[Pkg-samba-maint] [Git][samba-team/samba][master] 69 commits: VERSION: Bump version up to Samba 4.20.3...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Fri Aug 2 16:51:38 BST 2024
Michael Tokarev pushed to branch master at Debian Samba Team / samba
Commits:
eeae9fe4 by Jule Anger at 2024-06-19T16:19:36+02:00
VERSION: Bump version up to Samba 4.20.3...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
4e57b8a5 by Andrew Bartlett at 2024-07-03T08:49:13+00:00
dsdb: Reduce minimum maxPwdAge from 1 day to nil
This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 3669479f22f2109a64250ffabd1f6453882d29f1)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
- - - - -
c1433f82 by Jo Sutton at 2024-07-03T08:49:13+00:00
tests/krb5: Fix PK-INIT test framework to allow expired password keys
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cc8f455191faacf32efc474c27e99d45ef2e024)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
- - - - -
50a417a2 by Andrew Bartlett at 2024-07-03T08:49:13+00:00
python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(backported from commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
[jsutton at samba.org Fixed conflicting import statements in
python/samba/tests/krb5/pkinit_tests.py]
- - - - -
d4c1e215 by Jo Sutton at 2024-07-03T08:49:13+00:00
tests/krb5: Allow creation of disabled accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(backported from commit 6dc6168719cf232ac2c1d747f10aad9b13300c02)
[jsutton at samba.org Fixed conflicting import statements in
python/samba/tests/krb5/kdc_base_test.py]
- - - - -
41c8a42c by Jo Sutton at 2024-07-03T08:49:13+00:00
tests/krb5: Add tests for errors produced when logging in with unusable accounts
Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f)
- - - - -
bff728a8 by Jo Sutton at 2024-07-03T10:06:32+00:00
third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)
This lets us match the Windows FAST reply when the password is expired.
Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit fe90576871b5d644b9e888fd7a0b0351feaba750)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Wed Jul 3 10:06:33 UTC 2024 on atb-devel-224
- - - - -
5531ef4d by Douglas Bagnall at 2024-07-09T08:38:11+00:00
buildtools: sanitise strange characters in vendor strings
There is no reason to think '-' and '+' are the only characters that
might sneak into a vendor string; Debian habitually use '~'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9)
- - - - -
95058b97 by Douglas Bagnall at 2024-07-09T08:38:11+00:00
build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
In practice there isn't a use for two options, and neither quite
matched what people thought they were doing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 673c8e6ca5994973e4887641c3599707a66a608c)
- - - - -
63b47dc0 by Xavi Hernandez at 2024-07-09T09:43:01+00:00
Fix starvation of pending writes in CTDB queues
CTDB uses a queue to receive requests and send answers. It works
asynchronously using the tevent framework. However there was an issue
that gave priority to the receiving side so, when a request was
processed and the answer posted to the queue, if another incoming
request arrived, it was served before sending the previous answer.
This scenario could repeat for long periods of time if the frequency of
incoming requests was high enough.
Eventually, a small time gap between incoming requests gave a chance to
process the pending output queue, sending many answers in a burst.
This patch makes sure that both queues (input and output) are processed
if the event contains the appropriate flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15678
RN: Fix unnecessary delays in CTDB while processing requests under high
load.
Signed-off-by: Xavi Hernandez <xhernandez at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Jul 1 09:17:43 UTC 2024 on atb-devel-224
(cherry picked from commit 60550fbe184a5cefa55a8f0bab508f70def7a684)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Tue Jul 9 09:43:01 UTC 2024 on atb-devel-224
- - - - -
52fc6551 by Douglas Bagnall at 2024-07-09T09:54:15+00:00
selftest: move some more expected failures to expectedfail.d
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224
(cherry picked from commit 60df2a09a4394d2b494224ad3d33314079e73066)
- - - - -
07e707c4 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
Otherwise we'll crash in a lot of places later.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8007569e9f7d374456a3fbd172a905173462eb5f)
- - - - -
5545d934 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
Without a valid loadparm_context we can't connect.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2435ab1ad7092c004df72c2cb033eb94e5bf8274)
- - - - -
39ffaf05 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8deba427e2697501f10e80a2ac0325a657635b92)
- - - - -
461f1425 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 68f6a461e1706f03007d3c5cfc68c71383b4ff28)
- - - - -
52adc59a by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: remove tstream_tls_push_trigger_write step
At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
we tested these versions:
2.4.1 -> broken
2.4.2 -> broken
2.6.0 -> broken
2.8.0 -> broken
2.8.1 -> broken
2.8.2 -> OK
2.8.3 -> OK
2.8.4 -> OK
2.8.5 -> OK
2.8.6 -> OK
2.10.0 -> broken
2.10.1 -> broken
2.10.2 -> OK
These seemed to be the fixes in gnutls upstream.
Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01
Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb
This shouldn't be a problem with recent (>= 3.6) versions of gnutls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5844ef27aa46cba3d343035ccd35b03525db9843)
- - - - -
c117f54c by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
Before the handshake or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.
Otherwise we'll have a problem if another tevent_context is used
after the handshake.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6688945fa03f4a448708f729083ea4a1cdd1ab88)
- - - - -
3e90d30b by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: assert that event contexts are not mixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ac4bca77039cbc31323fb10b3706ed959a0cbbcd)
- - - - -
0c8fd43c by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: split out tstream_tls_prepare_gnutls()
Review with: git show --patience
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 60b11645b0d1c8304eabbb2aeca8a6b5190a3a2e)
- - - - -
a55356b7 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
We require gnutls 3.6.13
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ecdd76919132430372ef04b03304fc51d6014e2f)
- - - - -
1f0e6a44 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: include a TLS server name indication in the client handshake
This is not strictly needed, but it might be useful
for load balancers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 15fb8fcc7b98c3eba8eab79b227127b4b71b096c)
- - - - -
f1ca22f5 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: split out tstream_tls_verify_peer() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3186cdce85a58451e9d5a05468029a13621128c3)
- - - - -
8989c3cd by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: add tstream_tls_params_client_lpcfg()
This will be able to simplify the callers a lot...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 604413b98a23f28288ec4af11023717a9239e0fe)
- - - - -
7a6ce2be by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b8b874ef5e40d266a54501ba4523c6af7032ca00)
- - - - -
254fa504 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 493d35a6910d9d9b70f55c2273f4e8a6c93a3bf5)
- - - - -
b2f44b81 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c200cf1b5f430f686b39df8513a6b7e3c592ed43)
- - - - -
6fec41bd by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
is only available with gnutls 3.7.2, but we still want to
support older gnutls versions and that's easily doable...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2f2af3aa8a0366e6502751415a08413bf28ba0cb)
- - - - -
20d5335d by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:lib/tls: add tstream_tls_channel_bindings()
This is based on GNUTLS_CB_TLS_SERVER_END_POINT
and is the value that is required for channel bindings
in LDAP of active directory domain controllers.
For gnutls versions before 3.7.2 we basically
copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
implementation as it only uses public gnutls functions
and it was easy to re-implement.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cbd7ce44121246167e0c8a6d905180d82df1a2ef)
- - - - -
c86e8742 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
See also:
https://github.com/heimdal/heimdal/pull/1234
https://github.com/heimdal/heimdal/pull/1238
https://github.com/heimdal/heimdal/pull/1240
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9b92cbacac11fb64cca2c4770cbdce789525b87a)
- - - - -
2668243d by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
See https://github.com/heimdal/heimdal/pull/1234 and
https://github.com/krb5/krb5/pull/1329.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 546e39a6fa122e6a40d1e62724e1712882ce3bce)
- - - - -
c41feb6c by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
auth/gensec: add gensec_set_channel_bindings() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e912ba579b1469c78ca65345ec1fe8376c74272c)
- - - - -
1219bf38 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
auth/ntlmssp: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f1d34a430d227e685e2fe983b14c74136d9c8a8e)
- - - - -
7b62c5f7 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:gensec_gssapi: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1831006b77749dda902ae4ced0a96e5f14d89adb)
- - - - -
64d4c1cd by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s3:crypto/gse: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 811d04fea7d329a7f3c8e01ac20bfad48ac9cd4f)
- - - - -
7f2e3839 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:ldap_server: add support for tls channel bindings
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6c17e3d2800723bafebd1986ab59a9422c881f0b)
- - - - -
7c6c7421 by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
We still allow 'ldap_testing:tls_channel_bindings = no' and
'ldap_testing:channel_bound = no' for testing
the old behavior in order to have expected failures in our tests.
And we have 'ldap_testing:forced_channel_binding = somestring'
in order to force invalid bindings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7acb15a53c061344ffdbd58f9b2f01f8b0233f4e)
- - - - -
ac22551d by Stefan Metzmacher at 2024-07-09T09:54:15+00:00
selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6794cc476249452c415881396bce4df663fc4fba)
- - - - -
16b430e7 by Stefan Metzmacher at 2024-07-09T10:53:40+00:00
s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 065da873296c23ef3b9051fba39be097cfff60fa)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Tue Jul 9 10:53:40 UTC 2024 on atb-devel-224
- - - - -
f4604a86 by Ralph Boehme at 2024-07-10T09:14:10+00:00
third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)
Fix clock skew error message and memory cache clock skew recovery
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676
Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Jul 5 10:02:26 UTC 2024 on atb-devel-224
(cherry picked from commit e4d6a19e49260af22bffd2a417119489719ba364)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Wed Jul 10 09:14:10 UTC 2024 on atb-devel-224
- - - - -
6b0b6d06 by Andreas Schneider at 2024-07-11T10:39:16+00:00
gitlab-ci: Also add the git directory for pipeline in the main mirror
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jul 4 08:08:49 UTC 2024 on atb-devel-224
(cherry picked from commit 93a3dd48d66786cb8765d3ce84ca9f3ad419ac88)
- - - - -
f5920cee by Pavel Filipenský at 2024-07-11T11:45:35+00:00
.gitlab-ci-main.yml: Add safe.directory '*'
This is to fix the error when pushing to personal gitlab repo:
2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba'
Cloning into '/builds/samba-testbase/master'...
fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git'
To add an exception for this directory, call:
git config --global --add safe.directory /builds/pfilipen/samba/.git
fatal: Could not read from remote repository.
Instead of adding more and more explicit repositories
we should just allow any, we're in an isolated environment...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224
(cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36)
Autobuild-User(v4-20-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-20-test): Thu Jul 11 11:45:35 UTC 2024 on atb-devel-224
- - - - -
73207ff8 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
docs-xml:manpages: allow for longer version strings
The default value (30) truncates "Samba 4.21.0pre1-DEVELOPERBUILD" to
"Samba 4.21.0pre1-DEVELOPE" in the bottom left corner of the man page.
("Samba 4.21.0pre1-DEVELOPE" is only 25 bytes long, not 30, but let's
not worry about that).
On narrow terminals (< ~75 columns) this makes it more likely that
the version string will run into the date string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15672
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 7fb38aee129789cce28ddf54bd7234f8c5f57d97)
- - - - -
5d99875b by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: '-U' does not imply secrets without '%'
We return true from this function when a secret has been erased,
and were accidentally treating as if it had secrets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15671
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f3b240da5c209a51fa43de23e8ecfea2f32bbfd5)
- - - - -
9cbb5bdd by Douglas Bagnall at 2024-07-23T07:33:12+00:00
selftest: run the cmdline tests that we already have
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f17a2b1b25f2ffa5e3caeb8f81101e66b843cc29)
- - - - -
f900e532 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:tests: extend cmdline_burn tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 05128a1f5f17c55a8d8da42c6c52c4235adf36d4)
- - - - -
25329b38 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: do not retain false memories
If argv contains a secret option without an '=' (or in the case of
"-U", the username is separated by space), we will get to the
`if (strlen(p) == ulen) { continue; }` without resetting the found
and is_user variables. This *sometimes* has the right effect, because
the next string in argv ought to contain the secret.
But in a case like {"--password", "1234567890"}, where the secret
string is the same length as the option, we *again* take that branch
and the password is not redacted, though the argument after it will be
unless it is also of the same length.
If we always set the flags at the start we avoid this. This makes
things worse in the short term for secrets that are not the same
length as their options, but we'll get to that in another commit soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 2f6020cf3dadf484251701040e09a10fba2f644e)
- - - - -
916d5bde by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: handle arguments separated from their --options
We weren't treating "--password secret" the same as "--password=secret",
which sometimes led to secrets not being redacted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 53a1184525279741e116350a9b53da15cb2f41d0)
- - - - -
1315b61e by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: always return true if burnt
Before we have been trying to cram three cases into a boolean return
value:
* cmdline had secrets, we burnt them -> true
* cmdline had no secrets, all good -> false
* cmdline has NULL string, WTF! emergency! -> false
This return value is only used by Python which wants to know whether to
go to the trouble of replacing the command line. If samba_cmdline_burn()
returns false, no action is taken.
If samba_cmdline_burn() burns a password and then hits a NULL, it would
be better not to do nothing. It would be better to crash. And that is
what Python will end up doing, by some talloc returning NULL triggering
a MemoryError.
What about the case like {"--foo", NULL, "-Ua%b"} where the secret comes
after the NULL? That will still be ignored by Python, as it is by all C
tools, but we are hoping that can't happen anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit d3d8dffc0212662456a6251baee5afd432160fa2)
- - - - -
66da2345 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: localise some variables
As this function increases in complexity, it helps to keep things close.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f5233ddf974f9649d8a12b151b6843412eab489c)
- - - - -
0d89d096 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: do not burn options starting --user-*, --password-*
We have options that start with --user or --password that we don't
want to burn. Some grepping says:
2 --user1
1 --user2
10 --user-allowed-to-authenticate-from
6 --user-allowed-to-authenticate-to
2 --user-allow-ntlm-auth
25 --user-authentication-policy
1 --user-config
4 --user-domgroups
5 --user-ext-name
2 --user-groups
6 --user-info
27 --username
1 --username2
2 --userou
1 --users
2 --user-sidinfo
6 --user-sids
14 --user-tgt-lifetime-mins
2 --password2
118 --password-file
2 --password-from-stdin
# from here, grepping for strings around POPT_ constants
5 "user"
2 "user1"
2 "user2"
1 "userd"
1 "user-domgroups"
1 "user-groups"
1 "user-info"
2 "username"
1 "user-sidinfo"
1 "user-sids"
1 passwordd
4 "password"
Not all of these use lib/cmdline, but I think most do, via Python
which defers to cmdline_burn().
Note that there are options we should burn that aren't on this list,
like --adminpass. That's another matter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 6effed31899a1be8194a851e5a4023276b8a5f38)
- - - - -
6bcdbdab by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline: test_cmdline tests more burning
We have more secret arguments, like --client-password, --adminpass,
so we are going to use an allowlist for options containing 'pass', but
we don't want to burn the likes of --group=passionfruit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit c4df89e9640c1306aa390cdacaa974c870c3f5bb)
- - - - -
481eb6ab by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: use allowlist to ensure more passwords burn
We treat any option containing 'pass' with suspicion, unless we know it
is OK.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f1fbba6dc609590854c0d7c5e72b58fabc356695)
- - - - -
8560c854 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: explicitly burn --username
This is the long form of -U in samba-tool.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit 63a83fb7bb312731047f361f89766e0be492f83e)
- - - - -
957654eb by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: add a note about short option combinations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 97be45f9ea3410392cd37eab5cfafd3ad00cfe57)
- - - - -
93d34546 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline: samba-tool test for bad option warning
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit d2b119e34b4e523a3bc6699e4d8a370bf8403d0b)
- - - - -
d6f01009 by Douglas Bagnall at 2024-07-23T07:33:12+00:00
cmdline:burn: list commands to always burn; warn on unknown
We burn arguments to all unknown options containing "pass" (e.g.
"--passionate=false") in case they are a password option, but this is bad
in the case where the unknown option takes no argument but the next
option *is* a password (like "--overpass --password2 barney"). In that
case "--password2" would be burnt and not "barney".
The burning behaviour doesn't change with this commit, but users will now
see an error message explaining that the option was unknown. This is not
so much aimed at end users -- for whom an invalid option will hopefully
lead to --help like output -- but to developers who add a new "pass"
option.
This also slightly speeds up the processing of known password options,
which is a little bit important because we are in a race to replace the
command line in /proc before an attacker sees it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Jul 10 06:28:08 UTC 2024 on atb-devel-224
(cherry picked from commit 86843685419921e28c37f3c1b33011f14940e02f)
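
The redaction rules that the cmdline:burn commit messages above describe, as a simplified model added here for illustration; it is not Samba's lib/cmdline/cmdline.c. The function names and the three option lists are assumptions, assembled from option names those messages mention. It covers "--password secret" versus "--password=secret", "-U" burning only after '%', the exemption for "--password-file", and the documented "--overpass --password2 barney" limitation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative lists built from option names in the commit messages. */
static const char *const secret_opts[] = {
	"--password", "--password2", "--client-password", "--adminpass", NULL
};
static const char *const user_opts[] = { "--username", NULL };
static const char *const safe_pass_opts[] = {
	"--password-file", "--password-from-stdin", NULL
};

enum kind { K_NONE, K_SECRET, K_USER };

/* Exact match of the n-byte option name s against a NULL-terminated list. */
static bool in_list(const char *const *list, const char *s, size_t n)
{
	for (; *list != NULL; list++) {
		if (strlen(*list) == n && strncmp(*list, s, n) == 0)
			return true;
	}
	return false;
}

/* True if the option name (the first n bytes, not the value) has "pass". */
static bool name_has_pass(const char *s, size_t n)
{
	const char *p = strstr(s, "pass");
	return p != NULL && (size_t)(p - s) + 4 <= n;
}

/* Classify one argument; *value is its attached value, or NULL if none. */
static enum kind classify(char *arg, char **value)
{
	size_t n = strcspn(arg, "=");
	*value = NULL;
	if (strncmp(arg, "--", 2) != 0) {
		if (strncmp(arg, "-U", 2) != 0)
			return K_NONE;
		if (arg[2] != '\0')
			*value = arg + 2;       /* "-Uuser%secret" */
		return K_USER;
	}
	if (arg[n] == '=')
		*value = arg + n + 1;           /* "--password=secret" */
	if (in_list(user_opts, arg, n))
		return K_USER;
	if (in_list(secret_opts, arg, n))
		return K_SECRET;
	if (in_list(safe_pass_opts, arg, n) || !name_has_pass(arg, n))
		return K_NONE;
	fprintf(stderr, "unknown option '%.*s' contains \"pass\"\n", (int)n, arg);
	return K_SECRET;                        /* fail closed and warn */
}

/* Erase secrets in argv in place; returns true if anything was erased. */
bool burn_cmdline(int argc, char *argv[])
{
	bool burnt = false;
	for (int i = 0; i < argc && argv[i] != NULL; i++) {
		char *value = NULL;
		/* Classified afresh each time: no flags survive an iteration. */
		enum kind k = classify(argv[i], &value);

		if (k == K_NONE)
			continue;
		if (value == NULL) {
			/* "--password secret": the value is the next argument. */
			if (i + 1 >= argc || argv[i + 1] == NULL)
				break;
			value = argv[++i];
		}
		if (k == K_USER) {
			/* Only "user%secret" carries a secret; keep the name. */
			value = strchr(value, '%');
			if (value == NULL)
				continue;
		}
		if (*value != '\0') {
			/* Production code needs a wipe the compiler cannot elide. */
			memset(value, 0, strlen(value));
			burnt = true;
		}
	}
	return burnt;
}

int main(void)
{
	/* Constructed sample command line. */
	char a0[] = "tool", a1[] = "--password", a2[] = "1234567890";
	char a3[] = "-U", a4[] = "alice%hunter2", a5[] = "--password-file=/x";
	char *args[] = { a0, a1, a2, a3, a4, a5, NULL };
	printf("burnt=%d\n", burn_cmdline(6, args));
	for (int i = 0; i < 6; i++)
		printf("argv[%d] = \"%s\"\n", i, args[i]);
	return 0;
}
```

Because an unknown "pass" option with no '=' consumes the next argument, "--overpass --password2 barney" erases "--password2" and leaves "barney" intact, which is why the warning on stderr matters to developers adding such options.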
- - - - -
4cf9af91 by Andreas Schneider at 2024-07-23T08:56:24+00:00
s3:printing: Allow to run samba-bgqd as a standalone systemd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15683
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
(cherry picked from commit 0a532378322661b23b3393eb2ebde29402a16e62)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Tue Jul 23 08:56:24 UTC 2024 on atb-devel-224
- - - - -
f8e50d04 by Douglas Bagnall at 2024-07-29T13:29:27+00:00
libcli:security: allow spaces after BAD:
In AD_DS_Classes_Windows_Server_v1903.ldf from
https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see
defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224
(cherry picked from commit 8903876f65d5721d30186875d391889d1ddcd52c)
Autobuild-User(v4-20-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-20-test): Mon Jul 29 13:29:27 UTC 2024 on atb-devel-224
- - - - -
47c99181 by Michael Tokarev at 2024-08-02T13:43:07+03:00
Revert "update changelog; upload version 4.20.2+dfsg-12 to unstable"
This reverts commit 717035db1eefb711d698aeb9bc0a1c9f134c06ce.
- - - - -
63a883c3 by Michael Tokarev at 2024-08-02T13:43:09+03:00
Revert "d/rules: use the same epoch number for libldb as for samba itself"
This reverts commit f47ff9bb2733c2eec12ec747fb72451013110912.
- - - - -
ae38f745 by Michael Tokarev at 2024-08-02T14:17:54+03:00
d/samba-ad-dc.lintian-overrides: add systemd-diversion override too
- - - - -
a13bed3b by Stefan Metzmacher at 2024-08-02T13:47:14+02:00
WHATSNEW: Add release notes for Samba 4.20.3.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
803665cb by Stefan Metzmacher at 2024-08-02T13:49:07+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.20.3 release.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
- - - - -
5b88b71a by Michael Tokarev at 2024-08-02T18:17:50+03:00
New upstream version 4.20.3+dfsg
- - - - -
85478db3 by Michael Tokarev at 2024-08-02T18:18:01+03:00
Update upstream source from tag 'upstream/4.20.3+dfsg'
Update to upstream version '4.20.3+dfsg'
with Debian dir 48ef9a280e969199004fee7703a2983fe5f7e236
- - - - -
6763d663 by Michael Tokarev at 2024-08-02T18:21:54+03:00
d/rules: s/vendor-name/vendor-suffix/
- - - - -
386c8f41 by Michael Tokarev at 2024-08-02T18:29:14+03:00
d/*.symbols: add new variant of version marks (with underscore)
- - - - -
300b84ad by Michael Tokarev at 2024-08-02T18:33:45+03:00
tilde-in-version.diff: remove (not needed anymore)
- - - - -
a0650673 by Michael Tokarev at 2024-08-02T18:33:58+03:00
update changelog; upload version 4.20.3+dfsg-1 to unstable
- - - - -
30 changed files:
- .gitlab-ci-main.yml
- VERSION
- WHATSNEW.txt
- auth/gensec/gensec.c
- auth/gensec/gensec.h
- auth/gensec/gensec_internal.h
- auth/gensec/gensec_start.c
- auth/ntlmssp/ntlmssp_client.c
- auth/ntlmssp/ntlmssp_private.h
- auth/ntlmssp/ntlmssp_server.c
- auth/ntlmssp/ntlmssp_util.c
- buildtools/wafsamba/samba_abi.py
- ctdb/common/ctdb_io.c
- debian/changelog
- debian/libldb2.symbols
- debian/libsmbclient0.symbols
- debian/libwbclient0.symbols
- debian/patches/series
- − debian/patches/tilde-in-version.diff
- debian/rules
- debian/samba-ad-dc.lintian-overrides
- debian/samba-libs.symbols
- docs-xml/smbdotconf/ldap/ldapserverrequirestrongauth.xml
- docs-xml/xslt/man.xsl
- lib/cmdline/cmdline.c
- lib/cmdline/tests/test_cmdline.c
- lib/crypto/gnutls_helpers.h
- + lib/crypto/gnutls_server_end_point_cb.c
- lib/crypto/wscript
- lib/ldb-samba/ldb_ildap.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/717035db1eefb711d698aeb9bc0a1c9f134c06ce...a0650673209bddccc54cb0e60ea014e3dc9721b0