmp);
-			TALLOC_FREE(tmp);
-			if (principal == NULL) {
+			tmp_lower = strlower_talloc(frame, tmp);
+			if (tmp_lower == NULL) {
 				TALLOC_FREE(frame);
 				return ENOMEM;
 			}
-		}
 
-		principal_len = strlen(principal);
+			krb5_ret = krb5_build_principal_ext(krb5_ctx,
+							    salt_princ,
+							    strlen(upper_realm),
+							    upper_realm,
+							    strlen(host),
+							    host,
+							    strlen(tmp_lower),
+							    tmp_lower,
+							    0);
+			if (krb5_ret != 0) {
+				TALLOC_FREE(frame);
+				return krb5_ret;
+			}
+		}
 
 	} else if (userPrincipalName != NULL) {
-		char *p;
+		/*
+		 * We parse the name not only to allow an easy
+		 * replacement of the realm (no matter the realm in
+		 * the UPN, the salt comes from the upper-case real
+		 * realm, but also to correctly provide a salt when
+		 * the UPN is host/foo.bar
+		 *
+		 * This can fail for a UPN of the form foo at bar@REALM
+		 * (which is accepted by windows) however.
+		 */
+		krb5_ret = krb5_parse_name(krb5_ctx,
+					   userPrincipalName,
+					   salt_princ);
 
-		principal = userPrincipalName;
-		p = strchr(principal, '@');
-		if (p != NULL) {
-			principal_len = PTR_DIFF(p, principal);
-		} else {
-			principal_len = strlen(principal);
+		if (krb5_ret != 0) {
+			TALLOC_FREE(frame);
+			return krb5_ret;
+		}
+
+		/*
+		 * No matter what realm (including none) in the UPN,


-- 
Samba Shared Repository


