[Pkg-samba-maint] [samba] branch upstream_4.3 updated (9b35890 -> 7877404)
Jelmer Vernooij
jelmer at moszumanska.debian.org
Mon May 2 14:50:19 UTC 2016
This is an automated email from the git hooks/post-receive script.
jelmer pushed a change to branch upstream_4.3
in repository samba.
omits 9b35890 Imported Upstream version 4.3.8+dfsg
omits 4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.
omits 10e9011 WHATSNEW: Add release notes for Samba 4.3.8.
omits ad9257b s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
omits caa886e VERSION: Bump version up to 4.3.8...
omits 6597749 VERSION: Disable git snapshots for the 4.3.7 release.
omits 17e1b9f WHATSNEW: Add release notes for Samba 4.3.7.
omits 0e2bcca CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
omits 9ec6afa CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
omits 21fe775 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
omits a141a37 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
omits 6ac5ad0 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
omits 51a4a8f CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
omits cd2911f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
omits ac0d474 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
omits 4449c51 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
omits 365fffe CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
omits bc001b0 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
omits 7ab9a8c CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
omits 7f2d791 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
omits 73550f4 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
omits 46ddaf3 CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
omits f3a67c2 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
omits 278cdd1 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
omits adaf1ae CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
omits 14d97d4 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
omits dbcd01e CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
omits 3f6a270 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
omits 11df891 CVE-2015-5370: s3:rpc_server: verify presentation context arrays
omits 9832a22 CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
omits e1b75bc CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
omits 84cbf3d CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
omits d11c5d3 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
omits 476c2f5 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
omits 8695339 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
omits a4a828e CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
omits db297a7 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
omits 905313c CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
omits 0cf8404 CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
omits e87721a CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
omits 8e691e7 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
omits f606cfd CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
omits f39183c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
omits 28d558e CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
omits db30949 CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
omits cce7265 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
omits 795b44e CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
omits 67e2661 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
omits f77f9bf CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
omits 3239e26 CVE-2015-5370: s4:rpc_server: check frag_length for requests
omits d249ce6 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
omits 0e26f3c CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
omits 6ed0ef7 CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
omits 615019f CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
omits e0b58a1 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
omits cf0a939 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
omits f0d318f CVE-2015-5370: s4:rpc_server: don't dereference an empty ctx_list array in dcesrv_alter()
omits 6228c53 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
omits a7d02ec CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
omits 1d99eec CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
omits 6b2d064 CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
omits 26ad208 CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
omits 2ed603a CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
omits e9511b5 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
omits 5ab994c CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
omits 6db7571 CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
omits 9f62223 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
omits 4ea6765 CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
omits 8ba1be0 CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
omits 69e1d93 CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
omits 5eb3b63 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
omits 3165b23 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
omits 563d8fe CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
omits fd3b82e CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
omits 1077b50 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
omits 5325276 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
omits f8b98b3 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
omits 16e3a4c CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
omits 308543b CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
omits 08f976d CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
omits 0235d72 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
omits df2dcc1 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
omits 443e00f CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
omits 1551c41 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
omits 9b9d307 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
omits 735d4ba CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
omits 21b9022 CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
omits 821d484 CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
omits 447f9f1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
omits 220e4ca CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
omits e6da619 CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
omits 3df2b07 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
omits 0899c0a CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
omits 71c2c21 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
omits e39b737 CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
omits 5be0fb1 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
omits f64b017 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
omits 47d8c31 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
omits 1c7be37 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
omits 82dd128 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
omits e96791f CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
omits 6602e7e CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
omits 45a9ca1 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
omits e9718e2 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
omits 4762d25 CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
omits 1ac5f37 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
omits 3ba93ce CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
omits a2d14bb CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
omits 6045947 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
omits 8f219a0 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
omits 7869c5f CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
omits 20e4023 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
omits ca98500 CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
omits 7b93802 CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
omits e7be37e CVE-2016-2118(<=4.3) docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
omits 979067f CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
omits 101e8e8 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
omits 9ae9c64 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
omits d5659c7 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
omits 0a3d923 CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
omits 9bfa937 CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
omits 5eb6341 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
omits e8dc268 CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
omits 31e7611 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
omits fa2630f CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
omits 2d68100 CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
omits cdad358 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
omits b66500f CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
omits 27c66c4 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
omits 9339d90 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
omits 38552d7 CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
omits bdff08d CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
omits 2b23bc3 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
omits 5859266 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
omits e0588d9 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
omits 2220923 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
omits 60851a0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
omits 7903203 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
omits c21c9a3 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
omits 2c13697 CVE-2016-2115(<=4.3): docs-xml: add "client ipc signing" option
omits 668cc85 CVE-2016-2115: docs-xml: add "client ipc signing" option
omits 9fa185c CVE-2016-2115(<=4.3): docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
omits 2f7d773 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
omits 25b05a8 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
omits 8611441 CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
omits 7c6c666 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
omits 67f8524 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
omits 2217276 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
omits 641cbcc CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
omits d778580 CVE-2016-2113: selftest: use "tls verify peer = no_check"
omits dc4f8d0 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
omits fdac236 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
omits 389b15e CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
omits 54a039d CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
omits c20ee1b CVE-2016-2113(<=4.3): docs-xml: add "tls verify peer" option defaulting to "no_check"
omits fc02668 CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
omits 9ca8e88 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
omits 27f1625 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
omits 104a691 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
omits a027a87 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
omits 8dad04c CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
omits c7f2a10 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
omits 90cc943 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
omits 963236f CVE-2016-2112(<=4.3): docs-xml: add "ldap server require strong auth" option
omits b012535 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
omits e9cfd12 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
omits 5172192 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
omits 6977700 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
omits e072666 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
omits b723d97 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
omits a8c60aa CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
omits 60647fa CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
omits dbdd9cb CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
omits ff1e470 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
omits e260f6a CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
omits 3643bc9 CVE-2016-2111(<=4.3): docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
omits 3dbb32c CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
omits eaabdc1 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
omits f319256 CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
omits f22b75d CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
omits a1ae538 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
omits 5dbffb8 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
omits b6899e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
omits 8e1e621 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
omits 9784d68 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
omits 473bbfa CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
omits 984d024 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
omits 5074d1e CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
omits 7434b8d CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
omits 630e39d CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
omits b9b3b1e CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
omits 2f393b3 CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
omits fb8bb0f CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
omits b76361d CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
omits a6d1056 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
omits fc9df72 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
omits 95a1c91 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
omits 39dd2c6 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
omits 299b49f CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
omits a278c35 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
omits 1cc7fbe CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
omits 8cae040 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
omits b5e95cc CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
omits 3ae39af CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
omits f32ad5c CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
omits 3673533 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
omits 9440fa8 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
omits efe18dc CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
omits 0e3bb02 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
omits 8714377 CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
omits 677e214 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
omits 2ee222b CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
omits a7a0d2e CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
omits d29c945 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
omits 4e5c214 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
omits f914050 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
omits 8df0d59 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
omits 25f0a4c s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
omits cce2e6a s3:rpc_server/samr: correctly handle session_extract_session_key() failures
omits 343637b s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
omits ba36c3f libads: Fix CID 1356316 Uninitialized pointer read
omits e681d11 libsmb: Fix CID 1356312 Explicit null dereferenced
omits 656795b s3-auth: check for return code of cli_credentials_set_machine_account().
omits 6db7be4 s4-smb_server: check for return code of cli_credentials_set_machine_account().
omits bca3039 s4:rpc_server: require access to the machine account credentials
omits a6e7f49 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
omits c0beb87 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
omits 5cdddba s4:torture/rpc/schannel: don't use validation level 6 without privacy
omits 61a09ae s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
omits 1cd3836 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
omits 8665944 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
omits 46f52e7 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
omits 1103a6b s3:test_rpcclient_samlogon.sh: test samlogon with schannel
omits 6a3a45d s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
omits 3f05c5a selftest: setup information of new samba.example.com CA in the client environment
omits 1311631 selftest: set tls crlfile if it exist
omits 739e896 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
omits 0ad8ef8 selftest: add Samba::prepare_keyblobs() helper function
omits f058da2 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
omits 8be3031 selftest: add CA-samba.example.com (non-binary) files
omits 08976c4 selftest: add config and script to create a samba.example.com CA
omits 158e06d selftest: add some helper scripts to manage a CA
omits f91a66f selftest: s!addc.samba.example.com!addom.samba.example.com!
omits 1346b27 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
omits 663ec33 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
omits 5182c93 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
omits 44e2da8 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
omits fd1e4ec s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
omits 32ad277 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
omits e09c17a s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
omits 2d6afd9 s3:libsmb: remove unused functions in clispnego.c
omits 979fc6a s3:libsmb: remove unused cli_session_setup_kerberos*() functions
omits 8a1d0a9 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
omits 70d546d s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
omits c4c3bd6 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
omits 1498885 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
omits e8b6ef4 s3:libsmb: unused ntlmssp.c
omits bbc4eb8 s3:libsmb: make use of gensec based SPNEGO/NTLMSSP
omits 59b8032 s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
omits d19d039 s3:libads: keep service and hostname separately in ads_service_principal
omits e952e63 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
omits 3d3725b s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
omits 4cbf13e s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
omits c63d32b s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
omits 383d18d s3:libads: add missing TALLOC_FREE(frame) in error path
omits 95461fb s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
omits e2bea35 s4:selftest: simplify the loops over samba4.ldb.ldap
omits ccc1c51 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
omits b000387 s4:libcli/ldap: fix retry authentication after a bad password
omits 58478f4 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
omits debafe8 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
omits 1016c9d auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
omits 294ef73 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
omits 6d08a2a auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
omits 192d5be auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
omits 3136ede librpc/ndr: add ndr_ntlmssp_find_av() helper function
omits 30b4e8f ntlmssp.idl: make AV_PAIR_LIST public
omits 983edc9 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
omits c3392f3 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
omits 00fbd5b auth/ntlmssp: use ntlmssp_version_blob() in the server
omits 3a52567 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
omits 9419ce6 auth/ntlmssp: add ntlmssp_version_blob()
omits a575c5e auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
omits c8059be auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
omits 34ce552 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
omits 6d18d46 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
omits 3938b90 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
omits db7e894 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
omits aea667c winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
omits 6ee35d9 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
omits 81745b6 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
omits 7303a10 auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
omits 7fcefea auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
omits 3585e41 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
omits 993420f s3:auth_generic: make use of the top level NTLMSSP client code
omits cb7bf55 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
omits c9d2b8d s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
omits 0f54d60 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
omits 2dac558 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
omits 8800015 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
omits 33f7f44 auth/ntlmssp: add gensec_ntlmssp_server_domain()
omits aa0ed80 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
omits 14b2a51 s3:auth_generic: add auth_generic_client_start_by_sasl()
omits a0feacf s3:auth_generic: add auth_generic_client_start_by_name()
omits 9e42312 auth/gensec: make gensec_security_by_name() public
omits 35f80cf auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
omits 2e6af15 auth/gensec: keep a pointer to a possible child/sub gensec_security context
omits b474d13 s4:pygensec: make sig_size() and sign/check_packet() available
omits f702a9e s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
omits 5a046d5 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
omits 47272c3 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
omits 2b351b7 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
omits 91e2717 s3:librpc/gse: fix debug message in gse_init_client()
omits 4357b22 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
omits 88a09dc wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
omits 0555445 s3:libads: remove unused ads_connect_gc()
omits 49a7697 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
omits 3121494 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
omits e7595fa dcerpc.idl: make WERROR RPC faults available in ndr_print output
omits 0117f64 epmapper.idl: make epm_twr_t available in python bindings
omits 0d53d8a s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
omits 16e14f9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
omits 7f24c0b lib/util_net: add support for .ipv6-literal.net
omits 6b6fbcf lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
omits a70f620 spnego: Correctly check asn1_tag_remaining retval
omits 5530d91 s4:torture/ntlmssp fix a compiler warning
omits 7019a9c s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
omits 14f4002 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
omits 97ac363 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
omits a54b256 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
omits 109618b s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
omits 1865f12 ntlmssp: when pulling messages it is important to clear memory first.
omits 42c2d63 ntlmssp: properly document version defines in IDL (from MS-NLMP).
omits 1e0e8d6 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
omits 5b4999a ntlmssp: add some missing defines from MS-NLMP to our IDL.
omits e73cfb9 tls: increase Diffie-Hellman group size to 2048 bits
omits 24c6d42 s3:pam_smbpass: remove unused dependency to LIBNTLMSSP
omits 62e5169 s3:clispnego: fix confusing warning in spnego_gen_krb5_wrap()
omits 5bbf46e s3: smbclient: asn1_extract_blob() stops further asn1 processing by setting has_error.
omits 83b6653 asn1: Make 'struct asn1_data' private
omits 66ea451 asn1: Remove a reference to asn1_data internals
omits c27fd04 libcli: Remove a reference to asn1->ofs
omits 9c89afd lib: Use asn1_current_ofs()
omits 95fa77f asn1: Add asn1_current_ofs()
omits 54aecd7 lib: Use asn1_has_nesting
omits 9ac8312 asn1: Add asn1_has_nesting
omits 2b11481 lib: Use asn1_extract_blob()
omits a44d9bb asn1: Add asn1_extract_blob()
omits 274c9a4 lib: Use asn1_set_error()
omits a330540 asn1: Add asn1_set_error()
omits 89d0afc lib: Use asn1_has_error()
omits 4b04663 asn1: Add asn1_has_error()
omits d51a607 asn1: Make "struct nesting" private
omits 6d2f6e1 asn1: Add some early returns
omits bb6607a asn1: Add overflow check to asn1_write
omits 7ef1333 asn1: Make asn1_peek_full_tag return 0/errno
omits 980785a asn1: Remove an unused asn1 function
omits b5c5fec Prevent a crash in Python modules that try to authenticate by ensuring we reject cases where credentials fields are not initialized.
omits a06c22f VERSION: Bump version up to 4.3.7...
omits c7a93d7 VERSION: Disable git snapshots for the 4.3.6 release.
omits d6bd81e WHATSNEW: Add release notes for Samba 4.3.6.
omits b428ecb CVE-2016-0771: tests/dns: Remove dependencies on env variables
omits 7a11d99 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
omits 0dea999 CVE-2016-0771: tests: rename test getopt to get_opt
omits ad5e885 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
omits 2b4c7db CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
omits eb46848 CVE-2016-0771: tests/dns: modify tests to check via RPC
omits 63103d1 CVE-2016-0771: tests/dns: Add some more test cases for TXT records
omits 3bca5fc CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
omits 4011a52 CVE-2016-0771: tests/dns: restore formerly segfaulting test
omits 9f7a2a1 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
omits 51ac36e CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
omits 18faca0 CVE-2016-0771: tests/dns: prepare script for further testing
omits 3196b9e CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
omits 1c69840 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
omits df431a3 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
omits 7693d68 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
omits efaf509 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
omits 7ee8a4c CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
omits c68280d CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
omits ceb6dcc CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
omits 444ba8f CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
omits 25963b1 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
omits 63ae57f CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
omits 062876f CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
omits e27f9a4 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
omits 2907193 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
omits 0be03f1 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
omits 774e210 CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
omits fa1c482 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
omits 76f6cf5 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
omits c23f677 VERSION: Bump version up to 4.3.6...
This update removed existing revisions from the reference, leaving the
reference pointing at a previous point in the repository history.
 * -- * -- N   refs/heads/upstream_4.3 (7877404)
            \
             O -- O -- O   (9b35890)
Any revisions marked "omits" are not gone; other references still
refer to them. Any revisions marked "discards" are gone forever.
No new revisions were added by this update.
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 561 -----
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 4 -
auth/gensec/gensec_internal.h | 7 -
auth/gensec/gensec_start.c | 18 +-
auth/gensec/gensec_util.c | 2 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 301 +--
auth/ntlmssp/gensec_ntlmssp.c | 9 -
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 -
auth/ntlmssp/ntlmssp_client.c | 534 +---
auth/ntlmssp/ntlmssp_ndr.c | 1 -
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 424 +---
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 -
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 -
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 -
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 -
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 -
.../security/allowdcerpcauthlevelconnect.xml | 27 -
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 -
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 -
docs-xml/smbdotconf/security/clientsigning.xml | 12 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 -
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 -
docs/manpages/dbwrap_tool.1 | 4 +-
docs/manpages/eventlogadm.8 | 4 +-
docs/manpages/findsmb.1 | 4 +-
docs/manpages/idmap_ad.8 | 4 +-
docs/manpages/idmap_autorid.8 | 4 +-
docs/manpages/idmap_hash.8 | 4 +-
docs/manpages/idmap_ldap.8 | 4 +-
docs/manpages/idmap_nss.8 | 4 +-
docs/manpages/idmap_rfc2307.8 | 4 +-
docs/manpages/idmap_rid.8 | 4 +-
docs/manpages/idmap_script.8 | 4 +-
docs/manpages/idmap_tdb.8 | 4 +-
docs/manpages/idmap_tdb2.8 | 4 +-
docs/manpages/libsmbclient.7 | 4 +-
docs/manpages/lmhosts.5 | 4 +-
docs/manpages/log2pcap.1 | 4 +-
docs/manpages/net.8 | 4 +-
docs/manpages/nmbd.8 | 4 +-
docs/manpages/nmblookup.1 | 4 +-
docs/manpages/ntlm_auth.1 | 4 +-
docs/manpages/pam_winbind.8 | 4 +-
docs/manpages/pam_winbind.conf.5 | 4 +-
docs/manpages/pdbedit.8 | 4 +-
docs/manpages/profiles.1 | 4 +-
docs/manpages/rpcclient.1 | 4 +-
docs/manpages/samba-regedit.8 | 4 +-
docs/manpages/samba-tool.8 | 4 +-
docs/manpages/samba.7 | 4 +-
docs/manpages/samba.8 | 4 +-
docs/manpages/sharesec.1 | 4 +-
docs/manpages/smb.conf.5 | 227 +-
docs/manpages/smbcacls.1 | 4 +-
docs/manpages/smbclient.1 | 4 +-
docs/manpages/smbcontrol.1 | 4 +-
docs/manpages/smbcquotas.1 | 4 +-
docs/manpages/smbd.8 | 4 +-
docs/manpages/smbget.1 | 4 +-
docs/manpages/smbgetrc.5 | 4 +-
docs/manpages/smbpasswd.5 | 4 +-
docs/manpages/smbpasswd.8 | 4 +-
docs/manpages/smbspool.8 | 4 +-
docs/manpages/smbspool_krb5_wrapper.8 | 4 +-
docs/manpages/smbstatus.1 | 4 +-
docs/manpages/smbta-util.8 | 4 +-
docs/manpages/smbtar.1 | 4 +-
docs/manpages/smbtree.1 | 4 +-
docs/manpages/testparm.1 | 4 +-
docs/manpages/vfs_acl_tdb.8 | 4 +-
docs/manpages/vfs_acl_xattr.8 | 4 +-
docs/manpages/vfs_aio_fork.8 | 4 +-
docs/manpages/vfs_aio_linux.8 | 4 +-
docs/manpages/vfs_aio_pthread.8 | 4 +-
docs/manpages/vfs_audit.8 | 4 +-
docs/manpages/vfs_btrfs.8 | 4 +-
docs/manpages/vfs_cacheprime.8 | 4 +-
docs/manpages/vfs_cap.8 | 4 +-
docs/manpages/vfs_catia.8 | 4 +-
docs/manpages/vfs_ceph.8 | 4 +-
docs/manpages/vfs_commit.8 | 4 +-
docs/manpages/vfs_crossrename.8 | 4 +-
docs/manpages/vfs_default_quota.8 | 4 +-
docs/manpages/vfs_dirsort.8 | 4 +-
docs/manpages/vfs_extd_audit.8 | 4 +-
docs/manpages/vfs_fake_perms.8 | 4 +-
docs/manpages/vfs_fileid.8 | 4 +-
docs/manpages/vfs_fruit.8 | 4 +-
docs/manpages/vfs_full_audit.8 | 4 +-
docs/manpages/vfs_glusterfs.8 | 4 +-
docs/manpages/vfs_gpfs.8 | 4 +-
docs/manpages/vfs_linux_xfs_sgid.8 | 4 +-
docs/manpages/vfs_media_harmony.8 | 4 +-
docs/manpages/vfs_netatalk.8 | 4 +-
docs/manpages/vfs_prealloc.8 | 4 +-
docs/manpages/vfs_preopen.8 | 4 +-
docs/manpages/vfs_readahead.8 | 4 +-
docs/manpages/vfs_readonly.8 | 4 +-
docs/manpages/vfs_recycle.8 | 4 +-
docs/manpages/vfs_scannedonly.8 | 4 +-
docs/manpages/vfs_shadow_copy.8 | 4 +-
docs/manpages/vfs_shadow_copy2.8 | 4 +-
docs/manpages/vfs_shell_snap.8 | 4 +-
docs/manpages/vfs_smb_traffic_analyzer.8 | 4 +-
docs/manpages/vfs_snapper.8 | 4 +-
docs/manpages/vfs_streams_depot.8 | 4 +-
docs/manpages/vfs_streams_xattr.8 | 4 +-
docs/manpages/vfs_syncops.8 | 4 +-
docs/manpages/vfs_time_audit.8 | 4 +-
docs/manpages/vfs_tsmsm.8 | 4 +-
docs/manpages/vfs_unityed_media.8 | 4 +-
docs/manpages/vfs_worm.8 | 4 +-
docs/manpages/vfs_xattr_tdb.8 | 4 +-
docs/manpages/vfs_zfsacl.8 | 4 +-
docs/manpages/vfstest.1 | 4 +-
docs/manpages/wbinfo.1 | 4 +-
docs/manpages/winbind_krb5_locator.7 | 4 +-
docs/manpages/winbindd.8 | 4 +-
lib/param/loadparm.c | 47 +-
lib/param/loadparm.h | 6 -
lib/param/param_table.c | 83 -
lib/util/asn1.c | 109 +-
lib/util/asn1.h | 25 +-
lib/util/tests/asn1_tests.c | 6 +-
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 -
libcli/auth/proto.h | 6 -
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 55 +-
libcli/cldap/cldap.c | 12 +-
libcli/ldap/ldap_message.c | 32 +-
libcli/smb/smbXcli_base.c | 1 -
libcli/smb/smb_constants.h | 1 -
libcli/smb/smb_signing.c | 4 -
libcli/smb/tstream_smbXcli_np.c | 4 -
librpc/idl/dcerpc.idl | 15 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 9 -
librpc/ndr/ndr_ntlmssp.c | 16 -
librpc/ndr/ndr_ntlmssp.h | 2 -
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 6 +-
librpc/rpc/dcerpc_util.c | 141 +-
librpc/rpc/rpc_common.h | 9 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 -
python/samba/tests/__init__.py | 525 ----
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 --------------------
selftest/knownfail | 28 -
.../DC-addc.addom.samba.example.com-S02-cert.pem | 191 --
.../DC-addc.addom.samba.example.com-S02-key.pem | 54 -
...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 --
...ddc.addom.samba.example.com-S02-private-key.pem | 51 -
.../DC-addc.addom.samba.example.com-S02-req.pem | 30 -
.../DC-addc.addom.samba.example.com-cert.pem | 1 -
...DC-addc.addom.samba.example.com-private-key.pem | 1 -
.../DC-localdc.samba.example.com-S00-cert.pem | 190 --
.../DC-localdc.samba.example.com-S00-key.pem | 54 -
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 --
...C-localdc.samba.example.com-S00-private-key.pem | 51 -
.../DC-localdc.samba.example.com-S00-req.pem | 30 -
.../DC-localdc.samba.example.com-cert.pem | 1 -
.../DC-localdc.samba.example.com-private-key.pem | 1 -
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 --
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 --
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 --
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 --
.../Private/CA-samba.example.com-crlnumber.txt | 1 -
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 -
.../Private/CA-samba.example.com-index.txt | 4 -
.../Private/CA-samba.example.com-index.txt.attr | 1 -
.../CA-samba.example.com-index.txt.attr.old | 1 -
.../Private/CA-samba.example.com-index.txt.old | 3 -
.../Private/CA-samba.example.com-openssl.cnf | 203 --
.../Private/CA-samba.example.com-private-key.pem | 102 -
.../Private/CA-samba.example.com-serial.txt | 1 -
.../Private/CA-samba.example.com-serial.txt.old | 1 -
.../Public/CA-samba.example.com-cert.pem | 62 -
.../Public/CA-samba.example.com-crl.pem | 32 -
...inistrator at addom.samba.example.com-S03-cert.pem | 169 --
...ministrator at addom.samba.example.com-S03-key.pem | 30 -
...strator at addom.samba.example.com-S03-openssl.cnf | 242 --
...tor at addom.samba.example.com-S03-private-key.pem | 27 -
...ministrator at addom.samba.example.com-S03-req.pem | 19 -
...-administrator at addom.samba.example.com-cert.pem | 1 -
...strator at addom.samba.example.com-private-key.pem | 1 -
...ER-administrator at samba.example.com-S01-cert.pem | 169 --
...SER-administrator at samba.example.com-S01-key.pem | 30 -
...administrator at samba.example.com-S01-openssl.cnf | 242 --
...nistrator at samba.example.com-S01-private-key.pem | 27 -
...SER-administrator at samba.example.com-S01-req.pem | 19 -
.../USER-administrator at samba.example.com-cert.pem | 1 -
...administrator at samba.example.com-private-key.pem | 1 -
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 -
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 -
selftest/manage-ca/manage-ca.sh | 387 ---
.../manage-CA-example.com.cnf | 17 -
.../openssl-BASE-template.cnf | 201 --
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 -
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 -
.../openssl-USER-template.cnf | 41 -
selftest/selftest.pl | 40 -
selftest/target/Samba.pm | 105 -
selftest/target/Samba3.pm | 1 -
selftest/target/Samba4.pm | 232 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 -
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/lib/tldap.c | 6 +-
source3/libads/ads_proto.h | 1 +
source3/libads/ldap.c | 134 +
source3/libads/sasl.c | 671 +++--
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 81 +-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 669 +++--
source3/libsmb/clientgen.c | 9 -
source3/libsmb/clispnego.c | 283 ++-
source3/libsmb/ntlmssp.c | 765 ++++++
source3/libsmb/ntlmssp_wrap.c | 135 +
source3/libsmb/passchange.c | 7 +-
source3/pam_smbpass/wscript_build | 2 +-
source3/param/loadparm.c | 43 +-
source3/rpc_client/cli_pipe.c | 314 +--
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 1 -
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 -
source3/rpc_server/rpc_server.c | 12 -
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_pipe.c | 494 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 -
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 -
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 ++---
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 803 +++++-
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/wscript_build | 10 +-
source4/auth/gensec/gensec_krb5.c | 11 +-
source4/auth/gensec/pygensec.c | 83 -
source4/auth/ntlm/auth_util.c | 4 +-
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 6 -
source4/ldap_server/ldap_server.h | 2 -
source4/lib/tls/tls.c | 2 +-
source4/lib/tls/tls.h | 23 -
source4/lib/tls/tls_tstream.c | 251 +-
source4/lib/tls/tlscert.c | 18 +-
source4/lib/tls/wscript | 5 -
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 62 +-
source4/libcli/ldap/ldap_client.c | 9 +-
source4/libcli/ldap/ldap_controls.c | 48 +-
source4/libcli/raw/libcliraw.h | 1 -
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 -
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 +--
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 -
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++----
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 261 +-
source4/rpc_server/dcesrv_mgmt.c | 8 -
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 -
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 -
source4/rpc_server/echo/rpc_echo.c | 7 -
source4/rpc_server/epmapper/rpc_epmapper.c | 8 -
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 -
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 -
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 75 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 -
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 +
source4/torture/basic/base.c | 20 +-
source4/torture/ndr/ntlmssp.c | 183 +-
source4/torture/raw/samba3misc.c | 7 -
source4/torture/rpc/backupkey.c | 21 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/lsa.c | 14 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 -
source4/torture/rpc/remote_pac.c | 39 +-
source4/torture/rpc/samba3rpc.c | 61 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
testprogs/blackbox/test_ldb_simple.sh | 41 -
wscript_configure_system_mitkrb5 | 4 +-
334 files changed, 5068 insertions(+), 15513 deletions(-)
delete mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
delete mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
delete mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
delete mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
delete mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
delete mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
delete mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
delete mode 100755 python/samba/tests/dcerpc/raw_protocol.py
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-cert.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-openssl.cnf
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-S03-req.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-cert.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at addom.samba.example.com/USER-administrator at addom.samba.example.com-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-cert.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-openssl.cnf
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-private-key.pem
delete mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-S01-req.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-cert.pem
delete mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator at samba.example.com/USER-administrator at samba.example.com-private-key.pem
delete mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
delete mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
delete mode 100755 selftest/manage-ca/manage-ca.sh
delete mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
delete mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
delete mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
delete mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
delete mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
create mode 100644 source3/libsmb/ntlmssp.c
create mode 100644 source3/libsmb/ntlmssp_wrap.c
delete mode 100755 testprogs/blackbox/test_ldb_simple.sh
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git