samba.git/python, branch master Unnamed repository; edit this file 'description' to name the repository. pytests: dns_packet tests check rcodes match Windows 2026-04-16T00:54:43+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2020-06-03T02:42:41+00:00 cf44e414bde6ed85a1e19e186630759af904c2bf the dns_packet tests originally checked only for a particular DoS situation (CVE-2020-10745) but now we widen them to ensure Samba's replies to invalid packets resembles those of Windows (in particular, Windows 2012r2). We want Samba to reply only when Windows replies, and with the same rcode. At present we fail a lot of these tests. The original CVE-2020-10745 test is retained and widened indirectly -- any test that leaves the server unable to respond within 0.5 seconds will count as a failure. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> 
the dns_packet tests originally checked only for a particular DoS
situation (CVE-2020-10745) but now we widen them to ensure Samba's
replies to invalid packets resembles those of Windows (in particular,
Windows 2012r2). We want Samba to reply only when Windows replies, and
with the same rcode.

At present we fail a lot of these tests.

The original CVE-2020-10745 test is retained and widened indirectly --
any test that leaves the server unable to respond within 0.5 seconds
will count as a failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
subunit: Do not return successful exit code if tests fail or error 2026-04-07T04:17:08+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-04-02T03:11:56+00:00 7510bb80054e4b087711522d05895874ec481f29 TestProtocolClient.writeOutcome() removed items from self.errors and self.failures via TestProtocolClient._filterErrors(). This made wasSuccessful() inappropriately return True even if there were errors or failures. subunit.run.runTests() uses wasSuccessful() to determine the exit code. To fix this, do not remove items from self.errors or self.failures, but instead use indices to keep track of how many items we have already processed in each of self.errors and self.failures. This fixes a regression introduced by commit 421dc7fc4d83629d3a5f9e558d378f44c7b9dad3. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15691 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Gary Lockyer <gary@samba.org> Autobuild-Date(master): Tue Apr 7 04:17:08 UTC 2026 on atb-devel-224 
TestProtocolClient.writeOutcome() removed items from self.errors and
self.failures via TestProtocolClient._filterErrors(). This made wasSuccessful()
inappropriately return True even if there were errors or failures.
subunit.run.runTests() uses wasSuccessful() to determine the exit code.

To fix this, do not remove items from self.errors or self.failures, but instead
use indices to keep track of how many items we have already processed in each of
self.errors and self.failures.

This fixes a regression introduced by commit
421dc7fc4d83629d3a5f9e558d378f44c7b9dad3.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15691

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Apr  7 04:17:08 UTC 2026 on atb-devel-224
selftest: Add keywords arguments to addDuration() method 2026-04-07T03:14:34+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-04-02T03:09:58+00:00 ccbda51dcc67b296b2e720ed3ea27601d913b969 Without these, the type checker complains: Method "addDuration" overrides class "TestResult" in an incompatible manner. Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Without these, the type checker complains:

Method "addDuration" overrides class "TestResult" in an incompatible manner.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
s4/dns_server: add large dns udp truncated packets tests 2026-04-01T04:05:39+00:00 Andréas Leroux aleroux@tranquil.it 2026-02-13T08:22:32+00:00 d1a309b4e6e7fa24d95e7cf7067ff43dcbb3a070 Large DNS response must be truncated over UDP, though this is not yet done in samba. Test is added as knownfail until implementation BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988 Signed-off-by: Andréas Leroux <aleroux@tranquil.it> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Large DNS response must be truncated over UDP, though this is not yet done in samba. Test is added as knownfail until implementation

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988

Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
tests:krb5 expired password handling 2026-03-30T23:37:36+00:00 Gary Lockyer gary@catalyst.net.nz 2026-03-26T00:39:45+00:00 f9ca5b75f82e8efbeebdc8520114a5d89dcbbf00 The windows ADDC checks password validity before password expiry. So an incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not KDC_ERR_KEY_EXPIRED. The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to samba. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
The windows ADDC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not
KDC_ERR_KEY_EXPIRED.

The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python:tests/krb5: Make PADATA_PK_AS_REP optional in non-strict mode 2026-03-30T10:41:07+00:00 Andreas Schneider asn@samba.org 2026-03-25T11:44:02+00:00 b79df27457e78ec2e8e301865c553fb76a596f9d Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED. This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints in expired-password error responses. Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently when the expired-password code path is exercised against MIT KDC. Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19, so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0) while still being enforced in strict mode. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224 
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.

Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133).  This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.

Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
python:tests: Fix assertEqual placement in test_device_group_restrictions 2026-03-30T09:37:33+00:00 Andreas Schneider asn@samba.org 2026-03-25T10:37:09+00:00 fed52c9b95cf4f7628749b78843ac4189afa0950 The assertEqual calls checking the exception attributes were incorrectly indented inside the 'with self.assertRaises()' block. When the expected NTSTATUSError is raised by verify_access(), execution exits the block immediately, so those lines were never reached. When the exception is not raised (e.g. with MIT KRB5 1.22 where a spurious FAST error was fixed), execution falls through to the assertEqual inside the block, causing AttributeError because error.exception is only available after the 'with' block exits. The exception returned is NT_STATUS_UNSUCCESSFUL with Heimdal. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
The assertEqual calls checking the exception attributes were incorrectly
indented inside the 'with self.assertRaises()' block. When the expected
NTSTATUSError is raised by verify_access(), execution exits the block
immediately, so those lines were never reached.
When the exception is not raised (e.g. with MIT KRB5 1.22 where a spurious FAST
error was fixed), execution falls through to the assertEqual inside the block,
causing AttributeError because error.exception is only available after the
'with' block exits.

The exception returned is NT_STATUS_UNSUCCESSFUL with Heimdal.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
 test:heimdal:pkinit fixes for SHA1-PUKEY calculation 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-19T22:55:59+00:00 76bf9214239759169ff4688b035c3f531e0db1bc The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire certificate not just the public key. BUG https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire
certificate not just the public key.

BUG https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:kdc:db-glue altSecurityIdentities DN and serial reversed 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-18T23:18:38+00:00 580051e5686d9a26d2502eb969f7a80e13519afb When altSecurityIdentities is set by RSAT / ADUC they store the Issuer and Subject DN in last to first order i.e. CN=Common Name, O=Organization, C=Country Need to reverse that to first to last order, i.e. C=Country, O=Organization, CN=Common name Which is how they're stored on the X509 certificates. Also the serial number is stored in reverse order. BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
When altSecurityIdentities is set by RSAT / ADUC they store the
Issuer and Subject DN in last to first order i.e.
       CN=Common Name, O=Organization, C=Country
Need to reverse that to first to last order, i.e.
       C=Country, O=Organization, CN=Common name
Which is how they're stored on the X509 certificates.

Also the serial number is stored in reverse order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default 2026-02-18T00:49:34+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-01-30T02:03:42+00:00 802649fa35ed37de69f6ca0593a39399575ac6e4 If AES keys are available in the domain, assume that service accounts support AES by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
If AES keys are available in the domain, assume that service accounts support
AES by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>