The branch, v4-3-stable has been updated
       via  5d9f4f9 VERSION: Release Samba 4.3.0rc3
       via  5b3545e WHATSNEW: Update release notes for Samba 4.3.0rc3
       via  dfa6a2d ctdb-daemon: Correctly process the exit code from failed eventscripts
       via  37e126d ctdb-tool: Correctly print timed out event scripts output
       via  88c53b8 s3:lib: fix some corner cases of open_socket_out_cleanup()
       via  2aff77c s3:smb2_negprot: prefer AES128_CCM if the client supports it
       via  ef11f8d libcli/smb: prefer AES128_CCM
       via  9da9cf5 release-scripts/build-manpages-nogit: run make realdistclean at the end
       via  6fc5d55 Revert "ldb-samba: Implement transitive extended matching"
       via  3f5cd1f Revert "dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN"
       via  ec7f97c ctdb-pmda: Add missing prototype declaration for non-static function
       via  d0c4863 ctdb-daemon: Check if updates are in flight when releasing all IPs
       via  3c7f3e7 ctdb-banning: If node is already banned, do not run ctdb_local_node_got_banned()
       via  b37340b s3-net: use talloc array in share allowedusers
       via  0c7e786 s4:torture:vfs_fruit: add a test for stream names
       via  3c1e7cb s4:torture:vfs_fruit: pass xattr name as arg to torture_setup_local_xattr()
       via  047cbb3 vfs_catia: run translation on stream names
       via  fe55c949 vfs_streams_xattr: stream names may contain colons
       via  977be7b python:samba/upgrade.py Fix format string syntax in error condition
       via  20d00d3 s4:rpc_server/netlogon: Fix for NetApp
       via  1d3e6b5 WHATSNEW: Add description of improved cross-compilation support
       via  f8b5de9 WHATSNEW: Document CTDB logging and NFS changes
       via  4fb42e8 WHATSNEW: add a section about samba-tool fsmo
       via  e408235 script/librelease.sh: this is replaced by script/release.sh now
       via  e41e6a5 script/release.sh: This is a new script to do releases
       via  c55e72e WHATSNEW: fix version numbers
       via  3f010b5 WHATSNEW: Prepare release notes for Samba 4.3.0rc3
       via  47f47d9 VERSION: Bump version up to 4.3.0rc3...
      from  dd3c69d VERSION: Release Samba 4.3.0rc2

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    | 113 ++++-
 ctdb/server/ctdb_banning.c                      |   7 +-
 ctdb/server/ctdb_event_helper.c                 |   6 +-
 ctdb/server/ctdb_takeover.c                     |  18 +-
 ctdb/tools/ctdb.c                               |   8 +
 ctdb/utils/pmda/pmda_ctdb.c                     |   3 +-
 lib/ldb-samba/ldb_matching_rules.c              | 338 -------------
 lib/ldb-samba/ldb_matching_rules.h              |  28 --
 lib/ldb-samba/ldif_handlers.c                   |   6 -
 lib/ldb-samba/wscript_build                     |   2 +-
 libcli/smb/smbXcli_base.c                       |   8 +-
 python/samba/upgrade.py                         |   2 +-
 release-scripts/build-manpages-nogit            |   4 +
 script/librelease.sh                            | 110 -----
 script/release.sh                               | 615 ++++++++++++++++++++++++
 selftest/knownfail                              |  13 +
 selftest/target/Samba3.pm                       |   3 +-
 selftest/target/Samba4.pm                       |   3 +-
 source3/lib/util_sock.c                         |   3 +
 source3/modules/vfs_catia.c                     |  58 ++-
 source3/modules/vfs_streams_xattr.c             |  16 +-
 source3/smbd/smb2_negprot.c                     |  18 +-
 source3/utils/net_rpc.c                         |  24 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c |   4 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c   |  22 +-
 source4/torture/vfs/fruit.c                     | 143 +++++-
 27 files changed, 1052 insertions(+), 525 deletions(-)
 delete mode 100644 lib/ldb-samba/ldb_matching_rules.c
 delete mode 100644 lib/ldb-samba/ldb_matching_rules.h
 delete mode 100755 script/librelease.sh
 create mode 100755 script/release.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index cf10465..799aa62 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1                      #
 #  ->  "3.0.0rc1"                                      #
 ########################################################
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=3
 
 ########################################################
 # To mark SVN snapshots this should be set to 'yes'    #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f2ff8d4..68ff6ef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =====================
 
-This is the second release candidate of Samba 4.3.  This is *not*
+This is the third release candidate of Samba 4.3.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -126,6 +126,12 @@ Both client and server have support for SMB 3.1.1 now.
 This is the dialect introduced with Windows 10, it improves the secure
 negotiation of SMB dialects and features.
 
+There's also a new optinal encryption algorithm aes-gcm-128,
+but for now this is only selected as fallback and aes-ccm-128
+is preferred because of the better performance. This might change
+in future versions when hardware encryption will be supported.
+See https://bugzilla.samba.org/show_bug.cgi?id=11451.
+
 New smbclient subcommands
 -------------------------
 
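Review bot: typo in the first added line of this hunk, "optinal" should be "optional". The paragraph also writes the algorithms as aes-gcm-128 and aes-ccm-128 while the commit subjects in this push use AES128_CCM; one spelling throughout the release notes would make them easier to search. "when hardware encryption will be supported" reads better as "once hardware encryption is supported".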
@@ -177,6 +183,80 @@ The "tls priority" option can be used to change the 
supported TLS
 protocols. The default is to disable SSLv3, which is no longer
 considered secure.
 
+Samba-tool now supports all 7 FSMO roles
+-------------------------------------------------------
+
+Previously "samba-tool fsmo" could only show, transfer or seize the
+five well-known FSMO roles:
+
+       Schema Master
+       Domain Naming Master
+       RID Master
+       PDC Emulator
+       Infrastructure Master
+
+It can now also show, transfer or seize the DNS infrastructure roles:
+
+       DomainDnsZones Infrastructure Master
+       ForestDnsZones Infrastructure Master
+
+CTDB logging changes
+--------------------
+
+The destination for CTDB logging is now set via a single new
+configuration variable CTDB_LOGGING.  This replaces CTDB_LOGFILE and
+CTDB_SYSLOG, which have both been removed.  See ctdbd.conf(5) for
+details of CTDB_LOGGING.
+
+CTDB no longer runs a separate logging daemon.
+
+CTDB NFS support changes
+------------------------
+
+CTDB's NFS service management has been combined into a single 60.nfs
+event script.  This updated 60.nfs script now uses a call-out to
+interact with different NFS implementations.  See the CTDB_NFS_CALLOUT
+option in the ctdbd.conf(5) manual page for details.  A default
+call-out is provided to interact with the Linux kernel NFS
+implementation.  The 60.ganesha event script has been removed - a
+sample call-out is provided for NFS Ganesha, based on this script.
+
+The method of configuring NFS RPC checks has been improved.  See
+ctdb/config/nfs-checks.d/README for details.
+
+Improved Cross-Compiling Support
+--------------------------------
+
+A new "hybrid" build configuration mode is added to improve
+cross-compilation support.
+
+A common challenge in cross-compilation is that of obtaining the results
+of tests that have to run on the target, during the configuration
+phase of the build. The Samba build system already supports the following
+means to do so:
+
+  - Executing configure tests using the --cross-execute parameter
+  - Obtaining the results from an answers file using the --cross-answers
+    parameter
+
+The first method has the drawback of inaccurate results if the tests are
+run using an emulator, or a need to be connected to a running target
+while building, if the tests are to be run on an actual target. The
+second method presents a challenge of figuring out the test results.
+
+The new hybrid mode runs the tests and records the result in an answer file.
+To activate this mode, use both --cross-execute and --cross-answers in the
+same configure invocation. This mode can be activated once against a
+running target, and then the generated answers file can be used in
+subsequent builds.
+
+Also supplied is an example script that can be used as the
+cross-execute program. This script copies the test to a running target
+and runs the test on the target, obtaining the result. The obtained
+results are more accurate than running the test with an emulator, because
+they reflect the exact kernel and system libraries that exist on the
+target.
+
 
 ######################################################################
 Changes
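Review bot: in the new "Improved Cross-Compiling Support" section, "Also supplied is an example script" does not say where the script lives in the tree; naming its path would let readers find it. Separately, the underline added beneath "Samba-tool now supports all 7 FSMO roles" is longer than the heading, unlike the other sections added in this hunk whose underlines match the title length; trim it to match.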
@@ -210,7 +290,36 @@ KNOWN ISSUES
 Currently none.
 
 
-CHANGES SINCE 4.2.0rc1
+CHANGES SINCE 4.3.0rc2
+======================
+
+o   Andrew Bartlett <abart...@samba.org>
+    * Bug 11436: samba-tool uncaught exception error
+    * Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941
+                 LDAP_MATCHING_RULE_IN_CHAIN changes
+
+o   Ralph Boehme <s...@samba.org>
+    * Bug 11278: Stream names with colon don't work with
+                 fruit:encoding = native
+    * Bug 11426: net share allowedusers crashes
+
+o   Amitay Isaacs <ami...@gmail.com>
+    * Bug 11432: Fix crash in nested ctdb banning
+    * Bug 11434: Cannot build ctdbpmda
+    * Bug 11431: CTDB's eventscript error handling is broken
+
+o   Stefan Metzmacher <me...@samba.org>
+    * Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1)
+    * Bug 11316: tevent_fd needs to be destroyed before closing the fd
+
+o   Arvid Requate <requ...@univention.de>
+    * Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs
+
+o   Martin Schwenke <mar...@meltin.net>
+    * Bug 11432: Fix crash in nested ctdb banning
+
+
+CHANGES SINCE 4.3.0rc1
 ======================
 
 o   Jeremy Allison <j...@samba.org>
diff --git a/ctdb/server/ctdb_banning.c b/ctdb/server/ctdb_banning.c
index a9d1891..d8f7ab1 100644
--- a/ctdb/server/ctdb_banning.c
+++ b/ctdb/server/ctdb_banning.c
@@ -80,6 +80,7 @@ void ctdb_local_node_got_banned(struct ctdb_context *ctdb)
 int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata)
 {
        struct ctdb_ban_time *bantime = (struct ctdb_ban_time *)indata.dptr;
+       bool already_banned;
 
        DEBUG(DEBUG_INFO,("SET BAN STATE\n"));
 
@@ -107,9 +108,11 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context 
*ctdb, TDB_DATA indata)
                return 0;
        }
 
+       already_banned = false;
        if (ctdb->banning_ctx != NULL) {
                talloc_free(ctdb->banning_ctx);
                ctdb->banning_ctx = NULL;
+               already_banned = true;
        }
 
        if (bantime->time == 0) {
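Review bot: `already_banned = false;` followed by setting it to true inside the `banning_ctx != NULL` branch can be a single assignment placed before the `talloc_free()`, for example `already_banned = (ctdb->banning_ctx != NULL);`. That also avoids the separate uninitialised declaration added in the previous hunk.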
@@ -136,7 +139,9 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context 
*ctdb, TDB_DATA indata)
 
        event_add_timed(ctdb->ev, ctdb->banning_ctx, 
timeval_current_ofs(bantime->time,0), ctdb_ban_node_event, ctdb);
 
-       ctdb_local_node_got_banned(ctdb);
+       if (!already_banned) {
+               ctdb_local_node_got_banned(ctdb);
+       }
        return 0;
 }
 
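Review bot: the new `if (!already_banned)` guard around `ctdb_local_node_got_banned(ctdb)` carries no comment saying why the call must be skipped on a repeat ban. A one-line comment referencing the nested banning crash (the release notes in this push list it as Bug 11432) would stop a later cleanup from removing the guard.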
diff --git a/ctdb/server/ctdb_event_helper.c b/ctdb/server/ctdb_event_helper.c
index f14e336..a1b5318 100644
--- a/ctdb/server/ctdb_event_helper.c
+++ b/ctdb/server/ctdb_event_helper.c
@@ -128,7 +128,11 @@ int main(int argc, char *argv[])
                exit(1);
        }
        if (WIFEXITED(status)) {
-               output = -WEXITSTATUS(status);
+               output = WEXITSTATUS(status);
+               /* Only errors should be returned as -ve values */
+               if (output == ENOENT || output == ENOEXEC) {
+                       output = -output;
+               }
                sys_write(write_fd, &output, sizeof(output));
                exit(0);
        }
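Review bot: in the `WIFEXITED` branch, negating only when `output == ENOENT || output == ENOEXEC` means an event script that itself exits with a status numerically equal to ENOENT or ENOEXEC is reported as a negative errno, indistinguishable from the helper failing to run the script. If that collision is accepted, say so in the comment next to "Only errors should be returned as -ve values"; otherwise the exec-failure case needs to be signalled separately from the script's own exit status.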
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index d5d2b39..efc80b1 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -3128,9 +3128,6 @@ void ctdb_takeover_client_destructor_hook(struct 
ctdb_client *client)
 }
 
 
-/*
-  release all IPs on shutdown
- */
 void ctdb_release_all_ips(struct ctdb_context *ctdb)
 {
        struct ctdb_vnn *vnn;
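Review bot: the comment "release all IPs on shutdown" is deleted above `ctdb_release_all_ips()` with nothing put in its place, which leaves the function undocumented. If it was dropped because the function is no longer called only at shutdown, replace it with a comment that describes the current callers rather than removing it.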
@@ -3149,6 +3146,20 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb)
                        continue;
                }
 
+               /* Don't allow multiple releases at once.  Some code,
+                * particularly ctdb_tickle_sentenced_connections() is
+                * not re-entrant */
+               if (vnn->update_in_flight) {
+                       DEBUG(DEBUG_WARNING,
+                             (__location__
+                              " Not releasing IP %s/%u on interface %s, an 
update is already in progess\n",
+                                   ctdb_addr_to_str(&vnn->public_address),
+                                   vnn->public_netmask_bits,
+                                   ctdb_vnn_iface_string(vnn)));
+                       continue;
+               }
+               vnn->update_in_flight = true;
+
                DEBUG(DEBUG_INFO,("Release of IP %s/%u on interface %s 
node:-1\n",
                                    ctdb_addr_to_str(&vnn->public_address),
                                    vnn->public_netmask_bits,
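Review bot: typo in the new DEBUG_WARNING string, "progess" should be "progress". Log messages get searched for by text, so it is worth fixing before the release.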
@@ -3160,6 +3171,7 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb)
                                  vnn->public_netmask_bits);
                release_kill_clients(ctdb, &vnn->public_address);
                ctdb_vnn_unassign_iface(ctdb, vnn);
+               vnn->update_in_flight = false;
                count++;
        }
 
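Review bot: `vnn->update_in_flight = false;` is the only reset for the flag set in the previous hunk, and the lines between the two hunks are not all shown here. Please confirm there is no `continue` or early exit between the set and this reset; otherwise the vnn stays marked as in flight and every later release skips it with the new warning.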
diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c
index 4734b26..c6da621 100644
--- a/ctdb/tools/ctdb.c
+++ b/ctdb/tools/ctdb.c
@@ -1424,6 +1424,14 @@ static int control_one_scriptstatus(struct ctdb_context 
*ctdb,
        for (i=0; i<script_status->num_scripts; i++) {
                const char *status = NULL;
 
+               /* The ETIME status is ignored for certain events.
+                * In that case the status is 0, but endtime is not set.
+                */
+               if (script_status->scripts[i].status == 0 &&
+                   timeval_is_zero(&script_status->scripts[i].finished)) {
+                       script_status->scripts[i].status = -ETIME;
+               }
+
                switch (script_status->scripts[i].status) {
                case -ETIME:
                        status = "TIMEDOUT";
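Review bot: the new block overwrites `script_status->scripts[i].status` with `-ETIME` in the structure being displayed, only so that the `switch` below picks the TIMEDOUT case. A local variable holding the effective status would leave the reported data untouched for any code that reads it after the switch. The comment would also be more useful if it named the events for which ETIME is ignored.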
diff --git a/ctdb/utils/pmda/pmda_ctdb.c b/ctdb/utils/pmda/pmda_ctdb.c
index 2beac8f..1145844 100644
--- a/ctdb/utils/pmda/pmda_ctdb.c
+++ b/ctdb/utils/pmda/pmda_ctdb.c
@@ -23,7 +23,6 @@
 #include <pcp/impl.h>
 #include <pcp/pmda.h>
 #include "includes.h"
-#include "ctdb.h"
 #include "ctdb_private.h"
 #include "ctdb_protocol.h"
 #include "domain.h"
@@ -536,6 +535,8 @@ err_out:
        return ret;
 }
 
+void pmda_ctdb_init(pmdaInterface *dp);
+
 /*
  * Initialise the agent
  */
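Review bot: the prototype `void pmda_ctdb_init(pmdaInterface *dp);` is declared in the .c file directly above the definition, which silences a missing-prototype warning but is not shared with any caller. A short comment saying why the function is non-static and has no declaration in a header would make the intent clear.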
diff --git a/lib/ldb-samba/ldb_matching_rules.c 
b/lib/ldb-samba/ldb_matching_rules.c
deleted file mode 100644
index 3a51c29..0000000
--- a/lib/ldb-samba/ldb_matching_rules.c
+++ /dev/null
@@ -1,338 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   ldb database library - Extended match rules
-
-   Copyright (C) 2014 Samuel Cabrero <samuelcabr...@kernevil.me>
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include <ldb_module.h>
-#include "dsdb/samdb/samdb.h"
-#include "ldb_matching_rules.h"
-
-static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx,
-                                            struct ldb_context *ldb,
-                                            const char *attr,
-                                            const struct dsdb_dn *dn_to_match,
-                                            const char *dn_oid,
-                                            struct dsdb_dn *to_visit,
-                                            struct dsdb_dn **visited,
-                                            unsigned int *visited_count,
-                                            bool *matched)
-{
-       TALLOC_CTX *tmp_ctx;
-       int ret, i, j;
-       struct ldb_result *res;
-       struct ldb_message *msg;
-       struct ldb_message_element *el;
-       const char *attrs[] = { attr, NULL };
-
-       tmp_ctx = talloc_new(mem_ctx);
-       if (tmp_ctx == NULL) {
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-
-       /*
-        * Fetch the entry to_visit
-        *
-        * NOTE: This is a new LDB search from the TOP of the module
-        * stack.  This means that this search runs the whole stack
-        * from top to bottom.
-        *
-        * This may seem to be in-efficient, but it is also the only
-        * way to ensure that the ACLs for this search are applied
-        * correctly.
-        *
-        * Note also that we don't have the original request
-        * here, so we can not apply controls or timeouts here.
-        */
-       ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0);
-       if (ret != LDB_SUCCESS) {
-               talloc_free(tmp_ctx);
-               return ret;
-       }
-       if (res->count != 1) {
-               talloc_free(tmp_ctx);
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       msg = res->msgs[0];
-
-       /* Fetch the attribute to match from the entry being visited */
-       el = ldb_msg_find_element(msg, attr);
-       if (el == NULL) {
-               /* This entry does not have the attribute to match */
-               talloc_free(tmp_ctx);
-               *matched = false;
-               return LDB_SUCCESS;
-       }
-
-       /*
-        * If the value to match is present in the attribute values of the
-        * current entry being visited, set matched to true and return OK
-        */
-       for (i=0; i<el->num_values; i++) {
-               struct dsdb_dn *dn;
-               dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid);
-               if (dn == NULL) {
-                       talloc_free(tmp_ctx);
-                       *matched = false;
-                       return LDB_ERR_INVALID_DN_SYNTAX;
-               }
-
-               if (ldb_dn_compare(dn_to_match->dn, dn->dn) == 0) {
-                       talloc_free(tmp_ctx);
-                       *matched = true;
-                       return LDB_SUCCESS;
-               }
-       }
-
-       /*
-        * If arrived here, the value to match is not in the values of the
-        * entry being visited. Add the entry being visited (to_visit)
-        * to the visited array. The array is (re)allocated in the parent
-        * memory context.
-        */
-       if (visited == NULL) {
-               visited = talloc_array(mem_ctx, struct dsdb_dn *, 1);
-               if (visited == NULL) {
-                       talloc_free(tmp_ctx);
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-               visited[0] = to_visit;
-               (*visited_count) = 1;
-       } else {
-               visited = talloc_realloc(mem_ctx, visited, struct dsdb_dn *,
-                                        (*visited_count) + 1);
-               if (visited == NULL) {
-                       talloc_free(tmp_ctx);
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-               visited[(*visited_count)] = to_visit;
-               (*visited_count)++;
-       }
-
-       /*
-        * steal to_visit into visited array context, as it has to live until
-        * the array is freed.
-        */
-       talloc_steal(visited, to_visit);
-
-       /*
-        * Iterate over the values of the attribute of the entry being
-        * visited (to_visit) and follow them, calling this function
-        * recursively.
-        * If the value is in the visited array, skip it.
-        * Otherwise, follow the link and visit it.
-        */
-       for (i=0; i<el->num_values; i++) {
-               struct dsdb_dn *next_to_visit;
-               bool skip = false;
-
-               next_to_visit = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], 
dn_oid);
-               if (next_to_visit == NULL) {
-                       talloc_free(tmp_ctx);
-                       *matched = false;
-                       return LDB_ERR_INVALID_DN_SYNTAX;
-               }
-
-               /*
-                * If the value is already in the visited array, skip it.
-                * Note the last element of the array is ignored because it is
-                * the current entry DN.
-                */
-               for (j=0; j < (*visited_count) - 1; j++) {
-                       struct dsdb_dn *visited_dn = visited[j];
-                       if (ldb_dn_compare(visited_dn->dn,
-                                          next_to_visit->dn) == 0) {
-                               skip = true;
-                               break;
-                       }
-               }
-               if (skip) {
-                       talloc_free(next_to_visit);
-                       continue;
-               }
-
-               /* If the value is not in the visited array, evaluate it */
-               ret = ldb_eval_transitive_filter_helper(tmp_ctx, ldb, attr,
-                                                       dn_to_match, dn_oid,
-                                                       next_to_visit,
-                                                       visited, visited_count,
-                                                       matched);
-               if (ret != LDB_SUCCESS) {
-                       talloc_free(tmp_ctx);
-                       return ret;
-               }
-               if (*matched) {
-                       talloc_free(tmp_ctx);
-                       return LDB_SUCCESS;
-               }
-       }
-
-       talloc_free(tmp_ctx);
-       *matched = false;
-       return LDB_SUCCESS;
-}
-
-/*
- * This function parses the linked attribute value to match, whose syntax
- * will be one of the different DN syntaxes, into a ldb_dn struct.
- */
-static int ldb_eval_transitive_filter(TALLOC_CTX *mem_ctx,
-                                     struct ldb_context *ldb,
-                                     const char *attr,
-                                     const struct ldb_val *value_to_match,
-                                     struct dsdb_dn *current_object_dn,
-                                     bool *matched)
-{
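Review bot: in the removed ldb_eval_transitive_filter_helper(), `visited` is passed as `struct dsdb_dn **` by value, so `visited = talloc_array(...)` and `visited = talloc_realloc(...)` update only the callee's copy, while `*visited_count` is shared through a pointer. After a recursive call returns, the caller's loop over `visited[j]` can index an array pointer that the callee has already reallocated. If transitive matching is reintroduced after this revert, pass the array by reference (`struct dsdb_dn ***`) or keep the array and its count together in one struct.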


-- 
Samba Shared Repository
