[Pkg-samba-maint] [Git][samba-team/samba][debian_4.19] 102 commits: VERSION: Bump version up to Samba 4.19.8...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Sat Aug 17 11:56:02 BST 2024



Michael Tokarev pushed to branch debian_4.19 at Debian Samba Team / samba


Commits:
6875787d by Jule Anger at 2024-06-10T17:26:01+02:00
VERSION: Bump version up to Samba 4.19.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
fecc211a by Stefan Metzmacher at 2024-07-03T08:36:32+00:00
BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs

This should have been in commit:
6ca4df6374136d1d205de689618dc8fce5177d14

Signed-off-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(v4-19-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-19-test): Wed Jul  3 08:36:32 UTC 2024 on atb-devel-224

- - - - -
1c807412 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: generate a real signature in bad_sign_packet()

We just destroy the signature bytes but keep the header unchanged.

This makes it easier to look at it in wireshark.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae23d512a724650ae2de1178ac43deff8266aa56)

- - - - -
1800543b by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c594cbad4af97031bb7b5b0eb2fb228b00acf646)

- - - - -
313ca15a by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: let dns_transaction_tcp() handle short receives

With socket_wrapper we only get 1500 byte chunks...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c741d0f3969abe821e8ee2a10f848159eb2749fe)

- - - - -
606b7034 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: add self.assert_echoed_dns_error()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce591464cb12ab00a5d5752a7cea5f909c3c3f1b)

- - - - -
fdac5897 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: make use of self.assert_echoed_dns_error()

Failed DNS updates just echo the request flagged as response,
all other elements are unchanged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6e997f93d53ac45af79aec030bad73f51bdc5629)

- - - - -
b1222378 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f8dfa9b33bdedffbe2e3b6e229ffae4beb3c712e)

- - - - -
a086e96f by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: let tkey_trans() take tkey_req_in_answers

It's possible to put the additional into the answers section,
so we should be able to test that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cd747307d845f3cff723a7916aeeb31458f19202)

- - - - -
48be174b by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: pass tkey_trans(expected_rcode)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 27d92fa808c6617353c36fdb230504e880f4925b)

- - - - -
2741574e by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1b1e7e06cf6ebd283de73c351267d53b42663d2f)

- - - - -
16c21888 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: maintain a dict with tkey related state

This will allow tests to backup the whole state
and mix them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b0af60e7850e656ef98edeac657c66b853080dab)

- - - - -
e120078e by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 740bda87a80b97816d892e8f7aae28759f6916ec)

- - - - -
f984b281 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()

Also test using the additional record in the answers section.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3c7cb85eaf8371be55a371601cc354440dab7a94)

- - - - -
eb18b228 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: add gss.microsoft.com tsig updates

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b9b03ca503c43c7ee06df6c331839bd47f9eac8c)

- - - - -
4bc0619b by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: test bad and changing tsig algorithms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit de4ed363d378f2065a4634f94af80ea0e3965c96)

- - - - -
4d4b39c1 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: let verify_packet() work against Windows

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8324d0739dfdd0a081c403e298a9038ee7df681f)

- - - - -
0ee7660f by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 848318338b2972f331e067bf1c8d6c7dac0748c8)

- - - - -
e50968ed by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_base: add get_unpriv_creds() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 88457da00d4110b419f7a7ccabcd542fa77e463f)

- - - - -
d5c6276f by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 753428a3b6c488c4aacea04d2ddb9ea73244695a)

- - - - -
4a7d14ef by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
python:tests/dns_tkey: add test_update_tsig_record_access_denied()

This demonstrates that access_denied is only generated if the client
really generates a change in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 708a6fae6978e1462e1a53f4ee08f11b51a5637a)

- - - - -
662c4675 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a56627b0d125ef7b456bebe307087f324f1f0422)

- - - - -
234503e2 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250)

- - - - -
cbf10a68 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)

- - - - -
7a457c68 by Stefan Metzmacher at 2024-07-03T08:48:11+00:00
s4:dns_server: use the client provided algorithm for the fake TSIG structure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bd0235cd515d5602ed9501bfc810a2487364ea10)

- - - - -
288744a7 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae7538af04435658d2ba6dcab109beecb6c5f13e)

- - - - -
c7188e17 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7)

- - - - -
6d3d87ba by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:dns_server: dns_verify_tsig should return REFUSED on error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)

- - - - -
c29dc6e7 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:dns_server: correctly sign dns update responses with gss-tsig like Windows

This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is the only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 76fec2668e73b9d15447abee551d5c04148aaf27)

- - - - -
fd586087 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

(cherry picked from commit ed61c57e02309b738e73fb12877a0a565b627724)

- - - - -
6c86b519 by Noel Power at 2024-07-03T08:48:12+00:00
selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
(cherry picked from commit 7f1de90f72d6e8287aec6ab1d9f7776b7df624e5)

[noel.power at suse.com backported to Samba 4.19 changed knownfails because
  test_ci_chdir doesn't fail in 4.19 but test_enumerate_dfs_link does]

- - - - -
dfa0b1ad by Noel Power at 2024-07-03T08:48:12+00:00
s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

(cherry picked from commit 788ef8f07c75d5e6eca5b8f18d93d96f31574267)
[noel.power at suse.com backported to Samba 4.19 changed test of errno
    after return from widelink_openat to ENOENT because ELOOP isn't set
    for msdfs links in 4.19, ENOENT is set instead. Also minor change
    to use 4.19 create_open_symlink_err fn instead of read_symlink_reparse]

- - - - -
7e076141 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:include: let nameserv.h be useable on its own

A lot of stuff is private to nmbd and can
be moved from nameserv.h.

This allows moving required types from smb.h to
nameserv.h, so that this can be standalone.
Including it from smb.h is not a huge problem
as nmbd internals are gone from nameserv.h.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7f96c21029e3b94d38bd871c79cabf872ad77fae)

- - - - -
39789dce by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:include: split out fstring.h

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 105247c90007474947e2314b63be72fb21f09811)

- - - - -
5de4ae88 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:wscript: LIBNMB requires lp_ functions

We need to make this explicit in order to let LIBNMB be used
in source4 code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 011f68ae5ddc3fae8b453744aeb95766d885915e)

- - - - -
8c06b437 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:libsmb/unexpected: don't use talloc_tos() in async code

It's not needed and it requires the caller to set up a
stackframe...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f90cf0822d6e66426d72f92bd585119066e2a9c3)

- - - - -
8b39131d by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()

This will allow source4/nbt_server to make use of
nb_packet_server_create().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 696505a1efbcc9803a287d8c267fed9d04bf8885)

- - - - -
12a6060e by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL

In 2024 we always want an active directory response...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42)

- - - - -
e2cec0d2 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
libcli/nbt: add nbt_name_send_raw()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cca373b806e01fc57bd5316d3f8a17578b4b6531)

- - - - -
1d766f29 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8)

- - - - -
a308204a by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:libcli/dgram: make use of socket_address_copy()

This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2)

- - - - -
9a9dc998 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1)

- - - - -
7ccbbb4b by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:nbt_server: simulate nmbd and provide unexpected handling

This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
a NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f)

- - - - -
80655e22 by Andrew Bartlett at 2024-07-03T08:48:12+00:00
build: Add --vendor-name --vendor-patch-revision options to ./configure

These options are for packagers and vendors to set so that when
Samba developers are debugging an issue, we know exactly which
package is in use, and so have an idea if any patches have been
applied.

This is included in the string that a Samba backtrace gives,
as part of the PANIC message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654
REF: https://lists.samba.org/archive/samba-technical/2024-May/138992.html

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 651fb94c374c7f84405d960a9e0a0fd7fcb285dd)

- - - - -
f525d2fe by Andrew Bartlett at 2024-07-03T08:48:12+00:00
script/autobuild.py: Add test for --vendor-name and --vendor-patch-revision

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15654

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

RN: We have added new options --vendor-name and --vendor-patch-revision arguments
to ./configure to allow distributions and packagers to put their name in the Samba
version string so that when debugging Samba the source of the binary is obvious.

[abartlet at samba.org adapted to 4.20 still having the separate LDB build system
 from commit 72112d4814eb3872016c1168c477531be835a1f9]

- - - - -
1af40f29 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
(cherry picked from commit 372476aeb003e9c608cd2c0a78a9c577b57ba8f4)

- - - - -
ac5efd03 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send

If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224

(cherry picked from commit 462b74da79c51f9ba6dbd24e603aa904485d5123)

- - - - -
0597a2a6 by Günther Deschner at 2024-07-03T08:48:12+00:00
ctdb/ceph: Add optional namespace support for mutex helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

RADOS objects within a pool can be associated to a namespace for
logical separation. librados already provides an API to configure
such a namespace with respect to a context. Make use of it as an
optional argument to the helper binary.

Pair-Programmed-With: Anoop C S <anoopcs at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>
(cherry picked from commit d8c52995f68fe088dd2174562faee69ed1c95edd)

- - - - -
28fbc8ff by Günther Deschner at 2024-07-03T08:48:12+00:00
ctdb/docs: Include ceph rados namespace support in man page

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15665

Document the new optional argument to specify the namespace to be
associated with RADOS objects in a pool.

Pair-Programmed-With: Anoop C S <anoopcs at samba.org>
Signed-off-by: Günther Deschner <gd at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Reviewed-by: David Disseldorp <ddiss at samba.org>

Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224

(cherry picked from commit 35f6c3f3d4a5521e6576fcc0dd7dd3bbcea041b2)

- - - - -
bfe5ad43 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit cda8beea45303a77080c64bb2391d22c59672deb)

- - - - -
b79e3492 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit db2c576f329675e8d66e19c336fe04ccba918b4a)

- - - - -
20fcb8f8 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c715ac5e496ddde119212d3b880ff0e68c2da67b)

- - - - -
b3519d06 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit eeb60574b6bf1a5209b85a8af843b93300550ba7)

- - - - -
bb5414a6 by Stefan Metzmacher at 2024-07-03T08:48:12+00:00
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a)

- - - - -
fc8beb13 by Joseph Sutton at 2024-07-03T08:48:12+00:00
tests/krb5: Add method to perform an armored AS‐REQ

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 849ee959845832b206ae315ab5911c623ea61148)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

- - - - -
a35edbb5 by Joseph Sutton at 2024-07-03T08:48:12+00:00
tests/krb5: Use __slots__ to indicate which attributes are used by classes

These should help to catch mistaken attempts to set invalid attributes.

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2b69e1e7c316e634090aad1d97ecadf8cdf529f3)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

- - - - -
e65a4281 by Andrew Bartlett at 2024-07-03T08:48:12+00:00
dsdb: Reduce minimum maxPwdAge from 1 day to nil

This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 3669479f22f2109a64250ffabd1f6453882d29f1)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

- - - - -
9c64cd3f by Jo Sutton at 2024-07-03T08:48:12+00:00
tests/krb5: Fix PK-INIT test framework to allow expired password keys

Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cc8f455191faacf32efc474c27e99d45ef2e024)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

- - - - -
2102b619 by Andrew Bartlett at 2024-07-03T08:48:12+00:00
python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(backported from commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

[jsutton at samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/pkinit_tests.py]

[jsutton at samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/kdc_base_test.py]

- - - - -
7cc2b7b0 by Jo Sutton at 2024-07-03T08:48:12+00:00
tests/krb5: Allow creation of disabled accounts for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(backported from commit 6dc6168719cf232ac2c1d747f10aad9b13300c02)

[jsutton at samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/kdc_base_test.py]

[jsutton at samba.org Fixed conflicting import statements in
 python/samba/tests/krb5/kdc_base_test.py]

- - - - -
86034d86 by Jo Sutton at 2024-07-03T08:48:12+00:00
tests/krb5: Add tests for errors produced when logging in with unusable accounts

Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(backported from commit c5ee0b60b20011aeaa60c2f549c2a78269c97c8f)

[jsutton at samba.org Fixed conflicts in selftest/knownfail_heimdal_kdc]

- - - - -
2cf809bb by Jo Sutton at 2024-07-03T09:56:13+00:00
third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)

This lets us match the Windows FAST reply when the password is expired.

Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(backported from commit fe90576871b5d644b9e888fd7a0b0351feaba750)

[jsutton at samba.org Fixed conflicts in knownfails and
 third_party/heimdal/kdc/fast.c]

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Wed Jul  3 09:56:13 UTC 2024 on atb-devel-224

- - - - -
fe5f703e by Douglas Bagnall at 2024-07-09T07:49:17+00:00
buildtools: sanitise strange characters in vendor strings

There is no reason to think '-' and '+' are the only characters that
might sneak into a vendor string; Debian habitually use '~'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9)

- - - - -
a65eda03 by Douglas Bagnall at 2024-07-09T07:49:17+00:00
build: --vendor-suffix instead of --vendor-patch-revision --vendor-name

In practice there isn't a use for two options, and neither quite
matched what people thought they were doing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 673c8e6ca5994973e4887641c3599707a66a608c)

- - - - -
6107f663 by Xavi Hernandez at 2024-07-09T08:46:54+00:00
Fix starvation of pending writes in CTDB queues

CTDB uses a queue to receive requests and send answers. It works
asynchronously using the tevent framework. However there was an issue
that gave priority to the receiving side so, when a request was
processed and the answer posted to the queue, if another incoming
request arrived, it was served before sending the previous answer.

This scenario could repeat for long periods of time if the frequency of
incoming requests was high enough.

Eventually, a small time gap between incoming requests gave a chance to
process the pending output queue, sending many answers in a burst.

This patch makes sure that both queues (input and output) are processed
if the event contains the appropriate flag.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15678
RN: Fix unnecessary delays in CTDB while processing requests under high
load.

Signed-off-by: Xavi Hernandez <xhernandez at redhat.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Martin Schwenke <martin at meltin.net>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Mon Jul  1 09:17:43 UTC 2024 on atb-devel-224

(cherry picked from commit 60550fbe184a5cefa55a8f0bab508f70def7a684)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Jul  9 08:46:54 UTC 2024 on atb-devel-224

- - - - -
37414481 by Stefan Metzmacher at 2024-07-09T13:27:12+00:00
.gitlab-ci: make it explicit that some tests require ext4/5.15 kernel

This is better than requiring private runners,
as we'll be able to use shared runners for ext4 soon.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b1e83b6cede6ad50e417a6cff583a9ab25f8c980)

- - - - -
0c14b0c9 by Andrew Bartlett at 2024-07-09T13:27:12+00:00
.gitlab-ci: Allow ext4 jobs to run on shared runners

At the time of this commit, GitLab shared runners
tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram.

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 19fb9a97dff2c0222d89a19bc9b0cd27f0306408)

- - - - -
e5d3231f by Andrew Bartlett at 2024-07-09T13:27:12+00:00
selftest: Allow MIT Krb5 1.21 to still start to fl2000dc

This is the simplest way to keep this test environment alive.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit 4ae3e9b208d4badee5765eddd832b258e84665b2)

- - - - -
0702547d by Stefan Metzmacher at 2024-07-09T13:27:12+00:00
[v4-19-only] selftest: support for MIT krb5 1.21

This copes with the differences between MIT 1.20 and 1.21
during gitlab pipeline selftest.

We need this because Fedora 38 upgraded from 1.20.1 to 1.21.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
17916844 by Andreas Schneider at 2024-07-09T13:27:12+00:00
bootstrap: Fix runner tags

See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 84fb5cc8451c0af354850f39ae6debf388849ebb)

- - - - -
8d2c6462 by Andreas Schneider at 2024-07-09T13:27:12+00:00
bootstrap: Set git safe.directory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d00e9482a50b5a756f4847cde977c40c80e179c5)

- - - - -
374c5ed2 by Andreas Schneider at 2024-07-09T13:27:12+00:00
bootstrap: Fix building CentOS 8 Stream container images

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f3af6e860800d0f837cdf6c2d16d1cd12feb08df)

- - - - -
4180ff4e by Andreas Schneider at 2024-07-09T13:27:12+00:00
gitlab-ci: Set git safe.directory for devel repo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 54fed589cca245c716492bcc78b574c30378b19c)

- - - - -
9308c3aa by Andreas Schneider at 2024-07-09T13:27:12+00:00
third_party: Update uid_wrapper to version 1.3.1

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f88e60644e76c6310088934439f9c0da0f63905f)

- - - - -
fee232dd by Andreas Schneider at 2024-07-09T14:24:35+00:00
third_party: Update socket_wrapper to version 1.4.3

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224

(cherry picked from commit 8ae180e1678fc8565b8074d4886f7d3676a0f950)

Autobuild-User(v4-19-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-19-test): Tue Jul  9 14:24:35 UTC 2024 on atb-devel-224

- - - - -
8d08c814 by Ralph Boehme at 2024-07-10T13:29:02+00:00
third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)

Fix clock skew error message and memory cache clock skew recovery

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676

Signed-off-by: Ralph Boehme <slow at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Fri Jul  5 10:02:26 UTC 2024 on atb-devel-224

(cherry picked from commit e4d6a19e49260af22bffd2a417119489719ba364)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Wed Jul 10 13:29:02 UTC 2024 on atb-devel-224

- - - - -
b22c93ac by Andreas Schneider at 2024-07-11T12:23:08+00:00
gitlab-ci: Also add the git directory for pipeline in the main mirror

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Jul  4 08:08:49 UTC 2024 on atb-devel-224

(cherry picked from commit 93a3dd48d66786cb8765d3ce84ca9f3ad419ac88)

- - - - -
63c8ed2a by Pavel Filipenský at 2024-07-11T13:22:43+00:00
.gitlab-ci-main.yml: Add safe.directory '*'

This is to fix the error when pushing to personal gitlab repo:

2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba'
Cloning into '/builds/samba-testbase/master'...
fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git'
To add an exception for this directory, call:
	git config --global --add safe.directory /builds/pfilipen/samba/.git
fatal: Could not read from remote repository.

Instead of adding more and more explicit repositories
we should just allow any, we're in an isolated environment...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224

(cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36)

Autobuild-User(v4-19-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-19-test): Thu Jul 11 13:22:43 UTC 2024 on atb-devel-224

- - - - -
bd365f68 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
docs-xml:manpages: allow for longer version strings

The default value (30) truncates "Samba 4.21.0pre1-DEVELOPERBUILD" to
"Samba 4.21.0pre1-DEVELOPE" in the bottom left corner of the man page.
("Samba 4.21.0pre1-DEVELOPE" is only 25 bytes long, not 30, but let's
not worry about that).

On narrow terminals (< ~75 columns) this makes it more likely that
the version string will run into the date string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15672

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 7fb38aee129789cce28ddf54bd7234f8c5f57d97)

- - - - -
efd989ac by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: '-U' does not imply secrets without '%'

We return true from this function when a secret has been erased,
and were accidentally treating  as if it had secrets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15671

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f3b240da5c209a51fa43de23e8ecfea2f32bbfd5)

- - - - -
0b94b86f by Douglas Bagnall at 2024-07-23T07:32:13+00:00
selftest: run the cmdline tests that we already have

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f17a2b1b25f2ffa5e3caeb8f81101e66b843cc29)

[jsutton at samba.org Fixed conflict in selftest/tests.py]

- - - - -
245fe4d5 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:tests: extend cmdline_burn tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 05128a1f5f17c55a8d8da42c6c52c4235adf36d4)

- - - - -
22a6e455 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: do not retain false memories

If argv contains a secret option without an '=' (or in the case of
"-U", the username is separated by space), we will get to the
`if (strlen(p) == ulen) { continue; }` without resetting the found
and is_user variables. This *sometimes* has the right effect, because
the next string in argv ought to contain the secret.

But in a case like {"--password", "1234567890"}, where the secret
string is the same length as the option, we *again* take that branch
and the password is not redacted, though the argument after it will be
unless it is also of the same length.

If we always set the flags at the start we avoid this. This makes
things worse in the short term for secrets that are not the same
length as their options, but we'll get to that in another commit soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 2f6020cf3dadf484251701040e09a10fba2f644e)

- - - - -
d87b5a97 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: handle arguments separated from their --options

We weren't treating "--password secret" the same as "--password=secret",
which sometimes led to secrets not being redacted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 53a1184525279741e116350a9b53da15cb2f41d0)
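
The stale-flag failure described in 22a6e455 and the separated-argument handling from d87b5a97, as a simplified model added here for illustration; it is not Samba's lib/cmdline code. The names burn_stale, burn_fixed, secret_opt_len, wipe and leak_report are hypothetical, only "--password" is modelled, and the argv contents are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of the option name if p is "--password" or "--password=...", else 0. */
static size_t secret_opt_len(const char *p)
{
	static const char opt[] = "--password";
	size_t n = sizeof(opt) - 1;
	return (strncmp(p, opt, n) == 0 && (p[n] == '\0' || p[n] == '=')) ? n : 0;
}

/* Overwrite a string in place; volatile keeps the stores from being elided. */
static void wipe(char *s)
{
	for (volatile char *v = s; *v != '\0'; v++) {
		*v = '\0';
	}
}

/* Model of the failure mode: found and ulen carry over between argv entries. */
bool burn_stale(int argc, char *argv[])
{
	bool found = false, burnt = false;
	size_t ulen = 0;
	for (int i = 0; i < argc && argv[i] != NULL; i++) {
		char *p = argv[i];
		size_t n = secret_opt_len(p);
		if (n != 0) {
			ulen = n;
			found = true;
		}
		if (!found || strlen(p) == ulen) {
			continue; /* bare option, or a secret of the same length */
		}
		wipe(n != 0 ? p + ulen : p);
		found = false;
		burnt = true;
	}
	return burnt;
}

/* State is decided afresh per entry; a separated secret is burnt explicitly. */
bool burn_fixed(int argc, char *argv[])
{
	bool burnt = false;
	for (int i = 0; i < argc && argv[i] != NULL; i++) {
		char *p = argv[i];
		size_t n = secret_opt_len(p);
		if (n != 0 && p[n] == '=') {
			wipe(p + n);          /* --password=secret */
			burnt = true;
		} else if (n != 0 && i + 1 < argc && argv[i + 1] != NULL) {
			wipe(argv[++i]);      /* --password secret */
			burnt = true;
		}
	}
	return burnt;
}

/* Constructed argv {"tool", opt, secret, "--debug"}: bit 0 = secret still
 * readable after burning, bit 1 = the unrelated "--debug" was wiped. */
int leak_report(bool (*burn)(int, char **), const char *opt, const char *secret)
{
	char a0[] = "tool", a1[64], a2[64], a3[] = "--debug";
	char *argv[] = { a0, a1, a2, a3, NULL };
	snprintf(a1, sizeof(a1), "%s", opt);
	snprintf(a2, sizeof(a2), "%s", secret);
	burn(4, argv);
	return (strcmp(a2, secret) == 0 ? 1 : 0) | (a3[0] == '\0' ? 2 : 0);
}

int main(void)
{
	printf("stale: %d, fixed: %d\n",
	       leak_report(burn_stale, "--password", "1234567890"),
	       leak_report(burn_fixed, "--password", "1234567890"));
	return 0;
}
```

A result of 3 from the stale model means the 10-character password is still readable in argv while the harmless "--debug" after it was wiped instead; a shorter secret such as "hunter2" happens to be wiped correctly, which is why the bug only showed up sometimes.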

- - - - -
0285ea8c by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: always return true if burnt

Before we have been trying to cram three cases into a boolean return
value:

 * cmdline had secrets, we burnt them       ->  true
 * cmdline had no secrets, all good         ->  false
 * cmdline has NULL string, WTF! emergency! ->  false

This return value is only used by Python which wants to know whether to
go to the trouble of replacing the command line. If samba_cmdline_burn()
returns false, no action is taken.

If samba_cmdline_burn() burns a password and then hits a NULL, it would
be better not to do nothing. It would be better to crash. And that is
what Python will end up doing, by some talloc returning NULL triggering
a MemoryError.

What about the case like {"--foo", NULL, "-Ua%b"} where the secret comes
after the NULL? That will still be ignored by Python, as it is by all C
tools, but we are hoping that can't happen anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit d3d8dffc0212662456a6251baee5afd432160fa2)

- - - - -
83de4276 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: localise some variables

As this function increases in complexity, it helps to keep things close.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f5233ddf974f9649d8a12b151b6843412eab489c)

- - - - -
c01499cd by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: do not burn options starting --user-*, --password-*

We have options that start with --user or --password that we don't
want to burn. Some grepping says:

      2 --user1
      1 --user2
     10 --user-allowed-to-authenticate-from
      6 --user-allowed-to-authenticate-to
      2 --user-allow-ntlm-auth
     25 --user-authentication-policy
      1 --user-config
      4 --user-domgroups
      5 --user-ext-name
      2 --user-groups
      6 --user-info
     27 --username
      1 --username2
      2 --userou
      1 --users
      2 --user-sidinfo
      6 --user-sids
     14 --user-tgt-lifetime-mins
      2 --password2
    118 --password-file
      2 --password-from-stdin
      # from here, grepping for strings around POPT_ constants
      5 "user"
      2 "user1"
      2 "user2"
      1 "userd"
      1 "user-domgroups"
      1 "user-groups"
      1 "user-info"
      2 "username"
      1 "user-sidinfo"
      1 "user-sids"
      1 passwordd
      4 "password"

Not all of these use lib/cmdline, but I think most do, via Python
which defers to cmdline_burn().

Note that there are options we should burn that aren't on this list,
like --adminpass. That's another matter.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 6effed31899a1be8194a851e5a4023276b8a5f38)

- - - - -
ae462aa7 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline: test_cmdline tests more burning

We have more secret arguments, like --client-password, --adminpass,
so we are going to use an allowlist for options containing 'pass', but
we don't want to burn the likes of --group=passionfruit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit c4df89e9640c1306aa390cdacaa974c870c3f5bb)

- - - - -
0c7a0ff7 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: use allowlist to ensure more passwords burn

We treat any option containing 'pass' with suspicion, unless we know it
is OK.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit f1fbba6dc609590854c0d7c5e72b58fabc356695)

- - - - -
bfdd8d17 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: explicitly burn --username

This is the long form of -U in samba-tool.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit 63a83fb7bb312731047f361f89766e0be492f83e)

- - - - -
e35d6aeb by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline:burn: add a note about short option combinations

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
(cherry picked from commit 97be45f9ea3410392cd37eab5cfafd3ad00cfe57)

- - - - -
0c6749b1 by Douglas Bagnall at 2024-07-23T07:32:13+00:00
cmdline: samba-tool test for bad option warning

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
(cherry picked from commit d2b119e34b4e523a3bc6699e4d8a370bf8403d0b)

- - - - -
2b35eab7 by Douglas Bagnall at 2024-07-23T08:43:59+00:00
cmdline:burn: list commands to always burn; warn on unknown

We burn arguments to all unknown options containing "pass" (e.g.
"--passionate=false") in case they are a password option, but this is bad
in the case where the unknown option takes no argument but the next
option *is* a password (like "--overpass --password2 barney"). In that
case "--password2" would be burnt and not "barney".

The burning behaviour doesn't change with this commit, but users will now
see an error message explaining that the option was unknown. This is not
so much aimed at end users -- for whom an invalid option will hopefully
lead to --help like output -- but to developers who add a new "pass"
option.

This also slightly speeds up the processing of known password options,
which is a little bit important because we are in a race to replace the
command line in /proc before an attacker sees it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Jul 10 06:28:08 UTC 2024 on atb-devel-224

(cherry picked from commit 86843685419921e28c37f3c1b33011f14940e02f)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Jul 23 08:43:59 UTC 2024 on atb-devel-224

- - - - -
4419ccc5 by Douglas Bagnall at 2024-07-29T13:17:42+00:00
libcli:security: allow spaces after BAD:

In AD_DS_Classes_Windows_Server_v1903.ldf from
https://www.microsoft.com/en-us/download/details.aspx?id=23782, we see

  defaultSecurityDescriptor: O:BAG:BAD: (A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15685

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Thu Jul 25 06:27:27 UTC 2024 on atb-devel-224

(cherry picked from commit 8903876f65d5721d30186875d391889d1ddcd52c)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Jul 29 13:17:42 UTC 2024 on atb-devel-224

- - - - -
ab535a64 by Andreas Schneider at 2024-08-06T11:44:00+00:00
wafsamba: Fix ABI symbol name generation

Commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9 changed the script
for generating the ABI symbol version. It broke the ABI by changing all
dots to underscores.

This reverts the commit partially to preserve the dots in the version
part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Günther Deschner <gd at samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Tue Aug  6 00:42:56 UTC 2024 on atb-devel-224

(cherry picked from commit 46215ab1b34aa79c4c831ea1c12f73eacf1e8a12)

Autobuild-User(v4-19-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-19-test): Tue Aug  6 11:44:00 UTC 2024 on atb-devel-224

- - - - -
af2360d6 by Jones Syue at 2024-08-15T07:56:59+00:00
s3:ntlm_auth: make logs more consistent with length check

Run ntlm_auth with options --lm-response/--nt-response/--challenge, and pass
wrong length to these options, got error prompted logs about 'only got xxx
bytes', which are not consistent with length check. This patch revises logs
for length check to make it more consistent.

For example --lm-response requires exact 24 hex, let us input three kinds
of length 23 24 25, prompted logs said 'only got 25 bytes' seems confusing.

script:
for length in 23 24 25; \
do \
    ntlm_auth --username=${un} --password=${pw} \
    --lm-response="`openssl rand -hex ${length}`"; \
done;

output:
hex decode of 04db772593f5e6023d0ab4bc67a942c9179963477eb49d failed! (only got 23 bytes)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 1e57749feb46bedcf969af6cbbe10e21d0232e35c27eb07294 failed! (only got 25 bytes)

After patch it shows 'got 25 bytes, expected 24' seems more consistent:

hex decode of e13e70c9cf2ac1e20015657c4bec53435b1b948febb63f failed! (got 23 bytes, expected 24)
NT_STATUS_OK: The operation completed successfully. (0x0)
hex decode of 64647005243092b036856f572faad262e0b69386d095d60f54 failed! (got 25 bytes, expected 24)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15677

Signed-off-by: Jones Syue <jonessyue at qnap.com>
Reviewed-by: David Mulder <dmulder at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Jul  6 00:52:02 UTC 2024 on atb-devel-224

(cherry picked from commit 90c9d0d98d3c80c77764dbcaf9c24d7c4ea31b4a)

Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Thu Aug 15 07:56:59 UTC 2024 on atb-devel-224

- - - - -
c992f748 by Jule Anger at 2024-08-15T13:56:30+02:00
WHATSNEW: Add release notes for Samba 4.19.8.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
204b0f2d by Jule Anger at 2024-08-15T13:56:30+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.8 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
8b3f193e by Michael Tokarev at 2024-08-16T09:54:18+03:00
New upstream version 4.19.8+dfsg
- - - - -
87a9d64f by Michael Tokarev at 2024-08-16T09:54:45+03:00
Update upstream source from tag 'upstream/4.19.8+dfsg'

Update to upstream version '4.19.8+dfsg'
with Debian dir 65e2c27a2deb5eeb5155c385b239f59dbffa16a5
- - - - -
6f8122f0 by Michael Tokarev at 2024-08-16T10:18:17+03:00
drop python3-ldb-dev package (internal to samba build)

python3-ldb-dev contains development files for C bindings
for python3 bindings to libldb.  The files in there are
used during samba build but not elsewhere.  More, since
the library *name* is python-arch-version-dependent, it
is quite difficult to use these bindings outside wafsamba
anyway.

This package is left here since the time when libldb was
built from its own sources instead of from samba sources.

Drop this package, temporarily replacing it with an empty
transitional package just in case someone has it installed
(since it depends on the same binary version of python3-ldb).
To be removed after trixie.

Also drop symbols for pyldb-utils.so which is used internally
(linked to from python extensions) and contains just 3 symbols.

- - - - -
85fd93ab by Michael Tokarev at 2024-08-16T10:19:23+03:00
update changelog; upload version 4.19.8+dfsg-1 to unstable

- - - - -


30 changed files:

- .gitlab-ci-main.yml
- VERSION
- WHATSNEW.txt
- auth/credentials/credentials.c
- auth/credentials/credentials.h
- auth/credentials/credentials_secrets.c
- auth/credentials/tests/test_creds.c
- bootstrap/.gitlab-ci.yml
- bootstrap/config.py
- bootstrap/generated-dists/centos8s/bootstrap.sh
- bootstrap/sha1sum.txt
- buildtools/wafsamba/samba_abi.py
- buildtools/wafsamba/samba_third_party.py
- buildtools/wafsamba/samba_version.py
- ctdb/common/ctdb_io.c
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7.xml
- ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
- debian/changelog
- debian/control
- debian/not-installed
- − debian/python3-ldb-dev.install
- − debian/python3-ldb-dev.lintian-overrides
- − debian/python3-ldb.symbols.in
- debian/rules
- docs-xml/xslt/man.xsl
- lib/cmdline/cmdline.c
- lib/cmdline/tests/test_cmdline.c
- + lib/ldb/ABI/pyldb-util-2.8.1.sigs
- libcli/nbt/libnbt.h
- libcli/nbt/nbtsocket.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/6260b1d736690b9209a2a7856e1012567f1ef073...85fd93ab4f1cade74ad4bc33065334957b8a31a8
