Commit message | Author | Age | Files | Lines
* ldb: version 2.3.2 [ldb-2.3.2] | Stefan Metzmacher | 2021-11-02 | 3 | -1/+288
  Backport all C code changes from ldb-2.4.1 to be available for Samba 4.14.x

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-14-test): Tue Nov 2 21:47:27 UTC 2021 on sn-devel-184
* lib:ldb-samba: Improve calculate_popt_array_length() | Andreas Schneider | 2021-11-02 | 2 | -6/+23
  Note that memcmp() doesn't work well with padding bytes. So avoid it!

    (gdb) ptype/o struct poptOption
    /* offset    |  size */  type = struct poptOption {
    /*    0      |     8 */    const char *longName;
    /*    8      |     1 */    char shortName;
    /* XXX  3-byte hole  */
    /*   12      |     4 */    unsigned int argInfo;
    /*   16      |     8 */    void *arg;
    /*   24      |     4 */    int val;
    /* XXX  4-byte hole  */
    /*   32      |     8 */    const char *descrip;
    /*   40      |     8 */    const char *argDescrip;
    /* total size (bytes):   48 */

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)
* lib:ldb: Use C99 initializers for builtin_popt_options[] | Andreas Schneider | 2021-11-02 | 1 | -25/+225
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit a593065c7f22e17434f33d0132cc6a7073acf414)
* pyldb: fix a typo | Björn Baumbach | 2021-11-02 | 1 | -1/+1
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Rowland penny <rpenny@samba.org>
  (cherry picked from commit 6fcde09f093db5d26c582a3c28531265f06b9fde)
* ldb: improve comments for ldb_module_connect_backend() | Douglas Bagnall | 2021-11-02 | 1 | -5/+9
  There is no flags argument. There are more URI forms.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 48068a58df0313cd904f27e2c918ee10275ae373)
* ldb: correct comments in attrib_handers val_to_int64 | Douglas Bagnall | 2021-11-02 | 1 | -3/+1
  c.f. the identical static function in lib/ldb-samba/ldif_handlers.c

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 46e6f6ef8436df7e083f34556c25f66f65ea1ce5)
* ldb.h: remove undefined async_ctx function signatures | Douglas Bagnall | 2021-11-02 | 1 | -12/+0
  These functions do not exist.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 1a05b58edaf96e7da707f9ad0a237551dbe13eb5)
* lib:ldb: Add missing break in switch statement | Andreas Schneider | 2021-11-02 | 1 | -0/+1
    error: unannotated fall-through between switch labels [-Werror,-Wimplicit-fallthrough]

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  (cherry picked from commit 1ffacac547a8ce29c6696dda73991a8db7e34dfd)
* pyldb: Fix Message.items() for a message containing elements | Joseph Sutton | 2021-11-02 | 1 | -2/+2
  Previously, message elements were being freed before the call to Py_BuildValue(), resulting in an exception being raised. Additionally, only the first element of the returned list was ever assigned to.

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit 3e4ec0a90a222c1cff4a91912afc703ca4cbbb0e)
* ldb_match: remove redundant check | Douglas Bagnall | 2021-11-02 | 1 | -2/+0
  We already ensure the no-trailing-asterisk case ends at the end of the string.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Björn Jacke <bjacke@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fa93339978040eab52b2722c1716028b48d8d084)
* pyldb: catch potential overflow error in py_timestring | Stefan Metzmacher | 2021-11-02 | 3 | -0/+27
  Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 71e8b24b8a031de26b21539e36a60f459257d2fd)
* ldb: fix ldb_comparison_fold off-by-one overrun | Douglas Bagnall | 2021-11-02 | 1 | -2/+2
  We run one character over in comparing all the bytes in two ldb_vals. In almost all circumstances both ldb_vals would have an allocated '\0' in the overrun position, but it is best not to rely on that.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 2b2f4f519454beb6f2a46705675a62274019fc09)
* ldb_match: trailing chunk must match end of string | Douglas Bagnall | 2021-11-02 | 1 | -45/+35
  A wildcard search is divided into chunks by the asterisks. While most chunks match the first suitable string, the last chunk matches the last possible string (unless there is a trailing asterisk, in which case this distinction is moot).

  We always knew this in our hearts, but we tried to do it in a funny complicated way that stepped through the string, comparing here and there, leading to CVE-2019-3824 and missed matches (bug 14044).

  With this patch, we just jump to the end of the string and compare it. As well as being correct, this should also improve performance, as the previous algorithm involved a quadratic loop of erroneous memmem()s.

  See https://tools.ietf.org/html/rfc4517

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Björn Jacke <bjacke@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit cc098f1cad04b2cfec4ddd6b2511cd5a600f31c6)
* ldb/attrib_handler casefold: simplify space dropping | Douglas Bagnall | 2021-11-02 | 2 | -28/+27
  As seen in CVE-2021-20277, ldb_handler_fold() has been making mistakes when collapsing spaces down to a single space.

  This patch fixes the way it handles internal spaces (CVE-2021-20277 was about leading spaces), and involves a rewrite of the parsing loop.

  The bug has a detailed description of the problem.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Apr 7 03:16:39 UTC 2021 on sn-devel-184
  (cherry picked from commit 24ddc1ca9cad95673bdd8023d99867707b37085f)
* VERSION: Bump version up to Samba 4.14.10... | Jule Anger | 2021-10-27 | 1 | -2/+2
  and re-enable GIT_SNAPSHOT.

  Signed-off-by: Jule Anger <janger@samba.org>
* VERSION: Disable GIT_SNAPSHOT for the 4.14.9 release. [samba-4.14.9] | Jule Anger | 2021-10-27 | 1 | -1/+1
  Signed-off-by: Jule Anger <janger@samba.org>
* WHATSNEW: Add release notes for Samba 4.14.9. | Jule Anger | 2021-10-27 | 1 | -2/+102
  Signed-off-by: Jule Anger <janger@samba.org>
* ldb: Release ldb 2.3.1 [ldb-2.3.1] | Andrew Bartlett | 2021-10-26 | 3 | -1/+287
  * Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message (bug 14845)
  * Fix memory handling in ldb.msg_diff (bug 14836)
  * Corrected python docstrings

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184
* pyldb: Make ldb.Message containment testing consistent with indexing | Joseph Sutton | 2021-10-26 | 2 | -4/+21
  Previously, containment testing using the 'in' operator was handled by performing an equality comparison between the chosen object and each of the message's keys in turn. This behaviour was prone to errors due to not considering differences in case between otherwise equal elements, as the indexing operations do.

  Containment testing should now be more consistent with the indexing operations and with the get() method of ldb.Message.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)
* pyldb: Add tests for ldb.Message containment testing | Joseph Sutton | 2021-10-26 | 2 | -0/+27
  These tests verify that the 'in' operator on ldb.Message is consistent with indexing and the get() method. This means that the 'dn' element should always be present, lookups should be case-insensitive, and use of an invalid type should result in a TypeError.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)
* pyldb: Raise TypeError for an invalid ldb.Message index | Joseph Sutton | 2021-10-26 | 2 | -16/+7
  Previously, a TypeError was raised and subsequently overridden by a KeyError.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)
* pyldb: Add test for an invalid ldb.Message index type | Joseph Sutton | 2021-10-26 | 2 | -0/+7
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)
* s4/torture/drs/python: Fix attribute existence check | Joseph Sutton | 2021-10-26 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)
* pyldb: Fix deleting an ldb.Control critical flag | Joseph Sutton | 2021-10-26 | 2 | -1/+4
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8)
* pytest:segfault: Add test for deleting an ldb.Control critical flag | Joseph Sutton | 2021-10-26 | 2 | -0/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org backported from commit b1adaa517c1237a473bdcf818523f5107df3d6b0 as @no_gdb_backtrace is not in Samba 4.14]
* pyldb: Fix deleting an ldb.Message dn | Joseph Sutton | 2021-10-26 | 2 | -1/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org backported from commit d7af772de88885f46708329ff7bb5798da91d2c7 due to conflicts in knownfail.d/python-segfaults]
* pytest:segfault: Add test for deleting an ldb.Message dn | Joseph Sutton | 2021-10-26 | 2 | -0/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org backported from commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c as other segfaulting tests are listed in knownfail.d/python-segfaults and @no_gdb_backtrace is not in 4.14]
* Fix Python docstrings | Joseph Sutton | 2021-10-26 | 4 | -4/+4
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Sep 4 00:55:32 UTC 2021 on sn-devel-184
  (cherry picked from commit 02b187303369d3ce0c19dfb72ffa78f86a3911f0)
* lib/krb5_wrap: Fix missing error check in new salt code | Andrew Bartlett | 2021-10-26 | 1 | -3/+3
  CID 1492905: Control flow issues (DEADCODE)

  This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
  (cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)
* dsdb: Allow special chars like "@" in samAccountName when generating the salt | Andrew Bartlett | 2021-10-26 | 6 | -66/+195
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
  (cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)
* tests/krb5: Add tests for account salt calculation | Joseph Sutton | 2021-10-26 | 6 | -0/+466
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [abartlet@samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4 as the no_preauth side of the testsuite shows differences in enctypes in Samba 4.14. The change is only in salt calculation so this is not vital]
* tests/krb5: Fix account salt calculation to match Windows | Joseph Sutton | 2021-10-26 | 1 | -2/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
* tests/krb5: Allow specifying the UPN for test accounts | Joseph Sutton | 2021-10-26 | 2 | -0/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
* tests/krb5: Allow creating machine accounts without a trailing dollar | Joseph Sutton | 2021-10-26 | 1 | -4/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
* tests/krb5: Allow specifying prefix or suffix for test account names | Joseph Sutton | 2021-10-26 | 1 | -0/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
* tests/krb5: Decrease length of test account prefix | Joseph Sutton | 2021-10-26 | 1 | -1/+1
  This allows us more room to test with different account names.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
* selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") | Stefan Metzmacher | 2021-10-26 | 1 | -4/+8
  This is much more flexible and concentrates the logic in a single place.

  We'll use winbindd => "offline" in other places soon.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
* selftest/Samba3: remove unused close(USERMAP); calls | Stefan Metzmacher | 2021-10-26 | 1 | -4/+0
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  [abartlet@samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c as offline login tests are not in Samba 4.14]
* waf: Allow building with MIT KRB5 >= 1.20 | Andreas Schneider | 2021-10-26 | 1 | -0/+1
    gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype [-Werror=strict-prototypes]
      105 | typedef bool_t (*xdrproc_t)();
          | ^~~~~~~

  This can't be fixed, as the prototype is variadic. It can take up to three arguments.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
* selftest: Improve error handling and perl style when setting up users in Samba4.pm | Andrew Bartlett | 2021-10-26 | 1 | -19/+53
  This catches errors and avoids using global variables (the old style file handles are global).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
* selftest: Remove duplicate setup of $base_dn and $ldbmodify | Andrew Bartlett | 2021-10-26 | 1 | -4/+0
  These are already set up to the same values above for the full DC and correct values for the (strange) s4member environment.

  By not setting $base_dn again we avoid an error once we start checking for them.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
  (cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
* selftest: krb5 account creation: clarify account type as an enum | Joseph Sutton | 2021-10-26 | 7 | -63/+100
  This makes the code clearer with a symbolic constant rather than a True/False boolean.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
* pytest: dynamic tests optionally add __doc__ | Douglas Bagnall | 2021-10-26 | 1 | -1/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
* selftest: Increase account lockout windows to make test more reliable | Joseph Sutton | 2021-10-26 | 1 | -2/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
* pytest/rodc_rwdc: try to avoid race. | Douglas Bagnall | 2021-10-26 | 1 | -0/+4
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
* HEIMDAL:kdc: Fix transit path validation CVE-2017-6594 | Viktor Dukhovni | 2021-10-26 | 1 | -3/+10
  Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2.

  Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations.

  (similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
  (cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
* tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service | Joseph Sutton | 2021-10-26 | 2 | -2/+113
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
  (cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)
* tests/krb5: Ensure PAC is not present if expect_pac is false | Joseph Sutton | 2021-10-26 | 1 | -7/+7
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
* kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers | Andrew Bartlett | 2021-10-26 | 2 | -16/+26
  UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause the PAC to be stripped not to give an error if the PAC was still present.

  Tested against Windows 2019

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
* kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals | Andrew Bartlett | 2021-10-26 | 4 | -14/+0
  Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED applies to services only, not to clients.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  [abartlet@samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013 as there was a knownfail conflict with the test_remove_pac case which succeeds on this branch]