[SCM] Samba Shared Repository - annotated tag tdb-1.4.11 created
Jule Anger
janger at samba.org
Mon Jul 29 11:30:28 UTC 2024
The annotated tag, tdb-1.4.11 has been created
at 27acad2f3efe5b40ef546f58dead15de6fe54d07 (tag)
tagging 93a6656c13facdb8565f90954428c4cf800bfc36 (commit)
replaces samba-4.20.0rc1
tagged by Jule Anger
on Mon Jul 29 13:30:01 2024 +0200
- Log -----------------------------------------------------------------
tdb: tag release tdb-1.4.11
Alexander Bokovoy (1):
Do not fail checksums for RFC8009 types
Andreas Schneider (189):
python:gp: Fix logging with gp
librpc:idl: Make netlogon_samlogon_response public
python:gp: Implement client site lookup in site_dn_for_machine()
libgpo: Fix trailing spaces in pygpo.c
libgpo: Do not segfault if we don't have a valid security descriptor
packaging: Provide a systemd service file for samba-bgqd
python:tests: Improve keytab comparison of dckeytab
buildtools: Fix PYTHONPATH and print it
python:samba: Rename trust_utils.py to lsa_utils.py
python: Implement OpenPolicyFallback()
python:tests: Rename createtrustrelax.py to lsa_utils.py
python:tests: Clean lsa_utils.py code according to Python standards
python: Set parameter types for CreateTrustedDomainRelax()
python: Use secrets.token_bytes instead of random
python: Add aead_aes_256_cbc_hmac_sha512()
python: Implement CreateTrustedDomainFallback()
python: Use OpenPolicyFallback() in trust.py
librpc:rpc: Add dcerpc_lsa.h
s4:torture: Use init_lsa_String() from init_lsa.h
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
s4:torture: Use rpc_lsa_encrypt_trustdom_info()
s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()
s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
s4:torture: Add test for lsa_CreateTrustedDomainEx3
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
s3:rpc_client: Implement createtrustdomex2 command
s3:rpc_client: Implement createtrustdomex3 command
s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()
s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()
s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
s3:auth: Remove trailing spaces
s3:auth: Re-format auth3_generate_session_info_pac()
s3:auth: Split auth3_generate_session_info_pac() into functions
s3:auth: Add support standalone server with MIT Kerberos 1.21
python: Fix NtVer check for site_dn_for_machine()
s3:libsmb: Pass a memory context to cli_connect_nb_recv()
s3:nmbd: Remove trailing spaces in nmbd_synclists.c
s3:torture: Remove trailing spaces in torture.c
s3:libsmb: Pass memory context to cli_connect_nb()
s3:libsmb: Pass a memory context to cli_start_connection_recv()
s3:libsmb: Pass a memory context to cli_start_connection()
s3:libsmb: Pass memory context to cli_full_connection_creds_recv()
s3:libsmb: Pass memory context to cli_full_connection_creds()
s3:libnet: Fix memory leak in libnet_join_connect_dc_ipc()
s3:libsmb: Make get_ipc_connect() static
s3:libsmb: Pass a memory context to get_ipc_connect()
lib:tdb: Remove trailing spaces from pytdb.c
lib:tdb: Add missing overflow check for num_values in pytdb.c
lib:ldb: Add missing overflow check in ldb_msg_normalize()
lib:ldb: Use correct integer types for sizes
s4:dsdb: Fix stack use after scope in gkdi_create_root_key()
auth:creds: Add test for cli_credentials_get_principal_obtained()
auth:creds: Add test for cli_credentials_get_password_obtained()
auth:creds: Add test for cli_credentials_get_username_obtained()
lib:krb5_wrap: Implement smb_gss_mech_import_cred()
s3:gse: Use smb_gss_mech_import_cred() in gse_init_server()
s3:gse: Implement gensec_gse_security_by_oid()
s3:gse: Pass down the mech to gse_context_init()
docs-xml: Add smb.conf option 'dns hostname'
s3:utils: Use lp_dns_hostname() for 'net' dns updates
s3:librpc: Use lp_dns_hostname() for creating the fqdn
s3:lib: Remove obsolete name_to_fqdn()
s3:libnet: Use lp_dns_hostname() in libnet_join.c
s3:libnet: Convert myalias to lower case
s3:utils: Use lp_dnsdomain() in net_ads.c
python:tests: Ignore case for group_name comparison
s3:rpc_server: Use lpcfg_dns_hostname() in srv_witness_nt.c
s4:dfs_server: Use lpcfg_dns_hostname() in dfs_server_ad.c
s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
auth:ntlmssp: Remove trailing spaces
auth:ntlmssp: Use lpcfg_dns_hostname()
WHATSNEW: Add 'dns hostname'
s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
s3:libads: Do not fail if we don't get an IP passed down
s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
python:netcmd: Only put regular files into the tarball
python:netcmd: Create a SHA256SUM file with checksums
python: Add test for checking the SHA256SUM
s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish()
s3:utils: Use a destructor in rpc_trustdom_establish()
s3:util: Use a talloc stackframe in rpc_trustdom_establish()
s3:utils: Use talloc instead of malloc functions
bootstrap: Fix runner tags
bootstrap: Set git safe.directory
bootstrap: Fix building CentOS 8 Stream container images
gitlab-ci: Set git safe.directory for devel repo
third_party: Update uid_wrapper to version 1.3.1
third_party: Update socket_wrapper to version 1.4.3
lib:util: Remove trailing spaces in util.c
lib:util: Fix size of tmp array
s4:torture: Add missing NULL checks in spoolss.c
selftest: Create the cmd outside of the loop
selftest: Set NSS_WRAPPER_HOSTS for smbclient
gitlab-ci: Remove CentOS7 which is EOL
gitlab-ci: Add CentOS 9 Stream
gitlab-ci: Update image to Fedora 40
nsswitch:krb5_plugin: Avoid a possible double free
s3:lib: Remove trailing spaces in sharesec.c
s3:lib: Make sure struct security_ace is fully initialized
s3:rpc_server: Make sure struct security_ace is initialized
s3:utils: Fix get_window_height() return value
s4:torture: Remove trailing spaces in winsreplication.c
s4:torture: Initialize struct wrepl_wins_name
s4:dsdb: Remove trailing spaces in schema_query.c
s4:dsdb: Avoid possible underflows with new_len
s3:registry: Remove trailing spaces in reg_perfcount.c
s3:registry: Avoid possible double frees
s3:registry: Add missing return value checks
packaging: Add missing quotes in smbprint
s3:torture: Remove trailing spaces in query.c
s4:torture: Initialize struct nbt_name_query
s4:torture: Initialize struct smb2_handle
s3:auth: Remove trailing spaces in pampass.c
s3:auth: Avoid passing freed pamh pointer to functions using it
s4:torture: Initialize struct wrepl_wins_name
s3:rpc_client: Check for array size instead of UINT16_MAX
s4:torture: Fully initialize struct samr_OpenUser
examples: Use cp with force option
examples: Initialize char arrays
s4:torture: Initialize struct wrepl_wins_name
winexe: Make sure specificError is initialized
examples: Make sure the array is probably initialized
s3:smbd: Remove trailing spaces in posix_acls.c
s3:smbd: Make sure struct security_ace is initialized
s4:torture: Make sure struct smb2_handle is initialized
s3:rpc_client: Initialize struct security_ace
s4:torture: Initialize struct netr_LogonSamLogonEx
s4:torture: Initialize struct smb2_handle
s4:torture: Initialize pointers
s3:libsmb: Check if we have a valid file descriptor
s3:smbd: Make sure struct security_ace is initialized
s3:winbind: Fix integer type of len
s4:torture: Remove trailing spaces from gentest.c
s4:torture: Initialize param arrays
gitlab-ci: Also add the git directory for pipeline in the main mirror
third_party: Update nss_wrapper to version 1.1.16
s3:registry: Check for integer overflow
s3:registry: Use correct integer sizes
s3:smbd: Remove trailing spaces in smb1_process.c
s3:smbd: Remove trailing spaces in seal.c
s3:smbd: Fix invalid memory free
examples: Initialize char arrays
s4:torture: Initialize pointer with NULL
s3:rpc_server: Initialize array
python:tests: Use assertMultiLineEqual() to get better failure output
s4:torture: Initialize struct netr_IdentityInfo
s4:torture: Initialize union smb_open
libcli:nbt: Initialize struct nbt_name_register
lib:util: Move open() of /dev/null into the if-clause
s4:torture: Initialize struct smb2_create
s4:torture: Remove trailing spaces in scanner.c
s4:torture: Initialize struct smb_nttrans
libgpo: Initialize struct security_ace array
s3:modules: Rename thistime to chunk
s3:modules: Move chunk out of the loop
s3:modules: Make nread a size_t and check for possible overflow
s4:torture: Remove trailing spaces in forest_trust.c
s3:services: Initialize struct security_ace array
lib:param: Add missing return code check
s4:torture: Do not set sr.in.info to info be we queried the info
selftest: Remove samba4.rpc.lsa.forest.trust from knownfail
s4:torture: Split out a new LSA test_set_forest_trust_info() function
s4:torture: Add new LSA test_query_forest_trust_info()
s3:smbd: Initialize struct security_ace array
s4:torture: Initialize pointer with NULL
examples:winexe: Fully initialize EXPLICIT_ACCESS
s4:torture: Initialize union spoolss_KeyNames
auth:gensec: Fully initialize struct spnego_data
examples:winexe: Initialize integer
nsswitch: Fix integer size types in winbind_write_sock()
s4:torture: Initialize struct netr_LogonSamLogonEx
s4:torture: Remove trailing spaces from cldapbench.c
s4:torture: Initialize struct cldap_netlogon
s3:printing: Allow to run samba-bgqd as a standalone systemd service
third_party: Update pam_wrapper to version 1.1.7
Andrew Bartlett (152):
python/samba/samdb: Only do caching of well known DNs in dbcheck
librpc/idl: Add a parser for a FILE: format keytab
librpc/idl: Check protocol version number in Kerberos ccache parser
python/tests: Add test for new krb5 keytab parser
python/tests: Convert dckeytab test to use new NDR keytab parser
python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab
third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
samba-tool user getpassword: Do not show preview of gMSA password
python/samba/tests: Include more detail on invocation in test of "samba-tool user show"
samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes
samba-tool user getpassword: Also return the time a GMSA password is valid until
samba-tool user getpassword: Clarify success wording
selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh and samba.tests.domain_backup_offline
ldb: Move tests to selftest/tests.py and out of standalone build
sefltest: Remove duplicate run of ldb.python.crash and ldb.python.repack
ldb: Prepare ldb tests for subunit output
selftest: Move LDB cmocka based unit tests to Samba testsuite
selftest: Always and only run ldb test-tdb test in Samba selftest
selftest: Bring ldb test definitions into one place in selftest/tests.py
ldb: Make pyldb-util always a private library
build: Ensure that a forced-private library has no public headers
build: Allow --private-libraries to include a default
ldb: Honour --private-library=!ldb as meaning build as a public library
autobuild: Move autobuild to expecting ldb to build as part of Samba
build: Call conf.CHECK_XSLTPROC_MANPAGES() directly in wscript
build: Remove duplicated check for -Wl,-no-undefined on OpenBSD
ldb: Remove the ability for Samba to compile against a system LDB
build: Move --with-ldap/--without-ldap from source3 build to top level
lib/ldb: Always build standalone
lib/ldb: Adapt pkg-config files to being build from the main build.
lib/ldb: bld.CONFIG_SET(USING_SYSTEM_LDB) is now never set
lib/ldb: Remove references to conf.env.standalone_ldb
ldb: Remove remaining components of independent ldb build system
lib/ldb: Remove duplicate aspects of build system
ldb: Rename VERSION to LDB_VERSION to avoid confusion
ldb: Remove "private_library" variable with just one user
ldb: Unconditionally set LDB_PACKAGE_VERSION
build: Allow --with-ldbmodulesdir to override location of LDB modules
WHATSNEW: Add information on LDB no longer available standalone
ldb/pyldb: Check errors from PyLdbMessage_FromMessage
ldb/pyldb: Call Py_DECREF(list) on failure in PyLdbResult_FromResult()
dsdb: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE()
dsdb: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
dns: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE()
dns: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h
pyldb: Use "O!" to specify the type of py_ldb
pyldb: Remove last caller to and definition of PyLdb_Check()
pyldb: Improve docstring for whoami(), which takes no arguments.
pyldb: Remove unused and broken Python access to LDB module API
selftest: Assert that the provision KDS root key is already valid for use
python/samba/provision: Ensure KDS root key is usable as soon as provision is complete
lib/ldb: Allocate opaque on ldb_ctx
lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() and use "unsigned long long"
dsdb: Remove calls to ldb.set_opaque_integer()
lib/ldb-samba: Remove unused ldb.set_opaque_integer()
python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal
libnet: Prepare to allow "samba-tool domain exportkeytab to support -H
samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb
s4-auth/kerberos: Remove unused parameters to create_keytab()
s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES
s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()
Make "samba-tool domain exportkeytab" prune old keys
s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA
auth/credentials: Add bindings for getting and setting the salt principal
auth/credentials: Use salt on credentials object for Creds.get_aes256_key()
auth/credentials: Dynamically calculate the salt principal (unless specified)
s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()
auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob
auth/credentials: Make cli_credentials_get_aes256_key into generic key access
auth/credentials: Allow generation of old Kerberos keys also
s4-kdc: Prepare for gMSA support by recording it on the entry
s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"
auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
s4-auth/kerberos: Note the good possibility that the msDS-KeyVersionNumber is wrong
python/tests: Add test that gMSA keytab export works and matches direct keytab export
lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()
lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export
samba-tool domain exportkeytab: Raise a proper CommandError
selftest: Add tests for "samba-tool domain exportkeytab" with existing files"
selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
s4-auth/kerberos: Do not add true duplicates to exported keytab
s4-libnet: Prepare for a "rolling update" keytab export
samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
pyldb: Fix documentation comment on Message.from_dict() method
plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
dsdb: Add API tests for new_gkdi_root_key()
pyldb: Improve search for error string in PyErr_SetLdbError
s4-dsdb: Populate new GKDI root keys from the server configuration object
s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
s4-dsdb: Create KdfParameters at runtime
auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
python/samba/krb5: Allow client address (caddr) to be missing or empty
python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
python/tests/krb5: Allow getting a TGT in pkinit tests
python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
auth/credentials: Read managed_password.passwords.query_interval only after parsing
selftest: Add tests that demonstrate the issues with ldb use after free
pyldb: Include a reference to the Ldb in objects that use
pyldb: Add ldb.disconnect() method to ensure DB handles are closed
samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup
ldb: Add more segfault tests DN handling
selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv
selftest: Move some KDS root key tests around to prepare for gMSA server side
s4-gmsa: Do not attempt password set on remote LDAP connections
.gitlab-ci: Remove tags no longer provided by gitlab.com
build: Add --vendor-name --vendor-patch-revision options to ./configure
script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision
s4-libnet: Split up samba-net into samba-net and samba-net-join
build: Remove incorrect pyembed=True from samba-policy
build: Make "samba4" public libraries provided (mostly) for OpenChange private
dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistent with other uses
s4-auth: Update comment to mention 60mins in the NTLM grace period
s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check
python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use
python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
python/tests/krb5: Remove unused utf16pw variable
python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts
python/tests/krb5: Move check_ticket_times() to kdc_base_test.py
python/test/krb5: Use assertAlmostEqual in check_ticket_times()
python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired
dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
dsdb: Reduce minimum maxPwdAge from 1 day to nil
dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
dsdb: Prepare to handle smartcard password rollover
kdc: Remove confusing duplicate open of sam.ldb to find RODC status
ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
kdc: Use a consistent, stable time throughout the Heimdal KDC
s4-auth: Use consistent externally-supplied time in auth stack
kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
kdc: Rotate smart-card only underlying password in 2nd half of lifetime
selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default
WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done
python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM
python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS
Andréas Leroux (1):
ldap_server: Add a ldapsrv debug class to log LDAP queries
Anna Popova (1):
s3:utils: Fix Inherit-Only flag being automatically propagated to children
Anoop C S (12):
docs-xml: Build and install man page for wspsearch
source4/torture: Add SEC_STD_DELETE to enable proper cleanup
s4/torture: Fix misplaced positional arguments for u64 comparison
source3/smbd: Update timestamps after a successful SMB_VFS_FNTIMES
vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to preserve create_time
vfs_ceph: Simplify SMB_VFS_FGET_DOS_ATTRIBUTES
vfs_ceph: Implement SMB_VFS_FSET_DOS_ATTRIBUTES for precise btime
s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
s4/torture: Remove already existing test_dir
source3/wscript: Remove long pending unsupported option
ctdb/wscript: Remove long pending unsupported option
vfs_ceph: Disable the module on unsupported Ceph versions
Björn Baumbach (1):
ctdb-failover: omit "restrict" optimization keyword
Björn Jacke (10):
Revert "dosmode: prefer capabilities over become_root"
Revert "posix_acls.c: prefer capabilities over become_root"
Revert "open.c: prefer capabilities over become_root"
Revert "vfs_recycle.c: prefer capabilities over become_root"
Revert "vfs_posix_eadb.c: prefer capabilities over become_root"
Revert "vfs_default.c: prefer capabilities over become_root"
Revert "vfs_acl_common.c: prefer capabilities over become_root"
Revert "nfs4_acls.c: prefer capabilities over become_root"
Revert "dosmode.c: prefer use of capabilities at two places over become_root"
Revert "token_util.c: prefer capabilities over become_root"
Christof Schmitt (5):
tdb: Return failure as exit status from test_tdbbackup.sh
tdb: Add test for tdbdump command
tdb: Add tdbdump option to output all data as hex values
tdb: Add test for tdbdump -x
docs: Document new tdbdump -x option
David Mulder (1):
winbind: Log NOT_IMPLEMENTED as debug
Douglas Bagnall (300):
perftest:ndr_pack: rename SD tests with object ACEs
perftest: ndr_pack_performance gets more SD types
perftest:ndr_pack: slightly reduce python overhead
perftest:ndr_pack_performance: remove irrelevant imports, options
perftest:ndr_pack: use a valid dummy SID
perftest:ndr_pack: spin in do_nothing for a while
perftest: ndr_pack runs in none environment
pidl: calculate subcontext_size only once per pull
ndr: shift ndr_pull_security_ace to manual code
ndr: short-circuit ace coda if no bytes left
ndr: make security_ace push manual
ndr: ACE push avoids no-op coda pushes
ndr: skip talloc when pulling empty DATA_BLOB
ndr: mark invalid pull ndr_flags as unlikely
ndr: do not push ACE->coda.ignored blob
ndr: avoid object ACE pull overhead for non-object ACE
ndr: avoid object ACE push overhead for non-object ACE
ndr: ndr_push_security_ace: calculate coda size once
ndr: ignore trailing bytes in ndr_pull_security_ace()
samba-tool domain claim: use secrets module for token
samba-tool domain level: avoid using assert
samba-tool: avoid mutable Command class values
samba-tool: add self.print_json_status() helper
samba-tool: instances remember whether --json was requested
samba-tool: with --json, error messages are in JSON
pylibs: add string_is_guid() helper.
pytest:auth_log_base: use string_is_guid()
pytest:audit_log_base: use string_is_guid()
pyldb: add a macro to free when raising exceptions
pyldb: free things more often on error
pyldb: free some finished requests
pyldb: catch some talloc failures
s4:pydsdb: add not-implemented raising functions to when appropriate
ldb: ldb_string_to_time reports more errors
pyldb: try to turn ldb_string_to_time() errors into exceptions
py:nt_time: add nt_time_from_string()
python:nt_time: add string_from_nt_time
python:nt_time: add a nt_now() function
python/nt_time: have a go at using 1_000_000 number separators.
samba-tool domain: add kds sub-branch
samba-tool domain kds: add root key sub-command
samba-tool domain kds root_key
s4:pydsdb: python bindings for gkdi_new_root_key()
python:samdb: wrapper for _dsdb_create_gkdi_root_key()
ldb:pyldb exposes Result type
samba-tool domain: add LDB Result to json encoders
samba-tool user delete: use account type constant
pytest:samba-tool: add a flag to print more in runcmd
pytest:gkdi: shift create_root_key into a function
pytest:dsdb: check that there is a gkdi root key
provision: add a default root key
samba-tool: don't error if there are no sub-commands
samba-tool: add `samba-tool domain kds root_key list`
samba-tool: add `samba-tool domain kds root_key view`
samba-tool: add `samba-tool domain kds root_key create`
samba-tool: add `samba-tool domain kds root_key delete`
pytests: samba-tool domain kds root_key
samba-tool: tidy up uncaught insufficient rights LdbError
pytest:samba-tool domain kds root-key: test with normal user
libcli/security: claims_conversions: check for NULL in claims array
libcli/security: check again for NULL values
selftest/gdb_backtrace: print python traceback if available
selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
selftest/gdb_backtrace: print `info threads` and some signpost headers
py:samdb: make SamDB.__str__ show the URL and ID
pytest:segfault: prevent @no_gdb_backtrace smearing on exception
pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
pyldb: catch errors in ldb_db_get_casefold
pyldb: py_ldb_init() uses py_ldb_connect() for connecting
ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset
ldb:pytests: test duplicate connections fail
lib/ldb: don't allow repeated connections
ldb:pyldb.h: include some headers that are used
pyldb_utils: pyldb_Object_AsDn() sets TypeError more often
pyldb: add a FIXME for a non-transitive compare
ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
pyldb: ldb_msg_richcmp: avoid one intransitive compare
ldb_dn: make LDB_FREE, TALLOC_FREE
fuzzing: fuzz_ndr_X ndr_print does printing
fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail
fuzz:_conditional_ace_blob discards a const
ldb-samba: matching rules: notify of search failure in transitive filter
fuzz:fuzz_ndr_X: don't skip printing on push error
ndr: always attempt ACE coda pull if ACE type suggests a coda
pytest:krb5/lockout: associate user DN with the ldb it is used with
ldb:pytests: test ldb.connect() works after .disconnect()
pytest:segfault: some more ldb crashes
ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous checks
pyldb: adapt some simple dn methods to use LDB_DN_OR_RAISE()
pyldb: py_ldb_dn_get_extended_component uses PyErr_LDB_DN_OR_RAISE()
pyldb: py_ldb_dn_get_casefold() uses PyErr_LDB_DN_OR_RAISE()
pyldb: py_ldb_dn_extended_str() uses PyErr_LDB_DN_OR_RAISE()
pyldb: py_ldb_dn_get_extended_component() uses PyErr_LDB_DN_OR_RAISE
pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE
pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE
pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE
pyldb: make py_ldb_dn_add_child() a bit less leaky
pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE
pyldb: make py_ldb_dn_add_base() a bit less leaky
pyldb: py_ldb_dn_len checks dn and ldb validity
pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE
pyldb: catch up with README.Coding for some `PyArg_ParseTuple`s
pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro
pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various functions
pyldb: py_ldb_msg_richcmp() uses PyErr_LDB_MESSAGE_OR_RAISE()
pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE
pyldb: py_ldb_msg_contains() checks ldb equality
pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE
pyldb: py_ldb_msg_items checks for more errors
pyldb: py_ldb_msg_elements uses PyErr_LDB_MESSAGE_OR_RAISE
pyldb: py_ldb_msg_set_dn checks dn ldb equality
ldb:pyldb: reorder structs for possible type-punning
pyldb: normalise name of pyldb_Message_Check
pyldb: add PyErr_internal_LDB_DN_OR_RAISE
pyldb: add Dn.ldb accessor
pyldb: add Message.ldb accessor
s4:samba_upgradeprovision: align DN ownership
pyldb: add dn.copy() python method.
python:upgrade/upgradeprovision: use dn.copy to align ldbs
pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb
selftest: move some more expected failures to expectedfail.d
ldb: avoid out of bounds read and write in ldb_qsort()
lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename
util:tsort.h: add a macro for safely comparing numbers
ldb: add NUMERIC_CMP macro to ldb.h
ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base()
ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare()
s4:ntvfs: use NUMERIC_CMP in stream_name_cmp
s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare
s4: use numeric_cmp in dns_common_sort_zones()
util:binsearch: use NUMERIC_CMP()
torture:charset: use < and > assertions for strcasecmp_m
torture:charset: use < and > assertions for strncasecmp_m
torture:charset: test more of strcasecmp_m
util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle
util:test: test_ms_fn_match_protocol_no_wildcard: allow -1
util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP()
util:charset:codepoints: codepoint_cmpi warning about non-transitivity
s3:libsmb:namequery: note intransitivity in addr_compare()
s3:libsmb:namequery: use NUMERIC_CMP in addr_compare
lib/torture: add assert_int_{less,greater} macros
util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle
ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP()
ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP()
util:datablob: avoid non-transitive comparison in data_blob_cmp()
ldb: avoid non-transitive comparison in ldb_val_cmp()
ldb: reduce non-transitive comparisons in ldb_msg_element_compare()
libcli/security: use NUMERIC_CMP in dom_sid_compare()
libcli/security: use NUMERIC_CMP in dom_sid_compare_auth()
s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp()
s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP()
s4:dns_server: use NUMERIC_CMP in rec_cmp()
s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list()
s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP()
s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort()
s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP()
s3:smbcacls: use NUMERIC_CMP in ace_compare
s3:util:sharesec ace_compare() uses NUMERIC_CMP()
s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP()
s4:dns_server: less noisy, more informative debug messages
ldb:mod:sort: rearrange NULL checks
ldb:sort: check that elements have values
ldb:sort: generalise both-NULL check to equality check
ldb:dn: make ldb_dn_compare() self-consistent
s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
gensec: sort_gensec uses NUMERIC_CMP
lib/socket: rearrange iface_comp() to use NUMERIC_CMP
s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
s4:rpcsrv:samr: improve a comment in compare_msgRid
ldb: comment for ldb_dn_compare_base
s4:dsdb: fix spelling in comment
ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure
ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
ldb-samba:ldif_handlers: dn_link_comparison leaks less
ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
ldb:pytests: test for Turkic i-dots in ldb_comparison_fold
ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
ldb:utf8: ldb_ascii_toupper() avoids real toupper()
ldb: avoid NULL deref in ldb_db_compare
ldb:tests: add a test for dotted i uppercase
s4:dsdb:util_trusts: describe dns_cmp return values
s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
ldb:tools: ldbsearch doesn't need ldb_qsort()
s4:dsdb:mod: repl_md: make message_sort transitive
s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort()
s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort()
s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
lib:util:tests: more tests for codepoint_cmpi
lib:util: codepoint_cmpi: be transitive and case-insensitive
ldb-samba: ldif_write_schemaInfo() uses correct size
pytest: sid_strings: use more reliable well known SID
pytest: sid_strings: Windows does allow lowercase s-1-... SIDs
pytest: sid_strings: adjust to match Windows 2016
pytest: sid_strings: Samba DN object refuses sub-auth overflow
ldb-samba: simplify ldif_comparison_objectSid()
ldb-samba: simplify ldif_canonicalise_objectSid()
ldb-samba: simplify extended_dn_read_SID()
ldb-samba: remove unused ldif_comparision_objectSid_isString()
ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold
ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold
ldb: note a transitivity problem in ldb_comparison_fold
lib/fuzzing: add fuzz_stable_sort_r_unstable
ldb-samba: ldif_read_objectSid() short-circuits without 'S'
ldb-samba: ldif_read_objectSid avoids VLA
spelling: fix spelling of privilege.ldb in comments
spelling: comments: synthax -> syntax
lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun
s3:smbcacls: fix ace_compare
ldb: add test_ldb_comparison_fold
lib/util/charset: be explicit about INVALID_CODEPOINT value
ldb: add a utf-8 comparison fold callback
ldb: move ldb_comparison_fold guts into a separate function
ldb: add ldb_set_utf8_functions() for setting casefold functions
ldb: ldb_comparison_fold uses the utf-8 casecmp function
ldb: add ldb_comparison_fold_ascii() for default comparisons
ldb: ldb_comparison_fold_ascii sorts unsigned
ldb: ldb_set_utf8_default() sets comparison function
util:charset: add strncasecmp_ldb()
util:charset: strncasecmp_ldb degrades to ASCII strncasecmp
util:charset: strncasecmp_ldb avoids iconv for ASCII
ldb-samba: add ldb_comparison_fold_utf8, wrapping strncasecmp_ldb
ldb-samba: use ldb_comparison_fold_utf8()
ldb: ldb_comparison_fold always uses the casecmp function
ldb: remove old ldb_comparison_fold_utf8_broken()
ldb: deprecate ldb_set_utf8_fns
ldb: ldb_set_utf8_functions follows README.Coding
ldb: don't cast to unsigned for ldb_ascii_toupper()
lib/fuzzing: add fuzz_strncasecmp_ldb
s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
ldb: move struct ldb_utf8_fns to ldb_private.h
ldb: move struct ldb_debug_ops to ldb_private.h
selftest:dnshub: remove py2 compatibility code
tdb:pytdb:_tdb_text: remove Py2 compatibility code
talloc:pytest: remove tests that only test Python 2
ldb-samba:pytest: remove unused variable
tdb:pytests: remove unused Py2 test branches
buildtools: remove Python2 compatibility
python/common: remove verbiage about old python versions
python:smb tests: remove py2 compatibility code
pidl:Typelist: resolveType(): don't mistake a reference for a name
pidl:python: properly raise exception in ConvertObjectFromPythonData
pidl:python: Exception if unconvertable in ConvertObjectToPythonLevel
buildtools:pidl: avoid hash randomisation in pidl
examples:winexe: more efficient C array generation, no py2
examples:winexe: reproducible builds with zero timestamp
examples:winexe: embed Samba version as exe timestamp
s3/torture: local_rbtree: avoid birthday collisions
fuzzing: fix fuzz_stable_sort_r_unstable comparison
samba-tool user readpasswords: avoid `assert` for validation
s4/pytest: remove py2 str/bytes workaround in getnc_exop
pytest: remove py2 str/bytes workaround in py_credentials
pytest: remove py2 str/bytes workaround in dns_base
pytest: remove py2 str/bytes workaround in lsa_utils
pytest: remove py2 str/bytes workaround in samr_change_password
pytest: remove py2 str/bytes workaround in auth_log_samlogon
py:emulate: remove py2 str/bytes workaround in traffic
py:emulate: remove py2 str/bytes workaround in traffic_packets
python:join: avoid useless use of py2-compat string_to_byte_array
python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
samba-tool domain trust: avoid useless use of string_to_byte_array
pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
samba-tool ldapcmp: remove a dodgy unused method
python: remove string_to_byte_array()
buildtools: sanitise strange characters in vendor strings
build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
docs-xml:manpages: allow for longer version strings
cmdline:burn: '-U' does not imply secrets without '%'
selftest: run the cmdline tests that we already have
cmdline:tests: extend cmdline_burn tests
cmdline:burn: do not retain false memories
cmdline:burn: handle arguments separated from their --options
cmdline:burn: always return true if burnt
cmdline:burn: localise some variables
cmdline:burn: do not burn options starting --user-*, --password-*
cmdline: test_cmdline tests more burning
cmdline:burn: use allowlist to ensure more passwords burn
cmdline:burn: explicitly burn --username
cmdline:burn: add a note about short option combinations
cmdline: samba-tool test for bad option warning
cmdline:burn: list commands to always burn; warn on unknown
libcli:security: allow spaces after BAD:
tdb: fix compilation with TDB_TRACE=1
tdb: allow tracing of internal tdb
ldb_kv_cache: always initialise dn_list.strict
ldb:ldb_kv_dn_list_find_val: check for int overflow
ldb_kv_index: dn_list load sub transaction can re-use keys
ldb:kv_index: realloc away old dn list
ldb:kv_index: don't recalculate a length
ldb:kv_index: subtransaction_cancel: check for nested tdb
ldb:kv_index: use subtransaction_cancel in transaction_cancel
Earl Chew (4):
Augment library_flags() to return libraries
Improve CHECK_LIB interaction with CHECK_PKG
Combine ICU libraries icu-i18n and icu-uc into a single dependency
Restore empty string default for conf.env['icu-libs']
Günther Deschner (5):
s3-librpc: merge two PIDL lists
pidl: fix trailing double-quote on last line of s3 server stubs
pidl: add "return ENOTSUP" for int return type in s3 template
ctdb/ceph: Add optional namespace support for mutex helper
ctdb/docs: Include ceph rados namespace support in man page
Jeremy Allison (3):
s3: smbd: smb2-posix: Add SAMBA_XATTR_REPARSE_ATTRIB "user.SmbReparse" name.
s3/torture: Add test for widelink case insensitivity on a MSDFS share.
s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
Jo Sutton (267):
python: Remove ‘typing.Final’
ldb: Fix code spelling
lib:util: Remove trailing whitespace
libcli/security: Make ‘replace_sid’ parameter const
librpc:idl: Remove trailing whitespace
librpc:idl: Fix code spelling
s3:smbd: Fix code spelling
s4:dsdb: Remove duplicate userAccountControl array entry
s4:libcli: Remove unnecessary uses of discard_const_p()
s4:auth: Fix code spelling
s4:dsdb: Remove trailing whitespace
s4:dsdb: Fix code spelling
s4:dsdb: Correct NDR push error message
s4:dsdb: Remove trailing whitespace
s4:dsdb: Correct reference to source file
s4:dsdb: Mark hash returned by samdb_result_hash() as secret
s4:dsdb: Avoid buffer overflow in samdb_result_hashes()
s4:dsdb: Fix code formatting
selftest: Fix code spelling
python:tests: Produce more helpful error message for future GKIDs
lib:crypto: Fix code formatting
lib:crypto: Export gkid_key_type() and gkid_is_valid()
lib:crypto: Comment on GKDI definitions
lib:crypto: Explicitly check for zero
s4:dsdb: Add helper functions to get GKDI root key DNs
python:tests: Fix code spelling
python:tests: Pass correct arguments to set_named_ccache()
samba-tool: Display friendlier error message if no password is available
testprogs:blackbox: Fix code spelling
s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search
lib:util: Remove inaccurate comment
ldb: Remove trailing whitespace
ldb: Simplify ldb_errstring()
ldb: Fix code spelling
python: Reformat nt_time.py
lib:compression: Update my name
s4:kdc: Remove ‘attrs’ parameter from samba_kdc_lookup_server()
python:tests: Remove unused imports
s4:dsdb: Check return value of talloc_new()
s4:dsdb: Undefine helper macro
s4:dsdb: Allocate NT hash on to more appropriate memory context
s4:dsdb: Split out function to create a ‘password set’ ldb request
s4:dsdb: Remove reference to now‐gone lmNewHash parameter
s4:dsdb: Remove unused ‘domain_dn’ parameter
mailmap: Associate my identity with my old email address
s4:dsdb: Remove duplicate word
s4:dsdb: Remove trailing whitespace
s4:dsdb: Make array static
s4:dsdb: Add ‘ares’ parameter to operational attribute constructor functions
s4:dsdb: Fix code formatting
s4:setup: Remove empty line
s4:dsdb: Add dsdb control indicating that gMSA passwords are to be updated
s4:dsdb: Include missing headers
s4:dsdb: Add search flag indicating that gMSA passwords are to be updated
s4:dsdb: Add dsdb_werror() macro
ldb: Remove trailing whitespace
ldb: Correct copy‐and‐pasted comments
ldb: Split out ldb_controls_get_control() to search a list of controls
ldb: Fix documentation typos
lib:crypto: Add more GKDI functions
lib:crypto: Add functions for deriving gMSA passwords
lib:crypto: Add test for GMSA password derivation
pidl: Do not call mapTypeName() on expression
s3:passdb: Remove trailing whitespace
s3:passdb: Make array of strings static
s3:passdb: Reformat array of strings
s3:passdb: Reformat long line
s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
s4:dsdb: Remove unused includes
s4:dsdb: Add function to create a GMSA password update request
s4:dsdb: Remove redundant include
s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h
s4:dsdb: Add function to determine whether we have system access
s4:dsdb: Make use of dsdb_have_system_access()
s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password
libcli/security: Include missing headers
s4:ldap_server: Remove trailing whitespace
libcli/security: Make ‘session_info’ parameter const
s4:dsdb: Fix grammar
tests/krb5: type hinting
tests/krb5: Move assertLocalSamDB() into RawKerberosTest
python: Fail the test if we don’t receive an NTSTATUSError
s4:rpc_server: Remove trailing whitespace
lib:util: Correctly determine whether a character needs to be escaped
lib:util: Fix printing hex‐escaped characters
s4:rpc_server: Make some arrays static
third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
lib:crypto: Add error checking to GKDI key start time calculation
lib:crypto: Correct GKDI interval start time calculation
lib:crypto: Check for overflow in GKDI rollover interval calculation
s4:dsdb: Add functions for GKDI root key creation
ldb: Add tests for Python set_opaque() and get_opaque()
ldb: Pass a supported opaque type to ldb.set_opaque()
ldb: Remove trailing whitespace
ldb: Update ldb.set_opaque() to accept only supported types
ldb: Update ldb.get_opaque() to return talloc‐managed opaque values
s4:auth: Fix grammar in error message
python:tests: Use Managed Service Accounts well‐known GUID
python:tests: Simplify expression
s4:auth: Allocate strings on shorter‐lived memory context
python:tests: Fix code spelling
python: Correctly qualify strptime()
python: Type ‘format’ parameter as optional
s4:libnet: Fix code spelling
python: Correct time conversion function name
python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
tests/krb5: Allow specifying SamDB to use when creating an account
auth:credentials: Remove trailing line
auth:credentials: Remove unused include
s4:auth: Update error messages
tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
tests/krb5: Fix PK-INIT test framework to allow expired password keys
s4:ldap_server: Remove trailing whitespace
s4:ldap_server: Fix code spelling
s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
s4:ldap_server: Store whether an LDAP connection is over ldapi
s4:ldap_server: Consider ldapi connections to be encrypted
python:tests: Replace deprecated method assertRaisesRegexp()
python:tests: Fix set declaration
python:tests: Reformat code
python:tests: Fix typo
tests/krb5: Remove unused import
tests/krb5: Fix code spelling
tests/krb5: Remove unused variable
tests/krb5: Make use of ‘expect_edata’ parameter
tests/gkdi: Allow current time to be overridden
tests/gkdi: Remove implicit clock skew offset
tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’
python:gkdi: Add notes on GKDI time periods
python:gkdi: Add Gkdi.from_key_envelope() method
python:gkdi: Reformat code with ‘ruff’
python:nt_time: Add NT_TIME_MAX constant
tests/krb5: Add tests for gMSAs
lib:crypto: Reformat source code
s4:dsdb: Factor out a function to remove all password related attributes
s4:dsdb: Add functions for Group Managed Service Accounts implementation
s4:dsdb: Set up passwords and password IDs of new gMSAs
selftest: Expand out knownfails for gMSA getpassword tests
python:tests: Catch failures to authenticate with gMSA managed passwords
s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
s4:dsdb: Implement msDS-ManagedPassword attribute
ldb: Check result of py_ldb_msg_keys()
tests/krb5: Skip loop iteration if attribute has no values
tests/krb5: Extract method to unpack supplementalCredentials blob
tests/krb5: Import MAX_CLOCK_SKEW more directly
tests/krb5: Add tests that gMSA keys are updated in the database when appropriate
s4:dsdb: Explicitly return success error code
s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()
s4:dsdb: Add a note that administrators should not set the clock too far in the future
s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate
s4:dsdb: Store account DN as part of gMSA update structure
s4:dsdb: Store found managed password ID as part of gMSA update structure
s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed
s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
s4:dsdb: Add dsdb_update_gmsa_keys()
python: Reformat code
auth:credentials: Fix code spelling
auth:credentials: Remove unnecessary declaration
s4:kdc: Fix grammar
pyglue: Remove unnecessary declaration
s4:kdc: Remove unnecessary cast
tests/krb5: Fix malapropism
tests/krb5: Note that lockout tests use password checks
s4:kdc: Correctly extract older NT hash
s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
lib:crypto: Add more unit tests for GKDI functions
s4:dsdb:tests: Make use of ‘ldb’ parameter
s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
tests/krb5: Test retrieving a denied gMSA password over an unsealed connection
ctdb: Ensure ‘ret’ is always initialized
ctdb: Report errors from getline()
lib:crypto: Fix Coverity build
ldb: Remove unnecessary declaration
tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
s4:auth: Export AES128 gMSA keys along with AES256 keys by default
python: Move get_admin_sid() to SamDB
s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
python:gkdi: Add helper methods returning previous and next GKIDs
python:tests: Store keys as bytes rather than as tuples
python:tests: Rewrite condition of while loop
python:tests: Store keys as bytes rather than as lists of ints
auth:credentials: Check for NT hash being NULL
lib:fuzzing: Remove unused variable
lib:fuzzing: Fix undefined shift
s4:dsdb: Remove trailing whitespace
s4:dsdb: Fix code spelling
s4:setup: Update name of dsdb password change control
s4:libcli: Fix code spelling
s4:libcli: Add more controls to our list of known controls
python:tests: Remove unused netlogon connection parameter
python:tests: Remove unnecessary ‘pass’ statement
python:tests: Pass ServerPasswordSet2() parameters in correct order
tests/krb5: Read current time from correct SamDB
tests/krb5: Add quantized_time() method
tests/krb5: Make use of gmsa_series_for_account() method
tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
s4:dsdb: Let dsdb gMSA time influence pwdLastSet
s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
tests/krb5: Test performing NTLMSSP logons at different times
tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
tests/krb5: Test viewing gMSA passwords after performing simple binds
tests/krb5: Add more tests for gMSAs
s4:libnet: Remove trailing whitespace
s4:libnet: Remove unnecessary declarations
lib:crypto: Add constant denoting maximum GKDI clock skew in minutes
s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
s4:dsdb: Remove redundant user flags macro
s4:dsdb: Add userAccountControl helper function
s4:dsdb: Make use of userAccountControl helper function
s4:dsdb: Do not set lockoutTime for trust accounts
s4:dsdb: Make map containing default attribute values static
s4:kdc: Initialize pointer variable just in case (CID 1596762)
s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
s4:kdc: Initialize local variable just in case (CID 1596759)
tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
s4:kdc: Remove trailing whitespace
s4:kdc: Implement KDC plugin hardware authentication policy
third_party/heimdal: Import lorikeet-heimdal-202405220400 (commit 8276d6311146b8ab5d57d092bc5d5fa28282a900)
python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method
python:tests: Manually raise AssertionError
python:tests: Extract keytab_as_set() function to be usable by other tests
s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()
s4:libnet: Update export_keytab() docstring
s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover
s4:kdc: Merge current and previous gMSA keys during period when both are valid
s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
s3:rpc_server: Check function code according to MS-NRPC
s3:rpc_server: Check query level according to MS-NRPC
ldb: Fix typo
tests/krb5: Make use of update_password() method
s4:dsdb: Use talloc_get_type_abort()
tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
tests/krb5: Calculate correct gMSA password to fix flapping test
ldb: Attach appropriate ldb context to returned result
s4:auth: Add common out path to authsam_reread_user_logon_data()
s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
s4:dsdb: Remove trailing whitespace
s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
tests/krb5: Allow creation of disabled accounts for testing
tests/krb5: Add tests for errors produced when logging in with unusable accounts
third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
third_party/heimdal: Import lorikeet-heimdal-202406270253 (commit cbd2c0b8ec604686dc7b363d1dcec69bf5f7a7ec)
tests/krb5: Fix type errors by giving ‘pwd_last_set’ an appropriate type
tests/krb5: Simplify code using dict.get()
s3:param: Check return value of strlower_m() (CID 1598446)
s4:auth: Use appropriate type for userAccountControl flags
s4:dsdb: Use appropriate type for userAccountControl flags
pyglue: Remove global variables used in only one place
s3:rpc_server: Update deprecated directives
perftest:ndr_pack_performance: Remove unused import
perftest:ndr_pack_performance: Remove obsolete comment
lib:crypto: Remove unused macro definitions
s3:rpc_server: Fix code spelling
s4:auth: Correct order of parameters in documentation
lib:krb5_wrap: Fix code spelling
s4:dsdb: Remove unnecessary MIN()
s3:smbd: Avoid compiler warning for unused label
selftest: Consolidate MIT Kerberos knownfails into a single file
selftest: Move Heimdal Kerberos knownfails to separate files in their own directory
selftest: Move MIT Kerberos knownfails to separate files in their own directory
John Thacker (15):
pidl:Wireshark Use proto_tree_add_bitmask_with_flags
pidl:Wireshark Fix array of pointers NULL termination
pidl:Wireshark Get rid of Boolean "flags" with no bit set
pidl:Wireshark Rename tvb_new_subset()
pidl:Wireshark Fix the type of array of pointers to hf_ values
Revert "pidl: Use non-existent function dissect_ndr_int64()"
pidl: Update Wireshark generated DRSUAPI code
pidl: Wireshark: Remove init of proto variables
pidl: Wireshark: Don't initialise static hf and ett variables.
pidl: Wireshark: Const-ify dcerpc_sub_dissector structures.
pidl: Wireshark: Update test for removal of ett initialization
pidl: Wireshark: Convert the pidl dissector generation code to C99 types
pidl: Wireshark: Remove init of proto variables
pidl: Wireshark: Don't assign hash undef, assign it an empty array
pidl: Wireshark: Another C99 type conversion
Jones Syue (1):
s3:ntlm_auth: make logs more consistent with length check
Jule Anger (6):
VERSION: Bump version up to 4.21.0pre1...
WHATSNEW: Start release notes for Samba 4.21.0pre1.
ldb: change the version to 2.10.0 for Samba 4.21
samba-tool: add "samba-tool user list --locked-only"
selftest: add tests for "samba-tool user list --locked-only"
tdb: version 1.4.11
Martin Schwenke (47):
ctdb-protocol: Add missing push support for new controls
ctdb-tests: Limit red-black tree test to 5s of random inserts
ctdb-daemon: Use ctdb_event_to_string()
ctdb-common: Remove unused variable ctdb_eventscript_call_names.
ctdb-common: Remove old runstate/string translation functions
ctdb-scripts: Do not de-duplicate the interfaces list
ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
ctdb-scripts: Avoid ShellCheck warning SC2162
ctdb-scripts: Improve documentation
ctdb-scripts: Reformat with shfmt -w -p -i 0 -fn
ctdb-scripts: Move ctdb.tdb attach to statd-callout
ctdb-scripts: Avoid globally changing to queue directory
ctdb-scripts: Move state directory creation to "startup" action
ctdb-scripts: Add caching function for public IPs
ctdb-tests: Default PNN is 0
ctdb-scripts: Avoid connecting to ctdbd in add-client/del-client
ctdb-scripts: Set ownership of statd-callout state directory
ctdb-scripts: Use find_statd_sm_dir() in one more place
ctdb-scripts: No longer run statd-callout under sudo
ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn"
ctdb-scripts: Quote variable expansions
ctdb-scripts: Change NFS-Ganesha PID file location
ctdb-scripts: Fix usage message
ctdb-scripts: Add script option CTDB_NFS_EXPORTS_FILE
ctdb-scripts: Improve NFS-Ganesha export path extraction
ctdb-scripts: Improve service PID check
ctdb-scripts: Check NFS-Ganesha is running before attempting grace
ctdb-scripts: Protect against races when starting grace period
ctdb-scripts: Add service_stats_command variable to NFS checks
ctdb-scripts: Implement NFS statistics retrieval for NFS-Ganesha
ctdb-doc: Add example for NFS-Ganesha RPC checking
ctdb-scripts: Fail monitoring after 1 x NFS-Ganesha not running
ctdb-doc: Drop unnecessary, broken attempt at rpc.statd stack trace
ctdb-failover: Split statd_callout add-client/del-client
ctdb-conf: Move all conf files to new conf/ subdirectory
ctdb-conf: Move conf.[ch] to conf/ subdirectory
ctdb-conf: Rename config loading to not be daemon-specific
ctdb-tests: Add more reloadnodes unit tests
ctdb-tests: Correctly handle adding a deleted node at the end
ctdb-build: Remove unused dependencies on ctdb-util
ctdb-protocol: Move definition of CTDB_PORT to protocol
ctdb-conf: Add a common node address handling module
ctdb-tools: Use ctdb_read_nodes() in the ctdb tool
ctdb-tests: Use ctdb_read_nodes() in the fake ctdbd
ctdb-protocol: Move ctdb_node_map_* to protocol_api.h
ctdb-daemon: Use ctdb_read_nodes() in ctdbd
ctdb-daemon: Use ctdb_parse_node_address() in ctdbd
MikeLiu (1):
smbd: Ensure we grant owner sid in check_parent_access_fsp()
Noel Power (25):
librpc/wsp: Unknown property used in 'current directory' searches
librpc/idl: fix typo in wsp_csort member
librpc/idl: remove duplicate definition
s3/rpc_client: change type of offset to uint64_t
s3/rpc_client: Remove stray unnecessary comment
s3/utils: use full 64 bit address for getrows (with 64bit offsets)
s3/rpc_client: cleanup unmarshalling of variant types from row columns
idl: Add constant for max rows buffer size
s3/rpc_client: Ensure max possible row buffer size is not exceeded
s3/rpc_client: Fix array offset check
s3/smbd: If we fail to close file_handle ensure we should reset the fd
Add simple http_client for use in black box tests (in following commits)
selftest: Add basic content-length http tests
libcli/http: Optimise reading for content-length
tests: add test for chunked encoding with http cli library
libcli/http: Handle http chunked transfer encoding
selftest: fix potential reference before assigned error
selftest: Add new test for testing non-chunk transfer encoding
libcli/http: Detect unsupported Transfer-encoding type
s4/torture: Prepare to handle Level 4 check with unknown func code
s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
s3/rpc_server: Fix dereference of client pointer
selftest: Add a python blackbox test for some misc (widelink) DFS tests
s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
doc: Update coding guidelines for struct initialisation
Oliver Mihatsch (1):
Extended the documentation for the "tls certfile" parameter in the smb.conf.
Pavel Filipenský (51):
s3:libads: Trace ldap search base/filter/scope
docs-xml: Add parameter all_groupmem to idmap_ad
s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
tests: Add a test for "all_groups=no" to test_idmap_ad.sh
s3:libsmb: Fix panic in cliconnect.c
smbdotconf: Enable "winbind debug traceid" by default
python/tests: Fix nlink test in smb3unix on btrfs filesystem
s3:winbindd: Use TDB_REPLACE in tdb_store
s3:winbindd: Update non cache entries keys (non_centry_keys)
s3:utils: Initialize DATA_BLOB blob
s3:rpcclient: Initialize spoolss_DriverDirectoryInfo info
s3:registry: Initialize struct security_ace ace[]
s4:torture: Initialize struct smb2_handle consistently in lease.c
s3:rpc_server: Initialize array struct security_ace ace[]
.gitlab-ci-main.yml: Add safe.directory '*'
docs-xml: Mention winbind consistently in samba-dcerpcd.8
python:tests: Fix spelling in to test_samba_dnsupdate_no_change
s3:librpc: Fix a typo in DEBUG text
libnet: Fix debug text
s3:lib: Fix a typo in MACRO
s3:lib: Merge library trusts_util into library ads
docs:smbdotconf: Add parameter 'sync machine password to keytab'
docs:smbdotconf: Add parameter 'sync machine password script'
s3:testparm: Add check for "sync machine password to keytab" to testparm
krb5_wrap: Add TRACE SUPPORT for keys operations
s3:libads: Use the TRACE SUPPORT for keys operations
s3:libads: Request "msDS-KeyVersionNumber" from ads_find_machine_acct()
s3:lib: Sync machine password to keytab: helper functions
s3:ads: Do not update system keytab from "net ads changetrustpw"
s3:ads: Remove 'kerberos method' warning for 'net ads keytab' functions
s3: Sync machine account password in secrets_{prepare,finish}_password_change
s3:libnet: Sync keytab during libnet_join_create_keytab()
s3:utils: Change net_ads_keytab_create() to call sync_pw2keytabs()
selftest: Add "sync machine password to keytab" to env. ad_member_idmap_nss
selftest: Add tests for keytab update
testprogs: Remove "keytab add", "keytab delete" and "keytab add_update_ads" related tests from test_net_ads.sh
testprogs: Remove upn related test from test_net_ads.sh
testprogs: Use 'HOST' instead of 'host' in test_net_ads.sh
testprogs: Remove dnshostname related test from test_net_ads.sh
testprogs: Remove alias test from test_net_ads.sh
s3:libads: Remove ads_keytab_create_default & friends
s3:utils: Remove from "net ads keytab": "add", "delete" and "add_update_ads"
s3:libads: Call 'sync machine password script' when machine password is updated
ctdb:events: Add 46.update-keytabs.script for 'recovered' event
s3:script: clustered samba: Add script updatekeytab.sh
script: clustered samba: Build samba-ctdb with ad-dc support
selftest: Rename nt4_dc_vars -> dcvars in setup_clusteredmember
selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
selftest: Add tests for keytab update in clustered samba
WHATSNEW: Automatic keytab update after machine password changes
Ralph Boehme (37):
smbd: simplify handling of failing fstat() after unlinking file
third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
selftest: remove check for $no_delete_prefix
selftest: setup "simpleserver" testenv specific directories after calling provision()
selftest: setup "fileserver" testenv specific directories after calling provision()
selftest: ensure the "fileserver" test environment is removed before provisioning
selftest: remove net groupmap delete stuff
s3/lib: remove name_compare_entry typedef
s3/lib: move path_to_strv() to util_path.c
s3/lib: modernize set_namearray()
smbd: move target code out of loop body
smbd: prepare free_conn_session_info_if_unused() for more cleanup logic
smbd: maintain veto_list and hide_list in the vuid cache
s3/lib: move set_namearray() to util_namearray.c
selftest: add groups "group1" and "group2" to Samba3
smbd: move token_contains_name() to util_namearray.c and make it public
s3/lib: add per-user support to set_namearray()
CI: fix test file cleanup
CI: add a test for per-user (and per-group) veto files
winbindd: rename variable old_status to was_online in wb_cache_name_to_sid()
winbindd: reformatting
winbindd: collapse two if expressions
winbindd: properly initialize sid and type in wb_cache_name_to_sid()
libwbclient: add error WBC_ERR_NOT_MAPPED
libwbclient: prepare wbcCtxLookupName() for dealing with WBC_SID_NAME_UNKNOWN
winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names
s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED
s3-errormap: move map_nt_error_from_wbcErr() back into errormap.c
s3-errormap: add WBC_ERR_NOT_MAPPED -> NT_STATUS_NONE_MAPPED
s3/passdb: add winbind_lookup_name_ex()
s3/passdb: use winbind_lookup_name_ex() in lookup_name() instead of winbind_lookup_name()
s3/passdb: factor out lookup_name_internal()
s3/passdb: add lookup_name_smbconf_ex() using lookup_name_internal()
s3/lib: use lookup_name_smbconf_ex() in token_contains_name()
smbd: return errors from token_contains_name()
s3/lib: return error from set_namearray()
WHATSNEW.txt: document "veto files" and "hide files"
Rob van der Linde (146):
python: do not make use of typing.Final for python 3.6
netcmd: models: fix docstring was missing param
netcmd: models: enums and constants also brought forward
netcmd: models: change import style to use brackets
netcmd: models: check for None in build_expression instead
netcmd: models: EnumField now also supports IntFlag
netcmd: models: add AccountType IntFlag field
netcmd: models: add AccountType enum to User model
netcmd: models: move expression code to Field class
netcmd: models: fix BooleanField filtering didn't work on FALSE value
netcmd: models: fix build_expression did not work with EnumField
netcmd: models: fix build_expression on SIDField handles security.dom_sid
netcmd: models: move enum import to correct place
netcmd: models: model field DateTimeField returns datetime in UTC
netcmd: models: add new NtTimeField model field
netcmd: models: tests: add tests for NtTimeField
netcmd: models: mark some hidden fields on the base Model as readonly
libds: remove unreachable break statements after return
netcmd: support hyphens in top-level commands and convert to underscore
netcmd: json encoder supports security descriptor objects
netcmd: bugfix: json encoder failed to call super method
netcmd: delegation: pep8 fix blank lines
netcmd: delegation: move line down where it gets used
netcmd: delegation: initial value not required because of raise below
netcmd: delegation: don't use assert but raise CommandError
netcmd: models: SDDLField parses to object instead of string
netcmd: models: SDDLField move line down where it gets used
netcmd: models: rename DoesNotExist exception to NotFound
netcmd: models: stop using LookupError exception and change it to NotFound
netcmd: models: add Computer model subclass of User
netcmd: models: make Group.system_flags a flags based EnumField
netcmd: models: add missing enum fields to Group model
netcmd: models: add missing fields to User model
netcmd: models: add GroupManagedServiceAccount model
netcmd: models: add default SDDL to group_msa_membership
netcmd: models: Remove unused groups_sddl method from User model
netcmd: models: avoid fetching each user in trustees method
netcmd: models: make GroupManagedServiceAccount.trustees a property
netcmd: models: gmsa trustees property only looks at allowed aces
netcmd: models: gmsa trustees update docstring and incorrect return type
netcmd: models: gmsa move GroupManagedServiceAccount model to gmsa.py
netcmd: models: gmsa GroupManagedServiceAccount inherits from Computer
netcmd: models: gmsa move find method to Computer model
netcmd: models: update docstring of Computer.find method
netcmd: models: move MODELS constant to constants.py to avoid import loop
netcmd: models: make MODELS constant keyed by object class instead
netcmd: shell: show Models subheading
netcmd: models: move group msa membership default to constants
netcmd: models: set the default for managed password interval on the model
netcmd: models: Query.first and Query.last should use count from instance
netcmd: models: Model.get_object_class returns top instead of None
netcmd: models: ModelMeta no longer needs to inherit from ABCMeta
netcmd: models: bring Model class forward into module
netcmd: models: move object_sid field from User to base Model
netcmd: models: ModelMeta needs to also set fields and meta if class is Model
netcmd: models: Model.query adds optional polymorphic flag for returning specific class types
netcmd: models: setting kwarg to None should use field default
netcmd: models: model __json__ method should call as_dict instead
netcmd: add newline before epilog so there is a space between
netcmd: properly show command name in show help
python: sd_utils: pep8 fix spacing around
python: sd_utils: remove redundant brackets around simple assert statements
python: sd_utils: pep8 import sorting
selftest: aces: use constant from samba.security
selftest: aces: fix mutable default args in assemble_ace
python: models: Computer constructor automatically adds "$" to account name
netcmd: gmsa: base cli commands for group managed service accounts
netcmd: gmsa: cli commands for managing group msa membership
netcmd: tests: add tests for service-account commands
netcmd: models: move add trustee code to the GMSA model
netcmd: models: move remove trustee code to the GMSA model
netcmd: silos: silo and auth policy commands use print
netcmd: silos: silo and auth policy commands use Query class better
netcmd: models: Model.from_message should be internal
netcmd: models: Rename method to Query._from_message for consistency
netcmd: models: Add a repr method to Query for help in the shell
netcmd: models: Add Person and OrganizationalPerson
netcmd: models: Add optional base_dn argument to Model.query method
netcmd: models: Rename username to account_name for consistency
netcmd: models: rename lookup methods to find for consistency
netcmd: claims: tidy up, avoid setting enabled twice
netcmd: models: ClaimType: move all dunder methods to the top for consistency
netcmd: models: Create ClaimType in the model layer instead
python: samdb: Move get_connecting_user_sid to samdb
python: samdb: Make connecting_user_sid a property
netcmd: models: User.find also tries object_sid
netcmd: models: add User.get_sid_for_principal helper
netcmd: models: allow scope to be overridden in query
netcmd: models: improve Computer constructor adding "$" handling
netcmd: gmsa: create should allow custom SDDL
netcmd: gmsa: fix typo if trustee is not found
netcmd: gmsa: add_trustee and remove_trustee change argument to sid
netcmd: gmsa: add and remove don't fetch trustee if it is a SID
netcmd: gmsa: show viewers also works if SID is not found
python: create domain module to move models into
python: move models out of the netcmd package
python: pep8: fix import sorting after move
python: models: add kwargs to __json__ and as_dict methods
python: models: add Container model
python: fix json encoder should handle Exception
tests: samdb: Make use of the domain_sid property
tests: user: gmsa dNSHostName is a required field
tests: user: fix PEP8 spacing around operator
tests: user: create gmsa with models
tests: models: fix username should be account_name
tests: models: test additional Computer constructor cases
tests: gmsa blackbox tests
python: domain: models: as_dict() should also exclude empty list fields
python: tests: computer model tests should clean up
python: tests: write a test for the Model.as_dict method
python: domain: models: add children method to return a models direct children
python: domain: models: MODELS lookup does need to include base Model for shell command
python: domain: models: move MODELS to registry.py because it's not really a constant
python: domain: models: move OrganizationalPerson to org.py
python: domain: models: add OrganizationalUnit container model
netcmd: gmsa: improve descriptions of --dns-host-name and match docs
netcmd: docs: add documentation for service-account base command
netcmd: docs: add documentation for service-account group-msa-membership commands
netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
netcmd: docs: consistently put <constant> around GROUP and SILO
netcmd: docs: add section headings for auth policies and silos
netcmd: auth silo: turn silo.py into module
netcmd: auth silo: move silo_member.py into silo module
netcmd: auth silo: extract silo base commands into silo.py
netcmd: auth policy: turn policy.py into module
netcmd: auth policy: extract policy base commands into policy.py
netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
netcmd: docs: update documentation for new auth policy command structure
python: tests: fix closing quote in docstring example
python: tests: type check should always use "is" or "is not"
python: lint: remove unused imports in claims and gmsa commands
python: lint: fix pylint R1720 unnecessary "raise" after "else"
netcmd: fix broken shell command missing Model
python: models: rename argument ldb to samdb
python: models: add get_primary_group method to User model
selftest: add test for User.get_primary_group method
Shachar Sharon (8):
vfs_ceph: improve readability of cephwrap_realpath
vfs_ceph: align lines-length with coding standard
vfs_ceph: re-map unimplemented hooks
vfs_ceph: use talloc in realpath hook
vfs_ceph: replace WRAP_RETURN macro with convenience helpers
vfs_ceph: adjust code-style of cephwrap_disk_free
vfs_ceph: explicit cast to uint64_t upon failure of ceph_statfs
vfs_ceph: use consistent code style when setting errno
Shaleen Bathla (4):
s3: winbindd: remove double initialization
s3: winbindd: reduce scope of a variable
s3: winbindd: assign rangenum member after NULL check
s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
Stefan Metzmacher (295):
ctdb/events: use 'service "$CTDB_SERVICE_NMB" status' in 48.netbios.script
ctdb/events: add 47.samba-dcerpcd.script
s3:utils: fix help string for 'net witness force-response'
docs-xml: add details for 'net witness'
smb2_tcon: only announce SMB2_SHARE_CAP_CLUSTER if rpcd_witness can run
smb2_tcon: only announce SMB3 related share capabilities if SMB3 is used
docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"
s3:include: let nameserv.h be useable on its own
s3:include: split out fstring.h
s3:wscript: LIBNMB requires lp_ functions
s3:libsmb/unexpected: don't use talloc_tos() in async code
s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
libcli/nbt: add nbt_name_send_raw()
s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
s4:libcli/dgram: make use of socket_address_copy()
s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
s4:nbt_server: simulate nmbd and provide unexpected handling
s3:libads: avoid changing ADS->server.workgroup
s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages
s3:winbindd: use better debug messages than 'talloc_strdup failed'
s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime
auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
auth/credentials: don't call talloc_free(ccache_name) on callers memory
s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
s3:rpc_client: implement bind time feature negotiation
tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
s4:lib/tls: remove tstream_tls_push_trigger_write step
s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
s4:lib/tls: assert that event contexts are not mixed
s4:lib/tls: split out tstream_tls_prepare_gnutls()
s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
s4:lib/tls: include a TLS server name indication in the client handshake
s4:lib/tls: split out tstream_tls_verify_peer() helper
s4:lib/tls: add tstream_tls_params_client_lpcfg()
s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
s4:lib/tls: add tstream_tls_channel_bindings()
third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
auth/gensec: add gensec_set_channel_bindings() function
auth/ntlmssp: implement channel binding support
s4:gensec_gssapi: implement channel binding support
s3:crypto/gse: implement channel binding support
s4:ldap_server: add support for tls channel bindings
s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
WHATSNEW: document ldap_server ldaps/tls channel binding support
s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c
s3:libads: remove unused include of gensec_internal.h
s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code
s4:ldap_server: remove unused include of gensec_internal.h
docs-xml: add 'tls trust system cas' and 'tls ca directories' options
s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()
s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()
s3:tldap: simplify tldap_gensec_bind.h
s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead
s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv
s3:tldap: store plain and gensec tstream
s3:tldap: add tldap_extended*
s3:tldap: make tldap_gensec_bind_send/recv public
s3:tldap: add support for [START]TLS
s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms
s3:libads: directly use kerberos without asking the server
s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()
s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()
s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer
s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF
s4:lib/tls: add tstream_tls_sync_setup()
s3:libads: add tls_wrapping into openldap
s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
s3:libads: call gensec_set_channel_bindings() for tls connections
smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}
s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND
blackbox/test_net_ads_search_server: also test ldaps/starttls
s3:torture: add '-T 'option=value' this is similar to '--option='=value'
s3:torture: add ldaps/starttls support to run_tldap()
s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls
auth/gensec: remove useless client_use_spnego_principal usage
s4:selftest: remove useless 'client use spnego principal' tests
smbdotconf: finally remove unused "client use spnego principal" option
WHATSNEW: document ldaps/tls related option changes
auth/credentials: add cli_credentials_get_principal_obtained()
auth/credentials: add cli_credentials_get_ccache_name_obtained()
lib/cmdline: skip the password prompt if we have a valid krb5 ccache
auth/credentials: add cli_credentials_get_password_obtained()
auth/credentials: add cli_credentials_get_username_obtained()
s3:client: avoid cli_credentials_get_password() to check for a specified password
auth/gensec: add gensec_kerberos_possible() helper
auth/gensec: add gensec_get_unparsed_target_principal() helper
s4:gensec_gssapi: make use of gensec_kerberos_possible()
s3:gse: make use of gensec_kerberos_possible()
s3:gse: avoid prompting for a password that we don't use in the end
s3:gse: don't call krb5_cc_resolve() as server
lib/krb5_wrap: add smb_krb5_cc_new_unique_memory()
lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache()
auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap()
auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache()
auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache()
auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache()
s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac()
s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache
s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos'
.gitlab-ci-main.yml: debug kernel details of the current runner
tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
s3:libsmb: allow store_cldap_reply() to work with a ipv6 response
s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login()
s3:libads: don't allow ads_kdestroy(NULL) anymore
blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME
tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username
tests/ntlm_auth: Do not set a client_password
s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given
s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password
s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare()
s3:gse: get an explicit ccache_name from creds and kinit if required
s3:libsmb: remove unused cli_session_creds_prepare_krb5()
s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping()
s3:libads: remove unused LIBADS_CCACHE_NAME define
s3:libads: split out ads_legacy_creds()
s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()
s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end
s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name()
s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds()
s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf
s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND
s3:libads: add ads_connect_cldap_only() helper
s3:libsmb: make use of ads_connect_cldap_only()
s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int()
s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads()
s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password()
testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh
s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp
s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect()
s3:libads: remove unused ads->auth.renewable
s3:libads: we only need to gensec_expire_time()...
s3:libads: move ads->auth.time_offset to ads->config.time_offset
s3:libads: fix compiler warning in ads_mod_ber()
s3:libads: add ads_connect_creds() helper
s3:libads: add ads_set_reconnect_fn() and only reconnect if we can get creds
s3:winbindd: make winbindd_get_trust_credentials() public
s3:winbindd: use winbindd_get_trust_credentials()/ads_connect_creds() in winbindd_ads.c
s3:winbindd: make use of samba_sockaddr to avoid compiler warnings
s3:winbindd: make use of winbindd_get_trust_credentials() in _winbind_LogonControl_TC_VERIFY()
s3:winbindd: make use of winbindd_get_trust_credentials() in idmap_ad.c
s3:utils: let net_update_dns_internal() set status before goto done in all cases
lib/addns: rewrite signed dns update code to use gensec instead of plain gssapi
s3:libads: add ads_connect_simple_anon() helper
s3:libads: make use of ads_connect_simple_anon() in ldap.c where possible
s3:libads: add ads_simple_creds() helper
s3:libads: add ads_connect_machine() helper
s3:printing: make use of ads_connect_machine()
libgpo/pygpo: make use of ads_connect_{creds,machine}()
s3:lib/netapi: add libnetapi_get_creds()
s3:lib/netapi: make use of ads_simple_creds/libnetapi_get_creds in NetGetJoinableOUs_l
s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx()
s3:net_offlinejoin: we don't need to call libnetapi_set_use_kerberos() as we already passed cli_credentials
s3:net: correctly implement --use-ccache as legacy for --use-winbind-ccache for 'net'
s3:net: add net_context->explicit_credentials to check if credentials were passed
s3:net: make use of c->explicit_credentials in order to check for valid credentials
s3:net_rpc: make use of !c->explicit_credentials for NET_FLAGS_ANONYMOUS
s3:net: remove useless net_prompt_pass() wrapper
s3:net_ads: use cli_credentials_get_principal() in order to call kerberos functions
s3:net_ads: use ADS_SASL_SEAL by default, so that we always get encryption
s3:net_ads: require kerberos if we use ads_krb5_set_password() in ads_user_add()
s3:libads: remove unused kdc_host argument of ads_krb5_set_password()
s3:libads: remove krb5_set_real_time() from ads_krb5_set_password()
s3:libads: remove unused kdc_host and time_offset arguments to ads_krb5_chg_password()
s3:libads: remove unused kdc_host and time_offset arguments to kerberos_set_password()
s3:libads: kerberos_set_password() don't need to kinit before ads_krb5_chg_password()
s3:libads: let ads_krb5_set_password() require an explicit krb5 ccache to operate on
s3:net_ads: make use of ads_connect_{cldap_only,creds}() in ads_startup_int()
s3:net_ads: remove unused use_in_memory_ccache()
s3:include: remove unused krb5_env.h
s3:net: remove unused net_context->opt_kerberos
s3:net: remove unused net_context->smb_encrypt
s3:net: finally remove net_context->opt_{user_specified,user_name,password}
s3:libads: finally remove unused ads_connect[_user_creds]() and related code
krb5_wrap: let ads_krb5_cli_get_ticket() require an explicit krb5 ccache
s3:libads: let kerberos_kinit_password_ext() require an explicit krb5 ccache
krb5_wrap: add smb_force_krb5_cc_default[_name]() wrappers
krb5_wrap: let smb_krb5_renew_ticket() use smb_force_krb5_cc_default_name()
smbspool_krb5_wrapper: remove unused includes
smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name()
smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name()
auth/credentials_krb5: use system/{gssapi,kerberos}.h
auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default()
lib/replace: make sure krb5_cc_default[_name]() is no longer used directly
s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash
s3:libnet: split out parse_user() in libnet_dssync_keytab.c
s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c
s3:libnet: add support for trusted domains in libnet_dssync_keytab.c
s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()
s4:kdc: split out samba_kdc_fill_trust_keys() helper
s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry()
s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry()
s4:kdc: split out samba_kdc_fill_trust_keys() helper
s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA
s4:kdc: also provide cross-realm keys via samba_kdc_seq()
s4:libnet_export_keytab: add only_current_keys option
samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep()
samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option
test_kinit_export_keytab: reset pw of the test account and test --only-current-keys
s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables
smbXcli_base: add hacks to test anonymous signing and encryption
s4:libcli/smb2: add hack to test anonymous signing and encryption
s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
s3:utils: remove unused signing_flags in connections_forall()
s3:lib: let sessionid_traverse_read() report if the session was authenticated
s3:utils: let connections_forall_read() report if the session was authenticated
s3:utils: let smbstatus also report AES-256 encryption types for tcons
s3:utils: let smbstatus also report partial tcon signing/encryption
s3:smbd: allow anonymous encryption after one authenticated session setup
s3:utils: let smbstatus report anonymous signing/encryption explicitly
lib/addns: remove unused kerberos/gssapi includes in dns.h
python:tests/dns_base: generate a real signature in bad_sign_packet()
python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
python:tests/dns_base: let dns_transaction_tcp() handle short receives
python:tests/dns_base: add self.assert_echoed_dns_error()
python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
python:tests/dns_base: pass tkey_trans(expected_rcode)
python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
python:tests/dns_base: maintain a dict with tkey related state
python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
python:tests/dns_tkey: add gss.microsoft.com tsig updates
python:tests/dns_tkey: test bad and changing tsig algorithms
python:tests/dns_base: let verify_packet() work against Windows
python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
python:tests/dns_base: add get_unpriv_creds() helper
s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
python:tests/dns_tkey: add test_update_tsig_record_access_denied()
s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
s4:dns_server: use the client provided algorithm for the fake TSIG structure
s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
s4:dns_server: dns_verify_tsig should return REFUSED on error
s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c
s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'
s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
test_recycle.sh: make sure we don't see panics on the log files
TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
vfs_recycle: don't unlink on allocation failure
vfs_recycle: directly allocate smb_fname_final->base_name
vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()
vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()
vfs_recycle: fix memory hierarchy
Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()"
vfs_recycle: remember resolved config->repository in vfs_recycle_connect()
testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
smbd: correctly restore ENOENT if fstatfs() modifies it
python:tests: pass bytes.decode() instead of str(bytes) to assertMultiLineEqual() to get better failure output
libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2()
selftest:Samba3: add simpleserver globals before include = global_inject.conf
selftest:Samba3: allow lanman auth in setup_nt4_member
s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests
s3:passdb: don't clear the LM HASH without a password change
third_party/pam_wrapper: add pam_matrix module
s3:auth: let smb_pam_conv() handle resp=NULL
selftest: setup pam_matrix in the simpleserver env
s3:auth: allow real plaintext authentication
python:tests: make test_export_keytab_nochange_update() more reliable
selftest:Samba3: don't use PAM_WRAPPER_KEEP_DIR and PAM_WRAPPER_DEBUGLEVEL
s3:tests: let modprinter.pl use $TMPDIR
Vinit Agnihotri (26):
ctdb-protocol: Add new event startipreallocate
ctdb-daemon: Implement startipreallocate event
ctdb-protocol: Add new control CTDB_CONTROL_START_IPREALLOCATE
ctdb-server: Implement CTDB_CONTROL_START_IPREALLOCATE
ctdb-takeover: Use CTDB_CONTROL_START_IPREALLOCATE
ctdb: send a CTDB_SRVID_START_IPREALLOCATE message after CTDB_EVENT_START_IPREALLOCATE
ctdb-scripts: Add handling for startipreallocate
ctdb-client: Remove unused function
ctdb-doc: Factor out grace period function
ctdb-doc: Put NFS in grace on startipreallocate
ctdb-scripts: Remove unnecessary 06.nfs.script
ctdb-scripts: Remove usage of releaseip-pre, takeip-pre pseudo-events
smbd-server: Set event callback for interface change notification
lib-addrchange: Change API to fill up if_index value from netlink msg
lib-interface: Add new API to validate interface info for given interface index
smbd-server: Open socket for additional ip address
smbd-server: Handle ip drop event and close listening socket
messaging: Add new SMBD message
smbd-server: Use MSG_SMB_IP_DROPPED
param: Add additional key 'options' for interfaces
lib-interface: Add extra parameter 'options' to interface definition
lib-interface: Add parsing for interface 'options'
lib-interface: Change API for interface 'options'
smbd-server: Process ip add/drop events for options:dynamic only
ctdb-scripts: Rename and relocate function get_all_interfaces()
ctdb-scripts: Add options to generate smb.conf interfaces include file
Volker Lendecke (233):
smbd: Remove unused declarations in smbXsrv.idl
smbd: Simplify fsp_fullbasepath()
smbd: Modernize a DEBUG statement
smbd: Add conn_protocol()
smbd: Remove the last use of get_Protocol()
smbd: Remove get_Protocol()
lib: Make GUID_to_ndr_buf() return void
libsmb: Simplify an if-condition
lib: Simplify copy_unix_token()
torture: Fix an error message
smbd: Add parentheses for easier readability
lib: Simplify _hexcharval
smbXsrv_version: Modernize DEBUG statements
smbXsrv_version: Use a struct assignment instead of ZERO_STRUCT
smbXsrv_version: Remove unused smbXsrv_version_global0->db_rec
smbXsrv_version: Use a struct assignment
smbd: Fix a comment
auth: Simplify smb_krb5_send_to_kdc_state_destructor()
vfs: Fix a typo
smbd: Give smbXsrv_session.c its own header file
smbd: Fix and modernize a few DBG statements
smbd: Fix a typo
tools: Fix whitespace
smbd: Avoid a ZERO_STRUCT() with direct struct initialization
smbd: Fix a DBG message
ctdb: Remove an unnecessary cast
lib: Remove timeval_until()
lib: Remove timeval_set()
smbd: Simplify users of fsp_fullbasepath()
smbd: Make read_symlink_reparse() return a reparse_data_buffer
smbd: Fix returning symlink stat info in the NO_OPATH case
smbd: Remove "st" from struct open_symlink_err
smbd: Remove "unparsed" from struct open_symlink_err
smbd: Remove struct open_symlink_err
smbd: Remove an outdated comment
lib: Fix whitespace
lib: Give tallocmsg.c its own header
lib: Fix dbwrap_tdb.h prerequisites
lib: Fix whitespace
lib: Use struct initialization in imessaging_client_init()
smbXsrv_session: Use struct initialization
smbXsrv_session: Remove two implicit NULL initializations
smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
smbXsrv_session: Remove a "can't happen" NULL check
smbd: Remove an obsolete comment
smbd: Save 3 lines
smbd: Simplify an if-condition
lib: Give lib/util/util_file.c its own header file
lib: Add fdopen_keepfd()
rpc_server3: Use fdopen_keepfd()
lib: Use fdopen_keepfd()
ctdb: Use stdio's getline() in ctdb_connection_list_read()
ctdb: Remove common/line.[ch]
ctdb: Modernize a few DEBUGs
smbd: Change protocol selection to not use "sconn->using_smb2"
smbd: Add conn_using_smb2()
smbd: Remove sconn->using_smb2
lib: Remove an obsolete comment
smbd: Simplify call_trans2qpathinfo()
smbd: Simplify smb_q_posix_symlink()
smbd: Simplify smb_set_file_unix_link()
smbd: Slightly simplify notifyd_send_delete()
Fix a few "might be uninitialized" errors
smbd: Save a few bytes of .text
libsmb: Remove unused setup_stat_from_stat_ex()
lib: Fix whitespace
smbd: Some README.Coding in smbXsrv_session
smbd: Simplify an if-condition
smbd: Simplify smbXsrv_open_purge_replay_cache()
smbd: Simplify smbXsrv_open_clear_replay_cache()
smbd: Do an early TALLOC_FREE in smbXsrv_client_global_init()
smbd: Save a few lines in smbXsrv_client_global_init()
smbd: Use direct struct initialization in smbXsrv_client
smbd: Fix a copy&paste error in smbXsrv_client_remove()
libsmb: Slightly simplify py_cli_list()
pylibsmb: Return reparse_tag from directory listing
pylibsmb: clang-format for the calls to Py_BuildValue()
pylibsmb: Avoid talloc()
passdb: Use getline(3) to read our old machine sid
vfs: Convert return_data from char * to uint8_t
lib: Convert push_file_id_16 to take uint8_t instead of char
smbd: Simplify sending oplock_break_message
smbd: Fix a typo
smbd: Use struct oplock_break_message for MSG_CLOSE_FILE
smbd: Remove message_to_share_mode_entry and vice versa
smbd: Use struct oplock_break_message for MSG_SMB_KERNEL_BREAK
smbd: Remove unused [push_pull]_file_id_24
smbd: Return FILE_ATTRIBUTE_REPARSE_POINT from "user.DOSATTRIB"
reparse: Tighten reparse point length check
smbd: Change the output of fsctl_get_reparse_point to uint8
smbd: Prepare to return the reparse tag from fsctl_get_reparse_point
smbd: Use reparse_buffer_check() in fsctl_set_reparse_point()
selftest: Default to "tmp" share in reparsepoints.py
tests: Clarify a reparse point test
tests: Codify IO_REPARSE_TAG_MISMATCH behaviour
tests: Clean up behind ourselves in test_create_reparse
smbd: Implement fsctl_get_reparse_point
smbd: Implement fsctl_set_reparse_point
tests: Expected failures in reparse point tests should not be errors
tests: Run reparse tests
tests: Test FSCTL_DELETE_REPARSE_POINT
smbd: Implement FSCTL_DELETE_REPARSE_POINT
test: Align integer types
smbd: Modernize a DEBUG
libsmb: Use SMB2_0_INFO_SECURITY instead of the raw "3"
libsmb: Use SMB2_0_INFO_FILE instead of the raw "1"
libsmb: Convert cli_qfileinfo to use FSCC levels
libsmb: Add a tevent_req_received() where appropriate
libsmb: Add smb2 branch to cli_qfileinfo
libsmb: Remove smb2 branch from cli_qfileinfo_basic_send
pylibsmb: Add FSCC QUERY_INFO levels
pylibsmb: Add py_cli_qfileinfo
tests: get TAG_INFORMATION
smbd: Fix a DBG
smbd: Return reparse tag as of MS-FSCC 2.4.6
smbd: Add DEBUG message got get_reparse_point
libsmb: Use the direct FSCC_FILE_ALL_INFORMATION define
libsmb: Cap max_rdata at UINT16_MAX
smbd: Modernize a few DEBUGs
smbd: Add fsctl_get_reparse_tag() helper function
smbd: Use fsctl_get_reparse_tag in fsctl_set_reparse_point
smbd: Use fsctl_get_reparse_tag in fsctl_del_reparse_point
smbd: Test reparse tag in smb3_posix_cc_info
smbd: Add reparse tag to smb3_posix_cc_info
smbd: Remove an obsolete comment
smbd: Simplify check_parent_access_fsp()
g_lock: Fix buffer length check in g_lock_parse()
smbd: Modernize a few DEBUGs
smbd: Fix a typo in a few places
smbd: Modernize a few DEBUGs
smbd: Move a DBG_DEBUG up
smbd: Fix whitespace
smbd: Remove the ZERO_ZERO define
smbd: Use direct struct initialization
smbd: Return correct error for fallback sendfile
smbd: Remove an unnecessary else branch
smbd: Remove a no-op call to init_strict_lock_struct
smbd: Remove an unnecessary else
smbd: Remove an unused function parameter
libsmb: Use the direct FSCC_ infolevels
libsmb: Avoid pointless intermediate variables
lib: Fix a typo
libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
libsmb: Use SMB2_0_INFO_ constants instead of magic numbers
libsmb: Remove unused cli_list_trans()
libsmb: Remove an unneeded NULL check
libsmb: Remove a talloc_strdup()
lib: Use struct initialization
smbd: Simplify request_timed_out
libsmb: Remove file_info->[ug]id
libsmb: Slightly simplify cli_session_creds_init
creds: Add cli_credentials_add_gensec_features
lib: Use cli_credentials_add_gensec_features in a few places
torture: Remove some pointless local variables
gensec: Simplify gensec_security_by_*
gensec: Refactor gensec_security_mechs()
gensec: Filter out disabled mechs in gensec_security_mechs()
gensec: Simplify gensec_security_by_fn()
libsmb: Use SMB2_0_INFO_SECURITY instead of raw "3"
smbd: Fix whitespace
winbind: Modernize a few DEBUGs
wbclient: Fix a typo
lib: gensec.h references NTTIME, add time.h
lib: Use unsigned long in ber_write_OID_String
lib: Use talloc_asprintf_addbufin _ber_read_OID_String_impl
lib: Fix an error path memleak
lib: Align an integer type
tests: Check that query_directory lists the reparse tag
smbd: list reparse tag in QUERY_DIRECTORY
torture4: Fix some whitespace
heimdal_build: Fix whitespace
tdb: Fix a typo
lib: Remove pointless \ line endings
libsmb: "clang-format" for an if-condition
gse: Avoid explicit ZERO_STRUCT in gse_errstr()
gse: Simplify gse_errstr() with talloc_asprintf_addbuf()
gensec: Fix whitespace
spnego: Fix typos
credentials: Protect the cred's nt hash with talloc_keep_secret
smbd: Fix DEBUG messages
tdb: Update times in tdb_transaction_commit per fd, not per name
lib: Move 286 bytes from R/W data to R/O text segment
lib: Avoid an includes.h
smbd: Simplify smbd_do_qfilepathinfo()
lib: Align an integer type
smbd: Modernize a DEBUG
smbd: Simplify notify_filter_string
smbd: Simplify callers of notify_filter_string
smbd: Fix crossing automounter mount points
smbd: Modernize a DEBUG
smbd: Align an integer type
smbd: Don't leave a pointer variable uninitialized
vfs: Fix typos
smbd: Modernize a DEBUG
smbd: Simplify copy_stat_ex_timestamps
smbd: Simplify init_smb_file_time
smbd: Remove an obsolete comment
smbd: Simplify filename_convert_dirfsp_nosymlink
smbd: Simplify fdos_mode
smbd: Simplify dos_mode_from_sbuf
smbd: Print reparse_point in dos_mode_debug_print
smbd: Avoid a cast
smbd: Remove some unused code
smbd: Simplify reopen_from_fsp
smbd: Simplify smbd_do_qfsinfo with direct struct initialization
librpc: Make NDR_PRINT_DEBUG call just one DEBUG
smbd: Fix cached dos attributes
smbd: Rename symlink_target_path to _symlink_target_path
libcli: New routine symlink_target_path for [MS-SMB2] 2.2.2.2.1.1
smbd: Use new symlink_target_path routine
docs: "share:fake_fscaps" is per share, not global
lib: Remove unused strnrchr_m
lib: Remove unused strnrchr_w
lib: Remove a few duplicate prototypes
smbd: Don't talloc_zero where we assign the struct a line below
lib: Add general py_reparse_get parsing routine
tests: Remove a pointless ;
tests: Use the general py_reparse_get
lib: Remove unused py_reparse_symlink_get
vfs: xattr calls give EBADF for sockets
tests: Run reparsepoint tests in fileserver_smb1
tests: FIFOs should be shown as NFS reparse points
smbd: Add DBG to return tag for SMB_FILE_ATTRIBUTE_TAG_INFORMATION
smbd: Turn file type handling in fdos_mode into a switch
smbd: Show fifos as reparse points in fdos_mode
smbd: Turn an if-statement getting reparse points into a switch
smbd: Report FIFOs as NFS style reparse points
tests: Factor out do_test_nfs_reparse
tests: Sockets should be shown as NFS reparse points
smbd: Show sockets as reparse points in fdos_mode
smbd: Factor out fsctl_get_reparse_point_int
smbd: Report sockets as NFS style reparse points
smbd: Show blk and chr devices as nfs reparse points
Xavi Hernandez (1):
Fix starvation of pending writes in CTDB queues
yuzu367 (1):
python/samba/tests/blackbox: Add tests for Inherit-only flag propagation
-----------------------------------------------------------------------
--
Samba Shared Repository