[SCM] Samba Shared Repository - annotated tag ldb-2.2.2 created

Stefan Metzmacher metze at samba.org
Thu Oct 28 15:43:46 UTC 2021


The annotated tag, ldb-2.2.2 has been created
        at  492762c29e2a199d012f1e759468380cfa602dcb (tag)
   tagging  74e65d7c06c5eda79105f43d87efcaec09dfbb77 (commit)
  replaces  samba-4.13.12
 tagged by  Stefan Metzmacher
        on  Thu Oct 28 17:43:38 2021 +0200

- Log -----------------------------------------------------------------
ldb: tag release ldb-2.2.2

Andreas Schneider (1):
      waf: Allow building with MIT KRB5 >= 1.20

Andrew Bartlett (9):
      autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
      selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
      kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
      kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
      selftest: Remove duplicate setup of $base_dn and $ldbmodify
      selftest: Improve error handling and perl style when setting up users in Samba4.pm
      dsdb: Allow special chars like "@" in samAccountName when generating the salt
      lib/krb5_wrap: Fix missing error check in new salt code
      ldb: Release ldb 2.2.1

David Mulder (1):
      python: Move dsdb_Dn to samdb

Douglas Bagnall (3):
      python/join: use the provided krbtgt link in cleanup_old_accounts
      pytest/rodc_rwdc: try to avoid race.
      pytest: dynamic tests optionally add __doc__

Isaac Boukris (4):
      kdc: remove KRB5SignedPath, to be replaced with PAC
      kdc: sign ticket using Windows PAC
      krb5: allow NULL parameter to krb5_pac_free()
      krb5: rework PAC validation loop

Joseph Sutton (150):
      krb5pac.idl: Add ticket checksum PAC buffer type
      security.idl: Add well-known SIDs for FAST
      tests/krb5: Calculate expected salt if not given explicitly
      tests/krb5: Add methods to obtain the length of checksum types
      tests/krb5: Use signed integers to represent key version numbers in ASN.1
      tests/krb5: Add KDCOptions flag for constrained delegation
      tests/krb5: Use more compact dict lookup
      tests/krb5: Replace expected_cname_private with expected_anon parameter
      tests/krb5: Allow specifying an OU to create accounts in
      tests/krb5: Allow specifying additional User Account Control flags for account
      tests/krb5: Keep track of account DN in credentials object
      tests/krb5: Move padata generation methods to base class
      tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
      tests/krb5: Don't create PAC request manually in as_req_tests
      tests/krb5: Don't create PAC request or options manually in fast_tests
      tests/krb5: Remove magic constants
      tests/krb5: Allow specifying ticket flags expected to be set or reset
      tests/krb5: Make time assertion less strict
      tests/krb5: Allow Kerberos requests to be sent to DC or RODC
      tests/krb5: Check for presence of 'renew-till' element
      tests/krb5: Check 'caddr' element
      tests/krb5: Check for presence of 'key-expiration' element
      tests/krb5: Create testing accounts in appropriate containers
      tests/krb5: Allow specifying status code to be checked
      tests/krb5: Get expected cname from TGT for TGS-REQ messages
      tests/krb5: Get encpart decryption key from kdc_exchange_dict
      tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
      tests/krb5: Generate padata for FAST tests
      tests/krb5: Sign-extend kvno from 32-bit integer
      tests/krb5: Add method to get RODC krbtgt credentials
      tests/krb5: Add get_secrets() method to get the secret attributes of a DN
      tests/krb5: Allow replicating accounts to the RODC
      tests/krb5: Create RODC account for testing
      tests/krb5: Allow replicating accounts to the created RODC
      python: Don't leak file handles
      python/join: Check for correct msDS-KrbTgtLink attribute
      tests/krb5: Add helper method for modifying PACs
      tests/krb5: Check correct flags element
      tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
      tests/krb5: Allow tgs_req() to send additional padata
      tests/krb5: Allow tgs_req() to specify different kdc-options
      tests/krb5: Allow tgs_req() to send requests to the RODC
      tests/krb5: Allow as_req() to specify different kdc-options
      tests/krb5: Use PAC buffer type constants from krb5pac.idl
      tests/krb5: Don't manually create PAC request and options in fast_tests
      tests/krb5: Set DN of created accounts to ldb.Dn type
      tests/krb5: Allow get_service_ticket() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to specify different kdc-options
      tests/krb5: Allow get_tgt() to specify expected and unexpected flags
      tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
      tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
      tests/krb5: Cache obtained tickets
      tests/krb5: Add methods for creating zeroed checksums and verifying checksums
      tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
      tests/krb5: Add method to verify ticket PAC checksums
      tests/krb5: Add method for modifying a ticket and creating PAC checksums
      tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
      tests/krb5: Make get_default_enctypes() return a set of enctype constants
      tests/krb5: Add methods to convert between enctypes and bitfields
      tests/krb5: Get supported enctypes for credentials from database
      tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
      tests/krb5: Set key version number for all accounts created with create_account()
      tests/krb5: Allow tgs_req() to check the returned ticket enc-part
      tests/krb5: Add method to get DC credentials
      tests/krb5: Fix checking for presence of authorization data
      tests/krb5: Provide ticket enc-part key to tgs_req()
      tests/krb5: Simplify account creation
      tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
      tests/krb5: Verify checksums of tickets obtained from the KDC
      tests/krb5: Add method to determine if principal is krbtgt
      tests/krb5: Add classes for testing invalid checksums
      tests/krb5: Rename method parameter
      tests/krb5: Remove unused parameter
      tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
      tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
      tests/krb5: Fix PA-PAC-OPTIONS checking
      tests/krb5: Rename allowed_to_delegate_to parameter for clarity
      tests/krb5: Allow created accounts to use resource-based constrained delegation
      tests/krb5: Add assertion to make failures clearer
      tests/krb5: Introduce helper method for creating invalid length checksums
      tests/krb5: Fix method for creating invalid length zeroed checksum
      tests/krb5: Fix checksum generation and verification
      tests/krb5: Allow excluding the PAC server checksum
      tests/krb5: Fix handling authdata with missing PAC
      tests/krb5: Fix status code checking
      tests/krb5: Make expected_sname checking more explicit
      tests/krb5: Fix assertElementFlags()
      tests/krb5: Remove unneeded parameters from ticket cache key
      tests/krb5: Fix checking for presence of error data
      tests/krb5: Add expect_claims parameter to kdc_exchange_dict
      tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
      tests/krb5: Check constrained delegation PAC buffer
      tests/krb5: Save account SPN
      tests/krb5: Allow specifying options and expected flags when obtaining a ticket
      tests/krb5: Supply supported account enctypes in tgs_req()
      tests/krb5: Add parameter to enforce presence of ticket checksums
      tests/krb5: Add compatability tests for ticket checksums
      tests/krb5: Use correct principal name type
      tests/krb5: Clarify checksum type assertion message
      tests/krb5: Fix padata checking at functional level 2003
      tests/krb5: Add environment variable to specify KDC FAST support
      tests/krb5: Check padata types when STRICT_CHECKING=0
      tests/krb5: Check logon name in PAC
      tests/krb5: Simplify padata checking
      tests/krb5: Disable debugging output for tests
      tests/krb5: Provide clearer assertion messages for test failures
      tests/krb5: Fix sha1 checksum type
      selftest/dbcheck: Fix up RODC one-way links
      tests/krb5: Add TKT_SIG_SUPPORT environment variable
      tests/krb5: Require ticket checksums if decryption key is available
      tests/krb5: Verify tickets obtained with get_service_ticket()
      tests/krb5: Add constrained delegation tests
      tests/krb5: Don't include empty AD-IF-RELEVANT
      tests/krb5: Allow bypassing cache when creating accounts
      tests/krb5: Fix duplicate account creation
      s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
      s4:kdc: Fix debugging messages
      s4/torture: Expect ticket checksum PAC buffer
      s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
      heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
      s4:kdc: Check ticket signature
      heimdal:kdc: Fix ticket signing without a PAC
      tests/krb5: Allow get_tgt() to request including or omitting a PAC
      tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
      tests/krb5: Add method to get the PAC from a ticket
      tests/krb5: Add tests for requesting a service ticket without a PAC
      tests/krb5: Ensure PAC is not present if expect_pac is false
      tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
      selftest: Increase account lockout windows to make test more realiable
      selftest: krb5 account creation: clarify account type as an enum
      tests/krb5: Decrease length of test account prefix
      tests/krb5: Allow specifying prefix or suffix for test account names
      tests/krb5: Allow creating machine accounts without a trailing dollar
      tests/krb5: Allow specifying the UPN for test accounts
      tests/krb5: Fix account salt calculation to match Windows
      tests/krb5: Add tests for account salt calculation
      pytest:segfault: Add test for ldb.msg_diff()
      ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
      pyldb: Avoid use-after-free in msg_diff()
      Fix Python docstrings
      pytest:segfault: Add test for deleting an ldb.Message dn
      pyldb: Fix deleting an ldb.Message dn
      pytest:segfault: Add test for deleting an ldb.Control critical flag
      pyldb: Fix deleting an ldb.Control critical flag
      s4/torture/drs/python: Fix attribute existence check
      pyldb: Add test for an invalid ldb.Message index type
      pyldb: Raise TypeError for an invalid ldb.Message index
      pyldb: Add tests for ldb.Message containment testing
      pyldb: Make ldb.Message containment testing consistent with indexing

Jule Anger (1):
      VERSION: Bump version up to Samba 4.13.13...

Luke Howard (4):
      krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
      kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
      kdc: use ticket client name when signing PAC
      kdc: correctly generate PAC TGS signature

Nicolas Williams (1):
      krb5: Fix PAC signature leak affecting KDC

Stefan Metzmacher (5):
      wafsamba: add support git worktree to vcs_dir_contents()
      script/bisect-test.py: add support git worktree
      wscript: fix installing pre-commit with 'git worktree'
      selftest/Samba3: remove unused close(USERMAP); calls
      selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")

Viktor Dukhovni (1):
      HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

-----------------------------------------------------------------------


-- 
Samba Shared Repository


