samba.git/source4/libcli, branch master Unnamed repository; edit this file 'description' to name the repository. auth: Use secure variant data_blob_talloc_s() to zero sensitive data blobs 2026-03-31T08:15:33+00:00 Pavel Filipenský pfilipensky@samba.org 2026-03-09T07:45:20+00:00 07ca97b30d7bd385c64f95dca96b3378c6da9cba Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 ldb: add "policy hints" controls to be used by password_hash module 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-09-24T23:45:30+00:00 b003beb85a648eae5bfe7e38362abd8d798e8f86 These won't have any effect yet, but soon they will allow a privileged account to perform a password reset that respects constraints on password history, age, and length, as if the reset was an ordinary password change (that is, where the user provides the old password). A normal user can't reset their own password using this, if the organisation is using a remote service (e.g. Entra ID or Keycloak) to manage passwords, that service can use a policy hints control to ensure it follows AD password policy. Entra ID Self Service Password Reset (SSPR) uses the deprecated OID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
These won't have any effect yet, but soon they will allow a privileged
account to perform a password reset that respects constraints on
password history, age, and length, as if the reset was an ordinary
password change (that is, where the user provides the old password).

A normal user can't reset their own password using this, if the
organisation is using a remote service (e.g. Entra ID or Keycloak) to
manage passwords, that service can use a policy hints control to
ensure it follows AD password policy.

Entra ID Self Service Password Reset (SSPR) uses the deprecated OID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
lib: Move a few smb-related constant #defines to common code 2026-01-07T11:00:48+00:00 Volker Lendecke vl@samba.org 2025-09-15T14:04:55+00:00 0c73b793a05aef90ec4284a79e82e584c55132da No need to have two copies in source3 and source4 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Jan 7 11:00:48 UTC 2026 on atb-devel-224 
No need to have two copies in source3 and source4

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan  7 11:00:48 UTC 2026 on atb-devel-224
lib: Don't call a function to initialize an empty DATA_BLOB 2026-01-07T09:57:40+00:00 Volker Lendecke vl@samba.org 2025-12-24T08:41:02+00:00 ff627b2b41eba26a0dbe7744b6a027e001583828 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
lib: Fix some whitespace 2026-01-07T09:57:40+00:00 Volker Lendecke vl@samba.org 2025-12-18T14:36:23+00:00 0f761a956bef95d75f71311b8ac554641c7102a2 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
s4:smb_composite: session_setup_old() handles no password 2025-08-26T22:42:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-02-05T03:49:21+00:00 491bd6c960328e0987351656b3fb73f301fd73d5 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:smb_composite: session_setup_nt1() handles no password 2025-08-26T22:42:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-02-05T03:49:01+00:00 316144621b20d0de0384ae1c66c05dfbec3b68a2 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
libcli/smb2: dump encryption key in format for Wireshark ~/.wireshark/smb2_seskey_list 2025-07-22T14:08:36+00:00 Ralph Boehme slow@samba.org 2025-07-19T12:54:10+00:00 85123e4ad02b8e1c085beea43574417b9cc761d6 This allows dumping the keys and quickly feeding them into Wireshark by adding them to ~/.wireshark/smb2_seskey_list. Example: debug encryption: dumping generated session keys Session Id [0000] 7D 00 00 E8 57 E0 31 01 }...W.1. Session Key [0000] 71 54 77 50 C1 DD 66 68 A8 51 D8 DE 23 F4 91 01 qTwP..fh .Q..#... Signing Key [0000] B1 29 AC EF 41 30 AE D2 43 00 1F 67 87 29 BF DB .)..A0.. C..g.).. App Key [0000] 6A 88 5C 51 51 22 FF 5C 25 95 A2 5C E2 2C FC 5D j.\QQ".\ %..\.,.] ServerIn Key [0000] 20 08 EB A2 14 99 17 03 9C A5 9A BB B8 48 88 3C ....... .....H.< ServerOut Key [0000] 15 AA C2 0D 19 AB 4C 26 64 E8 FC 94 B1 FE 27 5A ......L& d.....'Z Wireshark configuration line 7d0000e857e03101,71547750c1dd6668a851d8de23f49101,15aac20d19ab4c2664e8fc94b1fe275a,2008eba2149917039ca59abbb848883c When setting debug encryption = yes debug encryption:wireshark keyfile = /home/slow/.wireshark/smb2_seskey_list the keys are appended directly to Wireshark's keyfile. Wireshark has to be restarted to pick them up. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> 
This allows dumping the keys and quickly feeding them into Wireshark by adding
them to ~/.wireshark/smb2_seskey_list.

Example:

  debug encryption: dumping generated session keys
  Session Id    [0000] 7D 00 00 E8 57 E0 31 01                             }...W.1.
  Session Key   [0000] 71 54 77 50 C1 DD 66 68   A8 51 D8 DE 23 F4 91 01   qTwP..fh .Q..#...
  Signing Key   [0000] B1 29 AC EF 41 30 AE D2   43 00 1F 67 87 29 BF DB   .)..A0.. C..g.)..
  App Key       [0000] 6A 88 5C 51 51 22 FF 5C   25 95 A2 5C E2 2C FC 5D   j.\QQ".\ %..\.,.]
  ServerIn Key  [0000] 20 08 EB A2 14 99 17 03   9C A5 9A BB B8 48 88 3C    ....... .....H.<
  ServerOut Key [0000] 15 AA C2 0D 19 AB 4C 26   64 E8 FC 94 B1 FE 27 5A   ......L& d.....'Z
  Wireshark configuration line
  7d0000e857e03101,71547750c1dd6668a851d8de23f49101,15aac20d19ab4c2664e8fc94b1fe275a,2008eba2149917039ca59abbb848883c

When setting

    debug encryption = yes
    debug encryption:wireshark keyfile = /home/slow/.wireshark/smb2_seskey_list

the keys are appended directly to Wireshark's keyfile. Wireshark has to be
restarted to pick them up.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
s4/libcli/smb2: dump encryption keys if enabled 2025-07-22T14:08:36+00:00 Ralph Boehme slow@samba.org 2025-07-18T17:28:44+00:00 66fc47ff1daafdf912e42a4fccafac2f2079ac7d Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> 
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
s4/libcli/smb2: pass lp_ctx to smb2_session_init() and remember debug encryption settings 2025-07-22T14:08:36+00:00 Ralph Boehme slow@samba.org 2025-07-18T17:27:48+00:00 4824d9096c66be6eea05aa3d62ae6cfd8388bee6 Not yet used, that comes next. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> 
Not yet used, that comes next.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>