[SCM] Samba Shared Repository - branch v4-17-stable updated

Stefan Metzmacher metze at samba.org
Wed Jul 27 13:06:11 UTC 2022


The branch, v4-17-stable has been updated
       via  3ddc9344c2f CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
       via  a60863458dc CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
       via  3029d9bf350 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
       via  958f2bce695 CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
       via  0d8995910f9 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
       via  6a10e890a08 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
       via  fc03cf9f454 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
       via  52dd9f8f835 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
       via  484c6980bef CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
       via  2d3bd2d9ab1 s4:kdc: Remove kadmin mode from HDB plugin
       via  827dc6a61e6 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
       via  09e54a7b1d1 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
       via  be239c71687 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
       via  bbad8f1de43 CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
       via  ffb599050ae CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
       via  018bdbc29db CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
       via  3e773a3954f CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
       via  c0282bbbc13 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
       via  186f0c6e486 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
       via  c6d93504911 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
       via  23a03911a7f CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
       via  a8068e32a02 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
       via  d6580f35724 s4:kpasswd: Restructure code for clarity
       via  ce3b7b27a37 CVE-2022-2031 s4:kpasswd: Require an initial ticket
       via  bbfbbb9f648 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
       via  e0c135e6c14 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
       via  4e2e767a78b CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
       via  f89e5eff5f5 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
       via  1f7d94b5fce CVE-2022-2031 s4:kpasswd: Correctly generate error strings
       via  86698b313e7 CVE-2022-2031 tests/krb5: Add tests for kpasswd service
       via  192d597c2f2 CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
       via  4212037a6a3 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
       via  6a2ec50bfdb CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
       via  332fd6032a8 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
       via  1e80767c1d2 tests/krb5: Add option for creating accounts with expired passwords
       via  2bb1f40b9a4 tests/krb5: Fix enum typo
       via  18bd6dafb57 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
       via  888d58f4334 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
       via  a5a2fc4259c CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
       via  48eb3354c5f CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
       via  ebccd0440aa CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
       via  a118881f4fb CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
       via  f152afa74e8 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
       via  714cadfc404 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
       via  b423c370b9b CVE-2022-2031 s4:kpasswd: Account for missing target principal
       via  2872ccc931c CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
       via  9881491023e CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
       via  aa728dfcc96 CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
       via  4a31c48057e CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
       via  4ec784e0a91 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
       via  f4eb4e6478d CVE-2022-32746 ldb: Release LDB 2.6.1
       via  0a3aa5f908e CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
       via  df487eb2d71 CVE-2022-32746 ldb: Add functions for appending to an ldb_message
       via  a2bb5beee82 CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
       via  7efe8182c16 CVE-2022-32746 ldb: Add flag to mark message element values as shared
       via  3e4439565b6 CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  e8ebdb99369 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  e3b00264135 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  41b1fe6d4ae CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  99b805e4cbe CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
       via  64258fd8b12 CVE-2022-32746 s4:torture: Fix LDB flags comparison
       via  d178a061405 CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
       via  852a79c63c9 CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
       via  a45ba891829 CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
      from  d5c7e2e2738 s3:dbwrap_watch: call dbwrap_watched_trigger_wakeup() outside of the low level record lock

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-stable


- Log -----------------------------------------------------------------
commit 3ddc9344c2fa7461336899fbddb0bb80995e9170
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 7 09:53:08 2022 -0700

    CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
    
    Fixes the raw.write.bad-write test.
    
    NB. We need the two (==0) changes in source3/smbd/smb2_reply.c
    as the gcc optimizer now knows that the return from
    smbreq_bufrem() can never be less than zero.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
    
    Remove knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    
    Autobuild-User(master): Jule Anger <janger at samba.org>
    Autobuild-Date(master): Wed Jul 27 11:46:46 UTC 2022 on sn-devel-184

commit a60863458dc6b60a09aa8d31fada6c36f5043c76
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 7 09:40:45 2022 -0700

    CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
    
    Reproduces the test code in:
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
    
    Add knownfail.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: David Disseldorp <ddiss at samba.org>

commit 3029d9bf350e2ab34514975452def269efc3ed96
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 23 13:59:11 2022 +1200

    CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
    
    We ensure that the KDC does not reject a TGS-REQ with our short-lived
    TGT over an incoming trust.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 958f2bce695c3721a23cd7e81575da181be83828
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:53 2022 +1200

    CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
    
    If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
    authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
    are not supposed to be cached, but using this flaw, a stolen credentials
    cache containing a TGT may be used to change that account's password,
    and thus is made more valuable to an attacker.
    
    Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
    service tickets without it, we assert the absence of this buffer to
    ensure we're not accepting a TGT.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0d8995910f9846d38f705abcaa19dede98294f58
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:35 2022 +1200

    CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
    
    We use the presence or absence of a REQUESTER_SID PAC buffer to
    determine whether the ticket is a TGT. We will later use this to reject
    TGTs where a service ticket is expected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6a10e890a086b4dc05d460ef3e0c2cd9cd8f1f42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:18:07 2022 +1200

    CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
    
    This field may be used to convey whether we were provided with a TGT or
    a non-TGT. We ensure both structures are zeroed out to avoid incorrect
    results being produced by an uninitialised field.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit fc03cf9f4547bf8164f61138d0211b866d36a956
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 10 19:17:11 2022 +1200

    CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
    
    The kpasswd service should require a kpasswd service ticket, and
    disallow TGTs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 52dd9f8f835bc23415ec51dcc344478497e208c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:16:02 2022 +1200

    CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
    
    To ensure that, when decrypting the kpasswd ticket, we look up the
    correct principal and don't trust the sname from the ticket, we should
    pass the principal name of the kpasswd service into krb5_rd_req_ctx().
    However, gensec_krb5_update_internal() will pass in NULL unless the
    principal in our credentials is CRED_SPECIFIED.
    
    At present, our principal will be considered obtained as CRED_SMB_CONF
    (from the cli_credentials_set_conf() a few lines up), so we explicitly
    set the realm again, but this time as CRED_SPECIFIED. Now the value of
    server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
    be NULL.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 484c6980befb86f7d81d708829ed4ceb819538eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:39:20 2022 +1200

    CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
    
    This plugin is now only used by the kpasswd service. Thus, ensuring we
    only look up the kadmin/changepw principal means we can't be fooled into
    accepting tickets for other service principals. We make sure not to
    specify a specific kvno, to ensure that we do not accept RODC-issued
    tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2d3bd2d9ab16732d936da58109f7c977505dccd7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 8 13:53:29 2022 +1200

    s4:kdc: Remove kadmin mode from HDB plugin
    
    It appears we no longer require it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 827dc6a61e6bd01531da0cc8e10f1e54ad400359
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:36:30 2022 +1200

    CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
    
    This makes explicitly clear the purpose of this keytab.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 09e54a7b1d18f2fdb3ebe47dadcea12c52bd8810
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 25 20:00:55 2022 +1200

    CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
    
    We would only compare the first 'n' characters, where 'n' is the length
    of the principal component string, so 'k at REALM' would erroneously be
    considered equal to 'krbtgt at REALM'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit be239c716874aadea7591fbe06652c449a350c3a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 15:23:55 2022 +1200

    CVE-2022-2031 tests/krb5: Test truncated forms of server principals
    
    We should not be able to use krb at REALM instead of krbtgt at REALM.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit bbad8f1de43d643e20f1a71c3466f08ed7c9d480
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 17:52:05 2022 +1200

    CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
    
    A fallback in krb5_rd_req_ctx() means that Samba's kpasswd service will
    try many inappropriate keys to decrypt the ticket supplied to it. For
    example, it will accept a ticket encrypted with the Administrator's key,
    when it should rather accept only tickets encrypted with the krbtgt's
    key (and not an RODC krbtgt). To fix this, declare the HDB keytab using
    the HDBGET ops, which do not support iteration.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ffb599050ae2c1b9d0746addfdac1e41866aa819
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:18:17 2022 +1200

    CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
    
    For Heimdal, this now matches the behaviour of Windows. The object of
    this requirement is to ensure we don't allow kpasswd tickets, not having
    a lifetime of more than two minutes, to be passed off as TGTs.
    
    An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
    suffices to prevent kpasswd ticket misuse, so this is just an additional
    precaution on top.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 018bdbc29db035e14019f0f58aba035cc86b534e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 22 20:01:12 2022 +1200

    CVE-2022-2031 third_party/heimdal: Add function to get current KDC time
    
    This allows the plugin to check the endtime of a ticket against the
    KDC's current time, to see if the ticket will expire in the next two
    minutes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 3e773a3954ff95c4ec9daeedf2739a5edd81e8dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 17:53:49 2022 +1200

    CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
    
    This matches the behaviour of Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c0282bbbc132f0409d97f5745ad34eec99176f5d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:56:01 2022 +1200

    CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
    
    Since this principal goes through the samba_kdc_fetch_server() path,
    setting the canonicalisation flag would cause the principal to be
    replaced with the sAMAccountName; this meant requests to
    kadmin/changepw at REALM would result in a ticket to krbtgt at REALM. Now we
    properly handle canonicalisation for the kadmin/changepw principal.
    
    View with 'git show -b'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 186f0c6e4869237acb296bd17c5de0102f0653ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 25 17:19:58 2022 +1200

    CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
    
    This eliminates some duplicate branches.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit c6d93504911696ee1062d87d5a8108c65f5b9f3e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:56:01 2022 +1200

    CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 23a03911a7fd65d4c2f0e6f2c7da646d079b2923
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 24 09:54:18 2022 +0200

    CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit a8068e32a02d4f399f91c41427778d588b2b7b6a
Author: Andreas Schneider <asn at samba.org>
Date:   Thu May 19 16:35:28 2022 +0200

    CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit d6580f35724a3b1202b77f607fa4e9d342d62b8a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 17:11:49 2022 +1200

    s4:kpasswd: Restructure code for clarity
    
    View with 'git show -b'.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ce3b7b27a370e1f1299e8a60bf776082e2057a87
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:52:41 2022 +1200

    CVE-2022-2031 s4:kpasswd: Require an initial ticket
    
    Ensure that for password changes the client uses an AS-REQ to get the
    ticket to kpasswd, and not a TGS-REQ.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit bbfbbb9f6483d113c7b428109ee00c1c1aab4b02
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:06:31 2022 +1200

    CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
    
    This will be used in the kpasswd service to ensure that the client has
    an initial ticket to kadmin/changepw, and not a service ticket.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit e0c135e6c146b4bbbfbf9642c1b9c2d05c091963
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:49:43 2022 +1200

    CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
    
    If we attempt to return an error code outside of Heimdal's allowed range
    [KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
    error, and the error text will be set to the meaningless result of
    krb5_get_error_message(). Avoid this by ensuring the error code is in
    the correct range.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4e2e767a78b5e94ecc8833ea6cd05f875c37dfed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:29:34 2022 +1200

    CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
    
    The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
    so we need to subtract that before creating the error. Heimdal does this
    internally, so it isn't needed there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f89e5eff5f5c910b06fab3d1a57fabd53b66f9f0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 16:48:59 2022 +1200

    CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1f7d94b5fcef8e2879f5fe19b9e2bbb979ab7a96
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:21:06 2022 +1200

    CVE-2022-2031 s4:kpasswd: Correctly generate error strings
    
    The error_data we create already has an explicit length, and should not
    be zero-terminated, so we omit the trailing null byte. Previously,
    Heimdal builds would leave a superfluous trailing null byte on error
    strings, while MIT builds would omit the final character.
    
    The two bytes added to the string's length are for the prepended error
    code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 86698b313e74c37ba75da22d69b740b812b1c10c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:59:16 2022 +1200

    CVE-2022-2031 tests/krb5: Add tests for kpasswd service
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 192d597c2f2025845c3cd478fab9d72299c075bd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 31 19:23:06 2022 +1200

    CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
    
    With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
    tickets to principals such as kpasswd/changepw, as they are encrypted
    with the krbtgt's key.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4212037a6a37080206c8459920087b1a113c3fb5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:35:03 2022 +1200

    CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6a2ec50bfdb1b1178e764c6395e6220a1400c51f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:57:57 2022 +1200

    CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
    
    Now we can test the kpasswd service from Python.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 332fd6032a8a9ccc482c5df4eff82a7d24e5a7ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:34:59 2022 +1200

    CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1e80767c1d29ec7c2466622c386786931afb76e0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:30:12 2022 +1200

    tests/krb5: Add option for creating accounts with expired passwords
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2bb1f40b9a46d36af5604b1ac69079ad066b42fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:26:56 2022 +1200

    tests/krb5: Fix enum typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 18bd6dafb576a58440d5c4ba6fff86dfe510bd98
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:20:28 2022 +1200

    CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
    
    This allows us to send and receive kpasswd messages, while avoiding the
    existing logic for encoding and decoding other Kerberos message types.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 888d58f43344afd6c199cd62be5e56f0f6174720
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:21:37 2022 +1200

    CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
    
    This allows us to use the kpasswd port, 464.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a5a2fc4259ccdd9409e604756e36ee380c30f896
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:17:45 2022 +1200

    CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 48eb3354c5f823715755c74a96f34c7607e400d3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:13:54 2022 +1200

    CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ebccd0440aa6739a46e057dac738dc13a7d9a42a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue May 24 19:06:53 2022 +1200

    CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a118881f4fbbc926566b359ef944369ab948d5de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 20:52:04 2022 +1200

    CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
    
    This allows us to make use of it in other tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f152afa74e8ea118e1ff1e526b3855aaaa5e575c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu May 26 16:34:01 2022 +1200

    CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
    
    The environment variable is a string, but we expect an integer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 714cadfc4049454d76e37932377cfa3d9a6f464d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 30 19:17:41 2022 +1200

    CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
    
    The target principal and realm fields of the setpw structure are
    supposed to be optional, but in MIT Kerberos they are mandatory. For
    better compatibility and ease of testing, fall back to parsing the
    simpler (containing only the new password) structure if the MIT function
    fails to decode it.
    
    Although the target principal and realm fields should be optional, one
    is not supposed to specified without the other, so we don't have to deal
    with the case where only one is specified.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b423c370b9b0f2350f0cc46f0bcb9a3ad57a0fe6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri May 27 19:17:02 2022 +1200

    CVE-2022-2031 s4:kpasswd: Account for missing target principal
    
    This field is supposed to be optional.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2872ccc931c9b601807f91cadc614dcf7c174c8f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jun 16 15:32:49 2022 +1200

    CVE-2022-2031 third_party/heimdal: Check generate_pac() return code
    
    If the function fails, we should not issue a ticket missing the PAC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 9881491023eb1ece27bd7a24ed41902bb15dbff2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 3 16:16:31 2022 +1200

    CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
    
    To use memcpy(), we need to specify the number of bytes to copy, rather
    than the number of ldb_val structures.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit aa728dfcc9684748818412231e865fbd9112b565
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 17 11:13:38 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
    
    Doing so is undefined behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Feb 17 11:11:53 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
    
    Currently, we can crash the server by sending a large number of values
    of a specific attribute (such as sAMAccountName) spread across a few
    message elements. If val_count is larger than the total number of
    elements, we get an access beyond the elements array.
    
    Similarly, we can include unrelated message elements prior to the
    message elements of the attribute in question, so that not all of the
    attribute's values are copied into the returned elements values array.
    This can cause the server to access uninitialised data, likely resulting
    in a crash or unexpected behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 4ec784e0a91e572801a47be36a1729b92cb4140b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 17:03:10 2022 +1300

    CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
    
    This avoids potentially trying to access the first element of an empty
    array.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit f4eb4e6478db2b41acf426a7a6ba2e7130b69b29
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jun 14 15:43:26 2022 +1200

    CVE-2022-32746 ldb: Release LDB 2.6.1
    
    * CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 0a3aa5f908e351201dc9c4d4807b09ed9eedff77
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 16:27:37 2022 +1300

    CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
    
    This aims to minimise usage of the error-prone pattern of searching for
    a just-added message element in order to make modifications to it (and
    potentially finding the wrong element).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit df487eb2d713e817660dd3b56bb26ba715fadfea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 16:30:03 2022 +1300

    CVE-2022-32746 ldb: Add functions for appending to an ldb_message
    
    Currently, there are many places where we use ldb_msg_add_empty() to add
    an empty element to a message, and then call ldb_msg_add_value() or
    similar to add values to that element. However, this performs an
    unnecessary search of the message's elements to locate the new element.
    Moreover, if an element with the same attribute name already exists
    earlier in the message, the values will be added to that element,
    instead of to the intended newly added element.
    
    A similar pattern exists where we add values to a message, and then call
    ldb_msg_find_element() to locate that message element and sets its flags
    to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
    search, and may locate the wrong message element for setting the flags.
    
    To avoid these problems, add functions for appending a value to a
    message, so that a particular value can be added to the end of a message
    in a single operation.
    
    For ADD requests, it is important that no two message elements share the
    same attribute name, otherwise things will break. (Normally,
    ldb_msg_normalize() is called before processing the request to help
    ensure this.) Thus, we must be careful not to append an attribute to an
    ADD message, unless we are sure (e.g. through ldb_msg_find_element())
    that an existing element for that attribute is not present.
    
    These functions will be used in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit a2bb5beee82fd9c4c29decc07024057febeaf1b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 12:35:13 2022 +1300

    CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
    
    Using the newly added ldb flag, we can now detect when a message has
    been shallow-copied so that its elements share their values with the
    original message elements. Then when adding values to the copied
    message, we now make a copy of the shared values array first.
    
    This should prevent a use-after-free that occurred in LDB modules when
    new values were added to a shallow copy of a message by calling
    talloc_realloc() on the original values array, invalidating the 'values'
    pointer in the original message element. The original values pointer can
    later be used in the database audit logging module which logs database
    requests, and potentially cause a crash.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 7efe8182c165fbf17d2f88c173527a7a554e214b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 16:10:32 2022 +1300

    CVE-2022-32746 ldb: Add flag to mark message element values as shared
    
    When making a shallow copy of an ldb message, mark the message elements
    of the copy as sharing their values with the message elements in the
    original message.
    
    This flag value will be heeded in the next commit.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 3e4439565b655135246491a2b43f69817bf20161
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:12:39 2022 +1200

    CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit e8ebdb99369c8d073190e467d1ede0f5b938a284
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:11:33 2022 +1200

    CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit e3b002641357ab7ee447999a3ffad8512d2bbb9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 19:49:19 2022 +1200

    CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 16 12:43:52 2022 +1300

    CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
    
    Now unrelated flags will no longer affect the result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 99b805e4cbeec232c65adb1a6f3fb326b55c4496
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 15:22:47 2022 +1200

    CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (el->flags & LDB_FLAG_MOD_MASK) == 0
    
    which is only true if none of the LDB_FLAG_MOD_* values are set, so we
    would not successfully return if the element was a DELETE. Correct the
    expression to what it was intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 64258fd8b128970f0198b3f804311a0ca8fd48a1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 14:49:51 2022 +1200

    CVE-2022-32746 s4:torture: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (el->flags & LDB_FLAG_MOD_MASK) == 0
    
    which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
    the expression to what it was probably intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit d178a0614057e75c957a77607df34ad81d8f1207
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 14:41:02 2022 +1200

    CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
    
    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to
    
    (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0
    
    which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
    the expression to what it was probably intended to be.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 852a79c63c965b9861a1bd319948a51f116b7e9a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 21 15:37:15 2022 +1200

    CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
    
    If an account has an SPN that requires Write Property to set, we should
    still be able to delete it with just Validated Write.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit a45ba891829b2f76a7d92998b8d96d7096e03c38
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 14 21:09:53 2022 +1200

    CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_sam_reply.c                              |    2 +-
 auth/auth_util.c                                   |    2 +-
 lib/krb5_wrap/krb5_samba.c                         |    2 +-
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.6.1.sigs}     |    8 +
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.6.1.sigs} |    0
 lib/ldb/common/ldb_msg.c                           |  260 ++++-
 lib/ldb/include/ldb.h                              |   30 +
 lib/ldb/include/ldb_module.h                       |    6 +
 lib/ldb/ldb_map/ldb_map.c                          |    5 +-
 lib/ldb/ldb_map/ldb_map_inbound.c                  |    9 +-
 lib/ldb/modules/rdn_name.c                         |   24 +-
 lib/ldb/wscript                                    |    2 +-
 librpc/idl/auth.idl                                |   23 +
 python/samba/tests/krb5/as_req_tests.py            |   30 +-
 python/samba/tests/krb5/kdc_base_test.py           |  126 ++-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   84 --
 python/samba/tests/krb5/kpasswd_tests.py           | 1049 ++++++++++++++++++++
 python/samba/tests/krb5/raw_testcase.py            |  453 ++++++++-
 python/samba/tests/krb5/rfc4120.asn1               |    6 +
 python/samba/tests/krb5/rfc4120_constants.py       |   13 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |   13 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_mit_kdc                         |    6 +
 source3/include/smb_macros.h                       |    2 +-
 source3/passdb/pdb_samba_dsdb.c                    |   14 +-
 source3/smbd/smb2_reply.c                          |    4 +-
 source4/auth/gensec/gensec_krb5.c                  |   20 +-
 source4/auth/gensec/gensec_krb5_helpers.c          |   72 ++
 .../auth/gensec/gensec_krb5_helpers.h              |   25 +-
 .../auth/gensec/gensec_krb5_internal.h             |   37 +-
 source4/auth/gensec/wscript_build                  |    4 +
 source4/auth/kerberos/kerberos_pac.c               |   44 +
 source4/auth/ntlm/auth_developer.c                 |    2 +-
 source4/auth/sam.c                                 |    2 +-
 source4/auth/session.c                             |    2 +
 source4/auth/system_session.c                      |    6 +-
 source4/dns_server/dnsserver_common.c              |   12 +-
 source4/dsdb/common/util.c                         |  134 ++-
 source4/dsdb/samdb/ldb_modules/acl.c               |    5 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c        |   10 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |    2 +-
 source4/dsdb/samdb/ldb_modules/objectguid.c        |   20 +-
 source4/dsdb/samdb/ldb_modules/partition.c         |    4 +-
 source4/dsdb/samdb/ldb_modules/partition_init.c    |   14 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |   32 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |   82 +-
 .../dsdb/samdb/ldb_modules/tombstone_reanimate.c   |   16 +-
 source4/dsdb/samdb/ldb_modules/util.c              |   14 +-
 source4/dsdb/tests/python/acl.py                   |   26 +
 source4/kdc/db-glue.c                              |  242 +++--
 source4/kdc/hdb-samba4-plugin.c                    |   37 +-
 source4/kdc/hdb-samba4.c                           |   66 ++
 source4/kdc/kdc-glue.h                             |    3 +
 source4/kdc/kdc-heimdal.c                          |    6 +-
 source4/kdc/kdc-server.h                           |    2 +-
 source4/kdc/kdc-service-mit.c                      |    4 +-
 source4/kdc/kpasswd-helper.c                       |   33 +-
 source4/kdc/kpasswd-helper.h                       |    2 +
 source4/kdc/kpasswd-service-heimdal.c              |   76 +-
 source4/kdc/kpasswd-service-mit.c                  |  146 ++-
 source4/kdc/kpasswd-service.c                      |   36 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c         |    1 -
 source4/kdc/samba_kdc.h                            |    2 +
 source4/kdc/wdc-samba4.c                           |   26 +
 source4/kdc/wscript_build                          |    1 +
 source4/lib/registry/ldb.c                         |    2 +-
 source4/nbt_server/wins/winsdb.c                   |   13 +-
 source4/rpc_server/lsa/dcesrv_lsa.c                |   55 +-
 source4/selftest/tests.py                          |   11 +
 source4/torture/drs/rpc/dssync.c                   |    4 +-
 source4/torture/raw/write.c                        |   89 ++
 source4/winbind/idmap.c                            |   10 +-
 testprogs/blackbox/test_kinit_trusts_heimdal.sh    |    6 +-
 testprogs/blackbox/test_kpasswd_heimdal.sh         |   35 +-
 third_party/heimdal/kdc/kerberos5.c                |    4 +-
 third_party/heimdal/kdc/libkdc-exports.def         |    1 +
 third_party/heimdal/kdc/process.c                  |    6 +
 third_party/heimdal/kdc/version-script.map         |    1 +
 78 files changed, 3019 insertions(+), 660 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.6.1.sigs} (96%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.6.1.sigs} (100%)
 create mode 100755 python/samba/tests/krb5/kpasswd_tests.py
 create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c
 copy source3/include/srvstr.h => source4/auth/gensec/gensec_krb5_helpers.h (65%)
 copy libcli/smbreadline/smbreadline.h => source4/auth/gensec/gensec_krb5_internal.h (51%)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index fda014c87d5..173a5132964 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_LEVEL;
 	}
 
-	user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+	user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 
 	/*
diff --git a/auth/auth_util.c b/auth/auth_util.c
index fe01babd107..ec9094d0f15 100644
--- a/auth/auth_util.c
+++ b/auth/auth_util.c
@@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	dst = talloc(mem_ctx, struct auth_session_info);
+	dst = talloc_zero(mem_ctx, struct auth_session_info);
 	if (dst == NULL) {
 		DBG_ERR("talloc failed\n");
 		TALLOC_FREE(frame);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 2b9dc97a1bc..2873c386410 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context,
 		return code;
 	}
 
-	errpkt.error = error_code;
+	errpkt.error = error_code - ERROR_TABLE_BASE_krb5;
 
 	errpkt.text.length = 0;
 	if (e_text != NULL) {
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.6.1.sigs
similarity index 96%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.6.1.sigs
index 5049dc64ce1..40388d9e330 100644
--- a/lib/ldb/ABI/ldb-2.0.5.sigs
+++ b/lib/ldb/ABI/ldb-2.6.1.sigs
@@ -155,7 +155,14 @@ ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_d
 ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
 ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
 ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
 ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
 ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
 ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
 ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
@@ -163,6 +170,7 @@ ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
 ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
 ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
 ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
 ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
 ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.6.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.6.1.sigs
diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index 57dfc5a04c2..9cd7998e21c 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
 	return LDB_SUCCESS;
 }
 
+/*
+ * add a value to a message element
+ */
+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
+			      struct ldb_message_element *el,
+			      const struct ldb_val *val)
+{
+	struct ldb_val *vals;
+
+	if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+		/*
+		 * Another message is using this message element's values array,
+		 * so we don't want to make any modifications to the original
+		 * message, or potentially invalidate its own values by calling
+		 * talloc_realloc(). Make a copy instead.
+		 */
+		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+
+		vals = talloc_array(mem_ctx, struct ldb_val,
+				    el->num_values + 1);
+		if (vals == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		if (el->values != NULL) {
+			memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
+		}
+	} else {
+		vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
+				      el->num_values + 1);
+		if (vals == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+	}
+	el->values = vals;
+	el->values[el->num_values] = *val;
+	el->num_values++;
+
+	return LDB_SUCCESS;
+}
+
 /*
   add a value to a message
 */
@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		      struct ldb_message_element **return_el)
 {
 	struct ldb_message_element *el;
-	struct ldb_val *vals;
 	int ret;
 
 	el = ldb_msg_find_element(msg, attr_name);
@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
 		}
 	}
 
-	vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
-			      el->num_values+1);
-	if (!vals) {
-		return LDB_ERR_OPERATIONS_ERROR;
+	ret = ldb_msg_element_add_value(msg->elements, el, val);
+	if (ret != LDB_SUCCESS) {
+		return ret;
 	}
-	el->values = vals;
-	el->values[el->num_values] = *val;
-	el->num_values++;
 
 	if (return_el) {
 		*return_el = el;
@@ -473,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
 
 
 /*
-  add a string element to a message
+  add a string element to a message, specifying flags
 */
-int ldb_msg_add_string(struct ldb_message *msg,
-		       const char *attr_name, const char *str)
+int ldb_msg_add_string_flags(struct ldb_message *msg,
+			     const char *attr_name, const char *str,
+			     int flags)
 {
 	struct ldb_val val;
+	int ret;
+	struct ldb_message_element *el = NULL;
 
 	val.data = discard_const_p(uint8_t, str);
 	val.length = strlen(str);
@@ -488,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
 		return LDB_SUCCESS;
 	}
 
-	return ldb_msg_add_value(msg, attr_name, &val, NULL);
+	ret = ldb_msg_add_value(msg, attr_name, &val, &el);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (flags != 0) {
+		el->flags = flags;
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  add a string element to a message
+*/
+int ldb_msg_add_string(struct ldb_message *msg,
+		       const char *attr_name, const char *str)
+{
+	return ldb_msg_add_string_flags(msg, attr_name, str, 0);
 }
 
 /*
@@ -550,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
 	return ldb_msg_add_steal_value(msg, attr_name, &val);
 }
 
+static int ldb_msg_append_value_impl(struct ldb_message *msg,
+				     const char *attr_name,
+				     const struct ldb_val *val,
+				     int flags,
+				     struct ldb_message_element **return_el)
+{
+	struct ldb_message_element *el = NULL;
+	int ret;
+
+	ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = ldb_msg_element_add_value(msg->elements, el, val);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (return_el != NULL) {
+		*return_el = el;
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  append a value to a message
+*/
+int ldb_msg_append_value(struct ldb_message *msg,
+			 const char *attr_name,
+			 const struct ldb_val *val,
+			 int flags)
+{
+	return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
+}
+
+/*
+  append a value to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_value(struct ldb_message *msg,
+			       const char *attr_name,
+			       struct ldb_val *val,
+			       int flags)
+{
+	int ret;
+	struct ldb_message_element *el = NULL;
+
+	ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
+	if (ret == LDB_SUCCESS) {
+		talloc_steal(el->values, val->data);
+	}
+	return ret;
+}
+
+/*
+  append a string element to a message, stealing it into the 'right' place
+*/
+int ldb_msg_append_steal_string(struct ldb_message *msg,
+				const char *attr_name, char *str,
+				int flags)
+{
+	struct ldb_val val;
+
+	val.data = (uint8_t *)str;
+	val.length = strlen(str);
+
+	if (val.length == 0) {
+		/* allow empty strings as non-existent attributes */
+		return LDB_SUCCESS;
+	}
+
+	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
+/*
+  append a string element to a message
+*/
+int ldb_msg_append_string(struct ldb_message *msg,
+			  const char *attr_name, const char *str, int flags)
+{
+	struct ldb_val val;
+
+	val.data = discard_const_p(uint8_t, str);
+	val.length = strlen(str);
+
+	if (val.length == 0) {
+		/* allow empty strings as non-existent attributes */
+		return LDB_SUCCESS;
+	}
+
+	return ldb_msg_append_value(msg, attr_name, &val, flags);
+}
+
+/*
+  append a DN element to a message
+  WARNING: this uses the linearized string from the dn, and does not
+  copy the string.
+*/
+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
+				 struct ldb_dn *dn, int flags)
+{
+	char *str = ldb_dn_alloc_linearized(msg, dn);
+
+	if (str == NULL) {
+		/* we don't want to have unknown DNs added */
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return ldb_msg_append_steal_string(msg, attr_name, str, flags);
+}
+
+/*
+  append a printf formatted element to a message
+*/
+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
+		       const char *attr_name, const char *fmt, ...)
+{
+	struct ldb_val val;
+	va_list ap;
+	char *str = NULL;
+
+	va_start(ap, fmt);
+	str = talloc_vasprintf(msg, fmt, ap);
+	va_end(ap);
+
+	if (str == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	val.data   = (uint8_t *)str;
+	val.length = strlen(str);
+
+	return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
+}
+
 /*
   compare two ldb_message_element structures
   assumes case sensitive comparison
@@ -833,11 +1026,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
 		       ldb_msg_element_compare_name);
 }
 
-/*
-  shallow copy a message - copying only the elements array so that the caller
-  can safely add new elements without changing the message
-*/
-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
 					 const struct ldb_message *msg)
 {
 	struct ldb_message *msg2;
@@ -863,6 +1052,35 @@ failed:
 	return NULL;
 }
 
+/*
+  shallow copy a message - copying only the elements array so that the caller
+  can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+					 const struct ldb_message *msg)
+{
+	struct ldb_message *msg2;
+	unsigned int i;
+
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+	if (msg2 == NULL) {
+		return NULL;
+	}
+
+	for (i = 0; i < msg2->num_elements; ++i) {
+		/*
+		 * Mark this message's elements as sharing their values with the
+		 * original message, so that we don't inadvertently modify or
+		 * free them. We don't mark the original message element as
+		 * shared, so the original message element should not be
+		 * modified or freed while the shallow copy lives.
+		 */
+		struct ldb_message_element *el = &msg2->elements[i];
+		el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
+	}
+
+        return msg2;
+}
 
 /*
   copy a message, allocating new memory for all parts
@@ -873,7 +1091,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	struct ldb_message *msg2;
 	unsigned int i, j;
 
-	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
 	if (msg2->dn != NULL) {
@@ -894,6 +1112,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 				goto failed;
 			}
 		}
+
+                /*
+                 * Since we copied this element's values, we can mark them as
+                 * not shared.
+		 */
+		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
 	}
 
 	return msg2;
diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h
index bc44157eaf4..63d8aedd672 100644
--- a/lib/ldb/include/ldb.h
+++ b/lib/ldb/include/ldb.h
@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg,
 		int flags,
 		struct ldb_message_element **return_el);
 
+/**
+   add a value to a message element
+*/
+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
+			      struct ldb_message_element *el,
+			      const struct ldb_val *val);
 /**
    add a element to a ldb_message
 */
@@ -1996,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
 		      struct ldb_val *val);
 int ldb_msg_add_steal_string(struct ldb_message *msg,
 			     const char *attr_name, char *str);
+int ldb_msg_add_string_flags(struct ldb_message *msg,
+			     const char *attr_name, const char *str,
+			     int flags);
 int ldb_msg_add_string(struct ldb_message *msg,
 		       const char *attr_name, const char *str);
 int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name,
 			      struct ldb_dn *dn);
 int ldb_msg_add_fmt(struct ldb_message *msg,
 		    const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
+/**
+   append a element to a ldb_message
+*/
+int ldb_msg_append_value(struct ldb_message *msg,
+			 const char *attr_name,
+			 const struct ldb_val *val,
+			 int flags);
+int ldb_msg_append_steal_value(struct ldb_message *msg,
+			       const char *attr_name,
+			       struct ldb_val *val,
+			       int flags);
+int ldb_msg_append_steal_string(struct ldb_message *msg,
+				const char *attr_name, char *str,
+				int flags);
+int ldb_msg_append_string(struct ldb_message *msg,
+			  const char *attr_name, const char *str,
+			  int flags);
+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
+				 struct ldb_dn *dn, int flags);
+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
+		       const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5);
 
 /**
    compare two message elements - return 0 on match
diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h
index 8c1e5ee7936..4c7c85a17f0 100644
--- a/lib/ldb/include/ldb_module.h
+++ b/lib/ldb/include/ldb_module.h
@@ -96,6 +96,12 @@ struct ldb_module;
  */
 #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
 
+/*
+ * indicates that this element's values are shared with another element (for
+ * example, in a shallow copy of an ldb_message) and should not be freed
+ */
+#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
+
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
 
diff --git a/lib/ldb/ldb_map/ldb_map.c b/lib/ldb/ldb_map/ldb_map.c
index b453dff80d2..c7b0c228631 100644
--- a/lib/ldb/ldb_map/ldb_map.c
+++ b/lib/ldb/ldb_map/ldb_map.c
@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac,
 	if ( ! dn || ! ldb_dn_validate(msg->dn)) {
 		goto failed;
 	}
-	if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-		goto failed;
-	}
-	if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
+	if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) {
 		goto failed;
 	}
 
diff --git a/lib/ldb/ldb_map/ldb_map_inbound.c b/lib/ldb/ldb_map/ldb_map_inbound.c
index 324295737da..50b9427c26c 100644


-- 
Samba Shared Repository



More information about the samba-cvs mailing list