[SCM] Samba Shared Repository - branch v4-19-stable updated

Jule Anger janger at samba.org
Thu Aug 15 12:13:50 UTC 2024


The branch, v4-19-stable has been updated
       via  204b0f2d2f7 VERSION: Disable GIT_SNAPSHOT for the 4.19.8 release.
       via  c992f748904 WHATSNEW: Add release notes for Samba 4.19.8.
       via  af2360d6973 s3:ntlm_auth: make logs more consistent with length check
       via  ab535a64d26 wafsamba: Fix ABI symbol name generation
       via  4419ccc5778 libcli:security: allow spaces after BAD:
       via  2b35eab717b cmdline:burn: list commands to always burn; warn on unknown
       via  0c6749b1268 cmdline: samba-tool test for bad option warning
       via  e35d6aeb4eb cmdline:burn: add a note about short option combinations
       via  bfdd8d17d00 cmdline:burn: explicitly burn --username
       via  0c7a0ff715d cmdline:burn: use allowlist to ensure more passwords burn
       via  ae462aa71af cmdline: test_cmdline tests more burning
       via  c01499cde1a cmdline:burn: do not burn options starting --user-*, --password-*
       via  83de4276f06 cmdline:burn: localise some variables
       via  0285ea8c1ea cmdline:burn: always return true if burnt
       via  d87b5a9723f cmdline:burn: handle arguments separated from their --options
       via  22a6e45541c cmdline:burn: do not retain false memories
       via  245fe4d5018 cmdline:tests: extend cmdline_burn tests
       via  0b94b86f350 selftest: run the cmdline tests that we already have
       via  efd989ac3e0 cmdline:burn: '-U' does not imply secrets without '%'
       via  bd365f688db docs-xml:manpages: allow for longer version strings
       via  63c8ed2a386 .gitlab-ci-main.yml: Add safe.directory '*'
       via  b22c93aca20 gitlab-ci: Also add the git directory for pipeline in the main mirror
       via  8d08c814134 third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
       via  fee232dd9cf third_party: Update socket_wrapper to version 1.4.3
       via  9308c3aad44 third_party: Update uid_wrapper to version 1.3.1
       via  4180ff4e97b gitlab-ci: Set git safe.directory for devel repo
       via  374c5ed2f51 bootstrap: Fix building CentOS 8 Stream container images
       via  8d2c6462442 bootstrap: Set git safe.directory
       via  179168442a4 bootstrap: Fix runner tags
       via  0702547d303 [v4-19-only] selftest: support for MIT krb5 1.21
       via  e5d3231f205 selftest: Allow MIT Krb5 1.21 to still start to fl2000dc
       via  0c14b0c9533 .gitlab-ci: Allow ext4 jobs to run on shared runners
       via  37414481259 .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel
       via  6107f663046 Fix starvation of pending writes in CTDB queues
       via  a65eda03caa build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
       via  fe5f703e428 buildtools: sanitise strange characters in vendor strings
       via  2cf809bb1f3 third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
       via  86034d86d98 tests/krb5: Add tests for errors produced when logging in with unusable accounts
       via  7cc2b7b0288 tests/krb5: Allow creation of disabled accounts for testing
       via  2102b619cf6 python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
       via  9c64cd3f2e0 tests/krb5: Fix PK-INIT test framework to allow expired password keys
       via  e65a4281c13 dsdb: Reduce minimum maxPwdAge from 1 day to nil
       via  a35edbb5302 tests/krb5: Use __slots__ to indicate which attributes are used by classes
       via  fc8beb134d2 tests/krb5: Add method to perform an armored AS‐REQ
       via  bb5414a6088 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
       via  b3519d06b63 auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
       via  20fcb8f8bce auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
       via  b79e3492f80 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
       via  bfe5ad43a57 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
       via  28fbc8ff19b ctdb/docs: Include ceph rados namespace support in man page
       via  0597a2a62ac ctdb/ceph: Add optional namespace support for mutex helper
       via  ac5efd0302f vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
       via  1af40f29c7e s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
       via  f525d2fef3d script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
       via  80655e22136 build: Add --vendor-name --vendor-patch-revision options to ./configure
       via  7ccbbb4baf1 s4:nbt_server: simulate nmbd and provide unexpected handling
       via  9a9dc998926 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
       via  a308204aa1b s4:libcli/dgram: make use of socket_address_copy()
       via  1d766f29245 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
       via  e2cec0d2800 libcli/nbt: add nbt_name_send_raw()
       via  12a6060eed0 s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
       via  8b39131deb4 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
       via  8c06b437064 s3:libsmb/unexpected: don't use talloc_tos() in async code
       via  5de4ae88ced s3:wscript: LIBNMB requires lp_ functions
       via  39789dce2dd s3:include: split out fstring.h
       via  7e076141857 s3:include: let nameserv.h be useable on its own
       via  dfa0b1adb87 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
       via  6c86b519936 selftest: Add a python blackbox test for some misc (widelink) DFS tests
       via  fd58608723f s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
       via  c29dc6e79b0 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
       via  6d3d87babdc s4:dns_server: dns_verify_tsig should return REFUSED on error
       via  c7188e17464 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
       via  288744a74b5 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
       via  7a457c6813d s4:dns_server: use the client provided algorithm for the fake TSIG structure
       via  cbf10a68e1c s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
       via  234503e2375 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
       via  662c4675666 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
       via  4a7d14efe47 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
       via  d5c6276f534 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
       via  e50968ed096 python:tests/dns_base: add get_unpriv_creds() helper
       via  0ee7660ffe5 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
       via  4d4b39c102d python:tests/dns_base: let verify_packet() work against Windows
       via  4bc0619b1e2 python:tests/dns_tkey: test bad and changing tsig algorithms
       via  eb18b228d1b python:tests/dns_tkey: add gss.microsoft.com tsig updates
       via  f984b281c5f python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
       via  e120078e2c3 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
       via  16c21888ea4 python:tests/dns_base: maintain a dict with tkey related state
       via  2741574e32f python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
       via  48be174b021 python:tests/dns_base: pass tkey_trans(expected_rcode)
       via  a086e96f269 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
       via  b1222378a29 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
       via  fdac589752e python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
       via  606b7034f5d python:tests/dns_base: add self.assert_echoed_dns_error()
       via  313ca15a845 python:tests/dns_base: let dns_transaction_tcp() handle short receives
       via  1800543b0ad python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
       via  1c807412b88 python:tests/dns_base: generate a real signature in bad_sign_packet()
       via  fecc211af0e BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs
       via  6875787d129 VERSION: Bump version up to Samba 4.19.8...
      from  bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |  78 +++--
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 104 +++++-
 auth/credentials/credentials.c                     |   5 +
 auth/credentials/credentials.h                     |   1 +
 auth/credentials/credentials_secrets.c             |  31 +-
 auth/credentials/tests/test_creds.c                |  37 +-
 bootstrap/.gitlab-ci.yml                           |   6 +-
 bootstrap/config.py                                |   3 +
 bootstrap/generated-dists/centos8s/bootstrap.sh    |   3 +
 bootstrap/sha1sum.txt                              |   2 +-
 buildtools/wafsamba/samba_abi.py                   |   6 +-
 buildtools/wafsamba/samba_third_party.py           |   4 +-
 buildtools/wafsamba/samba_version.py               |   5 +
 ctdb/common/ctdb_io.c                              |  17 +-
 ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml        |   4 +-
 ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c     |  50 ++-
 docs-xml/xslt/man.xsl                              |   3 +
 lib/cmdline/cmdline.c                              | 217 ++++++++++--
 lib/cmdline/tests/test_cmdline.c                   |  54 ++-
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} |   0
 libcli/nbt/libnbt.h                                |   3 +
 libcli/nbt/nbtsocket.c                             |  44 +++
 libcli/security/sddl.c                             |   5 +
 python/samba/tests/blackbox/misc_dfs_widelink.py   |  86 +++++
 python/samba/tests/dns_base.py                     | 213 ++++++++----
 python/samba/tests/dns_tkey.py                     | 325 ++++++++++++++++--
 python/samba/tests/join.py                         |   2 +-
 python/samba/tests/krb5/kdc_base_test.py           |  28 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           | 117 +++++++
 python/samba/tests/krb5/lockout_tests.py           | 210 ++++++++++-
 python/samba/tests/krb5/pkinit_tests.py            |  15 +-
 python/samba/tests/krb5/raw_testcase.py            |  57 ++-
 python/samba/tests/krb5/rfc4120_constants.py       |   1 +
 python/samba/tests/samba_tool/help.py              |   9 +
 python/samba/tests/sddl.py                         |  10 +-
 script/autobuild.py                                |  14 +-
 selftest/knownfail_mit_kdc                         | 237 +------------
 selftest/knownfail_mit_kdc_1_21                    | 363 ++++++++++++++++++++
 selftest/knownfail_mit_kdc_pre_1_20                |  19 -
 selftest/knownfail_mit_kdc_pre_1_21                | 236 +++++++++++++
 selftest/target/Samba.pm                           |   2 +
 selftest/target/Samba4.pm                          |   2 +
 selftest/tests.py                                  |   3 +
 selftest/wscript                                   |   5 +
 lib/util/unix_match.h => source3/include/fstring.h |  14 +-
 source3/include/includes.h                         |   5 +-
 source3/include/nameserv.h                         | 380 ++------------------
 source3/include/smb.h                              |  26 +-
 source3/libsmb/clidgram.c                          |   6 +-
 source3/libsmb/dsgetdcname.c                       |   5 +
 source3/libsmb/namequery.c                         |   7 +-
 source3/libsmb/nmblib.c                            |   6 +
 source3/libsmb/nmblib.h                            |   2 +
 source3/libsmb/unexpected.c                        |  18 +-
 source3/libsmb/unexpected.h                        |   2 +
 source3/modules/vfs_default.c                      |   6 +
 source3/nmbd/nmbd.h                                | 382 +++++++++++++++++++++
 source3/nmbd/nmbd_packets.c                        |   1 +
 source3/smbd/files.c                               |  18 +
 source3/utils/ntlm_auth.c                          |   6 +-
 source3/wscript_build                              |   1 +
 source4/dns_server/dns_crypto.c                    |  49 ++-
 source4/dns_server/dns_query.c                     |  27 +-
 source4/dns_server/dns_update.c                    |  11 +
 source4/dns_server/dnsserver_common.c              |   2 +
 source4/dsdb/samdb/ldb_modules/operational.c       |   4 +-
 source4/libcli/dgram/dgramsocket.c                 |  40 ++-
 source4/libcli/dgram/libdgram.h                    |   3 +
 source4/nbt_server/dgram/request.c                 |  56 ++-
 source4/nbt_server/interfaces.c                    |  29 ++
 source4/nbt_server/nbt_server.c                    | 143 ++++++++
 source4/nbt_server/nbt_server.h                    |   2 +
 source4/nbt_server/wscript_build                   |   2 +-
 source4/selftest/tests.py                          |  21 +-
 source4/torture/smb2/ioctl.c                       |  64 ++++
 testprogs/blackbox/test_ldap_token.sh              | 115 +++++++
 testprogs/blackbox/test_trust_token.sh             |   5 +-
 third_party/heimdal/kdc/fast.c                     |  13 +-
 third_party/heimdal/lib/krb5/fast.c                |  12 +-
 third_party/heimdal/lib/krb5/mcache.c              |   2 +-
 third_party/socket_wrapper/socket_wrapper.c        |  45 ++-
 third_party/socket_wrapper/wscript                 |   3 +-
 third_party/uid_wrapper/uid_wrapper.c              |  58 +++-
 third_party/uid_wrapper/wscript                    |   4 +-
 wscript                                            |  10 +
 wscript_configure_system_mitkrb5                   |   4 +-
 87 files changed, 3341 insertions(+), 906 deletions(-)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} (100%)
 create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py
 create mode 100644 selftest/knownfail_mit_kdc_1_21
 create mode 100644 selftest/knownfail_mit_kdc_pre_1_21
 copy lib/util/unix_match.h => source3/include/fstring.h (76%)
 create mode 100755 testprogs/blackbox/test_ldap_token.sh


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4e4addf5d1a..f7dfe890032 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 190a74ee9628f298961d890ba37fcc7d213daae2
+  SAMBA_CI_CONTAINER_TAG: bbc2e41b217a3318c654a45b79d4b5a5af4abeb3
   #
   # We use the ubuntu2204 image as default as
   # it matches what we have on atb-devel-224
@@ -146,7 +146,7 @@ include:
     - ccache -z -M 500M
     - ccache -s
       # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
-    - git config --global --add safe.directory `pwd`
+    - git config --global --add safe.directory '*'
   after_script:
     - mount
     - df -h
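Review bot: `safe.directory '*'` in the before_script turns off git's repository ownership check for every path on the runner, where the old `pwd` form covered only the checkout. bootstrap/.gitlab-ci.yml in this same push scopes the setting to /src/.git. If the wildcard is needed because jobs clone into several directories, say so in the comment above the line; otherwise list the specific directories.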
@@ -415,41 +415,77 @@ samba-shellcheck:
       # settings -> CI/CD -> Environment variables
     - if: $SUPPORT_PRIVATE_TEST == "yes"
 
-.needs_samba-def-build-private:
+.needs_ext4_support:
+  # All runners provide an ext4 filesystem
+  #
+  # Note: we don't use
+  # extends: .shared_template_test_only
+  # as that somehow resets the needs section
+  # and generates problems for something
+  # like this (which is used below)
+  #
+  # .needs_samba-SOME-build-ext4:
+  #   extends:
+  #     - .needs_samba-SOME-build
+  #     - .needs_ext4_support
+  #
+  # So we only set stage again instead...
+  stage: test_only
+
+.needs_5_15_kernel:
+  # Our private runners are based on
+  # ubuntu2204 with a 5.15 kernel.
+  #
+  # And they also provide an ext4 filesystem
+  extends: .private_test_only
+
+.needs_samba-def-build-ext4:
   extends:
     - .needs_samba-def-build
-    - .private_test_only
+    - .needs_ext4_support
 
-.needs_samba-mit-build-private:
+.needs_samba-mit-build-ext4:
   extends:
     - .needs_samba-mit-build
-    - .private_test_only
+    - .needs_ext4_support
 
-.needs_samba-h5l-build-private:
+.needs_samba-h5l-build-ext4:
   extends:
     - .needs_samba-h5l-build
-    - .private_test_only
+    - .needs_ext4_support
 
-.needs_samba-without-smb1-build-private:
+.needs_samba-without-smb1-build-5_15:
+  # Currently this doesn't strictly
+  # require a kernel >= 5.15, but only
+  # ext4 support.
+  #
+  # But we want to make sure that
+  # our private runners keep working
+  # and at least do a single job.
+  #
+  # In future we'll be able to run
+  # tests with io_uring in this
+  # setup, which will requires a
+  # 5.15 kernel in order to be useful.
   extends:
     - .needs_samba-without-smb1-build
-    - .private_test_only
+    - .needs_5_15_kernel
 
-.needs_samba-nt4-build-private:
+.needs_samba-nt4-build-ext4:
   extends:
     - .needs_samba-nt4-build
-    - .private_test_only
+    - .needs_ext4_support
 
-.needs_samba-no-opath-build-private:
+.needs_samba-no-opath-build-ext4:
   extends:
     - .needs_samba-no-opath-build
-    - .private_test_only
+    - .needs_ext4_support
 
 samba-fileserver:
-  extends: .needs_samba-h5l-build-private
+  extends: .needs_samba-h5l-build-ext4
 
 samba-fileserver-without-smb1:
-  extends: .needs_samba-without-smb1-build-private
+  extends: .needs_samba-without-smb1-build-5_15
 
 # This is a full build without the AD DC so we test the build with MIT
 # Kerberos from the default system (Ubuntu 22.04 at this stage).
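Review bot: `.needs_ext4_support` only sets `stage: test_only`, so nothing in this template actually selects a runner with ext4. The requirement rests entirely on the comment "All runners provide an ext4 filesystem", and the `-ext4` job template names suggest an enforced constraint that is not there. Either add a tag or rule that enforces it, or rename the template to say what it does (move the job to the shared test_only stage). Also a typo in the `.needs_samba-without-smb1-build-5_15` comment: "which will requires" should be "which will require".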
@@ -459,19 +495,19 @@ samba-ktest-mit:
  extends: .shared_template
 
 samba-ad-dc-1:
-  extends: .needs_samba-def-build-private
+  extends: .needs_samba-def-build-ext4
 
 samba-nt4:
-  extends: .needs_samba-nt4-build-private
+  extends: .needs_samba-nt4-build-ext4
 
 samba-addc-mit-1:
-  extends: .needs_samba-mit-build-private
+  extends: .needs_samba-mit-build-ext4
 
 samba-no-opath1:
-  extends: .needs_samba-no-opath-build-private
+  extends: .needs_samba-no-opath-build-ext4
 
 samba-no-opath2:
-  extends: .needs_samba-no-opath-build-private
+  extends: .needs_samba-no-opath-build-ext4
 
 # 'pages' is a special job which can publish artifacts in `public` dir to gitlab pages
 pages:
diff --git a/VERSION b/VERSION
index 44318cde503..89a60174790 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fa27ad5083b..43b8cafa119 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,104 @@
+                   ==============================
+                   Release Notes for Samba 4.19.8
+                          August 15, 2024
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.7
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 15671: Invalid client warning about command line passwords.
+   * BUG 15672: Version string is truncated in manpages.
+   * BUG 15673: --version-* options are still not ergonomic, and they reject
+     tilde characters.
+   * BUG 15674: cmdline_burn does not always burn secrets.
+   * BUG 15685: Samba doesn't parse SDDL found in defaultSecurityDescriptor in
+     AD_DS_Classes_Windows_Server_v1903.ldf.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
+     revision arguments to ./configure to allow distributions and packagers to
+     put their name in the Samba version string so that when debugging Samba the
+     source of the binary is obvious.
+   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+     Windows computer when user account need to change their own
+     password.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 15676: Fix clock skew error message and memory cache clock skew
+     recovery.
+
+o  Günther Deschner <gd at samba.org>
+   * BUG 15665: CTDB RADOS mutex helper misses namespace support.
+
+o  Pavel Filipenský <pfilipensky at samba.org>
+   * BUG 15660: The images don't build after the git security release and CentOS
+     8 Stream is EOL.
+
+o  Xavi Hernandez <xhernandez at redhat.com>
+   * BUG 15678: Fix unnecessary delays in CTDB while processing requests under
+     high load.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
+   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
+     can't use nmb requests instead cldap.
+   * BUG 15660: The images don't build after the git security release and CentOS
+     8 Stream is EOL.
+   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
+   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
+     machine account.
+
+o  Noel Power <noel.power at suse.com>
+   * BUG 15435: Regression DFS not working with widelinks = true.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15660: The images don't build after the git security release and CentOS
+     8 Stream is EOL.
+   * BUG 15673: --version-* options are still not ergonomic, and they reject
+     tilde characters.
+
+o  Jo Sutton <josutton at catalyst.net.nz>
+   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+     Windows computer when user account need to change their own
+     password.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+     Windows computer when user account need to change their own
+     password.
+
+o  Jones Syue <jonessyue at qnap.com>
+   * BUG 15677: ntlm_auth make logs more consistent with length check.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.7
                            June 10, 2024
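Review bot: the BUG 15654 entry still advertises `--vendor-name` and `--vendor-patch-revision`, but this push also contains a65eda03caa ("build: --vendor-suffix instead of --vendor-patch-revision --vendor-name"), so the release notes describe options that the release replaces; the entry should name `--vendor-suffix`. Two smaller points: BUG 15655 appears under both "Jo Sutton" and "Joseph Sutton" with different addresses, which looks like one author split by the generator, and its text reads "user account need to change" where "needs" is meant.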
@@ -59,8 +160,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.6
                            April 08, 2024
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 7a00279b8b4..30ebef8f4dc 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
 	return creds->kerberos_state;
 }
 
+_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds)
+{
+	return creds->kerberos_state_obtained;
+}
+
 _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
 {
 	return creds->forced_sasl_mech;
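Review bot: the new `_PUBLIC_` accessor `cli_credentials_get_kerberos_state_obtained()` has no comment saying what the returned `enum credentials_obtained` level means for callers. The only caller in this push compares it with `<= CRED_SMB_CONF`, so the ordering of the enum is part of the contract and should be stated next to the function or its declaration.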
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c5ffe536e07..d3979495901 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e116f..906f3ff1a21 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	}
 
 	if (secrets_tdb_password_more_recent) {
-		enum credentials_use_kerberos use_kerberos =
-			CRED_USE_KERBEROS_DISABLED;
 		char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 		if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+			enum credentials_use_kerberos use_kerberos =
+				cli_credentials_get_kerberos_state(cred);
+			enum credentials_obtained use_kerberos_obtained =
+				cli_credentials_get_kerberos_state_obtained(cred);
+			bool is_ad = false;
+
 			cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
 
 			switch (server_role) {
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 				FALL_THROUGH;
 			case ROLE_ACTIVE_DIRECTORY_DC:
 			case ROLE_IPA_DC:
-				use_kerberos = CRED_USE_KERBEROS_DESIRED;
+				is_ad = true;
 				break;
 			}
+
+			if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+				/*
+				 * Keep an explicit selection
+				 *
+				 * For AD domains we also keep
+				 * CRED_USE_KERBEROS_DESIRED
+				 */
+			} else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+				/*
+				 * Disable kerberos by default within
+				 * an NT4 domain.
+				 */
+				cli_credentials_set_kerberos_state(cred,
+						CRED_USE_KERBEROS_DISABLED,
+						CRED_SMB_CONF);
+			}
 		}
-		cli_credentials_set_kerberos_state(cred,
-						   use_kerberos,
-						   CRED_SPECIFIED);
+
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 		cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 		cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
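Review bot: removing the unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos, CRED_SPECIFIED)` at the end of this hunk changes the path where `strequal(domain, lpcfg_workgroup(lp_ctx))` is false. That path used to force `CRED_USE_KERBEROS_DISABLED` at `CRED_SPECIFIED` and now leaves the state untouched, and neither comment mentions it. Please state in a comment that this is intended, or handle that case explicitly. The empty first branch also makes the condition hard to read; a single test such as `if (use_kerberos == CRED_USE_KERBEROS_DESIRED && !is_ad && use_kerberos_obtained <= CRED_SMB_CONF)` around the disable call says the same thing without a comment-only block.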
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 2cb2e6d0e34..e79f08982ad 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state)
 	TALLOC_CTX *mem_ctx = *state;
 	struct cli_credentials *creds = NULL;
 	struct loadparm_context *lp_ctx = NULL;
+	enum credentials_obtained kerberos_state_obtained;
+	enum credentials_use_kerberos kerberos_state;
 	bool ok;
 
 	lp_ctx = loadparm_init_global(true);
@@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state)
 
 	creds = cli_credentials_init(mem_ctx);
 	assert_non_null(creds);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 
 	ok = cli_credentials_set_conf(creds, lp_ctx);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 
 	ok = cli_credentials_guess(creds, lp_ctx);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 	assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE);
 	assert_non_null(creds->ccache);
 
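Review bot: the same fetch-and-assert sequence (two getter calls followed by two `assert_int_equal` lines) is repeated after every step in this hunk and again in the next one. A small helper or macro taking the expected `obtained` and `state` values would keep the test readable. The hunk also still reads `creds->ccache_obtained` directly a few lines below the converted asserts, so the switch from struct access to accessors is only partial; worth a word in the commit message if that is deliberate.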
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state)
 						CRED_USE_KERBEROS_REQUIRED,
 						CRED_SPECIFIED);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
 
 	ok = cli_credentials_set_kerberos_state(creds,
 						CRED_USE_KERBEROS_DISABLED,
 						CRED_SMB_CONF);
 	assert_false(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
 
 }
 
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 71c68d9ee14..c68b173f24d 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -6,9 +6,7 @@
     # We need to make sure we only use gitlab.com
     # runners and not our own runners, as our current runners
     # don't allow 'docker build ...' to run.
-    - docker
-    - gce
-    - shared
+    - saas-linux-small-amd64
   variables:
     SAMBA_CI_IS_BROKEN_IMAGE: "no"
     SAMBA_CI_TEST_JOB: "samba-o3"
@@ -47,7 +45,7 @@
     diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
     # run smoke test with samba-o3 or samba-fuzz
     podman run --volume $(pwd):/src:ro ${ci_image_name} \
-        /bin/bash -c "git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+        /bin/bash -c "git config --global --add safe.directory /src/.git && git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
     podman tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
     podman tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
     # We build all images, but only upload is it's not marked as broken
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 5daf2d3ce54..aeea500aa9f 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -242,6 +242,9 @@ CENTOS8S_YUM_BOOTSTRAP = r"""
 {GENERATED_MARKER}
 set -xueo pipefail
 
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
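Review bot: the replacement baseurl in the second `sed` keeps plain `http://`, so the CentOS 8 Stream image fetches repository metadata and packages from vault.centos.org without transport protection; use `https://` if the vault serves it. The first expression, `s/mirrorlist/#mirrorlist/g`, is also unanchored: it rewrites every occurrence of the string, including ones in comments or on lines already commented out. Anchoring it as `s/^mirrorlist/#mirrorlist/` limits the change to the active setting and makes a second run a no-op. The same applies to the generated bootstrap.sh.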
diff --git a/bootstrap/generated-dists/centos8s/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
index 6a76d40d70e..5eea6f766a1 100755
--- a/bootstrap/generated-dists/centos8s/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -7,6 +7,9 @@
 
 set -xueo pipefail
 
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 11ab035f572..669804c4545 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-190a74ee9628f298961d890ba37fcc7d213daae2
+bbc2e41b217a3318c654a45b79d4b5a5af4abeb3
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index 682f4e897b5..155559973a0 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -286,7 +286,7 @@ def abi_build_vscript(task):
         f.close()
 
 def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
-    version = version.replace("-", "_").replace("+","_").upper()
+    version = re.sub(r'[^.\w]', '_', version).upper()
     t = bld.SAMBA_GENERATOR(private_vscript,
                             rule=abi_build_vscript,
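Review bot: in `VSCRIPT_MAP_PRIVATE`, `\w` in `re.sub(r'[^.\w]', '_', version)` matches Unicode word characters on a Python 3 `str`, so a non-ASCII letter or digit in the version string passes through into the generated symbol version name. Use an explicit class such as `[^.A-Za-z0-9_]` or pass `flags=re.ASCII`. The hunk also relies on `re` being imported at the top of samba_abi.py, which is not visible here; please confirm it is.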


-- 
Samba Shared Repository


