The branch, v4-3-stable has been updated
       via  5d9f4f9 VERSION: Release Samba 4.3.0rc3
       via  5b3545e WHATSNEW: Update release notes for Samba 4.3.0rc3
       via  dfa6a2d ctdb-daemon: Correctly process the exit code from failed eventscripts
       via  37e126d ctdb-tool: Correctly print timed out event scripts output
       via  88c53b8 s3:lib: fix some corner cases of open_socket_out_cleanup()
       via  2aff77c s3:smb2_negprot: prefer AES128_CCM if the client supports it
       via  ef11f8d libcli/smb: prefer AES128_CCM
       via  9da9cf5 release-scripts/build-manpages-nogit: run make realdistclean at the end
       via  6fc5d55 Revert "ldb-samba: Implement transitive extended matching"
       via  3f5cd1f Revert "dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN"
       via  ec7f97c ctdb-pmda: Add missing prototype declaration for non-static function
       via  d0c4863 ctdb-daemon: Check if updates are in flight when releasing all IPs
       via  3c7f3e7 ctdb-banning: If node is already banned, do not run ctdb_local_node_got_banned()
       via  b37340b s3-net: use talloc array in share allowedusers
       via  0c7e786 s4:torture:vfs_fruit: add a test for stream names
       via  3c1e7cb s4:torture:vfs_fruit: pass xattr name as arg to torture_setup_local_xattr()
       via  047cbb3 vfs_catia: run translation on stream names
       via  fe55c949 vfs_streams_xattr: stream names may contain colons
       via  977be7b python:samba/upgrade.py Fix format string syntax in error condition
       via  20d00d3 s4:rpc_server/netlogon: Fix for NetApp
       via  1d3e6b5 WHATSNEW: Add description of improved cross-compilation support
       via  f8b5de9 WHATSNEW: Document CTDB logging and NFS changes
       via  4fb42e8 WHATSNEW: add a section about samba-tool fsmo
       via  e408235 script/librelease.sh: this is replaced by script/release.sh now
       via  e41e6a5 script/release.sh: This is a new script to do releases
       via  c55e72e WHATSNEW: fix version numbers
       via  3f010b5 WHATSNEW: Prepare release notes for Samba 4.3.0rc3
       via  47f47d9 VERSION: Bump version up to 4.3.0rc3...
      from  dd3c69d VERSION: Release Samba 4.3.0rc2

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 113 ++++-
 ctdb/server/ctdb_banning.c | 7 +-
 ctdb/server/ctdb_event_helper.c | 6 +-
 ctdb/server/ctdb_takeover.c | 18 +-
 ctdb/tools/ctdb.c | 8 +
 ctdb/utils/pmda/pmda_ctdb.c | 3 +-
 lib/ldb-samba/ldb_matching_rules.c | 338 -------------
 lib/ldb-samba/ldb_matching_rules.h | 28 --
 lib/ldb-samba/ldif_handlers.c | 6 -
 lib/ldb-samba/wscript_build | 2 +-
 libcli/smb/smbXcli_base.c | 8 +-
 python/samba/upgrade.py | 2 +-
 release-scripts/build-manpages-nogit | 4 +
 script/librelease.sh | 110 -----
 script/release.sh | 615 ++++++++++++++++++++++++
 selftest/knownfail | 13 +
 selftest/target/Samba3.pm | 3 +-
 selftest/target/Samba4.pm | 3 +-
 source3/lib/util_sock.c | 3 +
 source3/modules/vfs_catia.c | 58 ++-
 source3/modules/vfs_streams_xattr.c | 16 +-
 source3/smbd/smb2_negprot.c | 18 +-
 source3/utils/net_rpc.c | 24 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 4 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 +-
 source4/torture/vfs/fruit.c | 143 +++++-
 27 files changed, 1052 insertions(+), 525 deletions(-)
 delete mode 100644 lib/ldb-samba/ldb_matching_rules.c
 delete mode 100644 lib/ldb-samba/ldb_matching_rules.h
 delete mode 100755 script/librelease.sh
 create mode 100755 script/release.sh

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index cf10465..799aa62 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE=2 +SAMBA_VERSION_RC_RELEASE=3 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f2ff8d4..68ff6ef 100644 --- a/WHATSNEW.txt 
+++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the second release candidate of Samba 4.3. This is *not* +This is the third release candidate of Samba 4.3. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -126,6 +126,12 @@ Both client and server have support for SMB 3.1.1 now. This is the dialect introduced with Windows 10, it improves the secure negotiation of SMB dialects and features. +There's also a new optinal encryption algorithm aes-gcm-128, +but for now this is only selected as fallback and aes-ccm-128 +is preferred because of the better performance. This might change +in future versions when hardware encryption will be supported. +See https://bugzilla.samba.org/show_bug.cgi?id=11451. + New smbclient subcommands ------------------------- 
@@ -177,6 +183,80 @@ The "tls priority" option can be used to change the supported TLS protocols. The default is to disable SSLv3, which is no longer considered secure. +Samba-tool now supports all 7 FSMO roles +------------------------------------------------------- + +Previously "samba-tool fsmo" could only show, transfer or seize the +five well-known FSMO roles: + + Schema Master + Domain Naming Master + RID Master + PDC Emulator + Infrastructure Master + +It can now also show, transfer or seize the DNS infrastructure roles: + + DomainDnsZones Infrastructure Master + ForestDnsZones Infrastructure Master + +CTDB logging changes +-------------------- + +The destination for CTDB logging is now set via a single new +configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and +CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for +details of CTDB_LOGGING. + +CTDB no longer runs a separate logging daemon. + +CTDB NFS support changes +------------------------ + +CTDB's NFS service management has been combined into a single 60.nfs +event script. This updated 60.nfs script now uses a call-out to +interact with different NFS implementations. See the CTDB_NFS_CALLOUT +option in the ctdbd.conf(5) manual page for details. A default +call-out is provided to interact with the Linux kernel NFS +implementation. The 60.ganesha event script has been removed - a +sample call-out is provided for NFS Ganesha, based on this script. + +The method of configuring NFS RPC checks has been improved. See +ctdb/config/nfs-checks.d/README for details. + +Improved Cross-Compiling Support +-------------------------------- + +A new "hybrid" build configuration mode is added to improve +cross-compilation support. + +A common challenge in cross-compilation is that of obtaining the results +of tests that have to run on the target, during the configuration +phase of the build. 
The Samba build system already supports the following +means to do so: + + - Executing configure tests using the --cross-execute parameter + - Obtaining the results from an answers file using the --cross-answers + parameter + +The first method has the drawback of inaccurate results if the tests are +run using an emulator, or a need to be connected to a running target +while building, if the tests are to be run on an actual target. The +second method presents a challenge of figuring out the test results. + +The new hybrid mode runs the tests and records the result in an answer file. +To activate this mode, use both --cross-execute and --cross-answers in the +same configure invocation. This mode can be activated once against a +running target, and then the generated answers file can be used in +subsequent builds. + +Also supplied is an example script that can be used as the +cross-execute program. This script copies the test to a running target +and runs the test on the target, obtaining the result. The obtained +results are more accurate than running the test with an emulator, because +they reflect the exact kernel and system libraries that exist on the +target. + ###################################################################### Changes 
@@ -210,7 +290,36 @@ KNOWN ISSUES Currently none. -CHANGES SINCE 4.2.0rc1 +CHANGES SINCE 4.3.0rc2 +====================== + +o Andrew Bartlett <abart...@samba.org> + * Bug 11436: samba-tool uncaught exception error + * Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941 + LDAP_MATCHING_RULE_IN_CHAIN changes + +o Ralph Boehme <s...@samba.org> + * Bug 11278: Stream names with colon don't work with + fruit:encoding = native + * Bug 11426: net share allowedusers crashes + +o Amitay Isaacs <ami...@gmail.com> + * Bug 11432: Fix crash in nested ctdb banning + * Bug 11434: Cannot build ctdbpmda + * Bug 11431: CTDB's eventscript error handling is broken + +o Stefan Metzmacher <me...@samba.org> + * Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1) + * Bug 11316: tevent_fd needs to be destroyed before closing the fd + +o Arvid Requate <requ...@univention.de> + * Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs + +o Martin Schwenke <mar...@meltin.net> + * Bug 11432: Fix crash in nested ctdb banning + + +CHANGES SINCE 4.3.0rc1 ====================== o Jeremy Allison <j...@samba.org> diff --git a/ctdb/server/ctdb_banning.c b/ctdb/server/ctdb_banning.c index a9d1891..d8f7ab1 100644 --- a/ctdb/server/ctdb_banning.c +++ b/ctdb/server/ctdb_banning.c @@ -80,6 +80,7 @@ void ctdb_local_node_got_banned(struct ctdb_context *ctdb) int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata) { struct ctdb_ban_time *bantime = (struct ctdb_ban_time *)indata.dptr; + bool already_banned; DEBUG(DEBUG_INFO,("SET BAN STATE\n")); @@ -107,9 +108,11 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata) return 0; } + already_banned = false; if (ctdb->banning_ctx != NULL) { talloc_free(ctdb->banning_ctx); ctdb->banning_ctx = NULL; + already_banned = true; } if (bantime->time == 0) { 
@@ -136,7 +139,9 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata) event_add_timed(ctdb->ev, ctdb->banning_ctx, timeval_current_ofs(bantime->time,0), ctdb_ban_node_event, ctdb); - ctdb_local_node_got_banned(ctdb); + if (!already_banned) { + ctdb_local_node_got_banned(ctdb); + } return 0; } diff --git a/ctdb/server/ctdb_event_helper.c b/ctdb/server/ctdb_event_helper.c index f14e336..a1b5318 100644 --- a/ctdb/server/ctdb_event_helper.c +++ b/ctdb/server/ctdb_event_helper.c @@ -128,7 +128,11 @@ int main(int argc, char *argv[]) exit(1); } if (WIFEXITED(status)) { - output = -WEXITSTATUS(status); + output = WEXITSTATUS(status); + /* Only errors should be returned as -ve values */ + if (output == ENOENT || output == ENOEXEC) { + output = -output; + } sys_write(write_fd, &output, sizeof(output)); exit(0); } diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c index d5d2b39..efc80b1 100644 --- a/ctdb/server/ctdb_takeover.c +++ b/ctdb/server/ctdb_takeover.c @@ -3128,9 +3128,6 @@ void ctdb_takeover_client_destructor_hook(struct ctdb_client *client) } -/* - release all IPs on shutdown - */ void ctdb_release_all_ips(struct ctdb_context *ctdb) { struct ctdb_vnn *vnn; @@ -3149,6 +3146,20 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb) continue; } + /* Don't allow multiple releases at once. Some code, + * particularly ctdb_tickle_sentenced_connections() is + * not re-entrant */ + if (vnn->update_in_flight) { + DEBUG(DEBUG_WARNING, + (__location__ + " Not releasing IP %s/%u on interface %s, an update is already in progess\n", + ctdb_addr_to_str(&vnn->public_address), + vnn->public_netmask_bits, + ctdb_vnn_iface_string(vnn))); + continue; + } + vnn->update_in_flight = true; + DEBUG(DEBUG_INFO,("Release of IP %s/%u on interface %s node:-1\n", ctdb_addr_to_str(&vnn->public_address), vnn->public_netmask_bits, 
@@ -3160,6 +3171,7 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb) vnn->public_netmask_bits); release_kill_clients(ctdb, &vnn->public_address); ctdb_vnn_unassign_iface(ctdb, vnn); + vnn->update_in_flight = false; count++; } diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c index 4734b26..c6da621 100644 --- a/ctdb/tools/ctdb.c +++ b/ctdb/tools/ctdb.c @@ -1424,6 +1424,14 @@ static int control_one_scriptstatus(struct ctdb_context *ctdb, for (i=0; i<script_status->num_scripts; i++) { const char *status = NULL; + /* The ETIME status is ignored for certain events. + * In that case the status is 0, but endtime is not set. + */ + if (script_status->scripts[i].status == 0 && + timeval_is_zero(&script_status->scripts[i].finished)) { + script_status->scripts[i].status = -ETIME; + } + switch (script_status->scripts[i].status) { case -ETIME: status = "TIMEDOUT"; diff --git a/ctdb/utils/pmda/pmda_ctdb.c b/ctdb/utils/pmda/pmda_ctdb.c index 2beac8f..1145844 100644 --- a/ctdb/utils/pmda/pmda_ctdb.c +++ b/ctdb/utils/pmda/pmda_ctdb.c @@ -23,7 +23,6 @@ #include <pcp/impl.h> #include <pcp/pmda.h> #include "includes.h" -#include "ctdb.h" #include "ctdb_private.h" #include "ctdb_protocol.h" #include "domain.h" @@ -536,6 +535,8 @@ err_out: return ret; } +void pmda_ctdb_init(pmdaInterface *dp); + /* * Initialise the agent */ diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c deleted file mode 100644 index 3a51c29..0000000 --- a/lib/ldb-samba/ldb_matching_rules.c +++ /dev/null 
@@ -1,338 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - ldb database library - Extended match rules - - Copyright (C) 2014 Samuel Cabrero <samuelcabr...@kernevil.me> - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include <ldb_module.h> -#include "dsdb/samdb/samdb.h" -#include "ldb_matching_rules.h" - -static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, - struct ldb_context *ldb, - const char *attr, - const struct dsdb_dn *dn_to_match, - const char *dn_oid, - struct dsdb_dn *to_visit, - struct dsdb_dn **visited, - unsigned int *visited_count, - bool *matched) -{ - TALLOC_CTX *tmp_ctx; - int ret, i, j; - struct ldb_result *res; - struct ldb_message *msg; - struct ldb_message_element *el; - const char *attrs[] = { attr, NULL }; - - tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } - - /* - * Fetch the entry to_visit - * - * NOTE: This is a new LDB search from the TOP of the module - * stack. This means that this search runs the whole stack - * from top to bottom. - * - * This may seem to be in-efficient, but it is also the only - * way to ensure that the ACLs for this search are applied - * correctly. - * - * Note also that we don't have the original request - * here, so we can not apply controls or timeouts here. 
- */ - ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); - if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); - return ret; - } - if (res->count != 1) { - talloc_free(tmp_ctx); - return LDB_ERR_OPERATIONS_ERROR; - } - msg = res->msgs[0]; - - /* Fetch the attribute to match from the entry being visited */ - el = ldb_msg_find_element(msg, attr); - if (el == NULL) { - /* This entry does not have the attribute to match */ - talloc_free(tmp_ctx); - *matched = false; - return LDB_SUCCESS; - } - - /* - * If the value to match is present in the attribute values of the - * current entry being visited, set matched to true and return OK - */ - for (i=0; i<el->num_values; i++) { - struct dsdb_dn *dn; - dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid); - if (dn == NULL) { - talloc_free(tmp_ctx); - *matched = false; - return LDB_ERR_INVALID_DN_SYNTAX; - } - - if (ldb_dn_compare(dn_to_match->dn, dn->dn) == 0) { - talloc_free(tmp_ctx); - *matched = true; - return LDB_SUCCESS; - } - } - - /* - * If arrived here, the value to match is not in the values of the - * entry being visited. Add the entry being visited (to_visit) - * to the visited array. The array is (re)allocated in the parent - * memory context. - */ - if (visited == NULL) { - visited = talloc_array(mem_ctx, struct dsdb_dn *, 1); - if (visited == NULL) { - talloc_free(tmp_ctx); - return LDB_ERR_OPERATIONS_ERROR; - } - visited[0] = to_visit; - (*visited_count) = 1; - } else { - visited = talloc_realloc(mem_ctx, visited, struct dsdb_dn *, - (*visited_count) + 1); - if (visited == NULL) { - talloc_free(tmp_ctx); - return LDB_ERR_OPERATIONS_ERROR; - } - visited[(*visited_count)] = to_visit; - (*visited_count)++; - } - - /* - * steal to_visit into visited array context, as it has to live until - * the array is freed. - */ - talloc_steal(visited, to_visit); - - /* - * Iterate over the values of the attribute of the entry being - * visited (to_visit) and follow them, calling this function - * recursively. 
- * If the value is in the visited array, skip it. - * Otherwise, follow the link and visit it. - */ - for (i=0; i<el->num_values; i++) { - struct dsdb_dn *next_to_visit; - bool skip = false; - - next_to_visit = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid); - if (next_to_visit == NULL) { - talloc_free(tmp_ctx); - *matched = false; - return LDB_ERR_INVALID_DN_SYNTAX; - } - - /* - * If the value is already in the visited array, skip it. - * Note the last element of the array is ignored because it is - * the current entry DN. - */ - for (j=0; j < (*visited_count) - 1; j++) { - struct dsdb_dn *visited_dn = visited[j]; - if (ldb_dn_compare(visited_dn->dn, - next_to_visit->dn) == 0) { - skip = true; - break; - } - } - if (skip) { - talloc_free(next_to_visit); - continue; - } - - /* If the value is not in the visited array, evaluate it */ - ret = ldb_eval_transitive_filter_helper(tmp_ctx, ldb, attr, - dn_to_match, dn_oid, - next_to_visit, - visited, visited_count, - matched); - if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); - return ret; - } - if (*matched) { - talloc_free(tmp_ctx); - return LDB_SUCCESS; - } - } - - talloc_free(tmp_ctx); - *matched = false; - return LDB_SUCCESS; -} - -/* - * This function parses the linked attribute value to match, whose syntax - * will be one of the different DN syntaxes, into a ldb_dn struct. - */ -static int ldb_eval_transitive_filter(TALLOC_CTX *mem_ctx, - struct ldb_context *ldb, - const char *attr, - const struct ldb_val *value_to_match, - struct dsdb_dn *current_object_dn, - bool *matched) -{ -- Samba Shared Repository
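
Review bot: In the WHATSNEW.txt hunk at @@ -126,6 +126,12 @@, the added line "There's also a new optinal encryption algorithm aes-gcm-128" misspells "optional". Correct the spelling before the release notes ship with rc3.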
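
Review bot: In ctdb_control_set_ban_state() (ctdb/server/ctdb_banning.c), the new "if (!already_banned)" guard around ctdb_local_node_got_banned() carries no comment saying why the call is skipped when the node was already banned, so a later cleanup could easily restore the unconditional call. Add a short comment at the guard, and consider initialising the flag where it is declared ("bool already_banned = false;") instead of in a separate statement just before the banning_ctx check.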
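
Review bot: In main() of ctdb/server/ctdb_event_helper.c, the added test "output == ENOENT || output == ENOEXEC" compares a script's exit status against errno constants, so an event script that exits with a status numerically equal to ENOENT or ENOEXEC for reasons of its own is reported as a negative error code. The comment "Only errors should be returned as -ve values" does not say where those two statuses are expected to come from; document that convention at the test, or report an exec failure separately from the script's own exit status.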
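
Review bot: In ctdb_release_all_ips() (ctdb/server/ctdb_takeover.c), an address with update_in_flight set is skipped with "continue" after only a DEBUG_WARNING, so this call leaves that IP unreleased and nothing in the visible hunks reports the skip to the caller. Consider counting skipped addresses and logging or returning the total. The warning text also misspells "progress" as "progess", and the hunk at @@ -3128,9 +3128,6 @@ removes the "release all IPs on shutdown" comment above the function without a replacement.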
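
Review bot: In control_one_scriptstatus() (ctdb/tools/ctdb.c), the added block writes -ETIME back into script_status->scripts[i].status inside the printing loop, which changes the retrieved status data just to select a label. Keep the effective status in a local variable and switch on that, so any later use of script_status still sees the value that was reported.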