samba.git/source4/setup, branch talloc-2.3.4 Unnamed repository; edit this file 'description' to name the repository. s4/dlz: add support for bind 9.18 2022-05-23T00:53:09+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2022-02-23T23:17:00+00:00 03036442deac25f58be4119e6c9ce2586e0abf51 It seems nothing has changed since 9.16 for our purposes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14986 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Andreas Hasenack <andreas@canonical.com> Pair-programmed-with: Andreas Hasenack <andreas@canonical.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Mon May 23 00:53:09 UTC 2022 on sn-devel-184 
It seems nothing has changed since 9.16 for our purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14986

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andreas Hasenack <andreas@canonical.com>
Pair-programmed-with: Andreas Hasenack <andreas@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon May 23 00:53:09 UTC 2022 on sn-devel-184
s4:provision_users.ldif: Add Protected Users group 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-01T08:04:40+00:00 fb0f65b0b5f140ee0dd8fc962c744f23162e9d46 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-10-28T00:07:01+00:00 55752c12cf14b64d981c9a6010ead0fd8d847857 We need to have the SPNs there before someone else nabs them, which makes the re-provisioned old releases different from the reference versions that we keep for this comparison. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 s4/provision: add host/ SPNs at the start 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-10-27T20:45:36+00:00 0a555cf097a5a8d38c7b61edaee838dd0973a989 There are two reasons for this. Firstly, leaving SPNs unclaimed is dangerous, as someone else could grab them first. Secondly, in some circumstances (self join) we try to add a DNS/ SPN a little bit later in provision. Under the rules we are introducing for CVE-2020-25722, this will make our later attempts to add HOST/ fail. This causes a few errors in samba4.blackbox.dbcheck.* tests, which assert that revivified old domains match stored reference versions. Now they don't, because they have servicePrincipalNames. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-09-01T06:35:02+00:00 8cde23709050533c0da898ca0a1072bca0845890 It is soon going to be impossible to add duplicate SPNs (short of going behind DSDB's back on the local filesystem). Our test of adding SPNs on non-admin users doubled as the test for adding a duplicate (using --force). As --force is gone, we add these tests on Guest after the SPN on Administrator is gone. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 samba-tool spn add: remove --force option 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-08-26T23:36:42+00:00 72a2c21f3f51d1b56b41c9401419b69b2c916ddf This did not actually *force* the creation of a duplicate SPN, it just ignored the client-side check for the existing copy. Soon we are going to enforce SPN uniqueness on the server side, and this --force will not work. This will make the --force test fail, and if that tests fail, so will others that depend the duplicate values. So we remove those tests. It is wrong-headed to try to make duplicate SPNs in any case, which is probably why there is no sign of anyone ever having used this option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.

It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:samba: Migrate samba daemon to new cmdline option parser 2021-04-29T03:58:37+00:00 Andreas Schneider asn@samba.org 2021-01-14T08:50:10+00:00 236c35f702d21fde5db7834ffaeab3f3032a2136 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests: Use --configfile instead of -s 2021-04-28T03:43:34+00:00 Andreas Schneider asn@samba.org 2021-04-14T09:44:51+00:00 f291b8f157156024fe6726ddf16218529b39f5e9 We should use long options in tests to make clear what we are trying to do. Also the -s short option will be removed for --configfile later. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We should use long options in tests to make clear what we are trying to
do.

Also the -s short option will be removed for --configfile later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests: Use ldbsearch '--scope instead of '-s' 2021-04-28T03:43:34+00:00 Andreas Schneider asn@samba.org 2020-12-17T11:25:15+00:00 fca9c56836cd28875d67eef6e33628f8a51ebd88 We should use long options in tests to make clear what we are trying to do. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We should use long options in tests to make clear what we are trying to
do.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
test samba-tool group listmembers: test listing contacts as group members 2021-04-26T12:32:35+00:00 Björn Baumbach bb@sernet.de 2021-04-23T16:01:33+00:00 86f2b8dab1102974d32275282dfe69f4af5b6834 Make sure that contacts are listed as group members, even if the --hide-expired option is used. Expect failure. Fix follows up. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14692 Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Rowland penny <rpenny@samba.org> 
Make sure that contacts are listed as group members, even if the
--hide-expired option is used.

Expect failure. Fix follows up.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14692

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Rowland penny <rpenny@samba.org>