[SCM] Samba Shared Repository - annotated tag tdb-1.4.6 created

Stefan Metzmacher metze at samba.org
Mon Jan 24 12:24:37 UTC 2022


The annotated tag, tdb-1.4.6 has been created
        at  294de0b8779c13cf2137cf3b70d1a5d0e11780c5 (tag)
   tagging  1c776e54cf33b46b2ed73263f093d596a0cdbb2f (commit)
  replaces  tdb-1.4.5
 tagged by  Stefan Metzmacher
        on  Mon Jan 24 13:24:26 2022 +0100

- Log -----------------------------------------------------------------
tdb: tag release tdb-1.4.6

Alenka Glukhovskaya (1):
      Added russian translate file

Alex Richardson (8):
      Don't use sysconf(_SC_NGROUPS_MAX) on macOS for getgroups()
      charset_macosxfs.c: fix compilation on macOS
      audit_logging.c: fix compilation on macOS
      source3/printing/queue_process.c: fix build on macOS
      sec_ctx.c: Fix -Wunused-function warning on macOS
      source3/smbd/statcache.c: Fix -Wformat build error on macOS
      vfs_preopen.c: Fix -Wformat error on macOS
      Fix detection of rpc/xdr.h on macOS

Alexander Bokovoy (2):
      CVE-2020-25717: Add FreeIPA domain controller role
      IPA DC: add missing checks

Amitay Isaacs (2):
      lib/tsocket: Fix build on Freebsd
      ctdb-tests: Implement srvid_handler for dispatching messages

Andreas Schneider (106):
      bootstrap: Install krb5-workstation on Fedora based distros
      autobuild: Exclude fips envs from samba and samba-mitkrb5
      s3:tests: Add smbclient kerberos tests for ad_dc and ad_dc_fips
      python:waf: Correctly check for python-dateutil
      bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
      lib:cmdline: Use lp_load_global() for servers
      selftest: Re-format long lines in selftesthelpers.py
      selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
      selftest: Add support for setting ENV variables in plantestsuite()
      s3:selftests: Pass env variables to fips tests
      s4:selftests: Pass env variables to fips tests
      selftest: Pass env variables to fips tests
      selftest: Remove fips env variables from client env
      auth:gensec: Use lpcfg_weak_crypto()
      s4:rpc_server: Allow to set user password in FIPS mode
      s4:libnet: Remove trailing whitespaces
      s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections
      netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
      selftest: Fix setting environ for plansmbtorture4testsuite()
      s4:selftest: Pass environ to plansmbtorture4testsuite()
      s4:torture: Remove trailing whitespaces in rpc.c
      s4:torture: Add rpc netlogon fips test
      configure: Do not put arguments into double quotes
      s3:winbindd: Add a check for the path length of 'winbindd socket directory'
      gitlab: Use shorter names for Samba AD DC env with MIT KRB5
      mit-samba: Define debug class for kdb module
      mit-samba: Send the logging to the kdc log facility
      mit-samba: Use talloc_get_type_abort() instead of casting
      mit-samba: Only set the function opening bracket once
      s3:winbind: Do not start if the priviliged socket path is too long
      s3:winbindd: Pass the right variable to the debug message
      lib:replace: Remove trailing spaces from testsuite.c
      testsuite: Fix build with gcc >= 11.1.1
      selftest: Add python path for compiled python modules like ldb
      third_party: Add a script to update waf
      third_party: Update waf to version 2.0.22
      s3:utils: Fix format error
      lib:fuzzing: Fix quoting of --fuzz-target-ldflags
      docs-xml: Remove trailing spaces in smb.conf.5.xml
      docs-xml: Use /var/tmp for spooling in smb.conf.5
      waf: Allow building with MIT KRB5 >= 1.20
      Revert "gp: Apply Firewalld Policy"
      Revert "gp: Test Firewalld Group Policy Apply"
      Revert "gp: Add Firewalld ADMX templates"
      testprogs: Use new cmdline option for kerberos
      lib:cmdline: Fix -k option which doesn't expect anything
      third_party: Update pam_wrapper to version 1.1.4
      editorconfig: Heimdal has mixed spaces and tabs with different width
      waf: Fix resolv_wrapper with glibc 2.34
      gitlab-ci: Add Fedora 35 and drop Fedora 33
      CVE-2020-25719 mit-samba: Make ks_get_principal() internally public
      CVE-2020-25719 mit-samba: Add ks_free_principal()
      CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
      CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
      CVE-2020-25719 mit-samba: Handle no DB entry in mit_samba_get_pac()
      CVE-2020-25719 mit-samba: Rework PAC handling in kdb_samba_db_sign_auth_data()
      CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry
      CVE-2020-25719 mit_samba: Create the talloc context earlier
      CVE-2020-25719 s4:kdc: Remove trailing spaces in pac-glue.c
      CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
      CVE-2020-25719 s4:kdc: Check if the pac is valid before updating it
      auth:creds: Remove trailing spaces
      auth:creds: Guess the username first via getpwuid(my_id)
      docs-xml: Fix smbget manpage
      mit-kdc: Use more strict KDC default settings
      s4:mit-kdb: Reduce includes to only what's needed
      s4:kdc: Remove trailing spaces in db-glue.c
      s3:winbind: Fix possible NULL pointer dereference
      testprogs: Add rpcclient schannel tests
      s3:rpc_client: Remove trailing white spaces from cli_pipe.c
      s3:rpcclient: Remove trailing white spaces in rpcclient.c
      s3:libnet: Remove tailing whitespaces in libnet_join.c
      s3:libsmb: Remove trailing white spaces from passchange.c
      s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel()
      libcli:auth: Allow to connect to netlogon server offering only AES
      s3:param: Remove trailing spaces in loadparm.c
      s3:param: Only include smb_ldap.h for LDAP_* defines
      s4:waf: Fix dependencies for TORTURE_UTIL
      s3:waf: Fix dependendies for libads
      wafsamba: Pass lib to CHECK_DECLS()
      waf:mitkrb5: Detect com_err with pkgconfig first
      waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
      waf:mitkrb5: Always define lib so we get the header include path
      s3:torture: Initialize pointer with NULL
      s4:mitkdc: Initilalize is_error with errno instead of EPERM(1)
      s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
      s4:mitkdc: Reset errno to 0 for com_err messages
      s4:mitkdc: Add support for pac_attrs and requester_sid
      s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
      s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
      s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
      s3:lib: Fix memory leak in netapi examples
      s3:lib: Do not close fd = -1 on fail in netapi example
      lib:util: Check return value of tdb_parse_record()
      s3:libnet: Initialize struct ODJ_POLICY_DNS_DOMAIN_INFO
      ctdb:client: Initialize structs and pointers in ctdb_ctrl_(en|dis)able_node()
      s4:dns_server: Remove less-than-zero comparison of an unsigned value
      s3:winbindd: Remove dead code from sam_rids_to_names()
      lib:krb_wrap: Add missing error check in smb_krb5_salt_principal_str()
      lib:util: Initialize pid
      s3:winbind: Fix using normalized name in sam_name_to_sid()
      python:tests: Don't require an emtpy 'authorization-data' to be present
      python:tests: Don't require an emtpy 'authorization-data' to be present
      s3:smbd: handle --build-options without parsing smb.conf
      gitlab-ci: Use Fedora 34 for Coverity Scan
      autobuild: Fix path for libwbclient ldd checks

Andrew Bartlett (135):
      ktutil: Print the numeric enctype if krb5_enctype_to_string() fails
      samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
      samba-tool: Rework transations/locks to hold a lock during mdb backup
      samba-tool domain backup: Use tdbbackup on metadata.tdb
      autobuild.py: Explain why each job is removed from the default set
      gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
      gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
      autobuild.py: Do not build MIT builds by default (eg sn-devel)
      build: Move minimum MIT krb5 version to 1.19 to align with what is tested
      mit-kdc: Remove build time support for KDB_API < 10
      selftest: Remove skip of samba4.rpc.unixinfo
      selftest: Modernise user_account_control.py tests use a common self.OU
      selftest: Use addCleanup rather than tearDown in user_account_control.py
      pydsdb: Add API to return strings of known UF_ flags
      selftest: Use @DynamicTestCase in user_account_control test_uac_bits_unrelated_modify()
      selftest: Replace internal loop in test_uac_bits_add() using @DynamicTestClass
      selftest: Replace internal loop in test_uac_bits_set() using @DynamicTestClass
      script/autobuild.py: Restore MIT ADDC tests against fl2008*
      bootstrap: Update to get newer krb5 on Fedora 34
      bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
      Update common on currently supported Fedora versions
      tests/krb5: Remove harmful and a-typical return in as_req testcase
      tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
      selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
      selftest: Only run samba_tool_drs_showrepl test once
      dsdb: Be careful to avoid use of the expensive talloc_is_parent()
      selftest: Add a test for LookupSids3 and LookupNames4 in python
      s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
      selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
      docs: Ensure to rebuild manpages if samba.entities or samba.version changes
      docs: Document all the other ways to send a password to smbclient et al
      docs: Avoid duplicate information on USER and PASSWD, reference the common section
      build: Make Python 3.6 the minimum to build now oss-fuzz is upgraded
      heimdal: Remove lex.yy.c file left over from a bug in lexyacc.sh
      bootstrap: Remove last references to Ubuntu 16.04
      selftest: Update user_account_control tests to pass against Windows 2019
      autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
      .gitlab-ci: Ignore errors from missing source files in code coverage
      .gitlab-ci: Allow a 1 hour to build Samba
      samldb: Address birthday paradox adding an RODC
      selftest: Move self.assertRaisesLdbError() to samba.tests.TestCase
      selftest: Use self.assertRaisesLdbError() in user_account_control.py test
      Release ldb 2.4.1
      Release ldb 2.50 for the future samba 4.16 series
      .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
      .gitlab-ci.yml: Restore building most of our jobs
      .gitlab-ci: Avoid duplicate CI on all merge requests
      gitlab-ci: Do not retry for job_execution_timeout
      gitlab-ci: Do not download artifacts of unrelated builds
      selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
      kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
      kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
      selftest: Remove duplicate setup of $base_dn and $ldbmodify
      selftest: Improve error handling and perl style when setting up users in Samba4.pm
      dsdb: Allow special chars like "@" in samAccountName when generating the salt
      lib/krb5_wrap: Fix missing error check in new salt code
      CVE-2020-25722 dsdb: Tests for our known set of privileged attributes
      CVE-2020-25722 dsdb: Move krbtgt password setup after the point of checking if any passwords are changed
      CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
      CVE-2020-25722 selftest: Extend priv_attrs test - work around UF_NORMAL_ACCOUNT rules on Windows 2019 (requires |UF_PASSWD_NOTREQD or a password) - extend to also cover the sensitive UF_TRUSTED_FOR_DELEGATION
      CVE-2020-25722 selftest: Test combinations of account type and objectclass for creating a user
      CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
      CVE-2020-25722 selftest: Catch possible errors in PasswordSettingsTestCase.test_pso_none_applied()
      CVE-2020-25722 selftest: Catch errors from samdb.modify() in user_account_control tests
      CVE-2020-25722 dsdb: objectclass computer becomes UF_WORKSTATION_TRUST by default
      CVE-2020-25722 dsdb: Improve privileged and unprivileged tests for objectclass/doller/UAC
      CVE-2020-25722 dsdb: Prohibit mismatch between UF_ account types and objectclass.
      CVE-2020-25722 selftest/priv_attrs: Mention that these knownfails are OK (for now)
      CVE-2020-25722 selftest: Adapt selftest to restriction on swapping account types
      CVE-2020-25722 dsdb: samldb_objectclass_trigger() is only called on ADD, so remove indentation
      CVE-2020-25722 dsdb: Add restrictions on computer accounts without a trailing $
      CVE-2020-25722 selftest: Adapt sam.py test_isCriticalSystemObject to new UF_WORKSTATION_TRUST_ACCOUNT default
      CVE-2020-25722 samdb: Fill in isCriticalSystemObject on any account type change
      CVE-2020-25722 selftest: Split test_userAccountControl into unit tests
      CVE-2020-25722 selftest: Adjust sam.py test_userAccountControl_computer_add_trust to new reality
      CVE-2020-25722 selftest: New objects of objectclass=computer are workstations by default now
      CVE-2020-25722 selftest: Adapt sam.py test to userAccountControl/objectclass restrictions
      CVE-2020-25722 selftest: adapt ldap.py/sam.py test_all tests to new default computer behaviour
      CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
      CVE-2020-25722 selftest/user_account_control: Allow a broader set of possible errors
      CVE-2020-25722 selftest/user_account_control: more work to cope with UAC/objectclass defaults and lock
      CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID
      CVE-2020-25722 Check all elements in acl_check_spn() not just the first one
      CVE-2020-25722 Check for all errors from acl_check_extended_right() in acl_check_spn()
      CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
      CVE-2020-25718 s4-rpc_server: Change sid list functions to operate on a array of struct dom_sid
      CVE-2020-25718 s4-rpc_server: Obtain the user tokenGroups earlier
      CVE-2020-25718 s4-rpc_server: Put RODC reveal/never reveal logic into a single helper function
      CVE-2020-25718 s4-rpc_server: Put msDS-KrbTgtLinkBL and UF_INTERDOMAIN_TRUST_ACCOUNT RODC checks in common
      CVE-2020-25718 s4-rpc_server: Confirm that the RODC has the UF_PARTIAL_SECRETS_ACCOUNT bit
      CVE-2020-25718 s4-rpc_server: Provide wrapper samdb_confirm_rodc_allowed_to_repl_to()
      CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
      CVE-2020-25718 s4-rpc_server: Explain why we use DSDB_SEARCH_SHOW_EXTENDED_DN in RODC access check
      CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
      CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
      CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
      CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
      CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
      CVE-2020-25722 Ensure the structural objectclass cannot be changed
      CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
      Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
      CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
      CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
      CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing
      CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details
      CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it
      CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts
      heimdal_build: Allow errors integer overflow errors in gen.c (only)
      Allow overflow in lib/hx509.c and lib/gssapi/mech/gss_inquire_cred.c
      heimdal_build: Do not list hx509 files twice
      heimdal_build: Remove memset_s from roken, already in libreplace
      dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
      build: Only use embedded Heimdal include paths in an embedded Heimdal build
      build: Remove kdc_include except where needed
      heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
      lib/replace: For heimdal_build: Try to use the OS or compiler provided atomic operators
      heimdal_build: Do not build samba4kinit unless building embedded Heimdal
      build: Add missing dependency on addns
      librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for Heimdal
      s4-auth: Remove unused headers
      s4:heimdal_build: changes required to build after import
      tests: Update latin1 list and ignored file list for new Heimdal import
      s4:kdc: Update samba_wdc_check_client_access() to match updated Heimdal
      s4:kdc: Adapt wamba_wdc_check_client_access() to modern Heimdal
      s4:kdc: Adapt to use new combined windc interface in lorikeet-heimdal
      s4:kdc: Update to match updated Heimdal's new HDB version
      s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal
      s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
      s4:kdc/hdb: Store and retrieve a FX-COOKIE value
      s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab
      s4:kdc: Move calls using the samba4 name to be right after each other
      s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
      s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
      selftest: Update SimpleKerberosTests now that Samba supports FAST
      selftest: knownfail updates after Heimdal Upgrade

Andrew Walker (1):
      s3:modules:recycle - fix crash in recycle_unlink_internal

Anoop C S (1):
      s3/rpc_server: Remove duplicate dependency listing for RPC_SERVICE

Bernd Kuhls (1):
      lib/util: Add signal.h include

Bjoern Jacke (1):
      util_sock: fix assignment of sa_socklen

Björn Jacke (4):
      ntvfs: add missing COM/LPT ports that are also reserved names
      mangle_hash2: add missing COM/LPT ports that are also reserved names
      mangle_hash2: remove LOCK$ from list of reserved names
      s4:librpc: raise log level for failed connection attempts

Christof Schmitt (30):
      smbd: Update comment explaining streams and file-system sharemodes
      vfs_gpfs: Update comment in vfs_gpfs_kernel_flock
      vfs_gpfs: Remove call to kernel_flock
      vfs_default: Return ENOTSUP for sharemodes flock call
      system: Remove kernel_flock
      wscript: Remove config check for LOCK_MAND
      loadparm: Set default of "kernel share modes" to "no"
      docs-xml: Update manpage for "kernel share modes" option
      WHATSNEW: Document changes for "kernel share modes"
      profile: Remove syscall_kernel_flock profiling
      VFS: Rename kernel_flock to filesystem_sharemode
      VFS: Increase VFS version for renamed function
      examples/VFS/skel_transparent: Rename kernel_flock to filesystem_sharemode
      examples/VFS/skel_opaque: Rename kernel_flock to filesystem_sharemode
      s3: Remove definition of removed kernel_flock function
      vfs_full_audit: Rename kernel_flock to filesystem_sharemode
      docs-xml: Update vfs_full_audit manpage for renamed function
      vfs_ceph: Rename kernel_flock to filesystem_sharemode
      vfs_glusterfs: Rename kernel_flock to filesystem_sharemode
      vfs_time_audit: Rename kernel_flock to filesystem_sharemode
      vfs_time_audit: Fix message for fcntl VFS call
      vfs_gpfs: Rename kernel_flock to filesystem_sharemode
      vfs_streams_xattr: Rename kernel_flock to filesystem_sharemode
      vfs_default: Rename kernel_flock to filesystem_sharemode
      vfs_catia: Rename kernel_flock to filesystem_sharemode
      VFS: Update tracking documents for renamed function
      smbd: Update comment for durable handles
      smbd: Rename return variable for requesting filesystem sharemode
      smbd: Remove return variable for releasing filesystem sharemode
      smbd: Update debug messages for failed sharemode release

David Disseldorp (3):
      smbd: check lp_load_printers before reload via NetShareEnum
      build: reduce fp.write calls for build_options.c generation
      build: reduce printf() calls in generated build_options.c

David Gajewski (1):
      s3: VFS: solarisacl: Fix compile error (missed variable rename).

David Mulder (26):
      gpo: Ensure Network Device Enrollment Service if sscep fails
      gpo: Warn when fetching the supported templates fails
      gpo: Improve debug when extension fails to apply
      gpo: Enable user policy application
      gpo: Enable Scripts ADMX for User Policy
      gpo: Test Group Policy User Scripts
      gpo: Apply Group Policy User Scripts
      gpo: Ignore symlink failure on sscep renew
      gpo: Decode the bytes for cepces-submit failure
      gpo: Print getcert message to debug
      gpo: Test Group Policy Firefox Extension
      gpo: Add Group Policy Firefox Extension
      gpo: Test Chromium Group Policy
      gpo: Add Chromium Group Policy
      gp: Add Firewalld ADMX templates
      gp: Test Firewalld Group Policy Apply
      gp: Apply Firewalld Policy
      samba-tool: Pick local host if calling samba-tool from DC
      Revert "samba-tool: Pick local host if calling samba-tool from DC"
      gp: Add Firewalld ADMX templates
      gp: Test Firewalld Group Policy Apply
      gp: Apply Firewalld Policy
      samba-tool: Add domain member leave
      samba-tool: Create DNS entries on member join
      samba-tool: Test DNS record creation on member join
      Remove stray reference to "ldap ssl ads"

Douglas Bagnall (56):
      pytest/rodc_rwdc: try to avoid race.
      pytest: dynamic tests optionally add __doc__
      pytest: s3_net_join: avoid name clash
      CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
      CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
      CVE-2020-25722 s4/dsdb/cracknames: always free tmp_ctx in spn_alias
      CVE-2020-25722 s4/cracknames: lookup_spn_alias doesn't need krb5 context
      CVE-2020-25722 samba-tool spn: accept -H for database url
      CVE-2020-25722 samba-tool spn add: remove --force option
      CVE-2020-25722 tests: blackbox samba-tool spn non-admin test
      CVE-2020-25722 s4/provision: add host/ SPNs at the start
      CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp
      CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
      CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
      CVE-2020-25722 s4/cracknames: add comment pointing to samldb spn handling
      CVE-2020-25722 s4/dsdb/samldb: add samldb_get_single_valued_attr() helper
      CVE-2020-25722 s4/dsdb/samldb: unique_attr_check uses samldb_get_single_valued_attr()
      CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
      CVE-2020-25722 s4/dsdb/samldb: check sAMAccountName for illegal characters
      CVE-2020-25722 s4/dsdb/samldb: check for SPN uniqueness, including aliases
      CVE-2020-25722 s4/dsdb/samldb: reject SPN with too few/many components
      CVE-2020-25722 s4/dsdb modules: add dsdb_get_expected_new_values()
      CVE-2020-25722 s4/dsdb/samldb: samldb_get_single_valued_attr() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_sam_accountname_valid_check() check all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_linkid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_schema_add_handle_mapiid() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_prim_group_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_user_account_control_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb _user_account_control_change() always add final value
      CVE-2020-25722 s4/dsdb/samldb: samldb_pwd_last_set_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_lockout_time() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_group_type_change() checks all values
      CVE-2020-25722 s4/dsdb/samldb: samldb_service_principal_names_change checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check checks values
      CVE-2020-25722 s4/dsdb/samldb: samldb_fsmo_role_owner_check() wants one value
      CVE-2020-25722 s4/dsdb/pwd_hash: password_hash_bypass gets all values
      CVE-2020-25722 s4/dsdb/pwd_hash: rework pwdLastSet bypass
      CVE-2020-25722 s4/dsdb/util: remove unused dsdb_get_single_valued_attr()
      pytests: check that we don't have bad format characters
      test/bad_chars: ensure our tests could fail
      s3/modules/vfs_acl_common.h: use utf-8
      test/blackbox/test_samba-tool_ntacl: use utf-8
      s4/auth/gensec/gensec_krb5_heimdal: use utf-8
      lib/replace/timegm: use utf-8
      third_party: remove pep8
      pytest/source_chars: forget thirdparty/pep8 test file
      third_party/update: forget pep8
      py/dnsserver: add missing imports
      py/dnsserver: add a missing exception variable
      pytest/dns_aging: use correct variable names
      pytest/dns_aging: remove duplicate tests
      pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
      pytest/docs: better spelling of set_smbconf_arbitrary
      samba-tool domain backup: cope better with dangling symlinks
      samba-tool domain backup: backup but do not follow symlinks
      pytest/source_char: check for mixed direction text

Gary Lockyer (3):
      initial FAST tests
      heimdal_build: Use HAVE___ATTRIBUTE__ for unused, noreturn and unused_result
      s4:kdc: cope with upstream rename of configuration parameters.

Günther Deschner (9):
      s3-torture: give torture test binaries their own wscript_build
      s3-torture: Only install vfstest manpage when vfstest binary gets installed.
      s3-winexe: Fix winexe core dump (use-after-free)
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds()
      s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
      pam_winbind: add new pwd_change_prompt option (defaults to off).
      s4:kdc: Do not encode the NTSTATUS error into a PA-DATA, just linearlise it

Isaac Boukris (6):
      kdc: remove KRB5SignedPath, to be replaced with PAC
      kdc: sign ticket using Windows PAC
      krb5: allow NULL parameter to krb5_pac_free()
      krb5: rework PAC validation loop
      s4:mit-kdb: Force canonicalization for looking up principals
      s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED

Jeremy Allison (184):
      s3: smbd: Allow async dosmode to cope with ".." pathnames where we close smb_fname->fsp to prevent meta-data leakage.
      s3: smbd: Don't leak meta-data about the containing directory of the share root.
      s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
      s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file.
      s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
      s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code.
      s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
      s4: torture: Add test for smb2.ioctl.bug14769.
      s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle.
      s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.
      s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.
      s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.
      s3: smbd: Ensure all returns from OpenDir() correctly set errno.
      s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
      s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
      s4: ntvfs: Missed comma in 24c09f913d82528ada14013e3d673d277cf04a93, string would be concatenated.
      s3: smbd: Add fifo test for the DISABLE_OPATH case.
      s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
      s3: auth: Andrew noticed f585f01148ab2d8f84c96b12e018742f5f17bcb0 doesn't keep the same logic.
      s4: process_prefork: Make prefork_restart() use an asynchronous timer event instead of calling sleep(X).
      s3: selftest: Add regression test to show the $cwd cache is misbehaving when we connect as a different user on a share.
      s3: smbd: Ensure when we change security context we delete any $cwd cache.
      s3: VFS: zfsacl: Ensure we use a pathref fd, not an io fd, for getting/setting ZFS ACLs.
      s3: smbspool. Remove last use of 'extern char **environ;'.
      s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2.
      s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links.
      s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting.
      s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks.
      s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks.
      s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set.
      s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks.
      s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks.
      s3: docs-xml: Clarify the "delete veto files" paramter.
      s3: smbd: dirfsp is being used uninitialized inside rmdir_internals().
      s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds.
      s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable.
      s3: smbd: get_real_filename() is actually static to filename.c
      s3: smbd: Add ucf_flags parameter to normalize_filename_case().
      s3: smbd: Ensure normalize_filename_case() doesn't modify posix names.
      s3: smbd: Add case_sensitive, case_preserve, short_case_preserve to state struct.
      s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
      s3: smbd: Use state->case_preserve instead of state->conn->case_preserve.
      s3: smbd: Use state->short_case_preserve instead of state->conn->short_case_preserve.
      s3: smbd: Turn on case sensitivity for a posix filename lookup.
      s3: smbd: Add comment to unix_convert() explaining why posix never calls into mangle_is_mangled() here.
      s3: smbd: In unix_convert_step_search_fail() ensure posix names don't call into name mangling functions.
      s3: smbd: In unix_convert() component_was_mangled is always false for posix.
      s3: smbd: Add 'bool case_sensitive' to struct smbd_dirptr_lanman2_state.
      s3: smbd: Use state->case_sensitive instead of state->conn->case_sensitive.
      s3: smbd: Add case_sensitive to struct smb_Dir.
      s3: smbd: Use dir_hnd->case_sensitive instead of conn->case_sensitive.
      s3: smbd: In OpenDir_fsp(), set dir_hnd->case_sensitive to true if FSP_POSIX_FLAGS_OPEN is set.
      s3: smbd: Add dptr_case_sensitive(). Not yet used.
      s3: smbd: Use dptr_case_sensitive() in directory listing code.
      s3: smbd: In open_file(), use a helper variable instead of always checking sp->posix_flags & FSP_POSIX_FLAGS_OPEN.
      s3: smbd: In open_file() use the helper variable to select correct case_sensitive setting to is_in_path().
      s3: smbd: Use a helper variable in smbd_smb2_query_directory_send().
      s3: smbd: Add and use case_sensitive helper variable to unlink_internals().
      s3: smbd: Add and use helper variables case_sensitive, case_preserve in rename_internals_fsp().
      s3: smbd: Add and use helper variable posix_pathname in rename_internals().
      s3: smbd: Ensure we never call mangle_is_mangled() for a posix path.
      s3: smbd: Add and use helper variables for case_sensitive, case_preserve, short_case_preserve to rename_internals().
      s3: smbd: In SMB1 reply_copy(), make req->posix_pathnames a helper variable.
      s3: smbd: SMB1 reply_copy(). Posix pathnames should never call into mangle_is_mangled().
      s3: smbd: SMB1 reply_copy(). Posix pathnames always means case_sensitive = true.
      s3: smbd: In unlink_internals() ensure we never call mangle_is_mangled for a posix path.
      s3: smbd: In SMB1 call_trans2findnext() add and use a helper variable to ensure we don't call mangle_is_mangled() with a posix name.
      s4: libcli: Add smbcli_unlink_wcard().
      s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
      s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
      s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
      s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
      s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
      s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
      s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
      s3: torture: Add torture_deltree() for setup and teardown.
      s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
      s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
      s3: torture: In torture_utable(), use torture_deltree() for setup.
      s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
      s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
      s3: torture: In run_streamerror(), use torture_deltree() for setup.
      s3: torture: In test_mask(), use torture_deltree() for setup.
      s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
      s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
      s4: torture: Remove the wildcard unlink test code.
      s4: torture: Remove the wildcard rename test code.
      s3: torture: Remove the wildcard unlink test code.
      s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
      s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
      s3: smbd: Change unlink_internals() to ignore has_wild parameter.
      s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
      s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
      s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
      s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
      s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
      s3: smbd: In reply_ntrename(), never set dest_has_wcard.
      s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
      s3: smbd: Prepare to remove wildcard matching from rename_internals().
      s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
      s3: smbd: Remove all wildcard code from rename_internals().
      s3: smbd: Remove the commented out resolve_wildcards().
      s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
      s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
      s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
      Update WHATSNEW.txt with removal of wildcard copy, rename and unlink.
      docs-xml: Add "rpc start on demand helpers", true by default.
      WHATSNEW. Added section about samba-dcerpcd.
      s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
      s3: smbd: Move to modern debug calls inside do_unlink().
      s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
      s3: smbd: Remove the old unlink_internals() implementation.
      s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
      s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
      s3: smbd: check_name() is now static to filename.c
      s3: smbd: In rename_internals(), remove the name splitting and re-combining code.
      s3: smbd: Remove split_fname_dir_mask().
      s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
      s3: smbd: Remove filename_convert_with_privilege(). No longer used.
      s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
      s3: smbd: Remove unused check_name_with_privilege().
      s3: smbd: Remove now unused check_reduced_name_with_privilege().
      s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
      s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
      s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
      s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
      s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
      s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
      s3: smbd: dfs_path_lookup() no longer deals with wildcards.
      s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
      s3: smbd: parse_dfs_path() can ignore wildcards.
      s3: smbd: filename_convert() no longer deals with wildcards.
      s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
      s3: smbd: We no longer need determine_path_error().
      s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
      s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
      s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
      s3: smbd: In unix_convert() remove the now unneeded block indentation.
      s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
      s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
      s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
      s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
      s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
      s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
      s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
      s4: torture: In raw.search:test_one_file() add a second connection.
      s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
      s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
      s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
      s3: smbd: In check_parent_exists() use utility function vfs_stat().
      s3: smbd: In setup_close_full_information() use vfs_stat() helper function.
      s3: smbd: In stat_cache_lookup(), use vfs_stat() utility function.
      s3: smbd: In smbd_smb2_getinfo_send(), use vfs_stat() utility function.
      s3: smbd: In vfs_stat_smb_basename() use vfs_stat() helper function.
      s3: smbd: In parent_dirname_compatible_open(), use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QFILEINFO case, use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO on a named stream case, use helper function vfs_stat().
      s3: smbd: In call_trans2qfilepathinfo(), TRANSACT2_QPATHINFO, use helper function vfs_stat().
      s3: smbd: call_trans2setfilepathinfo(), TRANSACT2_SETFILEINFO case, use helper function vfs_stat().
      s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, ensure we have a VALID_STAT return from filename_convert().
      s3: smbd: Inside call_trans2setfilepathinfo(), for the TRANSACT2_SETPATHINFO case, we don't need to re-stat.
      s3: smbd: In call_trans2qfilepathinfo(), we must have an existing object in the QPATHINFO case.
      s3: smbd: In call_trans2qfilepathinfo(), remove unneeded vfs_stat().
      s3: smbd: In setup_close_full_information(), remove unneeded vfs_stat().
      s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.
      s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol before continuing.
      s3: smbd: Add "enum brl_flavour" to struct smbd_lock_element.
      s3: smbd: Move implicit call to lp_posix_cifsu_locktype() out of init_strict_lock_struct().
      s3: smbd: Remove lock_flav parameter from smbd_do_locks_try().
      s3: smbd: In smbd_smb1_do_locks_send() move access of lock_flav until after we know we have locks in the array.
      s3: smbd: Remove lock_flav argument from smbd_smb1_do_locks_send().
      s3: smbd: Remove lock_flav argument from internal function smbd_smb1_do_locks_check()
      s3: smbd: Remove lock_flav argument from smbd_smb1_brl_finish_by_lock().
      s3: smbd: Remove now redundant lock_flav parameter from smbd_do_unlocking().
      tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
      lib: util: Add a function nt_time_to_unix_timespec_raw().
      s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
      s3: lib: In create_clock_itime(), use timespec_current() -> clock_gettime(CLOCK_REALTIME..).
      lib: util: Make nt_time_to_unix_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
      lib: util: Make nt_time_to_full_timespec() call nt_time_to_unix_timespec_raw() for the conversion.
      s3: smbd: Add missing pop_sec_ctx() in error code path of close_directory()

Jones Syue (1):
      s3: includes: Make the comments describing itime consistent. Always use "invented" time.

Joseph Sutton (395):
      pygensec: Fix memory leaks
      pygensec: Don't modify Python bytes objects
      tests/krb5: Fix ms_kile_client_principal_lookup_test errors
      tests/krb5: Fix comment typo
      tests/krb5: Fix method name typo
      tests/krb5: formatting
      tests/krb5: Remove unneeded statements
      tests/krb5: Use more compact dict lookup
      tests/krb5: Simplify Python syntax
      tests/krb5: Remove magic constants
      tests/krb5: Fix including enc-authorization-data
      tests/krb5: Fix callback_dict parameter
      tests/krb5: Fix encpart_decryption_key with MIT KDC
      tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
      tests/krb5: Check Kerberos protocol version number
      tests/krb5: Use credentials kvno when creating password key
      tests/krb5: Allow cf2 to automatically use the enctype of the first key
      tests/krb5: Refactor get_pa_data()
      tests/krb5: Add get_enc_timestamp_pa_data_from_key()
      tests/krb5: Add method to return dict containing padata elements
      tests/krb5: Make _test_as_exchange() return value more consistent
      tests/krb5: Add get_EpochFromKerberosTime()
      tests/krb5: Use encryption with admin credentials
      tests/krb5: Allow specifying additional details when creating an account
      tests/krb5: Add more methods for obtaining machine and service credentials
      tests/krb5: Add method to calculate account salt
      tests/krb5: Add check_reply() method to check for AS or TGS reply
      tests/krb5: Always specify expected error code
      tests/krb5: Include kdc_options in kdc_exchange_dict
      tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
      tests/krb5: Ensure in assertElementPresent() that container elements are not empty
      tests/krb5: Assert that more variables are not None
      tests/krb5: Check version number of obtained ticket
      tests/krb5: Make checking less strict
      tests/krb5: Check nonce in EncKDCRepPart
      tests/krb5: Add generate_ap_req() method
      tests/krb5: Ensure generated padata is not None
      tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
      tests/krb5: Add more ASN1 definitions for FAST
      tests/krb5: Add more methods to create ASN1 objects for FAST
      tests/krb5: Add method to generate FAST encrypted challenge padata
      tests/krb5: Add methods to calculate keys for FAST
      tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
      tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
      tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
      tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
      tests/krb5: Allow specifying parameters specific to the outer request body
      tests/krb5: Add method to check PA-FX-FAST-REPLY
      tests/krb5: Add method to verify ticket checksum for FAST
      tests/krb5: Check FAST response
      tests/krb5: Add functions to get dicts of request padata
      tests/krb5: Add methods to determine whether elements were included in the request
      tests/krb5: Check encrypted-pa-data
      tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
      tests/krb5: Include authdata in kdc_exchange_dict
      tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
      tests/krb5: Add check_rep_padata() method to check padata in reply
      tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
      tests/krb5: Remove unused variables
      tests/krb5: Add get_krbtgt_sname() method
      tests/krb5: Check sname is krbtgt for FAST generic error
      tests/krb5: Check reply FAST padata if request included FAST
      tests/krb5: Adjust reply padata checking depending on whether FAST was sent
      tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
      tests/krb5: Check PADATA-FX-COOKIE in reply
      tests/krb5: Make check_rep_padata() also work for checking TGS replies
      tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
      tests/krb5: Check PADATA-PAC-OPTIONS in reply
      tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
      tests/krb5: Check PADATA-FX-ERROR in reply
      tests/krb5: Add FAST tests
      tests/krb5: Make e-data checking less strict
      tests/krb5: Make cname checking less strict
      tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
      CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
      tests/krb5: Check e-data element for TGS-REP errors without FAST
      tests/krb5: Check PADATA-PW-SALT element in e-data
      tests/krb5: Add tests for omitting sname in request
      tests/krb5: Allow specifying parameters specific to the inner FAST request body
      tests/krb5: Add tests for omitting sname in inner request
      tests/krb5: Allow expected_error_mode to be a container type
      dsdb/samdb/ldb_modules: Use correct member of union
      s4/dnsserver: Don't call memcpy() with a NULL pointer
      s4/dnsserver: Fix NULL check
      libcli/smb: Don't call memcpy() with a NULL pointer
      python: Fix usage strings
      Fix Python docstrings
      krb5pac.idl: Add ticket checksum PAC buffer type
      security.idl: Add well-known SIDs for FAST
      tests/krb5: Calculate expected salt if not given explicitly
      tests/krb5: Add methods to obtain the length of checksum types
      tests/krb5: Use signed integers to represent key version numbers in ASN.1
      tests/krb5: Add KDCOptions flag for constrained delegation
      tests/krb5: Use more compact dict lookup
      tests/krb5: Replace expected_cname_private with expected_anon parameter
      tests/krb5: Allow specifying an OU to create accounts in
      tests/krb5: Allow specifying additional User Account Control flags for account
      tests/krb5: Keep track of account DN in credentials object
      tests/krb5: Move padata generation methods to base class
      tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
      tests/krb5: Don't create PAC request manually in as_req_tests
      tests/krb5: Don't create PAC request or options manually in fast_tests
      tests/krb5: Remove magic constants
      tests/krb5: Allow specifying ticket flags expected to be set or reset
      tests/krb5: Make time assertion less strict
      tests/krb5: Allow Kerberos requests to be sent to DC or RODC
      tests/krb5: Check for presence of 'renew-till' element
      tests/krb5: Check 'caddr' element
      tests/krb5: Check for presence of 'key-expiration' element
      tests/krb5: Create testing accounts in appropriate containers
      tests/krb5: Allow specifying status code to be checked
      tests/krb5: Get expected cname from TGT for TGS-REQ messages
      tests/krb5: Get encpart decryption key from kdc_exchange_dict
      tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
      tests/krb5: Generate padata for FAST tests
      pytest:segfault: Add test for ldb.msg_diff()
      ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
      pyldb: Avoid use-after-free in msg_diff()
      tests/krb5: Sign-extend kvno from 32-bit integer
      tests/krb5: Add method to get RODC krbtgt credentials
      tests/krb5: Add get_secrets() method to get the secret attributes of a DN
      tests/krb5: Allow replicating accounts to the RODC
      tests/krb5: Create RODC account for testing
      tests/krb5: Allow replicating accounts to the created RODC
      python: Don't leak file handles
      python/join: Check for correct msDS-KrbTgtLink attribute
      tests/krb5: Add helper method for modifying PACs
      tests/krb5: Check correct flags element
      tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
      tests/krb5: Allow tgs_req() to send additional padata
      tests/krb5: Allow tgs_req() to specify different kdc-options
      tests/krb5: Allow tgs_req() to send requests to the RODC
      tests/krb5: Allow as_req() to specify different kdc-options
      tests/krb5: Use PAC buffer type constants from krb5pac.idl
      tests/krb5: Don't manually create PAC request and options in fast_tests
      tests/krb5: Set DN of created accounts to ldb.Dn type
      tests/krb5: Allow get_service_ticket() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to get tickets from the RODC
      tests/krb5: Allow get_tgt() to specify different kdc-options
      tests/krb5: Allow get_tgt() to specify expected and unexpected flags
      tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
      tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
      tests/krb5: Cache obtained tickets
      tests/krb5: Add methods for creating zeroed checksums and verifying checksums
      tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
      tests/krb5: Add method to verify ticket PAC checksums
      tests/krb5: Add method for modifying a ticket and creating PAC checksums
      tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
      tests/krb5: Make get_default_enctypes() return a set of enctype constants
      tests/krb5: Add methods to convert between enctypes and bitfields
      tests/krb5: Get supported enctypes for credentials from database
      tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
      tests/krb5: Set key version number for all accounts created with create_account()
      tests/krb5: Allow tgs_req() to check the returned ticket enc-part
      tests/krb5: Add method to get DC credentials
      tests/krb5: Fix checking for presence of authorization data
      tests/krb5: Provide ticket enc-part key to tgs_req()
      tests/krb5: Simplify account creation
      tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
      tests/krb5: Verify checksums of tickets obtained from the KDC
      tests/krb5: Add method to determine if principal is krbtgt
      tests/krb5: Add classes for testing invalid checksums
      pytest:segfault: Add test for deleting an ldb.Message dn
      pyldb: Fix deleting an ldb.Message dn
      pytest:segfault: Add test for deleting an ldb.Control critical flag
      pyldb: Fix deleting an ldb.Control critical flag
      s4/torture/drs/python: Fix attribute existence check
      pyldb: Add test for an invalid ldb.Message index type
      pyldb: Raise TypeError for an invalid ldb.Message index
      pyldb: Add tests for ldb.Message containment testing
      pyldb: Make ldb.Message containment testing consistent with indexing
      .gitlab-ci: Increase build timeout
      tests/krb5: Rename method parameter
      tests/krb5: Remove unused parameter
      tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
      tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
      tests/krb5: Fix PA-PAC-OPTIONS checking
      tests/krb5: Rename allowed_to_delegate_to parameter for clarity
      tests/krb5: Allow created accounts to use resource-based constrained delegation
      tests/krb5: Add assertion to make failures clearer
      tests/krb5: Introduce helper method for creating invalid length checksums
      tests/krb5: Fix method for creating invalid length zeroed checksum
      tests/krb5: Fix checksum generation and verification
      tests/krb5: Allow excluding the PAC server checksum
      tests/krb5: Fix handling authdata with missing PAC
      tests/krb5: Fix status code checking
      tests/krb5: Make expected_sname checking more explicit
      tests/krb5: Fix assertElementFlags()
      tests/krb5: Remove unneeded parameters from ticket cache key
      tests/krb5: Fix checking for presence of error data
      tests/krb5: Add expect_claims parameter to kdc_exchange_dict
      heimdal:kdc: Only check for default salt for des-cbc-crc enctype
      tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
      tests/krb5: Check constrained delegation PAC buffer
      tests/krb5: Save account SPN
      tests/krb5: Allow specifying options and expected flags when obtaining a ticket
      tests/krb5: Supply supported account enctypes in tgs_req()
      tests/krb5: Add parameter to enforce presence of ticket checksums
      tests/krb5: Add compatibility tests for ticket checksums
      tests/krb5: Use correct principal name type
      tests/krb5: Clarify checksum type assertion message
      tests/krb5: Fix padata checking at functional level 2003
      tests/krb5: Add environment variable to specify KDC FAST support
      tests/krb5: Check padata types when STRICT_CHECKING=0
      tests/krb5: Check logon name in PAC
      tests/krb5: Simplify padata checking
      tests/krb5: Disable debugging output for tests
      tests/krb5: Provide clearer assertion messages for test failures
      tests/krb5: Fix sha1 checksum type
      selftest/dbcheck: Fix up RODC one-way links
      tests/krb5: Add TKT_SIG_SUPPORT environment variable
      tests/krb5: Require ticket checksums if decryption key is available
      tests/krb5: Verify tickets obtained with get_service_ticket()
      tests/krb5: Add constrained delegation tests
      tests/krb5: Don't include empty AD-IF-RELEVANT
      tests/krb5: Allow bypassing cache when creating accounts
      tests/krb5: Fix duplicate account creation
      s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
      s4:kdc: Fix debugging messages
      s4/torture: Expect ticket checksum PAC buffer
      s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
      heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
      s4:kdc: Check ticket signature
      heimdal:kdc: Fix ticket signing without a PAC
      tests/krb5: Allow get_tgt() to request including or omitting a PAC
      tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
      tests/krb5: Add method to get the PAC from a ticket
      tests/krb5: Add tests for requesting a service ticket without a PAC
      tests/krb5: Ensure PAC is not present if expect_pac is false
      tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
      selftest: Increase account lockout windows to make test more reliable
      selftest: krb5 account creation: clarify account type as an enum
      tests/krb5: Decrease length of test account prefix
      tests/krb5: Allow specifying prefix or suffix for test account names
      tests/krb5: Allow creating machine accounts without a trailing dollar
      tests/krb5: Allow specifying the UPN for test accounts
      tests/krb5: Fix account salt calculation to match Windows
      tests/krb5: Add tests for account salt calculation
      tests/krb5: Check account name and SID in PAC for S4U tests
      CVE-2020-25722 dsdb: Add tests for modifying objectClass, userAccountControl and sAMAccountName
      CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
      CVE-2020-25722 tests/krb5: Allow creating server accounts
      CVE-2020-25719 tests/krb5: Add is_tgt() helper method
      CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
      MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
      CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
      CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
      CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
      CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
      CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
      CVE-2020-25719 tests/krb5: Add principal aliasing test
      CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
      CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
      CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
      CVE-2020-25722 Add test for SPN deletion followed by addition
      CVE-2020-25722 s4:dsdb:tests: Add missing self.fail() calls
      CVE-2020-25722 selftest: Adapt ldap.py tests to new objectClass restrictions
      CVE-2020-25718 tests/krb5: Fix indentation
      CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type
      CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type
      CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
      CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
      CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
      CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
      CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
      CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
      CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
      CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
      CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
      CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
      CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
      CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
      CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
      CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
      CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
      CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
      CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
      CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
      CVE-2020-25719 s4/torture: Expect additional PAC buffers
      CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
      CVE-2020-25719 heimdal:kdc: Require authdata to be present
      CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
      CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
      CVE-2020-25719 heimdal:kdc: Check return code
      CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
      CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
      CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
      CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
      CVE-2020-25719 heimdal:kdc: Require PAC to be present
      CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
      CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
      CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
      CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
      CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
      CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
      CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
      CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
      CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
      CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts
      CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration
      CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero
      selftest: Check received LDB error code when STRICT_CHECKING=0
      tests/krb5: Remove unused variable
      tests/krb5: Deduplicate AS-REQ tests
      tests/krb5: Run test_rpc against member server
      tests/krb5: Allow PasswordKey_create() to use s2kparams
      tests/krb5: Split out methods to create renewable or invalid tickets
      tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
      tests/krb5: Remove unnecessary expect_pac arguments
      tests/krb5: Add tests for invalid TGTs
      tests/krb5: Add tests for TGS requests with a non-TGT
      tests/krb5: Add TGS-REQ tests with FAST
      tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
      tests/krb5: Add tests for validation with requester SID PAC buffer
      tests/krb5: Add comments for tests that fail against Windows
      heimdal:kdc: Fix error message for user-to-user
      s4:torture: Fix typo
      heimdal:kdc: Adjust no-PAC error code to match Windows
      kdc: Adjust SID mismatch error code to match Windows
      tests/krb5: Add test for S4U2Self with wrong sname
      kdc: Match Windows error code for mismatching sname
      kdc: Always add the PAC if the header TGT is from an RODC
      tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
      Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
      kdc: Don't include extra PAC buffers in service tickets
      kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
      tests/krb5: Add a test for S4U2Self with no authorization data required
      heimdal:kdc: Always generate a PAC for S4U2Self
      selftest: Properly check extra PAC buffers with Heimdal
      heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
      kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
      tests/krb5: Only create testing accounts once per test run
      tests/krb5: Check logon name in PAC for canonicalization tests
      tests/krb5: Check ticket cname for Heimdal
      tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
      tests/krb5: Add tests for AS-REQ with an SPN
      tests/krb5: Add tests for enterprise principals with canonicalization
      s4:torture: Remove AS_REQ_SELF test stage
      s4:torture: Remove test combination with enterprise principal without canonicalize flag
      s4:torture: Remove pre-send and post-receive callbacks
      kdc: Canonicalize realm for enterprise principals
      tests/krb5: Adjust expected error codes for FAST tests
      tests/krb5: Don't request renewable tickets
      tests/krb5: Add test for AD-fx-fast-armor in enc-authorization-data
      tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
      tests/krb5: Make edata checking less strict
      tests/krb5: Allow additional unexpected padata types
      tests/krb5: Remove magic flag constants
      tests/krb5: Add test for FAST with invalid ticket checksum
      tests/krb5: Adjust unknown critical FAST option test
      tests/krb5: Don't require claims PAC buffers if STRICT_CHECKING=0
      tests/krb5: Allow 'renew-till' element to be present if STRICT_CHECKING=0
      tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
      hdb: Initialise HDB structure
      tests/krb5: Add tests for PAC buffer alignment
      Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
      kdc: Pad UPN_DNS_INFO PAC buffer
      s4:torture: Remove comments that are no longer relevant
      s4:torture: Fix typo
      tests/krb5: Generate unique UPNs for enterprise tests
      tests/krb5: Correctly determine whether tickets are service tickets
      tests/krb5: Add tests for AS-REQ to self with FAST
      netlogon.idl: Add flags for indicating directory service versions
      dsgetdcname: Display new flags in debug output
      dsdb/netlogon: Indicate DC functional level support in samlogon response
      s4:rpc_server/netlogon: adjust the flags logic to MS-NRPC 3.5.4.3.1 DsrGetDcNameEx2
      s4:torture: Make etype list variables static
      s4:torture: Remove netbios realm and lowercase realm tests
      tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
      tests/krb5: Adjust expected error codes
      tests/krb5: Add FAST enc-pa-rep tests
      tests/krb5: Check encrypted-pa-data if present
      tests/krb5: Add AS-REQ PAC tests
      tests/krb5: Update supported enctype checking
      kdc: Fix leak
      netlogon.idl: Add FAST support bits
      s4:kdc: Fix build failure by including <heimbase.h>
      s4:kdc: Adapt samba_wdc_check_client_access() to upstream Heimdal
      s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
      s4:kdc: Set supported enctypes in KDC entry
      s4:kdc: Return PA-SUPPORTED-ENCTYPES
      tests/krb5: Add option to check reply padata
      selftest: Expect FAST support for both MIT and Heimdal
      s4:torture: Adapt LSA tests to newer Heimdal version
      s4:torture: Fix Orpheus' Lyre tests
      s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG
      s4:torture: Adapt KDC canon test to Heimdal upstream changes

Luke Howard (6):
      CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
      kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
      krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
      kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
      kdc: use ticket client name when signing PAC
      kdc: correctly generate PAC TGS signature

Martin Schwenke (105):
      ctdb-recoverd: Add a helper variable
      ctdb-recoverd: Update the local node map before pushing out flags
      ctdb-recoverd: Push flags for a node if any remote node disagrees
      ctdb-protocol: Add new controls to disable and enable nodes
      ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
      ctdb-daemon: Add a helper variable
      ctdb-daemon: Factor out a function to get node structure from PNN
      ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
      ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
      ctdb-client: Add client code for disable/enable controls
      ctdb-tools: Use disable and enable controls in tool
      ctdb-daemon: Correct the condition for logging unchanged flags
      ctdb-daemon: Update logging for flag changes
      ctdb-daemon: Modernise remaining debug macro in this function
      ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
      ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
      ctdb-daemon: Simplify ctdb_control_modflags()
      ctdb-daemon: Ignore flag changes for disconnected nodes
      ctdb-daemon: Don't mark a node as unhealthy when connecting to it
      ctdb-tests: Fix typo in ctdb stub comment matching
      ctdb-tests: Drop unused function ctdb_get_all_public_addresses()
      debug: Move header_str and hs_len to state
      debug: Add a level of indirection to ring buffer logging
      debug: Factor out function copy_no_nl()
      debug: Avoid debug header being separated from debug text
      debug: Add length argument to Debug1()
      debug: Push message length argument down to backend log functions
      debug: Rename variable for consistency
      debug: Optimise construction of header_str_no_nl
      debug: Optimise to avoid walking the header string
      debug: Optimise early return when header string buffer is full
      debug: Move msg_no_nl to state
      debug: Optimise construction of msg_no_nl
      bootstrap: Add Debian 11
      bootstrap: Debian 11 has liburing-dev
      debug: Add debug_syslog_format setting
      debug: Add new smb.conf option "debug syslog format"
      ctdb-tests: Add extra IPv6 socket parsing tests
      ctdb-protocol: Print IPv6 sockets with RFC5952 "[2001:db8::1]:80" notation
      ctdb-common: Switch initial debug type to DEBUG_DEFAULT_STDERR
      ctdb-common: Use Samba's DEBUG_FILE logging
      ctdb-common: Separate sock_daemon's SIGHUP and SIGUSR1 handling
      ctdb-common: Add support for reopening logs
      ctdb-daemon: Add basic top-level log reopening
      ctdb-recoverd: Add basic log reopening
      ctdb-daemon: Enable log reopening for recovery daemon
      ctdb-event: Reopen logs on SIGHUP
      ctdb-daemon: Enable log reopening for event daemon
      ctdb-recoverd: Add log reopening on SIGHUP to helpers
      ctdb-recoverd: Record helper PID in recovery daemon context
      ctdb-recoverd: Pass SIGHUP to running helper
      ctdb-recoverd: Factor out and use function this_node_is_leader()
      ctdb-recoverd: Use this_node_is_leader() in an extra context
      ctdb-recoverd: Add PNN to recovery daemon context
      ctdb-recoverd: Simplify arguments to some election functions
      ctdb-recoverd: Simplify arguments to do_recovery()
      ctdb-recoverd: Simplify arguments to verify_local_ip_allocation()
      ctdb-recoverd: Simplify arguments to ctdb_ban_node()
      ctdb-recoverd: Change argument to srvid_disable_and_reply()
      ctdb-recoverd: Use rec->pnn everywhere
      ctdb-recoverd: Rename recmaster field to leader
      ctdb-recoverd: Logging/comments: recovery master -> leader
      ctdb-recoverd: Add and use function this_node_can_be_leader()
      ctdb-recoverd: Only start election if node can be leader
      ctdb-recoverd: Add an explicit flag for election in progress
      ctdb-protocol: Add CTDB_SRVID_LEADER
      ctdb-recoverd: Process leader broadcasts
      ctdb-recoverd: Send leader broadcasts
      ctdb-recoverd: Handle leader broadcast timeout
      ctdb-recoverd: Drop special case for elected-before-connected
      ctdb-recoverd: Drop leader validation
      ctdb-tests: Setup cluster with expected arguments
      ctdb-tests: Avoid a race
      ctdb-recoverd: Factor out function cluster_lock_take()
      ctdb-recoverd: Take cluster lock when election completes
      ctdb-recoverd: Terminology change: recovery lock -> cluster lock
      ctdb-recoverd: Add and use function cluster_lock_enabled()
      ctdb-recoverd: No longer take cluster lock during recovery
      ctdb-recoverd: Simplify some stopped/banned checks to inactive checks
      ctdb-tests: Add leader broadcasts to fake_ctdbd
      ctdb-tests: Factor out getting leader and waiting for leader change
      ctdb-client: Factor out function ctdb_client_wait_func_timeout()
      ctdb-tools: Print "UNKNOWN" when leader PNN is unknown
      ctdb-tools: Handle leader broadcasts in ctdb tool
      ctdb-tools: Factor out get_leader()
      ctdb-tools: Use leader broadcast in get_leader()
      ctdb-tools: recovery master -> leader
      ctdb-recoverd: Drop recovery master verification
      ctdb-recoverd: Drop calls to ctdb_ctrl_setrecmaster()
      ctdb-daemon: Drop unused old client recmaster functions
      ctdb-client: Drop unused recmaster functions
      ctdb-protocol: Drop protocol client functions for recmaster controls
      ctdb-daemon: Drop implementation of {GET,SET}_RECMASTER controls
      ctdb-protocol: Drop marshalling for {GET,SET}_RECMASTER controls
      ctdb-protocol: Mark {GET,SET}_RECMASTER controls obsolete
      ctdb-recoverd: Use race for cluster lock as election when lock is enabled
      ctdb-doc: Update documentation for leader and cluster lock
      ctdb-config: [cluster] recovery lock -> [cluster] cluster lock
      ctdb-config: [legacy] recmaster capability -> [cluster] leader capability
      ctdb-config: Add configuration option [cluster] leader timeout
      ctdb-tests: Support commenting out local daemons configuration options
      ctdb-tests: Improve test coverage for leader role yield and elections
      ctdb-doc: Update example configuration migration script
      ctdb-doc: Remove documentation for recovery process
      WHATSNEW: Document CTDB leader and cluster lock changes

Matthew Grant (4):
      libcli/dns: dns forwarder port doc changes
      lib/tsocket: new function to parse host port strs.
      libcli/dns: smb.conf dns forwarder port support
      libcli/dns.c: dns forwarder port test changes

Michael Adam (1):
      lib:cmdline: fix a comment

Nadezhda Ivanova (2):
      CVE-2020-25722: s4-acl: test Control Access Rights honor the Applies-to attribute
      CVE-2020-25722: s4-acl: Make sure Control Access Rights honor the Applies-to attribute

Nicolas Williams (1):
      krb5: Fix PAC signature leak affecting KDC

Noel Power (3):
      s4: torture: CHECK ret value and fail if false
      s3: smbd: In setup_close_full_information() the posix_open parameter is not needed anymore.
      s3: smbd: In stat_cache_lookup(), remove unused posix_paths param.

Pavel Filipenský (23):
      krb5_wrap: remove unused code
      s3:winbindd: Fix winbindd child logfile name handling
      docs-xml: Update winbindd(8) manpage
      s3:librpc: Improve calling of krb5_kt_end_seq_get()
      s3:modules: VFS CAP symlinkat always fails
      s3:modules: Fix the horrible vfs_crossrename module
      s3:smbd: Fix trailing whitespaces in dosmode.c
      s3:smbd: Fix dereferencing null pointer "fsp"
      s3:rpc_server: Fix possible NULL dereference
      ctdb:utils: Improve error handling of hex_decode()
      s3:libnet: Fix dead code in libnet_join.c
      s3:libnet: Fix dereference of NULL win7
      s3:modules: Fix possible dereference of NULL for fio
      s3:utils: set ads->auth.flags using krb5_state
      s3:libads: Remove trailing spaces from sasl.c
      s3:libads: Disable NTLMSSP for FIPS
      s3:libads: Improve debug messages for SASL bind
      s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
      tests: Add test for disabling NTLMSSP for ldap client connections
      s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
      s3:winbindd: Remove trailing spaces from winbindd_ads.c
      s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
      s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

Ralph Boehme (104):
      smbd: drop requirement for full open for READ_CONTROL_ACCESS, WRITE_DAC_ACCESS and WRITE_OWNER_ACCESS
      smbd: only open full fd for directories if needed
      selftest: add a test for the "deadtime" parameter
      s3/rpc_server: track the number of policy handles with a talloc destructor
      libreplace: properly give headers to conf.CHECK_CODE when checking for copy_file_range_syscall
      libreplace: properly execute SYS_copy_file_range check
      vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range()
      libreplace: remove now unused USE_COPY_FILE_RANGE define
      s3/lib/dbwrap: check if global_messaging_context() succeeded
      registry: check for running as root in clustering mode
      smbd: avoid calling creating a pathref in smb_set_file_dosmode()
      vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
      vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
      vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
      vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
      vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
      vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
      vfs_gpfs: deal with pathref fsps in vfs_gpfs_fntimes()
      vfs_gpfs: pass fsp to smbd_gpfs_set_times()
      vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fntimes()
      lib/gpfswrap: add gpfs_set_times_path() wrapper
      vfs_gpfs: deal with pathrefs fsps in smbd_gpfs_set_times()
      winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
      winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
      lib/cmdline: add POPT_COMMON_DAEMON daemon popt options
      lib/cmdline: restore pre-4.15 logging behaviour for daemons
      smbd: use POPT_COMMON_DAEMON
      nmbd: use POPT_COMMON_DAEMON
      winbindd: use POPT_COMMON_DAEMON
      s4/samba: POPT_COMMON_DAEMON
      lib/replace: drop runtime copy_file_range() check
      selftest: fix ---configfile option
      manpages: remove duplicate options from smbclient
      lib/cmdline: restore s3 option name --max-protocol for MAXPROTOCOL from 4.14
      selftest: remove unsupported smbcacls option --get
      texpect: don't ignore unknown options
      smbstatus: don't ignore unknown options
      s4/smbclient: don't ignore unknown options
      nmblookup: don't ignore unknown options
      source3/lib/smbconf: don't ignore unknown options
      s3/param: don't ignore unknown options
      rpcclient: don't ignore unknown options
      pdbtest: don't ignore unknown options
      vfstest: don't ignore unknown options
      s3/async-tracker: don't ignore unknown options
      log2pcaphex: don't ignore unknown options
      mvxattr: don't ignore unknown options
      nmblookup: don't ignore unknown options
      ntlm_auth: don't ignore unknown options
      pdbedit: don't ignore unknown options
      profiles: don't ignore unknown options
      regedit: don't ignore unknown options
      sharesec: don't ignore unknown options
      smbcacls: don't ignore unknown options
      smbcquotas: don't ignore unknown options
      smbget: don't ignore unknown options
      smbtree: don't ignore unknown options
      split_tokens: don't ignore unknown options
      testparm: don't ignore unknown options
      s4/cifsdd: don't ignore unknown options
      s4/regdiff: don't ignore unknown options
      s4/regpatch: don't ignore unknown options
      s4/regshell: don't ignore unknown options
      s4/regtree: don't ignore unknown options
      s4/torture/gentest: don't ignore unknown options
      s4/torture/locktest: don't ignore unknown options
      s4/torture/masktest: don't ignore unknown options
      vfs_btrfs: fix btrfs_fget_compression()
      smbd: fix "ea support = no"
      registry: skip root check when running with uid-wrapper enabled
      idl: declare token array of storage_offload_token as in-line
      vfs: Add flags and xferlen args to SMB_VFS_OFFLOAD_READ_RECV
      lib: add sys_block_align[_truncate]()
      vfs: add and use a few SMB_VFS_ODX defines
      ctdb-scripts: filter out comments in public_addresses file
      ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
      selftest: add a test ignored spotlight/elasticsearch mapping failures
      mdssvc: prepare for ignore attribute and type mapping errors
      mdssvc: add options to allow ignoring attribute and type mapping errors
      docs: document new Spotlight Elasticsearch options
      lib: add NTTIME_THAW
      lib: fix null_nttime() tests
      lib: use NTTIME_FREEZE in a null_nttime() test
      lib: update null_nttime() of -1: -1 is NTTIME_FREEZE
      lib: add a test for null_nttime(NTTIME_THAW)
      torture: add a test for NTTIME_FREEZE and NTTIME_THAW
      lib: handle NTTIME_THAW in nt_time_to_full_timespec()
      vfs_fruit: remove a fsp check from ad_fset()
      smbd: early out in is_visible_fsp()
      CI: add a test for bug 14882
      lib/dbwrap: reset deleted record to tdb_null
      CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
      source3: move lib/substitute.c functions out of proto.h
      samba-bgqd: fix startup and logging
      winbindd: remove is_default_dyn_LOGFILEBASE() logic
      lib/debug: fix fd check before dup'ing to stderr
      lib/debug: in debug_set_logfile() call reopen_logs_internal()
      lib/cmdline: fix indentation
      lib/cmdline: remember config_type in samba_cmdline_init()
      lib/cmdline: setup default file logging for servers
      smbd: get rid of get_file_handle_for_metadata()
      CVE-2020-25717: s3-auth: fix MIT Realm regression
      smbd: s3-dsgetdcname: handle num_ips == 0
      docs: fix documentation for default of "fruit:zero_file_id"

Samuel Cabrero (8):
      s3: rpc_server: Avoid creating new handles when received an empty policy_handle
      pidl:NDR/ServerCompat.pm: Do not register disabled services
      librpc:core: Add a function to register an interface passing the binding handle
      s3:rpc_server: Do not use the default ncalrpc endpoint for external services
      CVE-2020-25717: loadparm: Add new parameter "min domain uid"
      CVE-2020-25717: selftest: Add ad_member_no_nss_wb environment
      CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
      CVE-2020-25717: s3:auth: Check minimum domain uid

Stefan Metzmacher (154):
      gnutls: allow gnutls_aead_cipher_encryptv2 with gcm before 3.6.15
      s4:torture/smb2: add tests to check all signing and encryption algorithms
      s3:smbd: really support AES-256* in the server
      winbindd_pam: add NT4 DC handling into winbind_samlogon_retry_loop()
      s3:libsmb: start encryption as soon as possible after the session setup
      s3:libsmb: close the temporary IPC$ connection in cli_full_connection()
      wafsamba: add support git worktree to vcs_dir_contents()
      script/bisect-test.py: add support git worktree
      wscript: fix installing pre-commit with 'git worktree'
      wafsamba: always generate compile_commands.json again, but only when the samba dependencies changed
      vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
      docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values
      lib/cmdline: fix --configfile handling of POPT_COMMON_CONFIG_ONLY used by ntlm_auth
      smbclient: don't ignore unknown options
      libcli/smb: use MID=0 for SMB2 Cancel with ASYNC_ID and legacy signing algorithms
      netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
      selftest/Samba3: remove unused close(USERMAP); calls
      selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
      s3/libsmb: check for global parametric option "libsmb:client_guid"
      CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
      CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings
      CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true
      CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true
      CVE-2020-25717: s4:torture: start with authoritative = 1
      CVE-2020-25717: s4:smb_server: start with authoritative = 1
      CVE-2020-25717: s4:auth_simple: start with authoritative = 1
      CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1
      CVE-2020-25717: s3:torture: start with authoritative = 1
      CVE-2020-25717: s3:rpcclient: start with authoritative = 1
      CVE-2020-25717: s3:auth: start with authoritative = 1
      CVE-2020-25717: auth/ntlmssp: start with authoritative = 1
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors
      CVE-2020-25717: s3:auth: we should not try to autocreate the guest account
      CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users
      CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()
      CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
      CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)
      CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal()
      CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac()
      CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo()
      CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid
      CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode
      CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument
      CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
      CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
      CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
      CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
      CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
      CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
      CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
      CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
      CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
      CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
      CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
      CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
      CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
      CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
      CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
      CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
      CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
      CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
      CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
      CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
      s3:winbindd: fix "allow trusted domains = no" regression
      CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
      script/autobuild.py: fix "nondevel" builds of 'samba-libs'
      wafsamba: mark SAMBA_MODULE() with private_library=True
      wafsamba: fix '--private-libraries' option when using 'ALL,!something'
      wafsamba: SAMBA_GENERATOR() should not alter the callers dep_vars
      wafsamba: remove unused private_library argument of PRIVATE_NAME()
      wafsamba: use private extentions also for bundled public libraries
      wafsamba: the symbol version string of private libraries should be based on the toplevel project
      wafsamba: assert for *.sigs source files in abi_build_vscript()
      wafsamba: add SAMBA_SUBSYSTEM(force_empty=False)
      wafsamba: let reduce_objects() not remove duplicates of BUILTINS even if there are more than one
      wafsamba: introduce require_builtin_deps/provide_builtin_linking/builtin_cflags to SAMBA_{SUBSYSTEM,LIBRARY}
      wafsamba: introduce SAMBA[3]_PLUGIN()
      wafsamba: allow SAMBA_LIBRARY() to get and use original 'version-script.map' for private libraries
      heimdal_build: remove unused cflags argument of HEIMDAL_LIBRARY()
      heimdal_build: avoid using hardcoded vnum values passed to HEIMDAL_LIBRARY()
      heimdal_build: let HEIMDAL_LIBRARY() use SAMBA_LIBRARY()
      libwbclient: fix strict-overflow warning in wbcSidToString()
      s3:utils: remove notify_msg.c from smbstatus sources
      s3:ntlm_auth: use wbcRequestResponse[Priv]() instead of winbindd_request_response()
      s4:torture/winbind: use wbcRequestResponse() instead of winbindd_request_response()
      nsswitch: move winbindd_free_response() as inline function to winbind_struct_protocol.h
      nsswitch/wbinfo: use wbcRequestResponse() instead of winbindd_request_response()
      nsswitch: explicitly mark magic krb5 plugin symbols as _PUBLIC_
      nsswitch: explicitly mark PAM_EXTERN pam_sm_* symbols as _PUBLIC_
      nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
      nsswitch: explicitly mark nss_module_register() _PUBLIC_ on FreeBSD
      nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_
      lib/replace: use dlsym(RTLD_DEFAULT,) for {nss,nss_host,uid,socket}_wrapper_enabled()
      nsswitch: reduce dependecies to private libraries and link static/builtin if possible
      script/autobuild.py: make sure nss and pam plugins don't link any samba libraries
      script/autobuild.py: make sure nss, pam and krb5 plugins don't provide unexpected symbols
      vfs_not_implemented: mark all functions with _PUBLIC_
      s4:samba: split out a samba_service_init() helper function
      heimdal_build: consistently pass extra_cflags=cflags to HEIMDAL_CFLAGS()
      libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon*
      s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE
      smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes
      smb2_server: decouple IOCTL check from signing/encryption states
      smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO
      s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL
      smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done()
      s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids
      smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids
      s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share
      smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO
      auth/credentials: Handle ENOENT when obtaining ccache lifetime
      auth/credentials: Fix cli_credentials_shallow_ccache error case
      Revert "python:tests: Don't require an emtpy 'authorization-data' to be present"
      dsdb/common: add dsdb_dc_functional_level() helper
      s4:rpc_server/dnsserver: make use of dsdb_dc_functional_level()
      dsdb/netlogon: make use of dsdb_dc_functional_level() in fill_netlogon_samlogon_response()
      s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
      selftest/Samba3: enable SMB1 for maptoguest
      s4:torture/libsmbclient: add libsmbclient.noanon_list test
      s4:selftest: run libsmbclient.noanon_list against maptoguest
      s3:libsmb: fix signing regression SMBC_server_internal()
      Happy New Year 2022!
      auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
      s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
      libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
      libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore invalid netapp requests
      s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
      auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
      s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack
      s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
      dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook
      dsdb/schema: fix Object(OR-Name) syntax definition
      dsdb/common: dsdb_dn_construct_internal() more strict checking
      dsdb/schema: add no memory checks for {ldb,dsdb}_dn_get_extended_linearized()
      dsdb/schema: let dsdb_syntax_DN_BINARY_drsuapi_to_ldb return WERR_DS_INVALID_ATTRIBUTE_SYNTAX
      s4:heimdal_build: make version_script optional to HEIMDAL_LIBRARY()
      s4:torture: check for pac_blob==NULL in test_generate_session_info_pac() functions
      s4:auth: debug make_user_info_dc_pac() failures in kerberos_pac_to_user_info_dc()
      s4:kdc: improve DEBUG messages in samba_wdc_reget_pac2()
      s4:heimdal_build: include heimdal headers relative to heimdal_build
      s4:heimdal: import lorikeet-heimdal-202201172009 (commit 5a0b45cd723628b3690ea848548b05771c40f14e)
      tests/auth_log: adjust expected authDescription for test_smb_bad_user
      s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
      selftest: set [libdefaults] fcache_strict_checking = false
      HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
      s4:dsdb/paged_results: fix segfault in paged_results()
      s4:dsdb/vlv_pagination: fix segfault in vlv_results()
      bootstrap: use compat-gnutls37-devel for centos7
      wafsamba: Remove clangdb code which doesn't work
      wafsamba: Add our own implmentation to generate the clangdb
      tdb: version 1.4.6

Uri Simchoni (11):
      fuzzing/oss-fuzz: fix image build recipe for Ubuntu 20.04
      configure: allow configure script to accept parameters with spaces
      fuzzing/oss-fuzz: fix RPATH comments for post-Ubuntu-16.04 era
      fuzzing/oss-fuzz: fix samba build script for Ubuntu 20.04
      fuzzing/oss-fuzz: strip RUNPATH from dependencies
      gitlab-ci: run samba-fuzz autobuild target on Ubuntu 20.04-based image
      selftest: add a unit test for tsocket_address_inet_from_strings
      tsocket: set errno on some failures of tsocket_address_inet_from_strings
      WHATSNEW: document dns forwarder change
      selftest: add more tests for test_address_inet_from_strings
      selftest: test tsocket_address_inet_from_hostport_strings

Viktor Dukhovni (1):
      HEIMDAL:kdc: Fix transit path validation CVE-2017-6594

Volker Lendecke (234):
      samba-bgqd: Fix samba-bgqd with "clustering=yes"/"include=registry"
      docs: Add vfs_expand_msdfs manpage
      rpcclient: Align integer types
      lib: Fix a potential error path memleak
      lib;smbd: Fix the -Os build by initializing variables
      samdb: Fix an uninitialized variable read
      net3: Save a few lines with any_nt_status_not_ok()
      net3: Simplify name_to_sid(): dom_sid_parse checks for "S-" prefix
      net: Align some integer types
      libnetapi: Save lines with any_nt_status_not_ok()
      rpc_client: Simplify rpc_pipe_bind_step_one_done()
      rpc_client: Replace ZERO_STRUCTP with struct assignment
      rpc_client: Simplify create_rpc_bind_req()
      rpc_client: Save 65 .text bytes with -Os
      rpc_client: Avoid two casts with proper printf specifiers
      lib: Use TALLOC_FREE() in data_blob_free()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_chmod_ctx()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_open_ctx()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_read_ctx()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_splice_ctx()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_attr_server()
      libsmbclient: Avoid a call to SMBC_errno() in SMBC_notify_ctx()
      net: Use dbwrap_do_locked() in wipedbs_delete_records()
      smbd: Fix fetch_share_mode_send() error return
      smbd: Simplify mark_share_mode_disconnected()
      librpc: Simplify GUID_zero() with a direct struct return
      librpc: Simplify GUID_string2() by using GUID_buf_string()
      librpc: Simplify GUID_hexstring()
      rpc_server: Simplify open_np_file()
      rpc_server: Slightly simplify set_user_info_21()
      rpc_server: Slightly simplify set_user_info_18()
      rpc_server: Remove an unused function declaration
      rpc_server: Align integer types
      rpc_server: Simplify _samr_CreateUser2()
      rpc_server: Fix a comment
      lib: Improve comment wording
      rpc_client: Slightly simplify rpc_transport_np_init_pipe_open()
      libsmb: Fix a typo
      rpc_client: Fix a small memleak
      rpc_client: Early TALLOC_FREE() in prepare_verification_trailer()
      rpc_client: Slightly simplify rpc_api_pipe_req_send()
      rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions
      rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer()
      rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions
      rpc_client: Use struct init/assignment
      rpc_client: Use ndr_syntax_id_equal() in check_bind_response()
      rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions
      rpc_client: Adapt rpc_write_send() to tevent_req conventions
      winbind: Remove an unused include
      rpc_client: Simplify rpccli_bh_disconnect_recv()
      rpc_client: Use tevent_req_nterror() properly
      rpc_client: Avoid casts
      rpc_client: Simplify rpc_api_pipe_auth3_done()
      rpc_client: Simplify get_complete_frag_got_rest()
      rpc_client: Simplify get_complete_frag_got_header()
      rpc_client: Simplify get_complete_frag_got_header()
      rpc_client: Simplify get_complete_frag_send()
      torture: Remove rpc_open_tcp test program
      rpc_client: Make rpc_pipe_open_tcp() static
      rpc_client: Use tevent_req_nterror() properly in cli_api_pipe
      rpc_client: Align cli_api_pipe_send() with tevent_req() conventions
      winbindd: NULL-initialize a pointer
      rpcclient: Add unixinfo commands
      rpc_server3: Include the right "dcerpc.h" from a SAMBA_SUBSYSTEM
      auth: Simplify is_our_machine_account()
      auth: Fix a typo
      samba-tool: Fix a typo
      samba_dnsupdate: Fix deprecation warnings
      smbtorture: Fix epmapper.Map_full test
      debug: Remove "override_logfile"
      lib: Simplify sid_linearize()
      samba-bgqd: Enable smbcontrol pool-usage
      rpc_server4: Fix a typo
      winbind: Fix a typo
      lib: Add required #includes
      lib: Give util_specialsids.c its own prototype header
      lib: Avoid an "includes.h"
      samba-bgqd: Convert closeall_*() to closefrom_*()
      lib: Move closefrom_except*() to a separate file
      libcli: Remove unused security_token_is_sid_string()
      rpc_server: Move a type check in dcesrv_handle_lookup()
      rpc_server: Simplify dcesrv_handle_lookup()
      mdssvc: Use ndr_policy_handle_empty()
      smbd: Make SID_SAMBA_SMB3 a static SID
      rpc_server3: Avoid a literal number available as a constant
      lsa_server3: Align integer types
      smbd: Avoid ZERO_STRUCT() with a struct init
      samba: Save a line with TALLOC_FREE
      libcli: Remove unused security_token_has_sid_string()
      libcli: Introduce a helper variable in security_session_user_level()
      libcli: Simplify security_session_user_level()
      lib: Avoid a cast in a DBG statement
      lib: Simplify set_privileges with a struct initialization
      lib: Fix a typo in a DEBUG fn prefix by using DBG_
      idmap_script: Save a few lines with str_list_add_printf()
      libcli: Avoid an includes.h
      libcli: Align integer types
      rpc_server3: Remove unused fields from struct dcerpc_ncacn_conn
      winbind: Align an integer type
      lib: Add talloc_asprintf_addbuf()
      librpc: Use talloc_asprintf_addbuf() in dcerpc_binding_string()
      lib: Use talloc_asprintf_addbuf() in utok_string()
      winbind: Simplify winbindd_getsidaliases_recv()
      winbind: Simplify winbindd_getusersids_recv()
      winbind: Simplify winbindd_sids_to_xids_recv()
      dsdb: Simplify schema_attribute_description() & friends
      libcli: Simplify get_sec_mask_str()
      rpc_server3: Remove "pipes_struct->call_id"
      rpc_server3: Remove "pipes_struct->opnum"
      rpc_server3: Remove an outdated comment
      netlogon: Move netlogon_server_pipe_state to netlogon.idl
      rpc_server3: Use dcesrv_iface_state in netlogon3
      rpc_server3: Remove pipes_struct->private_data
      smbd: reopen logs on SIGHUP for notifyd and cleanupd
      smbd: Give smbXsrv_open.c its own header file
      smbd: Remove unused "struct connections_key"
      libsmb: Use cli_ntcreate in cli_chkpath
      smbclient: Use cli_checkpath in "cd" command
      libsmb: Remove "trans_oob()" macro
      libcli: "smb_util.h" needs "ntstatus.h"
      libsmb: Give reparse_symlink.c its own header
      libsmb: Introduce "struct symlink_reparse_struct"
      libsmb: Avoid a talloc_stackframe.c dependency
      libsmb: move reparse_symlink to libcli/smb/
      VFS: Fix a typo
      libcli: Remove NT_STATUS_INACCESSIBLE_SYSTEM_SHORTCUT error code
      lib: Fix a debug typo in g_lock.c
      dbwrap: Remove unused dbwrap_watched_wakeup()
      libsmb: Move cli_qfilename() to its only user in torture.c
      smb.conf.5: Fix a typo for "username map script"
      smbd: Fix a typo
      vfs: Fix a few typos
      libcli4: Remove outdated README file
      lib: Slightly tune cp_smb_filename_nostream()
      smbd: Move "struct fd_handle" into fd_handle.c
      vfs: Use cp_smb_filename_nostream() in vfswrap_parent_pathname()
      smbd: Fix typos
      smbd: Avoid casts
      smbd: Make sure we don't overwrite tmp_buf
      lib: Use a direct struct initialization
      smbd: Convert ret==false into !ret
      selftest: Add reproducer for bug 14908
      lib: Add required includes to source3/include/secrets.h
      cmdline: Add a callback to set the machine account details
      cmdline: Make -P work in clustered mode
      named_pipe_auth: Bump info4 to info5
      named_pipe_auth.idl: Add "need_idle_server"
      librpc: Add named_pipe_auth_req_info5->transport
      auth: Fix a typo in auth/gensec/ncalrpc.c
      librpc: Get transport out of tstream_npa_accept_existing_recv()
      rpc_server: Check info5->transport
      test: Prime the kpasswd server
      s3:services: Disable rcinit-based service control code
      s3:rpc_server: Remove direct registry access from svcctl_init_winreg
      s3:rpc_client: Bump debug level for ncalrpc connect error
      dcesrv_core: Add dcesrv_context_set_callbacks()
      backupkey.idl: Don't listen on \\pipe\ntsvcs
      dcesrv_core: Add dcesrv_loop_next_packet()
      idl: Define messages sent between samba-dcerpcd and rpcd's
      s3:rpc_server: Add samba-dcerpcd
      s3:rpc_client: Add local_np_connect()
      s3:rpc_server: Implement the rpcd_* helper-end of the samba-dcerpc protocol
      s3:rpc_client: Add rpc_pipe_open_local_np()
      smbcontrol: Add rpc-dump-status
      s3:printing: Move pcap_cache_loaded() to load.c
      unittest: Remove test_sambafs_srv_pipe
      s3:rpc_server: Make npa_state_init() public
      s3:winbind: Close internal RPC pipes after 5 idle seconds
      s3:rpc_server: Add samba-dcerpcd helper programs
      s3:rpc_server: Activate samba-dcerpcd
      printing: Remove "start_daemons" from printing_subsystem_init()
      s3:rpc_server: Delete unused code and doc references
      dcesrv_core: Remove unused dcesrv_reinit_context()
      configure: Check for __atomic_add_fetch() and __atomic_load()
      tdb: Use atomic operations for tdb_[increment|get]_seqnum
      tdb: Raw performance torture to beat tdb_increment_seqnum
      smbd: Fix a fd leak when closing a print file
      pysmbd: Fix file descriptor leaks
      vfs_commit: Reset fsp->fd->fd to -1 after SMB_VFS_CLOSE
      smbd: Replace SMB_VFS_CLOSE() calls with fd_close()
      smbd: Assert we don't leak fd's in struct fd_handle
      smbd: Save a few lines by using cp_smb_filename_nostream()
      smbd: Fix a few typos
      smbd: Move fast_string_hash() to mangle_hash.c, the only user
      smbd: Remove an unneeded anonymous struct declaration
      smbd: Avoid some casts
      lib: Avoid a cast
      Remove some unused code
      smbd: Avoid a DEBUGADD statement
      rpc_server3: Inline make_internal_ncacn_conn() into rpc_worker.c
      rpc_server3: Inline make_base_pipes_struct() into rpc_worker.c
      rpc_server3: Remove pipes_struct->local_address
      rpc_server3: Remove pipes_struct->remote_address
      rpc_server3: Inline make_base_pipes_struct()
      rpc_server3: Remove pipes_struct->pipe_bound
      rpc_server3: Remove pipes_struct->session_info
      rpc_server3: Remove pipes_struct->auth
      rpc_server3: No linked list for pipes_struct anymore
      winbind: Don't transfer a pointer that's NULL anyway
      rpc_server3: dcerpc_ncacn_conn->ev_ctx was only set but never used
      rpc_server3: Remove dcerpc_ncacn_conn->msg_ctx
      rpc_server3: Remove dcerpc_ncacn_conn->dce_ctx
      rpc_server3: Remove dcerpc_ncacn_conn->tstream
      rpc_server3: Remove dcerpc_ncacn_conn->remote_client_addr
      rpc_server3: Remove dcerpc_ncacn_conn->local_server_addr
      rpc_server3: Remove dcerpc_ncacn_conn->session_info
      rpc_server3: Inline pipes_struct into dcerpc_ncacn_conn
      rpc_server3: Inline single-use rpcint_binding_handle_ex()
      smbd: Modernize a DEBUG statement
      vfs: Modernize a DEBUG statement
      lib: Fix a typo
      test: Test rpcclient ncacn_ip_tcp:<ip-address>
      rpcclient: Fix ncacn_ip_tcp:<ip-address>
      ctdb-protocol: rindex->strrchr
      ctdb-protocol: Save 50 bytes .text segment
      ctdb-protocol: Allow rfc5952 "[2001:db8::1]:80" ipv6 notation
      profile3: remove an unused include
      printing: Save a few lines with str_list_add_printf()
      smbd: Save a few lines with str_list_add_printf()
      lib: Save a few lines with str_list_add_printf()
      lib: Save a few lines with str_list_add_printf()
      lib: Remove unused tstream_npa_socketpair()
      rpc_host: We have tevent_req_oom() for ENOMEM
      torture3: Align two integer types
      smbd: Fix a typo
      smbd: Align a few integer types
      libsmb: Avoid a cast
      net: Align a few integer types
      libads: Convert sitename_key() to talloc
      winbindd: Replace asprintf() with talloc_asprintf()
      lib: Remove unused asprintf_strupper_m()
      smbd: Remove a duplicate protoype
      libcli/dns: Fix TCP fallback
      build: Without getrandom() require gnutls 3.7.2

eaglegai (1):
      fix undefined-shift in put_res_rec fuzz error: ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 places cannot be represented in type 'int'

-----------------------------------------------------------------------


-- 
Samba Shared Repository


