[Pkg-samba-maint] [samba] branch upstream_4.4 updated (0d47877 -> ecc3685)
Jelmer Vernooij
jelmer at moszumanska.debian.org
Wed Apr 27 01:15:39 UTC 2016
This is an automated email from the git hooks/post-receive script.
jelmer pushed a change to branch upstream_4.4
in repository samba.
from 0d47877 Merge in 4.3 history.
new 2a33a44 VERSION: Bump version up to 4.0.1...
new 0c1671a ntlmssp: add some missing defines from MS-NLMP to our IDL.
new 9ed62a3 ntlmssp: fix copy/paste typo in CHALLENGE_MESSAGE in IDL.
new 3b93cf0 ntlmssp: properly document version defines in IDL (from MS-NLMP).
new b1f72ca ntlmssp: when pulling messages it is important to clear memory first.
new 98466ff s4-torture: fill in ntlmssp_NEGOTIATE_MESSAGE_check().
new dd6b293 s4-torture: activate testing of CHALLENGE and AUTHENTICATE ntlmssp messages.
new f39d6d4 s4-torture: flesh out ntlmssp_CHALLENGE_MESSAGE_check().
new baa0a10 s4-torture: add ndr pullpush validation for NTLMSSP CHALLENGE and AUTHENTICATE messages.
new 2e8f4c8 s4-torture: flesh out ntlmssp_AUTHENTICATE_MESSAGE_check().
new 4d73b84 s4:torture/ntlmssp fix a compiler warning
new 84f8c9a spnego: Correctly check asn1_tag_remaining retval
new b0c603c lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
new c51b125 lib/util_net: add support for .ipv6-literal.net
new 338e1a9 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
new 557fc14 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
new b6a1b04 epmapper.idl: make epm_twr_t available in python bindings
new 6ea3642 dcerpc.idl: make WERROR RPC faults available in ndr_print output
new d356450 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
new 93332f4 s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
new 1a5f082 s3:libads: remove unused ads_connect_gc()
new 26d4f25 wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
new 73f2fa6 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
new b10c1db s3:librpc/gse: fix debug message in gse_init_client()
new 55b0f3c s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
new 1448dba s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
new 8614c6c s3:librpc/gse: don't log gss_acquire_creds failed at level 0
new 028c609 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
new 9e8749a s4:pygensec: make sig_size() and sign/check_packet() available
new 7cad825 auth/gensec: keep a pointer to a possible child/sub gensec_security context
new 967282e auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
new 1317625 auth/gensec: make gensec_security_by_name() public
new 4f97bcb s3:auth_generic: add auth_generic_client_start_by_name()
new 76e22d9 s3:auth_generic: add auth_generic_client_start_by_sasl()
new 3d0fc91 auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
new c6aef8c auth/ntlmssp: add gensec_ntlmssp_server_domain()
new 6b766dc s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
new b8eabce s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
new 06e6d37 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
new eab2039 s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
new 6ed7942 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
new 17d6b17 s3:auth_generic: make use of the top level NTLMSSP client code
new 4f94262 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
new 4e2e1f6 auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
new 333e02b auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
new cb0719d auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
new 8f69094 s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
new b57c0e7 winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
new 75bdf52 s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
new 2663f44 auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
new 2e40c60 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
new 3adc8f5 auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
new 7494612 auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
new 28725ef auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
new 423f193 auth/ntlmssp: add ntlmssp_version_blob()
new 47cebc5 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
new 62d31f6 auth/ntlmssp: use ntlmssp_version_blob() in the server
new 159be66 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
new e2e7ffe ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
new 92d7499 ntlmssp.idl: make AV_PAIR_LIST public
new 5c61712 librpc/ndr: add ndr_ntlmssp_find_av() helper function
new c9edc04 auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
new eafd97e auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
new 2a496ba auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
new 8f747f6 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
new 482555b auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
new 2ace844 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
new f74c031 s4:libcli/ldap: fix retry authentication after a bad password
new ff77277 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
new 0577097 s4:selftest: simplify the loops over samba4.ldb.ldap
new c5da725 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
new 52629ac s3:libads: add missing TALLOC_FREE(frame) in error path
new ea56849 s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
new 468c68c s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
new 8e7229d s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
new 1571a9f s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
new 6507d6f s3:libads: keep service and hostname separately in ads_service_principal
new a16bbec s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
new 7767d82 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
new 20c847f s3:libsmb: unused ntlmssp.c
new 4b55e96 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
new a7f8e94 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
new a167728 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
new d1921c6 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
new 506ac99 s3:libsmb: remove unused cli_session_setup_kerberos*() functions
new 5a8126d s3:libsmb: remove unused functions in clispnego.c
new b282ac7 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
new 528db7f s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
new fe4cdee s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
new 934f731 s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
new 511dfb4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
new bb63122 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
new df14c6a s4:rpc_server: dcesrv_generic_session_key should only work on local transports
new da66e65 selftest: s!addc.samba.example.com!addom.samba.example.com!
new 03479af selftest: add some helper scripts to mange a CA
new 6a09084 selftest: add config and script to create a samba.example.com CA
new bbb66a9 selftest: add CA-samba.example.com (non-binary) files
new 91d2c97 selftest: mark commands in manage-CA-samba.example.com.sh as DONE
new 0e5d2dd selftest: add Samba::prepare_keyblobs() helper function
new 5e62983 selftest: use Samba::prepare_keyblobs() and use the certs from the new CA
new 46fa417 selftest: set tls crlfile if it exist
new 8b90698 selftest: setup information of new samba.example.com CA in the client environment
new ff65d5b s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic
new 402d4ac s3:test_rpcclient_samlogon.sh: test samlogon with schannel
new 10eda28 s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function
new 8dea510 s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()
new dba5783 s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6
new eef3a10 s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP
new 2c1fa78 s4:torture/rpc/schannel: don't use validation level 6 without privacy
new 2779ec8 auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE
new cbeff28 auth/gensec: split out a gensec_verify_dcerpc_auth_level() function
new 168b015 s4:rpc_server: require access to the machine account credentials
new 1b646bb s4-smb_server: check for return code of cli_credentials_set_machine_account().
new 9f3ae00 s3-auth: check for return code of cli_credentials_set_machine_account().
new 9af768f libsmb: Fix CID 1356312 Explicit null dereferenced
new 40b3284 libads: Fix CID 1356316 Uninitialized pointer read
new 54cd107 s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp
new b4125aa s3:rpc_server/samr: correctly handle session_extract_session_key() failures
new 1437724 s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()
new ebd79e5 CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
new 00d1eaa9 CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
new e6e8da9 CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
new 5b86a85 CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
new 67787ff CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2
new 45a1008 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features
new 03ccba7 CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
new fc3582b CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
new 3a934e1 CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
new beb1f96 CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
new 77d59f1 CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
new 6a56dd2 CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
new ce87fef CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
new 6675796 CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
new 6b0ee68 CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
new 769eec8 CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
new 95af5d9 CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()
new f77cf81 CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()
new d35bc35 CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
new c5032e9 CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
new 4956428 CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)
new 861b86d CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)
new 0654735 CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()
new e1101a6 CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()
new d960002 CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
new 1d33ade CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
new aaf3893 CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
new ab0e71b CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
new a193154 CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
new 80401c9 CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
new 8421d13 CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
new 54fef0f CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
new b38d560 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
new 7f303d7 CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
new 379604a CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
new dc359da CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"
new 7e5966f CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
new acd6697 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
new f5035af CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
new 7bad35b CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction
new 5d69272 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
new 560213f CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
new ae29971 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
new be45c4b CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
new 0d2e185 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
new 187e32b CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
new 76b1826 CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
new 01acb21 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
new c4f9336 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
new 52ae0cc CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections
new 483a926 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
new 8105ff1 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
new f44664d CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
new d68c225 CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
new 39c169b CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options
new 5fbce21 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
new 6db65fb CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
new 2d2ab58 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
new 36ec246 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
new 5ec881c CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
new cd4b292 CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests
new a443abe CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
new 660dbb8 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
new 5c94dfa CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
new 2ced06d CVE-2016-2113: selftest: use "tls verify peer = no_check"
new b2af10b CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
new 4177489 CVE-2016-2114: s4:smb2_server: fix session setup with required signing
new cc8bbc3 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
new 0b05bc9 CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
new 2c3649c CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
new 09a7576 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
new 39282d2 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
new 863d419 CVE-2016-2115: docs-xml: add "client ipc signing" option
new 8466fe8 CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
new f3da02a CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
new ee4f114 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
new dbe7a43 CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
new 2c62a54 CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
new f1dea29 CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
new 1309832 CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
new afda479 CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
new 80102ed CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
new 0422c64 CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
new fdd2807 CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
new 084b20e CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
new f76e6f9 CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
new e7ef30e CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()
new d8c3cf1 CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
new 3502195 CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context
new e1de6ec CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
new 778dab9 CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
new 5d4d8ec CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
new be98e7e CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
new 6142767 CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
new 70ba7b0 CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
new d565761 CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
new 2e9824e CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
new 1a3c82e CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
new c98143b CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 34969d6 CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 6568d5d CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 4862ee5 CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
new 36278e3 CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
new 2e4f09b CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
new 3133233 CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
new ba69e95 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
new 6750ffd CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default
new f425bfd CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
new e675f63 CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
new fa0d681 CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
new 22ab56d CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
new b77eab0 CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
new b095508 CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
new 4867460 CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
new 32d8e05 CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
new 3f447f6 CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
new 25e48af CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
new 7ee85d6 CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()
new 4907895 CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()
new 245fc41 CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus
new 33ee36e CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()
new 23f4243 CVE-2015-5370: s4:librpc/rpc: simplify checks if gensec is used in dcerpc_ship_next_request()
new e05c7dd CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
new d3bb3ef CVE-2015-5370: s4:librpc/rpc: finally verify the server uses the expected auth_{type,level,context_id} values
new ac8910f CVE-2015-5370: librpc/rpc: add a dcerpc_verify_ncacn_packet_header() helper function
new f64f451 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
new 94de482 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
new f89c218 CVE-2015-5370: s4:librpc/rpc: make use of dcerpc_map_ack_reason() in dcerpc_bind_recv_handler()
new a96543e CVE-2015-5370: s4:librpc/rpc: handle DCERPC_PKT_FAULT before anything else in dcerpc_alter_context_recv_handler()
new 50fc638 CVE-2015-5370: s4:librpc/rpc: use dcerpc_verify_ncacn_packet_header() to verify BIND_ACK,ALTER_RESP,RESPONSE pdus
new 7f348a7 CVE-2015-5370: s4:librpc/rpc: protect dcerpc_request_recv_data() against too large payloads
new b0349be CVE-2015-5370: s4:rpc_server: make use of talloc_zero()
new 8332714 CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
new 58b1cdf CVE-2015-5370: s4:rpc_server: check the result of dcerpc_pull_auth_trailer() in dcesrv_auth_bind()
new dc15870 CVE-2015-5370: s4:rpc_server: maintain dcesrv_auth->auth_{type,level,context_id}
new 1ed3e26 CVE-2015-5370: s4:rpc_server: make use of dce_call->conn->auth_state.auth_* in dcesrv_request()
new 8ad4695 CVE-2015-5370: s4:rpc_server/lsa: make use of dce_call->conn->auth_state.auth_{level,type}
new 62f8a54 CVE-2015-5370: s4:rpc_server/samr: make use of dce_call->conn->auth_state.auth_level
new 08ec7e7 CVE-2015-5370: s4:rpc_server/netlogon: make use of dce_call->conn->auth_state.auth_{level,type}
new 83d93a8 CVE-2015-5370: s4:rpc_server: correctly maintain dcesrv_connection->max_{recv,xmit}_frag
new f9ed1a9 CVE-2015-5370: s4:rpc_server: avoid ZERO_STRUCT() in dcesrv_fault()
new 7c2984a CVE-2015-5370: s4:rpc_server: set alloc_hint = 24 in dcesrv_fault()
new 448435a CVE-2015-5370: s4:rpc_server: fill context_id in dcesrv_fault()
new eb16dfa CVE-2015-5370: s4:rpc_server: split out a dcesrv_fault_with_flags() helper function
new a689216 CVE-2015-5370: s4:rpc_server: add some padding to dcesrv_bind_nak() responses
new c8a1adb CVE-2015-5370: s4:rpc_server: return the correct secondary_address in dcesrv_bind()
new b5d0de4 CVE-2015-5370: s4:rpc_server: make dcesrv_process_ncacn_packet() static
new e3c1c20 CVE-2015-5370: s4:rpc_server: add infrastructure to terminate a connection after a response
new 75d9b58 CVE-2015-5370: s4:rpc_server: verify the protocol headers before processing pdus
new 503d08d CVE-2015-5370: s4:rpc_server: ensure that the message ordering doesn't violate the spec
new af03332e CVE-2015-5370: s4:rpc_server: maintain in and out struct dcerpc_auth per dcesrv_call_state
new e365d16 CVE-2015-5370: s4:rpc_server: make sure alter_context and auth3 can't change auth_{type,level,context_id}
new e3775db CVE-2015-5370: s4:rpc_server: let invalid request fragments disconnect the connection with a protocol error
new bf333e9 CVE-2015-5370: s4:rpc_server: remove pointless dcesrv_find_context() from dcesrv_bind()
new cace627 CVE-2015-5370: s4:rpc_server: don't derefence an empty ctx_list array in dcesrv_alter()
new 3d075a4 CVE-2015-5370: s4:rpc_server: changing an existing presentation context via alter_context is a protocol error
new 9e86b09 CVE-2015-5370: s4:rpc_server: fix the order of error checking in dcesrv_alter()
new 6a9b4ca CVE-2015-5370: s4:rpc_server: failing authentication should generate a SEC_PKG_ERROR
new a3008ec CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
new d7af609 CVE-2015-5370: s4:rpc_server: disconnect after a failing dcesrv_auth_request()
new 74347a4 CVE-2015-5370: s4:rpc_server: give the correct reject reasons for invalid auth_level values
new d1ffe41 CVE-2015-5370: s4:rpc_server: check frag_length for requests
new 2fd10be CVE-2015-5370: s4:rpc_server: limit allocation and alloc_hint to 4 MByte
new 9625f91 CVE-2015-5370: s4:rpc_server: only allow one fragmented call_id at a time
new 7e682ed CVE-2015-5370: s4:rpc_server: the assoc_group is relative to the connection (association)
new ddd4d03 CVE-2015-5370: s4:rpc_server: reject DCERPC_PFC_FLAG_PENDING_CANCEL with DCERPC_FAULT_NO_CALL_ACTIVE
new b1b538a CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length == 0 in dcerpc_pull_auth_trailer()
new dd2c270 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
new 569781f CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
new dfab482 CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
new 654d8a5 CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
new f4ef85f CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
new 5c495ab CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
new 4c51c89 CVE-2015-5370: s3:rpc_server: make use of dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
new 8c7d8c8 CVE-2015-5370: s3:rpc_server: let a failing sec_verification_trailer mark the connection as broken
new 56014f6 CVE-2015-5370: s3:rpc_server: just call pipe_auth_generic_bind() in api_pipe_bind_req()
new e6cdac4 CVE-2015-5370: s3:rpc_server: don't ignore failures of dcerpc_push_ncacn_packet()
new 087b363 CVE-2015-5370: s3:rpc_server: don't allow auth3 if the authentication was already finished
new bf4a716 CVE-2015-5370: s3:rpc_server: let a failing auth3 mark the authentication as invalid
new 198ecf4 CVE-2015-5370: s3:rpc_server: make sure auth_level isn't changed by alter_context or auth3
new 5148a26 CVE-2015-5370: s3:rpc_server: ensure that the message ordering doesn't violate the spec
new 218bd4a CVE-2015-5370: s3:rpc_server: use 'alter' instead of 'bind' for variables in api_pipe_alter_context()
new d2c964f CVE-2015-5370: s3:rpc_server: verify presentation context arrays
new 6456408 CVE-2015-5370: s3:rpc_server: make use of dcerpc_verify_ncacn_packet_header() to verify incoming pdus
new 9c2592f CVE-2015-5370: s3:rpc_server: disconnect the connection after a fatal FAULT pdu
new a9c46e8 CVE-2015-5370: s3:rpc_server: let a failing BIND mark the connection as broken
new 5cfe5ec CVE-2015-5370: s3:rpc_server: use DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
new 7b902c3 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
new 6fd2714 CVE-2015-5370: s3:rpc_server: check the transfer syntax in check_bind_req() first
new e84519d CVE-2015-5370: s3:rpc_server: don't allow an existing context to be changed in check_bind_req()
new 57d5a84 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
new 6d509e3 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
new a3fc86d CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
new a663ad5 CVE-2015-5370: s3:rpc_server: make use of pipe_auth_data->auth_context_id
new 518f8bb CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
new 49379e4 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
new 97a0811 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
new b65429f CVE-2015-5370: s3:rpc_server: verify auth_context_id in api_pipe_{bind_auth3,alter_context}
new 45a2445 CVE-2015-5370: libcli/smb: use a max timeout of 1 second in tstream_smbXcli_np_destructor()
new 4a496d3 CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
new 9d953e2 CVE-2015-5370: s4:librpc/rpc: call dcerpc_connection_dead() on protocol errors
new 78b84d5 CVE-2015-5370: python/samba/tests: add infrastructure to do raw protocol tests for DCERPC
new 2c6f01d CVE-2015-5370: python/samba/tests: add some dcerpc raw_protocol tests
new 13e3e81 CVE-2015-5370: s4:selftest: run samba.tests.dcerpc.raw_protocol against ad_dc
new bd94b86 WHATSNEW: Add release notes for Samba 4.4.1.
new c8180d1 VERSION: Disable git snapshots for the 4.4.1 release.
new bfc9525 VERSION: Bump version up to 4.4.2...
new 87fb3b8 s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5
new 370b3dd WHATSNEW: Add release notes for Samba 4.4.2.
new 71de921 VERSION: Disable git snapshots for the 4.4.2 release.
new ecc3685 Imported Upstream version 4.4.2+dfsg
The 330 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 550 ++++
auth/credentials/credentials.h | 5 +-
auth/credentials/credentials_ntlm.c | 12 +-
auth/gensec/gensec.c | 113 +-
auth/gensec/gensec.h | 4 +
auth/gensec/gensec_internal.h | 7 +
auth/gensec/gensec_start.c | 18 +-
auth/gensec/schannel.c | 22 +-
auth/gensec/spnego.c | 289 ++-
auth/ntlmssp/gensec_ntlmssp.c | 9 +
auth/ntlmssp/gensec_ntlmssp_server.c | 44 +-
auth/ntlmssp/ntlmssp.c | 91 +-
auth/ntlmssp/ntlmssp.h | 17 +
auth/ntlmssp/ntlmssp_client.c | 513 +++-
auth/ntlmssp/ntlmssp_ndr.c | 1 +
auth/ntlmssp/ntlmssp_private.h | 10 +-
auth/ntlmssp/ntlmssp_server.c | 424 +++-
auth/ntlmssp/ntlmssp_sign.c | 103 +-
auth/ntlmssp/ntlmssp_util.c | 176 +-
auth/ntlmssp/wscript_build | 2 +-
.../ldap/ldapserverrequirestrongauth.xml | 26 +
.../smbdotconf/protocol/clientipcmaxprotocol.xml | 29 +
.../smbdotconf/protocol/clientipcminprotocol.xml | 29 +
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml | 9 +-
docs-xml/smbdotconf/protocol/clientminprotocol.xml | 6 +
docs-xml/smbdotconf/protocol/clientusespnego.xml | 5 +
.../security/allowdcerpcauthlevelconnect.xml | 27 +
docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +
docs-xml/smbdotconf/security/clientsigning.xml | 12 +-
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 19 +
docs-xml/smbdotconf/security/serversigning.xml | 2 +-
docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 +
docs/manpages/cifsdd.8 | 4 +-
docs/manpages/dbwrap_tool.1 | 4 +-
docs/manpages/eventlogadm.8 | 4 +-
docs/manpages/findsmb.1 | 4 +-
docs/manpages/idmap_ad.8 | 4 +-
docs/manpages/idmap_autorid.8 | 4 +-
docs/manpages/idmap_hash.8 | 4 +-
docs/manpages/idmap_ldap.8 | 4 +-
docs/manpages/idmap_nss.8 | 4 +-
docs/manpages/idmap_rfc2307.8 | 4 +-
docs/manpages/idmap_rid.8 | 4 +-
docs/manpages/idmap_script.8 | 4 +-
docs/manpages/idmap_tdb.8 | 4 +-
docs/manpages/idmap_tdb2.8 | 4 +-
docs/manpages/libsmbclient.7 | 4 +-
docs/manpages/lmhosts.5 | 4 +-
docs/manpages/log2pcap.1 | 4 +-
docs/manpages/net.8 | 4 +-
docs/manpages/nmbd.8 | 4 +-
docs/manpages/nmblookup.1 | 4 +-
docs/manpages/ntlm_auth.1 | 4 +-
docs/manpages/pam_winbind.8 | 4 +-
docs/manpages/pam_winbind.conf.5 | 4 +-
docs/manpages/pdbedit.8 | 4 +-
docs/manpages/profiles.1 | 4 +-
docs/manpages/rpcclient.1 | 4 +-
docs/manpages/samba-regedit.8 | 4 +-
docs/manpages/samba-tool.8 | 4 +-
docs/manpages/samba.7 | 4 +-
docs/manpages/samba.8 | 4 +-
docs/manpages/sharesec.1 | 4 +-
docs/manpages/smb.conf.5 | 227 +-
docs/manpages/smbcacls.1 | 4 +-
docs/manpages/smbclient.1 | 4 +-
docs/manpages/smbcontrol.1 | 4 +-
docs/manpages/smbcquotas.1 | 4 +-
docs/manpages/smbd.8 | 4 +-
docs/manpages/smbget.1 | 4 +-
docs/manpages/smbgetrc.5 | 4 +-
docs/manpages/smbpasswd.5 | 4 +-
docs/manpages/smbpasswd.8 | 4 +-
docs/manpages/smbspool.8 | 4 +-
docs/manpages/smbspool_krb5_wrapper.8 | 4 +-
docs/manpages/smbstatus.1 | 4 +-
docs/manpages/smbtar.1 | 4 +-
docs/manpages/smbtree.1 | 4 +-
docs/manpages/testparm.1 | 4 +-
docs/manpages/vfs_acl_tdb.8 | 4 +-
docs/manpages/vfs_acl_xattr.8 | 4 +-
docs/manpages/vfs_aio_fork.8 | 4 +-
docs/manpages/vfs_aio_linux.8 | 4 +-
docs/manpages/vfs_aio_pthread.8 | 4 +-
docs/manpages/vfs_audit.8 | 4 +-
docs/manpages/vfs_btrfs.8 | 4 +-
docs/manpages/vfs_cacheprime.8 | 4 +-
docs/manpages/vfs_cap.8 | 4 +-
docs/manpages/vfs_catia.8 | 4 +-
docs/manpages/vfs_ceph.8 | 4 +-
docs/manpages/vfs_commit.8 | 4 +-
docs/manpages/vfs_crossrename.8 | 4 +-
docs/manpages/vfs_default_quota.8 | 4 +-
docs/manpages/vfs_dirsort.8 | 4 +-
docs/manpages/vfs_extd_audit.8 | 4 +-
docs/manpages/vfs_fake_perms.8 | 4 +-
docs/manpages/vfs_fileid.8 | 4 +-
docs/manpages/vfs_fruit.8 | 4 +-
docs/manpages/vfs_full_audit.8 | 4 +-
docs/manpages/vfs_glusterfs.8 | 4 +-
docs/manpages/vfs_gpfs.8 | 4 +-
docs/manpages/vfs_linux_xfs_sgid.8 | 4 +-
docs/manpages/vfs_media_harmony.8 | 4 +-
docs/manpages/vfs_netatalk.8 | 4 +-
docs/manpages/vfs_offline.8 | 4 +-
docs/manpages/vfs_prealloc.8 | 4 +-
docs/manpages/vfs_preopen.8 | 4 +-
docs/manpages/vfs_readahead.8 | 4 +-
docs/manpages/vfs_readonly.8 | 4 +-
docs/manpages/vfs_recycle.8 | 4 +-
docs/manpages/vfs_shadow_copy.8 | 4 +-
docs/manpages/vfs_shadow_copy2.8 | 4 +-
docs/manpages/vfs_shell_snap.8 | 4 +-
docs/manpages/vfs_snapper.8 | 4 +-
docs/manpages/vfs_streams_depot.8 | 4 +-
docs/manpages/vfs_streams_xattr.8 | 4 +-
docs/manpages/vfs_syncops.8 | 4 +-
docs/manpages/vfs_time_audit.8 | 4 +-
docs/manpages/vfs_tsmsm.8 | 4 +-
docs/manpages/vfs_unityed_media.8 | 4 +-
docs/manpages/vfs_worm.8 | 4 +-
docs/manpages/vfs_xattr_tdb.8 | 4 +-
docs/manpages/vfs_zfsacl.8 | 4 +-
docs/manpages/vfstest.1 | 4 +-
docs/manpages/wbinfo.1 | 4 +-
docs/manpages/winbind_krb5_locator.7 | 4 +-
docs/manpages/winbindd.8 | 4 +-
lib/param/loadparm.c | 47 +-
lib/param/loadparm.h | 6 +
lib/param/param_table.c | 27 +
lib/util/util_net.c | 247 +-
lib/util/util_net.h | 1 +
libcli/auth/proto.h | 6 +
libcli/auth/smbencrypt.c | 170 +-
libcli/auth/spnego.h | 8 +-
libcli/auth/spnego_parse.c | 5 +-
libcli/smb/smbXcli_base.c | 1 +
libcli/smb/smb_constants.h | 1 +
libcli/smb/smb_signing.c | 4 +
libcli/smb/tstream_smbXcli_np.c | 4 +
librpc/idl/dcerpc.idl | 15 +-
librpc/idl/epmapper.idl | 2 +-
librpc/idl/ntlmssp.idl | 48 +-
librpc/idl/security.idl | 9 +
librpc/ndr/ndr_ntlmssp.c | 16 +
librpc/ndr/ndr_ntlmssp.h | 2 +
librpc/rpc/binding.c | 2 +-
librpc/rpc/dcerpc_error.c | 6 +-
librpc/rpc/dcerpc_util.c | 141 +-
librpc/rpc/rpc_common.h | 9 +-
nsswitch/libwbclient/wbc_pam.c | 21 +-
nsswitch/winbind_struct_protocol.h | 1 +
python/samba/tests/__init__.py | 525 ++++
python/samba/tests/dcerpc/dnsserver.py | 2 +-
python/samba/tests/dcerpc/raw_protocol.py | 2623 ++++++++++++++++++++
selftest/knownfail | 28 +
.../DC-addc.addom.samba.example.com-S02-cert.pem | 191 ++
.../DC-addc.addom.samba.example.com-S02-key.pem | 54 +
...DC-addc.addom.samba.example.com-S02-openssl.cnf | 250 ++
...ddc.addom.samba.example.com-S02-private-key.pem | 51 +
.../DC-addc.addom.samba.example.com-S02-req.pem | 30 +
.../DC-addc.addom.samba.example.com-cert.pem | 1 +
...DC-addc.addom.samba.example.com-private-key.pem | 1 +
.../DC-localdc.samba.example.com-S00-cert.pem | 190 ++
.../DC-localdc.samba.example.com-S00-key.pem | 54 +
.../DC-localdc.samba.example.com-S00-openssl.cnf | 250 ++
...C-localdc.samba.example.com-S00-private-key.pem | 51 +
.../DC-localdc.samba.example.com-S00-req.pem | 30 +
.../DC-localdc.samba.example.com-cert.pem | 1 +
.../DC-localdc.samba.example.com-private-key.pem | 1 +
.../manage-ca/CA-samba.example.com/NewCerts/00.pem | 190 ++
.../manage-ca/CA-samba.example.com/NewCerts/01.pem | 169 ++
.../manage-ca/CA-samba.example.com/NewCerts/02.pem | 191 ++
.../manage-ca/CA-samba.example.com/NewCerts/03.pem | 169 ++
.../Private/CA-samba.example.com-crlnumber.txt | 1 +
.../Private/CA-samba.example.com-crlnumber.txt.old | 1 +
.../Private/CA-samba.example.com-index.txt | 4 +
.../Private/CA-samba.example.com-index.txt.attr | 1 +
.../CA-samba.example.com-index.txt.attr.old | 1 +
.../Private/CA-samba.example.com-index.txt.old | 3 +
.../Private/CA-samba.example.com-openssl.cnf | 203 ++
.../Private/CA-samba.example.com-private-key.pem | 102 +
.../Private/CA-samba.example.com-serial.txt | 1 +
.../Private/CA-samba.example.com-serial.txt.old | 1 +
.../Public/CA-samba.example.com-cert.pem | 62 +
.../Public/CA-samba.example.com-crl.pem | 32 +
...inistrator@addom.samba.example.com-S03-cert.pem | 169 ++
...ministrator@addom.samba.example.com-S03-key.pem | 30 +
...strator@addom.samba.example.com-S03-openssl.cnf | 242 ++
...tor@addom.samba.example.com-S03-private-key.pem | 27 +
...ministrator@addom.samba.example.com-S03-req.pem | 19 +
...-administrator@addom.samba.example.com-cert.pem | 1 +
...strator@addom.samba.example.com-private-key.pem | 1 +
...ER-administrator@samba.example.com-S01-cert.pem | 169 ++
...SER-administrator@samba.example.com-S01-key.pem | 30 +
...administrator@samba.example.com-S01-openssl.cnf | 242 ++
...nistrator@samba.example.com-S01-private-key.pem | 27 +
...SER-administrator@samba.example.com-S01-req.pem | 19 +
.../USER-administrator@samba.example.com-cert.pem | 1 +
...administrator@samba.example.com-private-key.pem | 1 +
selftest/manage-ca/manage-CA-samba.example.com.cnf | 21 +
selftest/manage-ca/manage-CA-samba.example.com.sh | 18 +
selftest/manage-ca/manage-ca.sh | 387 +++
.../manage-CA-example.com.cnf | 17 +
.../openssl-BASE-template.cnf | 201 ++
.../manage-ca.templates.d/openssl-CA-template.cnf | 2 +
.../manage-ca.templates.d/openssl-DC-template.cnf | 49 +
.../openssl-USER-template.cnf | 41 +
selftest/selftest.pl | 40 +
selftest/target/Samba.pm | 105 +
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 232 +-
source3/auth/auth_domain.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 15 +
source3/include/auth_generic.h | 7 +-
source3/include/proto.h | 48 +-
source3/lib/netapi/cm.c | 2 +-
source3/libads/ads_proto.h | 1 -
source3/libads/ldap.c | 134 -
source3/libads/sasl.c | 671 ++---
source3/libnet/libnet_join.c | 6 +-
source3/librpc/crypto/gse.c | 81 +-
source3/librpc/rpc/dcerpc.h | 10 +-
source3/librpc/rpc/dcerpc_helpers.c | 98 +-
source3/libsmb/auth_generic.c | 51 +-
source3/libsmb/cliconnect.c | 669 ++---
source3/libsmb/clientgen.c | 9 +
source3/libsmb/clispnego.c | 282 ---
source3/libsmb/ntlmssp.c | 765 ------
source3/libsmb/ntlmssp_wrap.c | 135 -
source3/libsmb/passchange.c | 7 +-
source3/param/loadparm.c | 43 +-
source3/rpc_client/cli_pipe.c | 314 ++-
source3/rpc_server/netlogon/srv_netlog_nt.c | 57 +-
source3/rpc_server/rpc_handles.c | 1 +
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 11 +
source3/rpc_server/rpc_server.c | 12 +
source3/rpc_server/samr/srv_samr_nt.c | 21 +-
source3/rpc_server/srv_pipe.c | 494 ++--
source3/rpcclient/rpcclient.c | 5 +-
source3/script/tests/test_ntlm_auth_s3.sh | 2 +
source3/script/tests/test_rpcclient_samlogon.sh | 11 +-
source3/script/tests/test_smbclient_auth.sh | 11 +
source3/selftest/tests.py | 7 +-
source3/smbd/negprot.c | 6 +-
source3/smbd/sesssetup.c | 4 +-
source3/smbd/smb2_negprot.c | 10 +-
source3/smbd/smb2_sesssetup.c | 3 +-
source3/torture/test_ntlm_auth.py | 553 +++--
source3/utils/net_ads.c | 2 +-
source3/utils/net_rpc.c | 2 +-
source3/utils/net_util.c | 2 +-
source3/utils/ntlm_auth.c | 803 +-----
source3/winbindd/winbindd_ccache_access.c | 44 +-
source3/winbindd/winbindd_cm.c | 6 +-
source3/wscript_build | 10 +-
source4/auth/gensec/pygensec.c | 83 +
source4/auth/ntlm/auth_util.c | 4 +-
source4/ldap_server/ldap_bind.c | 50 +-
source4/ldap_server/ldap_server.c | 6 +
source4/ldap_server/ldap_server.h | 2 +
source4/lib/tls/tls.h | 23 +
source4/lib/tls/tls_tstream.c | 249 ++
source4/lib/tls/tlscert.c | 18 +-
source4/lib/tls/wscript | 5 +
source4/libcli/cliconnect.c | 2 +-
source4/libcli/ldap/ldap_bind.c | 62 +-
source4/libcli/ldap/ldap_client.c | 9 +-
source4/libcli/raw/libcliraw.h | 1 +
source4/libcli/raw/rawnegotiate.c | 11 +-
source4/libcli/smb2/connect.c | 7 +-
source4/libcli/smb_composite/connect.c | 1 +
source4/libcli/smb_composite/sesssetup.c | 35 +-
source4/librpc/rpc/dcerpc.c | 351 ++-
source4/librpc/rpc/dcerpc.h | 14 +-
source4/librpc/rpc/dcerpc_auth.c | 93 +-
source4/librpc/rpc/dcerpc_connect.c | 22 +
source4/librpc/rpc/dcerpc_roh.c | 13 +-
source4/librpc/rpc/dcerpc_util.c | 22 +-
source4/param/loadparm.c | 3 +-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 13 +-
.../backupkey/dcesrv_backupkey_heimdal.c | 12 +-
source4/rpc_server/common/reply.c | 49 +-
source4/rpc_server/dcerpc_server.c | 812 ++++--
source4/rpc_server/dcerpc_server.h | 57 +-
source4/rpc_server/dcesrv_auth.c | 261 +-
source4/rpc_server/dcesrv_mgmt.c | 8 +
source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 +
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 8 +
source4/rpc_server/echo/rpc_echo.c | 7 +
source4/rpc_server/epmapper/rpc_epmapper.c | 8 +
source4/rpc_server/handles.c | 8 +-
source4/rpc_server/lsa/dcesrv_lsa.c | 8 +
source4/rpc_server/lsa/lsa_lookup.c | 12 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 46 +-
source4/rpc_server/remote/dcesrv_remote.c | 8 +-
source4/rpc_server/samr/dcesrv_samr.c | 12 +
source4/rpc_server/samr/samr_password.c | 25 +-
source4/selftest/tests.py | 75 +-
source4/smb_server/smb/negprot.c | 6 +-
source4/smb_server/smb/sesssetup.c | 10 +
source4/smb_server/smb2/negprot.c | 7 +-
source4/smb_server/smb2/sesssetup.c | 8 -
source4/torture/basic/base.c | 20 +-
source4/torture/ndr/ntlmssp.c | 183 +-
source4/torture/raw/samba3misc.c | 7 +
source4/torture/rpc/backupkey.c | 19 +-
source4/torture/rpc/backupkey_heimdal.c | 19 +-
source4/torture/rpc/forest_trust.c | 12 +-
source4/torture/rpc/lsa.c | 14 +-
source4/torture/rpc/netlogon.c | 101 +-
source4/torture/rpc/netlogon.h | 7 +
source4/torture/rpc/remote_pac.c | 39 +-
source4/torture/rpc/samba3rpc.c | 61 +-
source4/torture/rpc/samlogon.c | 3 +-
source4/torture/rpc/samr.c | 4 +-
source4/torture/rpc/schannel.c | 29 +-
source4/torture/rpc/testjoin.c | 35 +-
testprogs/blackbox/test_ldb_simple.sh | 41 +
wscript_configure_system_mitkrb5 | 4 +-
324 files changed, 15251 insertions(+), 4947 deletions(-)
create mode 100644 docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcmaxprotocol.xml
create mode 100644 docs-xml/smbdotconf/protocol/clientipcminprotocol.xml
create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml
create mode 100755 python/samba/tests/dcerpc/raw_protocol.py
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
create mode 100644 selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem
create mode 100644 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem
create mode 120000 selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.cnf
create mode 100644 selftest/manage-ca/manage-CA-samba.example.com.sh
create mode 100755 selftest/manage-ca/manage-ca.sh
create mode 100644 selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
create mode 100644 selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
delete mode 100644 source3/libsmb/ntlmssp.c
delete mode 100644 source3/libsmb/ntlmssp_wrap.c
create mode 100755 testprogs/blackbox/test_ldb_simple.sh
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git