samba.git/source4/setup, branch talloc-2.4.0 Unnamed repository; edit this file 'description' to name the repository. s4:setup:tests: Use system ldbdump if we build with system ldb 2022-12-23T15:31:31+00:00 Andreas Schneider asn@samba.org 2022-12-22T14:25:49+00:00 08be04bb930f8cdb370ea3d3a31907ab475d8989 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Dec 23 15:31:31 UTC 2022 on sn-devel-184 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 23 15:31:31 UTC 2022 on sn-devel-184
python:tests: Allocate OID range for testing to avoid collisions 2022-08-25T13:55:47+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-08-25T08:21:01+00:00 f99fb9aa120c5a7d499bff717b812d81ddd7e9f1 sid_strings.py used the same OID range as ldap_schema.py, which occasionally led to test failures when the same OID was generated twice. Using a different range, and making use of the expected RID if we have it, should reduce the likelihood of collisions. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Thu Aug 25 13:55:47 UTC 2022 on sn-devel-184 
sid_strings.py used the same OID range as ldap_schema.py, which
occasionally led to test failures when the same OID was generated twice.
Using a different range, and making use of the expected RID if we have
it, should reduce the likelihood of collisions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug 25 13:55:47 UTC 2022 on sn-devel-184
schema_samba4.ldif: Allocate previously added OIDs 2022-08-25T12:59:29+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-08-25T08:15:33+00:00 672ec6135f9ae3d7b5439523a4f456c19fb03a88 DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added to source4/dsdb/samdb/samdb.h in commit c2ab1f4696fa3f52918a126d0b37993a07f68bcb. DSDB_EXTENDED_SCHEMA_LOAD was added in commit 1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added
to source4/dsdb/samdb/samdb.h in commit
c2ab1f4696fa3f52918a126d0b37993a07f68bcb.

DSDB_EXTENDED_SCHEMA_LOAD was added in commit
1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4:setup: Fix shellcheck errors in provision_fileperms.sh 2022-08-22T14:20:36+00:00 Andreas Schneider asn@samba.org 2022-06-10T11:29:19+00:00 b1e80d02c761879ef526d7d80195e3a812b6bffc source4/setup/tests/provision_fileperms.sh:27:14: error: Iterating over ls output is fragile. Use globs. [SC2045] Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
source4/setup/tests/provision_fileperms.sh:27:14: error: Iterating over
ls output is fragile. Use globs. [SC2045]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
 s4:setup: Reformat shell scripts 2022-07-15T12:08:36+00:00 Andreas Schneider asn@samba.org 2022-02-23T11:03:50+00:00 bcd9794d64bbd0639ee6b44fbe62256301e171cf shfmt -f source4/setup/ | xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
shfmt -f source4/setup/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
 s4/dlz: add support for bind 9.18 2022-05-23T00:53:09+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2022-02-23T23:17:00+00:00 03036442deac25f58be4119e6c9ce2586e0abf51 It seems nothing has changed since 9.16 for our purposes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14986 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Andreas Hasenack <andreas@canonical.com> Pair-programmed-with: Andreas Hasenack <andreas@canonical.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Mon May 23 00:53:09 UTC 2022 on sn-devel-184 
It seems nothing has changed since 9.16 for our purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14986

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andreas Hasenack <andreas@canonical.com>
Pair-programmed-with: Andreas Hasenack <andreas@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Mon May 23 00:53:09 UTC 2022 on sn-devel-184
s4:provision_users.ldif: Add Protected Users group 2022-03-18T11:55:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-02-01T08:04:40+00:00 fb0f65b0b5f140ee0dd8fc962c744f23162e9d46 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CVE-2020-25722 blackbox/upgrades tests: ignore SPN for ldapcmp 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-10-28T00:07:01+00:00 55752c12cf14b64d981c9a6010ead0fd8d847857 We need to have the SPNs there before someone else nabs them, which makes the re-provisioned old releases different from the reference versions that we keep for this comparison. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We need to have the SPNs there before someone else nabs them, which
makes the re-provisioned old releases different from the reference
versions that we keep for this comparison.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 s4/provision: add host/ SPNs at the start 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-10-27T20:45:36+00:00 0a555cf097a5a8d38c7b61edaee838dd0973a989 There are two reasons for this. Firstly, leaving SPNs unclaimed is dangerous, as someone else could grab them first. Secondly, in some circumstances (self join) we try to add a DNS/ SPN a little bit later in provision. Under the rules we are introducing for CVE-2020-25722, this will make our later attempts to add HOST/ fail. This causes a few errors in samba4.blackbox.dbcheck.* tests, which assert that revivified old domains match stored reference versions. Now they don't, because they have servicePrincipalNames. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25722 tests: blackbox samba-tool spn non-admin test 2021-11-09T19:45:33+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2021-09-01T06:35:02+00:00 8cde23709050533c0da898ca0a1072bca0845890 It is soon going to be impossible to add duplicate SPNs (short of going behind DSDB's back on the local filesystem). Our test of adding SPNs on non-admin users doubled as the test for adding a duplicate (using --force). As --force is gone, we add these tests on Guest after the SPN on Administrator is gone. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
It is soon going to be impossible to add duplicate SPNs (short of
going behind DSDB's back on the local filesystem). Our test of adding
SPNs on non-admin users doubled as the test for adding a duplicate (using
--force). As --force is gone, we add these tests on Guest after the SPN
on Administrator is gone.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>