[SCM] Samba Shared Repository - branch v4-19-stable updated
Jule Anger
janger at samba.org
Thu Aug 15 12:13:50 UTC 2024
The branch, v4-19-stable has been updated
via 204b0f2d2f7 VERSION: Disable GIT_SNAPSHOT for the 4.19.8 release.
via c992f748904 WHATSNEW: Add release notes for Samba 4.19.8.
via af2360d6973 s3:ntlm_auth: make logs more consistent with length check
via ab535a64d26 wafsamba: Fix ABI symbol name generation
via 4419ccc5778 libcli:security: allow spaces after BAD:
via 2b35eab717b cmdline:burn: list commands to always burn; warn on unknown
via 0c6749b1268 cmdline: samba-tool test for bad option warning
via e35d6aeb4eb cmdline:burn: add a note about short option combinations
via bfdd8d17d00 cmdline:burn: explicitly burn --username
via 0c7a0ff715d cmdline:burn: use allowlist to ensure more passwords burn
via ae462aa71af cmdline: test_cmdline tests more burning
via c01499cde1a cmdline:burn: do not burn options starting --user-*, --password-*
via 83de4276f06 cmdline:burn: localise some variables
via 0285ea8c1ea cmdline:burn: always return true if burnt
via d87b5a9723f cmdline:burn: handle arguments separated from their --options
via 22a6e45541c cmdline:burn: do not retain false memories
via 245fe4d5018 cmdline:tests: extend cmdline_burn tests
via 0b94b86f350 selftest: run the cmdline tests that we already have
via efd989ac3e0 cmdline:burn: '-U' does not imply secrets without '%'
via bd365f688db docs-xml:manpages: allow for longer version strings
via 63c8ed2a386 .gitlab-ci-main.yml: Add safe.directory '*'
via b22c93aca20 gitlab-ci: Also add the git directory for pipeline in the main mirror
via 8d08c814134 third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
via fee232dd9cf third_party: Update socket_wrapper to version 1.4.3
via 9308c3aad44 third_party: Update uid_wrapper to version 1.3.1
via 4180ff4e97b gitlab-ci: Set git safe.directory for devel repo
via 374c5ed2f51 bootstrap: Fix building CentOS 8 Stream container images
via 8d2c6462442 bootstrap: Set git safe.directory
via 179168442a4 bootstrap: Fix runner tags
via 0702547d303 [v4-19-only] selftest: support for MIT krb5 1.21
via e5d3231f205 selftest: Allow MIT Krb5 1.21 to still start to fl2000dc
via 0c14b0c9533 .gitlab-ci: Allow ext4 jobs to run on shared runners
via 37414481259 .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel
via 6107f663046 Fix starvation of pending writes in CTDB queues
via a65eda03caa build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
via fe5f703e428 buildtools: sanitise strange characters in vendor strings
via 2cf809bb1f3 third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
via 86034d86d98 tests/krb5: Add tests for errors produced when logging in with unusable accounts
via 7cc2b7b0288 tests/krb5: Allow creation of disabled accounts for testing
via 2102b619cf6 python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
via 9c64cd3f2e0 tests/krb5: Fix PK-INIT test framework to allow expired password keys
via e65a4281c13 dsdb: Reduce minimum maxPwdAge from 1 day to nil
via a35edbb5302 tests/krb5: Use __slots__ to indicate which attributes are used by classes
via fc8beb134d2 tests/krb5: Add method to perform an armored AS‐REQ
via bb5414a6088 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
via b3519d06b63 auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
via 20fcb8f8bce auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
via b79e3492f80 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
via bfe5ad43a57 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
via 28fbc8ff19b ctdb/docs: Include ceph rados namespace support in man page
via 0597a2a62ac ctdb/ceph: Add optional namespace support for mutex helper
via ac5efd0302f vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
via 1af40f29c7e s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
via f525d2fef3d script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
via 80655e22136 build: Add --vendor-name --vendor-patch-revision options to ./configure
via 7ccbbb4baf1 s4:nbt_server: simulate nmbd and provide unexpected handling
via 9a9dc998926 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
via a308204aa1b s4:libcli/dgram: make use of socket_address_copy()
via 1d766f29245 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
via e2cec0d2800 libcli/nbt: add nbt_name_send_raw()
via 12a6060eed0 s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
via 8b39131deb4 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
via 8c06b437064 s3:libsmb/unexpected: don't use talloc_tos() in async code
via 5de4ae88ced s3:wscript: LIBNMB requires lp_ functions
via 39789dce2dd s3:include: split out fstring.h
via 7e076141857 s3:include: let nameserv.h be useable on its own
via dfa0b1adb87 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
via 6c86b519936 selftest: Add a python blackbox test for some misc (widelink) DFS tests
via fd58608723f s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
via c29dc6e79b0 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
via 6d3d87babdc s4:dns_server: dns_verify_tsig should return REFUSED on error
via c7188e17464 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
via 288744a74b5 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
via 7a457c6813d s4:dns_server: use the client provided algorithm for the fake TSIG structure
via cbf10a68e1c s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
via 234503e2375 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
via 662c4675666 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
via 4a7d14efe47 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
via d5c6276f534 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
via e50968ed096 python:tests/dns_base: add get_unpriv_creds() helper
via 0ee7660ffe5 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
via 4d4b39c102d python:tests/dns_base: let verify_packet() work against Windows
via 4bc0619b1e2 python:tests/dns_tkey: test bad and changing tsig algorithms
via eb18b228d1b python:tests/dns_tkey: add gss.microsoft.com tsig updates
via f984b281c5f python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
via e120078e2c3 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
via 16c21888ea4 python:tests/dns_base: maintain a dict with tkey related state
via 2741574e32f python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
via 48be174b021 python:tests/dns_base: pass tkey_trans(expected_rcode)
via a086e96f269 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
via b1222378a29 python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
via fdac589752e python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
via 606b7034f5d python:tests/dns_base: add self.assert_echoed_dns_error()
via 313ca15a845 python:tests/dns_base: let dns_transaction_tcp() handle short receives
via 1800543b0ad python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
via 1c807412b88 python:tests/dns_base: generate a real signature in bad_sign_packet()
via fecc211af0e BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs
via 6875787d129 VERSION: Bump version up to Samba 4.19.8...
from bce5c475d12 VERSION: Disable GIT_SNAPSHOT for the 4.19.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 78 +++--
VERSION | 2 +-
WHATSNEW.txt | 104 +++++-
auth/credentials/credentials.c | 5 +
auth/credentials/credentials.h | 1 +
auth/credentials/credentials_secrets.c | 31 +-
auth/credentials/tests/test_creds.c | 37 +-
bootstrap/.gitlab-ci.yml | 6 +-
bootstrap/config.py | 3 +
bootstrap/generated-dists/centos8s/bootstrap.sh | 3 +
bootstrap/sha1sum.txt | 2 +-
buildtools/wafsamba/samba_abi.py | 6 +-
buildtools/wafsamba/samba_third_party.py | 4 +-
buildtools/wafsamba/samba_version.py | 5 +
ctdb/common/ctdb_io.c | 17 +-
ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml | 4 +-
ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c | 50 ++-
docs-xml/xslt/man.xsl | 3 +
lib/cmdline/cmdline.c | 217 ++++++++++--
lib/cmdline/tests/test_cmdline.c | 54 ++-
...pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} | 0
libcli/nbt/libnbt.h | 3 +
libcli/nbt/nbtsocket.c | 44 +++
libcli/security/sddl.c | 5 +
python/samba/tests/blackbox/misc_dfs_widelink.py | 86 +++++
python/samba/tests/dns_base.py | 213 ++++++++----
python/samba/tests/dns_tkey.py | 325 ++++++++++++++++--
python/samba/tests/join.py | 2 +-
python/samba/tests/krb5/kdc_base_test.py | 28 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 117 +++++++
python/samba/tests/krb5/lockout_tests.py | 210 ++++++++++-
python/samba/tests/krb5/pkinit_tests.py | 15 +-
python/samba/tests/krb5/raw_testcase.py | 57 ++-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
python/samba/tests/samba_tool/help.py | 9 +
python/samba/tests/sddl.py | 10 +-
script/autobuild.py | 14 +-
selftest/knownfail_mit_kdc | 237 +------------
selftest/knownfail_mit_kdc_1_21 | 363 ++++++++++++++++++++
selftest/knownfail_mit_kdc_pre_1_20 | 19 -
selftest/knownfail_mit_kdc_pre_1_21 | 236 +++++++++++++
selftest/target/Samba.pm | 2 +
selftest/target/Samba4.pm | 2 +
selftest/tests.py | 3 +
selftest/wscript | 5 +
lib/util/unix_match.h => source3/include/fstring.h | 14 +-
source3/include/includes.h | 5 +-
source3/include/nameserv.h | 380 ++------------------
source3/include/smb.h | 26 +-
source3/libsmb/clidgram.c | 6 +-
source3/libsmb/dsgetdcname.c | 5 +
source3/libsmb/namequery.c | 7 +-
source3/libsmb/nmblib.c | 6 +
source3/libsmb/nmblib.h | 2 +
source3/libsmb/unexpected.c | 18 +-
source3/libsmb/unexpected.h | 2 +
source3/modules/vfs_default.c | 6 +
source3/nmbd/nmbd.h | 382 +++++++++++++++++++++
source3/nmbd/nmbd_packets.c | 1 +
source3/smbd/files.c | 18 +
source3/utils/ntlm_auth.c | 6 +-
source3/wscript_build | 1 +
source4/dns_server/dns_crypto.c | 49 ++-
source4/dns_server/dns_query.c | 27 +-
source4/dns_server/dns_update.c | 11 +
source4/dns_server/dnsserver_common.c | 2 +
source4/dsdb/samdb/ldb_modules/operational.c | 4 +-
source4/libcli/dgram/dgramsocket.c | 40 ++-
source4/libcli/dgram/libdgram.h | 3 +
source4/nbt_server/dgram/request.c | 56 ++-
source4/nbt_server/interfaces.c | 29 ++
source4/nbt_server/nbt_server.c | 143 ++++++++
source4/nbt_server/nbt_server.h | 2 +
source4/nbt_server/wscript_build | 2 +-
source4/selftest/tests.py | 21 +-
source4/torture/smb2/ioctl.c | 64 ++++
testprogs/blackbox/test_ldap_token.sh | 115 +++++++
testprogs/blackbox/test_trust_token.sh | 5 +-
third_party/heimdal/kdc/fast.c | 13 +-
third_party/heimdal/lib/krb5/fast.c | 12 +-
third_party/heimdal/lib/krb5/mcache.c | 2 +-
third_party/socket_wrapper/socket_wrapper.c | 45 ++-
third_party/socket_wrapper/wscript | 3 +-
third_party/uid_wrapper/uid_wrapper.c | 58 +++-
third_party/uid_wrapper/wscript | 4 +-
wscript | 10 +
wscript_configure_system_mitkrb5 | 4 +-
87 files changed, 3341 insertions(+), 906 deletions(-)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} (100%)
create mode 100644 python/samba/tests/blackbox/misc_dfs_widelink.py
create mode 100644 selftest/knownfail_mit_kdc_1_21
create mode 100644 selftest/knownfail_mit_kdc_pre_1_21
copy lib/util/unix_match.h => source3/include/fstring.h (76%)
create mode 100755 testprogs/blackbox/test_ldap_token.sh
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 4e4addf5d1a..f7dfe890032 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: 190a74ee9628f298961d890ba37fcc7d213daae2
+ SAMBA_CI_CONTAINER_TAG: bbc2e41b217a3318c654a45b79d4b5a5af4abeb3
#
# We use the ubuntu2204 image as default as
# it matches what we have on atb-devel-224
@@ -146,7 +146,7 @@ include:
- ccache -z -M 500M
- ccache -s
# We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
- - git config --global --add safe.directory `pwd`
+ - git config --global --add safe.directory '*'
after_script:
- mount
- df -h
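Review bot: The wildcard in `git config --global --add safe.directory '*'` turns off git's repository ownership check for every path the job user touches, not only the checkout that the old `pwd` value covered. If the aim is to cover a few additional known directories, listing them explicitly (as the bootstrap job in this push does with /src/.git) keeps the check active elsewhere. Otherwise the comment above the line should say why the wildcard is needed.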
@@ -415,41 +415,77 @@ samba-shellcheck:
# settings -> CI/CD -> Environment variables
- if: $SUPPORT_PRIVATE_TEST == "yes"
-.needs_samba-def-build-private:
+.needs_ext4_support:
+ # All runners provide an ext4 filesystem
+ #
+ # Note: we don't use
+ # extends: .shared_template_test_only
+ # as that somehow resets the needs section
+ # and generates problems for something
+ # like this (which is used below)
+ #
+ # .needs_samba-SOME-build-ext4:
+ # extends:
+ # - .needs_samba-SOME-build
+ # - .needs_ext4_support
+ #
+ # So we only set stage again instead...
+ stage: test_only
+
+.needs_5_15_kernel:
+ # Our private runners are based on
+ # ubuntu2204 with a 5.15 kernel.
+ #
+ # And they also provide an ext4 filesystem
+ extends: .private_test_only
+
+.needs_samba-def-build-ext4:
extends:
- .needs_samba-def-build
- - .private_test_only
+ - .needs_ext4_support
-.needs_samba-mit-build-private:
+.needs_samba-mit-build-ext4:
extends:
- .needs_samba-mit-build
- - .private_test_only
+ - .needs_ext4_support
-.needs_samba-h5l-build-private:
+.needs_samba-h5l-build-ext4:
extends:
- .needs_samba-h5l-build
- - .private_test_only
+ - .needs_ext4_support
-.needs_samba-without-smb1-build-private:
+.needs_samba-without-smb1-build-5_15:
+ # Currently this doesn't strictly
+ # require a kernel >= 5.15, but only
+ # ext4 support.
+ #
+ # But we want to make sure that
+ # our private runners keep working
+ # and at least do a single job.
+ #
+ # In future we'll be able to run
+ # tests with io_uring in this
+ # setup, which will requires a
+ # 5.15 kernel in order to be useful.
extends:
- .needs_samba-without-smb1-build
- - .private_test_only
+ - .needs_5_15_kernel
-.needs_samba-nt4-build-private:
+.needs_samba-nt4-build-ext4:
extends:
- .needs_samba-nt4-build
- - .private_test_only
+ - .needs_ext4_support
-.needs_samba-no-opath-build-private:
+.needs_samba-no-opath-build-ext4:
extends:
- .needs_samba-no-opath-build
- - .private_test_only
+ - .needs_ext4_support
samba-fileserver:
- extends: .needs_samba-h5l-build-private
+ extends: .needs_samba-h5l-build-ext4
samba-fileserver-without-smb1:
- extends: .needs_samba-without-smb1-build-private
+ extends: .needs_samba-without-smb1-build-5_15
# This is a full build without the AD DC so we test the build with MIT
# Kerberos from the default system (Ubuntu 22.04 at this stage).
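Review bot: `.needs_ext4_support` only sets `stage: test_only`, so its opening comment "All runners provide an ext4 filesystem" is an assumption that nothing in the job definition enforces. Consider saying in that comment how the assumption is checked, and replace "somehow resets the needs section" with the actual cause if it is known. Minor: "which will requires" in the `.needs_samba-without-smb1-build-5_15` comment should read "which will require".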
@@ -459,19 +495,19 @@ samba-ktest-mit:
extends: .shared_template
samba-ad-dc-1:
- extends: .needs_samba-def-build-private
+ extends: .needs_samba-def-build-ext4
samba-nt4:
- extends: .needs_samba-nt4-build-private
+ extends: .needs_samba-nt4-build-ext4
samba-addc-mit-1:
- extends: .needs_samba-mit-build-private
+ extends: .needs_samba-mit-build-ext4
samba-no-opath1:
- extends: .needs_samba-no-opath-build-private
+ extends: .needs_samba-no-opath-build-ext4
samba-no-opath2:
- extends: .needs_samba-no-opath-build-private
+ extends: .needs_samba-no-opath-build-ext4
# 'pages' is a special job which can publish artifacts in `public` dir to gitlab pages
pages:
diff --git a/VERSION b/VERSION
index 44318cde503..89a60174790 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fa27ad5083b..43b8cafa119 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,104 @@
+ ==============================
+ Release Notes for Samba 4.19.8
+ August 15, 2024
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.7
+--------------------
+
+o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+ * BUG 15671: Invalid client warning about command line passwords.
+ * BUG 15672: Version string is truncated in manpages.
+ * BUG 15673: --version-* options are still not ergonomic, and they reject
+ tilde characters.
+ * BUG 15674: cmdline_burn does not always burn secrets.
+ * BUG 15685: Samba doesn't parse SDDL found in defaultSecurityDescriptor in
+ AD_DS_Classes_Windows_Server_v1903.ldf.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15654: We have added new options --vendor-name and --vendor-patch-
+ revision arguments to ./configure to allow distributions and packagers to
+ put their name in the Samba version string so that when debugging Samba the
+ source of the binary is obvious.
+ * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+ Windows computer when user account need to change their own
+ password.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15676: Fix clock skew error message and memory cache clock skew
+ recovery.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 15665: CTDB RADOS mutex helper misses namespace support.
+
+o Pavel Filipenský <pfilipensky at samba.org>
+ * BUG 15660: The images don't build after the git security release and CentOS
+ 8 Stream is EOL.
+
+o Xavi Hernandez <xhernandez at redhat.com>
+ * BUG 15678: Fix unnecessary delays in CTDB while processing requests under
+ high load.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
+ * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
+ can't use nmb requests instead cldap.
+ * BUG 15660: The images don't build after the git security release and CentOS
+ 8 Stream is EOL.
+ * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
+ * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
+ machine account.
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15435: Regression DFS not working with widelinks = true.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15660: The images don't build after the git security release and CentOS
+ 8 Stream is EOL.
+ * BUG 15673: --version-* options are still not ergonomic, and they reject
+ tilde characters.
+
+o Jo Sutton <josutton at catalyst.net.nz>
+ * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+ Windows computer when user account need to change their own
+ password.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
+ Windows computer when user account need to change their own
+ password.
+
+o Jones Syue <jonessyue at qnap.com>
+ * BUG 15677: ntlm_auth make logs more consistent with length check.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.19.7
June 10, 2024
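Review bot: The BUG 15654 entry still advertises `--vendor-name` and `--vendor-patch-revision`, but this same push contains "build: --vendor-suffix instead of --vendor-patch-revision --vendor-name", so the release notes name options that the branch replaces. Suggest rewording the entry to mention `--vendor-suffix`. The option name is also split across a line break ("--vendor-patch-" / "revision"), which makes it hard to search for.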
@@ -59,8 +160,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.6
April 08, 2024
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 7a00279b8b4..30ebef8f4dc 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
return creds->kerberos_state;
}
+_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds)
+{
+ return creds->kerberos_state_obtained;
+}
+
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
{
return creds->forced_sasl_mech;
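Review bot: `cli_credentials_get_kerberos_state_obtained()` is added as a `_PUBLIC_` function with no doc comment, here or at its declaration in credentials.h. A short comment stating that it returns the `enum credentials_obtained` level at which the Kerberos state was last set would tell callers how to compare it against values such as CRED_SMB_CONF.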
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index c5ffe536e07..d3979495901 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e116f..906f3ff1a21 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos =
- CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+ enum credentials_use_kerberos use_kerberos =
+ cli_credentials_get_kerberos_state(cred);
+ enum credentials_obtained use_kerberos_obtained =
+ cli_credentials_get_kerberos_state_obtained(cred);
+ bool is_ad = false;
+
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
switch (server_role) {
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
case ROLE_IPA_DC:
- use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ is_ad = true;
break;
}
+
+ if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+ /*
+ * Keep an explicit selection
+ *
+ * For AD domains we also keep
+ * CRED_USE_KERBEROS_DESIRED
+ */
+ } else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+ /*
+ * Disable kerberos by default within
+ * an NT4 domain.
+ */
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SMB_CONF);
+ }
}
- cli_credentials_set_kerberos_state(cred,
- use_kerberos,
- CRED_SPECIFIED);
+
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
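Review bot: With the unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos, CRED_SPECIFIED)` call removed near the end of this hunk, the Kerberos state is now only adjusted inside the `strequal(domain, lpcfg_workgroup(lp_ctx))` branch. As far as the hunk shows, a non-matching domain used to be forced to CRED_USE_KERBEROS_DISABLED and is now left untouched; if that is intended it deserves a sentence in a comment or the commit message. The first `if` arm has an empty body holding only a comment. Inverting the test to `use_kerberos == CRED_USE_KERBEROS_DESIRED && !is_ad && use_kerberos_obtained <= CRED_SMB_CONF` would leave a single branch, and a note that the `<=` comparison relies on the ordering of enum credentials_obtained would help the next reader.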
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 2cb2e6d0e34..e79f08982ad 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state)
TALLOC_CTX *mem_ctx = *state;
struct cli_credentials *creds = NULL;
struct loadparm_context *lp_ctx = NULL;
+ enum credentials_obtained kerberos_state_obtained;
+ enum credentials_use_kerberos kerberos_state;
bool ok;
lp_ctx = loadparm_init_global(true);
@@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state)
creds = cli_credentials_init(mem_ctx);
assert_non_null(creds);
- assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_set_conf(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_guess(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE);
assert_non_null(creds->ccache);
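Review bot: The four-line sequence (fetch `kerberos_state_obtained`, fetch `kerberos_state`, then two `assert_int_equal` calls) is repeated after every step of torture_creds_krb5_state(); a small static helper or macro taking the two expected values would keep the test readable. The trailing context lines still read `creds->ccache_obtained` and `creds->ccache` directly, so the test stays tied to the struct layout despite the switch to getters.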
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state)
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
ok = cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SMB_CONF);
assert_false(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
}
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 71c68d9ee14..c68b173f24d 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -6,9 +6,7 @@
# We need to make sure we only use gitlab.com
# runners and not our own runners, as our current runners
# don't allow 'docker build ...' to run.
- - docker
- - gce
- - shared
+ - saas-linux-small-amd64
variables:
SAMBA_CI_IS_BROKEN_IMAGE: "no"
SAMBA_CI_TEST_JOB: "samba-o3"
@@ -47,7 +45,7 @@
diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
# run smoke test with samba-o3 or samba-fuzz
podman run --volume $(pwd):/src:ro ${ci_image_name} \
- /bin/bash -c "git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+ /bin/bash -c "git config --global --add safe.directory /src/.git && git clone /src samba && cd samba && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
podman tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
podman tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
# We build all images, but only upload is it's not marked as broken
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 5daf2d3ce54..aeea500aa9f 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -242,6 +242,9 @@ CENTOS8S_YUM_BOOTSTRAP = r"""
{GENERATED_MARKER}
set -xueo pipefail
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
yum update -y
yum install -y dnf-plugins-core
yum install -y epel-release
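Review bot: The second `sed` line rewrites baseurl to `http://vault.centos.org` over plain HTTP; use `https://` if the vault serves it, so the container build does not fetch repository metadata over an unauthenticated channel. A short comment above both `sed` lines saying why the mirrorlist is disabled would also help, since the template gives no reason.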
diff --git a/bootstrap/generated-dists/centos8s/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
index 6a76d40d70e..5eea6f766a1 100755
--- a/bootstrap/generated-dists/centos8s/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -7,6 +7,9 @@
set -xueo pipefail
+sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
+sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
+
yum update -y
yum install -y dnf-plugins-core
yum install -y epel-release
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 11ab035f572..669804c4545 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-190a74ee9628f298961d890ba37fcc7d213daae2
+bbc2e41b217a3318c654a45b79d4b5a5af4abeb3
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index 682f4e897b5..155559973a0 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -286,7 +286,7 @@ def abi_build_vscript(task):
f.close()
def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
- version = version.replace("-", "_").replace("+","_").upper()
+ version = re.sub(r'[^.\w]', '_', version).upper()
t = bld.SAMBA_GENERATOR(private_vscript,
rule=abi_build_vscript,
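Review bot: The replacement line calls `re.sub`, but this hunk adds no `import re`; confirm the module is already imported at the top of samba_abi.py. Also, for str patterns in Python 3 `\w` matches non-ASCII letters and digits, so a version string containing such characters would pass through unchanged into the symbol version name. Passing `flags=re.ASCII` or using an explicit `[^.A-Za-z0-9_]` class restricts the result to ASCII.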
--
Samba Shared Repository