[Pkg-samba-maint] Bug#1033661: unblock: samba/2:4.17.7+dfsg-1

Michael Tokarev mjt at tls.msk.ru
Wed Mar 29 17:54:05 BST 2023


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security at debian.org, pkg-samba-maint at lists.alioth.debian.org

Please unblock package samba

[ Reason ]
This is a stable security/bugfix release, fixing 3 CVE vulnerabilities
in samba AD-DC code. See the changelog entries below for more information.
The bug has been disclosed today.

[ Impact ]
This impacts samba running as an Active Directory Domain Controller,
which is quite an important role and is enabled on quite a few installs
worldwide. Since this is a security bugfix, we should provide a fixed
version as soon as possible.

[ Tests ]
The samba testsuite does an excellent job at catching regressions and
ensuring things stay as good as possible.

[ Risks ]
There's the usual risk of breaking something, though the testsuite
does a good job here.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

[ Other info ]
Unfortunately there's quite a significant portion of the changes
in the debdiff which are only about manpage date/version, for every
manpage shipped. This is in docs/manpages/*.\d and in ctdb/doc/*.\d.
I'll remove the whole set of manpages from the upstream source in bookworm+,
since these are generated anyway, and we're DFSG'ifying the source
already to remove non-free bits.

unblock samba/2:4.17.7+dfsg-1


diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.1 samba-4.17.7+dfsg/ctdb/doc/ctdb.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.1	2023-03-09 12:19:07.539069200 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.1	2023-03-29 16:24:24.408779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
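Review bot: generated date churn only, in the `Date:` comment and the `.TH` line of this hunk, and the same pattern repeats for every man page under ctdb/doc/ and docs/manpages/ (there with the `Source:` and VERSION strings as well). Attaching a second debdiff with those paths excluded, for example via `filterdiff -x '*/ctdb/doc/*' -x '*/docs/manpages/*'`, would leave the release team with only the code and debian/ changes to read.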
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.7 samba-4.17.7+dfsg/ctdb/doc/ctdb.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.7	2023-03-09 12:19:09.990867100 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.7	2023-03-29 16:24:27.108780100 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.conf.5 samba-4.17.7+dfsg/ctdb/doc/ctdb.conf.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.conf.5	2023-03-09 12:19:09.178933600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.conf.5	2023-03-29 16:24:26.204779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\&.CONF" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\&.CONF" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdbd.1 samba-4.17.7+dfsg/ctdb/doc/ctdbd.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdbd.1	2023-03-09 12:19:07.823045500 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdbd.1	2023-03-29 16:24:24.688779800 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdbd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDBD" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDBD" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb_diagnostics.1 samba-4.17.7+dfsg/ctdb/doc/ctdb_diagnostics.1
--- samba-4.17.6+dfsg/ctdb/doc/ctdb_diagnostics.1	2023-03-09 12:19:08.646977400 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb_diagnostics.1	2023-03-29 16:24:25.480780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb_diagnostics
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB_DIAGNOSTICS" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB_DIAGNOSTICS" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-etcd.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-etcd.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-etcd.7	2023-03-09 12:19:10.762804500 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-etcd.7	2023-03-29 16:24:28.020780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-etcd
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-ETCD" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-ETCD" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7 samba-4.17.7+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7	2023-03-09 12:19:10.998785300 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb_mutex_ceph_rados_helper.7	2023-03-29 16:24:28.288780200 +0300
@@ -2,12 +2,12 @@
 .\"     Title: Ceph RADOS Mutex
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CEPH RADOS MUTEX" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CEPH RADOS MUTEX" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-script.options.5 samba-4.17.7+dfsg/ctdb/doc/ctdb-script.options.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-script.options.5	2023-03-09 12:19:09.454911000 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-script.options.5	2023-03-29 16:24:26.536779900 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-script.options
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-SCRIPT\&.OPTIO" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-SCRIPT\&.OPTIO" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-statistics.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-statistics.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-statistics.7	2023-03-09 12:19:10.254845600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-statistics.7	2023-03-29 16:24:27.380780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-statistics
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-STATISTICS" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-STATISTICS" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb.sysconfig.5 samba-4.17.7+dfsg/ctdb/doc/ctdb.sysconfig.5
--- samba-4.17.6+dfsg/ctdb/doc/ctdb.sysconfig.5	2023-03-09 12:19:09.714889800 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb.sysconfig.5	2023-03-29 16:24:26.816780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb.sysconfig
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\&.SYSCONFIG" "5" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\&.SYSCONFIG" "5" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ctdb-tunables.7 samba-4.17.7+dfsg/ctdb/doc/ctdb-tunables.7
--- samba-4.17.6+dfsg/ctdb/doc/ctdb-tunables.7	2023-03-09 12:19:10.518824300 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ctdb-tunables.7	2023-03-29 16:24:27.656780200 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ctdb-tunables
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "CTDB\-TUNABLES" "7" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "CTDB\-TUNABLES" "7" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ltdbtool.1 samba-4.17.7+dfsg/ctdb/doc/ltdbtool.1
--- samba-4.17.6+dfsg/ctdb/doc/ltdbtool.1	2023-03-09 12:19:08.087023700 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ltdbtool.1	2023-03-29 16:24:24.980780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ltdbtool
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "LTDBTOOL" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "LTDBTOOL" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/onnode.1 samba-4.17.7+dfsg/ctdb/doc/onnode.1
--- samba-4.17.6+dfsg/ctdb/doc/onnode.1	2023-03-09 12:19:08.922954600 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/onnode.1	2023-03-29 16:24:25.856779800 +0300
@@ -2,12 +2,12 @@
 .\"     Title: onnode
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "ONNODE" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "ONNODE" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/ctdb/doc/ping_pong.1 samba-4.17.7+dfsg/ctdb/doc/ping_pong.1
--- samba-4.17.6+dfsg/ctdb/doc/ping_pong.1	2023-03-09 12:19:08.339002800 +0300
+++ samba-4.17.7+dfsg/ctdb/doc/ping_pong.1	2023-03-29 16:24:25.236780000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ping_pong
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: CTDB - clustered TDB database
 .\"    Source: ctdb
 .\"  Language: English
 .\"
-.TH "PING_PONG" "1" "03/09/2023" "ctdb" "CTDB \- clustered TDB database"
+.TH "PING_PONG" "1" "03/29/2023" "ctdb" "CTDB \- clustered TDB database"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/debian/changelog samba-4.17.7+dfsg/debian/changelog
--- samba-4.17.6+dfsg/debian/changelog	2023-03-09 12:52:14.000000000 +0300
+++ samba-4.17.7+dfsg/debian/changelog	2023-03-29 17:59:17.000000000 +0300
@@ -1,3 +1,25 @@
+samba (2:4.17.7+dfsg-1) unstable; urgency=high
+
+  * upstream stable/security/bugfix release, fixing the following issues:
+    o CVE-2023-0225: An incomplete access check on dnsHostName allows
+      authenticated but otherwise unprivileged users to delete this
+      attribute from any object in the directory.
+      https://www.samba.org/samba/security/CVE-2023-0225.html
+    o CVE-2023-0922: The Samba AD DC administration tool, when operating
+      against a remote LDAP server, will by default send new or reset
+      passwords over a signed-only connection.
+      https://www.samba.org/samba/security/CVE-2023-0922.html
+    o CVE-2023-0614: Fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+      Confidential attribute disclosure via LDAP filters was insufficient and
+      an attacker may be able to obtain confidential BitLocker recovery keys
+      from a Samba AD DC.  Installations with such secrets in their Samba AD
+      should assume they have been obtained and need replacing.
+      https://www.samba.org/samba/security/CVE-2023-0614.html
+    Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
+  * update libldb symbols and versions
+
+ -- Michael Tokarev <mjt at tls.msk.ru>  Wed, 29 Mar 2023 17:59:17 +0300
+
 samba (2:4.17.6+dfsg-1) unstable; urgency=medium
 
   * new upstream stable/bugfix release 4.17.6:
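Review bot: the CVE-2023-0614 item carries an operator action that the upgrade itself does not perform ("should assume they have been obtained and need replacing"), and a changelog entry is easy to miss on an AD DC that is upgraded unattended; consider repeating that sentence in debian/NEWS so it is shown at upgrade time. Two smaller points in the same entry: the first sentence of that item runs the old CVE-2018-10919 title into the new text without punctuation and is hard to parse, and the `Closes: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614` line lists no Debian bug numbers, so it closes nothing in the BTS; the CVE ids are already named in the items above it.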
diff -Nru samba-4.17.6+dfsg/debian/libldb2.symbols samba-4.17.7+dfsg/debian/libldb2.symbols
--- samba-4.17.6+dfsg/debian/libldb2.symbols	2023-03-09 12:37:58.000000000 +0300
+++ samba-4.17.7+dfsg/debian/libldb2.symbols	2023-03-29 17:59:17.000000000 +0300
@@ -78,6 +78,7 @@
  LDB_2.5.0 at LDB_2.5.0 2:2.5.0
  LDB_2.6.0 at LDB_2.6.0 2:2.6.0
  LDB_2.6.1 at LDB_2.6.1 2:2.6.1
+ LDB_2.6.2 at LDB_2.6.2 2:2.6.2
  ldb_check_critical_controls at LDB_0.9.22 0.9.22
  ldb_controls_except_specified at LDB_0.9.22 0.9.22
  ldb_control_to_string at LDB_1.0.2 1.0.2~git20110403
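Review bot: missing documentation for the ABI change that starts here with the new `LDB_2.6.2` version node: the changelog says only "update libldb symbols and versions", and the unblock request does not mention that libldb2 gains exported functions in this security upload. Please state in the changelog that the bundled ldb moves to 2.6.2 and that the change is add-only (every `+` line in this file is a new symbol at minimum version `2:2.6.2`, and no existing symbol line is modified or removed in the visible hunks). The ` at ` in these lines is the list archive's rendering of `@`.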
@@ -167,6 +168,7 @@
  ldb_extended at LDB_0.9.10 0.9.21
  ldb_extended_default_callback at LDB_0.9.10 0.9.21
  ldb_filter_attrs at LDB_2.0.1 2:2.0.1
+ ldb_filter_attrs_in_place at LDB_2.6.2 2:2.6.2
  ldb_filter_from_tree at LDB_0.9.10 0.9.21
  ldb_get_config_basedn at LDB_0.9.10 0.9.21
  ldb_get_create_perms at LDB_0.9.10 0.9.21
@@ -206,6 +208,7 @@
  ldb_match_msg at LDB_0.9.10 0.9.21
  ldb_match_msg_error at LDB_0.9.15 0.9.21
  ldb_match_msg_objectclass at LDB_0.9.10 0.9.21
+ ldb_match_scope at LDB_2.6.2 2:2.6.2
  ldb_mod_register_control at LDB_0.9.10 0.9.21
  ldb_modify at LDB_0.9.10 0.9.21
  ldb_modify_default_callback at LDB_0.9.12 0.9.21
@@ -230,6 +233,7 @@
  ldb_modules_list_from_string at LDB_0.9.10 0.9.21
  ldb_modules_load at LDB_0.9.18 0.9.21
  ldb_msg_add at LDB_0.9.10 0.9.21
+ ldb_msg_add_distinguished_name at LDB_2.6.2 2:2.6.2
  ldb_msg_add_empty at LDB_0.9.10 0.9.21
  ldb_msg_add_fmt at LDB_0.9.10 0.9.21
  ldb_msg_add_linearized_dn at LDB_0.9.10 0.9.21
@@ -255,6 +259,9 @@
  ldb_msg_element_compare at LDB_0.9.10 0.9.21
  ldb_msg_element_compare_name at LDB_0.9.10 0.9.21
  ldb_msg_element_equal_ordered at LDB_1.1.6 1:1.1.6
+ ldb_msg_element_is_inaccessible at LDB_2.6.2 2:2.6.2
+ ldb_msg_element_mark_inaccessible at LDB_2.6.2 2:2.6.2
+ ldb_msg_elements_take_ownership at LDB_2.6.2 2:2.6.2
  ldb_msg_find_attr_as_bool at LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_dn at LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_double at LDB_0.9.10 0.9.21
@@ -272,8 +279,10 @@
  ldb_msg_normalize at LDB_0.9.15 0.9.21
  ldb_msg_remove_attr at LDB_0.9.10 0.9.21
  ldb_msg_remove_element at LDB_0.9.10 0.9.21
+ ldb_msg_remove_inaccessible at LDB_2.6.2 2:2.6.2
  ldb_msg_rename_attr at LDB_0.9.10 0.9.21
  ldb_msg_sanity_check at LDB_0.9.10 0.9.21
+ ldb_msg_shrink_to_fit at LDB_2.6.2 2:2.6.2
  ldb_msg_sort_elements at LDB_0.9.10 0.9.21
  ldb_next_del_trans at LDB_0.9.10 0.9.21
  ldb_next_end_trans at LDB_0.9.10 0.9.21
@@ -294,12 +303,14 @@
  ldb_parse_tree at LDB_0.9.10 0.9.21
  ldb_parse_tree_attr_replace at LDB_0.9.10 0.9.21
  ldb_parse_tree_copy_shallow at LDB_0.9.10 0.9.21
+ ldb_parse_tree_get_attr at LDB_2.6.2 2:2.6.2
  ldb_parse_tree_walk at LDB_1.1.2 1.1.2~
  ldb_qsort at LDB_0.9.10 0.9.21
  ldb_register_backend at LDB_0.9.10 0.9.21
  ldb_register_extended_match_rule at LDB_1.1.19 1:1.1.20
  ldb_register_hook at LDB_0.9.18 0.9.21
  ldb_register_module at LDB_0.9.10 0.9.21
+ ldb_register_redact_callback at LDB_2.6.2 2:2.6.2
  ldb_rename at LDB_0.9.10 0.9.21
  ldb_reply_add_control at LDB_0.9.10 0.9.21
  ldb_reply_get_control at LDB_0.9.10 0.9.21
diff -Nru samba-4.17.6+dfsg/debian/python3-ldb.symbols.in samba-4.17.7+dfsg/debian/python3-ldb.symbols.in
--- samba-4.17.6+dfsg/debian/python3-ldb.symbols.in	2023-03-09 12:37:58.000000000 +0300
+++ samba-4.17.7+dfsg/debian/python3-ldb.symbols.in	2023-03-29 17:59:17.000000000 +0300
@@ -61,6 +61,7 @@
  PYLDB_UTIL_2.5.0 at PYLDB_UTIL_2.5.0 2:2.5.0
  PYLDB_UTIL_2.6.0 at PYLDB_UTIL_2.6.0 2:2.6.0
  PYLDB_UTIL_2.6.1 at PYLDB_UTIL_2.6.1 2:2.6.1
+ PYLDB_UTIL_2.6.2 at PYLDB_UTIL_2.6.2 2:2.6.2
  pyldb_Dn_FromDn at PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_Object_AsDn at PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_check_type at PYLDB_UTIL_2.1.0 2:2.1.0
diff -Nru samba-4.17.6+dfsg/docs/manpages/cifsdd.8 samba-4.17.7+dfsg/docs/manpages/cifsdd.8
--- samba-4.17.6+dfsg/docs/manpages/cifsdd.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/cifsdd.8	2023-03-29 16:24:29.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: cifsdd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "CIFSDD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "CIFSDD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/dbwrap_tool.1 samba-4.17.7+dfsg/docs/manpages/dbwrap_tool.1
--- samba-4.17.6+dfsg/docs/manpages/dbwrap_tool.1	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/dbwrap_tool.1	2023-03-29 16:24:29.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: dbwrap_tool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "DBWRAP_TOOL" "1" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "DBWRAP_TOOL" "1" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -317,7 +317,7 @@
 Use with caution!
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/eventlogadm.8 samba-4.17.7+dfsg/docs/manpages/eventlogadm.8
--- samba-4.17.6+dfsg/docs/manpages/eventlogadm.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/eventlogadm.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: eventlogadm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "EVENTLOGADM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "EVENTLOGADM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -339,7 +339,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_ad.8 samba-4.17.7+dfsg/docs/manpages/idmap_ad.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_ad.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_ad.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_ad
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_AD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_AD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_autorid.8 samba-4.17.7+dfsg/docs/manpages/idmap_autorid.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_autorid.8	2023-03-09 12:19:12.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_autorid.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_autorid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_AUTORID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_AUTORID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_hash.8 samba-4.17.7+dfsg/docs/manpages/idmap_hash.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_hash.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_hash.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_hash
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_HASH" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_HASH" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_ldap.8 samba-4.17.7+dfsg/docs/manpages/idmap_ldap.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_ldap.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_ldap.8	2023-03-29 16:24:30.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_ldap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_LDAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_LDAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_nss.8 samba-4.17.7+dfsg/docs/manpages/idmap_nss.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_nss.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_nss.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_nss
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_NSS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_NSS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_rfc2307.8 samba-4.17.7+dfsg/docs/manpages/idmap_rfc2307.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_rfc2307.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_rfc2307.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_rfc2307
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_RFC2307" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_RFC2307" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_rid.8 samba-4.17.7+dfsg/docs/manpages/idmap_rid.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_rid.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_rid.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_rid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_RID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_RID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_script.8 samba-4.17.7+dfsg/docs/manpages/idmap_script.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_script.8	2023-03-09 12:19:13.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_script.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_script
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_SCRIPT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_SCRIPT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_tdb2.8 samba-4.17.7+dfsg/docs/manpages/idmap_tdb2.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_tdb2.8	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_tdb2.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_tdb2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_TDB2" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_TDB2" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/idmap_tdb.8 samba-4.17.7+dfsg/docs/manpages/idmap_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/idmap_tdb.8	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/idmap_tdb.8	2023-03-29 16:24:31.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: idmap_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "IDMAP_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "IDMAP_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/libsmbclient.7 samba-4.17.7+dfsg/docs/manpages/libsmbclient.7
--- samba-4.17.6+dfsg/docs/manpages/libsmbclient.7	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/libsmbclient.7	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: libsmbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 7
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LIBSMBCLIENT" "7" "03/09/2023" "Samba 4\&.17\&.6" "7"
+.TH "LIBSMBCLIENT" "7" "03/29/2023" "Samba 4\&.17\&.7" "7"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
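Review bot: The "Manual:" comment and the last .TH argument are both "7" here, so the page header shows the section number where a manual name belongs. Other pages in this diff carry names such as "User Commands" or "System Administration tools", and samba.7 uses "Miscellanea". Suggest setting a manual name for libsmbclient in the DocBook source so the generated header is consistent.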
@@ -86,7 +86,7 @@
 Watch this space for future updates\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/lmhosts.5 samba-4.17.7+dfsg/docs/manpages/lmhosts.5
--- samba-4.17.6+dfsg/docs/manpages/lmhosts.5	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/lmhosts.5	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: lmhosts
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LMHOSTS" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "LMHOSTS" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 /usr/local/samba/lib\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbclient\fR(1),
diff -Nru samba-4.17.6+dfsg/docs/manpages/log2pcap.1 samba-4.17.7+dfsg/docs/manpages/log2pcap.1
--- samba-4.17.6+dfsg/docs/manpages/log2pcap.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/log2pcap.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: log2pcap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "LOG2PCAP" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "LOG2PCAP" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -107,7 +107,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "BUGS"
 .PP
 Only SMB data is extracted from the samba logs, no LDAP, NetBIOS lookup or other data\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/mdsearch.1 samba-4.17.7+dfsg/docs/manpages/mdsearch.1
--- samba-4.17.6+dfsg/docs/manpages/mdsearch.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/mdsearch.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: mdsearch
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "MDSEARCH" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "MDSEARCH" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -349,7 +349,7 @@
 https://developer\&.apple\&.com/library/archive/documentation/Carbon/Conceptual/SpotlightQuery/Concepts/Introduction\&.html
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/mvxattr.1 samba-4.17.7+dfsg/docs/manpages/mvxattr.1
--- samba-4.17.6+dfsg/docs/manpages/mvxattr.1	2023-03-09 12:19:14.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/mvxattr.1	2023-03-29 16:24:32.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: mvxattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "MVXATTR" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "MVXATTR" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -76,7 +76,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/net.8 samba-4.17.7+dfsg/docs/manpages/net.8
--- samba-4.17.6+dfsg/docs/manpages/net.8	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/net.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: net
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NET" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "NET" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/nmbd.8 samba-4.17.7+dfsg/docs/manpages/nmbd.8
--- samba-4.17.6+dfsg/docs/manpages/nmbd.8	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/nmbd.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: nmbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NMBD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "NMBD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -288,7 +288,7 @@
 (SIGUSR[1|2] signals are no longer used since Samba 2\&.2)\&. This is to allow transient problems to be diagnosed, whilst still running at a normally low log level\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBinetd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/nmblookup.1 samba-4.17.7+dfsg/docs/manpages/nmblookup.1
--- samba-4.17.6+dfsg/docs/manpages/nmblookup.1	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/nmblookup.1	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: nmblookup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NMBLOOKUP" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "NMBLOOKUP" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -330,7 +330,7 @@
 would query the WINS server samba\&.org for the domain master browser (1B name type) for the IRIX workgroup\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBnmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/ntlm_auth.1 samba-4.17.7+dfsg/docs/manpages/ntlm_auth.1
--- samba-4.17.6+dfsg/docs/manpages/ntlm_auth.1	2023-03-09 12:19:15.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/ntlm_auth.1	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: ntlm_auth
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "NTLM_AUTH" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "NTLM_AUTH" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -450,7 +450,7 @@
 the Microsoft Knowledge Base article #239869 and follow instructions described there\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/pam_winbind.8 samba-4.17.7+dfsg/docs/manpages/pam_winbind.8
--- samba-4.17.6+dfsg/docs/manpages/pam_winbind.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pam_winbind.8	2023-03-29 16:24:33.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pam_winbind
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PAM_WINBIND" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "PAM_WINBIND" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -210,7 +210,7 @@
 \fBsmb.conf\fR(5)
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of Samba\&.
+This man page is part of version 4\&.17\&.7 of Samba\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
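Review bot: The VERSION sentence here reads "of Samba", while the other pages in this diff read "of the Samba suite". Suggest aligning the wording in the pam_winbind source so the generated VERSION sections are uniform and can be checked with a single pattern.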
diff -Nru samba-4.17.6+dfsg/docs/manpages/pam_winbind.conf.5 samba-4.17.7+dfsg/docs/manpages/pam_winbind.conf.5
--- samba-4.17.6+dfsg/docs/manpages/pam_winbind.conf.5	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pam_winbind.conf.5	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pam_winbind.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 5
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PAM_WINBIND\&.CONF" "5" "03/09/2023" "Samba 4\&.17\&.6" "5"
+.TH "PAM_WINBIND\&.CONF" "5" "03/29/2023" "Samba 4\&.17\&.7" "5"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -153,7 +153,7 @@
 \fBsmb.conf\fR(5)
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of Samba\&.
+This man page is part of version 4\&.17\&.7 of Samba\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/pdbedit.8 samba-4.17.7+dfsg/docs/manpages/pdbedit.8
--- samba-4.17.6+dfsg/docs/manpages/pdbedit.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/pdbedit.8	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: pdbedit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PDBEDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "PDBEDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -635,7 +635,7 @@
 This command may be used only by root\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/profiles.1 samba-4.17.7+dfsg/docs/manpages/profiles.1
--- samba-4.17.6+dfsg/docs/manpages/profiles.1	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/profiles.1	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: profiles
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "PROFILES" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "PROFILES" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -128,7 +128,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/rpcclient.1 samba-4.17.7+dfsg/docs/manpages/rpcclient.1
--- samba-4.17.6+dfsg/docs/manpages/rpcclient.1	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/rpcclient.1	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: rpcclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "RPCCLIENT" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "RPCCLIENT" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1958,7 +1958,7 @@
 that are incompatible for some commands or services\&. Additionally, the developers are sending reports to Microsoft, and problems found or reported to Microsoft are fixed in Service Packs, which may result in incompatibilities\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba.7 samba-4.17.7+dfsg/docs/manpages/samba.7
--- samba-4.17.6+dfsg/docs/manpages/samba.7	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba.7	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: Miscellanea
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA" "7" "03/09/2023" "Samba 4\&.17\&.6" "Miscellanea"
+.TH "SAMBA" "7" "03/29/2023" "Samba 4\&.17\&.7" "Miscellanea"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -231,7 +231,7 @@
 you can find a lot of information in the archives and you can subscribe to the samba list and ask for help or discuss things\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "CONTRIBUTIONS"
 .PP
 If you wish to contribute to the Samba project, then I suggest you join the Samba mailing list at
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba.8 samba-4.17.7+dfsg/docs/manpages/samba.8
--- samba-4.17.6+dfsg/docs/manpages/samba.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -239,7 +239,7 @@
 Most messages are reasonably self\-explanatory\&. Unfortunately, at the time this man page was created, there are too many diagnostics available in the source code to warrant describing each and every diagnostic\&. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBhosts_access\fR(5)
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-bgqd.8 samba-4.17.7+dfsg/docs/manpages/samba-bgqd.8
--- samba-4.17.6+dfsg/docs/manpages/samba-bgqd.8	2023-03-09 12:19:16.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-bgqd.8	2023-03-29 16:24:34.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-bgqd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-BGQD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-BGQD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-dcerpcd.8 samba-4.17.7+dfsg/docs/manpages/samba-dcerpcd.8
--- samba-4.17.6+dfsg/docs/manpages/samba-dcerpcd.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-dcerpcd.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-dcerpcd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-DCERPCD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-DCERPCD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba_downgrade_db.8 samba-4.17.7+dfsg/docs/manpages/samba_downgrade_db.8
--- samba-4.17.6+dfsg/docs/manpages/samba_downgrade_db.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba_downgrade_db.8	2023-03-29 16:24:36.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba_downgrade_db
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA_DOWNGRADE_DB" "8" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SAMBA_DOWNGRADE_DB" "8" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
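Review bot: In the .TH line this page is in section 8 but its manual name is "User Commands", whereas the other section 8 pages in this diff (net, nmbd, pdbedit) use "System Administration tools". Suggest changing the manual name in the samba_downgrade_db source to match its section.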
@@ -42,7 +42,7 @@
 \fIbefore\fR
 the Samba packages can be safely downgraded\&.
 .PP
-This tool downgrades a Samba sam\&.ldb database from the format used in version 4\&.17\&.6 to that of version 4\&.7\&. The v4\&.7 database format can safely be read by any version of Samba\&. If necessary, later versions of Samba will repack and reconfigure a v4\&.7\-format database when the samba executable is first started\&.
+This tool downgrades a Samba sam\&.ldb database from the format used in version 4\&.17\&.7 to that of version 4\&.7\&. The v4\&.7 database format can safely be read by any version of Samba\&. If necessary, later versions of Samba will repack and reconfigure a v4\&.7\-format database when the samba executable is first started\&.
 .PP
 Note that all Samba services must be stopped on the DC before running this tool\&. Once the tool has run, do not restart samba or modify the database before the Samba software package has been downgraded\&.
 .SH "OPTIONS"
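Review bot: The sentence "from the format used in version 4.17.7 to that of version 4.7" follows the release stamp, so it is rewritten on every point release even though this hunk shows no change to the database format. Suggest wording it without the patch level, for example "the format used by this version", so the text changes only when the format does and an administrator reading the debdiff is not led to expect a sam.ldb format change in a security update.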
@@ -58,7 +58,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-regedit.8 samba-4.17.7+dfsg/docs/manpages/samba-regedit.8
--- samba-4.17.6+dfsg/docs/manpages/samba-regedit.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-regedit.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-regedit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-REGEDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-REGEDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -365,7 +365,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/samba-tool.8 samba-4.17.7+dfsg/docs/manpages/samba-tool.8
--- samba-4.17.6+dfsg/docs/manpages/samba-tool.8	2023-03-09 12:19:17.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/samba-tool.8	2023-03-29 16:24:35.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: samba-tool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SAMBA\-TOOL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SAMBA\-TOOL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1196,7 +1196,7 @@
 Gives usage information\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/sharesec.1 samba-4.17.7+dfsg/docs/manpages/sharesec.1
--- samba-4.17.6+dfsg/docs/manpages/sharesec.1	2023-03-09 12:19:18.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/sharesec.1	2023-03-29 16:24:36.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: sharesec
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SHARESEC" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SHARESEC" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -358,7 +358,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcacls.1 samba-4.17.7+dfsg/docs/manpages/smbcacls.1
--- samba-4.17.6+dfsg/docs/manpages/smbcacls.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcacls.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcacls
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCACLS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCACLS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1033,7 +1033,7 @@
 couldn\*(Aqt connect to the specified server, or there was an error getting or setting the ACLs, an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbclient.1 samba-4.17.7+dfsg/docs/manpages/smbclient.1
--- samba-4.17.6+dfsg/docs/manpages/smbclient.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbclient.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCLIENT" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCLIENT" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -1247,7 +1247,7 @@
 The number and nature of diagnostics available depends on the debug level used by the client\&. If you have problems, set the debug level to 3 and peruse the log files\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smb.conf.5 samba-4.17.7+dfsg/docs/manpages/smb.conf.5
--- samba-4.17.6+dfsg/docs/manpages/smb.conf.5	2023-03-09 12:19:19.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smb.conf.5	2023-03-29 16:24:37.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smb.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMB\&.CONF" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMB\&.CONF" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -2145,20 +2145,24 @@
 \fIseal\fR
 are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
 .sp
-This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
-NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
+This option is needed firstly to secure the privacy of administrative connections from
+samba\-tool, including in particular new or reset passwords for users\&. For this reason the default is
+\fIseal\fR\&.
 .sp
-Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
+Additionally,
+winbindd
+and the
+net
+tool can use LDAP to communicate with Domain Controllers, so this option also controls the level of privacy for those connections\&. All supported AD DC versions will enforce the usage of at least signed LDAP connections by default, so a value of at least
 \fIsign\fR
-is just an alias for
-\fIseal\fR\&.
+is required in practice\&.
 .sp
 The default value is
-\fIsign\fR\&. That implies synchronizing the time with the KDC in the case of using
+\fIseal\fR\&. That implies synchronizing the time with the KDC in the case of using
 \fIKerberos\fR\&.
 .sp
 Default:
-\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIsign\fR\fI \fR
+\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIseal\fR\fI \fR
 .RE
 
 client max protocol (G)
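Review bot: the default for client ldap sasl wrapping moves from sign to seal in this hunk, but the rewritten text never says what happens to a configuration that already sets the option explicitly. A smb.conf that carries "client ldap sasl wrapping = sign" keeps that value after the upgrade, so samba-tool password sets and resets from that host are still only signed, not encrypted, which is exactly the case the new first paragraph gives as the reason for the seal default. Suggest adding one sentence to this section, with a matching note in the package changelog or NEWS, telling administrators to check for an explicit override when upgrading. Two operational details are also removed without replacement: the server-side "LDAPServerIntegrity" registry key reference, and the remark that with MIT and older Heimdal libraries sign is just an alias for seal. If either still applies to 4.17.7, it is worth keeping for people debugging interoperability against a DC.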
@@ -14509,7 +14513,7 @@
 special sections make life for an administrator easy, but the various combinations of default attributes can be tricky\&. Take extreme care when designing these sections\&. In particular, ensure that the permissions on spool directories are correct\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsamba\fR(7),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcontrol.1 samba-4.17.7+dfsg/docs/manpages/smbcontrol.1
--- samba-4.17.6+dfsg/docs/manpages/smbcontrol.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcontrol.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcontrol
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCONTROL" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCONTROL" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -332,7 +332,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBnmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbcquotas.1 samba-4.17.7+dfsg/docs/manpages/smbcquotas.1
--- samba-4.17.6+dfsg/docs/manpages/smbcquotas.1	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbcquotas.1	2023-03-29 16:24:38.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbcquotas
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBCQUOTAS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBCQUOTAS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -431,7 +431,7 @@
 couldn\*(Aqt connect to the specified server, or when there was an error getting or setting the quota(s), an exit status of 1 is returned\&. If there was an error parsing any command line arguments, an exit status of 2 is returned\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbd.8 samba-4.17.7+dfsg/docs/manpages/smbd.8
--- samba-4.17.6+dfsg/docs/manpages/smbd.8	2023-03-09 12:19:20.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbd.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -260,7 +260,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "DIAGNOSTICS"
 .PP
 Most diagnostics issued by the server are logged in a specified log file\&. The log file name is specified at compile time, but may be overridden on the command line\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbget.1 samba-4.17.7+dfsg/docs/manpages/smbget.1
--- samba-4.17.6+dfsg/docs/manpages/smbget.1	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbget.1	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbget
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBGET" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBGET" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -189,7 +189,7 @@
 Permission denied is returned in some cases where the cause of the error is unknown (such as an illegally formatted smb:// url or trying to get a directory without \-R turned on)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbgetrc.5 samba-4.17.7+dfsg/docs/manpages/smbgetrc.5
--- samba-4.17.6+dfsg/docs/manpages/smbgetrc.5	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbgetrc.5	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbgetrc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBGETRC" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMBGETRC" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -87,7 +87,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbget\fR(1)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbpasswd.5 samba-4.17.7+dfsg/docs/manpages/smbpasswd.5
--- samba-4.17.6+dfsg/docs/manpages/smbpasswd.5	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbpasswd.5	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBPASSWD" "5" "03/09/2023" "Samba 4\&.17\&.6" "File Formats and Conventions"
+.TH "SMBPASSWD" "5" "03/29/2023" "Samba 4\&.17\&.7" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -165,7 +165,7 @@
 All other colon separated fields are ignored at this time\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbpasswd.8 samba-4.17.7+dfsg/docs/manpages/smbpasswd.8
--- samba-4.17.6+dfsg/docs/manpages/smbpasswd.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbpasswd.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBPASSWD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBPASSWD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -314,7 +314,7 @@
 In addition, the smbpasswd command is only useful if Samba has been set up to use encrypted passwords\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbpasswd\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbspool.8 samba-4.17.7+dfsg/docs/manpages/smbspool.8
--- samba-4.17.6+dfsg/docs/manpages/smbspool.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbspool.8	2023-03-29 16:24:39.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbspool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSPOOL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBSPOOL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -173,7 +173,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbspool_krb5_wrapper.8 samba-4.17.7+dfsg/docs/manpages/smbspool_krb5_wrapper.8
--- samba-4.17.6+dfsg/docs/manpages/smbspool_krb5_wrapper.8	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbspool_krb5_wrapper.8	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbspool_krb5_wrapper
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSPOOL_KRB5_WRAPPE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "SMBSPOOL_KRB5_WRAPPE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbstatus.1 samba-4.17.7+dfsg/docs/manpages/smbstatus.1
--- samba-4.17.6+dfsg/docs/manpages/smbstatus.1	2023-03-09 12:19:21.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbstatus.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbstatus
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBSTATUS" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBSTATUS" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -483,7 +483,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbtar.1 samba-4.17.7+dfsg/docs/manpages/smbtar.1
--- samba-4.17.6+dfsg/docs/manpages/smbtar.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbtar.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbtar
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBTAR" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBTAR" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -145,7 +145,7 @@
 command\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmbd\fR(8),
diff -Nru samba-4.17.6+dfsg/docs/manpages/smbtree.1 samba-4.17.7+dfsg/docs/manpages/smbtree.1
--- samba-4.17.6+dfsg/docs/manpages/smbtree.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/smbtree.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: smbtree
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "SMBTREE" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "SMBTREE" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -244,7 +244,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/testparm.1 samba-4.17.7+dfsg/docs/manpages/testparm.1
--- samba-4.17.6+dfsg/docs/manpages/testparm.1	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/testparm.1	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: testparm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TESTPARM" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TESTPARM" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -184,7 +184,7 @@
 For certain use cases, SMB protocol requires use of cryptographic algorithms which are known to be weak and already broken\&. DES and ARCFOUR (RC4) ciphers and the SHA1 and MD5 hash algorithms are considered weak but they are required for backward compatibility\&. The testparm utility shows whether the Samba tools will fall back to these weak crypto algorithms if it is not possible to use strong cryptography by default\&. In FIPS mode weak crypto cannot be enabled\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsmb.conf\fR(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/traffic_learner.7 samba-4.17.7+dfsg/docs/manpages/traffic_learner.7
--- samba-4.17.6+dfsg/docs/manpages/traffic_learner.7	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/traffic_learner.7	2023-03-29 16:24:40.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: traffic_learner
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TRAFFIC_LEARNER" "7" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TRAFFIC_LEARNER" "7" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 The other special packet is "\-", which represents the limit of the conversation\&. In the example, this indicates that one observed conversation ended after this particular ngram\&. This special opcode is also used at the beginning of conversations, which are indicated by the ngram "\-\et\-"\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBtraffic_replay\fR(7)\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/traffic_replay.7 samba-4.17.7+dfsg/docs/manpages/traffic_replay.7
--- samba-4.17.6+dfsg/docs/manpages/traffic_replay.7	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/traffic_replay.7	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: traffic_replay
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "TRAFFIC_REPLAY" "7" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "TRAFFIC_REPLAY" "7" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -367,7 +367,7 @@
 The users created by the test will have names like STGU\-0\-xyz\&. The groups generated have names like STGG\-0\-xyz\&.
 .SH "VERSION"
 .PP
-This man page is complete for version 4\&.17\&.6 of the Samba suite\&.
+This man page is complete for version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBtraffic_learner\fR(7)\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_acl_tdb.8 samba-4.17.7+dfsg/docs/manpages/vfs_acl_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_acl_tdb.8	2023-03-09 12:19:22.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_acl_tdb.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_acl_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ACL_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ACL_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_acl_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_acl_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_acl_xattr.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_acl_xattr.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_acl_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ACL_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ACL_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_aio_fork.8 samba-4.17.7+dfsg/docs/manpages/vfs_aio_fork.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_aio_fork.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_aio_fork.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_aio_fork
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AIO_FORK" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AIO_FORK" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -62,7 +62,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_aio_pthread.8 samba-4.17.7+dfsg/docs/manpages/vfs_aio_pthread.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_aio_pthread.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_aio_pthread.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_aio_pthread
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AIO_PTHREAD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AIO_PTHREAD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -75,7 +75,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_audit.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_audit.8	2023-03-29 16:24:41.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_btrfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_btrfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_btrfs.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_btrfs.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_btrfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_BTRFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_BTRFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -103,7 +103,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_cacheprime.8 samba-4.17.7+dfsg/docs/manpages/vfs_cacheprime.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_cacheprime.8	2023-03-09 12:19:23.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_cacheprime.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_cacheprime
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CACHEPRIME" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CACHEPRIME" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 is not a substitute for a general\-purpose readahead mechanism\&. It is intended for use only in very specific environments where disk operations must be aligned and sized to known values (as much as that is possible)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_cap.8 samba-4.17.7+dfsg/docs/manpages/vfs_cap.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_cap.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_cap.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_cap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -63,7 +63,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_catia.8 samba-4.17.7+dfsg/docs/manpages/vfs_catia.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_catia.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_catia.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_catia
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CATIA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CATIA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
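Review bot: vfs_catia.8 gets only this header hunk (Date, Source, .TH). Unlike the neighbouring pages, there is no second hunk changing a "This man page is part of version 4\&.17\&.6" line, and the same is true of vfs_fruit.8 and vfs_nfs4acl_xattr.8 in this diff. Please confirm that these three pages simply have no generated VERSION line, rather than one with hardcoded text that the regeneration does not touch.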
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_ceph.8 samba-4.17.7+dfsg/docs/manpages/vfs_ceph.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_ceph.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_ceph.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_ceph
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CEPH" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CEPH" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -109,7 +109,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_ceph_snapshots.8 samba-4.17.7+dfsg/docs/manpages/vfs_ceph_snapshots.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_ceph_snapshots.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_ceph_snapshots.8	2023-03-29 16:24:42.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_ceph_snapshots
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CEPH_SNAPSHOTS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CEPH_SNAPSHOTS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -107,7 +107,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_commit.8 samba-4.17.7+dfsg/docs/manpages/vfs_commit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_commit.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_commit.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_commit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_COMMIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_COMMIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -116,7 +116,7 @@
 may reduce performance\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_crossrename.8 samba-4.17.7+dfsg/docs/manpages/vfs_crossrename.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_crossrename.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_crossrename.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_crossrename
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_CROSSRENAME" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_CROSSRENAME" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -89,7 +89,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_default_quota.8 samba-4.17.7+dfsg/docs/manpages/vfs_default_quota.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_default_quota.8	2023-03-09 12:19:24.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_default_quota.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_default_quota
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_DEFAULT_QUOTA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_DEFAULT_QUOTA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -86,7 +86,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_dirsort.8 samba-4.17.7+dfsg/docs/manpages/vfs_dirsort.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_dirsort.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_dirsort.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_dirsort
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_DIRSORT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_DIRSORT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -59,7 +59,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_expand_msdfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_expand_msdfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_expand_msdfs.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_expand_msdfs.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_expand_msdfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_EXPAND_MSDFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_EXPAND_MSDFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -56,7 +56,7 @@
 With this, clients from network 192\&.168\&.234/24 are redirected to host local\&.samba\&.org, clients from 192\&.168/16 are redirected to remote\&.samba\&.org and all other clients go to default\&.samba\&.org\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_extd_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_extd_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_extd_audit.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_extd_audit.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_extd_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_EXTD_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_EXTD_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -55,7 +55,7 @@
 This module is stackable\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fake_perms.8 samba-4.17.7+dfsg/docs/manpages/vfs_fake_perms.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fake_perms.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fake_perms.8	2023-03-29 16:24:43.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fake_perms
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FAKE_PERMS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FAKE_PERMS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -58,7 +58,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fileid.8 samba-4.17.7+dfsg/docs/manpages/vfs_fileid.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fileid.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fileid.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fileid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FILEID" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FILEID" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -212,7 +212,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_fruit.8 samba-4.17.7+dfsg/docs/manpages/vfs_fruit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_fruit.8	2023-03-09 12:19:25.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_fruit.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_fruit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FRUIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FRUIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_full_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_full_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_full_audit.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_full_audit.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_full_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_FULL_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_FULL_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -513,7 +513,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_glusterfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GLUSTERFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GLUSTERFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -129,7 +129,7 @@
 With GlusterFS versions >= 9, we silently bypass write\-behind translator during initial connect and failure is avoided\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs_fuse.8 samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs_fuse.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_glusterfs_fuse.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_glusterfs_fuse.8	2023-03-29 16:24:44.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_glusterfs_fuse
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GLUSTERFS_FUSE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GLUSTERFS_FUSE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -78,7 +78,7 @@
 This module does currently have no further options\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_gpfs.8 samba-4.17.7+dfsg/docs/manpages/vfs_gpfs.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_gpfs.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_gpfs.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_gpfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_GPFS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_GPFS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -660,7 +660,7 @@
 in gpfs versions newer than 3\&.2\&.1 PTF8\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_io_uring.8 samba-4.17.7+dfsg/docs/manpages/vfs_io_uring.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_io_uring.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_io_uring.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_io_uring
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_IO_URING" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_IO_URING" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -78,7 +78,7 @@
 \fBio_uring_setup\fR(2)\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 samba-4.17.7+dfsg/docs/manpages/vfs_linux_xfs_sgid.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_linux_xfs_sgid.8	2023-03-09 12:19:26.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_linux_xfs_sgid.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_syncops
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SYNCOPS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SYNCOPS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
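Review bot: the header of vfs_linux_xfs_sgid.8 reads "Title: vfs_syncops" and .TH "VFS_SYNCOPS" on both the removed and the added lines, so the regenerated page still carries another module's name in its title line. The Generator line says the page is built from DocBook, so this is presumably a copy-paste leftover in the XML source. It should be reported upstream and fixed there to vfs_linux_xfs_sgid, not carried through another version bump.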
@@ -64,7 +64,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_media_harmony.8 samba-4.17.7+dfsg/docs/manpages/vfs_media_harmony.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_media_harmony.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_media_harmony.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_media_harmony
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_MEDIA_HARMONY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_MEDIA_HARMONY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -138,7 +138,7 @@
 is designed to work with Avid editing applications that look in the Avid MediaFiles or OMFI MediaFiles directories for media\&. It is not designed to work as expected in all circumstances for general use\&. For example: It is possible to open a client\-specific file such as msmMMOB\&.mdb_192\&.168\&.1\&.10_userx even though it doesn\*(Aqt show up in a directory listing\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_nfs4acl_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_nfs4acl_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_nfs4acl_xattr.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_nfs4acl_xattr.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_nfs4acl_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_NFS4ACL_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_NFS4ACL_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_offline.8 samba-4.17.7+dfsg/docs/manpages/vfs_offline.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_offline.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_offline.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_offline
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_OFFLINE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_OFFLINE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -59,7 +59,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_prealloc.8 samba-4.17.7+dfsg/docs/manpages/vfs_prealloc.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_prealloc.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_prealloc.8	2023-03-29 16:24:45.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_prealloc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_PREALLOC" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_PREALLOC" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -112,7 +112,7 @@
 is not supported on all platforms and filesystems\&. Currently only XFS filesystems on Linux and IRIX are supported\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_preopen.8 samba-4.17.7+dfsg/docs/manpages/vfs_preopen.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_preopen.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_preopen.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_preopen
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_PREOPEN" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_PREOPEN" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -147,7 +147,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_readahead.8 samba-4.17.7+dfsg/docs/manpages/vfs_readahead.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_readahead.8	2023-03-09 12:19:27.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_readahead.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_readahead
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_READAHEAD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_READAHEAD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -115,7 +115,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_readonly.8 samba-4.17.7+dfsg/docs/manpages/vfs_readonly.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_readonly.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_readonly.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_readonly
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_READONLY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_READONLY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -81,7 +81,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_recycle.8 samba-4.17.7+dfsg/docs/manpages/vfs_recycle.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_recycle.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_recycle.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_recycle
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_RECYCLE" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_RECYCLE" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -136,7 +136,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy2.8 samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy2.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy2.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy2.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shadow_copy2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHADOW_COPY2" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY2" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -519,7 +519,7 @@
 is designed to be an end\-user tool only\&. It does not replace or enhance your backup and archival solutions and should in no way be considered as such\&. Additionally, if you need version control, implement a version control system\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy.8 samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shadow_copy.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shadow_copy.8	2023-03-29 16:24:46.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shadow_copy
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHADOW_COPY" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -167,7 +167,7 @@
 is designed to be an end\-user tool only\&. It does not replace or enhance your backup and archival solutions and should in no way be considered as such\&. Additionally, if you need version control, implement a version control system\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_shell_snap.8 samba-4.17.7+dfsg/docs/manpages/vfs_shell_snap.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_shell_snap.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_shell_snap.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_shell_snap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SHELL_SNAP" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SHELL_SNAP" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -214,7 +214,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_snapper.8 samba-4.17.7+dfsg/docs/manpages/vfs_snapper.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_snapper.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_snapper.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_snapper
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SNAPPER" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SNAPPER" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -84,7 +84,7 @@
 The DiskShadow\&.exe FSRVP client initially authenticates as the Active Directory computer account\&. This account must therefore be granted the same permissions as the user account issuing the snapshot creation and deletion requests\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_streams_depot.8 samba-4.17.7+dfsg/docs/manpages/vfs_streams_depot.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_streams_depot.8	2023-03-09 12:19:28.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_streams_depot.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_streams_depot
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_STREAMS_DEPOT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_STREAMS_DEPOT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_streams_xattr.8 samba-4.17.7+dfsg/docs/manpages/vfs_streams_xattr.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_streams_xattr.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_streams_xattr.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_streams_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_STREAMS_XATTR" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_STREAMS_XATTR" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_syncops.8 samba-4.17.7+dfsg/docs/manpages/vfs_syncops.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_syncops.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_syncops.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_syncops
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_SYNCOPS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_SYNCOPS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -76,7 +76,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfstest.1 samba-4.17.7+dfsg/docs/manpages/vfstest.1
--- samba-4.17.6+dfsg/docs/manpages/vfstest.1	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfstest.1	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfstest
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFSTEST" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "VFSTEST" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -797,7 +797,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_time_audit.8 samba-4.17.7+dfsg/docs/manpages/vfs_time_audit.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_time_audit.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_time_audit.8	2023-03-29 16:24:47.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_time_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_TIME_AUDIT" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_TIME_AUDIT" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -72,7 +72,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_tsmsm.8 samba-4.17.7+dfsg/docs/manpages/vfs_tsmsm.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_tsmsm.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_tsmsm.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_tsmsm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_TSMSM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_TSMSM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -83,7 +83,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_unityed_media.8 samba-4.17.7+dfsg/docs/manpages/vfs_unityed_media.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_unityed_media.8	2023-03-09 12:19:29.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_unityed_media.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_unityed_media
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_UNITYED_MEDIA" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_UNITYED_MEDIA" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -111,7 +111,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_virusfilter.8 samba-4.17.7+dfsg/docs/manpages/vfs_virusfilter.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_virusfilter.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_virusfilter.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_virusfilter
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
 .\"    Source: Samba 4.8
 .\"  Language: English
 .\"
-.TH "VFS_VIRUSFILTER" "8" "03/09/2023" "Samba 4\&.8" "System Administration tools"
+.TH "VFS_VIRUSFILTER" "8" "03/29/2023" "Samba 4\&.8" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
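Review bot: the Source comment and the version field of the .TH line still read "Samba 4.8" in this hunk, while only the date moves to 03/29/2023; the neighbouring manpages in this debdiff all go from 4.17.6 to 4.17.7. If the version is hard-coded in the DocBook source for vfs_virusfilter, it should be fixed there so the generated page reports the release it ships with; as it stands, the page footer cannot be used to tell which Samba build a host has installed.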
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_widelinks.8 samba-4.17.7+dfsg/docs/manpages/vfs_widelinks.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_widelinks.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_widelinks.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_widelinks
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_WIDELINKS" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_WIDELINKS" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -53,7 +53,7 @@
 No examples listed\&. This module is implicitly loaded by smbd as needed\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_worm.8 samba-4.17.7+dfsg/docs/manpages/vfs_worm.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_worm.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_worm.8	2023-03-29 16:24:48.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_worm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_WORM" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_WORM" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -68,7 +68,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_xattr_tdb.8 samba-4.17.7+dfsg/docs/manpages/vfs_xattr_tdb.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_xattr_tdb.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_xattr_tdb.8	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_xattr_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_XATTR_TDB" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_XATTR_TDB" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.17.6+dfsg/docs/manpages/vfs_zfsacl.8 samba-4.17.7+dfsg/docs/manpages/vfs_zfsacl.8
--- samba-4.17.6+dfsg/docs/manpages/vfs_zfsacl.8	2023-03-09 12:19:30.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/vfs_zfsacl.8	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: vfs_zfsacl
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "VFS_ZFSACL" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "VFS_ZFSACL" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -310,7 +310,7 @@
 .\}
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/wbinfo.1 samba-4.17.7+dfsg/docs/manpages/wbinfo.1
--- samba-4.17.6+dfsg/docs/manpages/wbinfo.1	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/wbinfo.1	2023-03-29 16:24:49.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: wbinfo
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WBINFO" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "WBINFO" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -472,7 +472,7 @@
 will always return failure\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBwinbindd\fR(8)
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbindd.8 samba-4.17.7+dfsg/docs/manpages/winbindd.8
--- samba-4.17.6+dfsg/docs/manpages/winbindd.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbindd.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbindd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: System Administration tools
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBINDD" "8" "03/09/2023" "Samba 4\&.17\&.6" "System Administration tools"
+.TH "WINBINDD" "8" "03/29/2023" "Samba 4\&.17\&.7" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -587,7 +587,7 @@
 .RE
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 nsswitch\&.conf(5),
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbind_krb5_localauth.8 samba-4.17.7+dfsg/docs/manpages/winbind_krb5_localauth.8
--- samba-4.17.6+dfsg/docs/manpages/winbind_krb5_localauth.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbind_krb5_localauth.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbind_krb5_localauth
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBIND_KRB5_LOCALAU" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "WINBIND_KRB5_LOCALAU" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
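Review bot: the .TH title on the changed line is cut to "WINBIND_KRB5_LOCALAU" although the Title comment above gives winbind_krb5_localauth, and the Manual field is the bare section number "8" where the other section 8 pages in this diff carry "System Administration tools". Both are carried unchanged across the version bump, so the correction belongs in the DocBook source rather than in this generated file.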
@@ -66,7 +66,7 @@
 .sp
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/winbind_krb5_locator.8 samba-4.17.7+dfsg/docs/manpages/winbind_krb5_locator.8
--- samba-4.17.6+dfsg/docs/manpages/winbind_krb5_locator.8	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winbind_krb5_locator.8	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winbind_krb5_locator
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: 8
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINBIND_KRB5_LOCATOR" "8" "03/09/2023" "Samba 4\&.17\&.6" "8"
+.TH "WINBIND_KRB5_LOCATOR" "8" "03/29/2023" "Samba 4\&.17\&.7" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -57,7 +57,7 @@
 /etc/krb5\&.conf\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs/manpages/winexe.1 samba-4.17.7+dfsg/docs/manpages/winexe.1
--- samba-4.17.6+dfsg/docs/manpages/winexe.1	2023-03-09 12:19:31.000000000 +0300
+++ samba-4.17.7+dfsg/docs/manpages/winexe.1	2023-03-29 16:24:50.000000000 +0300
@@ -2,12 +2,12 @@
 .\"     Title: winexe
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\"      Date: 03/09/2023
+.\"      Date: 03/29/2023
 .\"    Manual: User Commands
-.\"    Source: Samba 4.17.6
+.\"    Source: Samba 4.17.7
 .\"  Language: English
 .\"
-.TH "WINEXE" "1" "03/09/2023" "Samba 4\&.17\&.6" "User Commands"
+.TH "WINEXE" "1" "03/29/2023" "Samba 4\&.17\&.7" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -464,7 +464,7 @@
 The winexe program returns 0 if the operation succeeded, or 1 if the operation failed\&.
 .SH "VERSION"
 .PP
-This man page is part of version 4\&.17\&.6 of the Samba suite\&.
+This man page is part of version 4\&.17\&.7 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff -Nru samba-4.17.6+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml samba-4.17.7+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
--- samba-4.17.6+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml	2022-08-08 17:15:39.012189400 +0300
+++ samba-4.17.7+dfsg/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml	2023-03-20 12:05:01.312120400 +0300
@@ -18,25 +18,24 @@
 	</para>
 	
 	<para>
-	This option is needed in the case of Domain Controllers enforcing 
-	the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
-	LDAP sign and seal can be controlled with the registry key
-	"<literal>HKLM\System\CurrentControlSet\Services\</literal>
-	<literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
-	on the Windows server side.  
-	</para>
+	This option is needed firstly to secure the privacy of
+	administrative connections from <command>samba-tool</command>,
+	including in particular new or reset passwords for users. For
+	this reason the default is <emphasis>seal</emphasis>.</para>
 
-	<para>
-	Depending on the used KRB5 library (MIT and older Heimdal versions)
-	it is possible that the message "integrity only" is not supported. 
-	In this case, <emphasis>sign</emphasis> is just an alias for 
-	<emphasis>seal</emphasis>.
+	<para>Additionally, <command>winbindd</command> and the
+	<command>net</command> tool can use LDAP to communicate with
+	Domain Controllers, so this option also controls the level of
+	privacy for those connections.  All supported AD DC versions
+	will enforce the usage of at least signed LDAP connections by
+	default, so a value of at least <emphasis>sign</emphasis> is
+	required in practice.
 	</para>
 
 	<para>
-	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+	The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
 	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
 </description>
-<value type="default">sign</value>
+<value type="default">seal</value>
 </samba:parameter>
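Review bot: the default is now stated three times in this file (the new first paragraph, the "The default value is seal" paragraph and the <value type="default"> element), so a later change has to touch all three; keep the prose statement in one place. The hunk also drops the paragraph saying that with MIT and older Heimdal libraries sign is just an alias for seal, without saying whether that still holds. Since the default moves from sign to seal for winbindd and net connections as well as samba-tool, the text should tell administrators who relied on the old default which value to set explicitly.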
diff -Nru samba-4.17.6+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs samba-4.17.7+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs
--- samba-4.17.6+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ABI/ldb-2.6.2.sigs	2023-03-20 12:03:45.323654400 +0300
@@ -0,0 +1,301 @@
+ldb_add: int (struct ldb_context *, const struct ldb_message *)
+ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *)
+ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...)
+ldb_attr_casefold: char *(TALLOC_CTX *, const char *)
+ldb_attr_dn: int (const char *)
+ldb_attr_in_list: int (const char * const *, const char *)
+ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *)
+ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *)
+ldb_base64_decode: int (char *)
+ldb_base64_encode: char *(TALLOC_CTX *, const char *, int)
+ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *)
+ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val)
+ldb_binary_encode_string: char *(TALLOC_CTX *, const char *)
+ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
+ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t)
+ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t)
+ldb_check_critical_controls: int (struct ldb_control **)
+ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
+ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
+ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **)
+ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *)
+ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *)
+ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
+ldb_debug_add: void (struct ldb_context *, const char *, ...)
+ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level)
+ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
+ldb_delete: int (struct ldb_context *, struct ldb_dn *)
+ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...)
+ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...)
+ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val)
+ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *)
+ldb_dn_check_special: bool (struct ldb_dn *, const char *)
+ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
+ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *)
+ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
+ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *)
+ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *)
+ldb_dn_get_casefold: const char *(struct ldb_dn *)
+ldb_dn_get_comp_num: int (struct ldb_dn *)
+ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int)
+ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int)
+ldb_dn_get_extended_comp_num: int (struct ldb_dn *)
+ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *)
+ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int)
+ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *)
+ldb_dn_get_linearized: const char *(struct ldb_dn *)
+ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_get_rdn_name: const char *(struct ldb_dn *)
+ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *)
+ldb_dn_has_extended: bool (struct ldb_dn *)
+ldb_dn_is_null: bool (struct ldb_dn *)
+ldb_dn_is_special: bool (struct ldb_dn *)
+ldb_dn_is_valid: bool (struct ldb_dn *)
+ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
+ldb_dn_minimise: bool (struct ldb_dn *)
+ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *)
+ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...)
+ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int)
+ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int)
+ldb_dn_remove_extended_components: void (struct ldb_dn *)
+ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *)
+ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val)
+ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *)
+ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *)
+ldb_dn_validate: bool (struct ldb_dn *)
+ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *)
+ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int)
+ldb_errstring: const char *(struct ldb_context *)
+ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **)
+ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *)
+ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *)
+ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
+ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_create_perms: unsigned int (struct ldb_context *)
+ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_event_context: struct tevent_context *(struct ldb_context *)
+ldb_get_flags: unsigned int (struct ldb_context *)
+ldb_get_opaque: void *(struct ldb_context *, const char *)
+ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *)
+ldb_global_init: int (void)
+ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *)
+ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *)
+ldb_handle_use_global_event_context: void (struct ldb_handle *)
+ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
+ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
+ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *)
+ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
+ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
+ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **)
+ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *)
+ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *)
+ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *)
+ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *)
+ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **)
+ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *)
+ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *)
+ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
+ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
+ldb_load_modules: int (struct ldb_context *, const char **)
+ldb_map_add: int (struct ldb_module *, struct ldb_request *)
+ldb_map_delete: int (struct ldb_module *, struct ldb_request *)
+ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *)
+ldb_map_modify: int (struct ldb_module *, struct ldb_request *)
+ldb_map_rename: int (struct ldb_module *, struct ldb_request *)
+ldb_map_search: int (struct ldb_module *, struct ldb_request *)
+ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *)
+ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope)
+ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *)
+ldb_match_msg_objectclass: int (const struct ldb_message *, const char *)
+ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope)
+ldb_mod_register_control: int (struct ldb_module *, const char *)
+ldb_modify: int (struct ldb_context *, const struct ldb_message *)
+ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *)
+ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **)
+ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int)
+ldb_module_flags: uint32_t (struct ldb_context *)
+ldb_module_get_ctx: struct ldb_context *(struct ldb_module *)
+ldb_module_get_name: const char *(struct ldb_module *)
+ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *)
+ldb_module_get_private: void *(struct ldb_module *)
+ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *)
+ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **)
+ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *)
+ldb_module_next: struct ldb_module *(struct ldb_module *)
+ldb_module_popt_options: struct poptOption **(struct ldb_context *)
+ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **)
+ldb_module_send_referral: int (struct ldb_request *, char *)
+ldb_module_set_next: void (struct ldb_module *, struct ldb_module *)
+ldb_module_set_private: void (struct ldb_module *, void *)
+ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type)
+ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *)
+ldb_modules_load: int (const char *, const char *)
+ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int)
+ldb_msg_add_distinguished_name: int (struct ldb_message *)
+ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **)
+ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...)
+ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *)
+ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
+ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
+ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
+ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
+ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
+ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
+ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
+ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
+ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
+ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
+ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
+ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
+ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
+ldb_msg_element_is_inaccessible: bool (const struct ldb_message_element *)
+ldb_msg_element_mark_inaccessible: void (struct ldb_message_element *)
+ldb_msg_elements_take_ownership: int (struct ldb_message *)
+ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int)
+ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *)
+ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double)
+ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int)
+ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t)
+ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *)
+ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int)
+ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t)
+ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t)
+ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t)
+ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *)
+ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *)
+ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *)
+ldb_msg_new: struct ldb_message *(TALLOC_CTX *)
+ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **)
+ldb_msg_remove_attr: void (struct ldb_message *, const char *)
+ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *)
+ldb_msg_remove_inaccessible: void (struct ldb_message *)
+ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *)
+ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *)
+ldb_msg_shrink_to_fit: void (struct ldb_message *)
+ldb_msg_sort_elements: void (struct ldb_message *)
+ldb_next_del_trans: int (struct ldb_module *)
+ldb_next_end_trans: int (struct ldb_module *)
+ldb_next_init: int (struct ldb_module *)
+ldb_next_prepare_commit: int (struct ldb_module *)
+ldb_next_read_lock: int (struct ldb_module *)
+ldb_next_read_unlock: int (struct ldb_module *)
+ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *)
+ldb_next_request: int (struct ldb_module *, struct ldb_request *)
+ldb_next_start_trans: int (struct ldb_module *)
+ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_options_copy: const char **(TALLOC_CTX *, const char **)
+ldb_options_find: const char *(struct ldb_context *, const char **, const char *)
+ldb_options_get: const char **(struct ldb_context *)
+ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *, uint32_t)
+ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *)
+ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **)
+ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *)
+ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *)
+ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *)
+ldb_parse_tree_get_attr: const char *(const struct ldb_parse_tree *)
+ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *)
+ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t)
+ldb_register_backend: int (const char *, ldb_connect_fn, bool)
+ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *)
+ldb_register_hook: int (ldb_hook_fn)
+ldb_register_module: int (const struct ldb_module_ops *)
+ldb_register_redact_callback: int (struct ldb_context *, ldb_redact_fn, struct ldb_module *)
+ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *)
+ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *)
+ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *)
+ldb_req_get_custom_flags: uint32_t (struct ldb_request *)
+ldb_req_is_untrusted: bool (struct ldb_request *)
+ldb_req_location: const char *(struct ldb_request *)
+ldb_req_mark_trusted: void (struct ldb_request *)
+ldb_req_mark_untrusted: void (struct ldb_request *)
+ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t)
+ldb_req_set_location: void (struct ldb_request *, const char *)
+ldb_request: int (struct ldb_context *, struct ldb_request *)
+ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *)
+ldb_request_done: int (struct ldb_request *, int)
+ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *)
+ldb_request_get_status: int (struct ldb_request *)
+ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *)
+ldb_request_set_state: void (struct ldb_request *, int)
+ldb_reset_err_string: void (struct ldb_context *)
+ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***)
+ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *)
+ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *)
+ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *)
+ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *)
+ldb_schema_attribute_remove: void (struct ldb_context *, const char *)
+ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int)
+ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *)
+ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *)
+ldb_schema_set_override_indexlist: void (struct ldb_context *, bool)
+ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...)
+ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *)
+ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *)
+ldb_set_create_perms: void (struct ldb_context *, unsigned int)
+ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *)
+ldb_set_debug_stderr: int (struct ldb_context *)
+ldb_set_default_dns: void (struct ldb_context *)
+ldb_set_errstring: void (struct ldb_context *, const char *)
+ldb_set_event_context: void (struct ldb_context *, struct tevent_context *)
+ldb_set_flags: void (struct ldb_context *, unsigned int)
+ldb_set_modules_dir: void (struct ldb_context *, const char *)
+ldb_set_opaque: int (struct ldb_context *, const char *, void *)
+ldb_set_require_private_event_context: void (struct ldb_context *)
+ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int)
+ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *)
+ldb_set_utf8_default: void (struct ldb_context *)
+ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t))
+ldb_setup_wellknown_attributes: int (struct ldb_context *)
+ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *)
+ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *)
+ldb_strerror: const char *(int)
+ldb_string_to_time: time_t (const char *)
+ldb_string_utc_to_time: time_t (const char *)
+ldb_timestring: char *(TALLOC_CTX *, time_t)
+ldb_timestring_utc: char *(TALLOC_CTX *, time_t)
+ldb_transaction_cancel: int (struct ldb_context *)
+ldb_transaction_cancel_noerr: int (struct ldb_context *)
+ldb_transaction_commit: int (struct ldb_context *)
+ldb_transaction_prepare_commit: int (struct ldb_context *)
+ldb_transaction_start: int (struct ldb_context *)
+ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *)
+ldb_unpack_data_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, unsigned int)
+ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *)
+ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *)
+ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *)
+ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
+ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
+ldb_val_string_cmp: int (const struct ldb_val *, const char *)
+ldb_val_to_time: int (const struct ldb_val *, time_t *)
+ldb_valid_attr_name: int (const char *)
+ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list)
+ldb_wait: int (struct ldb_handle *, enum ldb_wait_type)
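Review bot: this new signature file makes helpers added elsewhere in the patch part of the public ldb ABI, including ldb_match_scope, ldb_register_redact_callback, ldb_msg_element_mark_inaccessible, ldb_msg_remove_inaccessible and ldb_msg_shrink_to_fit. Because the file is added whole, the diff does not show which of the 301 symbols are new in 2.6.2. Listing the additions in the changelog would make the ABI change reviewable, and it is worth confirming that each of these needs to be exported rather than kept private to the code that uses it.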
diff -Nru samba-4.17.6+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs samba-4.17.7+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs
--- samba-4.17.6+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ABI/pyldb-util-2.6.2.sigs	2023-03-20 12:03:45.323654400 +0300
@@ -0,0 +1,3 @@
+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *)
+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **)
+pyldb_check_type: bool (PyObject *, const char *)
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_match.c samba-4.17.7+dfsg/lib/ldb/common/ldb_match.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_match.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_match.c	2023-03-20 12:03:45.211653700 +0300
@@ -34,14 +34,15 @@
 
 #include "ldb_private.h"
 #include "dlinklist.h"
+#include "ldb_handlers.h"
 
 /*
   check if the scope matches in a search result
 */
-static int ldb_match_scope(struct ldb_context *ldb,
-			   struct ldb_dn *base,
-			   struct ldb_dn *dn,
-			   enum ldb_scope scope)
+int ldb_match_scope(struct ldb_context *ldb,
+		    struct ldb_dn *base,
+		    struct ldb_dn *dn,
+		    enum ldb_scope scope)
 {
 	int ret = 0;
 
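Review bot: ldb_match_scope loses static here and becomes callable from outside ldb_match.c, but its only documentation is still the one-line comment "check if the scope matches in a search result". Document the return convention (the body starts from int ret = 0) and what is expected of base and dn, since callers can no longer be audited within this file.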
@@ -259,20 +260,42 @@
 		return LDB_SUCCESS;
 	}
 
-	if (a->syntax->canonicalise_fn(ldb, ldb, &value, &val) != 0) {
-		return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+	/* No need to just copy this value for a binary match */
+	if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+		if (a->syntax->canonicalise_fn(ldb, ldb, &value, &val) != 0) {
+			return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+		}
+
+		/*
+		 * Only set save_p if we allocate (call
+		 * a->syntax->canonicalise_fn()), as we
+		 * talloc_free(save_p) below to clean up
+		 */
+		save_p = val.data;
+	} else {
+		val = value;
 	}
 
-	save_p = val.data;
 	cnk.data = NULL;
 
 	if ( ! tree->u.substring.start_with_wildcard ) {
+		uint8_t *cnk_to_free = NULL;
 
 		chunk = tree->u.substring.chunks[c];
-		if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto mismatch;
+		/* No need to just copy this value for a binary match */
+		if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+			if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
+				goto mismatch;
+			}
+
+			cnk_to_free = cnk.data;
+		} else {
+			cnk = *chunk;
+		}
 
 		/* This deals with wildcard prefix searches on binary attributes (eg objectGUID) */
 		if (cnk.length > val.length) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 		/*
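Review bot: save_p is now assigned only inside the canonicalise branch, yet talloc_free(save_p) still runs on both exit paths, so the code relies on save_p being initialised to NULL at its declaration, which is outside this hunk; please confirm that. In the ldb_handler_copy branch, val = value makes val.data point into the stored value rather than a private copy. That is fine while the function only reads through it and advances the local val, and a comment saying so would keep a later edit from writing through it. The a->syntax->canonicalise_fn != ldb_handler_copy test is repeated for the value and for each chunk and could be one small helper.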
@@ -280,32 +303,47 @@
 		 * we can cope with this.
 		 */
 		if (cnk.length == 0) {
+			TALLOC_FREE(cnk_to_free);
+			goto mismatch;
+		}
+
+		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 
-		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto mismatch;
 		val.length -= cnk.length;
 		val.data += cnk.length;
 		c++;
-		talloc_free(cnk.data);
+		TALLOC_FREE(cnk_to_free);
 		cnk.data = NULL;
 	}
 
 	while (tree->u.substring.chunks[c]) {
 		uint8_t *p;
+		uint8_t *cnk_to_free = NULL;
 
 		chunk = tree->u.substring.chunks[c];
-		if(a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
-			goto mismatch;
+		/* No need to just copy this value for a binary match */
+		if (a->syntax->canonicalise_fn != ldb_handler_copy) {
+			if (a->syntax->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) {
+				goto mismatch;
+			}
+
+			cnk_to_free = cnk.data;
+		} else {
+			cnk = *chunk;
 		}
 		/*
 		 * Empty strings are returned as length 0. Ensure
 		 * we can cope with this.
 		 */
 		if (cnk.length == 0) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 		if (cnk.length > val.length) {
+			TALLOC_FREE(cnk_to_free);
 			goto mismatch;
 		}
 
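Review bot: every goto mismatch in this hunk now has to be preceded by its own TALLOC_FREE(cnk_to_free), where previously the mismatch label freed cnk.data in one place. A path added later that forgets the free would leak the canonicalised chunk, which going by the canonicalise_fn(ldb, ldb, chunk, &cnk) call is allocated under ldb. Declaring cnk_to_free once at function scope and freeing it at the mismatch label and at the end of each iteration would restore a single cleanup point.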
@@ -320,6 +358,8 @@
 			cmp = memcmp(p,
 				     cnk.data,
 				     cnk.length);
+			TALLOC_FREE(cnk_to_free);
+
 			if (cmp != 0) {
 				goto mismatch;
 			}
@@ -331,15 +371,16 @@
 			p = memmem((const void *)val.data, val.length,
 				   (const void *)cnk.data, cnk.length);
 			if (p == NULL) {
+				TALLOC_FREE(cnk_to_free);
 				goto mismatch;
 			}
 			/* move val to the end of the match */
 			p += cnk.length;
 			val.length -= (p - val.data);
 			val.data = p;
+			TALLOC_FREE(cnk_to_free);
 		}
 		c++;
-		TALLOC_FREE(cnk.data);
 	}
 
 	talloc_free(save_p);
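Review bot: inside the loop, cnk.data is left pointing at freed memory after TALLOC_FREE(cnk_to_free), whereas the non-wildcard block earlier in the function still resets cnk.data = NULL after freeing. Nothing visible here reads cnk before it is reassigned on the next iteration, but resetting cnk after the free (or declaring it inside the loop) would make the two blocks consistent and keep a stale pointer from surviving the loop.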
@@ -349,7 +390,6 @@
 mismatch:
 	*matched = false;
 	talloc_free(save_p);
-	talloc_free(cnk.data);
 	return LDB_SUCCESS;
 }
 
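Review bot: removing talloc_free(cnk.data) from the mismatch label is needed now that cnk can alias a chunk owned by the parse tree, but nothing at the label says so. A one-line comment there, stating that allocated chunks are released through cnk_to_free before the jump, would stop the free from being reintroduced.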
@@ -531,6 +571,26 @@
 			      &tree->u.extended.value, matched);
 }
 
+static bool ldb_must_suppress_match(const struct ldb_message *msg,
+				    const struct ldb_parse_tree *tree)
+{
+	const char *attr = NULL;
+	struct ldb_message_element *el = NULL;
+
+	attr = ldb_parse_tree_get_attr(tree);
+	if (attr == NULL) {
+		return false;
+	}
+
+	/* find the message element */
+	el = ldb_msg_find_element(msg, attr);
+	if (el == NULL) {
+		return false;
+	}
+
+	return ldb_msg_element_is_inaccessible(el);
+}
+
 /*
   Check if a particular message will match the given filter
 
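Review bot: ldb_must_suppress_match returns false, meaning "do not suppress", both when ldb_parse_tree_get_attr() yields NULL and when the attribute is absent from the message, and it has no comment explaining why failing open is correct in those cases. Add a header comment stating which tree operations carry no attribute and how they are covered, and note that only the single element returned by ldb_msg_find_element() is tested.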
@@ -555,6 +615,17 @@
 		return LDB_SUCCESS;
 	}
 
+	/*
+	 * Suppress matches on confidential attributes (handled
+	 * manually in extended matches as these can do custom things
+	 * like read other parts of the DB or other attributes).
+	 */
+	if (tree->operation != LDB_OP_EXTENDED) {
+		if (ldb_must_suppress_match(msg, tree)) {
+			return LDB_SUCCESS;
+		}
+	}
+
 	switch (tree->operation) {
 	case LDB_OP_AND:
 		for (i=0;i<tree->u.list.num_elements;i++) {
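Review bot: the new early return for a suppressed attribute returns LDB_SUCCESS without setting the match result itself, so the outcome depends on the result having been set to false before this point, which the hunk does not show. Setting it to false explicitly in this branch would make the fail-closed behaviour local and obvious. The comment says extended matches handle suppression manually; a pointer to where that happens would help, since LDB_OP_EXTENDED is the one operation skipped here.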
@@ -741,3 +812,15 @@
 	return LDB_SUCCESS;
 }
 
+int ldb_register_redact_callback(struct ldb_context *ldb,
+				 ldb_redact_fn redact_fn,
+				 struct ldb_module *module)
+{
+	if (ldb->redact.callback != NULL) {
+		return LDB_ERR_ENTRY_ALREADY_EXISTS;
+	}
+
+	ldb->redact.callback = redact_fn;
+	ldb->redact.module = module;
+	return LDB_SUCCESS;
+}
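Review bot: ldb_register_redact_callback() stores the raw module pointer in ldb->redact.module and offers no way to clear the registration, so the module has to outlive the ldb context or the search paths will invoke the callback with a dangling pointer. Document that lifetime requirement above the function, or clear ldb->redact from a talloc destructor on the module. A NULL redact_fn is also accepted and returns LDB_SUCCESS while leaving the slot unregistered; rejecting it would make misuse visible.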
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_msg.c samba-4.17.7+dfsg/lib/ldb/common/ldb_msg.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_msg.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_msg.c	2023-03-20 12:03:44.611650000 +0300
@@ -795,6 +795,32 @@
 	return ldb_attr_cmp(el1->name, el2->name);
 }
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el)
+{
+	el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+}
+
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el)
+{
+	return (el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE) != 0;
+}
+
+void ldb_msg_remove_inaccessible(struct ldb_message *msg)
+{
+	unsigned i;
+	unsigned num_del = 0;
+
+	for (i = 0; i < msg->num_elements; ++i) {
+		if (ldb_msg_element_is_inaccessible(&msg->elements[i])) {
+			++num_del;
+		} else if (num_del) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
+	}
+
+	msg->num_elements -= num_del;
+}
+
 /*
   convenience functions to return common types from a message
   these return the first value if the attribute is multi-valued
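Review bot: ldb_msg_remove_inaccessible() only compacts the array and lowers num_elements; the name and values of each dropped element are not freed, and the slots past the new num_elements still hold stale element structs. For data that was marked inaccessible this deserves a comment saying who frees it and when, or the tail slots should be zeroed. The three new functions also have no doc comments, and `unsigned i` differs from the `unsigned int` used in the other new loops in this patch.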
@@ -1471,6 +1497,22 @@
 	}
 }
 
+/* Reallocate elements to drop any excess capacity. */
+void ldb_msg_shrink_to_fit(struct ldb_message *msg)
+{
+	if (msg->num_elements > 0) {
+		struct ldb_message_element *elements = talloc_realloc(msg,
+								      msg->elements,
+								      struct ldb_message_element,
+								      msg->num_elements);
+		if (elements != NULL) {
+			msg->elements = elements;
+		}
+	} else {
+		TALLOC_FREE(msg->elements);
+	}
+}
+
 /*
   return a LDAP formatted GeneralizedTime string
 */
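Review bot: ldb_msg_shrink_to_fit() passes msg->elements to talloc_realloc() and TALLOC_FREE(), so it is only safe when the array is a talloc allocation, and nothing in the comment says so. Add that precondition to the comment, along with a note that a failed realloc is deliberately ignored because the old, larger array is still valid.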
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_pack.c samba-4.17.7+dfsg/lib/ldb/common/ldb_pack.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_pack.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_pack.c	2023-03-20 12:03:44.663650300 +0300
@@ -690,6 +690,7 @@
 		element->values = NULL;
 		if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) && element->num_values == 1) {
 			element->values = &ldb_val_single_array[nelem];
+			element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
 		} else if (element->num_values != 0) {
 			element->values = talloc_array(message->elements,
 						       struct ldb_val,
@@ -932,6 +933,7 @@
 		if ((flags & LDB_UNPACK_DATA_FLAG_NO_VALUES_ALLOC) &&
 		    element->num_values == 1) {
 			element->values = &ldb_val_single_array[nelem];
+			element->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
 		} else if (element->num_values != 0) {
 			element->values = talloc_array(message->elements,
 						       struct ldb_val,
@@ -1096,7 +1098,7 @@
 /*
   add the special distinguishedName element
 */
-static int msg_add_distinguished_name(struct ldb_message *msg)
+int ldb_msg_add_distinguished_name(struct ldb_message *msg)
 {
 	const char *dn_attr = "distinguishedName";
 	char *dn = NULL;
@@ -1156,7 +1158,7 @@
 
 	/* Shortcuts for the simple cases */
 	} else if (add_dn && i == 1) {
-		if (msg_add_distinguished_name(filtered_msg) != 0) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
 			goto failed;
 		}
 		return 0;
@@ -1236,7 +1238,7 @@
 	filtered_msg->num_elements = num_elements;
 
 	if (add_dn) {
-		if (msg_add_distinguished_name(filtered_msg) != 0) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
 			goto failed;
 		}
 	}
@@ -1259,3 +1261,100 @@
 	TALLOC_FREE(filtered_msg->elements);
 	return -1;
 }
+
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *.
+ * Unlike ldb_filter_attrs(), the DN will not be added
+ * if it is missing.
+ */
+int ldb_filter_attrs_in_place(struct ldb_message *msg,
+			      const char *const *attrs)
+{
+	unsigned int i = 0;
+	bool keep_all = false;
+	unsigned int num_del = 0;
+
+	if (attrs) {
+		/* check for special attrs */
+		for (i = 0; attrs[i]; i++) {
+			int cmp = strcmp(attrs[i], "*");
+			if (cmp == 0) {
+				keep_all = true;
+				break;
+			}
+		}
+		if (!keep_all && i == 0) {
+			msg->num_elements = 0;
+			return LDB_SUCCESS;
+		}
+	} else {
+		keep_all = true;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		bool found = false;
+		unsigned int j;
+
+		if (keep_all) {
+			found = true;
+		} else {
+			for (j = 0; attrs[j]; j++) {
+				int cmp = ldb_attr_cmp(msg->elements[i].name, attrs[j]);
+				if (cmp == 0) {
+					found = true;
+					break;
+				}
+			}
+		}
+
+		if (!found) {
+			++num_del;
+		} else if (num_del != 0) {
+			msg->elements[i - num_del] = msg->elements[i];
+		}
+	}
+
+	msg->num_elements -= num_del;
+
+	return LDB_SUCCESS;
+}
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg)
+{
+	unsigned int i = 0;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		struct ldb_message_element *el = &msg->elements[i];
+		const char *name;
+		unsigned int j;
+
+		name = talloc_strdup(msg->elements,
+				     el->name);
+		if (name == NULL) {
+			return -1;
+		}
+		el->name = name;
+
+		if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
+			struct ldb_val *values = talloc_memdup(msg->elements, el->values,
+							       sizeof(struct ldb_val) * el->num_values);
+			if (values == NULL) {
+				return -1;
+			}
+			el->values = values;
+			el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
+		}
+
+		for (j = 0; j < el->num_values; j++) {
+			struct ldb_val val = ldb_val_dup(el->values, &el->values[j]);
+			if (val.data == NULL && el->values[j].length != 0) {
+				return -1;
+			}
+			el->values[j] = val;
+		}
+	}
+
+	return LDB_SUCCESS;
+}
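Review bot: ldb_msg_elements_take_ownership() returns -1 on allocation failure but LDB_SUCCESS on success, mixing two conventions; the ldb_kv callers test `ret != LDB_SUCCESS`, which works only because -1 happens to differ from it. Return LDB_ERR_OPERATIONS_ERROR instead. On failure the message is also left half converted (some names and values duplicated, others still borrowed), so the comment should say that the caller must discard msg. Separately, ldb_filter_attrs_in_place() can only return LDB_SUCCESS, so either make it void or note that the callers' error branches are reserved for future use.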
diff -Nru samba-4.17.6+dfsg/lib/ldb/common/ldb_parse.c samba-4.17.7+dfsg/lib/ldb/common/ldb_parse.c
--- samba-4.17.6+dfsg/lib/ldb/common/ldb_parse.c	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/common/ldb_parse.c	2023-03-20 12:03:44.803651300 +0300
@@ -997,3 +997,28 @@
 
 	return nt;
 }
+
+/* Get the attribute (if any) associated with the top node of a parse tree. */
+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree)
+{
+	switch (tree->operation) {
+	case LDB_OP_AND:
+	case LDB_OP_OR:
+	case LDB_OP_NOT:
+		return NULL;
+	case LDB_OP_EQUALITY:
+		return tree->u.equality.attr;
+	case LDB_OP_SUBSTRING:
+		return tree->u.substring.attr;
+	case LDB_OP_GREATER:
+	case LDB_OP_LESS:
+	case LDB_OP_APPROX:
+		return tree->u.comparison.attr;
+	case LDB_OP_PRESENT:
+		return tree->u.present.attr;
+	case LDB_OP_EXTENDED:
+		return tree->u.extended.attr;
+	}
+
+	return NULL;
+}
diff -Nru samba-4.17.6+dfsg/lib/ldb/include/ldb_module.h samba-4.17.7+dfsg/lib/ldb/include/ldb_module.h
--- samba-4.17.6+dfsg/lib/ldb/include/ldb_module.h	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/include/ldb_module.h	2023-03-20 12:03:45.131653300 +0300
@@ -102,6 +102,12 @@
  */
 #define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
 
+/*
+ * this attribute has been access checked. We know the user has the right to
+ * view it. Used internally in Samba aclread module.
+ */
+#define LDB_FLAG_INTERNAL_ACCESS_CHECKED 0x400
+
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
 
@@ -490,6 +496,9 @@
  */
 bool ldb_dn_replace_components(struct ldb_dn *dn, struct ldb_dn *new_dn);
 
+/* Get the attribute (if any) associated with the top node of a parse tree. */
+const char *ldb_parse_tree_get_attr(const struct ldb_parse_tree *tree);
+
 /*
   walk a parse tree, calling the provided callback on each node
 */
@@ -513,6 +522,15 @@
 int ldb_register_extended_match_rule(struct ldb_context *ldb,
 				     const struct ldb_extended_match_rule *rule);
 
+void ldb_msg_element_mark_inaccessible(struct ldb_message_element *el);
+bool ldb_msg_element_is_inaccessible(const struct ldb_message_element *el);
+void ldb_msg_remove_inaccessible(struct ldb_message *msg);
+
+typedef int (*ldb_redact_fn)(struct ldb_module *, struct ldb_request *, struct ldb_message *);
+int ldb_register_redact_callback(struct ldb_context *ldb,
+			       ldb_redact_fn redact_fn,
+			       struct ldb_module *module);
+
 /*
  * these pack/unpack functions are exposed in the library for use by
  * ldb tools like ldbdump and for use in tests,
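Review bot: the ldb_redact_fn typedef and ldb_register_redact_callback() are declared without any comment describing the contract: what the callback is expected to do to the message (for instance mark elements with ldb_msg_element_mark_inaccessible()), what a non-success return means for the search, and that only one callback can be registered per context. Other modules will code against this header, so put that description here rather than leaving it to the call sites.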
@@ -538,6 +556,19 @@
 		     const struct ldb_message *msg,
 		     const char *const *attrs,
 		     struct ldb_message *filtered_msg);
+
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *.
+ * Unlike ldb_filter_attrs(), the DN will not be added
+ * if it is missing.
+ */
+int ldb_filter_attrs_in_place(struct ldb_message *msg,
+			      const char *const *attrs);
+
+/* Have an unpacked ldb message take talloc ownership of its elements. */
+int ldb_msg_elements_take_ownership(struct ldb_message *msg);
+
 /*
  * Unpack a ldb message from a linear buffer in ldb_val
  *
diff -Nru samba-4.17.6+dfsg/lib/ldb/include/ldb_private.h samba-4.17.7+dfsg/lib/ldb/include/ldb_private.h
--- samba-4.17.6+dfsg/lib/ldb/include/ldb_private.h	2022-08-08 17:15:39.080190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/include/ldb_private.h	2023-03-20 12:03:45.211653700 +0300
@@ -119,6 +119,11 @@
 		struct ldb_extended_match_entry *prev, *next;
 	} *extended_match_rules;
 
+	struct {
+		struct ldb_module *module;
+		ldb_redact_fn callback;
+	} redact;
+
 	/* custom utf8 functions */
 	struct ldb_utf8_fns utf8_fns;
 
@@ -317,4 +322,20 @@
 		      const struct ldb_parse_tree *tree,
 		      enum ldb_scope scope, bool *matched);
 
+/*
+  check if the scope matches in a search result
+*/
+int ldb_match_scope(struct ldb_context *ldb,
+		    struct ldb_dn *base,
+		    struct ldb_dn *dn,
+		    enum ldb_scope scope);
+
+/* Reallocate elements to drop any excess capacity. */
+void ldb_msg_shrink_to_fit(struct ldb_message *msg);
+
+/*
+  add the special distinguishedName element
+*/
+int ldb_msg_add_distinguished_name(struct ldb_message *msg);
+
 #endif
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv.h samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv.h
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv.h	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv.h	2023-03-20 12:03:44.687650400 +0300
@@ -301,10 +301,8 @@
 		      const struct ldb_val ldb_key,
 		      struct ldb_message *msg,
 		      unsigned int unpack_flags);
-int ldb_kv_filter_attrs(struct ldb_context *ldb,
-			const struct ldb_message *msg,
-			const char *const *attrs,
-			struct ldb_message *filtered_msg);
+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg,
+				 const char *const *attrs);
 int ldb_kv_search(struct ldb_kv_context *ctx);
 
 /*
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_index.c	2023-03-20 12:03:45.211653700 +0300
@@ -2264,7 +2264,6 @@
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct ldb_message *msg;
-	struct ldb_message *filtered_msg;
 	unsigned int i;
 	unsigned int num_keys = 0;
 	uint8_t previous_guid_key[LDB_KV_GUID_KEY_SIZE] = {0};
@@ -2435,17 +2434,31 @@
 		 *
 		 * LDB_SCOPE_BASE is not passed in by our only caller.
 		 */
-		if (ac->scope == LDB_SCOPE_ONELEVEL &&
-		    ldb_kv->cache->one_level_indexes &&
-		    scope_one_truncation == KEY_NOT_TRUNCATED) {
-			ret = ldb_match_message(ldb, msg, ac->tree,
-						ac->scope, &matched);
-		} else {
-			ret = ldb_match_msg_error(ldb, msg,
-						  ac->tree, ac->base,
-						  ac->scope, &matched);
+		if (ac->scope != LDB_SCOPE_ONELEVEL ||
+		    !ldb_kv->cache->one_level_indexes ||
+		    scope_one_truncation != KEY_NOT_TRUNCATED)
+		{
+			/*
+			 * The redaction callback may be expensive to call if it
+			 * fetches a security descriptor. Check the DN early and
+			 * bail out if it doesn't match the base.
+			 */
+			if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+				talloc_free(msg);
+				continue;
+			}
 		}
 
+		if (ldb->redact.callback != NULL) {
+			ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
+			if (ret != LDB_SUCCESS) {
+				talloc_free(msg);
+				return ret;
+			}
+		}
+
+		ret = ldb_match_message(ldb, msg, ac->tree,
+					ac->scope, &matched);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(keys);
 			talloc_free(msg);
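Review bot: the redaction failure path does talloc_free(msg) and `return ret` without talloc_free(keys), while the ldb_match_message() failure path directly below it frees both. Unless keys is guaranteed to be released by its talloc parent on this return, add talloc_free(keys) so the two error paths match.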
@@ -2456,27 +2469,31 @@
 			continue;
 		}
 
-		filtered_msg = ldb_msg_new(ac);
-		if (filtered_msg == NULL) {
-			TALLOC_FREE(keys);
-			TALLOC_FREE(msg);
+		ret = ldb_msg_add_distinguished_name(msg);
+		if (ret == -1) {
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-		filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
-
 		/* filter the attributes that the user wants */
-		ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg);
+		ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(keys);
+			talloc_free(msg);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
 
-		talloc_free(msg);
+		ldb_msg_shrink_to_fit(msg);
 
-		if (ret == -1) {
-			TALLOC_FREE(filtered_msg);
+		/* Ensure the message elements are all talloc'd. */
+		ret = ldb_msg_elements_take_ownership(msg);
+		if (ret != LDB_SUCCESS) {
 			talloc_free(keys);
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-		ret = ldb_module_send_entry(ac->req, filtered_msg, NULL);
+		ret = ldb_module_send_entry(ac->req, msg, NULL);
 		if (ret != LDB_SUCCESS) {
 			/* Regardless of success or failure, the msg
 			 * is the callbacks responsiblity, and should
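Review bot: the ldb_msg_add_distinguished_name() failure path frees msg but not keys, although the removed `filtered_msg == NULL` path it replaces did TALLOC_FREE(keys) and the two error paths that follow still do. Restore the free there. The `ret == -1` test also differs from the `!= 0` check used for the same function in ldb_pack.c; pick one form.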
diff -Nru samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c
--- samba-4.17.6+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c	2022-08-08 17:15:39.084190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/ldb_key_value/ldb_kv_search.c	2023-03-20 12:03:45.211653700 +0300
@@ -292,15 +292,13 @@
 
 /*
  * filter the specified list of attributes from msg,
- * adding requested attributes, and perhaps all for *,
- * but not the DN to filtered_msg.
+ * adding requested attributes, and perhaps all for *.
+ * The DN will not be added if it is missing.
  */
-int ldb_kv_filter_attrs(struct ldb_context *ldb,
-			const struct ldb_message *msg,
-			const char *const *attrs,
-			struct ldb_message *filtered_msg)
+int ldb_kv_filter_attrs_in_place(struct ldb_message *msg,
+				 const char *const *attrs)
 {
-	return ldb_filter_attrs(ldb, msg, attrs, filtered_msg);
+	return ldb_filter_attrs_in_place(msg, attrs);
 }
 
 /*
@@ -313,7 +311,7 @@
 {
 	struct ldb_context *ldb;
 	struct ldb_kv_context *ac;
-	struct ldb_message *msg, *filtered_msg;
+	struct ldb_message *msg;
 	struct timeval now;
 	int ret, timeval_cmp;
 	bool matched;
@@ -397,9 +395,27 @@
 		}
 	}
 
+	/*
+	 * The redaction callback may be expensive to call if it fetches a
+	 * security descriptor. Check the DN early and bail out if it doesn't
+	 * match the base.
+	 */
+	if (!ldb_match_scope(ldb, ac->base, msg->dn, ac->scope)) {
+		talloc_free(msg);
+		return 0;
+	}
+
+	if (ldb->redact.callback != NULL) {
+		ret = ldb->redact.callback(ldb->redact.module, ac->req, msg);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(msg);
+			return ret;
+		}
+	}
+
 	/* see if it matches the given expression */
-	ret = ldb_match_msg_error(ldb, msg,
-				  ac->tree, ac->base, ac->scope, &matched);
+	ret = ldb_match_message(ldb, msg,
+				ac->tree, ac->scope, &matched);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(msg);
 		ac->error = LDB_ERR_OPERATIONS_ERROR;
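Review bot: when the redaction callback fails, this function does `return ret` with an LDB error code, but the other failure paths visible here and in the next hunk set ac->error and return -1. If the caller only treats -1 (or ac->error) as failure, a redaction error will not be reported as intended. Set ac->error from ret and return -1 to match, or explain in a comment why this path is different.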
@@ -410,25 +426,31 @@
 		return 0;
 	}
 
-	filtered_msg = ldb_msg_new(ac);
-	if (filtered_msg == NULL) {
-		TALLOC_FREE(msg);
+	ret = ldb_msg_add_distinguished_name(msg);
+	if (ret == -1) {
+		talloc_free(msg);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
-
 	/* filter the attributes that the user wants */
-	ret = ldb_kv_filter_attrs(ldb, msg, ac->attrs, filtered_msg);
-	talloc_free(msg);
+	ret = ldb_kv_filter_attrs_in_place(msg, ac->attrs);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		ac->error = LDB_ERR_OPERATIONS_ERROR;
+		return -1;
+	}
 
-	if (ret == -1) {
-		TALLOC_FREE(filtered_msg);
+	ldb_msg_shrink_to_fit(msg);
+
+	/* Ensure the message elements are all talloc'd. */
+	ret = ldb_msg_elements_take_ownership(msg);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
 		ac->error = LDB_ERR_OPERATIONS_ERROR;
 		return -1;
 	}
 
-	ret = ldb_module_send_entry(ac->req, filtered_msg, NULL);
+	ret = ldb_module_send_entry(ac->req, msg, NULL);
 	if (ret != LDB_SUCCESS) {
 		ac->request_terminated = true;
 		/* the callback failed, abort the operation */
@@ -491,7 +513,7 @@
 static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv,
 					 struct ldb_kv_context *ctx)
 {
-	struct ldb_message *msg, *filtered_msg;
+	struct ldb_message *msg;
 	struct ldb_context *ldb = ldb_module_get_ctx(ctx->module);
 	const char *dn_linearized;
 	const char *msg_dn_linearized;
@@ -526,6 +548,13 @@
 		return ret;
 	}
 
+	if (ldb->redact.callback != NULL) {
+		ret = ldb->redact.callback(ldb->redact.module, ctx->req, msg);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(msg);
+			return ret;
+		}
+	}
 
 	/*
 	 * We use this, not ldb_match_msg_error() as we know
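Review bot: this is the third identical copy of the `ldb->redact.callback != NULL` block in the patch (the others are in ldb_kv_index.c and earlier in this file). A small static helper that invokes the callback when one is registered would keep the call sites in step if the callback contract or its error handling changes.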
@@ -549,12 +578,6 @@
 	dn_linearized = ldb_dn_get_linearized(ctx->base);
 	msg_dn_linearized = ldb_dn_get_linearized(msg->dn);
 
-	filtered_msg = ldb_msg_new(ctx);
-	if (filtered_msg == NULL) {
-		talloc_free(msg);
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-
 	if (strcmp(dn_linearized, msg_dn_linearized) == 0) {
 		/*
 		 * If the DN is exactly the same string, then
@@ -562,36 +585,42 @@
 		 * returned result, as it has already been
 		 * casefolded
 		 */
-		filtered_msg->dn = ldb_dn_copy(filtered_msg, ctx->base);
+		struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base);
+		if (dn != NULL) {
+			msg->dn = dn;
+		}
 	}
 
-	/*
-	 * If the ldb_dn_copy() failed, or if we did not choose that
-	 * optimisation (filtered_msg is zeroed at allocation),
-	 * steal the one from the unpack
-	 */
-	if (filtered_msg->dn == NULL) {
-		filtered_msg->dn = talloc_steal(filtered_msg, msg->dn);
+	ret = ldb_msg_add_distinguished_name(msg);
+	if (ret == -1) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	/*
 	 * filter the attributes that the user wants.
 	 */
-	ret = ldb_kv_filter_attrs(ldb, msg, ctx->attrs, filtered_msg);
-	if (ret == -1) {
+	ret = ldb_kv_filter_attrs_in_place(msg, ctx->attrs);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ldb_msg_shrink_to_fit(msg);
+
+	/* Ensure the message elements are all talloc'd. */
+	ret = ldb_msg_elements_take_ownership(msg);
+	if (ret != LDB_SUCCESS) {
 		talloc_free(msg);
-		filtered_msg = NULL;
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	/*
-	 * Remove any extended components possibly copied in from
-	 * msg->dn, we just want the casefold components
+	 * Remove any extended components, we just want the casefold components
 	 */
-	ldb_dn_remove_extended_components(filtered_msg->dn);
-	talloc_free(msg);
+	ldb_dn_remove_extended_components(msg->dn);
 
-	ret = ldb_module_send_entry(ctx->req, filtered_msg, NULL);
+	ret = ldb_module_send_entry(ctx->req, msg, NULL);
 	if (ret != LDB_SUCCESS) {
 		/* Regardless of success or failure, the msg
 		 * is the callbacks responsiblity, and should
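Review bot: a failed ldb_dn_copy() is now silently ignored by the `if (dn != NULL)` test and the unpacked msg->dn is kept, but the comment that explained this fallback was removed along with the filtered_msg code. Keep a one-line comment at the `if` saying the fallback is intentional. The DN that gets replaced is also not freed here; say whether it is left for the msg talloc context to release.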
diff -Nru samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c
--- samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_in_place_test.c	2023-03-20 12:03:44.667650500 +0300
@@ -0,0 +1,940 @@
+/*
+ * Tests exercising ldb_filter_attrs_in_place().
+ *
+ *
+ * Copyright (C) Catalyst.NET Ltd 2017
+ * Copyright (C) Andrew Bartlett <abartlet at samba.org> 2019
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../include/ldb.h"
+#include "../include/ldb_module.h"
+
+struct ldbtest_ctx {
+	struct tevent_context *ev;
+	struct ldb_context *ldb;
+};
+
+/*
+ * NOTE WELL:
+ *
+ * This test checks the current behaviour of the function, however
+ * this is not in a public ABI and many of the tested behaviours are
+ * not ideal.  If the behaviour is deliberatly improved, this test
+ * should be updated without worry to the new better behaviour.
+ *
+ * In particular the test is particularly to ensure the current
+ * behaviour is memory-safe.
+ */
+
+static int setup(void **state)
+{
+	struct ldbtest_ctx *test_ctx;
+
+	test_ctx = talloc_zero(NULL, struct ldbtest_ctx);
+	assert_non_null(test_ctx);
+
+	test_ctx->ev = tevent_context_init(test_ctx);
+	assert_non_null(test_ctx->ev);
+
+	test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev);
+	assert_non_null(test_ctx->ldb);
+
+	*state = test_ctx;
+	return 0;
+}
+
+static int teardown(void **state)
+{
+	talloc_free(*state);
+	return 0;
+}
+
+static void msg_add_dn(struct ldb_message *msg)
+{
+	const char *dn_attr = "distinguishedName";
+	char *dn = NULL;
+	int ret;
+
+	assert_null(ldb_msg_find_element(msg, dn_attr));
+
+	assert_non_null(msg->dn);
+	dn = ldb_dn_alloc_linearized(msg, msg->dn);
+	assert_non_null(dn);
+
+	/*
+	 * The message's elements must be talloc allocated to call
+	 * ldb_msg_add_steal_string().
+	 */
+	msg->elements = talloc_memdup(msg,
+				      msg->elements,
+				      msg->num_elements * sizeof(msg->elements[0]));
+	assert_non_null(msg->elements);
+
+	ret = ldb_msg_add_steal_string(msg, dn_attr, dn);
+	assert_int_equal(ret, LDB_SUCCESS);
+}
+
+/*
+ * Test against a record with only one attribute, matching the one in
+ * the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+
+	assert_non_null(msg->dn);
+	assert_int_equal(msg->num_elements, 1);
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching the one of
+ * the multiple attributes in the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched_of_many(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", "bar", "baz", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+
+	assert_non_null(msg->dn);
+	assert_int_equal(msg->num_elements, 1);
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching both
+ * attributes in the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_attrs(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	/* deliberatly the other order */
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "foo");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, only of which is in
+ * the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* Both elements match the filter */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_dup(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching one of the
+ * specified attributes in the list (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_one_of_two(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes against * (but not the
+ * other named attribute) (a corrupt record)
+ */
+static void test_filter_attrs_in_place_two_dup_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 3);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(msg->elements[0].name, "bar");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_int_equal(msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(msg->elements[1].name, "bar");
+	assert_int_equal(msg->elements[1].num_values, 1);
+	assert_int_equal(msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with two attributes, matching the * in
+ * the list
+ */
+static void test_filter_attrs_in_place_two_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 2;
+	msg->elements = elements;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 3);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value1);
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"bar",
+							NULL),
+			    value2);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list, but without the DN being pre-filled.  Succeeds, but the
+ * distinguishedName is not added.
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star_no_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = NULL;
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_null(msg->dn);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list plus requsesting distinguishedName
+ */
+static void test_filter_attrs_in_place_one_attr_matched_star_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 2);
+
+	assert_non_null(msg->dn);
+
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(msg->dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with only one attribute, but returning
+ * distinguishedName from the list (only)
+ */
+static void test_filter_attrs_in_place_one_attr_matched_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 1);
+
+	assert_non_null(msg->dn);
+	assert_string_equal(msg->elements[0].name, "distinguishedName");
+	assert_int_equal(msg->elements[0].num_values, 1);
+	assert_string_equal(msg->elements[0].values[0].data,
+			    ldb_dn_get_linearized(msg->dn));
+}
+
+/*
+ * Test against a record with only one attribute, not matching the
+ * empty attribute list
+ */
+static void test_filter_attrs_in_place_one_attr_empty_list(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+
+	assert_non_null(msg);
+	msg->dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org");
+	msg->num_elements = 1;
+	msg->elements = &element_1;
+
+	assert_non_null(msg->dn);
+	msg_add_dn(msg);
+
+	ret = ldb_filter_attrs_in_place(msg, attrs);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(msg->num_elements, 0);
+	assert_non_null(msg->dn);
+}
+
+int main(int argc, const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_of_many,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_attrs,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_dup,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_one_of_two,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_dup_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_two_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star_no_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_star_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_matched_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_in_place_one_attr_empty_list,
+			setup,
+			teardown),
+	};
+
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
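Review bot: in test_filter_attrs_in_place_one_attr_matched_dn the returned distinguishedName value is checked only with assert_string_equal(msg->elements[0].values[0].data, ...), so values[0].length is never verified and the check relies on the data being NUL-terminated; add an assert_int_equal on values[0].length against strlen(ldb_dn_get_linearized(msg->dn)), in line with the length-plus-memory checks the other tests in this file use. The comment "This does not fail the pidgenhole test" appears three times with the same misspelling (pigeonhole) and never says which check it refers to, and "requsesting" in the one_attr_matched_star_dn header comment should be "requesting".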
diff -Nru samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c
--- samba-4.17.6+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c	2022-08-08 17:15:39.108190000 +0300
+++ samba-4.17.7+dfsg/lib/ldb/tests/ldb_filter_attrs_test.c	2023-03-20 12:03:44.559649700 +0300
@@ -36,6 +36,7 @@
 #include <stdarg.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include <setjmp.h>
 #include <cmocka.h>
 
@@ -96,10 +97,10 @@
 
 	const char *attrs[] = {"foo", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
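Review bot: .length changes here from sizeof(value) to strlen(value), which stops counting the terminating NUL as part of the attribute value, but nothing in the test says so; a one-line comment next to the initialiser stating that the value length excludes the terminator would keep a later edit from switching it back. The same applies to the following hunks in this file that make the identical substitution.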
@@ -130,9 +131,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value));
+			 strlen(value));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value, sizeof(value));
+			    value, strlen(value));
 }
 
 /*
@@ -148,10 +149,10 @@
 
 	const char *attrs[] = {"foo", "bar", "baz", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -182,9 +183,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value));
+			 strlen(value));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value, sizeof(value));
+			    value, strlen(value));
 }
 
 /*
@@ -201,15 +202,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -251,15 +252,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "foo");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -276,15 +277,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -326,9 +327,9 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -345,15 +346,15 @@
 	/* deliberatly the other order */
 	const char *attrs[] = {"bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -400,15 +401,15 @@
 
 	const char *attrs[] = {"bar", "bar", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -445,15 +446,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -469,15 +470,15 @@
 
 	const char *attrs[] = {"bar", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -514,15 +515,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 }
 
 /*
@@ -538,15 +539,15 @@
 
 	const char *attrs[] = {"*", "foo", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 
 	/* foo and bar are the other order to in attrs */
@@ -586,15 +587,15 @@
 	assert_string_equal(filtered_msg->elements[0].name, "bar");
 	assert_int_equal(filtered_msg->elements[0].num_values, 1);
 	assert_int_equal(filtered_msg->elements[0].values[0].length,
-			 sizeof(value1));
+			 strlen(value1));
 	assert_memory_equal(filtered_msg->elements[0].values[0].data,
-			    value1, sizeof(value1));
+			    value1, strlen(value1));
 	assert_string_equal(filtered_msg->elements[1].name, "bar");
 	assert_int_equal(filtered_msg->elements[1].num_values, 1);
 	assert_int_equal(filtered_msg->elements[1].values[0].length,
-			 sizeof(value2));
+			 strlen(value2));
 	assert_memory_equal(filtered_msg->elements[1].values[0].data,
-			    value2, sizeof(value2));
+			    value2, strlen(value2));
 	/*
 	 * assert the ldb_filter_attrs does not modify filtered_msg.dn
 	 * in this case
@@ -619,10 +620,10 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -676,15 +677,15 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value1[] = "The value.......end";
-	uint8_t value2[] = "The value..MUST.end";
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
 	struct ldb_val value_1 = {
-		.data   = value1,
-		.length = (sizeof(value1))
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
 	};
 	struct ldb_val value_2 = {
-		.data   = value2,
-		.length = (sizeof(value2))
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
 	};
 	struct ldb_message_element elements[] = {
 		{
@@ -750,10 +751,10 @@
 
 	const char *attrs[] = {"*", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -789,10 +790,10 @@
 
 	const char *attrs[] = {"*", "distinguishedName", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -844,10 +845,10 @@
 
 	const char *attrs[] = {"distinguishedName", NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
@@ -894,10 +895,10 @@
 
 	const char *attrs[] = {NULL};
 
-	uint8_t value[] = "The value.......end";
+	char value[] = "The value.......end";
 	struct ldb_val value_1 = {
-		.data   = value,
-		.length = (sizeof(value))
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
 	};
 	struct ldb_message_element element_1 = {
 		.name = "foo",
diff -Nru samba-4.17.6+dfsg/lib/ldb/wscript samba-4.17.7+dfsg/lib/ldb/wscript
--- samba-4.17.6+dfsg/lib/ldb/wscript	2022-08-08 17:15:39.116190200 +0300
+++ samba-4.17.7+dfsg/lib/ldb/wscript	2023-03-20 12:03:45.323654400 +0300
@@ -2,7 +2,7 @@
 
 APPNAME = 'ldb'
 # For Samba 4.17.x
-VERSION = '2.6.1'
+VERSION = '2.6.2'
 
 import sys, os
 
@@ -518,6 +518,11 @@
                          deps='cmocka ldb ldb_tdb_err_map',
                          install=False)
 
+        bld.SAMBA_BINARY('ldb_filter_attrs_in_place_test',
+                         source='tests/ldb_filter_attrs_in_place_test.c',
+                         deps='cmocka ldb ldb_tdb_err_map',
+                         install=False)
+
         bld.SAMBA_BINARY('ldb_key_value_sub_txn_tdb_test',
                          bld.SUBDIR('ldb_key_value',
                              '''ldb_kv_search.c
@@ -627,7 +632,6 @@
                  'ldb_msg_test',
                  'ldb_tdb_mod_op_test',
                  'ldb_tdb_guid_mod_op_test',
-                 'ldb_msg_test',
                  'ldb_tdb_kv_ops_test',
                  'ldb_tdb_test',
                  'ldb_match_test',
@@ -637,7 +641,10 @@
                  # on operations which the TDB backend does not currently
                  # support
                  # 'ldb_key_value_sub_txn_tdb_test'
-                 'ldb_parse_test']
+                 'ldb_parse_test',
+                 'ldb_filter_attrs_test',
+                 'ldb_filter_attrs_in_place_test',
+                 ]
 
     # if LIB_LDAP and LIB_LBER defined, then we can test ldb_ldap backend
     # behavior regression for bz#14413
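Review bot: the list gains 'ldb_filter_attrs_test' as well as the new 'ldb_filter_attrs_in_place_test', and ldb_filter_attrs_test.c is a modified file in this diff rather than a new one, so as far as this hunk shows an existing test was missing from the list until now; the commit message should say that explicitly, since it changes which tests are expected to pass. Moving the closing bracket onto its own line after a trailing comma is fine and makes the next addition a one-line diff.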
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/ldb_matching_rules.c samba-4.17.7+dfsg/lib/ldb-samba/ldb_matching_rules.c
--- samba-4.17.6+dfsg/lib/ldb-samba/ldb_matching_rules.c	2022-08-08 17:15:39.064189700 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/ldb_matching_rules.c	2023-03-20 12:03:45.303654200 +0300
@@ -67,7 +67,12 @@
 	 * Note also that we don't have the original request
 	 * here, so we can not apply controls or timeouts here.
 	 */
-	ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
+	ret = dsdb_search_dn(ldb,
+			     tmp_ctx,
+			     &res,
+			     to_visit->dn,
+			     attrs,
+			     DSDB_MARK_REQ_UNTRUSTED);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return ret;
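Review bot: the context comment directly above the call still says only that controls and timeouts cannot be applied because the original request is not available, and it does not explain the new DSDB_MARK_REQ_UNTRUSTED argument; extend that comment to say why this internal search is now marked untrusted (the flags argument was previously 0), so the reason is not lost the next time the call is touched.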
@@ -370,6 +375,11 @@
 		return LDB_SUCCESS;
 	}
 
+	if (ldb_msg_element_is_inaccessible(el)) {
+		*matched = false;
+		return LDB_SUCCESS;
+	}
+
 	session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"),
 				       struct auth_session_info);
 	if (session_info == NULL) {
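Review bot: the new ldb_msg_element_is_inaccessible(el) branch carries no comment, and it reports an inaccessible element as *matched = false with LDB_SUCCESS, which the caller cannot tell apart from an ordinary non-match; add a short comment saying that this is deliberate and why an inaccessible element is treated as a non-match rather than an error.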
@@ -489,6 +499,11 @@
 		return LDB_SUCCESS;
 	}
 
+	if (ldb_msg_element_is_inaccessible(el)) {
+		*matched = false;
+		return LDB_SUCCESS;
+	}
+
 	session_info
 		= talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO),
 				  struct auth_session_info);
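Review bot: this is the same five-line ldb_msg_element_is_inaccessible(el) check as in the previous hunk, copied verbatim; consider one shared helper, or at least give both copies the same explanatory comment so they stay in step. Separately, the context lines show this function fetching the session info with DSDB_SESSION_INFO while the function in the previous hunk uses the literal "sessionInfo"; that is worth unifying in a follow-up.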
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules.py samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules.py
--- samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules.py	2022-08-08 17:15:39.064189700 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules.py	2023-03-20 12:03:45.287654200 +0300
@@ -20,22 +20,35 @@
 # Windows appear to preserve casing of the RDN and uppercase the other keys.
 
 
-class MatchRulesTests(samba.tests.TestCase):
+class MatchRulesTestsBase(samba.tests.TestCase):
     def setUp(self):
-        super(MatchRulesTests, self).setUp()
-        self.lp = lp
-        self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+        super().setUp()
+        self.lp = self.sambaopts.get_loadparm()
+        self.creds = self.credopts.get_credentials(self.lp)
+
+        self.ldb = SamDB(self.host, credentials=self.creds,
+                         session_info=system_session(self.lp),
+                         lp=self.lp)
         self.base_dn = self.ldb.domain_dn()
-        self.ou = "OU=matchrulestest,%s" % self.base_dn
+        self.ou_rdn = "OU=matchrulestest"
+        self.ou = self.ou_rdn + "," + self.base_dn
         self.ou_users = "OU=users,%s" % self.ou
         self.ou_groups = "OU=groups,%s" % self.ou
         self.ou_computers = "OU=computers,%s" % self.ou
 
+        try:
+            self.ldb.delete(self.ou, ["tree_delete:1"])
+        except LdbError as e:
+            pass
+
         # Add a organizational unit to create objects
         self.ldb.add({
             "dn": self.ou,
             "objectclass": "organizationalUnit"})
 
+        self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0'])
+
+
         # Add the following OU hierarchy and set otherWellKnownObjects,
         # which has BinaryDN syntax:
         #
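Review bot: the new pre-cleanup wraps self.ldb.delete(self.ou, ["tree_delete:1"]) in "except LdbError as e: pass", which discards every LDB error (and leaves e unused), so a delete that fails for any reason other than the OU not existing is hidden and shows up later as a confusing failure in self.ldb.add; check the error code and re-raise anything that is not a no-such-object result. The pre-cleanup also passes tree_delete:1 while the addCleanup call passes tree_delete:0; use one form or comment on why they differ. The hunk also adds two consecutive blank lines after the addCleanup call.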
@@ -204,6 +217,39 @@
                                      FLAG_MOD_ADD, "member")
         self.ldb.modify(m)
 
+        # Add a couple of ms-Exch-Configuration-Container to test forward-link
+        # attributes without backward link (addressBookRoots2)
+        # e1
+        # |--> e2
+        # |    |--> c1
+        self.ldb.add({
+            "dn": "cn=e1,%s" % self.ou,
+            "objectclass": "msExchConfigurationContainer"})
+        self.ldb.add({
+            "dn": "cn=e2,%s" % self.ou,
+            "objectclass": "msExchConfigurationContainer"})
+
+        m = Message()
+        m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
+        m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
+                                 FLAG_MOD_ADD, "addressBookRoots2")
+        self.ldb.modify(m)
+
+        m = Message()
+        m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
+        m["e1"] = MessageElement("cn=e2,%s" % self.ou,
+                                 FLAG_MOD_ADD, "addressBookRoots2")
+        self.ldb.modify(m)
+
+
+
+class MatchRulesTests(MatchRulesTestsBase):
+    def setUp(self):
+        self.sambaopts = sambaopts
+        self.credopts = credopts
+        self.host = host
+        super().setUp()
+
         # The msDS-RevealedUsers is owned by system and cannot be modified
         # directly. Set the schemaUpgradeInProgress flag as workaround
         # and create this hierarchy:
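Review bot: MatchRulesTestsBase.setUp reads self.sambaopts, self.credopts and self.host, which exist only because the subclass assigns them before calling super().setUp(); that contract is undocumented, so state it in a docstring or comment on the base class, or fail with a clear message when the attributes are missing. In MatchRulesTests.setUp the assignments come from the module-level names sambaopts, credopts and host, which the last hunk of this file defines only under the __main__ guard. The three blank lines before class MatchRulesTests should be two.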
@@ -243,33 +289,6 @@
         m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress")
         self.ldb.modify(m)
 
-        # Add a couple of ms-Exch-Configuration-Container to test forward-link
-        # attributes without backward link (addressBookRoots2)
-        # e1
-        # |--> e2
-        # |    |--> c1
-        self.ldb.add({
-            "dn": "cn=e1,%s" % self.ou,
-            "objectclass": "msExchConfigurationContainer"})
-        self.ldb.add({
-            "dn": "cn=e2,%s" % self.ou,
-            "objectclass": "msExchConfigurationContainer"})
-
-        m = Message()
-        m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou)
-        m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers,
-                                 FLAG_MOD_ADD, "addressBookRoots2")
-        self.ldb.modify(m)
-
-        m = Message()
-        m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou)
-        m["e1"] = MessageElement("cn=e2,%s" % self.ou,
-                                 FLAG_MOD_ADD, "addressBookRoots2")
-        self.ldb.modify(m)
-
-    def tearDown(self):
-        super(MatchRulesTests, self).tearDown()
-        self.ldb.delete(self.ou, controls=['tree_delete:0'])
 
     def test_u1_member_of_g4(self):
         # Search without transitive match must return 0 results
@@ -945,8 +964,12 @@
 class MatchRuleConditionTests(samba.tests.TestCase):
     def setUp(self):
         super(MatchRuleConditionTests, self).setUp()
-        self.lp = lp
-        self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp)
+        self.lp = sambaopts.get_loadparm()
+        self.creds = credopts.get_credentials(self.lp)
+
+        self.ldb = SamDB(host, credentials=self.creds,
+                         session_info=system_session(self.lp),
+                         lp=self.lp)
         self.base_dn = self.ldb.domain_dn()
         self.ou = "OU=matchruleconditiontests,%s" % self.base_dn
         self.ou_users = "OU=users,%s" % self.ou
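Review bot: MatchRuleConditionTests still reads the module-level names sambaopts, credopts and host directly instead of being parameterised like MatchRulesTestsBase, and the last hunk of this file moves the definition of those names under if __name__ == "__main__", so setUp here raises NameError if the module is imported and this class is run from elsewhere; either give it the same self.sambaopts / self.credopts / self.host treatment or note in a comment that it is usable only when the file is executed as a script.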
@@ -1745,32 +1768,30 @@
                                     self.ou_groups, self.ou_computers))
         self.assertEqual(len(res1), 0)
 
+if __name__ == "__main__":
 
-parser = optparse.OptionParser("match_rules.py [options] <host>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-
-# use command line creds if available
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-opts, args = parser.parse_args()
-subunitopts = SubunitOptions(parser)
-parser.add_option_group(subunitopts)
-
-if len(args) < 1:
-    parser.print_usage()
-    sys.exit(1)
-
-host = args[0]
-
-lp = sambaopts.get_loadparm()
-creds = credopts.get_credentials(lp)
-
-if "://" not in host:
-    if os.path.isfile(host):
-        host = "tdb://%s" % host
-    else:
-        host = "ldap://%s" % host
+    parser = optparse.OptionParser("match_rules.py [options] <host>")
+    sambaopts = options.SambaOptions(parser)
+    parser.add_option_group(sambaopts)
+    parser.add_option_group(options.VersionOptions(parser))
+
+    # use command line creds if available
+    credopts = options.CredentialsOptions(parser)
+    parser.add_option_group(credopts)
+    opts, args = parser.parse_args()
+    subunitopts = SubunitOptions(parser)
+    parser.add_option_group(subunitopts)
+
+    if len(args) < 1:
+        parser.print_usage()
+        sys.exit(1)
+
+    host = args[0]
+
+    if "://" not in host:
+        if os.path.isfile(host):
+            host = "tdb://%s" % host
+        else:
+            host = "ldap://%s" % host
 
-TestProgram(module=__name__, opts=subunitopts)
+    TestProgram(module=__name__, opts=subunitopts)
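Review bot: In the re-indented main block, SubunitOptions(parser) is still constructed and added after `opts, args = parser.parse_args()`, so the subunit options are not registered at the time the command line is parsed. Since the block is being touched anyway, move the two subunitopts lines above the parse_args() call.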
diff -Nru samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules_remote.py samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules_remote.py
--- samba-4.17.6+dfsg/lib/ldb-samba/tests/match_rules_remote.py	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/lib/ldb-samba/tests/match_rules_remote.py	2023-03-20 12:03:45.287654200 +0300
@@ -0,0 +1,104 @@
+#!/usr/bin/env python3
+
+import optparse
+import sys
+import os
+import samba
+import samba.getopt as options
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+from samba.samdb import SamDB
+from samba.auth import system_session
+from samba import sd_utils
+from samba.ndr import ndr_unpack
+from ldb import Message, MessageElement, Dn, LdbError
+from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL
+
+from match_rules import MatchRulesTestsBase
+
+
+class MatchRulesTestsUser(MatchRulesTestsBase):
+    def setUp(self):
+        self.sambaopts = sambaopts
+        self.credopts = credopts
+        self.host = host
+        super().setUp()
+        self.sd_utils = sd_utils.SDUtils(self.ldb)
+
+        self.user_pass = "samba123@"
+        self.match_test_user = "matchtestuser"
+        self.ldb.newuser(self.match_test_user,
+                         self.user_pass,
+                         userou=self.ou_rdn)
+        user_creds = self.insta_creds(template=self.creds,
+                                      username=self.match_test_user,
+                                      userpass=self.user_pass)
+        self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp)
+        token_res = self.user_ldb.search(scope=SCOPE_BASE,
+                                         base="",
+                                         attrs=["tokenGroups"])
+        self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid,
+                                   token_res[0]["tokenGroups"][0])
+
+        self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2"
+
+    def test_with_denied_link(self):
+
+        # add an ACE that denies the user Read Property (RP) access to
+        # the member attr (which is similar to making the attribute
+        # confidential)
+        ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid,
+                                         self.user_sid)
+        g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups)
+
+        # add the ACE that denies access to the attr under test
+        self.sd_utils.dacl_add_ace(g2_dn, ace)
+
+        # Search without transitive match must return 0 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+        # Search with transitive match must return 1 results
+        res1 = self.ldb.search("cn=g4,%s" % self.ou_groups,
+                               scope=SCOPE_BASE,
+                               expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 1)
+        self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower())
+
+        # Search as a user match must return 0 results as the intermediate link can't be seen
+        res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups,
+                                    scope=SCOPE_BASE,
+                                    expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users)
+        self.assertEqual(len(res1), 0)
+
+
+
+parser = optparse.OptionParser("match_rules_remote.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+opts, args = parser.parse_args()
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+
+if "://" not in host:
+    if os.path.isfile(host):
+        host = "tdb://%s" % host
+    else:
+        host = "ldap://%s" % host
+
+TestProgram(module=__name__, opts=subunitopts)
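Review bot: test_with_denied_link never shows that matchtestuser gets a result from the transitive match before the deny ACE is added, so the final `self.assertEqual(len(res1), 0)` would also pass if the user could not read the groups for some unrelated reason. Run the same self.user_ldb.search before dacl_add_ace and assert one result, then repeat it after. Smaller points: samba.dcerpc.security.dom_sid is used although only `import samba` appears in the import list, so it relies on another module having loaded samba.dcerpc.security; Message, MessageElement, LdbError and the FLAG_MOD_* constants are imported but unused; and the option parsing runs at import time, without the `__main__` guard that match_rules.py gains in this same patch.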
diff -Nru samba-4.17.6+dfsg/lib/param/loadparm.c samba-4.17.7+dfsg/lib/param/loadparm.c
--- samba-4.17.6+dfsg/lib/param/loadparm.c	2022-12-15 19:09:31.709236100 +0300
+++ samba-4.17.7+dfsg/lib/param/loadparm.c	2023-03-20 12:05:01.312120400 +0300
@@ -2992,7 +2992,7 @@
 
 	lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
 
-	lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+	lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
 
 	lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
 
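Review bot: Changing the built-in default of "client ldap sasl wrapping" from "sign" to "seal" alters behaviour for every client configuration that does not set the parameter, and the hunk carries no comment saying why. Please confirm that the documented default for this parameter and the release notes change in the same series, and that this string default stays identical to the ADS_AUTH_SASL_SEAL default set in source3/param/loadparm.c.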
diff -Nru samba-4.17.6+dfsg/libcli/security/access_check.c samba-4.17.7+dfsg/libcli/security/access_check.c
--- samba-4.17.6+dfsg/libcli/security/access_check.c	2022-08-08 17:15:39.184190800 +0300
+++ samba-4.17.7+dfsg/libcli/security/access_check.c	2023-03-20 12:03:44.471649200 +0300
@@ -394,7 +394,7 @@
 	return NT_STATUS_OK;
 }
 
-static const struct GUID *get_ace_object_type(struct security_ace *ace)
+static const struct GUID *get_ace_object_type(const struct security_ace *ace)
 {
 	if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
 		return &ace->object.object.type.type;
@@ -412,7 +412,7 @@
  *                            rights to the object/attribute
  * @returns NT_STATUS_OK, unless access was denied
  */
-static NTSTATUS check_object_specific_access(struct security_ace *ace,
+static NTSTATUS check_object_specific_access(const struct security_ace *ace,
 					     struct object_tree *tree,
 					     bool *grant_access)
 {
@@ -505,7 +505,7 @@
 			     uint32_t access_desired,
 			     uint32_t *access_granted,
 			     struct object_tree *tree,
-			     struct dom_sid *replace_sid)
+			     const struct dom_sid *replace_sid)
 {
 	uint32_t i;
 	uint32_t bits_remaining;
@@ -556,8 +556,8 @@
 
 	/* check each ace in turn. */
 	for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
-		struct dom_sid *trustee;
-		struct security_ace *ace = &sd->dacl->aces[i];
+		const struct dom_sid *trustee;
+		const struct security_ace *ace = &sd->dacl->aces[i];
 		NTSTATUS status;
 		bool grant_access = false;
 
diff -Nru samba-4.17.6+dfsg/libcli/security/access_check.h samba-4.17.7+dfsg/libcli/security/access_check.h
--- samba-4.17.6+dfsg/libcli/security/access_check.h	2022-08-08 17:15:39.184190800 +0300
+++ samba-4.17.7+dfsg/libcli/security/access_check.h	2023-03-20 12:03:44.471649200 +0300
@@ -74,7 +74,7 @@
 			     uint32_t access_desired,
 			     uint32_t *access_granted,
 			     struct object_tree *tree,
-			     struct dom_sid *replace_sid);
+			     const struct dom_sid *replace_sid);
 
 bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
 			   const struct GUID *guid,
diff -Nru samba-4.17.6+dfsg/libds/common/flags.h samba-4.17.7+dfsg/libds/common/flags.h
--- samba-4.17.6+dfsg/libds/common/flags.h	2022-08-08 17:15:39.204190700 +0300
+++ samba-4.17.7+dfsg/libds/common/flags.h	2023-03-20 12:04:29.063923100 +0300
@@ -258,6 +258,8 @@
 #define DS_HR_KVNOEMUW2K                          0x00000011
 
 #define DS_HR_TWENTIETH_CHAR                      0x00000014
+#define DS_HR_ATTR_AUTHZ_ON_LDAP_ADD              0x0000001C
+#define DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS         0x0000001D
 #define DS_HR_THIRTIETH_CHAR                      0x0000001E
 #define DS_HR_FOURTIETH_CHAR                      0x00000028
 #define DS_HR_FIFTIETH_CHAR                       0x00000032
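Review bot: DS_HR_ATTR_AUTHZ_ON_LDAP_ADD and DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS are added with no comment on what each dsHeuristics character controls. A one-line description per define, with the MS-ADTS reference that the pydsdb.c hunk already cites, would help anyone auditing how these two positions change access checks.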
diff -Nru samba-4.17.6+dfsg/python/samba/tests/auth_log.py samba-4.17.7+dfsg/python/samba/tests/auth_log.py
--- samba-4.17.6+dfsg/python/samba/tests/auth_log.py	2022-08-08 17:15:39.272191300 +0300
+++ samba-4.17.7+dfsg/python/samba/tests/auth_log.py	2023-03-20 12:05:01.312120400 +0300
@@ -470,7 +470,7 @@
         def isLastExpectedMessage(msg):
             return (msg["type"] == "Authorization" and
                     msg["Authorization"]["serviceDescription"] == "LDAP" and
-                    msg["Authorization"]["transportProtection"] == "SIGN" and
+                    msg["Authorization"]["transportProtection"] == "SEAL" and
                     msg["Authorization"]["authType"] == "krb5")
 
         self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
diff -Nru samba-4.17.6+dfsg/source3/param/loadparm.c samba-4.17.7+dfsg/source3/param/loadparm.c
--- samba-4.17.6+dfsg/source3/param/loadparm.c	2023-01-26 20:45:01.653668600 +0300
+++ samba-4.17.7+dfsg/source3/param/loadparm.c	2023-03-20 12:05:01.312120400 +0300
@@ -756,7 +756,7 @@
 	Globals.ldap_debug_level = 0;
 	Globals.ldap_debug_threshold = 10;
 
-	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
 
 	Globals.ldap_server_require_strong_auth =
 		LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
diff -Nru samba-4.17.6+dfsg/source4/dsdb/common/util.c samba-4.17.7+dfsg/source4/dsdb/common/util.c
--- samba-4.17.6+dfsg/source4/dsdb/common/util.c	2023-03-09 12:18:38.361810200 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/common/util.c	2023-03-20 12:03:45.247654000 +0300
@@ -366,6 +366,26 @@
 }
 
 /*
+  pull a dom_sid structure from a objectSid in a result set.
+*/
+int samdb_result_dom_sid_buf(const struct ldb_message *msg,
+			     const char *attr,
+			     struct dom_sid *sid)
+{
+	ssize_t ret;
+	const struct ldb_val *v = NULL;
+	v = ldb_msg_find_ldb_val(msg, attr);
+	if (v == NULL) {
+		return LDB_ERR_NO_SUCH_ATTRIBUTE;
+	}
+	ret = sid_parse(v->data, v->length, sid);
+	if (ret == -1) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	return LDB_SUCCESS;
+}
+
+/*
   pull a guid structure from a objectGUID in a result set.
 */
 struct GUID samdb_result_guid(const struct ldb_message *msg, const char *attr)
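Review bot: The comment on samdb_result_dom_sid_buf is a copy of the neighbouring helper's and says nothing about the int return value, although callers have to tell LDB_ERR_NO_SUCH_ATTRIBUTE (attribute absent) from LDB_ERR_OPERATIONS_ERROR (sid_parse failed). Document both codes and state that *sid must not be used unless LDB_SUCCESS is returned. The comment also says "objectSid" while the function accepts any attr name.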
@@ -4858,6 +4878,10 @@
 		}
 	}
 
+	if (dsdb_flags & DSDB_MARK_REQ_UNTRUSTED) {
+		ldb_req_mark_untrusted(req);
+	}
+
 	return LDB_SUCCESS;
 }
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/common/util.h samba-4.17.7+dfsg/source4/dsdb/common/util.h
--- samba-4.17.6+dfsg/source4/dsdb/common/util.h	2022-08-08 17:15:39.544193300 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/common/util.h	2023-03-20 12:03:45.247654000 +0300
@@ -43,6 +43,7 @@
 #define DSDB_MODIFY_PARTIAL_REPLICA	      0x04000
 #define DSDB_PASSWORD_BYPASS_LAST_SET         0x08000
 #define DSDB_REPLMD_VANISH_LINKS              0x10000
+#define DSDB_MARK_REQ_UNTRUSTED               0x20000
 
 bool is_attr_in_list(const char * const * attrs, const char *attr);
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/pydsdb.c samba-4.17.7+dfsg/source4/dsdb/pydsdb.c
--- samba-4.17.6+dfsg/source4/dsdb/pydsdb.c	2022-12-15 19:09:31.749236600 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/pydsdb.c	2023-03-20 12:04:29.087923300 +0300
@@ -1665,6 +1665,36 @@
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE);
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_SPN_REGISTRATION);
 
+	/* dsHeuristics character indexes (see MS-ADTS 7.1.1.2.4.1.2) */
+	ADD_DSDB_FLAG(DS_HR_SUPFIRSTLASTANR);
+	ADD_DSDB_FLAG(DS_HR_SUPLASTFIRSTANR);
+	ADD_DSDB_FLAG(DS_HR_DOLISTOBJECT);
+	ADD_DSDB_FLAG(DS_HR_DONICKRES);
+	ADD_DSDB_FLAG(DS_HR_LDAP_USEPERMMOD);
+	ADD_DSDB_FLAG(DS_HR_HIDEDSID);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_ANONYMOUS_OPS);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_ANON_NSPI);
+	ADD_DSDB_FLAG(DS_HR_USER_PASSWORD_SUPPORT);
+	ADD_DSDB_FLAG(DS_HR_TENTH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SPECIFY_GUID_ON_ADD);
+	ADD_DSDB_FLAG(DS_HR_NO_STANDARD_SD);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_NONSECURE_PWD_OPS);
+	ADD_DSDB_FLAG(DS_HR_NO_PROPAGATE_ON_NOCHANGE);
+	ADD_DSDB_FLAG(DS_HR_COMPUTE_ANR_STATS);
+	ADD_DSDB_FLAG(DS_HR_ADMINSDEXMASK);
+	ADD_DSDB_FLAG(DS_HR_KVNOEMUW2K);
+
+	ADD_DSDB_FLAG(DS_HR_TWENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_ATTR_AUTHZ_ON_LDAP_ADD);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS);
+	ADD_DSDB_FLAG(DS_HR_THIRTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FOURTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FIFTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SIXTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SEVENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_EIGHTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_NINETIETH_CHAR);
+
 	ADD_DSDB_FLAG(NTDSCONN_KCC_GC_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_RING_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_MINIMIZE_HOPS_TOPOLOGY);
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2023-03-20 12:04:29.127923500 +0300
@@ -46,11 +46,6 @@
 #undef strcasecmp
 #undef strncasecmp
 
-struct extended_access_check_attribute {
-	const char *oa_name;
-	const uint32_t requires_rights;
-};
-
 struct acl_private {
 	bool acl_search;
 	const char **password_attrs;
@@ -58,7 +53,6 @@
 	uint64_t cached_schema_metadata_usn;
 	uint64_t cached_schema_loaded_usn;
 	const char **confidential_attrs;
-	bool userPassword_support;
 };
 
 struct acl_context {
@@ -66,15 +60,12 @@
 	struct ldb_request *req;
 	bool am_system;
 	bool am_administrator;
-	bool modify_search;
 	bool constructed_attrs;
 	bool allowedAttributes;
 	bool allowedAttributesEffective;
 	bool allowedChildClasses;
 	bool allowedChildClassesEffective;
 	bool sDRightsEffective;
-	bool userPassword;
-	const char * const *attrs;
 	struct dsdb_schema *schema;
 };
 
@@ -83,25 +74,9 @@
 	struct ldb_context *ldb;
 	struct acl_private *data;
 	int ret;
-	unsigned int i, n, j;
-	TALLOC_CTX *mem_ctx;
-	static const char * const attrs[] = { "passwordAttribute", NULL };
-	static const char * const secret_attrs[] = {
-		DSDB_SECRET_ATTRIBUTES
-	};
-	struct ldb_result *res;
-	struct ldb_message *msg;
-	struct ldb_message_element *password_attributes;
 
 	ldb = ldb_module_get_ctx(module);
 
-	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
-	if (ret != LDB_SUCCESS) {
-		ldb_debug(ldb, LDB_DEBUG_ERROR,
-			  "acl_module_init: Unable to register control with rootdse!\n");
-		return ldb_operr(ldb);
-	}
-
 	data = talloc_zero(module, struct acl_private);
 	if (data == NULL) {
 		return ldb_oom(ldb);
@@ -111,91 +86,14 @@
 					NULL, "acl", "search", true);
 	ldb_module_set_private(module, data);
 
-	mem_ctx = talloc_new(module);
-	if (!mem_ctx) {
-		return ldb_oom(ldb);
-	}
-
-	ret = dsdb_module_search_dn(module, mem_ctx, &res,
-				    ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
-				    attrs,
-				    DSDB_FLAG_NEXT_MODULE |
-				    DSDB_FLAG_AS_SYSTEM,
-				    NULL);
-	if (ret != LDB_SUCCESS) {
-		goto done;
-	}
-	if (res->count == 0) {
-		goto done;
-	}
-
-	if (res->count > 1) {
-		talloc_free(mem_ctx);
-		return LDB_ERR_CONSTRAINT_VIOLATION;
-	}
-
-	msg = res->msgs[0];
-
-	password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
-	if (!password_attributes) {
-		goto done;
-	}
-	data->password_attrs = talloc_array(data, const char *,
-			password_attributes->num_values +
-			ARRAY_SIZE(secret_attrs) + 1);
-	if (!data->password_attrs) {
-		talloc_free(mem_ctx);
-		return ldb_oom(ldb);
-	}
-
-	n = 0;
-	for (i=0; i < password_attributes->num_values; i++) {
-		data->password_attrs[n] = (const char *)password_attributes->values[i].data;
-		talloc_steal(data->password_attrs, password_attributes->values[i].data);
-		n++;
-	}
-
-	for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
-		bool found = false;
-
-		for (j=0; j < n; j++) {
-			if (strcasecmp(data->password_attrs[j], secret_attrs[i]) == 0) {
-				found = true;
-				break;
-			}
-		}
-
-		if (found) {
-			continue;
-		}
-
-		data->password_attrs[n] = talloc_strdup(data->password_attrs,
-							secret_attrs[i]);
-		if (data->password_attrs[n] == NULL) {
-			talloc_free(mem_ctx);
-			return ldb_oom(ldb);
-		}
-		n++;
-	}
-	data->password_attrs[n] = NULL;
-
-done:
-	talloc_free(mem_ctx);
-	ret = ldb_next_init(module);
-
+	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
 	if (ret != LDB_SUCCESS) {
-		return ret;
+		ldb_debug(ldb, LDB_DEBUG_ERROR,
+			  "acl_module_init: Unable to register control with rootdse!\n");
+		return ldb_operr(ldb);
 	}
 
-	/*
-	 * Check this after the modules have be initialised so we
-	 * can actually read the backend DB.
-	 */
-	data->userPassword_support
-		= dsdb_user_password_support(module,
-					     module,
-					     NULL);
-	return ret;
+	return ldb_next_init(module);
 }
 
 static int acl_allowedAttributes(struct ldb_module *module,
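Review bot: After this hunk nothing in acl_module_init fills data->password_attrs, yet the `const char **password_attrs;` member is still declared in struct acl_private (it is an unchanged context line in the first acl.c hunk). Drop the member together with the code that populated it, so a later reader does not assume this module still holds the secret attribute list.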
@@ -900,11 +798,6 @@
 		NULL
 	};
 
-	if (el->num_values == 0) {
-		return LDB_SUCCESS;
-	}
-	dnsHostName = &el->values[0];
-
 	tmp_ctx = talloc_new(mem_ctx);
 	if (tmp_ctx == NULL) {
 		return ldb_oom(ldb);
@@ -1050,6 +943,13 @@
 		--account_name_len;
 	}
 
+	/* Check for add or replace requests with no value. */
+	if (el->num_values == 0) {
+		talloc_free(tmp_ctx);
+		return ldb_operr(ldb);
+	}
+	dnsHostName = &el->values[0];
+
 	dnsHostName_str = (const char *)dnsHostName->data;
 	dns_host_name_len = dnsHostName->length;
 
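Review bot: An add or replace of the dnsHostName element with no values now fails with ldb_operr(ldb), where the check removed in the previous hunk returned LDB_SUCCESS. The empty element comes from the client's request, so an operations error reads as an internal fault; a result such as LDB_ERR_CONSTRAINT_VIOLATION would describe it better. Either way the change from success to failure should be called out in the commit message.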
@@ -2522,29 +2422,11 @@
 						     ares->controls);
 		}
 
-		if (data->password_attrs != NULL) {
-			for (i = 0; data->password_attrs[i]; i++) {
-				if ((!ac->userPassword) &&
-				    (ldb_attr_cmp(data->password_attrs[i],
-						  "userPassword") == 0))
-				{
-						continue;
-				}
-
-				ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
-			}
-		}
-
 		if (ac->am_administrator) {
 			return ldb_module_send_entry(ac->req, ares->message,
 						     ares->controls);
 		}
 
-		ret = acl_search_update_confidential_attrs(ac, data);
-		if (ret != LDB_SUCCESS) {
-			return ret;
-		}
-
 		if (data->confidential_attrs != NULL) {
 			for (i = 0; data->confidential_attrs[i]; i++) {
 				ldb_msg_remove_attr(ares->message,
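Review bot: With the password_attrs loop removed, this callback no longer strips secret attributes before the am_administrator shortcut, so an administrator's search result leaves this module with those attributes still in the message. That is safe only if the attr_is_secret path added in acl_read.c runs for every caller, administrators included. Please state that dependency in a comment at this point so the two modules are not changed independently later.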
@@ -2569,11 +2451,12 @@
 {
 	struct ldb_context *ldb;
 	struct acl_context *ac;
-	struct ldb_parse_tree *down_tree;
+	struct ldb_parse_tree *down_tree = req->op.search.tree;
 	struct ldb_request *down_req;
 	struct acl_private *data;
 	int ret;
 	unsigned int i;
+	bool modify_search = true;
 
 	if (ldb_dn_is_special(req->op.search.base)) {
 		return ldb_next_request(module, req);
@@ -2592,13 +2475,11 @@
 	ac->am_system = dsdb_module_am_system(module);
 	ac->am_administrator = dsdb_module_am_administrator(module);
 	ac->constructed_attrs = false;
-	ac->modify_search = true;
 	ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
 	ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 	ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
 	ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
 	ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
-	ac->userPassword = true;
 	ac->schema = dsdb_get_schema(ldb, ac);
 
 	ac->constructed_attrs |= ac->allowedAttributes;
@@ -2608,13 +2489,13 @@
 	ac->constructed_attrs |= ac->sDRightsEffective;
 
 	if (data == NULL) {
-		ac->modify_search = false;
+		modify_search = false;
 	}
 	if (ac->am_system) {
-		ac->modify_search = false;
+		modify_search = false;
 	}
 
-	if (!ac->constructed_attrs && !ac->modify_search) {
+	if (!ac->constructed_attrs && !modify_search) {
 		talloc_free(ac);
 		return ldb_next_request(module, req);
 	}
@@ -2624,38 +2505,24 @@
 		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
 				 "acl_private data is missing");
 	}
-	ac->userPassword = data->userPassword_support;
 
-	ret = acl_search_update_confidential_attrs(ac, data);
-	if (ret != LDB_SUCCESS) {
-		return ret;
-	}
-
-	down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
-	if (down_tree == NULL) {
-		return ldb_oom(ldb);
-	}
+	if (!ac->am_system && !ac->am_administrator) {
+		ret = acl_search_update_confidential_attrs(ac, data);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
 
-	if (!ac->am_system && data->password_attrs) {
-		for (i = 0; data->password_attrs[i]; i++) {
-			if ((!ac->userPassword) &&
-			    (ldb_attr_cmp(data->password_attrs[i],
-					  "userPassword") == 0))
-			{
-				continue;
+		if (data->confidential_attrs != NULL) {
+			down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
+			if (down_tree == NULL) {
+				return ldb_oom(ldb);
 			}
 
-			ldb_parse_tree_attr_replace(down_tree,
-						    data->password_attrs[i],
-						    "kludgeACLredactedattribute");
-		}
-	}
-
-	if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) {
-		for (i = 0; data->confidential_attrs[i]; i++) {
-			ldb_parse_tree_attr_replace(down_tree,
-						    data->confidential_attrs[i],
-						    "kludgeACLredactedattribute");
+			for (i = 0; data->confidential_attrs[i]; i++) {
+				ldb_parse_tree_attr_replace(down_tree,
+							    data->confidential_attrs[i],
+							    "kludgeACLredactedattribute");
+			}
 		}
 	}
 
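Review bot: down_tree is now initialised to req->op.search.tree and is shallow-copied only when data->confidential_attrs is non-NULL, so on every other path it aliases the caller's parse tree. Check that nothing after this block modifies down_tree. If that cannot be guaranteed, keep the unconditional ldb_parse_tree_copy_shallow() that this hunk removes.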
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c	2022-08-08 17:15:39.548193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_read.c	2023-03-20 12:03:45.175653500 +0300
@@ -37,20 +37,25 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
+#include "lib/util/binsearch.h"
 
 #undef strcasecmp
 
+struct ldb_attr_vec {
+	const char** attrs;
+	size_t len;
+	size_t capacity;
+};
+
 struct aclread_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
-	const char * const *attrs;
 	const struct dsdb_schema *schema;
 	uint32_t sd_flags;
 	bool added_nTSecurityDescriptor;
 	bool added_instanceType;
 	bool added_objectSid;
 	bool added_objectClass;
-	bool indirsync;
 
 	bool do_list_object_initialized;
 	bool do_list_object;
@@ -60,6 +65,11 @@
 	/* cache on the last parent we checked in this search */
 	struct ldb_dn *last_parent_dn;
 	int last_parent_check_ret;
+
+	bool am_administrator;
+
+	bool got_tree_attrs;
+	struct ldb_attr_vec tree_attrs;
 };
 
 struct aclread_private {
@@ -68,14 +78,192 @@
 	/* cache of the last SD we read during any search */
 	struct security_descriptor *sd_cached;
 	struct ldb_val sd_cached_blob;
+	const char **password_attrs;
+	size_t num_password_attrs;
 };
 
-static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
-	el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+struct access_check_context {
+	struct security_descriptor *sd;
+	struct dom_sid sid_buf;
+	const struct dom_sid *sid;
+	const struct dsdb_class *objectclass;
+};
+
+static void acl_element_mark_access_checked(struct ldb_message_element *el)
+{
+	el->flags |= LDB_FLAG_INTERNAL_ACCESS_CHECKED;
+}
+
+static bool acl_element_is_access_checked(const struct ldb_message_element *el)
+{
+	return (el->flags & LDB_FLAG_INTERNAL_ACCESS_CHECKED) != 0;
+}
+
+static bool attr_in_vec(const struct ldb_attr_vec *vec, const char *attr)
+{
+	const char **found = NULL;
+
+	if (vec == NULL) {
+		return false;
+	}
+
+	BINARY_ARRAY_SEARCH_V(vec->attrs,
+			      vec->len,
+			      attr,
+			      ldb_attr_cmp,
+			      found);
+	return found != NULL;
+}
+
+static int acl_attr_cmp_fn(const char *a, const char **b)
+{
+	return ldb_attr_cmp(a, *b);
+}
+
+static int attr_vec_add_unique(TALLOC_CTX *mem_ctx,
+			       struct ldb_attr_vec *vec,
+			       const char *attr)
+{
+	const char **exact = NULL;
+	const char **next = NULL;
+	size_t next_idx = 0;
+
+	BINARY_ARRAY_SEARCH_GTE(vec->attrs,
+				vec->len,
+				attr,
+				acl_attr_cmp_fn,
+				exact,
+				next);
+	if (exact != NULL) {
+		return LDB_SUCCESS;
+	}
+
+	if (vec->len == SIZE_MAX) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (next != NULL) {
+		next_idx = next - vec->attrs;
+	}
+
+	if (vec->len >= vec->capacity) {
+		const char **attrs = NULL;
+
+		if (vec->capacity == 0) {
+			vec->capacity = 4;
+		} else {
+			if (vec->capacity > SIZE_MAX / 2) {
+				return LDB_ERR_OPERATIONS_ERROR;
+			}
+			vec->capacity *= 2;
+		}
+
+		attrs = talloc_realloc(mem_ctx, vec->attrs, const char *, vec->capacity);
+		if (attrs == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		vec->attrs = attrs;
+	}
+	SMB_ASSERT(vec->len < vec->capacity);
+
+	if (next == NULL) {
+		vec->attrs[vec->len++] = attr;
+	} else {
+		size_t count = (vec->len - next_idx) * sizeof (vec->attrs[0]);
+		memmove(&vec->attrs[next_idx + 1],
+			&vec->attrs[next_idx],
+			count);
+
+		vec->attrs[next_idx] = attr;
+		++vec->len;
+	}
+
+	return LDB_SUCCESS;
+}
+
+static bool ldb_attr_always_present(const char *attr)
+{
+	static const char * const attrs_always_present[] = {
+		"objectClass",
+		"distinguishedName",
+		"name",
+		"objectGUID",
+		NULL
+	};
+
+	return ldb_attr_in_list(attrs_always_present, attr);
+}
+
+static bool ldb_attr_always_visible(const char *attr)
+{
+	static const char * const attrs_always_visible[] = {
+		"isDeleted",
+		"isRecycled",
+		NULL
+	};
+
+	return ldb_attr_in_list(attrs_always_visible, attr);
 }
 
-static bool aclread_is_inaccessible(struct ldb_message_element *el) {
-	return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
+/* Collect a list of attributes required to match a given parse tree. */
+static int ldb_parse_tree_collect_acl_attrs(struct ldb_module *module,
+					    TALLOC_CTX *mem_ctx,
+					    struct ldb_attr_vec *attrs,
+					    const struct ldb_parse_tree *tree)
+{
+	const char *attr = NULL;
+	unsigned int i;
+	int ret;
+
+	if (tree == NULL) {
+		return 0;
+	}
+
+	switch (tree->operation) {
+	case LDB_OP_OR:
+	case LDB_OP_AND:		/* attributes stored in list of subtrees */
+		for (i = 0; i < tree->u.list.num_elements; i++) {
+			ret = ldb_parse_tree_collect_acl_attrs(module, mem_ctx,
+							       attrs, tree->u.list.elements[i]);
+			if (ret) {
+				return ret;
+			}
+		}
+		return 0;
+
+	case LDB_OP_NOT:		/* attributes stored in single subtree */
+		return ldb_parse_tree_collect_acl_attrs(module, mem_ctx, attrs, tree->u.isnot.child);
+
+	case LDB_OP_PRESENT:
+		/*
+		 * If the search filter is checking for an attribute's presence,
+		 * and the attribute is always present, we can skip access
+		 * rights checks. Every object has these attributes, and so
+		 * there's no security reason to hide their presence.
+		 * Note: the acl.py tests (e.g. test_search1()) rely on this
+		 * exception.  I.e. even if we lack Read Property (RP) rights
+		 * for a child object, it should still appear as a visible
+		 * object in 'objectClass=*' searches, so long as we have List
+		 * Contents (LC) rights for the object.
+		 */
+		if (ldb_attr_always_present(tree->u.present.attr)) {
+			/* No need to check this attribute. */
+			return 0;
+		}
+
+		FALL_THROUGH;
+	case LDB_OP_EQUALITY:
+		if (ldb_attr_always_visible(tree->u.present.attr)) {
+			/* No need to check this attribute. */
+			return 0;
+		}
+
+		FALL_THROUGH;
+	default:			/* single attribute in tree */
+		attr = ldb_parse_tree_get_attr(tree);
+		return attr_vec_add_unique(mem_ctx, attrs, attr);
+	}
 }
 
 /*
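Review bot: In attr_vec_add_unique, vec->capacity is set to 4 or doubled before talloc_realloc() is known to have succeeded; on allocation failure the function returns with a capacity larger than the array really is, and a later call on the same vec would skip the realloc and write past the end. Compute the new capacity in a local and store it only together with `vec->attrs = attrs;`. Separately, in ldb_parse_tree_collect_acl_attrs the `case LDB_OP_EQUALITY:` branch reads tree->u.present.attr, which is the wrong union member for an equality node and works only if the two layouts coincide; use ldb_parse_tree_get_attr(tree), as the default branch does.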
@@ -262,13 +450,13 @@
  */
 
 static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
-					   struct ldb_message *acl_res,
+					   const struct ldb_message *acl_res,
 					   struct security_descriptor **sd)
 {
 	struct ldb_message_element *sd_element;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct aclread_private *private_data
-		= talloc_get_type(ldb_module_get_private(ac->module),
+		= talloc_get_type_abort(ldb_module_get_private(ac->module),
 				  struct aclread_private);
 	enum ndr_err_code ndr_err;
 
@@ -309,16 +497,11 @@
 	}
 
 	talloc_unlink(private_data, private_data->sd_cached_blob.data);
-	if (ac->added_nTSecurityDescriptor) {
-		private_data->sd_cached_blob = sd_element->values[0];
-		talloc_steal(private_data, sd_element->values[0].data);
-	} else {
-		private_data->sd_cached_blob = ldb_val_dup(private_data,
-							   &sd_element->values[0]);
-		if (private_data->sd_cached_blob.data == NULL) {
-			TALLOC_FREE(*sd);
-			return ldb_operr(ldb);
-		}
+	private_data->sd_cached_blob = ldb_val_dup(private_data,
+						   &sd_element->values[0]);
+	if (private_data->sd_cached_blob.data == NULL) {
+		TALLOC_FREE(*sd);
+		return ldb_operr(ldb);
 	}
 
 	talloc_unlink(private_data, private_data->sd_cached);
@@ -327,6 +510,23 @@
 	return LDB_SUCCESS;
 }
 
+/* Check whether the attribute is a password attribute. */
+static bool attr_is_secret(const char *attr, const struct aclread_private *private_data)
+{
+	const char **found = NULL;
+
+	if (private_data->password_attrs == NULL) {
+		return false;
+	}
+
+	BINARY_ARRAY_SEARCH_V(private_data->password_attrs,
+			      private_data->num_password_attrs,
+			      attr,
+			      ldb_attr_cmp,
+			      found);
+	return found != NULL;
+}
+
 /*
  * Returns the access mask required to read a given attribute
  */
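Review bot: attr_is_secret binary-searches private_data->password_attrs, which is correct only if that array is sorted with ldb_attr_cmp and num_password_attrs matches its length, and neither the function comment nor the new struct members say so. Add the sortedness precondition to the comment here and on the password_attrs field, because an unsorted list would make secret attributes silently fail to match and go unredacted.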
@@ -362,61 +562,59 @@
 	return access_mask;
 }
 
-/* helper struct for traversing the attributes in the search-tree */
-struct parse_tree_aclread_ctx {
-	struct aclread_context *ac;
-	TALLOC_CTX *mem_ctx;
-	struct dom_sid *sid;
-	struct ldb_dn *dn;
-	struct security_descriptor *sd;
-	const struct dsdb_class *objectclass;
-	bool suppress_result;
-};
-
 /*
- * Checks that the user has sufficient access rights to view an attribute
+ * Checks that the user has sufficient access rights to view an attribute, else
+ * marks it as inaccessible.
  */
-static int check_attr_access_rights(TALLOC_CTX *mem_ctx, const char *attr_name,
-				    struct aclread_context *ac,
-				    struct security_descriptor *sd,
-				    const struct dsdb_class *objectclass,
-				    struct dom_sid *sid, struct ldb_dn *dn)
+static int acl_redact_attr(TALLOC_CTX *mem_ctx,
+			   struct ldb_message_element *el,
+			   struct aclread_context *ac,
+			   const struct aclread_private *private_data,
+			   const struct ldb_message *msg,
+			   const struct dsdb_schema *schema,
+			   const struct security_descriptor *sd,
+			   const struct dom_sid *sid,
+			   const struct dsdb_class *objectclass)
 {
 	int ret;
 	const struct dsdb_attribute *attr = NULL;
 	uint32_t access_mask;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 
-	attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, attr_name);
+	if (attr_is_secret(el->name, private_data)) {
+		ldb_msg_element_mark_inaccessible(el);
+		return LDB_SUCCESS;
+	}
+
+	/* Look up the attribute in the schema. */
+	attr = dsdb_attribute_by_lDAPDisplayName(schema, el->name);
 	if (!attr) {
 		ldb_debug_set(ldb,
-			      LDB_DEBUG_TRACE,
-			      "acl_read: %s cannot find attr[%s] in schema,"
-			      "ignoring\n",
-			      ldb_dn_get_linearized(dn), attr_name);
-		return LDB_SUCCESS;
+			      LDB_DEBUG_FATAL,
+			      "acl_read: %s cannot find attr[%s] in schema\n",
+			      ldb_dn_get_linearized(msg->dn), el->name);
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
 	access_mask = get_attr_access_mask(attr, ac->sd_flags);
-
-	/* the access-mask should be non-zero. Skip attribute otherwise */
 	if (access_mask == 0) {
 		DBG_ERR("Could not determine access mask for attribute %s\n",
-			attr_name);
+			el->name);
+		ldb_msg_element_mark_inaccessible(el);
 		return LDB_SUCCESS;
 	}
 
+	/* We must check whether the user has rights to view the attribute. */
+
 	ret = acl_check_access_on_attribute(ac->module, mem_ctx, sd, sid,
 					    access_mask, attr, objectclass);
 
 	if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-		return ret;
-	}
-
-	if (ret != LDB_SUCCESS) {
+		ldb_msg_element_mark_inaccessible(el);
+	} else if (ret != LDB_SUCCESS) {
 		ldb_debug_set(ldb, LDB_DEBUG_FATAL,
 			      "acl_read: %s check attr[%s] gives %s - %s\n",
-			      ldb_dn_get_linearized(dn), attr_name,
+			      ldb_dn_get_linearized(msg->dn), el->name,
 			      ldb_strerror(ret), ldb_errstring(ldb));
 		return ret;
 	}
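Review bot: the header comment on acl_redact_attr() does not say that attributes matching attr_is_secret() are marked inaccessible unconditionally, before the schema lookup and before any access-mask or ACL check, whatever rights the requester holds. It should also state that the function returns LDB_SUCCESS in every redaction case (secret attribute, access_mask == 0, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS), so callers learn the outcome only from the element's inaccessible mark and never from the return code. The schema-miss path in this function also changes from LDB_DEBUG_TRACE plus LDB_SUCCESS to LDB_DEBUG_FATAL plus LDB_ERR_OPERATIONS_ERROR, which deserves a line in the comment since one unknown attribute name now fails the call.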
@@ -424,152 +622,112 @@
 	return LDB_SUCCESS;
 }
 
-/*
- * Returns the attribute name for this particular level of a search operation
- * parse-tree.
- */
-static const char * parse_tree_get_attr(struct ldb_parse_tree *tree)
+static int setup_access_check_context(struct aclread_context *ac,
+				      const struct ldb_message *msg,
+				      struct access_check_context *ctx)
 {
-	const char *attr = NULL;
-
-	switch (tree->operation) {
-	case LDB_OP_EQUALITY:
-	case LDB_OP_GREATER:
-	case LDB_OP_LESS:
-	case LDB_OP_APPROX:
-		attr = tree->u.equality.attr;
-		break;
-	case LDB_OP_SUBSTRING:
-		attr = tree->u.substring.attr;
-		break;
-	case LDB_OP_PRESENT:
-		attr = tree->u.present.attr;
-		break;
-	case LDB_OP_EXTENDED:
-		attr = tree->u.extended.attr;
-		break;
-
-	/* we'll check LDB_OP_AND/_OR/_NOT children later on in the walk */
-	default:
-		break;
-	}
-	return attr;
-}
-
-/*
- * Checks a single attribute in the search parse-tree to make sure the user has
- * sufficient rights to view it.
- */
-static int parse_tree_check_attr_access(struct ldb_parse_tree *tree,
-					void *private_context)
-{
-	struct parse_tree_aclread_ctx *ctx = NULL;
-	const char *attr_name = NULL;
 	int ret;
-	static const char * const attrs_always_present[] = {
-		"objectClass",
-		"distinguishedName",
-		"name",
-		"objectGUID",
-		NULL
-	};
-
-	ctx = (struct parse_tree_aclread_ctx *)private_context;
 
 	/*
-	 * we can skip any further checking if we already know that this object
-	 * shouldn't be visible in this user's search
+	 * Fetch the schema so we can check which attributes are
+	 * considered confidential.
 	 */
-	if (ctx->suppress_result) {
-		return LDB_SUCCESS;
-	}
+	if (ac->schema == NULL) {
+		struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 
-	/* skip this level of the search-tree if it has no attribute to check */
-	attr_name = parse_tree_get_attr(tree);
-	if (attr_name == NULL) {
-		return LDB_SUCCESS;
+		/* Cache the schema for later use. */
+		ac->schema = dsdb_get_schema(ldb, ac);
+
+		if (ac->schema == NULL) {
+			return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+					 "aclread_callback: Error obtaining schema.");
+		}
 	}
 
+	/* Fetch the object's security descriptor. */
+	ret = aclread_get_sd_from_ldb_message(ac, msg, &ctx->sd);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+			      "acl_read: cannot get descriptor of %s: %s\n",
+			      ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
+		return LDB_ERR_OPERATIONS_ERROR;
+	} else if (ctx->sd == NULL) {
+		ldb_debug_set(ldb_module_get_ctx(ac->module), LDB_DEBUG_FATAL,
+			      "acl_read: cannot get descriptor of %s (attribute not found)\n",
+			      ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
 	/*
-	 * If the search filter is checking for an attribute's presence, and the
-	 * attribute is always present, we can skip access rights checks. Every
-	 * object has these attributes, and so there's no security reason to
-	 * hide their presence.
-	 * Note: the acl.py tests (e.g. test_search1()) rely on this exception.
-	 * I.e. even if we lack Read Property (RP) rights for a child object, it
-	 * should still appear as a visible object in 'objectClass=*' searches,
-	 * so long as we have List Contents (LC) rights for the object.
+	 * Get the most specific structural object class for the ACL check
 	 */
-	if (tree->operation == LDB_OP_PRESENT &&
-	    is_attr_in_list(attrs_always_present, attr_name)) {
-		return LDB_SUCCESS;
+	ctx->objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+	if (ctx->objectclass == NULL) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+				       "acl_read: Failed to find a structural class for %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	ret = check_attr_access_rights(ctx->mem_ctx, attr_name, ctx->ac,
-				       ctx->sd, ctx->objectclass, ctx->sid,
-				       ctx->dn);
-
-	/*
-	 * if the user does not have the rights to view this attribute, then we
-	 * should not return the object as a search result, i.e. act as if the
-	 * object doesn't exist (for this particular user, at least)
-	 */
-	if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-		ctx->suppress_result = true;
-		return LDB_SUCCESS;
+	/* Fetch the object's SID. */
+	ret = samdb_result_dom_sid_buf(msg, "objectSid", &ctx->sid_buf);
+	if (ret == LDB_SUCCESS) {
+		ctx->sid = &ctx->sid_buf;
+	} else if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+		/* This is expected. */
+		ctx->sid = NULL;
+	} else {
+		ldb_asprintf_errstring(ldb_module_get_ctx(ac->module),
+				       "acl_read: Failed to parse objectSid as dom_sid for %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return ret;
 	}
 
-	return ret;
+	return LDB_SUCCESS;
 }
 
 /*
- * Traverse the search-tree to check that the user has sufficient access rights
- * to view all the attributes.
+ * Whether this attribute was added to perform access checks and must be
+ * removed.
  */
-static int check_search_ops_access(struct aclread_context *ac,
-				   TALLOC_CTX *mem_ctx,
-				   struct security_descriptor *sd,
-				   const struct dsdb_class *objectclass,
-				   struct dom_sid *sid, struct ldb_dn *dn,
-				   bool *suppress_result)
+static bool should_remove_attr(const char *attr, const struct aclread_context *ac)
 {
-	int ret;
-	struct parse_tree_aclread_ctx ctx = { 0 };
-	struct ldb_parse_tree *tree = ac->req->op.search.tree;
+	if (ac->added_nTSecurityDescriptor &&
+	    ldb_attr_cmp("nTSecurityDescriptor", attr) == 0)
+	{
+		return true;
+	}
+
+	if (ac->added_objectSid &&
+	    ldb_attr_cmp("objectSid", attr) == 0)
+	{
+		return true;
+	}
 
-	ctx.ac = ac;
-	ctx.mem_ctx = mem_ctx;
-	ctx.suppress_result = false;
-	ctx.sid = sid;
-	ctx.dn = dn;
-	ctx.sd = sd;
-	ctx.objectclass = objectclass;
+	if (ac->added_instanceType &&
+	    ldb_attr_cmp("instanceType", attr) == 0)
+	{
+		return true;
+	}
 
-	/* walk the search tree, checking each attribute as we go */
-	ret = ldb_parse_tree_walk(tree, parse_tree_check_attr_access, &ctx);
+	if (ac->added_objectClass &&
+	    ldb_attr_cmp("objectClass", attr) == 0)
+	{
+		return true;
+	}
 
-	/* return whether this search result should be hidden to this user */
-	*suppress_result = ctx.suppress_result;
-	return ret;
+	return false;
 }
 
 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 {
-	struct ldb_context *ldb;
 	struct aclread_context *ac;
-	struct ldb_message *ret_msg;
+	struct aclread_private *private_data = NULL;
 	struct ldb_message *msg;
 	int ret;
-	size_t num_of_attrs = 0;
-	unsigned int i, k = 0;
-	struct security_descriptor *sd = NULL;
-	struct dom_sid *sid = NULL;
-	TALLOC_CTX *tmp_ctx;
-	const struct dsdb_class *objectclass;
-	bool suppress_result = false;
+	unsigned int i;
+	struct access_check_context acl_ctx;
 
-	ac = talloc_get_type(req->context, struct aclread_context);
-	ldb = ldb_module_get_ctx(ac->module);
+	ac = talloc_get_type_abort(req->context, struct aclread_context);
 	if (!ares) {
 		return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
 	}
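Review bot: `struct access_check_context acl_ctx;` in aclread_callback() is declared without an initialiser, and setup_access_check_context() fills sd, objectclass and sid only on its success path; initialising it with `= {0}`, or zeroing *ctx at the top of the helper, would keep a future early exit from reading stack garbage. In the same helper the schema failure string still reads "aclread_callback: Error obtaining schema." although it is now emitted from setup_access_check_context(), which makes the log misleading. The removed block comment explained that presence filters on objectClass, distinguishedName, name and objectGUID skip the rights check and that acl.py test_search1() relies on it; if that exception still holds after this change, the explanation should move to wherever the behaviour now lives.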
@@ -577,36 +735,10 @@
 		return ldb_module_done(ac->req, ares->controls,
 				       ares->response, ares->error);
 	}
-	tmp_ctx = talloc_new(ac);
 	switch (ares->type) {
 	case LDB_REPLY_ENTRY:
 		msg = ares->message;
-		ret = aclread_get_sd_from_ldb_message(ac, msg, &sd);
-		if (ret != LDB_SUCCESS) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: cannot get descriptor of %s: %s\n",
-				      ldb_dn_get_linearized(msg->dn), ldb_strerror(ret));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		} else if (sd == NULL) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: cannot get descriptor of %s (attribute not found)\n",
-				      ldb_dn_get_linearized(msg->dn));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		}
-		/*
-		 * Get the most specific structural object class for the ACL check
-		 */
-		objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
-		if (objectclass == NULL) {
-			ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
-					       ldb_dn_get_linearized(msg->dn));
-			ret = LDB_ERR_OPERATIONS_ERROR;
-			goto fail;
-		}
 
-		sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
 		if (!ldb_dn_is_null(msg->dn)) {
 			/*
 			 * this is a real object, so we have
@@ -614,187 +746,90 @@
 			 */
 			ret = aclread_check_object_visible(ac, msg, req);
 			if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-				talloc_free(tmp_ctx);
 				return LDB_SUCCESS;
 			} else if (ret != LDB_SUCCESS) {
+				struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
 					      "acl_read: %s check parent %s - %s\n",
 					      ldb_dn_get_linearized(msg->dn),
 					      ldb_strerror(ret),
 					      ldb_errstring(ldb));
-				goto fail;
+				return ldb_module_done(ac->req, NULL, NULL, ret);
 			}
 		}
 
 		/* for every element in the message check RP */
-		for (i=0; i < msg->num_elements; i++) {
-			const struct dsdb_attribute *attr;
-			bool is_sd, is_objectsid, is_instancetype, is_objectclass;
-			uint32_t access_mask;
-			attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
-								 msg->elements[i].name);
-			if (!attr) {
-				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-					      "acl_read: %s cannot find attr[%s] in of schema\n",
-					      ldb_dn_get_linearized(msg->dn),
-					      msg->elements[i].name);
-				ret = LDB_ERR_OPERATIONS_ERROR;
-				goto fail;
-			}
-			is_sd = ldb_attr_cmp("nTSecurityDescriptor",
-					      msg->elements[i].name) == 0;
-			is_objectsid = ldb_attr_cmp("objectSid",
-						    msg->elements[i].name) == 0;
-			is_instancetype = ldb_attr_cmp("instanceType",
-						       msg->elements[i].name) == 0;
-			is_objectclass = ldb_attr_cmp("objectClass",
-						      msg->elements[i].name) == 0;
-			/* these attributes were added to perform access checks and must be removed */
-			if (is_objectsid && ac->added_objectSid) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_instancetype && ac->added_instanceType) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_objectclass && ac->added_objectClass) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
-				continue;
-			}
-			if (is_sd && ac->added_nTSecurityDescriptor) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
+		for (i = 0; i < msg->num_elements; ++i) {
+			struct ldb_message_element *el = &msg->elements[i];
+
+			/* Remove attributes added to perform access checks. */
+			if (should_remove_attr(el->name, ac)) {
+				ldb_msg_element_mark_inaccessible(el);
 				continue;
 			}
 
-			access_mask = get_attr_access_mask(attr, ac->sd_flags);
-
-			if (access_mask == 0) {
-				aclread_mark_inaccesslible(&msg->elements[i]);
+			if (acl_element_is_access_checked(el)) {
+				/* We will have already checked this attribute. */
 				continue;
 			}
 
-			ret = acl_check_access_on_attribute(ac->module,
-							    tmp_ctx,
-							    sd,
-							    sid,
-							    access_mask,
-							    attr,
-							    objectclass);
-
 			/*
-			 * Dirsync control needs the replpropertymetadata attribute
-			 * so return it as it will be removed by the control
-			 * in anycase.
+			 * We need to fetch the security descriptor to check
+			 * this attribute.
 			 */
-			if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
-				bool in_search_filter;
+			break;
+		}
 
-				/* check if attr is part of the search filter */
-				in_search_filter = dsdb_attr_in_parse_tree(ac->req->op.search.tree,
-								msg->elements[i].name);
-
-				if (in_search_filter) {
-
-					/*
-					 * We are doing dirysnc answers
-					 * and the object shouldn't be returned (normally)
-					 * but we will return it without replPropertyMetaData
-					 * so that the dirysync module will do what is needed
-					 * (remove the object if it is not deleted, or return
-					 * just the objectGUID if it's deleted).
-					 */
-					if (ac->indirsync) {
-						ldb_msg_remove_attr(msg, "replPropertyMetaData");
-						break;
-					} else {
-
-						/* do not return this entry */
-						talloc_free(tmp_ctx);
-						return LDB_SUCCESS;
-					}
-				} else {
-					aclread_mark_inaccesslible(&msg->elements[i]);
-				}
-			} else if (ret != LDB_SUCCESS) {
-				ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-					      "acl_read: %s check attr[%s] gives %s - %s\n",
-					      ldb_dn_get_linearized(msg->dn),
-					      msg->elements[i].name,
-					      ldb_strerror(ret),
-					      ldb_errstring(ldb));
-				goto fail;
-			}
+		if (i == msg->num_elements) {
+			/* All elements have been checked. */
+			goto reply_entry_done;
 		}
 
-		/*
-		 * check access rights for the search attributes, as well as the
-		 * attribute values actually being returned
-		 */
-		ret = check_search_ops_access(ac, tmp_ctx, sd, objectclass, sid,
-					      msg->dn, &suppress_result);
+		ret = setup_access_check_context(ac, msg, &acl_ctx);
 		if (ret != LDB_SUCCESS) {
-			ldb_debug_set(ldb, LDB_DEBUG_FATAL,
-				      "acl_read: %s check search ops %s - %s\n",
-				      ldb_dn_get_linearized(msg->dn),
-				      ldb_strerror(ret), ldb_errstring(ldb));
-			goto fail;
+			return ret;
 		}
 
-		if (suppress_result) {
+		private_data = talloc_get_type_abort(ldb_module_get_private(ac->module),
+						     struct aclread_private);
 
-			/*
-			 * As per the above logic, we strip replPropertyMetaData
-			 * out of the msg so that the dirysync module will do
-			 * what is needed (return just the objectGUID if it's,
-			 * deleted, or remove the object if it is not).
-			 */
-			if (ac->indirsync) {
-				ldb_msg_remove_attr(msg, "replPropertyMetaData");
-			} else {
-				talloc_free(tmp_ctx);
-				return LDB_SUCCESS;
-			}
-		}
+		for (/* begin where we left off */; i < msg->num_elements; ++i) {
+			struct ldb_message_element *el = &msg->elements[i];
 
-		for (i=0; i < msg->num_elements; i++) {
-			if (!aclread_is_inaccessible(&msg->elements[i])) {
-				num_of_attrs++;
-			}
-		}
-		/*create a new message to return*/
-		ret_msg = ldb_msg_new(ac->req);
-		ret_msg->dn = msg->dn;
-		talloc_steal(ret_msg, msg->dn);
-		ret_msg->num_elements = num_of_attrs;
-		if (num_of_attrs > 0) {
-			ret_msg->elements = talloc_array(ret_msg,
-							 struct ldb_message_element,
-							 num_of_attrs);
-			if (ret_msg->elements == NULL) {
-				return ldb_oom(ldb);
+			/* Remove attributes added to perform access checks. */
+			if (should_remove_attr(el->name, ac)) {
+				ldb_msg_element_mark_inaccessible(el);
+				continue;
 			}
-			for (i=0; i < msg->num_elements; i++) {
-				bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
-				if (!to_remove) {
-					ret_msg->elements[k] = msg->elements[i];
-					talloc_steal(ret_msg->elements, msg->elements[i].name);
-					talloc_steal(ret_msg->elements, msg->elements[i].values);
-					k++;
-				}
+
+			if (acl_element_is_access_checked(el)) {
+				/* We will have already checked this attribute. */
+				continue;
 			}
+
 			/*
-			 * This should not be needed, but some modules
-			 * may allocate values on the wrong context...
+			 * We need to check whether the attribute is secret,
+			 * confidential, or access-controlled.
 			 */
-			talloc_steal(ret_msg->elements, msg);
-		} else {
-			ret_msg->elements = NULL;
+			ret = acl_redact_attr(ac,
+					      el,
+					      ac,
+					      private_data,
+					      msg,
+					      ac->schema,
+					      acl_ctx.sd,
+					      acl_ctx.sid,
+					      acl_ctx.objectclass);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL, ret);
+			}
 		}
-		talloc_free(tmp_ctx);
+
+	reply_entry_done:
+		ldb_msg_remove_inaccessible(msg);
 
 		ac->num_entries++;
-		return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
+		return ldb_module_send_entry(ac->req, msg, ares->controls);
 	case LDB_REPLY_REFERRAL:
 		return ldb_module_send_referral(ac->req, ares->referral);
 	case LDB_REPLY_DONE:
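Review bot: after `ret = setup_access_check_context(ac, msg, &acl_ctx);` the failure path is a bare `return ret;`, while the neighbouring error paths in this callback (the check-parent failure and the acl_redact_attr() failure) end the request with ldb_module_done(ac->req, NULL, NULL, ret), as the removed `goto fail` did. Suggest using ldb_module_done() there as well so all three failures terminate the request the same way. Also, acl_redact_attr() is called with `ac` as its mem_ctx, where the old loop used a tmp_ctx that was freed per entry; if acl_check_access_on_attribute() allocates on mem_ctx, that memory now lives until the whole search finishes, so a per-entry temporary context may still be wanted.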
@@ -813,9 +848,6 @@
 
 	}
 	return LDB_SUCCESS;
-fail:
-	talloc_free(tmp_ctx);
-	return ldb_module_done(ac->req, NULL, NULL, ret);
 }
 
 
@@ -825,8 +857,7 @@
 	int ret;
 	struct aclread_context *ac;
 	struct ldb_request *down_req;
-	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	uint32_t flags = ldb_req_get_custom_flags(req);
+	bool am_system;
 	struct ldb_result *res;
 	struct aclread_private *p;
 	bool need_sd = false;
@@ -843,11 +874,16 @@
 	ldb = ldb_module_get_ctx(module);
 	p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
+	am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
+	if (!am_system) {
+		am_system = dsdb_module_am_system(module);
+	}
+
 	/* skip access checks if we are system or system control is supplied
 	 * or this is not LDAP server request */
 	if (!p || !p->enabled ||
-	    dsdb_module_am_system(module)
-	    || as_system || !is_untrusted) {
+	    am_system ||
+	    !is_untrusted) {
 		return ldb_next_request(module, req);
 	}
 	/* no checks on special dn */
@@ -861,15 +897,6 @@
 	}
 	ac->module = module;
 	ac->req = req;
-	ac->schema = dsdb_get_schema(ldb, req);
-	if (flags & DSDB_ACL_CHECKS_DIRSYNC_FLAG) {
-		ac->indirsync = true;
-	} else {
-		ac->indirsync = false;
-	}
-	if (!ac->schema) {
-		return ldb_operr(ldb);
-	}
 
 	attrs = req->op.search.attrs;
 	if (attrs == NULL) {
@@ -926,7 +953,7 @@
 		ac->added_nTSecurityDescriptor = true;
 	}
 
-	ac->attrs = req->op.search.attrs;
+	ac->am_administrator = dsdb_module_am_administrator(module);
 
 	/* check accessibility of base */
 	if (!ldb_dn_is_null(req->op.search.base)) {
@@ -970,19 +997,287 @@
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	/*
+	 * We provide 'ac' as the control value, which is then used by the
+	 * callback to avoid double-work.
+	 */
+	ret = ldb_request_add_control(down_req, DSDB_CONTROL_ACL_READ_OID, false, ac);
+	if (ret != LDB_SUCCESS) {
+			return ldb_error(ldb, ret,
+					"acl_read: Error adding acl_read control.");
+	}
+
 	return ldb_next_request(module, down_req);
 }
 
+/*
+ * Here we mark inaccessible attributes known to be looked for in the
+ * filter. This only redacts attributes found in the search expression. If any
+ * extended attribute match rules examine different attributes without their own
+ * access control checks, a security bypass is possible.
+ */
+static int acl_redact_msg_for_filter(struct ldb_module *module, struct ldb_request *req, struct ldb_message *msg)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	const struct aclread_private *private_data = NULL;
+	struct ldb_control *control = NULL;
+	struct aclread_context *ac = NULL;
+	struct access_check_context acl_ctx;
+	int ret;
+	unsigned i;
+
+	/*
+	 * The private data contains a list of attributes which are to be
+	 * considered secret.
+	 */
+	private_data = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
+	if (private_data == NULL) {
+		return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+				 "aclread_private data is missing");
+	}
+	if (!private_data->enabled) {
+		return LDB_SUCCESS;
+	}
+
+	control = ldb_request_get_control(req, DSDB_CONTROL_ACL_READ_OID);
+	if (control == NULL) {
+		/*
+		 * We've bypassed the acl_read module for this request, and
+		 * should skip redaction in this case.
+		 */
+		return LDB_SUCCESS;
+	}
+
+	ac = talloc_get_type_abort(control->data, struct aclread_context);
+
+	if (!ac->got_tree_attrs) {
+		ret = ldb_parse_tree_collect_acl_attrs(module, ac, &ac->tree_attrs, req->op.search.tree);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+		ac->got_tree_attrs = true;
+	}
+
+	for (i = 0; i < msg->num_elements; ++i) {
+		struct ldb_message_element *el = &msg->elements[i];
+
+		/* Is the attribute mentioned in the search expression? */
+		if (attr_in_vec(&ac->tree_attrs, el->name)) {
+			/*
+			 * We need to fetch the security descriptor to check
+			 * this element.
+			 */
+			break;
+		}
+
+		/*
+		 * This attribute is not in the search filter, so we can leave
+		 * handling it till aclread_callback(), by which time we know
+		 * this object is a match. This saves work checking ACLs if the
+		 * search is unindexed and most objects don't match the filter.
+		 */
+	}
+
+	if (i == msg->num_elements) {
+		/* All elements have been checked. */
+		return LDB_SUCCESS;
+	}
+
+	ret = setup_access_check_context(ac, msg, &acl_ctx);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/* For every element in the message and the parse tree, check RP. */
+
+	for (/* begin where we left off */; i < msg->num_elements; ++i) {
+		struct ldb_message_element *el = &msg->elements[i];
+
+		/* Is the attribute mentioned in the search expression? */
+		if (!attr_in_vec(&ac->tree_attrs, el->name)) {
+			/*
+			 * If not, leave it for later and check the next
+			 * attribute.
+			 */
+			continue;
+		}
+
+		/*
+		 * We need to check whether the attribute is secret,
+		 * confidential, or access-controlled.
+		 */
+		ret = acl_redact_attr(ac,
+				      el,
+				      ac,
+				      private_data,
+				      msg,
+				      ac->schema,
+				      acl_ctx.sd,
+				      acl_ctx.sid,
+				      acl_ctx.objectclass);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+
+		acl_element_mark_access_checked(el);
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ldb_attr_cmp_fn(const void *_a, const void *_b)
+{
+	const char * const *a = _a;
+	const char * const *b = _b;
+
+	return ldb_attr_cmp(*a, *b);
+}
+
 static int aclread_init(struct ldb_module *module)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	unsigned int i, n, j;
+	TALLOC_CTX *mem_ctx = NULL;
+	int ret;
+	bool userPassword_support;
+	static const char * const attrs[] = { "passwordAttribute", NULL };
+	static const char * const secret_attrs[] = {
+		DSDB_SECRET_ATTRIBUTES
+	};
+	struct ldb_result *res;
+	struct ldb_message *msg;
+	struct ldb_message_element *password_attributes;
 	struct aclread_private *p = talloc_zero(module, struct aclread_private);
 	if (p == NULL) {
 		return ldb_module_oom(module);
 	}
 	p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", true);
+
+	ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR,
+			  "acl_module_init: Unable to register sd_flags control with rootdse!\n");
+		return ldb_operr(ldb);
+	}
+
 	ldb_module_set_private(module, p);
-	return ldb_next_init(module);
+
+	mem_ctx = talloc_new(module);
+	if (!mem_ctx) {
+		return ldb_oom(ldb);
+	}
+
+	ret = dsdb_module_search_dn(module, mem_ctx, &res,
+				    ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
+				    attrs,
+				    DSDB_FLAG_NEXT_MODULE |
+				    DSDB_FLAG_AS_SYSTEM,
+				    NULL);
+	if (ret != LDB_SUCCESS) {
+		goto done;
+	}
+	if (res->count == 0) {
+		goto done;
+	}
+
+	if (res->count > 1) {
+		talloc_free(mem_ctx);
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+
+	msg = res->msgs[0];
+
+	password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
+	if (!password_attributes) {
+		goto done;
+	}
+	p->password_attrs = talloc_array(p, const char *,
+			password_attributes->num_values +
+			ARRAY_SIZE(secret_attrs));
+	if (!p->password_attrs) {
+		talloc_free(mem_ctx);
+		return ldb_oom(ldb);
+	}
+
+	n = 0;
+	for (i=0; i < password_attributes->num_values; i++) {
+		p->password_attrs[n] = (const char *)password_attributes->values[i].data;
+		talloc_steal(p->password_attrs, password_attributes->values[i].data);
+		n++;
+	}
+
+	for (i=0; i < ARRAY_SIZE(secret_attrs); i++) {
+		bool found = false;
+
+		for (j=0; j < n; j++) {
+			if (strcasecmp(p->password_attrs[j], secret_attrs[i]) == 0) {
+				found = true;
+				break;
+			}
+		}
+
+		if (found) {
+			continue;
+		}
+
+		p->password_attrs[n] = talloc_strdup(p->password_attrs,
+						     secret_attrs[i]);
+		if (p->password_attrs[n] == NULL) {
+			talloc_free(mem_ctx);
+			return ldb_oom(ldb);
+		}
+		n++;
+	}
+	p->num_password_attrs = n;
+
+	/* Sort the password attributes so we can use binary search. */
+	TYPESAFE_QSORT(p->password_attrs, p->num_password_attrs, ldb_attr_cmp_fn);
+
+	ret = ldb_register_redact_callback(ldb, acl_redact_msg_for_filter, module);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+done:
+	talloc_free(mem_ctx);
+	ret = ldb_next_init(module);
+
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (p->password_attrs != NULL) {
+		/*
+		 * Check this after the modules have be initialised so we can
+		 * actually read the backend DB.
+		 */
+		userPassword_support = dsdb_user_password_support(module,
+								  module,
+								  NULL);
+		if (!userPassword_support) {
+			const char **found = NULL;
+
+			/*
+			 * Remove the userPassword attribute, as it is not
+			 * considered secret.
+			 */
+			BINARY_ARRAY_SEARCH_V(p->password_attrs,
+					      p->num_password_attrs,
+					      "userPassword",
+					      ldb_attr_cmp,
+					      found);
+			if (found != NULL) {
+				size_t found_idx = found - p->password_attrs;
+
+				/* Shift following elements backwards by one. */
+				for (i = found_idx; i < p->num_password_attrs - 1; ++i) {
+					p->password_attrs[i] = p->password_attrs[i + 1];
+				}
+				--p->num_password_attrs;
+			}
+		}
+	}
+	return ret;
 }
 
 static const struct ldb_module_ops ldb_aclread_module_ops = {
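Review bot: in aclread_init(), ldb_register_redact_callback() is reached only after the @KLUDGEACL search succeeds and a passwordAttribute element is found; each earlier `goto done` (search error, res->count == 0, missing element) leaves the module loaded with password_attrs == NULL and no filter redaction, and the search error itself is overwritten by the result of ldb_next_init(). Consider registering the callback unconditionally, seeding the list from DSDB_SECRET_ATTRIBUTES even when the record is absent, and logging that case. Smaller points: the `return ret;` after a failed ldb_register_redact_callback() skips talloc_free(mem_ctx); the debug string says "acl_module_init" inside aclread_init(); the duplicate check uses strcasecmp while the sort and lookup use ldb_attr_cmp; and the ldb_error() call after ldb_request_add_control() is indented one tab too far.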
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c	2022-08-08 17:15:39.548193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/acl_util.c	2023-03-20 12:03:44.507649400 +0300
@@ -97,8 +97,8 @@
 
 int acl_check_access_on_attribute(struct ldb_module *module,
 				  TALLOC_CTX *mem_ctx,
-				  struct security_descriptor *sd,
-				  struct dom_sid *rp_sid,
+				  const struct security_descriptor *sd,
+				  const struct dom_sid *rp_sid,
 				  uint32_t access_mask,
 				  const struct dsdb_attribute *attr,
 				  const struct dsdb_class *objectclass)
@@ -298,7 +298,7 @@
 
 	sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
 	if (sd_control != NULL && sd_control->data != NULL) {
-		struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+		struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
 
 		sd_flags = sdctr->secinfo_flags;
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c	2022-08-08 17:15:39.552193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/extended_dn_in.c	2023-03-20 12:03:45.227653700 +0300
@@ -48,6 +48,7 @@
 struct extended_search_context {
 	struct ldb_module *module;
 	struct ldb_request *req;
+	struct ldb_parse_tree *tree;
 	struct ldb_dn *basedn;
 	struct ldb_dn *dn;
 	char *wellknown_object;
@@ -200,7 +201,7 @@
 						      ldb_module_get_ctx(ac->module), ac->req,
 						      ac->basedn,
 						      ac->req->op.search.scope,
-						      ac->req->op.search.tree,
+						      ac->tree,
 						      ac->req->op.search.attrs,
 						      ac->req->controls,
 						      ac, extended_final_callback, 
@@ -422,7 +423,15 @@
 	guid_val = ldb_dn_get_extended_component(dn, "GUID");
 	sid_val  = ldb_dn_get_extended_component(dn, "SID");
 
-	if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) {
+	/*
+	 * Is the attribute indexed? By treating confidential attributes
+	 * as unindexed, we force searches to go through the unindexed
+	 * search path, avoiding observable timing differences.
+	 */
+	if (!guid_val && !sid_val &&
+	    (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&
+	    !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		/* if it is indexed, then fixing the string DN will do
 		   no good here, as we will not find the attribute in
 		   the index. So for now fall through to a standard DN
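Review bot: the condition now also excludes SEARCH_FLAG_CONFIDENTIAL attributes, but the inner comment that follows still begins "if it is indexed" and no longer describes when the branch is taken; fold the two comments into one that matches the three-part test. The new comment should also say that the rule applies to every requester, since nothing in the condition looks at who is searching, so confidential attributes are treated as unindexed for privileged callers as well.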
@@ -515,11 +524,14 @@
  */
 static int extended_dn_fix_filter(struct ldb_module *module,
 				  struct ldb_request *req,
-				  uint32_t default_dsdb_flags)
+				  uint32_t default_dsdb_flags,
+				  struct ldb_parse_tree **down_tree)
 {
 	struct extended_dn_filter_ctx *filter_ctx;
 	int ret;
 
+	*down_tree = NULL;
+
 	filter_ctx = talloc_zero(req, struct extended_dn_filter_ctx);
 	if (filter_ctx == NULL) {
 		return ldb_module_oom(module);
@@ -550,12 +562,12 @@
 	filter_ctx->test_only = false;
 	filter_ctx->matched   = false;
 
-	req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
-	if (req->op.search.tree == NULL) {
+	*down_tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
+	if (*down_tree == NULL) {
 		return ldb_oom(ldb_module_get_ctx(module));
 	}
 
-	ret = ldb_parse_tree_walk(req->op.search.tree, extended_dn_filter_callback, filter_ctx);
+	ret = ldb_parse_tree_walk(*down_tree, extended_dn_filter_callback, filter_ctx);
 	if (ret != LDB_SUCCESS) {
 		talloc_free(filter_ctx);
 		return ret;
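Review bot: when ldb_parse_tree_walk() fails, the function frees filter_ctx and returns the error but leaves *down_tree pointing at the shallow copy; setting `*down_tree = NULL` on that path would make the out-parameter valid only on success, consistent with the NULL assignment at function entry. The function's header comment should also document the new parameter and that the copy is allocated on req.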
@@ -572,7 +584,8 @@
 static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req, struct ldb_dn *dn)
 {
 	struct extended_search_context *ac;
-	struct ldb_request *down_req;
+	struct ldb_request *down_req = NULL;
+	struct ldb_parse_tree *down_tree = NULL;
 	int ret;
 	struct ldb_dn *base_dn = NULL;
 	enum ldb_scope base_dn_scope = LDB_SCOPE_BASE;
@@ -595,7 +608,7 @@
 	}
 
 	if (req->operation == LDB_SEARCH) {
-		ret = extended_dn_fix_filter(module, req, dsdb_flags);
+		ret = extended_dn_fix_filter(module, req, dsdb_flags, &down_tree);
 		if (ret != LDB_SUCCESS) {
 			return ret;
 		}
@@ -603,7 +616,25 @@
 
 	if (!ldb_dn_has_extended(dn)) {
 		/* Move along there isn't anything to see here */
-		return ldb_next_request(module, req);
+		if (down_tree == NULL) {
+			down_req = req;
+		} else {
+			ret = ldb_build_search_req_ex(&down_req,
+						      ldb_module_get_ctx(module), req,
+						      req->op.search.base,
+						      req->op.search.scope,
+						      down_tree,
+						      req->op.search.attrs,
+						      req->controls,
+						      req, dsdb_next_callback,
+						      req);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+			LDB_REQ_SET_LOCATION(down_req);
+		}
+
+		return ldb_next_request(module, down_req);
 	} else {
 		/* It looks like we need to map the DN */
 		const struct ldb_val *sid_val, *guid_val, *wkguid_val;
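Review bot: the new branch gives no reason for building a second request instead of rewriting req->op.search.tree in place as the old code did; a comment stating why the caller's tree must stay untouched would keep someone from simplifying this back. The else branch also reads req->op.search.* unconditionally and is safe only because down_tree is non-NULL solely when extended_dn_fix_filter() ran under `req->operation == LDB_SEARCH`; a one-line comment or an assertion on req->operation would make that dependency explicit.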
@@ -690,6 +721,7 @@
 		
 		ac->module = module;
 		ac->req = req;
+		ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree;
 		ac->dn = dn;
 		ac->basedn = NULL;  /* Filled in if the search finds the DN by SID/GUID etc */
 		ac->wellknown_object = wellknown_object;
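Review bot: `ac->tree = (down_tree != NULL) ? down_tree : req->op.search.tree;` falls back to req->op.search.tree without any check of req->operation in the visible context. down_tree is only filled in for LDB_SEARCH, so for any other operation reaching this point the fallback reads the search member of the op union. If ac->tree is only consumed on the search path, guard the assignment with the same operation check and leave ac->tree NULL otherwise.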
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c	2022-08-08 17:15:39.552193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/linked_attributes.c	2023-03-20 12:03:44.487649200 +0300
@@ -104,7 +104,7 @@
 	 * If we are a GC let's remove the control,
 	 * if there is a specified GC check that is us.
 	 */
-	struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+	struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
 	if (samdb_is_gc(ldb)) {
 		/* Because we can't easily talloc a struct ldb_dn*/
 		struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1);
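Review bot: talloc_get_type_abort() terminates the process when control->data is NULL or is not a talloc object named struct ldb_verify_name_control, so this line trades a silent type confusion for an abort. That is the right default for data only this code base creates, but if the control payload can arrive absent or malformed from a client, prefer talloc_get_type() with a NULL check and an error return so a bad request cannot take the server down. The same consideration applies to the identical conversion in password_hash.c.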
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2022-10-19 15:14:56.036195800 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2023-03-20 12:03:44.491649400 +0300
@@ -4066,7 +4066,7 @@
 	ctrl = ldb_request_get_control(ac->req,
 				       DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID);
 	if (ctrl != NULL) {
-		ac->change = (struct dsdb_control_password_change *) ctrl->data;
+		ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
 
 		/* Mark the "change" control as uncritical (done) */
 		ctrl->critical = false;
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/util.c samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/util.c
--- samba-4.17.6+dfsg/source4/dsdb/samdb/ldb_modules/util.c	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/ldb_modules/util.c	2023-03-20 12:04:29.063923100 +0300
@@ -1433,6 +1433,46 @@
 	return result;
 }
 
+bool dsdb_attribute_authz_on_ldap_add(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_ATTR_AUTHZ_ON_LDAP_ADD) {
+		uint8_t val = hr_val->data[DS_HR_ATTR_AUTHZ_ON_LDAP_ADD - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
+bool dsdb_block_owner_implicit_rights(struct ldb_module *module,
+				      TALLOC_CTX *mem_ctx,
+				      struct ldb_request *parent)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	bool result = false;
+	const struct ldb_val *hr_val = dsdb_module_find_dsheuristics(module,
+								     tmp_ctx,
+								     parent);
+	if (hr_val != NULL && hr_val->length >= DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS) {
+		uint8_t val = hr_val->data[DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS - 1];
+		if (val != '0' && val != '2') {
+			result = true;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+	return result;
+}
+
 /*
   show the chain of requests, useful for debugging async requests
  */
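Review bot: dsdb_attribute_authz_on_ldap_add() and dsdb_block_owner_implicit_rights() are the same body with a different index constant, and neither explains why both '0' and '2' mean disabled while every other character enables the behaviour. A static helper taking the dSHeuristics position, with a one-line comment on that mapping, would remove the duplication and document the rule once. talloc_new() is also unchecked: if it returns NULL, anything the lookup allocates on tmp_ctx is not released by the closing talloc_free(tmp_ctx).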
diff -Nru samba-4.17.6+dfsg/source4/dsdb/samdb/samdb.h samba-4.17.7+dfsg/source4/dsdb/samdb/samdb.h
--- samba-4.17.6+dfsg/source4/dsdb/samdb/samdb.h	2022-08-08 17:29:11.377506700 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/samdb/samdb.h	2023-03-20 12:03:45.135653300 +0300
@@ -232,6 +232,8 @@
  */
 #define DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID "1.3.6.1.4.1.7165.4.3.35"
 
+#define DSDB_CONTROL_ACL_READ_OID "1.3.6.1.4.1.7165.4.3.37"
+
 #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
 struct dsdb_extended_replicated_object {
 	struct ldb_message *msg;
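Review bot: DSDB_CONTROL_ACL_READ_OID is added with no comment, while the define just above it closes a descriptive comment block. Please document what the control signals and which module sets and consumes it. The value goes from 1.3.6.1.4.1.7165.4.3.35 to 1.3.6.1.4.1.7165.4.3.37 in this context, so also confirm that .36 is allocated elsewhere rather than skipped by accident.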
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_description.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_description.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_description.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_description.c	2023-03-20 12:03:45.227653700 +0300
@@ -160,6 +160,13 @@
 					       attribute->rangeUpper,
 					       GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),
 					       GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),
+					       /*
+						* We actually ignore the indexed
+						* flag for confidential
+						* attributes, but we'll include
+						* it for the purposes of
+						* description.
+						*/
 					       (attribute->searchFlags & SEARCH_FLAG_ATTINDEX),
 					       attribute->systemOnly);
 	talloc_free(tmp_ctx);
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_init.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_init.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_init.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_init.c	2023-03-20 12:03:45.227653700 +0300
@@ -514,8 +514,15 @@
 	if (attr->isSingleValued) {
 		a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
 	}
-	
-	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+
+	/*
+	 * Is the attribute indexed? By treating confidential attributes as
+	 * unindexed, we force searches to go through the unindexed search path,
+	 * avoiding observable timing differences.
+	 */
+	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+	    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		a->flags |= LDB_ATTR_FLAG_INDEXED;
 	}
 
diff -Nru samba-4.17.6+dfsg/source4/dsdb/schema/schema_set.c samba-4.17.7+dfsg/source4/dsdb/schema/schema_set.c
--- samba-4.17.6+dfsg/source4/dsdb/schema/schema_set.c	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/schema/schema_set.c	2023-03-20 12:03:45.227653700 +0300
@@ -221,7 +221,14 @@
 			break;
 		}
 
-		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+		/*
+		 * Is the attribute indexed? By treating confidential attributes
+		 * as unindexed, we force searches to go through the unindexed
+		 * search path, avoiding observable timing differences.
+		 */
+		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+		    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+		{
 			/*
 			 * When preparing to downgrade Samba, we need to write
 			 * out an LDB without the new key word ORDERED_INTEGER.
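Review bot: The test `attr->searchFlags & SEARCH_FLAG_ATTINDEX && !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)` is now spelled out both here and in schema_init.c; if the two copies ever diverge, the two code paths will disagree about whether a confidential attribute is indexed. A small helper returning whether an attribute is effectively indexed would keep them in step. Parenthesising the first bitmask test to match the second would also make the precedence obvious to readers.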
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/acl_modify.py samba-4.17.7+dfsg/source4/dsdb/tests/python/acl_modify.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/acl_modify.py	1970-01-01 03:00:00.000000000 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/acl_modify.py	2023-03-20 12:04:29.103923300 +0300
@@ -0,0 +1,236 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+
+import optparse
+import sys
+sys.path.insert(0, "bin/python")
+import samba
+
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+
+import samba.getopt as options
+
+from ldb import ERR_INSUFFICIENT_ACCESS_RIGHTS
+from ldb import Message, MessageElement, Dn
+from ldb import FLAG_MOD_REPLACE, FLAG_MOD_DELETE
+from samba.dcerpc import security
+
+from samba.auth import system_session
+from samba import gensec, sd_utils
+from samba.samdb import SamDB
+from samba.credentials import Credentials, DONT_USE_KERBEROS
+import samba.tests
+import samba.dsdb
+
+
+parser = optparse.OptionParser("acl.py [options] <host>")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+if len(args) < 1:
+    parser.print_usage()
+    sys.exit(1)
+
+host = args[0]
+if "://" not in host:
+    ldaphost = "ldap://%s" % host
+else:
+    ldaphost = host
+    start = host.rindex("://")
+    host = host.lstrip(start + 3)
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
+
+#
+# Tests start here
+#
+
+
+class AclTests(samba.tests.TestCase):
+
+    def setUp(self):
+        super(AclTests, self).setUp()
+
+        strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True)
+        if strict_checking is None:
+            strict_checking = '1'
+        self.strict_checking = bool(int(strict_checking))
+
+        self.ldb_admin = SamDB(ldaphost, credentials=creds, session_info=system_session(lp), lp=lp)
+        self.base_dn = self.ldb_admin.domain_dn()
+        self.domain_sid = security.dom_sid(self.ldb_admin.get_domain_sid())
+        self.user_pass = "samba123@"
+        self.configuration_dn = self.ldb_admin.get_config_basedn().get_linearized()
+        self.sd_utils = sd_utils.SDUtils(self.ldb_admin)
+        self.addCleanup(self.delete_admin_connection)
+        # used for anonymous login
+        self.creds_tmp = Credentials()
+        self.creds_tmp.set_username("")
+        self.creds_tmp.set_password("")
+        self.creds_tmp.set_domain(creds.get_domain())
+        self.creds_tmp.set_realm(creds.get_realm())
+        self.creds_tmp.set_workstation(creds.get_workstation())
+        print("baseDN: %s" % self.base_dn)
+
+        # set AttributeAuthorizationOnLDAPAdd and BlockOwnerImplicitRights
+        self.set_heuristic(samba.dsdb.DS_HR_ATTR_AUTHZ_ON_LDAP_ADD, b'11')
+
+    def set_heuristic(self, index, values):
+        self.assertGreater(index, 0)
+        self.assertLess(index, 30)
+        self.assertIsInstance(values, bytes)
+
+        # Get the old "dSHeuristics" if it was set
+        dsheuristics = self.ldb_admin.get_dsheuristics()
+        # Reset the "dSHeuristics" as they were before
+        self.addCleanup(self.ldb_admin.set_dsheuristics, dsheuristics)
+        # Set the "dSHeuristics" to activate the correct behaviour
+        default_heuristics = b"000000000100000000020000000003"
+        if dsheuristics is None:
+            dsheuristics = b""
+        dsheuristics += default_heuristics[len(dsheuristics):]
+        dsheuristics = (dsheuristics[:index - 1] +
+                        values +
+                        dsheuristics[index - 1 + len(values):])
+        self.ldb_admin.set_dsheuristics(dsheuristics)
+
+    def get_user_dn(self, name):
+        return "CN=%s,CN=Users,%s" % (name, self.base_dn)
+
+    def get_ldb_connection(self, target_username, target_password):
+        creds_tmp = Credentials()
+        creds_tmp.set_username(target_username)
+        creds_tmp.set_password(target_password)
+        creds_tmp.set_domain(creds.get_domain())
+        creds_tmp.set_realm(creds.get_realm())
+        creds_tmp.set_workstation(creds.get_workstation())
+        creds_tmp.set_gensec_features(creds_tmp.get_gensec_features()
+                                      | gensec.FEATURE_SEAL)
+        creds_tmp.set_kerberos_state(DONT_USE_KERBEROS)  # kinit is too expensive to use in a tight loop
+        ldb_target = SamDB(url=ldaphost, credentials=creds_tmp, lp=lp)
+        return ldb_target
+
+    # Test if we have any additional groups for users than default ones
+    def assert_user_no_group_member(self, username):
+        res = self.ldb_admin.search(self.base_dn, expression="(distinguishedName=%s)" % self.get_user_dn(username))
+        try:
+            self.assertEqual(res[0]["memberOf"][0], "")
+        except KeyError:
+            pass
+        else:
+            self.fail()
+
+    def delete_admin_connection(self):
+        del self.sd_utils
+        del self.ldb_admin
+
+
+class AclModifyTests(AclTests):
+
+    def setup_computer_with_hostname(self, account_name):
+        ou_dn = f'OU={account_name},{self.base_dn}'
+        dn = f'CN={account_name},{ou_dn}'
+
+        user, password = "mouse", "mus musculus 123!"
+        self.addCleanup(self.ldb_admin.deleteuser, user)
+
+        self.ldb_admin.newuser(user, password)
+        self.ldb_user = self.get_ldb_connection(user, password)
+
+        self.addCleanup(self.ldb_admin.delete, ou_dn,
+                        controls=["tree_delete:0"])
+        self.ldb_admin.create_ou(ou_dn)
+
+        self.ldb_admin.add({
+            'dn': dn,
+            'objectClass': 'computer',
+            'sAMAccountName': account_name + '$',
+        })
+
+        host_name = f'{account_name}.{self.ldb_user.domain_dns_name()}'
+
+        m = Message(Dn(self.ldb_admin, dn))
+        m['dNSHostName'] = MessageElement(host_name,
+                                          FLAG_MOD_REPLACE,
+                                          'dNSHostName')
+
+        self.ldb_admin.modify(m)
+        return host_name, dn
+
+    def test_modify_delete_dns_host_name_specified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        m = Message(Dn(self.ldb_user, dn))
+        m['dNSHostName'] = MessageElement(host_name,
+                                          FLAG_MOD_DELETE,
+                                          'dNSHostName')
+
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (with specified name)",
+            self.ldb_user.modify, m)
+
+    def test_modify_delete_dns_host_name_unspecified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        m = Message(Dn(self.ldb_user, dn))
+        m['dNSHostName'] = MessageElement([],
+                                          FLAG_MOD_DELETE,
+                                          'dNSHostName')
+
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (without specified name)",
+            self.ldb_user.modify, m)
+
+    def test_modify_delete_dns_host_name_ldif_specified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        ldif = f"""
+dn: {dn}
+changetype: modify
+delete: dNSHostName
+dNSHostName: {host_name}
+"""
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (with specified name)",
+            self.ldb_user.modify_ldif, ldif)
+
+    def test_modify_delete_dns_host_name_ldif_unspecified(self):
+        '''Test deleting dNSHostName'''
+        account_name = self.id().rsplit(".", 1)[1][:63]
+        host_name, dn = self.setup_computer_with_hostname(account_name)
+
+        ldif = f"""
+dn: {dn}
+changetype: modify
+delete: dNSHostName
+"""
+        self.assertRaisesLdbError(
+            ERR_INSUFFICIENT_ACCESS_RIGHTS,
+            "User able to delete dNSHostName (without specific name)",
+            self.ldb_user.modify_ldif, ldif)
+
+
+ldb = SamDB(ldaphost, credentials=creds, session_info=system_session(lp), lp=lp)
+
+TestProgram(module=__name__, opts=subunitopts)
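Review bot: `host = host.lstrip(start + 3)` in the URL branch passes an int to str.lstrip(), which raises TypeError, so the script fails whenever the host argument contains "://". Slicing is what is meant: host[start + 3:]. Smaller points in the same file: the usage string still says acl.py, all four tests share the docstring 'Test deleting dNSHostName', and the module-level `ldb = SamDB(...)` before TestProgram is not used in the lines shown.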
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/confidential_attr.py samba-4.17.7+dfsg/source4/dsdb/tests/python/confidential_attr.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/confidential_attr.py	2022-08-08 17:15:39.564193500 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/confidential_attr.py	2023-03-20 12:03:45.135653300 +0300
@@ -25,6 +25,9 @@
 
 import samba
 import os
+import random
+import statistics
+import time
 from samba.tests.subunitrun import SubunitOptions, TestProgram
 import samba.getopt as options
 from ldb import SCOPE_BASE, SCOPE_SUBTREE
@@ -487,7 +490,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -500,7 +503,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -563,7 +566,7 @@
         self.make_attr_confidential()
 
         self.assert_conf_attr_searches(has_rights_to=0)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
 
@@ -738,7 +741,7 @@
 
         # the user shouldn't be able to see the attribute anymore
         self.assert_conf_attr_searches(has_rights_to="deny-one")
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to="deny-one",
                                       dc_mode=dc_mode)
         self.assert_attr_visible(expect_attr=False)
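Review bot: Hard-coding `dc_mode = DC_MODE_RETURN_ALL` here, as in the other hunks of this file that make the same substitution, removes the runtime guess without saying why. A comment stating that the server is now expected to always behave this way would help, placed once near the constant or in the first affected test. If no caller of guess_dc_mode() remains, the method should be deleted in the same change.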
@@ -914,7 +917,7 @@
 
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_attr_visible(expect_attr=False)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
         # as a final sanity-check, make sure the admin can still see the attr
@@ -924,12 +927,12 @@
         self.assert_negative_searches(has_rights_to="all",
                                       samdb=self.ldb_admin)
 
-    def get_guid(self, dn):
+    def get_guid_string(self, dn):
         """Returns an object's GUID (in string format)"""
         res = self.ldb_admin.search(base=dn, attrs=["objectGUID"],
                                     scope=SCOPE_BASE)
         guid = res[0]['objectGUID'][0]
-        return self.ldb_admin.schema_format_value("objectGUID", guid)
+        return self.ldb_admin.schema_format_value("objectGUID", guid).decode('utf-8')
 
     def make_attr_preserve_on_delete(self):
         """Marks the attribute under test as being preserve on delete"""
@@ -978,7 +981,7 @@
         # deleted objects, but only from this particular test run. We can do
         # this by matching lastKnownParent against this test case's OU, which
         # will match any deleted child objects.
-        ou_guid = self.get_guid(self.ou)
+        ou_guid = self.get_guid_string(self.ou)
         deleted_filter = "(lastKnownParent=<GUID={0}>)".format(ou_guid)
 
         # the extra-filter will get combined via AND with the search expression
@@ -1009,7 +1012,7 @@
         # check we can't see the objects now, even with using dirsync controls
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_attr_visible(expect_attr=False)
-        dc_mode = self.guess_dc_mode()
+        dc_mode = DC_MODE_RETURN_ALL
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
         # now delete the users (except for the user whose LDB connection
@@ -1022,4 +1025,163 @@
         self.assert_conf_attr_searches(has_rights_to=0)
         self.assert_negative_searches(has_rights_to=0, dc_mode=dc_mode)
 
+    def test_timing_attack(self):
+        # Create the machine account.
+        mach_name = f'conf_timing_{random.randint(0, 0xffff)}'
+        mach_dn = Dn(self.ldb_admin, f'CN={mach_name},{self.ou}')
+        details = {
+            'dn': mach_dn,
+            'objectclass': 'computer',
+            'sAMAccountName': f'{mach_name}$',
+        }
+        self.ldb_admin.add(details)
+
+        # Get the machine account's GUID.
+        res = self.ldb_admin.search(mach_dn,
+                                    attrs=['objectGUID'],
+                                    scope=SCOPE_BASE)
+        mach_guid = res[0].get('objectGUID', idx=0)
+
+        # Now we can create an msFVE-RecoveryInformation object that is a child
+        # of the machine account object.
+        recovery_dn = Dn(self.ldb_admin, str(mach_dn))
+        recovery_dn.add_child('CN=recovery_info')
+
+        secret_pw = 'Secret007'
+        not_secret_pw = 'Secret008'
+
+        secret_pw_utf8 = secret_pw.encode('utf-8')
+
+        # The crucial attribute, msFVE-RecoveryPassword, is a confidential
+        # attribute.
+        conf_attr = 'msFVE-RecoveryPassword'
+
+        m = Message(recovery_dn)
+        m['objectClass'] = 'msFVE-RecoveryInformation'
+        m['msFVE-RecoveryGuid'] = mach_guid
+        m[conf_attr] = secret_pw
+        self.ldb_admin.add(m)
+
+        attrs = [conf_attr]
+
+        # Search for the confidential attribute as administrator, ensuring it
+        # is visible.
+        res = self.ldb_admin.search(recovery_dn,
+                                    attrs=attrs,
+                                    scope=SCOPE_BASE)
+        self.assertEqual(1, len(res))
+        pw = res[0].get(conf_attr, idx=0)
+        self.assertEqual(secret_pw_utf8, pw)
+
+        # Repeat the search with an expression matching on the confidential
+        # attribute. This should also work.
+        res = self.ldb_admin.search(
+            recovery_dn,
+            attrs=attrs,
+            expression=f'({conf_attr}={secret_pw})',
+            scope=SCOPE_BASE)
+        self.assertEqual(1, len(res))
+        pw = res[0].get(conf_attr, idx=0)
+        self.assertEqual(secret_pw_utf8, pw)
+
+        # Search for the attribute as an unprivileged user. It should not be
+        # visible.
+        user_res = self.ldb_user.search(recovery_dn,
+                                        attrs=attrs,
+                                        scope=SCOPE_BASE)
+        pw = user_res[0].get(conf_attr, idx=0)
+        # The attribute should be None.
+        self.assertIsNone(pw)
+
+        # We use LDAP_MATCHING_RULE_TRANSITIVE_EVAL to create a search
+        # expression that takes a long time to execute, by setting off another
+        # search each time it is evaluated. It makes no difference that the
+        # object on which we're searching has no 'member' attribute.
+        dummy_dn = 'cn=user,cn=users,dc=samba,dc=example,dc=com'
+        slow_subexpr = f'(member:1.2.840.113556.1.4.1941:={dummy_dn})'
+        slow_expr = f'(|{slow_subexpr * 100})'
+
+        # The full search expression. It comprises a match on the confidential
+        # attribute joined by an AND to our slow search expression, The AND
+        # operator is short-circuiting, so if our first subexpression fails to
+        # match, we'll bail out of the search early. Otherwise, we'll evaluate
+        # the slow part; as its subexpressions are joined by ORs, and will all
+        # fail to match, every one of them will need to be evaluated. By
+        # measuring how long the search takes, we'll be able to infer whether
+        # the confidential attribute matched or not.
+
+        # This is bad if we are not an administrator, and are able to use this
+        # to determine the values of confidential attributes. Therefore we need
+        # to ensure we can't observe any difference in timing.
+        correct_expr = f'(&({conf_attr}={secret_pw}){slow_expr})'
+        wrong_expr = f'(&({conf_attr}={not_secret_pw}){slow_expr})'
+
+        def standard_uncertainty_bounds(times):
+            mean = statistics.mean(times)
+            stdev = statistics.stdev(times, mean)
+
+            return (mean - stdev, mean + stdev)
+
+        # Perform a number of searches with both correct and incorrect
+        # expressions, and return the uncertainty bounds for each.
+        def time_searches(samdb):
+            warmup_samples = 3
+            samples = 10
+            matching_times = []
+            non_matching_times = []
+
+            for _ in range(warmup_samples):
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=correct_expr,
+                             scope=SCOPE_BASE)
+
+            for _ in range(samples):
+                # Measure the time taken for a search, for both a matching and
+                # a non-matching search expression.
+
+                prev = time.time()
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=correct_expr,
+                             scope=SCOPE_BASE)
+                now = time.time()
+                matching_times.append(now - prev)
+
+                prev = time.time()
+                samdb.search(recovery_dn,
+                             attrs=attrs,
+                             expression=wrong_expr,
+                             scope=SCOPE_BASE)
+                now = time.time()
+                non_matching_times.append(now - prev)
+
+            matching = standard_uncertainty_bounds(matching_times)
+            non_matching = standard_uncertainty_bounds(non_matching_times)
+            return matching, non_matching
+
+        def assertRangesDistinct(a, b):
+            a0, a1 = a
+            b0, b1 = b
+            self.assertLess(min(a1, b1), max(a0, b0))
+
+        def assertRangesOverlap(a, b):
+            a0, a1 = a
+            b0, b1 = b
+            self.assertGreaterEqual(min(a1, b1), max(a0, b0))
+
+        # For an administrator, the uncertainty bounds for matching and
+        # non-matching searches should be distinct. This shows that the two
+        # cases are distinguishable, and therefore that confidential attributes
+        # are visible.
+        admin_matching, admin_non_matching = time_searches(self.ldb_admin)
+        assertRangesDistinct(admin_matching, admin_non_matching)
+
+        # The user cannot view the confidential attribute, so the uncertainty
+        # bounds for matching and non-matching searches must overlap. The two
+        # cases must be indistinguishable.
+        user_matching, user_non_matching = time_searches(self.ldb_user)
+        assertRangesOverlap(user_matching, user_non_matching)
+
+
 TestProgram(module=__name__, opts=subunitopts)
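Review bot: assertRangesOverlap() on mean ± one standard deviation from 10 samples passes more easily the noisier the measurements are, so in test_timing_attack a loaded test host can hide exactly the timing difference the user-side check is meant to catch, while the admin-side assertRangesDistinct() can fail for the same reason. Consider more samples, time.perf_counter() or time.monotonic() instead of time.time() (which follows wall-clock adjustments), and a comparison that bounds the difference of the means rather than relying on overlap. dummy_dn is hard-coded to dc=samba,dc=example,dc=com; the comment says the value makes no difference, but deriving it from the domain DN would remove the question.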
diff -Nru samba-4.17.6+dfsg/source4/dsdb/tests/python/large_ldap.py samba-4.17.7+dfsg/source4/dsdb/tests/python/large_ldap.py
--- samba-4.17.6+dfsg/source4/dsdb/tests/python/large_ldap.py	2022-08-08 17:15:39.568193400 +0300
+++ samba-4.17.7+dfsg/source4/dsdb/tests/python/large_ldap.py	2023-03-20 12:03:44.451649000 +0300
@@ -32,7 +32,7 @@
 import samba.getopt as options
 
 from samba.auth import system_session
-from samba import ldb
+from samba import ldb, sd_utils
 from samba.samdb import SamDB
 from samba.ndr import ndr_unpack
 from samba import gensec
@@ -66,30 +66,32 @@
 
 class ManyLDAPTest(samba.tests.TestCase):
 
-    def setUp(self):
-        super(ManyLDAPTest, self).setUp()
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        self.base_dn = self.ldb.domain_dn()
-        self.OU_NAME_MANY="many_ou" + format(random.randint(0, 99999), "05")
-        self.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME_MANY + "," + str(self.base_dn))
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        cls.base_dn = self.ldb.domain_dn()
+        cls.OU_NAME_MANY="many_ou" + format(random.randint(0, 99999), "05")
+        cls.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME_MANY + "," + str(self.base_dn))
 
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
-        self.ldb.add({
-            "dn": self.ou_dn,
+        cls.ldb.add({
+            "dn": cls.ou_dn,
             "objectclass": "organizationalUnit",
-            "ou": self.OU_NAME_MANY})
+            "ou": cls.OU_NAME_MANY})
 
         for x in range(2000):
-            ou_name = self.OU_NAME_MANY + str(x)
-            self.ldb.add({
-                "dn": "ou=" + ou_name + "," + str(self.ou_dn),
+            ou_name = cls.OU_NAME_MANY + str(x)
+            cls.ldb.add({
+                "dn": "ou=" + ou_name + "," + str(cls.ou_dn),
                 "objectclass": "organizationalUnit",
                 "ou": ou_name})
 
-    def tearDown(self):
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+    @classmethod
+    def tearDownClass(cls):
+        samba.tests.delete_force(cls.ldb, self.ou_dn,
                                  controls=['tree_delete:1'])
 
     def test_unindexed_iterator_search(self):
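Review bot: setUpClass() and tearDownClass() in ManyLDAPTest still reference `self`, which does not exist in a classmethod: `cls.base_dn = self.ldb.domain_dn()`, the `cls.ou_dn = ldb.Dn(self.ldb, ...)` line with self.OU_NAME_MANY and self.base_dn, and `delete_force(cls.ldb, self.ou_dn, ...)` will each raise NameError. Replace every `self` in these two methods with `cls`.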
@@ -117,34 +119,38 @@
 
 class LargeLDAPTest(samba.tests.TestCase):
 
-    def setUp(self):
-        super(LargeLDAPTest, self).setUp()
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        self.base_dn = self.ldb.domain_dn()
-        self.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-"
-        self.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05")
-        self.ou_dn = ldb.Dn(self.ldb, "ou=" + self.OU_NAME + "," + str(self.base_dn))
+    @classmethod
+    def setUpClass(cls):
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        cls.base_dn = cls.ldb.domain_dn()
+
+        cls.sd_utils = sd_utils.SDUtils(cls.ldb)
+        cls.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-"
+        cls.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05")
+        cls.ou_dn = ldb.Dn(cls.ldb, "ou=" + cls.OU_NAME + "," + str(cls.base_dn))
 
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
-        self.ldb.add({
-            "dn": self.ou_dn,
+        cls.ldb.add({
+            "dn": cls.ou_dn,
             "objectclass": "organizationalUnit",
-            "ou": self.OU_NAME})
+            "ou": cls.OU_NAME})
 
         for x in range(200):
-            user_name = self.USER_NAME + format(x, "03")
-            self.ldb.add({
-                "dn": "cn=" + user_name + "," + str(self.ou_dn),
+            user_name = cls.USER_NAME + format(x, "03")
+            cls.ldb.add({
+                "dn": "cn=" + user_name + "," + str(cls.ou_dn),
                 "objectclass": "user",
                 "sAMAccountName": user_name,
                 "jpegPhoto": b'a' * (2 * 1024 * 1024)})
 
-    def tearDown(self):
+    @classmethod
+    def tearDownClass(cls):
         # Remake the connection for tear-down (old Samba drops the socket)
-        self.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
-        samba.tests.delete_force(self.ldb, self.ou_dn,
+        cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
+        samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
     def test_unindexed_iterator_search(self):
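Review bot: LargeLDAPTest.setUpClass() does not call super().setUpClass(), unlike the ManyLDAPTest conversion earlier in this file, and neither tearDownClass() calls super().tearDownClass(). Add both so base-class fixtures are set up and released in the usual order. The doubled blank line before samba.tests.delete_force() can be dropped.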
@@ -246,6 +252,7 @@
         self.assertGreater(count, count_jpeg)
 
     def test_timeout(self):
+
         policy_dn = ldb.Dn(self.ldb,
                            'CN=Default Query Policy,CN=Query-Policies,'
                            'CN=Directory Service,CN=Windows NT,CN=Services,'
@@ -283,9 +290,19 @@
                       session_info=system_session(lp),
                       lp=lp)
 
+        for x in range(200):
+            user_name = self.USER_NAME + format(x, "03")
+            ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x
+            dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn))
+
+            # add an ACE that denies access to the above random attr
+            # for a not-existing user.  This makes each SD distinct
+            # and so will slow SD parsing.
+            self.sd_utils.dacl_add_ace(dn, ace)
+
         # Create a large search expression that will take a long time to
         # evaluate.
-        expression = '(anr=l)' * 10000
+        expression = f'(jpegPhoto=*X*)' * 1000
         expression = f'(|{expression})'
 
         # Perform the LDAP search.
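Review bot: f'(jpegPhoto=*X*)' is an f-string with no placeholders, so the f prefix should be removed. The new loop also hard-codes range(200), which has to stay in step with the 200 users created in the class setup; a shared class constant would stop the two from drifting apart. The comment refers to "the above random attr" although nothing above names an attribute, so state which attribute the GUID in the ACE identifies.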
diff -Nru samba-4.17.6+dfsg/source4/selftest/tests.py samba-4.17.7+dfsg/source4/selftest/tests.py
--- samba-4.17.6+dfsg/source4/selftest/tests.py	2022-12-15 19:09:31.753236500 +0300
+++ samba-4.17.7+dfsg/source4/selftest/tests.py	2023-03-20 12:04:29.107923500 +0300
@@ -1322,6 +1322,7 @@
 plantestsuite_loadlist("samba4.urgent_replication.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(DSDB_PYTEST_DIR, "urgent_replication.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.dirsync.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "dirsync.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules.py"), '$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.ldap.match_rules.python", "ad_dc_ntvfs", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/match_rules_remote.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite("samba4.ldap.index.python", "none", [python, os.path.join(srcdir(), "lib/ldb-samba/tests/index.py")])
 plantestsuite_loadlist("samba4.ldap.notification.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(DSDB_PYTEST_DIR, "notification.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 plantestsuite_loadlist("samba4.ldap.sites.python(ad_dc_default)", "ad_dc_default", [python, os.path.join(DSDB_PYTEST_DIR, "sites.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
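Review bot: the added line registers match_rules_remote.py under "samba4.ldap.match_rules.python", the same suite name the line before it gives to match_rules.py. With two suites sharing one name it is ambiguous which script a reported failure came from. Give the remote variant its own name, for example samba4.ldap.match_rules_remote.python.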
@@ -1417,6 +1418,7 @@
     plantestsuite("samba4.ldap.possibleInferiors.python(%s)" % env, env, [python, os.path.join(samba4srcdir, "dsdb/samdb/ldb_modules/tests/possibleinferiors.py"), "ldap://$SERVER", '-U"$USERNAME%$PASSWORD"', "-W$DOMAIN"])
     plantestsuite_loadlist("samba4.ldap.secdesc.python(%s)" % env, env, [python, os.path.join(DSDB_PYTEST_DIR, "sec_descriptor.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
     plantestsuite_loadlist("samba4.ldap.acl.python(%s)" % env, env, ["STRICT_CHECKING=0", python, os.path.join(DSDB_PYTEST_DIR, "acl.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+    plantestsuite_loadlist("samba4.ldap.acl_modify.python(%s)" % env, env, ["STRICT_CHECKING=0", python, os.path.join(DSDB_PYTEST_DIR, "acl_modify.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
 
 for env in all_fl_envs + ["schema_dc", "ad_dc_no_ntlm"]:
     if env != "fl2000dc":
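Review bot: the acl_modify.py entry copies STRICT_CHECKING=0 from the acl.py line above it without saying why a newly added test needs that override. If the new tests pass without it, drop the setting; otherwise add a comment naming what depends on it.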
diff -Nru samba-4.17.6+dfsg/source4/setup/schema_samba4.ldif samba-4.17.7+dfsg/source4/setup/schema_samba4.ldif
--- samba-4.17.6+dfsg/source4/setup/schema_samba4.ldif	2022-08-08 17:15:40.424200000 +0300
+++ samba-4.17.7+dfsg/source4/setup/schema_samba4.ldif	2023-03-20 12:03:45.135653300 +0300
@@ -231,6 +231,9 @@
 #Allocated: DSDB_CONTROL_INVALID_NOT_IMPLEMENTED 1.3.6.1.4.1.7165.4.3.32
 #Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
 #Allocated: DSDB_CONTROL_TRANSACTION_IDENTIFIER_OID 1.3.6.1.4.1.7165.4.3.34
+#Allocated: DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID 1.3.6.1.4.1.7165.4.3.35
+#Allocated: DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID 1.3.6.1.4.1.7165.4.3.36
+#Allocated: DSDB_CONTROL_ACL_READ_OID 1.3.6.1.4.1.7165.4.3.37
 
 
 # Extended 1.3.6.1.4.1.7165.4.4.x
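Review bot: the three new control OIDs (.35 to .37) are recorded by name only. Going by their names, DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID and DSDB_CONTROL_ACL_READ_OID affect access-control decisions, so a one-line comment per entry stating what the control does and whether it is accepted from remote clients would make this list usable for audit.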
@@ -243,6 +246,7 @@
 #Allocated: DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.4.7
 #Allocated: DSDB_EXTENDED_CREATE_OWN_RID_SET 1.3.6.1.4.1.7165.4.4.8
 #Allocated: DSDB_EXTENDED_ALLOCATE_RID 1.3.6.1.4.1.7165.4.4.9
+#Allocated: DSDB_EXTENDED_SCHEMA_LOAD 1.3.6.1.4.1.7165.4.4.10
 
 
 ############
diff -Nru samba-4.17.6+dfsg/source4/torture/ldb/ldb.c samba-4.17.7+dfsg/source4/torture/ldb/ldb.c
--- samba-4.17.6+dfsg/source4/torture/ldb/ldb.c	2022-08-08 17:15:40.448200200 +0300
+++ samba-4.17.7+dfsg/source4/torture/ldb/ldb.c	2023-03-20 12:03:44.691650600 +0300
@@ -1634,7 +1634,6 @@
 	TALLOC_CTX *mem_ctx = talloc_new(torture);
 	struct ldb_context *ldb;
 	struct ldb_val data = *discard_const_p(struct ldb_val, data_p);
-	struct ldb_message *unpack_msg = ldb_msg_new(mem_ctx);
 	struct ldb_message *msg = ldb_msg_new(mem_ctx);
 	const char *lookup_names[] = {"instanceType", "nonexistent",
 				      "whenChanged", "objectClass",
@@ -1649,18 +1648,15 @@
 		       "Failed to init samba");
 
 	torture_assert_int_equal(torture,
-				 ldb_unpack_data(ldb, &data, unpack_msg),
+				 ldb_unpack_data(ldb, &data, msg),
 				 0, "ldb_unpack_data failed");
 
-	torture_assert_int_equal(torture, unpack_msg->num_elements, 13,
+	torture_assert_int_equal(torture, msg->num_elements, 13,
 				 "Got wrong count of elements");
 
-	msg->dn = talloc_steal(msg, unpack_msg->dn);
-
 	torture_assert_int_equal(torture,
-				 ldb_filter_attrs(ldb, unpack_msg,
-						  lookup_names, msg),
-				 0, "ldb_kv_filter_attrs failed");
+				 ldb_filter_attrs_in_place(msg, lookup_names),
+				 0, "ldb_filter_attrs_in_place failed");
 
 	/* Compare data in binary form */
 	torture_assert_int_equal(torture, msg->num_elements, 6,
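Review bot: with the call switched to ldb_filter_attrs_in_place(msg, lookup_names), this test no longer exercises ldb_filter_attrs() at all. If that function remains part of the library, keep a separate case for it so the copying path does not lose coverage. Because the in-place variant modifies msg, the check that msg->num_elements is 13 has to stay ahead of the filter call, as it does here; a short comment saying so would protect the ordering.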
diff -Nru samba-4.17.6+dfsg/VERSION samba-4.17.7+dfsg/VERSION
--- samba-4.17.6+dfsg/VERSION	2023-03-09 12:18:38.345811800 +0300
+++ samba-4.17.7+dfsg/VERSION	2023-03-29 16:22:38.841019400 +0300
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=17
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################
 # If a official release has a serious bug              #
diff -Nru samba-4.17.6+dfsg/WHATSNEW.txt samba-4.17.7+dfsg/WHATSNEW.txt
--- samba-4.17.6+dfsg/WHATSNEW.txt	2023-03-09 12:18:38.345811800 +0300
+++ samba-4.17.7+dfsg/WHATSNEW.txt	2023-03-29 16:22:38.825019600 +0300
@@ -1,4 +1,75 @@
                    ==============================
+                   Release Notes for Samba 4.17.7
+                           March 29, 2023
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+                 but otherwise unprivileged users to delete this attribute from
+                 any object in the directory.
+                 https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+                 remote LDAP server, will by default send new or reset
+                 passwords over a signed-only connection.
+                 https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+                 Confidential attribute disclosure via LDAP filters was
+                 insufficient and an attacker may be able to obtain
+                 confidential BitLocker recovery keys from a Samba AD DC.
+                 Installations with such secrets in their Samba AD should
+                 assume they have been obtained and need replacing.
+                 https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.17.6
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 15276: CVE-2023-0225.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 15270: CVE-2023-0614.
+   * BUG 15331: ldb wildcard matching makes excessive allocations.
+   * BUG 15332: large_ldap test is inefficient.
+
+o  Rob van der Linde <rob at catalyst.net.nz>
+   * BUG 15315: CVE-2023-0922.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+     allow full write to all attributes (additional changes).
+   * BUG 15270: CVE-2023-0614.
+   * BUG 15276: CVE-2023-0225.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+                   ==============================
                    Release Notes for Samba 4.17.6
                            March 09, 2023
                    ==============================
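Review bot: the defect list at the top of the 4.17.7 notes names three CVEs, but the change list below it also carries BUG 14810 (CVE-2020-25720, "additional changes"), which the summary never mentions. Add a line to the summary or state that those are follow-up changes to an earlier fix, so readers who only scan the CVE list know the release touches it. The CVE-2023-0922 entry also describes the behaviour without saying what an administrator should do, unlike the CVE-2023-0614 entry, which tells installations to replace the exposed secrets.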
@@ -58,8 +129,7 @@
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.17.5
                           January 26, 2023


