Compare revisions
Commits on Source (53), showing changes with 467 additions and 406 deletions
......@@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023"
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=19
SAMBA_VERSION_RELEASE=4
SAMBA_VERSION_RELEASE=5
########################################################
# If a official release has a serious bug #
......
==============================
Release Notes for Samba 4.19.5
February 19, 2024
==============================
This is the latest stable release of the Samba 4.19 release series.
Changes since 4.19.4
--------------------
o Ralph Boehme <slow@samba.org>
* BUG 13688: Windows 2016 fails to restore previous version of a file from a
shadow_copy2 snapshot.
* BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before
that).
o Bjoern Jacke <bj@sernet.de>
* BUG 12421: Fake directory create times has no effect.
o Björn Jacke <bjacke@samba.org>
* BUG 15550: ctime mixed up with mtime by smbd.
o David Mulder <dmulder@samba.org>
* BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
o Gabriel Nagy <gabriel.nagy@canonical.com>
* BUG 15557: gpupdate: The root cert import when NDES is not available is
broken.
o Andreas Schneider <asn@samba.org>
* BUG 15552: samba-gpupdate should print a useful message if cepces-submit
can't be found.
* BUG 15558: samba-gpupdate logging doesn't work.
o Jones Syue <jonessyue@qnap.com>
* BUG 15555: smbpasswd reset permissions only if not 0600.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.19.4
January 08, 2024
......@@ -78,8 +141,7 @@ database (https://bugzilla.samba.org/).
======================================================================
Release notes for older releases follow:
----------------------------------------
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.3
November 27, 2023
......
samba (2:4.19.5+dfsg-1) unstable; urgency=medium
* new upstream stable/bugfix release (4.19.5)
* reformat previous changelog entry to fit in 80cols
* d/winbind.postrm: stop recursively removing plain files
* d/winbind.postrm: winbindd_cache.tdb is in /var/lib now,
not in /var/cache
* d/control: RulesRequiresRoot:no
* d/*.symbols: use #PACKAGE# placeholders where appropriate
(or add comments where it is not)
* +silence-can-not-convert-group-sid.diff -
make another log message less annoying
* -python-fix-invalid-escape-sequences.patch (applied upstream)
* d/control: replace pkg-config=>pkgconf in Build-Depends, remove
pkg-config from Depends of libldb-dev and python3-ldb-dev
* d/samba-libs.symbols, d/control: make libsmbldapN a virtual package
provided by samba-libs too, like libndrN
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 19 Feb 2024 15:21:14 +0300
samba (2:4.19.4+dfsg-3) unstable; urgency=medium
* samba,winbind: remove logrotate scripts
samba does its own log rotation (max log size (=5000 by default) and renaming
to .old). The two clashes with each other in an interesting way.
* d/samba-libs.symbols, d/control: make libndrN a virtual package to ensure rdeps
pick the right dependency
samba does its own log rotation (max log size (=5000 by default) and
renaming to .old). The two clashes with each other in an interesting way.
* d/samba-libs.symbols, d/control: make libndrN a virtual package
to ensure rdeps pick the right dependency
-- Michael Tokarev <mjt@tls.msk.ru> Tue, 30 Jan 2024 12:12:42 +0300
......
......@@ -27,7 +27,7 @@ Build-Depends-Arch:
libtdb-dev (>= 1.4.9~),
python3-tdb (>= 1.4.9~),
# system libraries:
pkg-config,
pkgconf,
libacl1-dev,
libarchive-dev,
libavahi-client-dev,
......@@ -75,7 +75,7 @@ Build-Depends-Arch:
# python3-iso8601 <!nocheck>,
# python3-pyasn1 <!nocheck>,
# tdb-tools <!nocheck>,
Rules-Requires-Root: binary-targets
Rules-Requires-Root: no
Vcs-Browser: https://salsa.debian.org/samba-team/samba
Vcs-Git: https://salsa.debian.org/samba-team/samba.git
......@@ -130,7 +130,7 @@ Pre-Depends: ${misc:Pre-Depends}
Multi-Arch: same
Architecture: any
Section: libs
Provides: libndr3 (= ${binary:Version})
Provides: libndr3 (= ${binary:Version}), libsmbldap2 (= ${binary:Version})
Depends: ${misc:Depends}, ${shlibs:Depends},
# since libldb ABI is incorrectly versioned resulting in breakage like #1021371,
# just require libldb version of the same build
......@@ -583,7 +583,6 @@ Depends: libc6-dev,
libtalloc-dev,
libtevent-dev,
libtdb-dev,
pkg-config,
${misc:Depends}
Description: LDAP-like embedded database - development files
ldb is a LDAP-like embedded database built on top of TDB.
......@@ -613,7 +612,6 @@ Section: libdevel
Architecture: any
Depends: libc6-dev,
libldb-dev,
pkg-config,
python3-ldb (= ${binary:Version}),
${misc:Depends}
Description: LDB Python 3 bindings - development files
......
libsmbclient.so.0 libsmbclient #MINVER#
libsmbclient.so.0 #PACKAGE# #MINVER#
* Build-Depends-Package: libsmbclient-dev
SMBCLIENT_0.1.0@SMBCLIENT_0.1.0 2:4.0.3+dfsg1
SMBCLIENT_0.2.0@SMBCLIENT_0.2.0 2:4.0.3+dfsg1
......
libwbclient.so.0 libwbclient0 #MINVER#
libwbclient.so.0 #PACKAGE# #MINVER#
* Build-Depends-Package: libwbclient-dev
WBCLIENT_0.9@WBCLIENT_0.9 2:4.0.3+dfsg1
WBCLIENT_0.10@WBCLIENT_0.10 2:4.0.3+dfsg1
......
Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/b068592dd0dccce634cb17b66f0659ba60523908
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 25 Aug 2023 13:56:21 +1200
Subject: python: Fix invalid escape sequences
Comment: mjt: remove 1 hunk from python/samba/tests/gpo.py not present in 4.19
Bug-Debian: https://bugs.debian.org/1057668
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +-
python/samba/graph.py | 2 +-
python/samba/tests/gpo.py | 66 +++++++++++-----------
python/samba/tests/samba_tool/gpo.py | 2 +-
4 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
index d626aca0cf2..14fef311348 100644
--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
@@ -335,7 +335,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def __str__(self):
- return 'Cryptography\AutoEnrollment'
+ return r'Cryptography\AutoEnrollment'
def unapply(self, guid, attribute, value):
ca_cn = base64.b64decode(attribute)
@@ -387,7 +387,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
for gpo in changed_gpo_list:
if gpo.file_sys_path:
- section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+ section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
pol_file = 'MACHINE/Registry.pol'
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
@@ -507,7 +507,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def rsop(self, gpo):
output = {}
pol_file = 'MACHINE/Registry.pol'
- section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
+ section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
diff --git a/python/samba/graph.py b/python/samba/graph.py
index 537dc661fb3..4c4a07f47ae 100644
--- a/python/samba/graph.py
+++ b/python/samba/graph.py
@@ -192,7 +192,7 @@ def compile_graph_key(key_items, nodes_above=None, elisions=None,
short = short[1:]
long = long[1:]
elision_str += ('\nelision%d[shape=plaintext; style=solid; '
- 'label="\“%s” means “%s”\\r"]\n'
+ 'label="\\“%s” means “%s”\\r"]\n'
% ((i, short, long)))
above_lines = []
diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py
index 2b6217b702f..d59cb06b565 100644
--- a/python/samba/tests/gpo.py
+++ b/python/samba/tests/gpo.py
@@ -123,7 +123,7 @@ dspath = 'CN=Policies,CN=System,' + base_dn
gpt_data = '[General]\nVersion=%d'
gnome_test_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="26" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -260,7 +260,7 @@ b"""
"""
auto_enroll_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="3" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -304,7 +304,7 @@ b"""
"""
advanced_enroll_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="30" signature="PReg" version="1">
<Entry type="1" type_name="REG_SZ">
@@ -338,122 +338,122 @@ b"""
<Value>0</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>URL</ValueName>
<Value>LDAP:</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54</Key>
<ValueName>Cost</ValueName>
<Value>2147483645</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>URL</ValueName>
<Value>https://example2.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>AuthFlags</ValueName>
<Value>8</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\144bdbb8e4717c26e408f3c9a0cb8d6cfacbcbbe</Key>
<ValueName>Cost</ValueName>
<Value>10</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>URL</ValueName>
<Value>https://example0.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example0</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\20d46e856e9b9746c0b1265c328f126a7b3283a9</Key>
<ValueName>Cost</ValueName>
<Value>1</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>URL</ValueName>
<Value>https://example1.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>PolicyID</ValueName>
<Value>%s</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>FriendlyName</ValueName>
<Value>Example1</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>Flags</ValueName>
<Value>16</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>AuthFlags</ValueName>
<Value>2</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
- <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
+ <Key>Software\Policies\Microsoft\Cryptography\PolicyServers\855b5246433a48402ac4f5c3427566df26ccc9ac</Key>
<ValueName>Cost</ValueName>
<Value>1</Value>
</Entry>
@@ -2116,7 +2116,7 @@ firefox_json_expected = \
"""
chromium_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="418" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
@@ -3012,12 +3012,12 @@ b"""
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome</Key>
<ValueName>RestrictSigninToPattern</ValueName>
- <Value>.*@example\\.com</Value>
+ <Value>.*@example\.com</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome</Key>
<ValueName>RoamingProfileLocation</ValueName>
- <Value>${roaming_app_data}\\chrome-profile</Value>
+ <Value>${roaming_app_data}\chrome-profile</Value>
</Entry>
<Entry type="4" type_name="REG_DWORD">
<Key>Software\Policies\Google\Chrome</Key>
@@ -3267,7 +3267,7 @@ b"""
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome\AlternativeBrowserParameters</Key>
<ValueName>5</ValueName>
- <Value>%HOME%\\browser_profile</Value>
+ <Value>%HOME%\browser_profile</Value>
</Entry>
<Entry type="1" type_name="REG_SZ">
<Key>Software\Policies\Google\Chrome\AudioCaptureAllowedUrls</Key>
@@ -4973,7 +4973,7 @@ b"""
"""
firewalld_reg_pol = \
-b"""
+br"""
<?xml version="1.0" encoding="utf-8"?>
<PolFile num_entries="6" signature="PReg" version="1">
<Entry type="4" type_name="REG_DWORD">
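Review bot: The `b"""` to `br"""` switch on `firewalld_reg_pol`, and on `gnome_test_reg_pol` and `auto_enroll_reg_pol` earlier in this file, changes how every backslash sequence inside the literal is interpreted, but only `advanced_enroll_reg_pol` and `chromium_reg_pol` have visible body hunks that collapse `\\` to `\`. Confirm the other three literals contain no doubled backslashes or escapes such as `\n` that relied on non-raw interpretation, otherwise the test fixtures change value without any test noticing.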
diff --git a/python/samba/tests/samba_tool/gpo.py b/python/samba/tests/samba_tool/gpo.py
index 70e7e8acdf0..f5adccb88a1 100644
--- a/python/samba/tests/samba_tool/gpo.py
+++ b/python/samba/tests/samba_tool/gpo.py
@@ -1804,7 +1804,7 @@ class GpoCmdTestCase(SambaToolCmdTest):
'The test cse was not enabled')
self.assertIn('UserPolicy : False', out,
'The test cse should not have User policy enabled')
- cse_ext = re.findall('^UniqueGUID\s+:\s+(.*)', out)
+ cse_ext = re.findall(r'^UniqueGUID\s+:\s+(.*)', out)
self.assertEquals(len(cse_ext), 1,
'The test cse GUID was not found')
cse_ext = cse_ext[0]
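Review bot: The context line `self.assertEquals(len(cse_ext), 1,` directly after the changed `re.findall` call still uses the `assertEquals` alias, which Python 3.12 removed from unittest; since this patch is a Python deprecation cleanup, change it to `assertEqual` in the same pass. The pattern also anchors with `^` while `re.findall` is called without `re.MULTILINE`, so it matches only if `UniqueGUID` begins the output; pass `re.MULTILINE` if the field can appear on a later line.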
--
2.39.2
......@@ -22,4 +22,4 @@ fruit-disable-useless-size_t-overflow-check.patch
meaningful-error-if-no-samba-ad-provision.patch
meaningful-error-if-no-python3-markdown.patch
ctdb-use-run-instead-of-var-run.patch
python-fix-invalid-escape-sequences.patch
silence-can-not-convert-group-sid.diff
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Wed, 14 Feb 2024 15:26:29 +0300
Subject: silence "Can not convert group sid" warnings in the log
Forwarded: yes
/var/log/samba/log.winbind is full of messages like:
[2024/02/09 06:25:04.788182, 1, pid=74620] source3/winbindd/winbindd_getgroups.c:259(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
On a busy server these are logged several 1000s times per minute,
making any other messages basically invisible.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index c2603cc7026..f252e14bf95 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -257,5 +257,5 @@ NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
if (tevent_req_is_nterror(req, &status)) {
struct dom_sid_buf buf;
- D_WARNING("Could not convert sid %s: %s\n",
+ D_DEBUG("Could not convert sid %s: %s\n",
dom_sid_str_buf(&state->sid, &buf),
nt_errstr(status));
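Review bot: Replacing `D_WARNING` with `D_DEBUG` in `winbindd_getgroups_recv` demotes every failed SID conversion, not only the `S-0-0` case quoted in the description, so a mapping failure for a real group SID also disappears at normal log levels. Consider lowering the level only when `state->sid` is the all-zero `S-0-0` value, or using an intermediate level such as `D_NOTICE`, so genuine identity-mapping problems stay visible to whoever monitors log.winbind.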
#libpyldb-util${DEB_PY3_EXTENSION_SUFFIX}.2 python3-ldb #MINVER#
#libpyldb-util${DEB_PY3_EXTENSION_SUFFIX}.2 #PACKAGE# #MINVER#
# PYLDB_UTIL${DEB_PY3_EXTENSION_UPCASE}_2.5.0@PYLDB_UTIL${DEB_PY3_EXTENSION_UPCASE}_2.5.0 2:2.5.0
PYLDB_UTIL_1.1.2@PYLDB_UTIL_1.1.2 2:2.2.0
PYLDB_UTIL_1.1.3@PYLDB_UTIL_1.1.3 2:2.0.7
......
......@@ -327,7 +327,7 @@ override_dh_makeshlibs:
{ \
suff=$$(${DEB_HOST_MULTIARCH}-python3-config --extension-suffix | tr _ -); \
SUFF=$$(echo "$${suff%.so}" | tr a-z- A-Z_); \
echo "libpyldb-util$${suff}.2 python3-ldb #MINVER#"; \
echo "libpyldb-util$${suff}.2 #PACKAGE# #MINVER#"; \
echo "* Build-Depends-Package: python3-ldb-dev" ; \
echo " PYLDB_UTIL$${SUFF}_${LDB_VERSION}@PYLDB_UTIL$${SUFF}_${LDB_VERSION} ${LDB_EPOCH}${LDB_VERSION}"; \
cat debian/python3-ldb.symbols.in; \
......
# libndrN is a virtual package provided by samba-libs
libndr.so.3 libndr3 #MINVER#
* Build-Depends-Package: samba-dev
GUID_all_zero@NDR_0.0.1 2:4.17.2
......@@ -294,7 +295,8 @@ libndr.so.3 libndr3 #MINVER#
ndr_transfer_syntax_ndr@NDR_0.0.1 2:4.17.2
ndr_zero_memory@NDR_0.2.0 2:4.17.2
libsmbldap.so.2 #PACKAGE# #MINVER#
# libsmbldapN is a virtual package provided by samba-libs
libsmbldap.so.2 libsmbldap2 #MINVER#
* Build-Depends-Package: samba-dev
SMBLDAP_0@SMBLDAP_0 2:4.16.6
SMBLDAP_1@SMBLDAP_1 2:4.16.6
......
......@@ -2,11 +2,13 @@
set -e
if [ "$1" = purge ]; then
winbindd_privileged_socket_directory='/var/lib/samba/winbindd_privileged'
rm -rf /var/cache/samba/netsamlogon_cache.tdb /var/cache/samba/winbindd_cache.tdb
rm -rf "$winbindd_privileged_socket_directory"
rm -rf /var/log/samba/log.winbind* /var/log/samba/log.wb*
rm -rf /run/samba/winbindd.pid
rm -rf /var/lib/samba/winbindd_privileged/
rm -f \
/var/cache/samba/netsamlogon_cache.tdb \
/var/lib/samba/winbindd_cache.tdb \
/var/log/samba/log.winbind* \
/var/log/samba/log.wb* \
/run/samba/winbindd.pid
fi
#DEBHELPER#
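Review bot: The `rm -f` list removes `/var/lib/samba/winbindd_cache.tdb` but no longer `/var/cache/samba/winbindd_cache.tdb`, which the earlier `rm -rf` line covered, so a system that still has a cache file at the old location keeps it after purge. List both paths; `rm -f` ignores whichever one does not exist.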
......@@ -1450,7 +1450,7 @@ struct timespec get_ctimespec(const struct stat *pst)
{
struct timespec ret;
ret.tv_sec = pst->st_mtime;
ret.tv_sec = pst->st_ctime;
ret.tv_nsec = get_ctimensec(pst);
return ret;
}
......
......@@ -45,10 +45,12 @@ cert_wrap = b"""
-----BEGIN CERTIFICATE-----
%s
-----END CERTIFICATE-----"""
global_trust_dir = '/etc/pki/trust/anchors'
endpoint_re = '(https|HTTPS)://(?P<server>[a-zA-Z0-9.-]+)/ADPolicyProvider' + \
'_CEP_(?P<auth>[a-zA-Z]+)/service.svc/CEP'
global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE
'/etc/pki/ca-trust/source/anchors', # RHEL/Fedora
'/usr/local/share/ca-certificates'] # Debian/Ubuntu
def octet_string_to_objectGUID(data):
"""Convert an octet string to an objectGUID."""
......@@ -156,7 +158,7 @@ def fetch_certification_authorities(ldb):
for es in res:
data = { 'name': get_string(es['cn'][0]),
'hostname': get_string(es['dNSHostName'][0]),
'cACertificate': get_string(es['cACertificate'][0])
'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
}
result.append(data)
return result
......@@ -174,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
return {'msPKI-Minimal-Key-Size': ['2048']}
def format_root_cert(cert):
cert = base64.b64encode(cert.encode())
return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
def find_cepces_submit():
certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',
......@@ -184,17 +185,19 @@ def find_cepces_submit():
def get_supported_templates(server):
cepces_submit = find_cepces_submit()
if os.path.exists(cepces_submit):
env = os.environ
env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
env=env, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
if p.returncode != 0:
data = { 'Error': err.decode() }
log.error('Failed to fetch the list of supported templates.', data)
return out.strip().split()
return []
if not cepces_submit or not os.path.exists(cepces_submit):
log.error('Failed to find cepces-submit')
return []
env = os.environ
env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
env=env, stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
if p.returncode != 0:
data = {'Error': err.decode()}
log.error('Failed to fetch the list of supported templates.', data)
return out.strip().split()
def getca(ca, url, trust_dir):
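Review bot: In `get_supported_templates`, the `if p.returncode != 0:` branch logs the failure but then falls through to `return out.strip().split()`, so a failed cepces-submit run still returns whatever was on stdout as a template list; add `return []` right after the `log.error` call. Separately, `env = os.environ` aliases the process environment rather than copying it, so `CERTMONGER_OPERATION` stays set for every later child process; use `os.environ.copy()`.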
......@@ -214,10 +217,11 @@ def getca(ca, url, trust_dir):
' installed or not configured.')
if 'cACertificate' in ca:
log.warn('Installing the server certificate only.')
der_certificate = base64.b64decode(ca['cACertificate'])
try:
cert = load_der_x509_certificate(ca['cACertificate'])
cert = load_der_x509_certificate(der_certificate)
except TypeError:
cert = load_der_x509_certificate(ca['cACertificate'],
cert = load_der_x509_certificate(der_certificate,
default_backend())
cert_data = cert.public_bytes(Encoding.PEM)
with open(root_cert, 'wb') as w:
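Review bot: `der_certificate = base64.b64decode(ca['cACertificate'])` sits above the `try:` and the only handler is `except TypeError`, so a `cACertificate` value that is not valid base64 raises `binascii.Error` out of `getca` instead of being reported. Move the decode inside a guarded block and log which CA entry carried the bad value before skipping it.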
......@@ -239,7 +243,8 @@ def getca(ca, url, trust_dir):
certs = load_der_pkcs7_certificates(r.content)
for i in range(0, len(certs)):
cert = certs[i].public_bytes(Encoding.PEM)
dest = '%s.%d' % (root_cert, i)
filename, extension = root_cert.rsplit('.', 1)
dest = '%s.%d.%s' % (filename, i, extension)
with open(dest, 'wb') as w:
w.write(cert)
root_certs.append(dest)
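Review bot: `filename, extension = root_cert.rsplit('.', 1)` raises `ValueError` when `root_cert` contains no dot, and splits inside a directory name when only the directory part has one. `os.path.splitext(root_cert)` handles both cases and still lets the index go before the extension.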
......@@ -249,12 +254,29 @@ def getca(ca, url, trust_dir):
return root_certs
def find_global_trust_dir():
"""Return the global trust dir using known paths from various Linux distros."""
for trust_dir in global_trust_dirs:
if os.path.isdir(trust_dir):
return trust_dir
return global_trust_dirs[0]
def update_ca_command():
"""Return the command to update the CA trust store."""
return which('update-ca-certificates') or which('update-ca-trust')
def changed(new_data, old_data):
"""Return True if any key present in both dicts has changed."""
return any((new_data[k] != old_data[k] if k in old_data else False) \
for k in new_data.keys())
def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
"""Install the root certificate chain."""
data = dict({'files': [], 'templates': []}, **ca)
url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
root_certs = getca(ca, url, trust_dir)
data['files'].extend(root_certs)
global_trust_dir = find_global_trust_dir()
for src in root_certs:
# Symlink the certs to global trust dir
dst = os.path.join(global_trust_dir, os.path.basename(src))
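Review bot: `find_global_trust_dir()` and `update_ca_command()` are resolved independently, so the directory that receives the symlinks and the tool that is run can come from different distro conventions: `which('update-ca-certificates')` is tried first regardless of which entry of `global_trust_dirs` exists, and `global_trust_dirs[0]` is returned even when that directory is absent. Keep each directory paired with its update command in one table and log when no pair matches, so root certificates are not linked into a location the trust-store update never reads.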
......@@ -273,7 +295,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
# already exists. Ignore the FileExistsError. Preserve the
# existing symlink in the unapply data.
data['files'].append(dst)
update = which('update-ca-certificates')
update = update_ca_command()
if update is not None:
Popen([update]).wait()
# Setup Certificate Auto Enrollment
......@@ -316,7 +338,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def __str__(self):
return 'Cryptography\AutoEnrollment'
return r'Cryptography\AutoEnrollment'
def unapply(self, guid, attribute, value):
ca_cn = base64.b64decode(attribute)
......@@ -337,12 +359,13 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
# If the policy has changed, unapply, then apply new policy
old_val = self.cache_get_attribute_value(guid, attribute)
old_data = json.loads(old_val) if old_val is not None else {}
if all([(ca[k] == old_data[k] if k in old_data else False) \
for k in ca.keys()]) or \
self.cache_get_apply_state() == GPOSTATE.ENFORCE:
templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \
if old_val is not None else []
new_data = { 'templates': templates, **ca }
if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
self.unapply(guid, attribute, old_val)
# If policy is already applied, skip application
if old_val is not None and \
# If policy is already applied and unchanged, skip application
if old_val is not None and not changed(new_data, old_data) and \
self.cache_get_apply_state() != GPOSTATE.ENFORCE:
return
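Review bot: `templates` is rebuilt from `get_supported_templates(ca['hostname'])` on every run, and that function returns `[]` when cepces-submit cannot be found, so a transient lookup failure makes `changed(new_data, old_data)` true and triggers `self.unapply(guid, attribute, old_val)` for a policy that has not actually changed. Distinguish "could not query" from "no templates" (for example by returning `None`) and skip the template comparison in that case.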
......@@ -368,7 +391,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
for gpo in changed_gpo_list:
if gpo.file_sys_path:
section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
pol_file = 'MACHINE/Registry.pol'
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
......@@ -396,7 +419,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
# remove any existing policy
ca_attrs = \
self.cache_get_all_attribute_values(gpo.name)
self.clean(gpo.name, remove=ca_attrs)
self.clean(gpo.name, remove=list(ca_attrs.keys()))
def __read_cep_data(self, guid, ldb, end_point_information,
trust_dir, private_dir):
......@@ -488,7 +511,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
def rsop(self, gpo):
output = {}
pol_file = 'MACHINE/Registry.pol'
section = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
section = r'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
if gpo.file_sys_path:
path = os.path.join(gpo.file_sys_path, pol_file)
pol_conf = self.parse(path)
......
......@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username):
# (S)ite
if gpo_list_machine:
site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
try:
log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
gp_link = get_gpo_link(samdb, site_dn)
except ldb.LdbError as e:
(enum, estr) = e.args
log.debug(estr)
else:
add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
site_dn, gp_link,
gpo.GP_LINK_SITE,
add_only_forced_gpos, token)
site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
try:
log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn)
gp_link = get_gpo_link(samdb, site_dn)
except ldb.LdbError as e:
(enum, estr) = e.args
log.debug(estr)
else:
add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list,
site_dn, gp_link,
gpo.GP_LINK_SITE,
add_only_forced_gpos, token)
except ldb.LdbError:
# [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns
# ERROR_NO_SITENAME, the remainder of this message MUST be skipped
# and the protocol sequence MUST continue at GPO Search
pass
# (L)ocal
gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy",
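Review bot: The new outer `except ldb.LdbError: pass` discards every `LdbError` raised by `site_dn_for_machine(...)`, not only the ERROR_NO_SITENAME case the comment cites, and leaves nothing in the log. Log the error at debug level the way the inner handler does with `log.debug(estr)`, or check the error code before skipping the site search, so an unexpected directory failure is not mistaken for a machine without a site.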
......
......@@ -24,9 +24,10 @@ import gettext
import random
import sys
logger = logging.getLogger()
logger = logging.getLogger("gp")
def logger_init(name, log_level):
logger = logging.getLogger(name)
logger.addHandler(logging.StreamHandler(sys.stdout))
logger.setLevel(logging.CRITICAL)
if log_level == 1:
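Review bot: `logger_init(name, log_level)` now attaches the stdout handler and level to `logging.getLogger(name)` while the module-level logger is `logging.getLogger("gp")`, so records reach the handler only if `name` is `"gp"` or one of its ancestors in the logger hierarchy. State that requirement in a docstring on `logger_init`, or configure the `"gp"` logger directly, so a caller passing a different name does not silently lose all gpupdate log output again.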
......
......@@ -192,7 +192,7 @@ def compile_graph_key(key_items, nodes_above=None, elisions=None,
short = short[1:]
long = long[1:]
elision_str += ('\nelision%d[shape=plaintext; style=solid; '
'label="\“%s” means “%s”\\r"]\n'
'label="\\“%s” means “%s”\\r"]\n'
% ((i, short, long)))
above_lines = []
......
......@@ -14,4 +14,5 @@ if __name__ == "__main__":
assert opts.auth == 'Kerberos'
if 'CERTMONGER_OPERATION' in os.environ and \
os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
print('Machine') # Report a Machine template
templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',')
print('\n'.join(templates)) # Report the requested templates