[Pkg-samba-maint] [Git][samba-team/samba][master] 53 commits: VERSION: Bump version up to Samba 4.19.5...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Mon Feb 19 12:23:08 GMT 2024



Michael Tokarev pushed to branch master at Debian Samba Team / samba


Commits:
b9f60718 by Jule Anger at 2024-01-08T15:33:18+01:00
VERSION: Bump version up to Samba 4.19.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
b6c2c26e by Ralph Boehme at 2024-01-09T12:13:13+00:00
selftest: remove error_inject from shadow_write share

Frankly, I can't remember why I added this as part of bug 13688. The
goal of the corresponding test is to verify a write on a read-only
file handle fails. As the file is opened O_RDONLY, the write will fail
anyway and there's no need to inject the error.

To make things worse, having the error injected meant we didn't notice
when the underlying logic of forcing the open to be done with O_RDONLY
was done as O_RDWR, resulting in the write on the handle to succeed.

This happened when we introduced reopen_from_fsp(): the initial
pathref open of a path with a twrp value was correctly detected and
handled by shadow_copy2_openat(). However, when converting the pathref
open to a real one via reopen_from_fsp(), shadow_copy2_openat() only
sees the magic /proc/fd path and has no way of inferring that this was
originating from a previous version open with a twrp value.

Tl;dr: we can just remove this error injection, it is not needed, the
correct fix is to implement this in the SMB layer which is done in the
subsequent commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 78119edba013583555069271bb61134c12c2c135)

- - - - -
bb9aea6a by Ralph Boehme at 2024-01-09T12:13:13+00:00
s4/libcli/raw: implement RAW_SFILEINFO_LINK_INFORMATION

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit c62484bc2c60ebac42635793d94cb8e62629acbf)

- - - - -
a510fc46 by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbtorture: expand smb2.twrp.write test

Test more modifying operations are blocked and access masks are correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 537eedfe2a79fba2e1f062f14ba7a0c5f8f70a88)

- - - - -
b8383780 by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: return the correct error in can_rename()

This is what Windows returns for this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 276c5bd851ab6ab818a49d9c47f6b96de8024778)

- - - - -
9ee7991d by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: set fsp_flags.is_fsa to true on printer file handles

Printer file handles went through SMB_VFS_CREATE_FILE() and are network
callable, so it makes sense to set this on them.

This ensures that check_access_fsp() doesn't take the codepath calling
smbd_check_access_rights_fsp(), but just checks the request rights from
fsp->access_mask.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 76c8fe16bff36a29fa326355256b50737d04bd85)

- - - - -
0f865a34 by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: rename check_access_fsp() to check_any_access_fsp()

The semantics of the access check in check_access_fsp() itself is to
allow access if *at least* one or more rights of the rights in
access_mask are allowed. The name check_any_access_fsp() better
reflects this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 96b577c380fa914eb1ffa95849c82bdb88aa1ec6)

- - - - -
8318428f by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: fix check_any_access_fsp() for non-fsa fsps

smbd_check_access_rights_fsp() requires *all* rights in access_mask to
be granted by the underlying ACL, but the semantics of this function
is supposed to grant access if any one of the rights in
access_requested is allowed.

Fix this by looping over the requested access mask. If
smbd_check_access_rights_fsp() returns success, mask will be non-null
and when assigned to access_granted, the subsequent check will pass,
fail otherwise.

I'm not doing an early exit on purpose because a subsequent commit
adds additional security checks that are done in the subsequent code
path common for fsa and non-fsa fsps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit bf497819e61131cfa6469971596af3aa9bd4bb49)

- - - - -
0352aae6 by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: return correct error when trying to create a hardlink to a VSS file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a0ae45be770a13373c148a689b9761f14c4f942c)

- - - - -
bfa5f178 by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: set fsp->fsp_flags.can_write to false for access to previous-versions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ee3035218df4cfd68b6aab6825c78f2b85234c6c)

- - - - -
44396d7b by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: replace CHECK_WRITE() macro with calls to check_any_access_fsp()

The additional check if the underlying fd is valid and not -1 should not be done
at this place. I actually would prefer a write to fail with EBADF if this
happens, as it's likely easier to debug why this happened. These days we should
always have a valid fd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 995a31c8d4c1789c16bae6b8196f2565d4b1dfdb)

- - - - -
f5eb449c by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: use check_any_access_fsp() for all access checks

Replaces the direct access to fsp->access_mask with a call to
check_any_access_fsp() which allows doing additional checks if needed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 02ed99343d19fd0845531ad99a46b1dd5b8a7a4f)

- - - - -
0874d3ab by Ralph Boehme at 2024-01-09T12:13:13+00:00
smbd: check for previous versions in check_any_access_fsp()

Now that check_any_access_fsp() is broadly used consistently to
restrict access for all modifying operations, we can add a check for
previous versions to check_any_access_fsp() and it gets enforced
consistently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit fd4e41144a819b4403340e4a28664ac586722b41)

- - - - -
cfbaab56 by Ralph Boehme at 2024-01-09T13:17:12+00:00
smbd: move access override for previous versions to the SMB layer

Doing the previous version access checks and semantics at the SMB
layer means we can simplify the shadow_copy2 and remove the kludge.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Mon Jan  8 16:58:26 UTC 2024 on atb-devel-224

(backported from commit f14a7065690b00e3c6af2c1f0b0aec51c1e0b372)
[slow at samba.org: vfs_shadow_copy2.c: no TALLOC_FREE() in context]
[slow at samba.org: open.c: assign result from calculate_open_access_flags()]

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Jan  9 13:17:12 UTC 2024 on atb-devel-224

- - - - -
9ab2eb21 by Gabriel Nagy at 2024-01-15T10:05:16+00:00
gp: Support more global trust directories

In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.

In case none is found, fall back to the first option which will produce a
warning as it did previously.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f)

- - - - -
f9975df8 by Gabriel Nagy at 2024-01-15T10:05:16+00:00
gp: Support update-ca-trust helper

This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268)

- - - - -
0dd51b02 by Gabriel Nagy at 2024-01-15T10:05:16+00:00
gp: Change root cert extension suffix

On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b)

- - - - -
9db01a2c by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Test with binary content for certificate data

This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70)

- - - - -
6dba94a3 by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Convert CA certificates to base64

I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5)

- - - - -
dfbe7494 by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Test adding new cert templates enforces changes

Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0)

- - - - -
28b1fe5e by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Template changes should invalidate cache

If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1)

- - - - -
93735e8a by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Test disabled enrollment unapplies policy

For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3)

- - - - -
de32d94c by Gabriel Nagy at 2024-01-15T10:05:17+00:00
gp: Send list of keys instead of dict to remove

`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: David Mulder <dmulder at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224

(cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a)

- - - - -
df025598 by Andreas Schneider at 2024-01-15T11:11:30+00:00
python:gp: Print a nice message if cepces-submit can't be found

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
(cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224

- - - - -
a86c1087 by Björn Jacke at 2024-01-22T09:55:16+00:00
time.c: fix ctime which was fed with the mtime seconds

This bug was introduced with 53a1d034f3e47ed3c in 2020.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15550

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 2df2e34c3c1ccf76bbcc78586cbbb6433b6d30d5)

- - - - -
9c43625c by Bjoern Jacke at 2024-01-22T09:55:16+00:00
system.c: fix fake directory create times

This was broken by c9c3d4312d7281904fc back in 2009 already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12421

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 56c3dbc2ff8531772bf79eb9da3497767a20ce6f)

- - - - -
283ff41e by Jones Syue at 2024-01-22T10:53:03+00:00
s3:passdb: smbpasswd reset permissions only if not 0600

When browsing or downloading files from a samba server, smbd checks the user's
id to decide whether this user can access these files, by looking up the user's
information in the password file (e.g. /usr/local/samba/private/smbpasswd).
smbd might go through startsmbfilepwent(); this API calls [f]chmod() to
make sure the password file has valid permissions 0600.

Consider a scenario: we are doing a read performance benchmark by
downloading a bunch of files (e.g. a thousand files) from a samba server,
monitoring file system i/o activity counters, and expecting that there should
be only read operations on the file system because this is just downloading, no
uploading is involved. But we actually found that there are still write
operations on the file system, because smbd looks up the user and always resets
0600 permissions on the password file while accessing each file. This makes
dirty pages (inode modification) in RAM, which later trigger a kernel journal
daemon to sync dirty pages into back storage (e.g. ext3 kjournald, or ext4 jbd2).
This is not friendly for a read performance benchmark if it happens on
an entry-level system with much less memory and limited computation power,
because dirty page syncing in the meantime slows down read performance.

This patch adds fstat() before [f]chmod() to check whether the password
file has valid permissions 0600 or not. If 0600, smbd bypasses [f]chmod()
to avoid making dirty pages on file systems. If not 0600, smbd warns and
goes through [f]chmod() to set valid permissions 0600 on the password file as
in earlier days.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15555

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Thu Jan 18 10:28:19 UTC 2024 on atb-devel-224

(cherry picked from commit c82a267b2a1b7617e818548aa486b7cfbda74657)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Jan 22 10:53:03 UTC 2024 on atb-devel-224

- - - - -
445637d0 by David Mulder at 2024-01-29T10:46:16+00:00
gp: Skip site GP list if no site is found

[MS-GPOL] 3.2.5.1.4 Site Search says if the site
search returns ERROR_NO_SITENAME, the GP site
search should be skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548

Signed-off-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224

(cherry picked from commit f05b61b4991e7f51bd184d76a79f8b50114a0ff3)

- - - - -
1dff1340 by Ralph Boehme at 2024-01-29T10:46:16+00:00
vfs_default: allow disabling /proc/fds and RESOLVE_NO_SYMLINK at compile time

This will be used in CI to have a gitlab runner without all modern Linux
features we make use of as part of path processing:

- O_PATH
- openat2() with RESOLVE_NO_SYMLINKS
- somehow safely reopen an O_PATH file handle

That gives what a classic UNIX like AIX or Solaris offers feature wise.

Other OSes support other combinations of those features, but we leave the
exercise of possibly adding more runners supporting those combinations to the
reader.

The following list shows which features are available and used by Samba on a few
OSes:

        | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
--------|----------------|---------------------|----------------------------
        | Supported Used | Supported Used      | Supported Used |
============================================================================
Linux   | +         +    | +         +         | +         +    | +
FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
AIX     | -         -    | -         -         | -         -    | +

[1] via open() flag O_RESOLVE_BENEATH
[2] via open() flag O_EMPTY_PATH

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 5c2f96442a25a1725809a28b3719afbc0bd01830)

- - - - -
4c4f086d by Ralph Boehme at 2024-01-29T10:46:17+00:00
CI: disable /proc/fds and RESOLVE_NO_SYMLINK in samba-no-opath-build runner

This is a more sensible combination of missing Linux specific features:

- O_PATH
- openat2() with RESOLVE_NO_SYMLINKS
- somehow safely reopen an O_PATH file handle

Currently only O_PATH is disabled for these jobs, but that doesn't really match
any known OS.

The following list shows which features are available and used by Samba on a few
OSes:

        | O_PATH         | RESOLVE_NO_SYMLINKS | Safe reopen    | CI covered
--------|----------------|---------------------|----------------------------
        | Supported Used | Supported Used      | Supported Used |
============================================================================
Linux   | +         +    | +         +         | +         +    | +
FreeBSD | +         +    | + [1]     -         | + [2]     -    | -
AIX     | -         -    | -         -         | -         -    | +

So by also disabling RESOLVE_NO_SYMLINKS and Safe Reopen, we cover classic UNIX
systems like AIX.

[1] via open() flag O_RESOLVE_BENEATH
[2] via open() flag O_EMPTY_PATH

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 62cbe145c7e500c4759ed2005c78bd5056c87f43)

- - - - -
90ae1e8f by Ralph Boehme at 2024-01-29T10:46:17+00:00
smbd: pass symlink target path to safe_symlink_target_path()

Moves processing the symlink error response to the caller
filename_convert_dirfsp(). Prepares for using this in
non_widelink_open(), where it will replace symlink_target_below_conn()
with the same functionality.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(back-ported from commit 0515dded4ddb49e5570ae7df51126af1a2d643de)

- - - - -
cd4df6ae by Ralph Boehme at 2024-01-29T10:46:17+00:00
smbd: add a directory argument to safe_symlink_target_path()

Existing caller passes NULL, no change in behaviour. Prepares for
replacing symlink_target_below_conn() in open.c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit fc80c72d658a41fe4d93b24b793b52c91b350175)

- - - - -
4477e23d by Ralph Boehme at 2024-01-29T10:46:17+00:00
smbd: use safe_symlink_target_path() in symlink_target_below_conn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit 1965fc77b3852a0593e13897af08f5304a1ce3a2)

- - - - -
84020efb by Ralph Boehme at 2024-01-29T11:59:41+00:00
smbd: use dirfsp and atname in open_directory()

On systems without /proc/fd support this avoids the expensive chdir()
logic in non_widelink_open(). open_file_ntcreate() already passes
dirfsp and atname to reopen_from_fsp(), it was just missed in the
conversion.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15549

Reviewed-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Jan 22 12:00:56 UTC 2024 on atb-devel-224

(cherry picked from commit 2713023250f15cf9971d88620cab9dd4afd0dc73)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Jan 29 11:59:41 UTC 2024 on atb-devel-224

- - - - -
41cd6b95 by Joseph Sutton at 2024-02-05T11:32:09+00:00
python: Fix invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b068592dd0dccce634cb17b66f0659ba60523908)

- - - - -
a50016bc by Gabriel Nagy at 2024-02-05T11:32:09+00:00
gpo: Test certificate policy without NDES

As of 8231eaf856b, the NDES feature is no longer required on Windows, as
cert auto-enroll can use the certificate from the LDAP request.

However, 157335ee93e changed the implementation to convert the LDAP
certificate to base64 due to it failing to cleanly convert to a string.

Because of insufficient test coverage I missed handling the part where
NDES is disabled or not reachable and the LDAP certificate was imported.
The call to load_der_x509_certificate now fails with an error because it
expects binary data, yet it receives a base64 encoded string.

This adds a test to confirm the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572)

- - - - -
90cf23e1 by Gabriel Nagy at 2024-02-05T11:32:09+00:00
gpo: Decode base64 root cert before importing

The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
imported as PEM, or converted back to binary and imported as DER.

I've opted for the latter since it's how it used to work before it
regressed in 157335ee93e.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06)

- - - - -
d3061f5e by Gabriel Nagy at 2024-02-05T11:32:09+00:00
gpo: Do not get templates list on first run

This is a visual fix and has no impact on functionality apart from
cleaner log messages.

The point of this is to get the list of supported templates in order to
compute a diff between the current applied templates and the updated
list, so we are able to unapply and reapply the policy in case there are
differences.

However this code path is executed on first applies as well, at which
point the root CA is not yet set up. This causes the
`get_supported_templates` call to fail, which is not a hard failure but
still pollutes the logs. In this case it's safe to avoid executing the
command as the policy will be applied regardless.

Signed-off-by: Gabriel Nagy <gabriel.nagy at canonical.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224

(cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c)

- - - - -
60514eb6 by Andreas Schneider at 2024-02-05T12:34:12+00:00
python:gp: Fix logging with gp

This allows enabling INFO level logging with: `samba-gpupdate -d3`

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Feb  5 12:34:12 UTC 2024 on atb-devel-224

- - - - -
c390da79 by Michael Tokarev at 2024-02-06T09:03:19+03:00
reformat previous changelog entry to fit in 80cols

- - - - -
5cc4e57e by Michael Tokarev at 2024-02-14T10:28:41+03:00
d/winbind.postrm: stop recursively removing plain files

- - - - -
5b0c0f62 by Michael Tokarev at 2024-02-14T10:28:57+03:00
d/winbind.postrm: winbindd_cache.tdb is in /var/lib now, not in /var/cache

- - - - -
8480944d by Michael Tokarev at 2024-02-14T10:28:57+03:00
d/control: RulesRequiresRoot:no

- - - - -
f15aea67 by Michael Tokarev at 2024-02-14T10:28:57+03:00
d/*.symbols: use #PACKAGE# placeholders where appropriate (or add comments where it is not)

- - - - -
8547ab89 by Michael Tokarev at 2024-02-14T16:23:38+03:00
+silence-can-not-convert-group-sid.diff

- - - - -
8ffa5ab1 by Jule Anger at 2024-02-19T11:42:13+01:00
WHATSNEW: Add release notes for Samba 4.19.5.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
7bef2f7f by Jule Anger at 2024-02-19T11:42:13+01:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.5 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
d3debe1d by Michael Tokarev at 2024-02-19T14:33:00+03:00
New upstream version 4.19.5+dfsg
- - - - -
69f12ae5 by Michael Tokarev at 2024-02-19T14:33:13+03:00
Update upstream source from tag 'upstream/4.19.5+dfsg'

Update to upstream version '4.19.5+dfsg'
with Debian dir 4be4490cb2a9a5a11bb6bbdc9a3793da305809a4
- - - - -
8c61655e by Michael Tokarev at 2024-02-19T15:03:14+03:00
-python-fix-invalid-escape-sequences.patch (applied upstream)

- - - - -
8eb4c81a by Michael Tokarev at 2024-02-19T15:03:14+03:00
d/control: replace pkg-config=>pkgconf in Build-Depends, remove pkg-config from Depends of libldb-dev and python3-ldb-dev

- - - - -
0e3e88dc by Michael Tokarev at 2024-02-19T15:20:23+03:00
d/samba-libs.symbols, d/control: make libsmbldapN a virtual package too, like libndrN

- - - - -
61389a1a by Michael Tokarev at 2024-02-19T15:21:18+03:00
update changelog; upload version 4.19.5+dfsg-1 to unstable

- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- debian/changelog
- debian/control
- debian/libsmbclient.symbols
- debian/libwbclient0.symbols
- − debian/patches/python-fix-invalid-escape-sequences.patch
- debian/patches/series
- + debian/patches/silence-can-not-convert-group-sid.diff
- debian/python3-ldb.symbols.in
- debian/rules
- debian/samba-libs.symbols
- debian/winbind.postrm
- lib/util/time.c
- python/samba/gp/gp_cert_auto_enroll_ext.py
- python/samba/gp/gpclass.py
- python/samba/gp/util/logging.py
- python/samba/graph.py
- python/samba/tests/bin/cepces-submit
- python/samba/tests/gpo.py
- python/samba/tests/samba_tool/gpo.py
- script/autobuild.py
- selftest/skip.opath-required
- selftest/target/Samba3.pm
- source3/include/proto.h
- source3/include/smb_macros.h
- source3/lib/system.c
- source3/modules/offload_token.c
- source3/modules/vfs_acl_common.c
- source3/modules/vfs_default.c


The diff was not included because it is too large.
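
Added example, not part of the original message and not Samba's code: a reduced C model of the access check described in commits 8318428f and 0874d3ab above. It shows an "all rights" ACL helper being driven one bit at a time to get "any right" semantics, with no early exit so the previous-version check in the common path always runs. `struct handle`, the `R_*` bits, the status names and the previous-version rule (reject a request that contains any modifying right) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed rights bits for this model; not Samba's SEC_* values. */
#define R_READ_DATA   0x01u
#define R_WRITE_DATA  0x02u
#define R_APPEND_DATA 0x04u
#define R_WRITE_ATTR  0x08u
#define R_MODIFYING   (R_WRITE_DATA | R_APPEND_DATA | R_WRITE_ATTR)

enum status { ST_OK, ST_ACCESS_DENIED, ST_PREVIOUS_VERSION_READONLY };

/* Hypothetical, reduced stand-in for smbd's file handle (fsp). */
struct handle {
	bool is_fsa;           /* handle came from the SMB create path */
	uint32_t access_mask;  /* rights granted at open time, used when is_fsa */
	uint32_t acl_rights;   /* rights the file's ACL grants, used otherwise */
	bool previous_version; /* opened with a twrp (snapshot) value */
};

/* "All" semantics: OK only if every right in mask is granted by the ACL.
 * Models the behaviour the commit attributes to
 * smbd_check_access_rights_fsp(). */
enum status acl_check_all(const struct handle *h, uint32_t mask)
{
	return ((h->acl_rights & mask) == mask) ? ST_OK : ST_ACCESS_DENIED;
}

/* Model of the problem: the whole mask goes to the "all" helper for non-fsa
 * handles, and nothing looks at previous_version. */
enum status check_any_access_before(const struct handle *h, uint32_t requested)
{
	if (!h->is_fsa) {
		return acl_check_all(h, requested);
	}
	return (h->access_mask & requested) ? ST_OK : ST_ACCESS_DENIED;
}

/* Model of the fix: collect the granted bits one at a time, then run the
 * checks that are common to fsa and non-fsa handles. */
enum status check_any_access(const struct handle *h, uint32_t requested)
{
	uint32_t granted = 0;

	if (h->is_fsa) {
		granted = h->access_mask;
	} else {
		/* No early exit: the common checks below must always run. */
		for (uint32_t bit = 1; bit != 0; bit <<= 1) {
			if ((requested & bit) && acl_check_all(h, bit) == ST_OK) {
				granted |= bit;
			}
		}
	}
	if ((granted & requested) == 0) {
		return ST_ACCESS_DENIED;
	}
	/* Assumed rule: a snapshot handle never gets a modifying right. */
	if (h->previous_version && (requested & R_MODIFYING)) {
		return ST_PREVIOUS_VERSION_READONLY;
	}
	return ST_OK;
}

int main(void)
{
	/* Constructed handles: ACL grants only WRITE_DATA; snapshot opened RW. */
	struct handle acl_write = { false, 0, R_WRITE_DATA, false };
	struct handle snap_rw = { true, R_READ_DATA | R_WRITE_DATA, 0, true };
	uint32_t write_req = R_WRITE_DATA | R_APPEND_DATA;

	printf("non-fsa write: before=%d after=%d\n",
	       check_any_access_before(&acl_write, write_req),
	       check_any_access(&acl_write, write_req));
	printf("snapshot write: before=%d after=%d\n",
	       check_any_access_before(&snap_rw, write_req),
	       check_any_access(&snap_rw, write_req));
	printf("snapshot read: after=%d\n",
	       check_any_access(&snap_rw, R_READ_DATA));
	return 0;
}
```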


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/86eadeb1de7532534d0ddfbc18ffdfcf5139dbb4...61389a1ad4f8a8422958bccd3e3da18d0c403eba
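
Added example, not from the original message or the Samba source: the fstat()-before-fchmod() pattern described in commit 283ff41e, written as a stand-alone C helper that still resets a loosened password file to 0600 but issues no metadata write when the mode is already correct. The function names, the result struct and the temporary file path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PWFILE_MODE 0600
#define MODE_BITS   07777 /* permission bits plus setuid/setgid/sticky */

/*
 * Hypothetical helper: make sure the open password file is mode 0600.
 * Returns 0 if it already was (no metadata write issued),
 *         1 if the mode had to be reset, -1 on error.
 */
int ensure_mode_0600(int fd)
{
	struct stat st;

	if (fstat(fd, &st) != 0) {
		return -1;
	}
	if ((st.st_mode & MODE_BITS) == PWFILE_MODE) {
		return 0; /* nothing to fix: the inode is not touched */
	}
	fprintf(stderr,
		"warning: password file mode is %04o, resetting to 0600\n",
		(unsigned)(st.st_mode & MODE_BITS));
	if (fchmod(fd, PWFILE_MODE) != 0) {
		return -1;
	}
	return 1;
}

struct demo_result {
	int first;           /* result on a file loosened to 0644 */
	int second;          /* result once the mode is correct again */
	int ctime_unchanged; /* 1 if the second call left the inode ctime alone */
	unsigned final_mode; /* mode bits at the end of the demo */
};

/* Constructed demo on a temporary file standing in for smbpasswd. */
struct demo_result run_demo(void)
{
	struct demo_result r = { -1, -1, 0, 0 };
	struct stat before, after;
	char path[] = "/tmp/pwfile-demo-XXXXXX";
	int fd = mkstemp(path);

	if (fd < 0) {
		return r;
	}
	if (fchmod(fd, 0644) == 0) { /* simulate loosened permissions */
		r.first = ensure_mode_0600(fd);
		if (fstat(fd, &before) == 0) {
			r.second = ensure_mode_0600(fd);
			if (fstat(fd, &after) == 0) {
				r.ctime_unchanged =
					before.st_ctim.tv_sec == after.st_ctim.tv_sec &&
					before.st_ctim.tv_nsec == after.st_ctim.tv_nsec;
				r.final_mode = (unsigned)(after.st_mode & MODE_BITS);
			}
		}
	}
	close(fd);
	unlink(path);
	return r;
}

int main(void)
{
	struct demo_result r = run_demo();

	printf("first=%d second=%d ctime_unchanged=%d mode=%04o\n",
	       r.first, r.second, r.ctime_unchanged, r.final_mode);
	return 0;
}
```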
