[SCM] Samba Shared Repository - branch v4-16-stable updated

Jule Anger janger at samba.org
Tue Mar 8 14:57:22 UTC 2022


The branch, v4-16-stable has been updated
       via  3a2c1b12f84 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc5 release.
       via  c3ee2db15a8 WHATSNEW: Add release notes for Samba 4.16.0rc5.
       via  4b6a6af868c s4:kdc: redirect pre-authentication failures to an RWDC
       via  b8e20583b05 s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t
       via  302f9acb4a0 third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
       via  9df5283f3d9 s3:utils: assign ids to struct to list shares correctly
       via  364b16068b1 s3:tests: Add a test to check the output of smbstatus.
       via  de8fc990b21 s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.
       via  7995e03b39e s4: torture: Add new SMB2 lease test test_lease_duplicate_open().
       via  423bbea002e s4: torture: Add new SMB2 lease test test_lease_duplicate_create().
       via  5caac70d8d4 s3:trusts_utils: use a password length of 120 for machine accounts
       via  a31721982fe upgradehelpers.py: add a comment to update_krbtgt_account_password()
       via  8c9bb2cafd6 provision: add a comment that the value of krbtgtpass is ignored in the backend
       via  66d8622b646 upgradehelpers.py: let update_machine_account_password() use 120 character passwords
       via  4872e1af2c1 provision: use 120 characters for the dns account password
       via  e13a72df5f2 samba-tool/join_member: let py_net_join_member() choose the password
       via  ac61afa5022 s3:py_net: allow machinepass=None to py_net_join_member()
       via  c240b977dbe s4/auth/simple_bind: correctly report TLS state
       via  5dee3a6834c pytest:auth_log: expect TLS connections when using ldaps
       via  5b6ca18e020 s4:kdc: hdb_samba4_audit() is only called once per request
       via  794c717ba75 s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
       via  71912b630e9 s4:kdc: Adapt to removal of publicly accessible request structure members
       via  12a61bb7416 s4:kdc: Adapt to hdb_entry_ex removal
       via  f90e729e01e s4:kdc: Increment plugin minor version
       via  8ae5ce46e57 third_party/heimdal_build: Don't generate .x source files
       via  5493c1a5df6 s4:kdc: Explicitly set plugin minor version
       via  0918e692fac third_party/heimdal_build: Add SFU source file
       via  b6e2028f277 s4:kdc: Adapt to removal of auth audit event types
       via  9e763005266 s4:kdc: Rename windc to kdc plugin
       via  b88d8924980 s4:kdc: Add referral policy callback
       via  cef9e6f8514 s4:kdc: Add 'not authorised' auth events
       via  115d8e493fe s4:kdc: Adapt to removal of auth event details
       via  9627ee616b5 s4:kdc: Refactor HDB API
       via  26880578a5f third_party/heimdal_build: Add source files to build
       via  e26fbf420e4 third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
       via  c9a77ff43e0 third_party/heimdal_build: Define fallthrough macro for switch statements
       via  947ad1581a6 third_party/heimdal_build: Determine whether time_t is signed
       via  97011aa3ce1 s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer()
       via  77ed10e2ff8 third_party/heimdal_build: Add KDC_LIB macro definitions
       via  635c8b730f7 auth: Cope with NULL upn_name in PAC
       via  b668c076722 s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
       via  9fd10105530 smbd: Fix a use-after-free
       via  91c7a2cb662 VERSION: Bump version up to Samba 4.16.0rc5...
      from  3b4041236d1 VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable


Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   33 +-
 auth/auth_sam_reply.c                              |   12 +-
 buildtools/wafsamba/samba_autoconf.py              |   17 +
 python/samba/netcmd/domain.py                      |    2 -
 python/samba/provision/__init__.py                 |    5 +-
 python/samba/tests/auth_log.py                     |    8 +-
 python/samba/upgradehelpers.py                     |   11 +-
 selftest/knownfail                                 |    1 -
 source3/libsmb/trusts_util.c                       |   14 +-
 source3/script/tests/test_smbstatus.sh             |   98 ++
 source3/smbd/filename.c                            |    7 +
 source3/smbd/open.c                                |   38 +-
 source3/utils/conn_tdb.c                           |    2 +
 source3/utils/py_net.c                             |    2 +-
 source4/auth/ntlm/auth_simple.c                    |    4 +-
 source4/auth/sam.c                                 |   19 +-
 source4/dsdb/tests/python/rodc_rwdc.py             |    3 +-
 source4/kdc/hdb-samba4.c                           |  258 ++--
 source4/kdc/kdc-glue.c                             |    4 +-
 source4/kdc/kdc-glue.h                             |    4 +-
 source4/kdc/kdc-heimdal.c                          |   22 +-
 source4/kdc/pac-glue.c                             |    5 +-
 source4/kdc/sdb_to_hdb.c                           |   26 +-
 source4/kdc/wdc-samba4.c                           |  104 +-
 source4/kdc/wscript_build                          |    2 +-
 source4/torture/smb2/lease.c                       |  124 ++
 third_party/heimdal/.github/workflows/build.yml    |   67 -
 third_party/heimdal/.gitignore                     |  236 +++-
 third_party/heimdal/Makefile.am                    |    1 -
 third_party/heimdal/README.md                      |    9 +-
 third_party/heimdal/admin/change.c                 |    1 -
 third_party/heimdal/appl/afsutil/afslog.c          |    2 +-
 third_party/heimdal/appl/gssmask/gssmask.c         |    2 +
 third_party/heimdal/appl/kf/kf.c                   |    4 +-
 third_party/heimdal/appl/otp/otp.c                 |   12 +-
 third_party/heimdal/appl/test/gssapi_server.c      |   23 +-
 third_party/heimdal/appl/test/uu_server.c          |    7 +
 third_party/heimdal/appveyor.yml                   |   72 +-
 third_party/heimdal/cf/Makefile.am.common          |   19 +-
 third_party/heimdal/cf/ax_check_sign.m4            |   54 +
 third_party/heimdal/cf/check-compile-flag.m4       |   53 +
 third_party/heimdal/cf/db.m4                       |    6 +-
 third_party/heimdal/cf/krb-prog-yacc.m4            |   12 +-
 third_party/heimdal/cf/roken-frag.m4               |    6 -
 third_party/heimdal/configure.ac                   |   38 +-
 third_party/heimdal/import-lorikeet.sh             |   22 +-
 third_party/heimdal/include/Makefile.am            |   33 +-
 third_party/heimdal/include/bits.c                 |   51 +-
 third_party/heimdal/include/config.h.w32           |   37 +-
 third_party/heimdal/kadmin/add-random-users.c      |    2 +-
 third_party/heimdal/kadmin/add_enctype.c           |    4 +-
 third_party/heimdal/kadmin/ank.c                   |   40 +-
 third_party/heimdal/kadmin/cpw.c                   |   16 +-
 third_party/heimdal/kadmin/del.c                   |   12 +-
 third_party/heimdal/kadmin/ext.c                   |    2 +-
 third_party/heimdal/kadmin/get.c                   |    2 +
 third_party/heimdal/kadmin/init.c                  |  202 ++-
 third_party/heimdal/kadmin/kadm_conn.c             |    9 +-
 third_party/heimdal/kadmin/kadmin.1                |   33 +-
 third_party/heimdal/kadmin/kadmind.c               |    2 +
 third_party/heimdal/kadmin/load.c                  |   54 +-
 third_party/heimdal/kadmin/mod.c                   |   15 +-
 third_party/heimdal/kadmin/rpc.c                   |    4 +-
 third_party/heimdal/kadmin/server.c                |  315 ++---
 third_party/heimdal/kadmin/stash.c                 |    5 +-
 third_party/heimdal/kcm/cache.c                    |   10 +-
 third_party/heimdal/kcm/client.c                   |   37 +
 third_party/heimdal/kcm/glue.c                     |    2 +-
 third_party/heimdal/kcm/protocol.c                 |   24 +-
 third_party/heimdal/kdc/Makefile.am                |   14 +-
 third_party/heimdal/kdc/NTMakefile                 |   18 +-
 .../heimdal/kdc/altsecid_gss_preauth_authorizer.c  |   85 +-
 third_party/heimdal/kdc/bx509d.c                   |  170 ++-
 third_party/heimdal/kdc/ca.c                       |    4 +-
 third_party/heimdal/kdc/cjwt_token_validator.c     |    9 +-
 third_party/heimdal/kdc/config.c                   |    2 +-
 third_party/heimdal/kdc/connect.c                  |   19 +-
 third_party/heimdal/kdc/csr_authorizer.c           |    2 +-
 third_party/heimdal/kdc/default_config.c           |    5 +-
 third_party/heimdal/kdc/digest-service.c           |    9 +-
 third_party/heimdal/kdc/digest.c                   |   46 +-
 third_party/heimdal/kdc/fast.c                     |   55 +-
 third_party/heimdal/kdc/gss_preauth.c              |   78 +-
 .../heimdal/kdc/gss_preauth_authorizer_plugin.h    |    6 +-
 third_party/heimdal/kdc/headers.h                  |    3 +-
 third_party/heimdal/kdc/hprop.8                    |    1 -
 third_party/heimdal/kdc/hprop.c                    |   23 +-
 third_party/heimdal/kdc/hprop.h                    |   18 +-
 third_party/heimdal/kdc/hpropd.8                   |    3 -
 third_party/heimdal/kdc/hpropd.c                   |   11 +-
 third_party/heimdal/kdc/httpkadmind.c              |   73 +-
 third_party/heimdal/kdc/ipc_csr_authorizer.c       |   20 +-
 third_party/heimdal/kdc/kdc-accessors.h            |  369 ++++++
 .../gssapi/mech/mech_locl.h => kdc/kdc-audit.h}    |   71 +-
 third_party/heimdal/kdc/kdc-plugin.c               |  654 ++++++++++
 third_party/heimdal/kdc/kdc-plugin.h               |  134 ++
 third_party/heimdal/kdc/kdc-replay.c               |    2 +
 third_party/heimdal/kdc/kdc.h                      |  168 +--
 third_party/heimdal/kdc/kdc_locl.h                 |  114 +-
 third_party/heimdal/kdc/kerberos5.c                |  704 +++++------
 third_party/heimdal/kdc/krb5tgs.c                  |  965 +++++----------
 third_party/heimdal/kdc/kstash.c                   |    2 +
 third_party/heimdal/kdc/kx509.c                    |  130 +-
 third_party/heimdal/kdc/libkdc-exports.def         |   86 +-
 third_party/heimdal/kdc/log.c                      |   10 +-
 third_party/heimdal/kdc/misc.c                     |  103 +-
 third_party/heimdal/kdc/mit_dump.c                 |    6 +-
 third_party/heimdal/kdc/mssfu.c                    |  567 +++++++++
 .../heimdal/kdc/negotiate_token_validator.c        |    2 -
 third_party/heimdal/kdc/pkinit.c                   |   30 +-
 third_party/heimdal/kdc/process.c                  |  204 +++-
 third_party/heimdal/kdc/rx.h                       |   79 --
 third_party/heimdal/kdc/set_dbinfo.c               |    2 +-
 third_party/heimdal/kdc/simple_csr_authorizer.c    |   24 +-
 third_party/heimdal/kdc/string2key.c               |    6 +-
 third_party/heimdal/kdc/test_kdc_ca.c              |    5 +-
 third_party/heimdal/kdc/token_validator.c          |    2 +-
 third_party/heimdal/kdc/version-script.map         |   81 +-
 third_party/heimdal/kdc/windc.c                    |  252 ----
 third_party/heimdal/kdc/windc_plugin.h             |   92 --
 third_party/heimdal/kpasswd/kpasswdd.c             |    2 +
 third_party/heimdal/kuser/generate-requests.c      |    2 +-
 third_party/heimdal/kuser/kgetcred.c               |    3 +
 third_party/heimdal/kuser/kimpersonate.c           |   27 +-
 third_party/heimdal/kuser/kinit.c                  |   34 +-
 third_party/heimdal/kuser/klist.c                  |   15 +-
 third_party/heimdal/kuser/kswitch.c                |    5 +-
 third_party/heimdal/kuser/kuser_locl.h             |    4 +
 third_party/heimdal/lib/asn1/MANUAL.md             | 1287 ++++++++++++++++++++
 third_party/heimdal/lib/asn1/Makefile.am           |  361 +++---
 third_party/heimdal/lib/asn1/NTMakefile            |  281 +++--
 third_party/heimdal/lib/asn1/README.md             |  326 +++--
 third_party/heimdal/lib/asn1/asn1-template.h       |   75 +-
 third_party/heimdal/lib/asn1/asn1_compile.1        |  263 +++-
 third_party/heimdal/lib/asn1/asn1_print.c          |   32 +-
 third_party/heimdal/lib/asn1/asn1parse.y           |  141 ++-
 third_party/heimdal/lib/asn1/check-common.h        |    3 +-
 third_party/heimdal/lib/asn1/check-der.c           |    2 +
 third_party/heimdal/lib/asn1/check-gen.c           |  144 ++-
 third_party/heimdal/lib/asn1/check-gen.h           |    9 +
 third_party/heimdal/lib/asn1/check-template.c      |   13 +
 third_party/heimdal/lib/asn1/der_copy.c            |  103 +-
 third_party/heimdal/lib/asn1/der_get.c             |   92 +-
 third_party/heimdal/lib/asn1/der_put.c             |   68 +-
 third_party/heimdal/lib/asn1/extra.c               |    8 +-
 third_party/heimdal/lib/asn1/gen.c                 |  186 ++-
 third_party/heimdal/lib/asn1/gen_copy.c            |   47 +-
 third_party/heimdal/lib/asn1/gen_decode.c          |    6 +-
 third_party/heimdal/lib/asn1/gen_encode.c          |   29 +-
 third_party/heimdal/lib/asn1/gen_free.c            |   55 +-
 third_party/heimdal/lib/asn1/gen_glue.c            |   11 +-
 third_party/heimdal/lib/asn1/gen_locl.h            |   17 +-
 third_party/heimdal/lib/asn1/gen_template.c        |  172 ++-
 third_party/heimdal/lib/asn1/krb5.asn1             |  100 +-
 third_party/heimdal/lib/asn1/krb5.opt              |    2 +
 third_party/heimdal/lib/asn1/libasn1-exports.def   |   31 +
 third_party/heimdal/lib/asn1/main.c                |  240 +++-
 third_party/heimdal/lib/asn1/oid_resolution.c      |   75 +-
 third_party/heimdal/lib/asn1/symbol.h              |    5 +-
 third_party/heimdal/lib/asn1/template.c            |   56 +-
 third_party/heimdal/lib/asn1/test.asn1             |   12 +-
 third_party/heimdal/lib/asn1/test.opt              |    6 +
 third_party/heimdal/lib/base/array.c               |    4 +-
 third_party/heimdal/lib/base/bsearch.c             |   24 +-
 third_party/heimdal/lib/base/data.c                |    9 +-
 third_party/heimdal/lib/base/db.c                  |   24 +-
 third_party/heimdal/lib/base/dict.c                |    8 +-
 third_party/heimdal/lib/base/dll.c                 |    3 +-
 third_party/heimdal/lib/base/error.c               |    4 +-
 third_party/heimdal/lib/base/error_string.c        |    7 +-
 third_party/heimdal/lib/base/expand_path.c         |   58 +-
 third_party/heimdal/lib/base/heimbase-svc.h        |    8 +-
 third_party/heimdal/lib/base/heimbase.c            |   35 +-
 third_party/heimdal/lib/base/heimbase.h            |    9 +-
 third_party/heimdal/lib/base/heimbasepriv.h        |    3 +-
 third_party/heimdal/lib/base/log.c                 |  363 ++++--
 third_party/heimdal/lib/base/number.c              |   22 +-
 third_party/heimdal/lib/base/plugin.c              |   16 +-
 third_party/heimdal/lib/base/string.c              |    6 +-
 third_party/heimdal/lib/base/test_base.c           |    6 +-
 third_party/heimdal/lib/base/version-script.map    |    7 +
 third_party/heimdal/lib/com_err/Makefile.am        |    2 +-
 third_party/heimdal/lib/gss_preauth/pa_client.c    |    3 +-
 third_party/heimdal/lib/gss_preauth/pa_common.c    |    5 -
 third_party/heimdal/lib/gssapi/Makefile.am         |   55 +-
 third_party/heimdal/lib/gssapi/NTMakefile          |   38 +-
 third_party/heimdal/lib/gssapi/gss-token.c         |   11 +-
 third_party/heimdal/lib/gssapi/gssapi/gssapi.h     |   16 +-
 .../heimdal/lib/gssapi/gssapi/gssapi_krb5.h        |    2 +
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c   |  140 +--
 third_party/heimdal/lib/gssapi/krb5/acquire_cred.c |   52 +-
 third_party/heimdal/lib/gssapi/krb5/arcfour.c      |   13 +-
 third_party/heimdal/lib/gssapi/krb5/copy_ccache.c  |    5 +-
 .../heimdal/lib/gssapi/krb5/export_sec_context.c   |    2 +-
 third_party/heimdal/lib/gssapi/krb5/external.c     |   19 +-
 third_party/heimdal/lib/gssapi/krb5/import_name.c  |   35 +-
 .../heimdal/lib/gssapi/krb5/init_sec_context.c     |   41 +-
 third_party/heimdal/lib/gssapi/krb5/name_attrs.c   | 1171 ++++++++++++++++++
 third_party/heimdal/lib/gssapi/krb5/store_cred.c   |    5 +-
 third_party/heimdal/lib/gssapi/krb5/test_kcred.c   |    6 +-
 .../heimdal/lib/gssapi/libgssapi-exports.def       |    2 +-
 .../heimdal/lib/gssapi/mech/gss_compare_name.c     |   10 +-
 third_party/heimdal/lib/gssapi/mech/gss_cred.c     |    6 +-
 .../lib/gssapi/mech/gss_export_sec_context.c       |    4 +
 .../heimdal/lib/gssapi/mech/gss_import_name.c      |   82 +-
 .../lib/gssapi/mech/gss_import_sec_context.c       |    6 +-
 third_party/heimdal/lib/gssapi/mech/gss_krb5.c     |    7 +-
 .../heimdal/lib/gssapi/mech/gss_mech_switch.c      |   47 +-
 .../heimdal/lib/gssapi/mech/gss_pname_to_uid.c     |    4 +
 third_party/heimdal/lib/gssapi/mech/mech_locl.h    |   11 +-
 .../heimdal/lib/gssapi/ntlm/accept_sec_context.c   |    2 +
 third_party/heimdal/lib/gssapi/ntlm/creds.c        |    4 -
 third_party/heimdal/lib/gssapi/ntlm/crypto.c       |    5 +-
 .../heimdal/lib/gssapi/ntlm/delete_sec_context.c   |    6 +
 .../heimdal/lib/gssapi/ntlm/init_sec_context.c     |   22 +-
 third_party/heimdal/lib/gssapi/ntlm/kdc.c          |    1 +
 third_party/heimdal/lib/gssapi/sanon/import_name.c |   25 +-
 .../heimdal/lib/gssapi/spnego/accept_sec_context.c |    1 +
 third_party/heimdal/lib/gssapi/spnego/negoex_ctx.c |   28 +-
 third_party/heimdal/lib/gssapi/test_context.c      |  168 ++-
 third_party/heimdal/lib/gssapi/test_kcred.c        |   18 +-
 third_party/heimdal/lib/gssapi/test_names.c        |  464 ++++++-
 third_party/heimdal/lib/gssapi/version-script.map  |    2 +-
 third_party/heimdal/lib/hcrypto/Makefile.am        |   27 +-
 third_party/heimdal/lib/hcrypto/bn.c               |    8 +-
 third_party/heimdal/lib/hcrypto/des.c              |    1 +
 third_party/heimdal/lib/hcrypto/dh-ltm.c           |   57 +-
 third_party/heimdal/lib/hcrypto/dh.c               |    2 +-
 third_party/heimdal/lib/hcrypto/engine.c           |   35 +-
 third_party/heimdal/lib/hcrypto/evp.c              |    9 +-
 third_party/heimdal/lib/hcrypto/hmac.c             |   28 +-
 third_party/heimdal/lib/hcrypto/hmac.h             |    2 +-
 .../lib/hcrypto/libtommath/bn_mp_set_double.c      |    2 +-
 .../lib/hcrypto/libtommath/bn_s_mp_rand_platform.c |    2 +-
 .../heimdal/lib/hcrypto/libtommath/demo/test.c     |    2 +-
 .../heimdal/lib/hcrypto/libtommath/etc/tune.c      |    2 +-
 third_party/heimdal/lib/hcrypto/rsa-ltm.c          |    7 +-
 third_party/heimdal/lib/hcrypto/rsa.c              |    7 +-
 third_party/heimdal/lib/hcrypto/test_hmac.c        |    6 +-
 third_party/heimdal/lib/hcrypto/validate.c         |    3 +-
 third_party/heimdal/lib/hdb/Makefile.am            |   67 +-
 third_party/heimdal/lib/hdb/NTMakefile             |   12 +-
 third_party/heimdal/lib/hdb/common.c               |  375 ++++--
 third_party/heimdal/lib/hdb/db.c                   |   22 +-
 third_party/heimdal/lib/hdb/db3.c                  |   22 +-
 third_party/heimdal/lib/hdb/ext.c                  |    4 +-
 third_party/heimdal/lib/hdb/hdb-keytab.c           |   22 +-
 third_party/heimdal/lib/hdb/hdb-ldap.c             |  363 +++---
 third_party/heimdal/lib/hdb/hdb-mdb.c              |   22 +-
 third_party/heimdal/lib/hdb/hdb-mitdb.c            |   89 +-
 third_party/heimdal/lib/hdb/hdb-sqlite.c           |   39 +-
 third_party/heimdal/lib/hdb/hdb.asn1               |    2 +-
 third_party/heimdal/lib/hdb/hdb.c                  |   98 +-
 third_party/heimdal/lib/hdb/hdb.h                  |  175 +--
 third_party/heimdal/lib/hdb/hdb.opt                |    5 +
 third_party/heimdal/lib/hdb/keys.c                 |    2 +-
 third_party/heimdal/lib/hdb/keytab.c               |   50 +-
 third_party/heimdal/lib/hdb/libhdb-exports.def     |    1 -
 third_party/heimdal/lib/hdb/ndbm.c                 |   53 +-
 third_party/heimdal/lib/hdb/print.c                |   20 +-
 third_party/heimdal/lib/hdb/test_concurrency.c     |   58 +-
 third_party/heimdal/lib/hdb/test_namespace.c       |  162 ++-
 third_party/heimdal/lib/hdb/version-script.map     |    1 -
 third_party/heimdal/lib/hx509/Makefile.am          |    3 +-
 third_party/heimdal/lib/hx509/ca.c                 |   21 +-
 third_party/heimdal/lib/hx509/cert.c               |   42 +-
 third_party/heimdal/lib/hx509/cms.c                |    6 +-
 third_party/heimdal/lib/hx509/collector.c          |    3 +-
 third_party/heimdal/lib/hx509/crypto.c             |    4 +
 third_party/heimdal/lib/hx509/error.c              |   66 +-
 third_party/heimdal/lib/hx509/file.c               |   12 +-
 third_party/heimdal/lib/hx509/hxtool.c             |   28 +-
 third_party/heimdal/lib/hx509/keyset.c             |    5 +-
 third_party/heimdal/lib/hx509/ks_file.c            |   29 +-
 third_party/heimdal/lib/hx509/name.c               |   71 +-
 third_party/heimdal/lib/hx509/print.c              |    5 +
 third_party/heimdal/lib/hx509/req.c                |   22 +-
 third_party/heimdal/lib/hx509/revoke.c             |    4 +
 third_party/heimdal/lib/hx509/sel-gram.y           |    4 +
 third_party/heimdal/lib/hx509/softp11.c            |    8 +-
 third_party/heimdal/lib/ipc/Makefile.am            |    4 +
 third_party/heimdal/lib/ipc/server.c               |   15 +-
 third_party/heimdal/lib/kadm5/ad.c                 |    2 +
 third_party/heimdal/lib/kadm5/chpass_s.c           |   56 +-
 third_party/heimdal/lib/kadm5/context_s.c          |   16 +-
 third_party/heimdal/lib/kadm5/create_s.c           |   32 +-
 third_party/heimdal/lib/kadm5/delete_s.c           |    8 +-
 third_party/heimdal/lib/kadm5/ent_setup.c          |   78 +-
 third_party/heimdal/lib/kadm5/get_princs_s.c       |    8 +-
 third_party/heimdal/lib/kadm5/get_s.c              |  143 +--
 third_party/heimdal/lib/kadm5/init_c.c             |   12 +-
 third_party/heimdal/lib/kadm5/init_s.c             |    6 +-
 third_party/heimdal/lib/kadm5/iprop-log.c          |   67 +-
 third_party/heimdal/lib/kadm5/ipropd_common.c      |    1 +
 third_party/heimdal/lib/kadm5/ipropd_master.c      |   31 +-
 third_party/heimdal/lib/kadm5/ipropd_slave.c       |    8 +-
 third_party/heimdal/lib/kadm5/log.c                |  172 ++-
 third_party/heimdal/lib/kadm5/marshall.c           |  254 ++--
 third_party/heimdal/lib/kadm5/modify_s.c           |   12 +-
 third_party/heimdal/lib/kadm5/prune_s.c            |   10 +-
 third_party/heimdal/lib/kadm5/randkey_c.c          |    2 +-
 third_party/heimdal/lib/kadm5/randkey_s.c          |   26 +-
 third_party/heimdal/lib/kadm5/rename_s.c           |   32 +-
 third_party/heimdal/lib/kadm5/set_keys.c           |    2 +
 third_party/heimdal/lib/kadm5/setkey3_s.c          |   28 +-
 third_party/heimdal/lib/kafs/Makefile.am           |    2 +
 third_party/heimdal/lib/kafs/afskrb5.c             |    2 -
 third_party/heimdal/lib/kafs/afssys.c              |    2 +
 third_party/heimdal/lib/kafs/rxkad_kdf.c           |    8 +-
 third_party/heimdal/lib/krb5/Makefile.am           |    4 +-
 third_party/heimdal/lib/krb5/NTMakefile            |    2 +
 third_party/heimdal/lib/krb5/acache.c              |   27 +-
 third_party/heimdal/lib/krb5/acl.c                 |    2 +-
 third_party/heimdal/lib/krb5/addr_families.c       |   19 +-
 third_party/heimdal/lib/krb5/aes-test.c            |   22 +-
 third_party/heimdal/lib/krb5/asn1_glue.c           |   94 +-
 third_party/heimdal/lib/krb5/auth_context.c        |    5 +-
 third_party/heimdal/lib/krb5/cache.c               |   25 +-
 third_party/heimdal/lib/krb5/context.c             |   15 +-
 third_party/heimdal/lib/krb5/crypto-evp.c          |    7 +-
 third_party/heimdal/lib/krb5/crypto.c              |    7 +-
 third_party/heimdal/lib/krb5/data.c                |    7 +-
 third_party/heimdal/lib/krb5/dcache.c              |   14 +-
 third_party/heimdal/lib/krb5/deprecated.c          |   10 +-
 third_party/heimdal/lib/krb5/enomem.c              |    2 +-
 third_party/heimdal/lib/krb5/error_string.c        |   19 +-
 third_party/heimdal/lib/krb5/expand_path.c         |    4 +-
 third_party/heimdal/lib/krb5/fast.c                |   13 +-
 third_party/heimdal/lib/krb5/fcache.c              |   15 +-
 third_party/heimdal/lib/krb5/generate_subkey.c     |    2 +-
 third_party/heimdal/lib/krb5/get_cred.c            |   54 +-
 third_party/heimdal/lib/krb5/get_in_tkt.c          |    2 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c       |  147 +--
 third_party/heimdal/lib/krb5/kcm.c                 |  267 +++-
 third_party/heimdal/lib/krb5/keytab.c              |   68 +-
 third_party/heimdal/lib/krb5/keytab_file.c         |    3 +-
 third_party/heimdal/lib/krb5/keytab_keyfile.c      |    2 +-
 third_party/heimdal/lib/krb5/krb5.conf.5           |    6 -
 third_party/heimdal/lib/krb5/krb5.h                |  120 +-
 third_party/heimdal/lib/krb5/krb5_locl.h           |    2 +
 third_party/heimdal/lib/krb5/krbhst-test.c         |   17 +-
 third_party/heimdal/lib/krb5/krbhst.c              |   24 +-
 third_party/heimdal/lib/krb5/krcache.c             |   31 +-
 third_party/heimdal/lib/krb5/kx509.c               |   62 +-
 .../heimdal/lib/krb5/libkrb5-exports.def.in        |    7 +
 third_party/heimdal/lib/krb5/mcache.c              |    4 +-
 third_party/heimdal/lib/krb5/mk_cred.c             |   15 +-
 third_party/heimdal/lib/krb5/pac.c                 |  137 ++-
 third_party/heimdal/lib/krb5/pkinit.c              |   21 +-
 third_party/heimdal/lib/krb5/principal.c           |   42 +-
 third_party/heimdal/lib/krb5/rd_cred.c             |    2 +-
 third_party/heimdal/lib/krb5/rd_req.c              |   66 +-
 third_party/heimdal/lib/krb5/replay.c              |    4 +-
 third_party/heimdal/lib/krb5/salt-arcfour.c        |    6 +-
 third_party/heimdal/lib/krb5/scache.c              |   91 +-
 third_party/heimdal/lib/krb5/send_to_kdc.c         |   14 +-
 third_party/heimdal/lib/krb5/sp800-108-kdf.c       |    5 +-
 third_party/heimdal/lib/krb5/store.c               |   24 +-
 third_party/heimdal/lib/krb5/store_emem.c          |   25 +-
 third_party/heimdal/lib/krb5/store_stdio.c         |    2 +
 third_party/heimdal/lib/krb5/test_alname.c         |    2 +-
 third_party/heimdal/lib/krb5/test_ap-req.c         |    1 +
 third_party/heimdal/lib/krb5/test_cc.c             |   10 +-
 third_party/heimdal/lib/krb5/test_hostname.c       |    4 +-
 third_party/heimdal/lib/krb5/test_rfc3961.c        |    1 +
 third_party/heimdal/lib/krb5/test_set_kvno0.c      |    5 +-
 third_party/heimdal/lib/krb5/ticket.c              |   91 +-
 third_party/heimdal/lib/krb5/transited.c           |   19 +-
 third_party/heimdal/lib/krb5/verify_user.c         |   13 +-
 third_party/heimdal/lib/krb5/version-script.map    |    7 +
 third_party/heimdal/lib/ntlm/digest.c              |    2 +-
 third_party/heimdal/lib/ntlm/ntlm.c                |   75 +-
 third_party/heimdal/lib/otp/otp_md.c               |    4 +-
 third_party/heimdal/lib/roken/Makefile.am          |    6 +-
 third_party/heimdal/lib/roken/base32-test.c        |    3 +-
 third_party/heimdal/lib/roken/base32.c             |   12 +-
 third_party/heimdal/lib/roken/base64-test.c        |    3 +-
 third_party/heimdal/lib/roken/base64.c             |    4 +-
 third_party/heimdal/lib/roken/copyhostent.c        |    3 +-
 third_party/heimdal/lib/roken/detach.c             |    3 +-
 third_party/heimdal/lib/roken/dirent-test.c        |    6 +-
 third_party/heimdal/lib/roken/environment.c        |   15 +-
 third_party/heimdal/lib/roken/fnmatch.c            |    2 +-
 third_party/heimdal/lib/roken/freeaddrinfo.c       |    2 +-
 third_party/heimdal/lib/roken/freehostent.c        |    2 +-
 third_party/heimdal/lib/roken/getaddrinfo.c        |   10 +-
 third_party/heimdal/lib/roken/getcap.c             |  996 ---------------
 third_party/heimdal/lib/roken/getipnodebyaddr.c    |    2 +-
 third_party/heimdal/lib/roken/getipnodebyname.c    |    2 +-
 third_party/heimdal/lib/roken/getnameinfo.c        |    8 +-
 third_party/heimdal/lib/roken/getuserinfo.c        |   30 +-
 third_party/heimdal/lib/roken/hex-test.c           |   35 +-
 third_party/heimdal/lib/roken/hex.c                |   28 +-
 third_party/heimdal/lib/roken/mergesort_r.c        |    4 +-
 third_party/heimdal/lib/roken/ndbm_wrap.c          |    2 +
 third_party/heimdal/lib/roken/net_write.c          |    7 +-
 third_party/heimdal/lib/roken/resolve-test.c       |    2 +-
 third_party/heimdal/lib/roken/roken-common.h       |    6 +
 third_party/heimdal/lib/roken/roken.h.in           |   60 +-
 third_party/heimdal/lib/roken/snprintf.c           |    2 +-
 third_party/heimdal/lib/roken/socket.c             |   29 +-
 third_party/heimdal/lib/roken/strftime.c           |    7 +-
 third_party/heimdal/lib/roken/strptime.c           |    2 +-
 third_party/heimdal/lib/roken/strtoll.c            |    3 +
 third_party/heimdal/lib/roken/strtoull.c           |    3 +
 third_party/heimdal/lib/roken/test-getuserinfo.c   |    3 +-
 third_party/heimdal/lib/roken/test-mini_inetd.c    |    2 +-
 third_party/heimdal/lib/roken/timeval.c            |  215 +++-
 third_party/heimdal/lib/roken/version-script.map   |    5 +-
 third_party/heimdal/lib/roken/vis.c                |   17 +-
 third_party/heimdal/lib/sl/Makefile.am             |    2 +-
 third_party/heimdal/lib/sl/sl.c                    |    2 +
 third_party/heimdal/lib/sl/slc-gram.y              |    1 +
 third_party/heimdal/lib/wind/idn-lookup.c          |    6 +-
 third_party/heimdal/lib/wind/utf8.c                |   18 +-
 .../heimdal/packages/windows/installer/NTMakefile  |   33 +-
 .../windows/installer/heimdal-installer.wxs        |   20 +-
 third_party/heimdal/tests/bin/setup-env.in         |    1 +
 third_party/heimdal/tests/gss/Makefile.am          |    2 +
 third_party/heimdal/tests/gss/check-basic.in       |    4 +-
 third_party/heimdal/tests/gss/check-context.in     |   12 +-
 third_party/heimdal/tests/gss/check-gssmask.in     |    4 +-
 third_party/heimdal/tests/gss/check-ntlm.in        |    4 +-
 third_party/heimdal/tests/gss/check-spnego.in      |    4 +-
 third_party/heimdal/tests/gss/krb5.conf.in         |   15 +
 third_party/heimdal/tests/java/check-kinit.in      |    2 +-
 third_party/heimdal/tests/kdc/Makefile.am          |   32 +-
 third_party/heimdal/tests/kdc/check-bx509.in       |    5 +-
 third_party/heimdal/tests/kdc/check-canon.in       |    2 +-
 third_party/heimdal/tests/kdc/check-cc.in          |   47 +-
 third_party/heimdal/tests/kdc/check-delegation.in  |    2 +-
 third_party/heimdal/tests/kdc/check-des.in         |    2 +-
 third_party/heimdal/tests/kdc/check-digest.in      |    2 +-
 third_party/heimdal/tests/kdc/check-fast.in        |    2 +-
 third_party/heimdal/tests/kdc/check-hdb-mitdb.in   |    2 +-
 third_party/heimdal/tests/kdc/check-httpkadmind.in |    2 +-
 third_party/heimdal/tests/kdc/check-iprop.in       |    2 +-
 third_party/heimdal/tests/kdc/check-kadmin.in      |    2 +-
 third_party/heimdal/tests/kdc/check-kdc.in         |    9 +-
 third_party/heimdal/tests/kdc/check-kinit.in       |    2 +-
 third_party/heimdal/tests/kdc/check-kpasswdd.in    |    2 +-
 third_party/heimdal/tests/kdc/check-pkinit.in      |    4 +-
 third_party/heimdal/tests/kdc/check-referral.in    |    2 +-
 third_party/heimdal/tests/kdc/check-tester.in      |    3 +
 third_party/heimdal/tests/kdc/check-uu.in          |    2 +-
 .../tests/kdc/{krb5.conf.in => krb5-kcm.conf.in}   |   18 +-
 third_party/heimdal/tests/kdc/krb5.conf.in         |    3 +
 third_party/heimdal/tests/ldap/check-ldap.in       |    2 +-
 third_party/heimdal/tests/plugin/Makefile.am       |    6 +-
 third_party/heimdal/tests/plugin/check-pac.in      |    6 +-
 third_party/heimdal/tests/plugin/kdc_test_plugin.c |  207 ++++
 third_party/heimdal/tests/plugin/krb5.conf.in      |   15 +
 third_party/heimdal/tests/plugin/windc.c           |  161 ---
 third_party/heimdal/windows/NTMakefile.sdk         |  130 ++
 third_party/heimdal/windows/NTMakefile.w32         |    7 +-
 third_party/heimdal_build/config.h                 |    2 +
 third_party/heimdal_build/krb5/kdc-plugin.h        |    1 +
 third_party/heimdal_build/krb5/windc_plugin.h      |    1 -
 third_party/heimdal_build/wscript_build            |   59 +-
 third_party/heimdal_build/wscript_configure        |    2 +
 461 files changed, 15122 insertions(+), 7784 deletions(-)
 delete mode 100644 third_party/heimdal/.github/workflows/build.yml
 create mode 100644 third_party/heimdal/cf/ax_check_sign.m4
 create mode 100644 third_party/heimdal/cf/check-compile-flag.m4
 create mode 100644 third_party/heimdal/kdc/kdc-accessors.h
 copy third_party/heimdal/{lib/gssapi/mech/mech_locl.h => kdc/kdc-audit.h} (51%)
 create mode 100644 third_party/heimdal/kdc/kdc-plugin.c
 create mode 100644 third_party/heimdal/kdc/kdc-plugin.h
 create mode 100644 third_party/heimdal/kdc/mssfu.c
 delete mode 100644 third_party/heimdal/kdc/rx.h
 delete mode 100644 third_party/heimdal/kdc/windc.c
 delete mode 100644 third_party/heimdal/kdc/windc_plugin.h
 create mode 100644 third_party/heimdal/lib/asn1/MANUAL.md
 create mode 100644 third_party/heimdal/lib/asn1/check-gen.h
 create mode 100644 third_party/heimdal/lib/gssapi/krb5/name_attrs.c
 create mode 100644 third_party/heimdal/lib/hdb/hdb.opt
 delete mode 100644 third_party/heimdal/lib/roken/getcap.c
 copy third_party/heimdal/tests/kdc/{krb5.conf.in => krb5-kcm.conf.in} (91%)
 create mode 100644 third_party/heimdal/tests/plugin/kdc_test_plugin.c
 delete mode 100644 third_party/heimdal/tests/plugin/windc.c
 create mode 100644 third_party/heimdal/windows/NTMakefile.sdk
 create mode 100644 third_party/heimdal_build/krb5/kdc-plugin.h
 delete mode 100644 third_party/heimdal_build/krb5/windc_plugin.h


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index f667b0d2f2d..762aee3b49c 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=5
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e511e17c4c8..83d77b5c028 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =====================
 
-This is the fourth release candidate of Samba 4.16.  This is *not*
+This is the fifth release candidate of Samba 4.16.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -174,6 +174,37 @@ smb.conf changes
   rpc start on demand helpers             Added           true
 
 
+CHANGES SINCE 4.16.0rc4
+=======================
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14737: Samba does not response STATUS_INVALID_PARAMETER when opening 2
+     objects with same lease key.
+
+o  Jule Anger <janger at samba.org>
+   * BUG 14999: Listing shares with smbstatus no longer works.
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 14996: Fix ldap simple bind with TLS auditing.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 14989: Fix a use-after-free in SMB1 server.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14865: Uncached logon on RODC always fails once.
+   * BUG 14984: Changing the machine password against an RODC likely destroys
+     the domain join.
+   * BUG 14993: authsam_make_user_info_dc() steals memory from its struct
+     ldb_message *msg argument.
+   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14995: Use Heimdal 8.0 (pre) rather than an earlier snapshot.
+
+
 CHANGES SINCE 4.16.0rc3
 =======================
 
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index b5b6362dc93..fda014c87d5 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -616,11 +616,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 	}
 
 	if (pac_upn_dns_info != NULL) {
-		user_info_dc->info->user_principal_name =
-			talloc_strdup(user_info_dc->info,
-				      pac_upn_dns_info->upn_name);
-		if (user_info_dc->info->user_principal_name == NULL) {
-			return NT_STATUS_NO_MEMORY;
+		if (pac_upn_dns_info->upn_name != NULL) {
+			user_info_dc->info->user_principal_name =
+				talloc_strdup(user_info_dc->info,
+					      pac_upn_dns_info->upn_name);
+			if (user_info_dc->info->user_principal_name == NULL) {
+				return NT_STATUS_NO_MEMORY;
+			}
 		}
 
 		user_info_dc->info->dns_domain_name =
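Review bot: The new `upn_name != NULL` guard in make_user_info_dc_pac() covers only the UPN copy, and the `dns_domain_name` assignment that follows inside the same `pac_upn_dns_info != NULL` block is cut off in this hunk; please confirm that copy cannot hit the same NULL case. With the guard in place `user_principal_name` can stay NULL on a successful return, which deserves a one-line comment so callers do not assume it is always set.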
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 8b499825230..78927d85193 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -343,6 +343,23 @@ def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
             sys.exit(1)
     return ret
 
+ at conf
+def CHECK_SIGN(conf, v, headers=None):
+    '''check the sign of a type'''
+    define_name = v.upper().replace(' ', '_')
+    for op, signed in [('<', 'signed'),
+                       ('>', 'unsigned')]:
+        if CHECK_CODE(conf,
+                      f'static int test_array[1 - 2 * !((({v})-1) {op} 0)];',
+                      define=f'{define_name}_{signed.upper()}',
+                      quote=False,
+                      headers=headers,
+                      local_include=False,
+                      msg=f"Checking if '{v}' is {signed}"):
+            return True
+
+    return False
+
 @conf
 def CHECK_VALUEOF(conf, v, headers=None, define=None):
     '''check the value of a variable/define'''
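Review bot: `define_name` in CHECK_SIGN is built with `v.upper().replace(' ', '_')`, which only handles spaces, so a type expression containing any other non-identifier character (a `*`, for example) would produce an invalid macro name for `define=`. Either restrict the result to `[A-Z0-9_]` or document that `v` must be a plain type name. The docstring could also say that the function defines `<TYPE>_SIGNED` or `<TYPE>_UNSIGNED` and returns False when neither probe compiles.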
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 1bdc0ee535a..e814a47233d 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -691,8 +691,6 @@ class cmd_domain_join(Command):
                     os.rename(f.name, smb_conf)
                 s3_lp = s3param.get_context()
                 s3_lp.load(smb_conf)
-                if machinepass is None:
-                    machinepass = samba.generate_random_machine_password(14, 40)
                 s3_net = s3_Net(creds, s3_lp, server=server)
                 (sid, domain_name) = s3_net.join_member(netbios_name,
                                                         machinepass=machinepass,
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 1723d9935d4..ff9b8fac916 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1924,11 +1924,14 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         invocationid = str(uuid.uuid4())
 
     if krbtgtpass is None:
+        # Note that the machinepass value is ignored
+        # as the backend (password_hash.c) will generate its
+        # own random values for the krbtgt keys
         krbtgtpass = samba.generate_random_machine_password(128, 255)
     if machinepass is None:
         machinepass = samba.generate_random_machine_password(120, 120)
     if dnspass is None:
-        dnspass = samba.generate_random_password(128, 255)
+        dnspass = samba.generate_random_password(120, 120)
 
     samdb.transaction_start()
     try:
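Review bot: The comment added under `if krbtgtpass is None:` says "the machinepass value is ignored", but the value it describes is `krbtgtpass`; as written it reads as if the machine account password generated two lines further down were discarded. Rename the variable in the comment to `krbtgtpass`.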
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index d1e102bdcab..9949b0abe4d 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -565,7 +565,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEqual("NT_STATUS_OK", msg["Authentication"]["status"])
         self.assertEqual("LDAP",
                           msg["Authentication"]["serviceDescription"])
-        self.assertEqual("simple bind",
+        self.assertEqual("simple bind/TLS",
                           msg["Authentication"]["authDescription"])
         self.assertEqual(
             EVT_ID_SUCCESSFUL_LOGON, msg["Authentication"]["eventId"])
@@ -579,7 +579,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_WRONG_PASSWORD") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
@@ -611,7 +611,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
@@ -641,7 +641,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
                     (msg["Authentication"]["status"] ==
                         "NT_STATUS_NO_SUCH_USER") and
                     (msg["Authentication"]["authDescription"] ==
-                        "simple bind") and
+                        "simple bind/TLS") and
                     (msg["Authentication"]["eventId"] ==
                         EVT_ID_UNSUCCESSFUL_LOGON) and
                     (msg["Authentication"]["logonType"] ==
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index 7f92b45f3fb..c853668058e 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -582,7 +582,7 @@ def update_machine_account_password(samdb, secrets_ldb, names):
         assert(len(res) == 1)
 
         msg = ldb.Message(res[0].dn)
-        machinepass = samba.generate_random_machine_password(128, 255)
+        machinepass = samba.generate_random_machine_password(120, 120)
         mputf16 = machinepass.encode('utf-16-le')
         msg["clearTextPassword"] = ldb.MessageElement(mputf16,
                                                       ldb.FLAG_MOD_REPLACE,
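Review bot: The switch to `generate_random_machine_password(120, 120)` in update_machine_account_password() has no explanation at this call site, while the trust_pw_new_value() change in the same changeset documents the reason (Windows RODC/RWDC PasswordUpdateForward handling, bug 14984). A short comment pointing at that bug, or a shared constant for the length, would keep the call sites from drifting apart again.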
@@ -658,9 +658,12 @@ def update_krbtgt_account_password(samdb):
     assert(len(res) == 1)
 
     msg = ldb.Message(res[0].dn)
-    machinepass = samba.generate_random_machine_password(128, 255)
-    mputf16 = machinepass.encode('utf-16-le')
-    msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+    # Note that the machinepass value is ignored
+    # as the backend (password_hash.c) will generate its
+    # own random values for the krbtgt keys
+    krbtgtpass = samba.generate_random_machine_password(128, 255)
+    kputf16 = krbtgtpass.encode('utf-16-le')
+    msg["clearTextPassword"] = ldb.MessageElement(kputf16,
                                                   ldb.FLAG_MOD_REPLACE,
                                                   "clearTextPassword")
 
diff --git a/selftest/knownfail b/selftest/knownfail
index 2a5287cba2d..7e897dd026d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -377,7 +377,6 @@
 ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
 # NETLOGON is disabled in any non-DC environments
 ^samba.tests.netlogonsvc.python\(ad_member\)
 ^samba.tests.netlogonsvc.python\(simpleserver\)
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 55e3c74494a..71e1a35eba7 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -55,10 +55,18 @@ char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
 			 int security)
 {
 	/*
-	 * use secure defaults.
+	 * use secure defaults, which match
+	 * what windows uses for computer passwords.
+	 *
+	 * We used to have min=128 and max=255 here, but
+	 * it's a bad idea because of bugs in the Windows
+	 * RODC/RWDC PasswordUpdateForward handling via
+	 * NetrLogonSendToSam.
+	 *
+	 * See https://bugzilla.samba.org/show_bug.cgi?id=14984
 	 */
-	size_t min = 128;
-	size_t max = 255;
+	size_t min = 120;
+	size_t max = 120;
 
 	switch (sec_channel_type) {
 	case SEC_CHAN_WKSTA:
diff --git a/source3/script/tests/test_smbstatus.sh b/source3/script/tests/test_smbstatus.sh
index b29ba15c377..20846f6d4ed 100755
--- a/source3/script/tests/test_smbstatus.sh
+++ b/source3/script/tests/test_smbstatus.sh
@@ -144,6 +144,100 @@ EOF
     return 0
 }
 
+test_smbstatus_output()
+{
+    local cmdfile=$PREFIX/smbclient_commands
+    local tmpfile=$PREFIX/smbclient_lock_file
+    local file=smbclient_lock_file
+    local status_shares=smbstatus_output_shares
+    local status_processes=smbstatus_output_processes
+    local status_locks=smbstatus_output_locks
+
+    cat > $tmpfile <<EOF
+Hello World!
+EOF
+    cat > $cmdfile <<EOF
+lcd $PREFIX_ABS
+put $file
+open $file
+!UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $SMBSTATUS --shares > $status_shares
+!UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $SMBSTATUS --processes > $status_processes
+!UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $SMBSTATUS --locks > $status_locks
+close 1
+rm $file
+quit
+EOF
+
+
+    cmd="CLI_FORCE_INTERACTIVE=yes $SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/tmp -I $SERVER_IP $ADDARGS --quiet < $cmdfile 2>&1"
+    eval echo "$cmd"
+    out=$(eval $cmd)
+    ret=$?
+
+    rm -f $cmpfile
+    rm -f $tmpfile
+
+    if [ $ret -ne 0 ] ; then
+       echo "Failed to run smbclient with error $ret"
+       echo "$out"
+       return 1
+    fi
+
+    out=$(cat $PREFIX/$status_processes)
+    echo "$out" | grep -c 'PID *Username'
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: Could not start smbstatus"
+       echo "$out"
+       return 1
+    fi
+    echo "$out" | grep -c "$USERNAME"
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: open connection not found"
+       echo "$out"
+       return 1
+    fi
+
+    out=$(cat $PREFIX/$status_shares)
+    echo "$out" | grep -c 'Service *pid'
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: Could not start smbstatus"
+       echo "$out"
+       return 1
+    fi
+    echo "$out" | grep -c "tmp"
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: shares not found"
+       echo "$out"
+       return 1
+    fi
+
+    out=$(cat $PREFIX/$status_locks)
+    echo "$out" | grep -c "Locked files:"
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: locked file not found"
+       echo "$out"
+       return 1
+    fi
+    echo "$out" | grep -c "$file"
+    ret=$?
+    if [ $ret -eq 1 ] ; then
+       echo "Failed: wrong file locked"
+       echo "$out"
+       return 1
+    fi
+
+    rm $PREFIX/$status_shares
+    rm $PREFIX/$status_processes
+    rm $PREFIX/$status_locks
+
+    return 0
+}
+
 testit "plain" \
     test_smbstatus || \
     failed=`expr $failed + 1`
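Review bot: `rm -f $cmpfile` in test_smbstatus_output() refers to a variable that is never set; the function declares `cmdfile`, so the smbclient command file is left behind in `$PREFIX`. Change it to `rm -f $cmdfile`. The `grep -c` checks also compare `$ret -eq 1` only, so a grep error (exit status 2) counts as a pass; `-ne 0` is the safer test. The three `$status_*` output files are not removed on the early `return 1` paths.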
@@ -152,4 +246,8 @@ testit "resolve_uids" \
     test_smbstatus || \
     failed=`expr $failed + 1`
 
+testit "test_output" \
+    test_smbstatus_output || \
+    failed=`expr $failed + 1`
+
 testok $0 $failed
diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
index ef382b43bd6..9146bf07ddc 100644
--- a/source3/smbd/filename.c
+++ b/source3/smbd/filename.c
@@ -1133,6 +1133,13 @@ NTSTATUS unix_convert(TALLOC_CTX *mem_ctx,
 					  &state->name,
 					  state->smb_fname->twrp,
 					  &state->smb_fname->st);
+		/*
+		 * stat_cache_lookup() allocates on talloc_tos() even
+		 * when !found, reparent correctly
+		 */
+		talloc_steal(state->smb_fname, state->smb_fname->base_name);
+		talloc_steal(state->mem_ctx, state->dirpath);
+
 		if (found) {
 			goto done;
 		}
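Review bot: The two `talloc_steal()` calls after `stat_cache_lookup()` repair ownership at this caller only, so any other caller of that function, if there is one, keeps the same trap; the comment itself says the lookup allocates on `talloc_tos()` even when `!found`. Consider passing the intended talloc context into `stat_cache_lookup()` instead, or at least name the bug in the comment so the reparenting is not later removed as redundant.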
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index a5664b319ad..5a3ac2c064a 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -5302,8 +5302,42 @@ static void lease_match_parser(
 
 		/* Everything should be the same. */
 		if (!file_id_equal(&state->id, &f->id)) {
-			/* This should catch all dynamic share cases. */
-			state->match_status = NT_STATUS_OPLOCK_NOT_GRANTED;
+			/*
+			 * The client asked for a lease on a
+			 * file that doesn't match the file_id
+			 * in the database.
+			 *
+			 * Maybe this is a dynamic share, i.e.
+			 * a share where the servicepath is
+			 * different for different users (e.g.
+			 * the [HOMES] share.
+			 *
+			 * If the servicepath is different, but the requested
+			 * file name + stream name is the same then this is
+			 * a dynamic share, the client is using the same share
+			 * name and doesn't know that the underlying servicepath
+			 * is different. It was expecting a lease on the
+			 * same file. Return NT_STATUS_OPLOCK_NOT_GRANTED
+			 * to break leases
+			 *
+			 * Otherwise the client has messed up, or is
+			 * testing our error codes, so return
+			 * NT_STATUS_INVALID_PARAMETER.
+			 */
+			if (!strequal(f->servicepath, state->servicepath) &&
+			    strequal(f->base_name, state->fname->base_name) &&
+			    strequal(f->stream_name, state->fname->stream_name))
+			{
+				/*
+				 * Name is the same but servicepath is
+				 * different, dynamic share. Break leases.
+				 */
+				state->match_status =
+					NT_STATUS_OPLOCK_NOT_GRANTED;
+			} else {
+				state->match_status =
+					NT_STATUS_INVALID_PARAMETER;
+			}
 			break;
 		}
 		if (!strequal(f->servicepath, state->servicepath)) {
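Review bot: In the new comment block in lease_match_parser(), the parenthesis opened at "(e.g. the [HOMES] share." is never closed and the sentence ending "to break leases" lacks its full stop. On the logic, the dynamic-share branch compares `f->stream_name` with `state->fname->stream_name` via `strequal()`; if both can be NULL for a base-file open, the comment should state that two NULLs are expected to compare equal, since the choice between NT_STATUS_OPLOCK_NOT_GRANTED and NT_STATUS_INVALID_PARAMETER depends on it.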
diff --git a/source3/utils/conn_tdb.c b/source3/utils/conn_tdb.c
index 24fd460c081..1d19d04f1aa 100644
--- a/source3/utils/conn_tdb.c
+++ b/source3/utils/conn_tdb.c
@@ -120,6 +120,8 @@ static int traverse_tcon_fn(struct smbXsrv_tcon_global0 *global,
 
 	ZERO_STRUCT(data);
 
+	data.pid = global->server_id;
+	data.cnum = global->tcon_global_id;
 	fstrcpy(data.servicename, global->share_name);
 	data.uid = sess.uid;
 	data.gid = sess.gid;
diff --git a/source3/utils/py_net.c b/source3/utils/py_net.c
index 3142f83bc7f..0d774bcb805 100644
--- a/source3/utils/py_net.c
+++ b/source3/utils/py_net.c
@@ -88,7 +88,7 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec
 		return NULL;
 	}
 
-	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|ssssssspp:Join",
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|sssssszpp:Join",
 					 discard_const_p(char *, kwnames),
 					 &r->in.dnshostname,
 					 &r->in.upn,
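Review bot: Changing the seventh format unit from `s` to `z` lets that keyword argument be None, so the matching `r->in` field can be NULL after parsing; the hunk does not show which field it is or how it is initialised. Make sure it is NULL before `PyArg_ParseTupleAndKeywords()` runs and that the join code treats NULL as "choose a password", because cmd_domain_join no longer generates one itself.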
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 8301aec519c..b2e76381395 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -88,9 +88,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
 	user_info->service_description = "LDAP";
 
 	if (using_tls) {
-		user_info->auth_description = "simple bind";
-	} else {
 		user_info->auth_description = "simple bind/TLS";
+	} else {
+		user_info->auth_description = "simple bind";
 	}
 
 	user_info->password_state = AUTH_PASSWORD_PLAIN;
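Review bot: The inverted `using_tls` branches are corrected here, but the accompanying auth_log.py hunks only update the ldaps expectations to "simple bind/TLS"; nothing in the visible diff asserts that a non-TLS bind is logged as plain "simple bind". Add that assertion so the two strings cannot be swapped again unnoticed. Anyone filtering audit logs on `authDescription` will see the two values trade places after upgrading.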
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 93b41be3b21..8b233bab3ad 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -454,12 +454,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 	user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 
-	info->account_name = talloc_steal(info,
-		ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
+	str = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL);
+	info->account_name = talloc_strdup(info, str);
+	if (info->account_name == NULL) {
+		TALLOC_FREE(user_info_dc);
+		return NT_STATUS_NO_MEMORY;
+	}
 
-	info->user_principal_name = talloc_steal(info,
-		ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL));
-	if (info->user_principal_name == NULL && dns_domain_name != NULL) {
+	str = ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL);
+	if (str == NULL && dns_domain_name != NULL) {


-- 
Samba Shared Repository


