[SCM] Samba Shared Repository - annotated tag talloc-2.4.2 created

Jule Anger janger at samba.org
Mon Jan 29 16:18:30 UTC 2024


The annotated tag, talloc-2.4.2 has been created
        at  a5a070980d6ae59f73b31fdd7c634f04252088b6 (tag)
   tagging  f28966c1638806a5af1fa4e451b668af638491ce (commit)
  replaces  tevent-0.16.0
 tagged by  Jule Anger
        on  Mon Jan 29 17:18:17 2024 +0100

- Log -----------------------------------------------------------------
talloc: tag release talloc-2.4.2

Andreas Schneider (88):
      s4:torture: Increase multichannel timeout
      s3:utils: Call gfree_all() before exit in net
      s3:utils: Call gfree_all() before exit in ntlm_auth
      s3:utils: Call gfree_all() before exit in pdbedit
      s3:utils: Call gfree_all() before exit in regedit
      s3:utils: Call gfree_all() before exit in sharesec
      s3:utils: Call gfree_all() before exit in smbcacls
      s3:utils: Call gfree_all() before exit in smbcontrol
      s3:utils: Call gfree_all() before exit in smbcquotas
      s3:utils: Remove trailing white spaces in smbfilter.c
      s3:utils: Call gfree_all() before exit in smbfilter
      s3:utils: Call gfree_all() before exit in smbget
      s3:utils: Remove trailing white spaces in smbpasswd.c
      s3:utils: Call gfree_all before exit in smbpasswd
      s3:utils: Call gfree_all() before exit in smbtree
      s3:client: Call gfree_all() before exit in smbclient
      s3:client: Call gfree_all() before exit in smbspool
      s3:param: Use a talloc stackframe in pyparam
      s3:param: Use the memory context we just created instead of tos
      s3:param: Make init_globals() public
      lib:param: Set a memory context for the globals if not initialized yet
      s3:utils: Initialize row variable in wspsearch
      lib:util: Add boolean return type for memcache_add()
      lib:util: Add boolean return type for memcache_add_talloc()
      s3:passdb: Do not leak memory if memcache add fails
      lib:util: Add a gfree_memcache()
      s3:util: Add gfree_memcache() to gfree_all()
      s3:utils: Initialize the memcache for smbpasswd
      lib:replace: Add python.h
      Use python.h from libreplace
      third_party: Build pypamtest with -Wno-error=declaration-after-statement
      python:tests: Fix assertEquals which doesn't exist in Python 3.12
      python:tests: SHA1 is no longer supported by cryptography module
      gitlab-ci: Update Fedora to version 39
      s4:rpc_server: Remove trailing white spaces from lsa_init.c
      s4:torture: Adapt LSA tests for newer Windows versions
      s4:rpc_server: Implement dcesrv_lsa_OpenPolicy3()
      s3:rpc_server: Implement _lsa_OpenPolicy3()
      s4:torture: Implement lsa_OpenPolicy3 tests
      s3:rpc_client: Implement dcerpc_lsa_open_policy3()
      s3:rpc_client: Implement dcerpc_lsa_open_policy_fallback()
      s3:rpc_server: Use dcerpc_lsa_open_policy_fallback() for netlogon
      s3:utils: Use dcerpc_lsa_open_policy_fallback() in net_rpc_trust.c
      s3:libnetapi: Use dcerpc_lsa_open_policy_fallback() in localgroup.c
      s3:rpcclient: Remove trailing white spaces from cmd_lsarpc.c
      s3:rpcclient: Use dcerpc_lsa_open_policy_fallback() in cmd_lsarpc.c
      s3:utils: Use dcerpc_lsa_open_policy_fallback() in net_rpc.c
      s3:utils: Use dcerpc_lsa_open_policy_fallback() in net_rpc_rights.c
      s3:utils: Use goto to close the policy in rpc_rights_grant_internal()
      s3:utils: Use any_nt_status_not_ok() in rpc_rights_grant_internal()
      s3:winbind: Use dcerpc_lsa_open_policy_fallback() in winbindd_cm.c
      s3:winbind: Always close the policy handle we opened
      s3:rpc_client: Remove unused rpccli_lsa_open_policy2()
      third_party: Update waf to version 2.0.26
      lib:crypto: Use bytearray macros
      selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group
      s3:auth: Remove trailing white spaces from auth_util.c
      s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
      s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file
      s3:utils: Fix setting the debug level
      s3:tests: Fix authentication with smbget_user in smbget tests
      selftest: Remove trailing tabs/white spaces in Samba4.pm
      selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
      s3:tests: Pass down a normal domain user for test_smbget.sh
      s3:tests: Fix test_kerberos in smbget tests
      s3:tests: Fix the test_kerberos_trust in smbget testsuite
      s3:tests: Remove the non-working test_kerberos_upn_denied of smbget
      s3:tests: Fix smbget test
      auth:creds:tests: Add test for password callback
      auth:creds: Fix cli_credentials_get_password_and_obtained() with callback
      auth:creds: Add cli_credentials_get_domain_and_obtained()
      s3:tests: Add interactive smbget test for password entry
      s3:utils: Fix auth callback with smburl
      s3:utils: Handle the domain before username and password
      s3:utils: Fix the auth function to print correct values to the user
      s3:rpc_server: Mark _lsa_CreateTrustedDomain as NOT_IMPLMENTED
      s3:rpc_server: Mark _lsa_CreateTrustedDomainEx as NOT_IMPLMENTED
      python:gp: Print a nice message if cepces-submit can't be found
      docs: Update idmap_ad.8 that rfc2307 is the default
      s3:passdb: Do not leak memory in pdb_tdb
      s3:libads: Fix memory leaks in ads_create_machine_acct()
      s3:passdb: Fix memory leak caused by recursion of get_global_sam_sid()
      python:gp: Avoid path check for cepces-submit
      python:gp: Improve logging for certificate enrollment
      python:gp: Do not print an error, if CA already exists
      python:gp: Do not print an error if template already exists
      python:gp: Log an error if update fails
      python:gp: Improve working of log messages to avoid confusion

Andrew Bartlett (36):
      codespell: Ignore .git
      librpc/ndr: Remove confusing case where returned string pointer "as" could be NULL
      librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL
      libcli/security: conditional aces: don't allow U+0000 in unicode
      s4-scripting/devel: Fix repl_cleartext_pwd to use built-in RC4
      s4-scripting/devel: Fix str() vs bytes() issue in repl_cleartext_pwd.py
      s4-scripting: Remove repl_cleartext_pwd.py
      docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs
      samba-tool: Improve help messages for "samba-tool domain auth policy"
      third_party/heimdal: Provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags() (import lorikeet-heimdal-202311290114 (commit 4c8517e161396330c76240bf09609a0dd5f9ea20))
      build: Add build time detection for the MIT FAST ccache API
      auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST
      auth/credentials: Add Python bindings for association of a connection for FAST
      python/tests: Import samba.gensec, not gensec
      python/tests: Lock in key-word arguments as key-word only in samba.tests.gssapi
      python/tests: Add test for creds.set_krb5_fast_credentials()
      s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials
      selftest: Run samba.tests.gensec in an enviroment build also with MIT Krb5
      python: Use constants from hresult.h for python constants
      python: Correct Python2 super() calls that called the wrong class
      python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py
      python/samba/tests: Fix incorrect super-class in cred_opt.py setUp()
      third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07)
      pycredentials: Properly check type in creds.set_nt_hash() and samr.encrypt_samr_password()
      selftest: Avoid assertTrue() and assertFalse() where a better test exists
      samba-tool: Prepare to allow samba-tool user getpasswords to operate against a remote server
      samba-tool user getpassword: Use UTF16_MUNGED charcnv to map "UTF16" to UTF8
      samba-tool: Add support for getting the generated unicodePwd for a gMSA account
      selftest: Modify expected output of 'samba-tool user getpassword' to be more consistant
      samba-tool user getpassword: Prepare to support a ;previous=1 option, change behaviour for ;rounds=
      samba-tool: Make samba-tool user getpassword support a ';previous=1' option
      WHATSNEW: Add entry for "samba-tool user getpassword" changes
      python/netcmd: Add "samba-tool user get-kerberos-ticket" to get a ticket for a gMSA
      python/netcmd: Improve documentation for "samba-tool user getpassword"
      selftest: Add tests for "samba-tool user get-kerberos-ticket"
      WHATSNEW: Add entry for "samba-tool user get-kerberos-ticket"

Anoop C S (13):
      vfs_ceph: Add path based fallback mechanism for SMB_VFS_CHOWN
      vfs_ceph: Fix a comment in cephwrap_fchmod()
      vfs_ceph: Fix the comment quoting module usage
      vfs_ceph: Replace libceph with libcephfs in comments
      docs-xml: Fix a usage for case sensitive parameter
      vfs_ceph: Fix some uninitialized structs and pointers
      source3/lib: Properly log the change in capability
      Revert "vfs_acl_xattr.c: prefer capabilities over become_root"
      vfs_ceph: Fix a usage in comments
      vfs_ceph: Indicate a successful connection in logs
      source3/wscript: Announce deprecation of old Ceph version support
      vfs_ceph: Implement SMB_VFS_FSTATAT
      vfs_ceph: Use ceph_fdopendir() when available for SMB_VFS_FDOPENDIR

Bjoern Jacke (1):
      system.c: fix fake directory create times

Björn Jacke (50):
      system.c: fall back to become_root if CAP_DAC_OVERRIDE isn't usable
      dosmode.c: prefer use of capabilities at two places over become_root
      token_util.c: prefer capabilities over become_root
      nfs4_acls.c: prefer capabilities over become_root
      vfs_acl_common.c: prefer capabilities over become_root
      vfs_acl_xattr.c: prefer capabilities over become_root
      vfs_default.c: prefer capabilities over become_root
      vfs_posix_eadb.c: prefer capabilities over become_root
      vfs_recycle.c: prefer capabilities over become_root
      open.c: prefer capabilities over become_root
      posix_acls.c: prefer capabilities over become_root
      lib/util: move copyright define to copyright.h
      debug.h: introduce DEBUG_STARTUP_NOTICE
      logging: use DBG_STARTUP_NOTICE for startup message
      README.Coding.md: add DBG_STARTUP_NOTICE macro
      lib/util/become_daemon.c: use DBG_STARTUP_NOTICE
      source3/nmbd/nmbd.c: use DBG_STARTUP_NOTICE
      profile: issues info message with lower log level
      s4/server.c: move some log messages from ERR to NOTICE
      libgpo: fix wrong lineending in admx files
      dosmode: prefer capabilities over become_root
      doc-xml: fix name of vfs_linux_xfs man page
      docs-xml: use XML_CATALOG_FILES env var if defined
      winbind_nss_netbsd: fix missing semicolon
      s4/ldap_backend: fix a NULL dereference
      s4/ldap_backend: change a printf %d to %u for results
      s4/ldap_backend: encode: use modern DBG_ macro
      s4/ldap_backend: unwilling: use modern DBG_ macro
      s4/ldap_backend: SearchRequest: use modern DBG_ macro
      s4/ldap_backend: modifyrequest: use modern DBG_ macro
      s4/ldap_backend: addrequest: use modern DBG macros
      s4/ldap_backend: delrequest: use modern DBG macros
      s4/ldap_backend: modifydnrequest: use modern DBG macros
      s4/ldap_backend: CompareRequest: use modern DBG macros
      s4/ldap_backend: abandonrequest: use modern DBG macros
      s4/ldap_backend: do_call: use modern DBG macros
      set_process_capability: log which capability was set or failed to be set
      vfs_worm: add connect function to cache parameters
      selftest: let list_servers.NT1 really use NT1 protocol
      test_smbget.sh: reduce sleep time
      time.c: fix ctime which was feeded with the mtime seconds
      tests: add a test for vfs_recycle
      vfs_recycle: add connect function to cache parameters
      vfs_worm: factor out readonly check
      vfs_worm: move write_access_flags to global
      vfs_worm: add some more vfs functions that worm needs to take care of
      vfs_worm: add my copyright
      vfs_worm: add FILE_WRITE_EA to write access mask
      tests: add test for vfs_worm
      tests: add a test for "fake directory create times"

Christof Schmitt (17):
      build: Add 'make printversion' to provide version string
      vfs_gpfs: Use O_PATH for opening dirfd for stat with CAP_DAC_OVERRIDE
      vfs_gpfs: Move fstatat with DAC_CAP_OVERRIDE to helper function
      vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstat
      vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat
      nfs4_acls: Implement fstat with DAC_CAP_OVERRIDE
      vfs_gpfs: Move fstatat_with_cap_dac_override to nfs4_acls.c
      vfs_gpfs: Move stat_with_capability to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_stat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_fstat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_lstat to nfs4_acls.c and rename function
      vfs_gpfs: Move vfs_gpfs_fstatat to nfs4_acls.c and rename function
      nfs4_acls: Make fstatat_with_cap_dac_override static
      nfs4_acls: Make stat_with_cap_dac_override static
      nfs4_acls: Make fstat_with_cap_dac_override static
      vfs_aixacl2: Call stat DAC_CAP_OVERRIDE functions
      vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions

David Mulder (3):
      gpupdate: Test Drive Maps Client Side Extension
      gpdupate: Implement Drive Maps Client Side Extension
      gp: Skip site GP list if no site is found

Douglas Bagnall (121):
      lib/util/charset: @param typos
      util/charset: disambiguate docs for convert_string twins
      idl/spoolss: fix spelling of UTF16 charset
      librpc/ndr_basic: attempt only IPv4 addresses in push_ipv4
      s4/dsdb: try not to leak on access check failure
      s4:dns_server: loudly warn when a tombstone record has other records
      docs/manpages: fix links to mod_ntlm_winbind and squid
      s4/torture/gentest: remove redundant op entry
      util/convert string: remove inaccurate misspelt comment
      s4/torture/gentest: explain seemingly redundant initialisation
      util/charset/torture: test convert_string_talloc with emptyish strings
      libutil/iconv: don't allow wtf-8 surrogate pairs
      libutil/iconv: avoid overflow in surrogate pairs
      libcli/security: SDDL accepts lowercase "s-" in SIDs
      libcli/security: sddl: check a talloc_zero
      libcli/security: sddl_conditional_ace: ensure message is talloced
      libcli/security: add sddl_decode_err_msg()
      libcli/security: sddl_decode_ace/acl pass through messages
      libcli/security: sddl: remove unreachable debug
      libcli/security: sddl: guard against inconsistent msg pointers
      libcli/security: conditional ace err messages don't hardcode offset
      lib/ldb: py LDBError avoids leak and checks for alloc failure
      lib/ldb: pyldb search iterator avoids exception leak
      ndr/py_security: mod patch reports errors
      s4/librpc/py_security: add SDDLValueError
      pytest: sid_strings: handle SDDLValueError
      pytest:security_descriptors: handle SDDLValueError
      pytest:sddl: handle SDDLValueError
      s4/librpc/py_security: use SDDLValueError for better error messages
      pytest:sddl: assert SDDLValueError values make sense
      samba-tool: try to present diagnostics for SDDL errors.
      pytest: samba_tool domain auth policy fix for SDDL err msg
      pytest:samba-tool domain test policy: test SDDL diagnostics
      pytests: sid_strings: do not fail if epoch ending has zeros
      libcli/security:sddl_decode_err_msg(): don't pretend msg is optional (CID1548624)
      pytest:samba-tool domain auth policy: expect error message detail
      libcli/security:sddl_decode_ace: turn DBG_WARNINGs into messages
      libcli/security: adjust log verbosity in sddl_decode
      libcli/security:sddl_decode_ace: add more messages
      libcl/security:sddl_decode_acl: add a message
      libcli/security:sddl_decode_ace: fix ';' count message
      libcl/security:sddl_decode_acl: expand a comment
      libcli/security:sddl_parse: add some top level error messages
      libcli/security/test_sddl_conditional_ace: add message tests
      libcli/security:sddl_decode message offset safety latch
      pytest: security_descriptors tests get enumerator in name
      libcli/security: initialise conditional ACE token flags
      libcli/security:sddl_condtional_ace: log compiler errors at some debug levels
      libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
      libcli/security: un-invert parse_resource_attr_list, check type first
      libcli/security: sddl_conditional_ace: add parse_uint for RA aces
      libcli/security: sddl_conditional_ace: add parse_bool for RA aces
      libcli/security: sddl_conditional_ace: remove check_resource_attr_type()
      libcli/security: add a parser for resource attribute ACE byte strings
      libcli/security/sddl: write RA octet strings the Windows way
      libcli/security: parse resource attribute ace SIDs separately
      libcli/security: conditional ACE sid parser no longer expects RA ACEs
      libcli/security: improve error messages in RA ACE SDDL
      libcli/security:sddl: remove vestiges of shared conditional/resource ACE SID parsing
      libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs
      libcli/security/tests: gunzip the oversized-acls test vectors
      libcli/security: avoid leak when converting SID claims
      libcli/security: remove redundant claim SID size check
      librpc/idl:conditional_ace: make a flags field 32 bit
      librpc/idl:condtional_ace: shift CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR to last bit
      librpc/idl:security: add a couple of claims flags
      librpc/idl:security: add claims flag indicating orderly and unique members
      libcli/security: test_run_conditional_ace can set debug levels
      libcli/security: test_run_conditional_ace tests more comparisons
      libcli/security: add test_claims_conversion
      libcli/security: CA: tokens_are_comparable() considers the obvious
      lib/security:CA: tokens_are_comparable() accepts NULL operator
      libcli/security: conditional ACE sddl writers take const tokens
      libcli/security: sddl_conditional_ace: check a talloc_new()
      pytest: token_factory separate out list_to_claim() helper
      pytest: token_factory claims can have case_sensitive flag
      pytest: token_factory copes with empty claims
      pytest: token_factory note that a flag is not set
      pytest: conditional_ace_claims: write_c_test_on_failure() copes with claims
      libcli/security/sddl: improve some SDDL error messages
      pytest: conditional_ace_claims tests large composite comparisons
      libcli/security: simplify wire claim conversion mem, 1/3: avoid NULL parent
      libcli/security: simplify wire claim conversion mem, 2/3: one tree
      libcli/security: simplify wire claim conversion mem, 3/3: rm tmp_ctx
      libcli/security: int wire claims drop uniqueness check
      libcli/security: wire claims conversion: remove strings uniqueness check
      libcli/security: don't allow two NULL string claims
      libcli/security: begin claim_v1_check_and_sort with Boolean checks
      libcli/security: claim_v1_check_and_sort(): add all types
      libcli/security: wire claim conversion uses claim_v1_check_and_sort()
      libcli/security: resource attribute claims use claim_v1_check_and_sort()
      libcli/security: add_claim_to_token() re-sorts/checks claims
      libcli/security: claim_v1_to_ace_token(): avoid unnecessary re-sort
      libcli/security: avoid leak on SDDL encode failure
      libcli/security: separate out claim_v1_to_ace_composite_unchecked()
      libcli/security: improve conditional ACE composite comparison
      libcli/security: add shortcuts for conditional ACE compare
      libcli/security: shift comparability check to shortcut exits
      libcli/security: comparability check: claim members are of one type
      libcli/security: note suboptimality of conditional ACE Contains operators
      selftest: add an expectedfail directory
      selftest/knownfail.d: README memntions expectedfail.d
      selftest/knownfail.d: remove empty files
      selftest/knownfail.d: move labdc to expectedfail.d
      selftest/knownfail.d: move samba-4.5-emulation to expectedfail.d
      selftest/knownfail.d: move ntlmv1-restrictions to expectedfail.d
      selftest/knownfail.d: move encrypted_secrets to expectedfail.d
      selftest/knownfail: move some parts to expectedfail.d/ntlm-auth
      selftest/knownfail: move more parts to expectedfail.d/ntlm-auth
      libcli/security: SDDL decode stops earlier with too many ACEs
      libcli/security: don't allow conditional ACE SIDs to have trailing bytes
      libcli/security: clarify tests for SDDL round trips
      libcli/security: fix tests for SDDL conditional ACE round-trip
      libcli/security: tests for conditional ACE integer base persistence
      libcli/security: allow round-trip for conditional ACE octal integers
      libcli/security: allow round-trip for conditional ACE hex integers
      libcli/security: allow SDDL conditional ACE round-trip for -00 and -0x0
      libcli/security: tests for signed zeros in sddl condtional ACEs
      libcli/security: rearrange conditional ACE sddl_write_int
      libcli/security: sddl conditional ACE: write -0 when asked
      fuzz: allow max size conditional ACE round-trip failure

Gabriel Nagy (6):
      gp_pol: Test empty multi_sz roundtrip
      gp_pol: Allow null data for REG_MULTI_SZ
      gp_pol: Test multiple values multi_sz roundtrip
      gpo: Test certificate policy without NDES
      gpo: Decode base64 root cert before importing
      gpo: Do not get templates list on first run

Günther Deschner (14):
      svcctl: unify operation names and always prefix with svcctl_
      svcctl: rename SERVICE_FAILURE_ACTIONS to SERVICE_FAILURE_ACTIONSW
      librpc: add various new commands and types to SVCCTL IDL.
      librpc: use SERVICE_CONTROL enum in ControlService calls
      s4-torture: add test for svcctl_QueryServiceConfigEx
      librpc: add svcctl_ServiceStopReason enums
      s4-torture: add test for svcctl_ControlServiceExW()
      librpc: add missing service control defines
      pidl: include scompat headers and servers in s3 server template
      s3-rpcclient: add winreg_enumval command
      s4-torture: add torture_assert_werr_equal_goto and torture_assert_werr_ok_goto macros
      s4-torture: add test to check for Windows behavior of EnumValue call
      s3-winreg: fix _winreg_EnumValue behavior
      s4-winreg: fix dcesrv_winreg_EnumValue behavior

Jeremy Allison (1):
      s3: smbd: Allow fchmod from the NFS-style mode ACL in set_nt_acl() for a SMB2 POSIX handle.

Jones Syue (2):
      s3:smbd multichannel: always refresh the network information
      s3:passdb: smbpasswd reset permissions only if not 0600

Joseph Sutton (426):
      buildtools: Don’t call normpath() repeatedly
      buildtools: Correctly raise exception
      tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
      tests/krb5: Expect a status code with policy errors
      tests/krb5: Fix tests that crash Windows
      tests/krb5: Don’t expect groups if we’re expecting an error
      tests/krb5: Fix ASN.1 source
      s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)
      s4:kdc: Make ‘struct user_info_dc’ members const
      s4:kdc: Explicitly initialize SDBFlags structures
      s4:kdc: Remove unused function int2SDBFlags()
      s4:torture: Check return values of talloc functions
      s4:torture: Fix leaks
      s4:torture: Check return values of gnutls functions (CID 1547212)
      tests/krb5: Remove marker
      tests/krb5: Fix comment
      tests/krb5: Add ‘expect_edata’ parameter to _user2user()
      tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code
      tests/krb5: Correctly pass arguments to _modify_tgt()
      tests/krb5: Have _modify_tgt() accept only keyword arguments
      tests/krb5: Update method names to be consistent with other tests
      tests/krb5: Remove incorrect functional level check
      tests/krb5: Move assignments closer to where the variables are used
      tests/krb5: Use None for the default values of parameters
      tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used
      tests/krb5: Don’t expect edata if no error is expected
      tests/krb5: Make ‘keybytes’ a bytes object rather than a list
      tests/krb5: Fix DES3CBC random_to_key()
      tests/krb5: Remove unused imports
      tests/krb5: Remove unnecessary f‐strings
      tests/krb5: Fix RC4‐only Protected Users tests
      tests/krb5: Remove unreachable exception handlers
      tests/krb5: Make ‘services’ parameter required
      tests/krb5: Delete connection variable
      s4:dsdb: Remove reference to non‐existent code
      s4:kdc: Always regard device info when the client performs RBCD
      s4:kdc: Use HDB flag constants instead of SDB ones
      s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified
      s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation
      tests/krb5: Remove unnecessary target_creds variables
      tests/krb5: Work around Samba’s incorrect krbtgt principal handling
      tests/krb5: Test whether the device belongs to some default groups
      s4:kdc: Make a copy of the device SIDs to be placed in the security token
      s4:kdc: Add a flag indicating that the device should be added to the default groups
      s4:kdc: Add device to default groups for authentication policy evaluation
      s4:kdc: Add a flag indicating that the device should be added to Authenticated Users
      s4:kdc: Add device to Authenticated Users for authentication policy evaluation
      lib/torture: Use portable format specifiers
      lib/torture: Add torture_assert_size_*() macros
      s4:torture: Produce more output to help debug smb2.multichannel.bugs.bug_15346
      s3:rpc_server: Correctly reset DEVMODE bit
      .gitattributes: Treat file containing test SDDL as binary
      libcli/security: Fix leak on reallocation failure in pull_composite()
      libcli/security: Fix leak on reallocation failure in conditional_ace_encode_binary()
      python: Remove unnecessary f‐strings
      python:tests: Remove unnecessary f‐strings
      tests/krb5: Don’t pass parameters unnecessarily
      tests/krb5: Sort imports
      s3:libads: Update code reference in comment
      s3:passdb: Fix code formatting
      s4:dsdb:tests: Remove unnecessary f‐strings
      s4:ntvfs: Avoid signed integer overflow
      selftest: Remove ubsan suppressions
      tests/krb5: Add more tests of the device belonging to certain groups
      tests/krb5: Add tests for group membership with RBCD
      s4:kdc: Add device to default groups for RBCD conditions evaluation
      s4:kdc: Add device to Authenticated Users for RBCD conditions evaluation
      SECURITY.md: Fix spelling
      auth: Fix code spelling
      docs-xml: Fix documentation
      examples: Fix code spelling
      ldb: Fix code spelling
      lib/fuzzing: Fix code spelling
      talloc: Fix documentation
      tevent: Fix code spelling
      lib/util: Fix comment
      libcli/security: Fix code spelling
      libcli: Fix code spelling
      security.idl: Fix code spelling
      librpc:ndr: Fix code spelling
      pidl: Fix code spelling
      python:tests: Fix code spelling
      tests/krb5: Fix code spelling
      s3:auth: Add missing word to comment
      s3:lib: Fix code spelling
      s3:libads: Fix code spelling
      s3:libsmb: Fix code spelling
      s3:passdb: Fix code spelling
      s3:rpc_server: Fix code spelling
      s3:smbd: Fix code spelling
      s3:utils: Fix code spelling
      s4:auth: Fix code spelling
      s4:dsdb: Fix code spelling
      s4:kdc: Fix code spelling
      s4:lib: Fix code spelling
      s4:librpc: Fix code spelling
      s4:ntvfs: Fix code spelling
      s4:rpc_server: Fix code spelling
      s4:torture: Fix code spelling
      script: Fix code spelling
      testdata: Fix spelling
      third_party/heimdal_build: Fix spelling
      tests/krb5: Also consider single‐component krbtgt principals to be TGS principals
      tests/krb5: Add tests for single‐component krbtgt principals
      lib/krb5_wrap: Check return value of krb5_principal_get_comp_string()
      s4:dsdb: Initialize pointers to NULL
      s4:kdc: Have smb_krb5_principal_get_comp_string() properly indicate an error
      s4:kdc: Change signature of is_kadmin_changepw() to accommodate failure cases
      s4:kdc: Make use of smb_krb5_principal_is_tgs()
      third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670