[SCM] Samba Shared Repository - branch v4-13-stable updated

Jule Anger janger at samba.org
Wed Sep 22 07:04:32 UTC 2021


The branch, v4-13-stable has been updated
       via  aa756f3f9fc VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.
       via  4703acc82c8 WHATSNEW: Add release notes for Samba 4.13.12.
       via  b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
       via  7a2a6e0bcb0 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
       via  1e27b45f49c tests/krb5: Allow expected_error_mode to be a container type
       via  57800189c5f tests/krb5: Allow specifying parameters specific to the inner FAST request body
       via  b5e11c10966 tests/krb5: Add tests for omitting sname in request
       via  cabc5b114dc tests/krb5: Check PADATA-PW-SALT element in e-data
       via  8a8872f7070 tests/krb5: Check e-data element for TGS-REP errors without FAST
       via  bd76f6d47e7 tests/krb5: Remove harmful and a-typical return in as_req testcase
       via  d3a611377bd CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
       via  a67cda7159f CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
       via  95de6d138ad tests/krb5: Make cname checking less strict
       via  497b461238b tests/krb5: Make e-data checking less strict
       via  17c7bc10695 selftest: Remove knownfail for no_etypes FAST tests
       via  27e964233a5 tests/krb5: Add FAST tests
       via  576e5ca2e9c initial FAST tests
       via  e7e79028093 tests/krb5: Check PADATA-FX-ERROR in reply
       via  1fd611e9e7f tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  83073237a95 tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  48199d18cc9 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  8fa99e31658 tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  e1c4d715a61 tests/krb5: Check PADATA-FX-COOKIE in reply
       via  2391eabfcf2 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  40da4ffbf18 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  0febff53f38 tests/krb5: Check reply FAST padata if request included FAST
       via  ee892faca94 tests/krb5: Check sname is krbtgt for FAST generic error
       via  2356b4d9b75 tests/krb5: Add get_krbtgt_sname() method
       via  be4977249bc tests/krb5: Remove unused variables
       via  fef9198aafc tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  087cf5f9504 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  efe112dfa56 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  bef5024da8c tests/krb5: Include authdata in kdc_exchange_dict
       via  8eaa8e10383 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  8a3b41f0483 tests/krb5: Check encrypted-pa-data
       via  701e5c98399 tests/krb5: Add methods to determine whether elements were included in the request
       via  64b5183a776 tests/krb5: Add functions to get dicts of request padata
       via  cedfc67ede4 tests/krb5: Check FAST response
       via  5d39d4b36e8 tests/krb5: Add method to verify ticket checksum for FAST
       via  b551c801193 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  de8fbf93111 tests/krb5: Allow specifying parameters specific to the outer request body
       via  3be408a3a83 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  52eb693ac31 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  25b6681c3cd tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  a57e79c5fce tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  6264ed42420 tests/krb5: Add methods to calculate keys for FAST
       via  b7562c873e8 tests/krb5: Add method to generate FAST encrypted challenge padata
       via  0e33a06673b tests/krb5: Add more methods to create ASN1 objects for FAST
       via  dbeafd158a4 tests/krb5: Add more ASN1 definitions for FAST
       via  1ce82cbc9d6 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  04a6c902ede tests/krb5: Ensure generated padata is not None
       via  a9e421c4bfa tests/krb5: Add generate_ap_req() method
       via  d9f406518ca tests/krb5: Check nonce in EncKDCRepPart
       via  d81a88a78f4 tests/krb5: Make checking less strict
       via  ee9b0a028c2 tests/krb5: Check version number of obtained ticket
       via  1e451d724b0 tests/krb5: Assert that more variables are not None
       via  db6495a2377 tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  81408702949 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  cc1f6fcddbc tests/krb5: Include kdc_options in kdc_exchange_dict
       via  d82d3a20d32 tests/krb5: Always specify expected error code
       via  235873ff334 tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  dcd9320cd9c tests/krb5: Add method to calculate account salt
       via  afcf48e752c tests/krb5: Add more methods for obtaining machine and service credentials
       via  caca311af0a tests/krb5: Allow specifying additional details when creating an account
       via  34faed8971c tests/krb5: Use encryption with admin credentials
       via  5cada922527 tests/krb5: Add get_EpochFromKerberosTime()
       via  2e42112ef96 tests/krb5: Make _test_as_exchange() return value more consistent
       via  ce7b1d71142 tests/krb5: Add method to return dict containing padata elements
       via  11001fca4d2 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  ca5b9aff8f9 tests/krb5: Refactor get_pa_data()
       via  70dd144a05f tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  2ae49840a4f tests/krb5: Use credentials kvno when creating password key
       via  e2d952cfa02 tests/krb5: Check Kerberos protocol version number
       via  e79061f0626 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  2f12714196c tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  a4e70d45d3b tests/krb5: Fix callback_dict parameter
       via  254bd5ad6ed tests/krb5: Fix including enc-authorization-data
       via  d4c3e11e247 tests/krb5: Remove magic constants
       via  cd3b4785b9a tests/krb5: Simplify Python syntax
       via  80757c65b24 tests/krb5: Use more compact dict lookup
       via  c3ffa232c03 tests/krb5: Remove unneeded statements
       via  70f6cf7afce tests/krb5: formatting
       via  fa26a95dda1 tests/krb5: Fix method name typo
       via  c76cf2bc054 tests/krb5: Fix comment typo
       via  7b16ffcb46f tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  11cf6255573 pygensec: Don't modify Python bytes objects
       via  52898d56abb pygensec: Fix memory leaks
       via  3e013f04e19 selftest: add option to pass args to tests to planpythontestsuite()
       via  a5a26564a87 selftest: Add support for setting ENV variables in plantestsuite()
       via  f5e4fc453b1 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
       via  e6de4d851c0 selftest: Re-format long lines in selftesthelpers.py
       via  63be60227a8 selftest: add space after --list in output of selftesthelpers.py
       via  e1a4921d5e3 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
       via  07610622027 tests/krb5: Use admin creds for SamDB rather than user creds
       via  09d0e89265c tests/krb5/as_canonicalization_tests.py: Refactor account creation
       via  5a0af3e510e tests/krb5: Deduplicate 'host' attribute initialisation
       via  c76c9f15a78 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
       via  75f534c0ac5 tests/krb5/as_req_tests.py: Check the client kvno
       via  02f3bd6a821 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
       via  9db32a6a456 tests/krb5/as_req_tests.py: Automatically obtain credentials
       via  56b5ceb0c64 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
       via  ea9083dfd63 tests/krb5/raw_testcase.py: Simplify conditionals
       via  d88603f8b5c tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
       via  23496bb7cf3 tests/krb5/raw_testcase.py: Cache obtained credentials
       via  7bd0c7f557b tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
       via  5b209e40ec2 tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
       via  44018e6131c tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
       via  1c0c89ac3bf tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
       via  768f1d71b93 tests/krb5/kdc_base_test.py: Create loadparm only when needed
       via  113fa4ecfd1 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
       via  807773d382b tests/krb5/kdc_base_test.py: Create database connection only when needed
       via  051487c6ab9 tests/krb5/raw_testcase.py: Add get_admin_creds()
       via  fa1a2eb7b9a tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
       via  d371e8688c3 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
       via  99acba0be9e tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
       via  ec49afa5a23 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
       via  1b36e3bd7e2 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
       via  e6682e51206 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
       via  38c4f77b9e4 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
       via  697edd2e1db tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
       via  1ec0efe26ff tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
       via  159384d02fb tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
       via  bf799b23de2 tests/krb5/raw_testcase.py: add assertElement*()
       via  5e69e2d7cd1 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
       via  ce264474d29 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
       via  a83ea43c7ba tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
       via  9d32cb48194 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
       via  019b77dbb85 auth/credentials: allow credentials.Credentials to act as base class
       via  8737c731040 python: Make credentials cache test run against Windows
       via  3a586a81f58 python: Fix ticket timestamp conversion when local timezone is not UTC
       via  9bf0f33ad10 python: Fix erroneous increments of reference counts
       via  73bba60d737 python: Ensure reference counts are properly incremented
       via  b32c1932054 python: Add SMB credentials cache test
       via  ff4d39737c5 pylibsmb: Add posix_whoami()
       via  d75226b9092 libsmb: Ensure that whoami parses all the data provided to it
       via  1208a4dce1e libsmb: Check to see that whoami is not receiving more data than it requested
       via  e80ad4c0f29 libsmb: Avoid undefined behaviour when parsing whoami state
       via  1a3cc9a4e2d libsmb: Remove overflow check
       via  8e70f0c174a Revert "libsmb: Use sid_parse()"
       via  c40a90d7c7a python: Add RPC credentials cache test
       via  bb9ff0e143a python: Add LDAP credentials cache test
       via  848458d1704 python: Add credentials cache test
       via  02bfb9e2daf krb5: Add Python functions to create a credentials cache containing a service ticket
       via  98727cd606c librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
       via  38d622f38ea krb5ccache.idl: Add definition for a Kerberos credentials cache
       via  a47b37c170f Revert "s4-test: fixed ndrdump test for top level build"
       via  1854fc55a30 pygensec: Fix method documentation
       via  522ebd8e7c9 auth:creds: Fix parameter in creds.set_named_ccache()
       via  427185f8a99 auth:creds: Remove unused variable
       via  1748470cc21 tests python krb5: MS-KILE client principal look-up
       via  9e0cf55529a librpc: Add py_descriptor_richcmp() equality function
       via  28dee15ee08 tests python krb5: PEP8 cleanups
       via  03e4bbb8d85 tests python krb5: use key usage constants
       via  d9f914d0820 tests python krb5: Add key usage constants
       via  f38ba415847 tests python krb5: initial TGS tests
       via  81923ea8232 tests python krb5: add test base class
       via  c8f1511ea49 tests python krb5: Add Authorization data ad-type constants
       via  bde787c8484 tests python krb5: Extra canonicalization tests
       via  f719d74eb7e tests python krb5: add arcfour salt tests
       via  f79c7c3217c tests python krb5: refactor compatability tests
       via  82d2ce2a66b tests python krb5: Convert kdc-heimdal to python
       via  ab09ca1b0e9 tests python krb5: raw_testcase permit RC4 salts
       via  7858fd1799d tests python krb5: Refactor compatability test constants
       via  1543efaead3 tests python krb5: Refactor canonicalization test constants
       via  8610d03794e tests python krb5: Add constants module
       via  fb05f15519c tests python krb5: Add python kerberos compatability tests
       via  a142057393f selftest: add heimdal kdc specific known fail
       via  d810539294b selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
       via  ed2c276f765 selftest: Add in encrypted-pa-data from RFC 6806
       via  08a296f9018 selftest: Fix formatting of failure (traceback and options swapped in format string)
       via  657dde3bdf2 selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name
       via  a07052104f3 samdb: Add samdb.domain_netbios_name()
       via  0242419a010 selftest: Make as_canonicalization_tests.py easier to run outside "make test"
       via  d08faae8bd0 selftest: Fix flipped machine and user constants
       via  d7ebc3b7055 selftest: Send enterprise principals tagged as such
       via  ca83a606256 tests python krb5: Add python kerberos canonicalization tests
       via  8536b5f4397 tests python krb5: Add canonicalize flag to ASN1
       via  71f30ca29b4 tests python krb5: Make PrincipalName_create a class method
       via  44841d2b18b selftest: add mit kdc specific known fail
       via  cea68cbf537 ctdb-daemon: Don't mark a node as unhealthy when connecting to it
       via  479fc4fee0c ctdb-daemon: Ignore flag changes for disconnected nodes
       via  cc3ce341ee1 ctdb-daemon: Simplify ctdb_control_modflags()
       via  3ab6be4f7bc ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
       via  7c4daa7ffa0 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
       via  c4d7ed5eac4 ctdb-daemon: Modernise remaining debug macro in this function
       via  3d2313dc906 ctdb-daemon: Update logging for flag changes
       via  85372296a7e ctdb-daemon: Correct the condition for logging unchanged flags
       via  c89f30810d3 ctdb-tools: Use disable and enable controls in tool
       via  75b8b5de3e8 ctdb-client: Add client code for disable/enable controls
       via  ce58aefb4ee ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
       via  7aac8fd9e5e ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
       via  65f9b5520d2 ctdb-daemon: Factor out a function to get node structure from PNN
       via  e3578ea22cb ctdb-daemon: Add a helper variable
       via  3d797b570b0 ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
       via  ac8bbe2d0ae ctdb-protocol: Add new controls to disable and enable nodes
       via  74aa5b204e2 ctdb-recoverd: Push flags for a node if any remote node disagrees
       via  e93c885426d ctdb-recoverd: Update the local node map before pushing out flags
       via  76f8dffb527 ctdb-recoverd: Add a helper variable
       via  4ada6c24a5c selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
       via  33ef89475b0 s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
       via  be4f4f4f594 selftest: Add a test for LookupSids3 and LookupNames4 in python
       via  02c40fd92dc dsdb: Be careful to avoid use of the expensive talloc_is_parent()
       via  49a15402f4d selftest: Only run samba_tool_drs_showrepl test once
       via  a69c7cb30fd selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
       via  a7fe21a0d66 VERSION: Bump version up to Samba 4.13.12...
      from  2119f9f9f66 VERSION: Disable GIT_SNAPSHOT for the 4.13.11 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   81 +-
 auth/credentials/pycredentials.c                   |    8 +-
 ctdb/client/client_control_sync.c                  |   68 +
 ctdb/client/client_sync.h                          |   12 +
 ctdb/include/ctdb_private.h                        |    2 +
 ctdb/protocol/protocol.h                           |    4 +-
 ctdb/protocol/protocol_api.h                       |    6 +
 ctdb/protocol/protocol_client.c                    |   36 +
 ctdb/protocol/protocol_control.c                   |   12 +
 ctdb/protocol/protocol_debug.c                     |    2 +
 ctdb/server/ctdb_control.c                         |   42 +
 ctdb/server/ctdb_daemon.c                          |   35 +-
 ctdb/server/ctdb_monitor.c                         |   67 +-
 ctdb/server/ctdb_recoverd.c                        |  120 +-
 ctdb/server/ctdb_server.c                          |    1 -
 ctdb/tests/UNIT/cunit/protocol_test_101.sh         |    2 +-
 ctdb/tests/src/fake_ctdbd.c                        |   54 +
 ctdb/tests/src/protocol_common_ctdb.c              |   24 +
 ctdb/tests/src/protocol_ctdb_test.c                |    2 +-
 ctdb/tools/ctdb.c                                  |   57 +-
 lib/talloc/pytalloc.c                              |    4 +-
 libgpo/pygpo.c                                     |    2 +-
 librpc/idl/krb5ccache.idl                          |  115 +
 librpc/idl/wscript_build                           |    1 +
 librpc/wscript_build                               |    8 +-
 python/samba/netcmd/user.py                        |   10 +-
 python/samba/samdb.py                              |   15 +
 python/samba/tests/blackbox/ndrdump.py             |   45 +-
 python/samba/tests/dcerpc/lsa.py                   |  333 +++
 python/samba/tests/dsdb_schema_attributes.py       |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |  434 ++++
 python/samba/tests/krb5/as_req_tests.py            |  218 ++
 python/samba/tests/krb5/compatability_tests.py     |  227 ++
 python/samba/tests/krb5/fast_tests.py              | 1691 +++++++++++++
 python/samba/tests/krb5/kcrypto.py                 |   79 +-
 python/samba/tests/krb5/kdc_base_test.py           |  913 +++++++
 python/samba/tests/krb5/kdc_tests.py               |  228 ++
 python/samba/tests/krb5/kdc_tgs_tests.py           |  213 ++
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  829 +++++++
 .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}   |    0
 python/samba/tests/krb5/raw_testcase.py            | 2511 +++++++++++++++++---
 python/samba/tests/krb5/rfc4120.asn1               |  187 +-
 python/samba/tests/krb5/rfc4120_constants.py       |  171 ++
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  241 +-
 python/samba/tests/krb5/s4u_tests.py               |   38 +-
 python/samba/tests/krb5/simple_tests.py            |   49 +-
 python/samba/tests/krb5/test_ccache.py             |  135 ++
 python/samba/tests/krb5/test_ldap.py               |   96 +
 python/samba/tests/krb5/test_rpc.py                |   79 +
 python/samba/tests/krb5/test_smb.py                |  110 +
 python/samba/tests/krb5/xrealm_tests.py            |   45 +-
 python/samba/tests/samdb.py                        |   13 +-
 python/samba/tests/usage.py                        |   13 +
 selftest/knownfail                                 |    6 +-
 selftest/knownfail.d/kdc-enterprise                |   63 +
 selftest/knownfail_heimdal_kdc                     |  123 +
 selftest/knownfail_mit_kdc                         |  322 +++
 selftest/selftesthelpers.py                        |   58 +-
 selftest/target/Samba4.pm                          |    2 +-
 selftest/tests.py                                  |    1 +
 selftest/wscript                                   |    5 +
 source3/libsmb/clifsinfo.c                         |   44 +-
 source3/libsmb/pylibsmb.c                          |  138 +-
 source3/passdb/py_passdb.c                         |    4 -
 source3/selftest/ktest-krb5_ccache-2.txt           | 1574 ++++++++++++
 source3/selftest/ktest-krb5_ccache-3.txt           |  832 +++++++
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/gensec/pygensec.c                     |   71 +-
 source4/dsdb/schema/schema_set.c                   |   41 +-
 source4/heimdal/kdc/kerberos5.c                    |    4 +-
 source4/heimdal/kdc/krb5tgs.c                      |    4 +
 source4/librpc/ndr/py_security.c                   |   37 +
 source4/librpc/wscript_build                       |    7 +
 source4/ntvfs/posix/python/pyposix_eadb.c          |    2 +-
 source4/ntvfs/posix/python/pyxattr_native.c        |    4 +-
 source4/ntvfs/posix/python/pyxattr_tdb.c           |    2 +-
 source4/rpc_server/lsa/lsa_lookup.c                |  131 +-
 source4/selftest/tests.py                          |   91 +-
 source4/torture/krb5/kdc-heimdal.c                 |  104 +-
 80 files changed, 12688 insertions(+), 682 deletions(-)
 create mode 100644 librpc/idl/krb5ccache.idl
 create mode 100644 python/samba/tests/dcerpc/lsa.py
 create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py
 create mode 100755 python/samba/tests/krb5/as_req_tests.py
 create mode 100755 python/samba/tests/krb5/compatability_tests.py
 create mode 100755 python/samba/tests/krb5/fast_tests.py
 create mode 100644 python/samba/tests/krb5/kdc_base_test.py
 create mode 100755 python/samba/tests/krb5/kdc_tests.py
 create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py
 create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
 create mode 100644 python/samba/tests/krb5/rfc4120_constants.py
 create mode 100755 python/samba/tests/krb5/test_ccache.py
 create mode 100755 python/samba/tests/krb5/test_ldap.py
 create mode 100755 python/samba/tests/krb5/test_rpc.py
 create mode 100755 python/samba/tests/krb5/test_smb.py
 create mode 100644 selftest/knownfail.d/kdc-enterprise
 create mode 100644 selftest/knownfail_heimdal_kdc
 create mode 100644 selftest/knownfail_mit_kdc
 create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
 create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 8ab61a550f0..a1632f2e7b1 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4b33797845e..820185349ef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,81 @@
+                   ===============================
+                   Release Notes for Samba 4.13.12
+                         September 22, 2021
+                   ===============================
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.11
+---------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14806: Address a signifcant performance regression in database access
+     in the AD DC since Samba 4.12.
+   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+     Samba 4.9 by using an explicit database handle cache.
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+   * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o  Björn Baumbach <bb at sernet.de>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ
+
+o  Luke Howard <lukeh at padl.com>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Martin Schwenke <martin at meltin.net>
+   * BUG 14784: Fix CTDB flag/status update race conditions.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
                    ===============================
                    Release Notes for Samba 4.13.11
                          September 07, 2021
@@ -49,8 +127,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
 
                    ===============================
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a5d0f9e051c..e583b83d9a4 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -603,8 +603,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
 static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 {
 	char *newval;
-	enum credentials_obtained obt = CRED_SPECIFIED;
-	int _obt = obt;
 	struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
 	if (creds == NULL) {
 		PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -614,7 +612,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 	if (!PyArg_ParseTuple(args, "s", &newval)) {
 		return NULL;
 	}
-	obt = _obt;
 
 	cli_credentials_set_forced_sasl_mech(creds, newval);
 	Py_RETURN_NONE;
@@ -766,6 +763,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
 		return NULL;
+	obt = _obt;
 
 	mem_ctx = talloc_new(NULL);
 	if (mem_ctx == NULL) {
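Review bot: The value copied by the added `obt = _obt;` is not range-checked, and after this commit it reaches `cli_credentials_set_ccache()` in place of the fixed `CRED_SPECIFIED` (see the following hunk). The `i` slot of `"s|iO"` accepts any Python integer, so a caller can hand the C side an obtained-level that is not a defined enumerator; this assumes `_obt` is an `int` and `obt` an `enum credentials_obtained`, as in the pattern removed from `py_creds_set_forced_sasl_mech`. Assuming `CRED_SPECIFIED` is the highest enumerator, a guard before the assignment would close this: `if (_obt < 0 || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "invalid obtained value"); return NULL; }`. The declarations and the remainder of `py_creds_set_named_ccache` lie outside the hunk.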
@@ -781,7 +779,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	ret = cli_credentials_set_ccache(creds,
 					 lp_ctx,
-					 newval, CRED_SPECIFIED,
+					 newval, obt,
 					 &error_string);
 
 	if (ret != 0) {
@@ -1223,7 +1221,7 @@ static struct PyModuleDef moduledef = {
 PyTypeObject PyCredentials = {
 	.tp_name = "credentials.Credentials",
 	.tp_new = py_creds_new,
-	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
 	.tp_methods = py_creds_methods,
 };
 
diff --git a/ctdb/client/client_control_sync.c b/ctdb/client/client_control_sync.c
index e56a2b2f18d..29e0249198c 100644
--- a/ctdb/client/client_control_sync.c
+++ b/ctdb/client/client_control_sync.c
@@ -2718,3 +2718,71 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 
 	return 0;
 }
+
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+			   struct tevent_context *ev,
+			   struct ctdb_client_context *client,
+			   int destnode,
+			   struct timeval timeout)
+{
+	struct ctdb_req_control request;
+	struct ctdb_reply_control *reply;
+	int ret;
+
+	ctdb_req_control_disable_node(&request);
+	ret = ctdb_client_control(mem_ctx,
+				  ev,
+				  client,
+				  destnode,
+				  timeout,
+				  &request,
+				  &reply);
+	if (ret != 0) {
+		D_ERR("Control DISABLE_NODE failed to node %u, ret=%d\n",
+		      destnode,
+		      ret);
+		return ret;
+	}
+
+	ret = ctdb_reply_control_disable_node(reply);
+	if (ret != 0) {
+		D_ERR("Control DISABLE_NODE failed, ret=%d\n", ret);
+		return ret;
+	}
+
+	return 0;
+}
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+			  struct tevent_context *ev,
+			  struct ctdb_client_context *client,
+			  int destnode,
+			  struct timeval timeout)
+{
+	struct ctdb_req_control request;
+	struct ctdb_reply_control *reply;
+	int ret;
+
+	ctdb_req_control_enable_node(&request);
+	ret = ctdb_client_control(mem_ctx,
+				  ev,
+				  client,
+				  destnode,
+				  timeout,
+				  &request,
+				  &reply);
+	if (ret != 0) {
+		D_ERR("Control ENABLE_NODE failed to node %u, ret=%d\n",
+		      destnode,
+		      ret);
+		return ret;
+	}
+
+	ret = ctdb_reply_control_enable_node(reply);
+	if (ret != 0) {
+		D_ERR("Control ENABLE_NODE failed, ret=%d\n", ret);
+		return ret;
+	}
+
+	return 0;
+}
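Review bot: The first `D_ERR` in `ctdb_ctrl_disable_node`, and the matching one in `ctdb_ctrl_enable_node`, print `destnode` with `%u` although the parameter is declared `int destnode`. The conversion does not match the argument type, which `-Wformat` flags. Either change the conversion, `"Control DISABLE_NODE failed to node %d, ret=%d\n"`, or keep the unsigned rendering with an explicit cast, `(unsigned)destnode`. The cast is the safer choice if node numbers are logged unsigned elsewhere in this file, which is not visible here. The two functions are otherwise line-for-line identical apart from the control name, so the fix applies to both.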
diff --git a/ctdb/client/client_sync.h b/ctdb/client/client_sync.h
index b29e669fba4..25a9615098c 100644
--- a/ctdb/client/client_sync.h
+++ b/ctdb/client/client_sync.h
@@ -491,6 +491,18 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 				int destnode, struct timeval timeout,
 				uint64_t tunnel_id);
 
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+			   struct tevent_context *ev,
+			   struct ctdb_client_context *client,
+			   int destnode,
+			   struct timeval timeout);
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+			  struct tevent_context *ev,
+			  struct ctdb_client_context *client,
+			  int destnode,
+			  struct timeval timeout);
+
 /* from client/client_message_sync.c */
 
 int ctdb_message_recd_update_ip(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h
index 9ca87332d61..6f4111f1a18 100644
--- a/ctdb/include/ctdb_private.h
+++ b/ctdb/include/ctdb_private.h
@@ -565,6 +565,8 @@ int daemon_deregister_message_handler(struct ctdb_context *ctdb,
 void daemon_tunnel_handler(uint64_t tunnel_id, TDB_DATA data,
 			   void *private_data);
 
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn);
+
 int ctdb_start_daemon(struct ctdb_context *ctdb,
 		      bool interactive,
 		      bool test_mode_enabled);
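Review bot: The newly exported `ctdb_find_node()` prototype has no contract comment, although the definition in ctdb_daemon.c can return NULL. In that definition `CTDB_CURRENT_NODE` is mapped to `ctdb->pnn`, and NULL is returned when no entry of `ctdb->nodes` has the requested PNN. I would add above the prototype: `/* Look up a node by PNN (CTDB_CURRENT_NODE means this node); returns NULL if not found */`. The comment "Always found: PNN correctly set just before this is called" kept inside the definition now holds only for the current-node case, so it should be reworded there.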
diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h
index 35543a67cf9..403d66c3972 100644
--- a/ctdb/protocol/protocol.h
+++ b/ctdb/protocol/protocol.h
@@ -137,7 +137,7 @@ struct ctdb_call {
 /* SRVID to inform clients that an IP address has been taken over */
 #define CTDB_SRVID_TAKE_IP 0xF301000000000000LL
 
-/* SRVID to inform recovery daemon of the node flags */
+/* SRVID to inform recovery daemon of the node flags - OBSOLETE */
 #define CTDB_SRVID_SET_NODE_FLAGS 0xF400000000000000LL
 
 /* SRVID to inform recovery daemon to update public ip assignment */
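Review bot: The "OBSOLETE" marker on `CTDB_SRVID_SET_NODE_FLAGS` does not tell a reader whether the value must stay reserved or what replaces it. Since the define is kept, a fuller comment would help, for example `/* OBSOLETE: value kept reserved so it is not reused */`. The wording should be adjusted to whatever the daemon still does with this SRVID, which is not visible in this hunk.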
@@ -376,6 +376,8 @@ enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS          = 0,
 		    CTDB_CONTROL_VACUUM_FETCH            = 154,
 		    CTDB_CONTROL_DB_VACUUM               = 155,
 		    CTDB_CONTROL_ECHO_DATA               = 156,
+		    CTDB_CONTROL_DISABLE_NODE            = 157,
+		    CTDB_CONTROL_ENABLE_NODE             = 158,
 };
 
 #define MAX_COUNT_BUCKETS 16
diff --git a/ctdb/protocol/protocol_api.h b/ctdb/protocol/protocol_api.h
index bdb4bc0e2ea..b7fcc53dd68 100644
--- a/ctdb/protocol/protocol_api.h
+++ b/ctdb/protocol/protocol_api.h
@@ -615,6 +615,12 @@ void ctdb_req_control_echo_data(struct ctdb_req_control *request,
 				struct ctdb_echo_data *echo_data);
 int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply);
 
+void ctdb_req_control_disable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply);
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply);
+
 /* From protocol/protocol_debug.c */
 
 void ctdb_packet_print(uint8_t *buf, size_t buflen, FILE *fp);
diff --git a/ctdb/protocol/protocol_client.c b/ctdb/protocol/protocol_client.c
index cde544feb52..71d2f0144b3 100644
--- a/ctdb/protocol/protocol_client.c
+++ b/ctdb/protocol/protocol_client.c
@@ -2409,3 +2409,39 @@ int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply)
 
 	return reply->status;
 }
+
+/* CTDB_CONTROL_DISABLE_NODE */
+
+void ctdb_req_control_disable_node(struct ctdb_req_control *request)
+{
+	request->opcode = CTDB_CONTROL_DISABLE_NODE;
+	request->pad = 0;
+	request->srvid = 0;
+	request->client_id = 0;
+	request->flags = 0;
+
+	request->rdata.opcode = CTDB_CONTROL_DISABLE_NODE;
+}
+
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply)
+{
+	return ctdb_reply_control_generic(reply, CTDB_CONTROL_DISABLE_NODE);
+}
+
+/* CTDB_CONTROL_ENABLE_NODE */
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request)
+{
+	request->opcode = CTDB_CONTROL_ENABLE_NODE;
+	request->pad = 0;
+	request->srvid = 0;
+	request->client_id = 0;
+	request->flags = 0;
+
+	request->rdata.opcode = CTDB_CONTROL_ENABLE_NODE;
+}
+
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply)
+{
+	return ctdb_reply_control_generic(reply, CTDB_CONTROL_ENABLE_NODE);
+}
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index 4fd5a5a7d4d..076863278a3 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -419,6 +419,12 @@ static size_t ctdb_req_control_data_len(struct ctdb_req_control_data *cd)
 	case CTDB_CONTROL_ECHO_DATA:
 		len = ctdb_echo_data_len(cd->data.echo_data);
 		break;
+
+	case CTDB_CONTROL_DISABLE_NODE:
+		break;
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		break;
 	}
 
 	return len;
@@ -1418,6 +1424,12 @@ static size_t ctdb_reply_control_data_len(struct ctdb_reply_control_data *cd)
 	case CTDB_CONTROL_ECHO_DATA:
 		len = ctdb_echo_data_len(cd->data.echo_data);
 		break;
+
+	case CTDB_CONTROL_DISABLE_NODE:
+		break;
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		break;
 	}
 
 	return len;
diff --git a/ctdb/protocol/protocol_debug.c b/ctdb/protocol/protocol_debug.c
index 56f14e32b09..2e5ed9f0ced 100644
--- a/ctdb/protocol/protocol_debug.c
+++ b/ctdb/protocol/protocol_debug.c
@@ -245,6 +245,8 @@ static void ctdb_opcode_print(uint32_t opcode, FILE *fp)
 		{ CTDB_CONTROL_VACUUM_FETCH, "VACUUM_FETCH" },
 		{ CTDB_CONTROL_DB_VACUUM, "DB_VACUUM" },
 		{ CTDB_CONTROL_ECHO_DATA, "ECHO_DATA" },
+		{ CTDB_CONTROL_DISABLE_NODE, "DISABLE_NODE" },
+		{ CTDB_CONTROL_ENABLE_NODE, "ENABLE_NODE" },
 		{ MAP_END, "" },
 	};
 
diff --git a/ctdb/server/ctdb_control.c b/ctdb/server/ctdb_control.c
index 95f3b175934..a9d1aa1b438 100644
--- a/ctdb/server/ctdb_control.c
+++ b/ctdb/server/ctdb_control.c
@@ -173,6 +173,40 @@ done:
 	TALLOC_FREE(state);
 }
 
+static int ctdb_control_disable_node(struct ctdb_context *ctdb)
+{
+	struct ctdb_node *node;
+
+	node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+	if (node == NULL) {
+		/* Can't happen */
+		DBG_ERR("Unable to find current node\n");
+		return -1;
+	}
+
+	D_ERR("Disable node\n");
+	node->flags |= NODE_FLAGS_PERMANENTLY_DISABLED;
+
+	return 0;
+}
+
+static int ctdb_control_enable_node(struct ctdb_context *ctdb)
+{
+	struct ctdb_node *node;
+
+	node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+	if (node == NULL) {
+		/* Can't happen */
+		DBG_ERR("Unable to find current node\n");
+		return -1;
+	}
+
+	D_ERR("Enable node\n");
+	node->flags &= ~NODE_FLAGS_PERMANENTLY_DISABLED;
+
+	return 0;
+}
+
 /*
   process a control request
  */
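Review bot: `D_ERR("Disable node\n")` and `D_ERR("Enable node\n")` record a successful administrative state change at error level, and they do not identify the node. These handlers set and clear `NODE_FLAGS_PERMANENTLY_DISABLED` on the local node, so this line is the audit trail for a node leaving or rejoining service. A notice-level message naming the node, e.g. `D_NOTICE("Disable node %u\n", node->pnn);`, would be easier to filter and to correlate across cluster logs. The dispatcher's request argument is not passed to these helpers; if it carries the sender's identity, passing it down and logging it would make the record more useful for incident review.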
@@ -828,6 +862,14 @@ static int32_t ctdb_control_dispatch(struct ctdb_context *ctdb,
 		return ctdb_control_echo_data(ctdb, c, indata, async_reply);
 	}
 
+	case CTDB_CONTROL_DISABLE_NODE:
+		CHECK_CONTROL_DATA_SIZE(0);
+		return ctdb_control_disable_node(ctdb);
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		CHECK_CONTROL_DATA_SIZE(0);
+		return ctdb_control_enable_node(ctdb);
+
 	default:
 		DEBUG(DEBUG_CRIT,(__location__ " Unknown CTDB control opcode %u\n", opcode));
 		return -1;
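Review bot: The two new cases validate only the payload size (`CHECK_CONTROL_DATA_SIZE(0)`) before changing node state, and nothing in this hunk restricts which sender may issue them. That matches the neighbouring cases, and the dispatcher's body starts outside the hunk, so a check may exist elsewhere. Because these controls take the receiving node out of service or return it, a short comment stating the trust assumption would help. If it is indeed the assumption, something like `/* Acts on the local node only; access is limited by the daemon's socket/transport permissions */` would do.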
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 7ebb419bc1f..f64a0475348 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1225,28 +1225,51 @@ failed:
 	return -1;	
 }
 
-static void initialise_node_flags (struct ctdb_context *ctdb)
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn)
 {
+	struct ctdb_node *node = NULL;
 	unsigned int i;
 
+	if (pnn == CTDB_CURRENT_NODE) {
+		pnn = ctdb->pnn;
+	}
+
 	/* Always found: PNN correctly set just before this is called */
 	for (i = 0; i < ctdb->num_nodes; i++) {
-		if (ctdb->pnn == ctdb->nodes[i]->pnn) {
-			break;
+		node = ctdb->nodes[i];
+		if (pnn == node->pnn) {
+			return node;
 		}
 	}
 
-	ctdb->nodes[i]->flags &= ~NODE_FLAGS_DISCONNECTED;
+	return NULL;
+}
+
+static void initialise_node_flags (struct ctdb_context *ctdb)
+{
+	struct ctdb_node *node = NULL;
+
+	node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+	/*
+	 * PNN correctly set just before this is called so always
+	 * found but keep static analysers happy...
+	 */
+	if (node == NULL) {
+		DBG_ERR("Unable to find current node\n");
+		return;
+	}
+


-- 
Samba Shared Repository


