[SCM] Samba Shared Repository - branch v4-19-stable updated

Jule Anger janger at samba.org
Mon Feb 19 10:47:06 UTC 2024


The branch, v4-19-stable has been updated
       via  7bef2f7f1c8 VERSION: Disable GIT_SNAPSHOT for the 4.19.5 release.
       via  8ffa5ab1783 WHATSNEW: Add release notes for Samba 4.19.5.
       via  60514eb6836 python:gp: Fix logging with gp
       via  d3061f5e940 gpo: Do not get templates list on first run
       via  90cf23e1cca gpo: Decode base64 root cert before importing
       via  a50016bc7ae gpo: Test certificate policy without NDES
       via  41cd6b95d49 python: Fix invalid escape sequences
       via  84020efb1fe smbd: use dirfsp and atname in open_directory()
       via  4477e23de60 smbd: use safe_symlink_target_path() in symlink_target_below_conn()
       via  cd4df6ae432 smbd: add a directory argument to safe_symlink_target_path()
       via  90ae1e8f625 smbd: pass symlink target path to safe_symlink_target_path()
       via  4c4f086dfdb CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner
       via  1dff1340c12 vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time
       via  445637d0f4c gp: Skip site GP list if no site is found
       via  283ff41ee92 s3:passdb: smbpasswd reset permissions only if not 0600
       via  9c43625c47e system.c: fix fake directory create times
       via  a86c1087681 time.c: fix ctime which was feeded with the mtime seconds
       via  df025598884 python:gp: Print a nice message if cepces-submit can't be found
       via  de32d94ca87 gp: Send list of keys instead of dict to remove
       via  93735e8a9b0 gp: Test disabled enrollment unapplies policy
       via  28b1fe5eac4 gp: Template changes should invalidate cache
       via  dfbe7494683 gp: Test adding new cert templates enforces changes
       via  6dba94a3ab0 gp: Convert CA certificates to base64
       via  9db01a2c729 gp: Test with binary content for certificate data
       via  0dd51b02e8f gp: Change root cert extension suffix
       via  f9975df8414 gp: Support update-ca-trust helper
       via  9ab2eb21141 gp: Support more global trust directories
       via  cfbaab5654c smbd: move access override for previous versions to the SMB layer
       via  0874d3ab3e1 smbd: check for previous versions in check_any_access_fsp()
       via  f5eb449cac8 smbd: use check_any_access_fsp() for all access checks
       via  44396d7bade smbd: replace CHECK_WRITE() macro with calls to check_any_access_fsp()
       via  bfa5f178099 smbd: set fsp->fsp_flags.can_write to false for access to previous-versions
       via  0352aae6ea1 smbd: return correct error when trying to create a hardlink to a VSS file
       via  8318428f3f8 smbd: fix check_any_access_fsp() for non-fsa fsps
       via  0f865a34f1a smbd: rename check_access_fsp() to check_any_access_fsp()
       via  9ee7991d97d smbd: set fsp_flags.is_fsa to true on printer file handles
       via  b8383780249 smbd: return the correct error in can_rename()
       via  a510fc46bcd smbtorture: expand smb2.twrp.write test
       via  bb9aea6a7e6 s4/libcli/raw: implemement RAW_SFILEINFO_LINK_INFORMATION
       via  b6c2c26e9ba selftest: remove error_inject from shadow_write share
       via  b9f60718ccd VERSION: Bump version up to Samba 4.19.5...
      from  95474d8589e VERSION: Disable GIT_SNAPSHOT for the 4.19.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                    |   2 +-
 WHATSNEW.txt                               |  66 ++++++-
 lib/util/time.c                            |   2 +-
 python/samba/gp/gp_cert_auto_enroll_ext.py |  79 +++++---
 python/samba/gp/gpclass.py                 |  30 +--
 python/samba/gp/util/logging.py            |   5 +-
 python/samba/graph.py                      |   2 +-
 python/samba/tests/bin/cepces-submit       |   3 +-
 python/samba/tests/gpo.py                  | 300 +++++++++++++++++++++++++----
 python/samba/tests/samba_tool/gpo.py       |   2 +-
 script/autobuild.py                        |   2 +-
 selftest/skip.opath-required               |   4 +
 selftest/target/Samba3.pm                  |   4 +-
 source3/include/proto.h                    |   6 +
 source3/include/smb_macros.h               |   5 -
 source3/lib/system.c                       |   1 +
 source3/modules/offload_token.c            |   7 +-
 source3/modules/vfs_acl_common.c           |   7 +-
 source3/modules/vfs_default.c              |   6 +
 source3/modules/vfs_nfs4acl_xattr.c        |   7 +-
 source3/modules/vfs_shadow_copy2.c         |  30 +--
 source3/passdb/pdb_smbpasswd.c             |  36 +++-
 source3/printing/printspoolss.c            |   1 +
 source3/smbd/dir.c                         |   5 +-
 source3/smbd/dosmode.c                     |  20 +-
 source3/smbd/file_access.c                 |  10 +-
 source3/smbd/filename.c                    |  85 ++++----
 source3/smbd/files.c                       |   3 +
 source3/smbd/notify.c                      |   5 +-
 source3/smbd/open.c                        | 120 ++++++------
 source3/smbd/proto.h                       |   4 +-
 source3/smbd/smb1_reply.c                  |  37 ++--
 source3/smbd/smb2_flush.c                  |   7 +-
 source3/smbd/smb2_getinfo.c                |   8 +-
 source3/smbd/smb2_ioctl_filesys.c          |   6 +-
 source3/smbd/smb2_nttrans.c                |  45 +++--
 source3/smbd/smb2_reply.c                  |  15 +-
 source3/smbd/smb2_trans2.c                 |  80 ++++++--
 source3/smbd/smb2_write.c                  |   6 +-
 source4/libcli/raw/rawsetfileinfo.c        |  14 ++
 source4/torture/smb2/create.c              | 245 ++++++++++++++++++++++-
 41 files changed, 997 insertions(+), 325 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index af4c5a922e2..9151d8de1ce 100644
--- a/VERSION
+++ b/VERSION
@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023"
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1f174e9be54..79abe2da103 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,66 @@
+                   ==============================
+                   Release Notes for Samba 4.19.5
+                         February 19, 2024
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.4
+--------------------
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 13688: Windows 2016 fails to restore previous version of a file from a
+     shadow_copy2 snapshot.
+   * BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before
+     that).
+
+o  Bjoern Jacke <bj at sernet.de>
+   * BUG 12421: Fake directory create times has no effect.
+
+o  Björn Jacke <bjacke at samba.org>
+   * BUG 15550: ctime mixed up with mtime by smbd.
+
+o  David Mulder <dmulder at samba.org>
+   * BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
+
+o  Gabriel Nagy <gabriel.nagy at canonical.com>
+   * BUG 15557: gpupdate: The root cert import when NDES is not available is
+     broken.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 15552: samba-gpupdate should print a useful message if cepces-submit
+     can't be found.
+   * BUG 15558: samba-gpupdate logging doesn't work.
+
+o  Jones Syue <jonessyue at qnap.com>
+   * BUG 15555: smbpasswd reset permissions only if not 0600.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.4
                           January 08, 2024
@@ -78,8 +141,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.19.3
                          November 27, 2023
diff --git a/lib/util/time.c b/lib/util/time.c
index c2a77d664d3..9393a754d73 100644
--- a/lib/util/time.c
+++ b/lib/util/time.c
@@ -1450,7 +1450,7 @@ struct timespec get_ctimespec(const struct stat *pst)
 {
 	struct timespec ret;
 
-	ret.tv_sec = pst->st_mtime;
+	ret.tv_sec = pst->st_ctime;
 	ret.tv_nsec = get_ctimensec(pst);
 	return ret;
 }
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index 312c8ddf467..df3b472f5a9 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -45,10 +45,12 @@ cert_wrap = b"""
 -----BEGIN CERTIFICATE-----
 %s
 -----END CERTIFICATE-----"""
-global_trust_dir = '/etc/pki/trust/anchors'
 endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
               '_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
 
+global_trust_dirs = ['/etc/pki/trust/anchors',           # SUSE
+                     '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
+                     '/usr/local/share/ca-certificates'] # Debian/Ubuntu
 
 def octet_string_to_objectGUID(data):
     """Convert an octet string to an objectGUID."""
@@ -156,7 +158,7 @@ def fetch_certification_authorities(ldb):
     for es in res:
         data = { 'name': get_string(es['cn'][0]),
                  'hostname': get_string(es['dNSHostName'][0]),
-                 'cACertificate': get_string(es['cACertificate'][0])
+                 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
                }
         result.append(data)
     return result
@@ -174,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
         return {'msPKI-Minimal-Key-Size': ['2048']}
 
 def format_root_cert(cert):
-    cert = base64.b64encode(cert.encode())
-    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
+    return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
 
 def find_cepces_submit():
     certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
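
Review bot: format_root_cert() now expects its argument to already be base64 text, but nothing in the function says so or checks it, so a caller that still passes raw certificate data gets a malformed PEM block with no error. A one-line docstring stating the expected input would help. While touching this line, consider passing count=0 and flags=re.DOTALL as keyword arguments, since positional count/flags in re.sub() is deprecated from Python 3.13. Note also that when the input length is an exact multiple of 64, the substitution leaves a trailing newline and cert_wrap then emits an empty line before the END marker.
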
@@ -184,17 +185,19 @@ def find_cepces_submit():
 
 def get_supported_templates(server):
     cepces_submit = find_cepces_submit()
-    if os.path.exists(cepces_submit):
-        env = os.environ
-        env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
-        p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
-                       env=env, stdout=PIPE, stderr=PIPE)
-        out, err = p.communicate()
-        if p.returncode != 0:
-            data = { 'Error': err.decode() }
-            log.error('Failed to fetch the list of supported templates.', data)
-        return out.strip().split()
-    return []
+    if not cepces_submit or not os.path.exists(cepces_submit):
+        log.error('Failed to find cepces-submit')
+        return []
+
+    env = os.environ
+    env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
+    p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+              env=env, stdout=PIPE, stderr=PIPE)
+    out, err = p.communicate()
+    if p.returncode != 0:
+        data = {'Error': err.decode()}
+        log.error('Failed to fetch the list of supported templates.', data)
+    return out.strip().split()
 
 
 def getca(ca, url, trust_dir):
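
Review bot: in get_supported_templates(), a non-zero exit from cepces-submit is logged but execution still falls through to "return out.strip().split()", so whatever the failed process wrote to stdout is returned as the template list. Returning [] right after the log.error() call would make the failure path explicit. Separately, "env = os.environ" followed by the CERTMONGER_OPERATION assignment modifies the environment of the calling process; os.environ.copy() would keep the variable scoped to the child.
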
@@ -214,10 +217,11 @@ def getca(ca, url, trust_dir):
                  ' installed or not configured.')
         if 'cACertificate' in ca:
             log.warn('Installing the server certificate only.')
+            der_certificate = base64.b64decode(ca['cACertificate'])
             try:
-                cert = load_der_x509_certificate(ca['cACertificate'])
+                cert = load_der_x509_certificate(der_certificate)
             except TypeError:
-                cert = load_der_x509_certificate(ca['cACertificate'],
+                cert = load_der_x509_certificate(der_certificate,
                                                  default_backend())
             cert_data = cert.public_bytes(Encoding.PEM)
             with open(root_cert, 'wb') as w:
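
Review bot: the new base64.b64decode(ca['cACertificate']) call in getca() sits outside the try block, and that block only catches TypeError, so a value that is not valid base64 (for example a cache entry written before this change) raises binascii.Error with no handling or log message. Suggest decoding with validate=True inside a handler that logs which CA entry was rejected and skips the import.
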
@@ -239,7 +243,8 @@ def getca(ca, url, trust_dir):
         certs = load_der_pkcs7_certificates(r.content)
         for i in range(0, len(certs)):
             cert = certs[i].public_bytes(Encoding.PEM)
-            dest = '%s.%d' % (root_cert, i)
+            filename, extension = root_cert.rsplit('.', 1)
+            dest = '%s.%d.%s' % (filename, i, extension)
             with open(dest, 'wb') as w:
                 w.write(cert)
             root_certs.append(dest)
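
Review bot: "filename, extension = root_cert.rsplit('.', 1)" raises ValueError on unpacking if root_cert contains no dot, and splits at the wrong place if only a directory component of the path contains one. os.path.splitext(root_cert) handles both cases and keeps the intent of placing the index before the suffix.
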
@@ -249,12 +254,29 @@ def getca(ca, url, trust_dir):
     return root_certs
 
 
+def find_global_trust_dir():
+    """Return the global trust dir using known paths from various Linux distros."""
+    for trust_dir in global_trust_dirs:
+        if os.path.isdir(trust_dir):
+            return trust_dir
+    return global_trust_dirs[0]
+
+def update_ca_command():
+    """Return the command to update the CA trust store."""
+    return which('update-ca-certificates') or which('update-ca-trust')
+
+def changed(new_data, old_data):
+    """Return True if any key present in both dicts has changed."""
+    return any((new_data[k] != old_data[k] if k in old_data else False) \
+            for k in new_data.keys())
+
 def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
     """Install the root certificate chain."""
     data = dict({'files': [], 'templates': []}, **ca)
     url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
     root_certs = getca(ca, url, trust_dir)
     data['files'].extend(root_certs)
+    global_trust_dir = find_global_trust_dir()
     for src in root_certs:
         # Symlink the certs to global trust dir
         dst = os.path.join(global_trust_dir, os.path.basename(src))
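
Review bot: find_global_trust_dir() returns global_trust_dirs[0] when none of the listed directories exist, so cert_enroll() goes on to build symlink destinations under a path that is known to be missing, and the docstring does not mention the fallback. Consider logging a warning in that case or returning None and skipping the symlink step. The directory and the refresh tool are also chosen independently (first existing directory, first of update-ca-certificates / update-ca-trust found), so on a host where more than one of them is present the certificates can be linked into a directory the selected tool does not read; picking them as a pair would avoid that. Minor style point: the backslash continuation inside the parentheses in changed() is unnecessary.
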
@@ -273,7 +295,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
             # already exists. Ignore the FileExistsError. Preserve the
             # existing symlink in the unapply data.
             data['files'].append(dst)
-    update = which('update-ca-certificates')
+    update = update_ca_command()
     if update is not None:
         Popen([update]).wait()
     # Setup Certificate Auto Enrollment
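
Review bot: the exit status of "Popen([update]).wait()" is discarded, so a failed trust-store refresh is silent now that the command may be either of two tools. Logging a warning when the return value is non-zero would make a root certificate that was linked but never trusted visible in the gpupdate log.
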
@@ -316,7 +338,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
 
 class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
     def __str__(self):
-        return 'Cryptography\AutoEnrollment'
+        return r'Cryptography\AutoEnrollment'
 
     def unapply(self, guid, attribute, value):
         ca_cn = base64.b64decode(attribute)
@@ -337,12 +359,13 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
         # If the policy has changed, unapply, then apply new policy
         old_val = self.cache_get_attribute_value(guid, attribute)
         old_data = json.loads(old_val) if old_val is not None else {}
-        if all([(ca[k] == old_data[k] if k in old_data else False) \
-                    for k in ca.keys()]) or \
-                self.cache_get_apply_state() == GPOSTATE.ENFORCE:
+        templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \
+            if old_val is not None else []
+        new_data = { 'templates': templates, **ca }
+        if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
             self.unapply(guid, attribute, old_val)
-        # If policy is already applied, skip application
-        if old_val is not None and \
+        # If policy is already applied and unchanged, skip application
+        if old_val is not None and not changed(new_data, old_data) and \
                 self.cache_get_apply_state() != GPOSTATE.ENFORCE:
             return
 
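
Review bot: the templates list compared here comes from get_supported_templates(), which returns [] when cepces-submit cannot be found, so a missing helper on a later run makes new_data['templates'] differ from the cached value and changed() then triggers unapply() of a policy that was working. Suggest distinguishing "lookup failed" from "CA reports no templates" (for example by returning None on failure) and skipping the comparison in the failure case. The templates expression would also read better split over several lines, and changed(new_data, old_data) could be evaluated once and reused in both conditions.
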
@@ -368,7 +391,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
 
         for gpo in changed_gpo_list:
             if gpo.file_sys_path:
-                section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+                section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
                 pol_file = 'MACHINE/Registry.pol'
                 path = os.path.join(gpo.file_sys_path, pol_file)
                 pol_conf = self.parse(path)
@@ -396,7 +419,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
                             # remove any existing policy
                             ca_attrs = \
                                 self.cache_get_all_attribute_values(gpo.name)
-                            self.clean(gpo.name, remove=ca_attrs)
+                            self.clean(gpo.name, remove=list(ca_attrs.keys()))
 
     def __read_cep_data(self, guid, ldb, end_point_information,
                         trust_dir, private_dir):
@@ -488,7 +511,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
     def rsop(self, gpo):
         output = {}
         pol_file = 'MACHINE/Registry.pol'
-        section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+        section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
         if gpo.file_sys_path:
             path = os.path.join(gpo.file_sys_path, pol_file)
             pol_conf = self.parse(path)
diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py
index 617ef79350c..babd8f90748 100644
--- a/python/samba/gp/gpclass.py
+++ b/python/samba/gp/gpclass.py
@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username):
 
     # (S)ite
     if gpo_list_machine:
-        site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
-
         try:
-            log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
-            gp_link = get_gpo_link(samdb, site_dn)
-        except ldb.LdbError as e:
-            (enum, estr) = e.args
-            log.debug(estr)
-        else:
-            add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
-                                   site_dn, gp_link,
-                                   gpo.GP_LINK_SITE,
-                                   add_only_forced_gpos, token)
+            site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
+
+            try:
+                log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
+                gp_link = get_gpo_link(samdb, site_dn)
+            except ldb.LdbError as e:
+                (enum, estr) = e.args
+                log.debug(estr)
+            else:
+                add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
+                                       site_dn, gp_link,
+                                       gpo.GP_LINK_SITE,
+                                       add_only_forced_gpos, token)
+        except ldb.LdbError:
+            # [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns
+            # ERROR_NO_SITENAME, the remainder of this message MUST be skipped
+            # and the protocol sequence MUST continue at GPO Search
+            pass
 
     # (L)ocal
     gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy",
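
Review bot: the new outer "except ldb.LdbError: pass" covers every LdbError raised by site_dn_for_machine(), not only the no-site case the [MS-GPOL] comment describes, and it records nothing. A log.debug() with the error string, as the inner handler already does with estr, would keep unrelated LDAP failures from being silently treated as "machine has no site".
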
diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py
index a74a8707d50..c3de32825db 100644
--- a/python/samba/gp/util/logging.py
+++ b/python/samba/gp/util/logging.py
@@ -24,9 +24,10 @@ import gettext
 import random
 import sys
 
-logger = logging.getLogger()
+logger = logging.getLogger("gp")
+
+
 def logger_init(name, log_level):
-    logger = logging.getLogger(name)
     logger.addHandler(logging.StreamHandler(sys.stdout))
     logger.setLevel(logging.CRITICAL)
     if log_level == 1:
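
Review bot: after this change logger_init() no longer uses its "name" parameter, since the module-level logging.getLogger("gp") is configured regardless of what the caller passes. Either drop the parameter (and update callers) or document that it is ignored. Also worth noting that each call adds another StreamHandler to the same logger, so calling logger_init() twice in one process would duplicate every message.
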
diff --git a/python/samba/graph.py b/python/samba/graph.py
index 537dc661fb3..4c4a07f47ae 100644
--- a/python/samba/graph.py
+++ b/python/samba/graph.py
@@ -192,7 +192,7 @@ def compile_graph_key(key_items, nodes_above=None, elisions=None,
                 short = short[1:]
                 long = long[1:]
             elision_str += ('\nelision%d[shape=plaintext; style=solid; '
-                            'label="\“%s”  means  “%s”\\r"]\n'
+                            'label="\\“%s”  means  “%s”\\r"]\n'
                             % ((i, short, long)))
 
     above_lines = []
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 668682a9f58..de63164692b 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
@@ -14,4 +14,5 @@ if __name__ == "__main__":
     assert opts.auth == 'Kerberos'
     if 'CERTMONGER_OPERATION' in os.environ and \
        os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
-        print('Machine') # Report a Machine template
+        templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',')
+        print('\n'.join(templates)) # Report the requested templates
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index e4b75cc62a4..a6a33ea4ba1 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -102,17 +102,21 @@ def dummy_certificate():
 
 # Dummy requests structure for Certificate Auto Enrollment
 class dummy_requests(object):
-    @staticmethod
-    def get(url=None, params=None):
+    class exceptions(object):
+        ConnectionError = Exception
+
+    def __init__(self, want_exception=False):
+        self.want_exception = want_exception
+
+    def get(self, url=None, params=None):
+        if self.want_exception:
+            raise self.exceptions.ConnectionError
+
         dummy = requests.Response()
         dummy._content = dummy_certificate()
         dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'}
         return dummy
 
-    class exceptions(object):
-        ConnectionError = Exception
-cae.requests = dummy_requests
-
 realm = os.environ.get('REALM')
 policies = realm + '/POLICIES'
 realm = realm.lower()
@@ -123,7 +127,7 @@ dspath = 'CN=Policies,CN=System,' + base_dn
 gpt_data = '[General]\nVersion=%d'
 
 gnome_test_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="26" signature="PReg" version="1">
     <Entry type="4" type_name="REG_DWORD">
@@ -260,7 +264,7 @@ b"""
 """
 
 auto_enroll_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="3" signature="PReg" version="1">
         <Entry type="4" type_name="REG_DWORD">
@@ -281,8 +285,30 @@ b"""
 </PolFile>
 """
 
+auto_enroll_unchecked_reg_pol = \
+br"""
+<?xml version="1.0" encoding="utf-8"?>
+<PolFile num_entries="3" signature="PReg" version="1">
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>AEPolicy</ValueName>
+                <Value>0</Value>
+        </Entry>
+        <Entry type="4" type_name="REG_DWORD">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationPercent</ValueName>
+                <Value>10</Value>
+        </Entry>
+        <Entry type="1" type_name="REG_SZ">
+                <Key>Software\Policies\Microsoft\Cryptography\AutoEnrollment</Key>
+                <ValueName>OfflineExpirationStoreNames</ValueName>
+                <Value>MY</Value>
+        </Entry>
+</PolFile>
+"""
+
 advanced_enroll_reg_pol = \
-b"""
+br"""
 <?xml version="1.0" encoding="utf-8"?>
 <PolFile num_entries="30" signature="PReg" version="1">
     <Entry type="1" type_name="REG_SZ">
@@ -316,122 +342,122 @@ b"""
         <Value>0</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>URL</ValueName>
         <Value>LDAP:</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>PolicyID</ValueName>
         <Value>%s</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>FriendlyName</ValueName>
         <Value>Example</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>Flags</ValueName>
         <Value>16</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>AuthFlags</ValueName>
         <Value>2</Value>
     </Entry>
     <Entry type="4" type_name="REG_DWORD">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
         <ValueName>Cost</ValueName>
         <Value>2147483645</Value>
     </Entry>
     <Entry type="1" type_name="REG_SZ">
-        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+        <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>


-- 
Samba Shared Repository


