The branch, v4-6-stable has been updated
       via  a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.
       via  7f7e329 WHATSNEW: Add release notes for Samba 4.6.7.
       via  f2a0600 s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
       via  0ee93fe s4-dsdb/netlogon: allow missing ntver in cldap ping
       via  38d8f3c s4:torture/ldap: Test netlogon without NtVer
       via  3a5cf43 s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
       via  fd96410 vfs_ceph: fix cephwrap_chdir()
       via  a81b8f2 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
       via  6155eba s3: libsmb: Fix use-after-free when accessing pointer *p.
       via  378886b smbd: Fix a connection run-down race condition
       via  c1e5a22 s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
       via  8c0f377 ctdb-common: Set close-on-exec when creating PID file
       via  791b217 vfs_fruit: don't use MS NFS ACEs with Windows clients
       via  6af5fcc s3:client: The smbspool krb5 wrapper needs negotiate for authentication
       via  1714d0c vfs_fruit: add fruit:model = <modelname> parametric option
       via  1ec8c4a idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
       via  73550d1 selftest: Do not force run of kcc at start of selftest
       via  9251372 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
       via  dd573c0 s3:secrets: remove unused secrets_store_[prev_]machine_password()
       via  d71aa30 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
       via  15a7a36 net: make use of secrets_*_password_change() for "net changesecretpw"
       via  13a2325 s3:trusts_util: make use the workstation password change more robust
       via  de1faa7 s3:libnet: make use of secrets_store_JoinCtx()
       via  56403c7 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
       via  835cc12 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
       via  cc67ccb secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
       via  d80ef0b netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
       via  59e23da netlogon.idl: make netr_TrustFlags [public]
       via  b7e7ac3 lsa.idl: make lsa_DnsDomainInfo [public]
       via  fc98574 s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
       via  f7c05a3 libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
       via  5d56612 libcli/auth: add const to set_pw_in_buffer()
       via  29fa179 libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
       via  d41f361 s3:trusts_util: pass dcname to trust_pw_change()
       via  324af75 s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
       via  7481722 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
       via  36ae6bc s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
       via  fc8506d s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
       via  bce615d s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
       via  c54cf09 s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
       via  dd0f49a s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
       via  4e649f7 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
       via  45ed7f3 s3:secrets: rename secrets_delete() to secrets_delete_entry()
       via  e67bc70 s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
       via  f8dc7f3 s3:secrets: add some const to secrets_store_domain_guid()
       via  f297455 s3:secrets: split out a domain_guid_keystr() function
       via  3341df2 s3:secrets: rework des_salt_key() to take the realm as argument
       via  cfba2c4 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
       via  f68f8f6 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
       via  0ce8cd8 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
       via  bf90563 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
       via  14add2c s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
       via  6e1f7e2 s3:libads: provide a simpler kerberos_fetch_salt_princ() function
       via  bfccba4 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
       via  beb5f2b s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
       via  4e5c9b5 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
       via  cb36b61 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
       via  1b648aa s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
       via  b098b48 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
       via  e709972 s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
       via  15cefb9 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
       via  d353c40 s3:libnet_join: remember the domain_guid for AD domains
       via  0c9f0d5 s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
       via  43cce73 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
       via  b76556f s3:libnet_join: remove dead code from libnet_join_connect_ads()
       via  691d69f krb5_wrap: add smb_krb5_salt_principal2data()
       via  ea40c72 krb5_wrap: add smb_krb5_salt_principal()
       via  cf5d62e s3:libads: remove unused kerberos_secrets_store_salting_principal()
       via  5687cb0 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
       via  6297a35 idl_types.h: add NDR_SECRET shortcut
       via  48a9a30 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
       via  e73f37d librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
       via  4e323ae pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
       via  ce91c2e s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
       via  8ac00af selftest: add a test for accessing previous version of directories with snapdirseverywhere
       via  7916e1a s3/smbd: let non_widelink_open() chdir() to directories directly
       via  80aeac8 dnsserver: Stop dns_name_equal doing OOB read
       via  04676d6 selftest: Do not enable inbound replication during replica_sync
       via  7b04fb4 VERSION: Bump version up to 4.6.7...
       via  b528634 Merge branch 'v4-6-stable' into v4-6-test
       via  05782d5 s3:tests: Do *NOT* flush the complete gencache!
       via  24a5c45 selftest: Do *NOT* flush the complete gencache!
       via  cb6771c ldb: protect Samba < 4.7 against incompatible ldb versions and require ldb < 1.2.0
       via  85dbd4d wafsamba: add maxversion and version_blacklist to CHECK_BUNDLED_SYSTEM[_PKG]()
       via  a971f23 s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
       via  eb587fb selftest: Also wait for winbindd to start
       via  9bf2391 s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
       via  d2bf63c auth/spnego: fix gensec_update_ev() argument order for the SPNEGO_FALLBACK case
       via  545b0c4 s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
       via  18f3dbb samba-tool: fix log message of 'samba-tool user syncpasswords'
       via  15ed7a9 s3:tests: Do not delete the contets of LOCAL_PATH with tarmode test
       via  f625a63 auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
       via  8aea504 s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
       via  79afb2e s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
       via  c850f47 docs-xml: Sort input file list
       via  fad0c0d s3: libsmb: Correctly save and restore connection tcon in smbclient, smbcacls and smbtorture3.
       via  d2a309b s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon.
       via  de0fbbe s3: libsmb: Fix cli_state_has_tcon() to cope with SMB2 connections.
       via  8edc00e s3: libsmb: Widen cli_state_get_tid() / cli_state_set_tid() to 32-bits.
       via  c519326 s3: smbtorture: Show correct use of cli_state_save_tcon() / cli_state_restore_tcon().
       via  b17ab94 s3: libsmb: Add cli_state_save_tcon() / cli_state_restore_tcon().
       via  d261f6d libcli: smb: Add smb2cli_tcon_set_id().
       via  0ea8e0b libcli: smb: Add smbXcli_tcon_copy().
       via  9d053cf s3: smbd: When deleting an fsp pointer ensure we don't keep any references to it around.
       via  f10ce74 ctdb-recovery: Do not run local ip verification when in recovery
       via  9f25dff ctdb-recovery: Get recmode unconditionally in the main_loop
       via  59ac9bf ctdb-recovery: Finish processing for recovery mode ACTIVE first
       via  7ee7e65 ctdb-recovery: Simplify logging of recovery mode setting
       via  89ee737 ctdb-recovery: Setting up of recmode should be idempotent
       via  a227893 ctdb-recovery: Assign banning credits if database fails to freeze
       via  6e11262 ctdb-scripts: Don't send empty argument string to logger
       via  9670a0d Bug 15852. There are valid paths where conn->lsa_pipe_tcp->transport is NULL. Protect against this.
       via  8a7d05e s3:tests: Add test for smbclient -UDOMAIN+username
       via  282560e s3:popt_common: Reparse the username in popt_common_credentials_post()
       via  8dc2be5 s3:smb2_sesssetup: allow a compound request after a SessionSetup
       via  6e6fb56d s3:smb2_tcon: allow a compound request after a TreeConnect
       via  29c2411 s3:libsmb: add cli_state_update_after_sesssetup() helper function
       via  ada73fa libcli/smb: Fix alignment problems of smb_bytes_pull_str()
       via  5a4f2e0 libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO
       via  b4e1d73 ctdb-tests: Add more NFS eventscript tests for call-out failures
       via  6d5c1f6 ctdb-scripts: NFS call-out failures should cause event failure
       via  c08e056 messaging: fix net command failure due to unhandled return code
       via  ad1f953 shadow_copy_get_shadow_copy_data: fix GCC snprintf warning
       via  e550c8a ndr tests: silence a harmless warning
       via  123bfe0 s4:torture: Fix comparison between pointer and zero character constant
       via  fdcfdcd waf: Do not trhow a format-truncation error for test/snprintf.c
       via  3afa33b replace: Use the same size as d_name member of struct dirent
      from  55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 90 +-
 auth/gensec/spnego.c | 6 +-
 auth/ntlmssp/ntlmssp_util.c | 21 +
 buildtools/wafsamba/samba_bundled.py | 21 +-
 ctdb/common/pidfile.c | 8 +
 ctdb/config/events.d/60.nfs | 8 +-
 ctdb/config/functions | 2 +-
 ctdb/server/ctdb_recover.c | 28 +-
 ctdb/server/ctdb_recoverd.c | 19 +-
 ctdb/server/ctdb_recovery_helper.c | 1 +
 ....nfs.monitor.107.sh => 06.nfs.releaseip.001.sh} | 0
 ctdb/tests/eventscripts/06.nfs.releaseip.002.sh | 12 +
 ...{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} | 0
 ctdb/tests/eventscripts/06.nfs.takeip.002.sh | 12 +
 ctdb/tests/eventscripts/60.nfs.monitor.109.sh | 12 +
 ....nfs.monitor.107.sh => 60.nfs.releaseip.001.sh} | 0
 ctdb/tests/eventscripts/60.nfs.releaseip.002.sh | 12 +
 ...0.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} | 0
 ctdb/tests/eventscripts/60.nfs.shutdown.002.sh | 12 +
 ...60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} | 0
 ctdb/tests/eventscripts/60.nfs.startup.002.sh | 12 +
 ...{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} | 0
 ctdb/tests/eventscripts/60.nfs.takeip.002.sh | 12 +
 docs-xml/Makefile | 2 +-
 docs-xml/manpages/vfs_fruit.8.xml | 9 +
 lib/krb5_wrap/krb5_samba.c | 187 +++
 lib/krb5_wrap/krb5_samba.h | 10 +
 lib/ldb/wscript | 19 +-
 lib/replace/test/os2_delete.c | 2 +-
 lib/replace/wscript | 3 +-
 libcli/auth/netlogon_creds_cli.c | 78 +-
 libcli/auth/netlogon_creds_cli.h | 16 +-
 libcli/auth/proto.h | 2 +-
 libcli/auth/smbencrypt.c | 2 +-
 libcli/smb/smb1cli_session.c | 28 +-
 libcli/smb/smbXcli_base.c | 52 +
 libcli/smb/smbXcli_base.h | 3 +
 libcli/smb/smb_util.h | 3 +-
 libcli/smb/util.c | 47 +-
 librpc/idl/idl_types.h | 6 +
 librpc/idl/lsa.idl | 2 +-
 librpc/idl/netlogon.idl | 6 +-
 librpc/ndr/libndr.h | 24 +-
 librpc/ndr/ndr.c | 23 +
 librpc/ndr/ndr_basic.c | 44 +
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 +
 python/samba/netcmd/user.py | 2 +-
 selftest/target/Samba3.pm | 22 +-
 selftest/target/Samba4.pm | 75 +-
 source3/client/client.c | 5 +-
 source3/client/smbspool_krb5_wrapper.c | 29 +-
 source3/include/ntioctl.h | 2 +-
 source3/include/proto.h | 1 +
 source3/include/secrets.h | 38 +-
 source3/lib/messages.c | 6 +-
 source3/lib/popt_common.c | 15 +
 source3/lib/util_sd.c | 24 +-
 source3/libads/kerberos.c | 200 ---
 source3/libads/kerberos_keytab.c | 14 +-
 source3/libads/kerberos_proto.h | 8 -
 source3/libads/util.c | 106 +-
 source3/libnet/libnet_join.c | 127 +-
 source3/libnet/libnet_keytab.c | 5 +-
 source3/librpc/crypto/gse_krb5.c | 48 +-
 source3/librpc/idl/libnet_join.idl | 4 +-
 source3/librpc/idl/secrets.idl | 92 +-
 source3/librpc/wscript_build | 2 +-
 source3/libsmb/cliconnect.c | 97 +-
 source3/libsmb/clidfs.c | 18 +-
 source3/libsmb/clientgen.c | 67 +-
 source3/libsmb/libsmb_dir.c | 6 +-
 source3/libsmb/proto.h | 7 +-
 source3/libsmb/trusts_util.c | 276 +++-
 source3/modules/vfs_ceph.c | 7 -
 source3/modules/vfs_default.c | 33 +-
 source3/modules/vfs_fruit.c | 12 +-
 source3/modules/vfs_shadow_copy.c | 11 +-
 source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++--
 source3/passdb/secrets.c | 25 +-
 source3/passdb/secrets_lsa.c | 2 +-
 source3/rpc_client/cli_netlogon.c | 15 +-
 source3/rpcclient/cmd_netlogon.c | 2 +
 source3/script/tests/test_shadow_copy.sh | 23 +
 source3/script/tests/test_smbclient_basic.sh | 62 +
 source3/script/tests/test_smbclient_s3.sh | 55 +
 source3/script/tests/test_smbclient_tarmode.sh | 10 +-
 source3/script/tests/test_wbinfo_sids2xids_int.py | 25 +-
 source3/selftest/tests.py | 5 +-
 source3/smbd/files.c | 4 +-
 source3/smbd/lanman.c | 20 +-
 source3/smbd/open.c | 54 +-
 source3/smbd/process.c | 2 +-
 source3/smbd/reply.c | 2 +-
 source3/smbd/server.c | 8 +-
 source3/smbd/smb2_create.c | 43 +-
 source3/smbd/smb2_ioctl_network_fs.c | 17 +
 source3/smbd/smb2_sesssetup.c | 1 +
 source3/smbd/smb2_tcon.c | 2 +
 source3/torture/test_smb2.c | 8 +-
 source3/torture/torture.c | 24 +-
 source3/utils/net.c | 142 +-
 source3/utils/net_rpc.c | 20 +-
 source3/utils/smbcacls.c | 26 +-
 source3/winbindd/idmap_ad.c | 19 +-
 source3/winbindd/winbindd_cm.c | 8 +-
 source3/winbindd/winbindd_dual.c | 1 +
 source3/winbindd/winbindd_dual_srv.c | 2 +
 source4/dsdb/samdb/ldb_modules/netlogon.c | 6 +-
 source4/rpc_server/dnsserver/dnsdata.c | 4 +-
 source4/torture/drs/python/replica_sync.py | 51 -
 source4/torture/ldap/netlogon.c | 48 +
 source4/torture/masktest.c | 2 +-
 source4/torture/ndr/string.c | 20 +-
 source4/torture/vfs/fruit.c | 8 +-
 115 files changed, 3783 insertions(+), 865 deletions(-)
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 06.nfs.releaseip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/06.nfs.takeip.002.sh
 create mode 100755 ctdb/tests/eventscripts/60.nfs.monitor.109.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.releaseip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.startup.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.takeip.002.sh
 create mode 100755 source3/script/tests/test_smbclient_basic.sh

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index 8fc1d16..113a562 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=6 +SAMBA_VERSION_RELEASE=7 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 75d90b7..87c4579 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,90 @@ ============================= + Release Notes for Samba 4.6.7 + August 9, 2017 + ============================= + + +This is the latest stable release of the Samba 4.6 release series. + + +Changes since 4.6.6: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async. + +o Andrew Bartlett <abart...@samba.org> + * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return + NETLOGON_NT_VERSION_5 when version unspecified. + +o Ralph Boehme <s...@samba.org> + * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly. + * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from + smbd_notifyd_init. + +o Günther Deschner <g...@samba.org> + * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option. + +o David Disseldorp <dd...@samba.org> + * BUG 12911: vfs_ceph: Fix cephwrap_chdir(). + +o Dustin L. Howett + * BUG 12720: idmap_ad: Retry query_user exactly once if we get + TLDAP_SERVER_DOWN. + +o Thomas Jarosch <thomas.jaro...@intra2net.com> + * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p. + +o Volker Lendecke <v...@samba.org> + * BUG 12925: smbd: Fix a connection run-down race condition. + +o Stefan Metzmacher <me...@samba.org> + * BUG 12782: winbindd changes the local password and gets + NT_STATUS_WRONG_PASSWORD for the remote change. + * BUG 12890: s3:smbd: consistently use talloc_tos() memory for + rpc_pipe_open_interface(). + +o Noel Power <noel.po...@suse.com> + * BUG 12937: smbcacls: Don't fail against a directory on Windows using SMB2. + +o Arvid Requate <requ...@univention.de> + * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 12813: dnsserver: Stop dns_name_equal doing OOB read. + +o Andreas Schneider <a...@samba.org> + * BUG 12886: s3:client: The smbspool krb5 wrapper needs negotiate for + authentication. 
+ +o Martin Schwenke <mar...@meltin.net> + * BUG 12898: ctdb-common: Set close-on-exec when creating PID file. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.6.6 July 12, 2017 ============================= @@ -48,8 +134,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.6.5 diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index f063f7b..21c6cfb 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -366,7 +366,7 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec return nt_status; } nt_status = gensec_update_ev(spnego_state->sub_sec_security, - ev, out_mem_ctx, in, out); + out_mem_ctx, ev, in, out); return nt_status; } DEBUG(1, ("Failed to parse SPNEGO request\n")); 
@@ -804,8 +804,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA switch (spnego_state->state_position) { case SPNEGO_FALLBACK: - return gensec_update_ev(spnego_state->sub_sec_security, ev, - out_mem_ctx, in, out); + return gensec_update_ev(spnego_state->sub_sec_security, + out_mem_ctx, ev, in, out); case SPNEGO_SERVER_START: { NTSTATUS nt_status; diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c index 4ae6101..9c7325a 100644 --- a/auth/ntlmssp/ntlmssp_util.c +++ b/auth/ntlmssp/ntlmssp_util.c @@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state, { uint32_t missing_flags = ntlmssp_state->required_flags; + if (ntlmssp_state->use_ntlmv2) { + /* + * Using NTLMv2 as a client implies + * using NTLMSSP_NEGOTIATE_NTLM2 + * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) + * + * Note that 'use_ntlmv2' is only set + * true in the client case. + * + * Even if the server has a bug and does not announce + * it, we need to assume it's present. + * + * Note that we also have the flag + * in ntlmssp_state->required_flags, + * see gensec_ntlmssp_client_start(). + * + * See bug #12862. + */ + flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + if (flags & NTLMSSP_NEGOTIATE_UNICODE) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE; ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM; diff --git a/buildtools/wafsamba/samba_bundled.py b/buildtools/wafsamba/samba_bundled.py index ea88807..aa6199e 100644 --- a/buildtools/wafsamba/samba_bundled.py +++ b/buildtools/wafsamba/samba_bundled.py @@ -110,6 +110,7 @@ def LIB_MUST_BE_PRIVATE(conf, libname): @conf def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, minversion='0.0.0', + maxversion=None, version_blacklist=[], onlyif=None, implied_deps=None, pkg=None): '''check if a library is available as a system library. 
@@ -117,12 +118,15 @@ def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, minversion='0.0.0', ''' return conf.CHECK_BUNDLED_SYSTEM(libname, minversion=minversion, + maxversion=maxversion, + version_blacklist=version_blacklist, onlyif=onlyif, implied_deps=implied_deps, pkg=pkg) @conf def CHECK_BUNDLED_SYSTEM(conf, libname, minversion='0.0.0', + maxversion=None, version_blacklist=[], checkfunctions=None, headers=None, checkcode=None, onlyif=None, implied_deps=None, require_headers=True, pkg=None, set_target=True): @@ -181,16 +185,29 @@ def CHECK_BUNDLED_SYSTEM(conf, libname, minversion='0.0.0', minversion = minimum_library_version(conf, libname, minversion) msg = 'Checking for system %s' % libname + msg_ver = [] if minversion != '0.0.0': - msg += ' >= %s' % minversion + msg_ver.append('>=%s' % minversion) + if maxversion is not None: + msg_ver.append('<=%s' % maxversion) + for v in version_blacklist: + msg_ver.append('!=%s' % v) + if msg_ver != []: + msg += " (%s)" % (" ".join(msg_ver)) uselib_store=libname.upper() if pkg is None: pkg = libname + version_checks = '%s >= %s' % (pkg, minversion) + if maxversion is not None: + version_checks += ' %s <= %s' % (pkg, maxversion) + for v in version_blacklist: + version_checks += ' %s != %s' % (pkg, v) + # try pkgconfig first if (conf.CHECK_CFG(package=pkg, - args='"%s >= %s" --cflags --libs' % (pkg, minversion), + args='"%s" --cflags --libs' % (version_checks), msg=msg, uselib_store=uselib_store) and check_functions_headers_code()): if set_target: diff --git a/ctdb/common/pidfile.c b/ctdb/common/pidfile.c index b3f29e3..51c0c25 100644 --- a/ctdb/common/pidfile.c +++ b/ctdb/common/pidfile.c @@ -22,6 +22,8 @@ #include <talloc.h> +#include "lib/util/blocking.h" + #include "common/pidfile.h" struct pidfile_context { @@ -61,6 +63,12 @@ int pidfile_create(TALLOC_CTX *mem_ctx, const char *pidfile, goto fail; } + if (! set_close_on_exec(fd)) { + close(fd); + ret = EIO; + goto fail; + } + pid_ctx->fd = fd; lck = (struct flock) { 
diff --git a/ctdb/config/events.d/60.nfs b/ctdb/config/events.d/60.nfs index 02d6e2b..98a18c3 100755 --- a/ctdb/config/events.d/60.nfs +++ b/ctdb/config/events.d/60.nfs @@ -256,20 +256,20 @@ is_ctdb_managed_service || exit 0 case "$1" in startup) - nfs_callout "$@" + nfs_callout "$@" || exit $? ;; shutdown) - nfs_callout "$@" + nfs_callout "$@" || exit $? ;; takeip) - nfs_callout "$@" + nfs_callout "$@" || exit $? ctdb_service_set_reconfigure ;; releaseip) - nfs_callout "$@" + nfs_callout "$@" || exit $? ctdb_service_set_reconfigure ;; diff --git a/ctdb/config/functions b/ctdb/config/functions index 7e37bbb..3826324 100755 --- a/ctdb/config/functions +++ b/ctdb/config/functions @@ -150,7 +150,7 @@ script_log () *) # Handle all syslog:* variants here too. There's no tool to do # the lossy things, so just use logger. - logger -t "ctdbd: ${_tag}" "$*" + logger -t "ctdbd: ${_tag}" "$@" ;; esac } diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c index 6bed61c..813a1ad 100644 --- a/ctdb/server/ctdb_recover.c +++ b/ctdb/server/ctdb_recover.c 
@@ -856,26 +856,24 @@ int32_t ctdb_control_set_recmode(struct ctdb_context *ctdb, struct set_recmode_state *state; struct ctdb_cluster_mutex_handle *h; + if (recmode == ctdb->recovery_mode) { + D_INFO("Recovery mode already set to %s\n", + recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE"); + return 0; + } + + D_NOTICE("Recovery mode set to %s\n", + recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE"); + /* if we enter recovery but stay in recovery for too long we will eventually drop all our ip addresses */ - if (recmode == CTDB_RECOVERY_NORMAL) { - talloc_free(ctdb->release_ips_ctx); - ctdb->release_ips_ctx = NULL; - } else { + if (recmode == CTDB_RECOVERY_ACTIVE) { if (ctdb_deferred_drop_all_ips(ctdb) != 0) { - DEBUG(DEBUG_ERR,("Failed to set up deferred drop all ips\n")); + D_ERR("Failed to set up deferred drop all ips\n"); } - } - if (recmode != ctdb->recovery_mode) { - DEBUG(DEBUG_NOTICE,(__location__ " Recovery mode set to %s\n", - recmode==CTDB_RECOVERY_NORMAL?"NORMAL":"ACTIVE")); - } - - if (recmode != CTDB_RECOVERY_NORMAL || - ctdb->recovery_mode != CTDB_RECOVERY_ACTIVE) { - ctdb->recovery_mode = recmode; + ctdb->recovery_mode = CTDB_RECOVERY_ACTIVE; return 0; } @@ -884,6 +882,8 @@ int32_t ctdb_control_set_recmode(struct ctdb_context *ctdb, * Therefore, what follows is special handling when setting * recovery mode back to normal */ + TALLOC_FREE(ctdb->release_ips_ctx); + for (ctdb_db = ctdb->db_list; ctdb_db != NULL; ctdb_db = ctdb_db->next) { if (ctdb_db->generation != ctdb->vnn_map->generation) { DEBUG(DEBUG_ERR, diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c index 9ea0f61..d9cc4a2 100644 --- a/ctdb/server/ctdb_recoverd.c +++ b/ctdb/server/ctdb_recoverd.c 
@@ -2608,6 +2608,13 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, return; } + ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), + CTDB_CURRENT_NODE, &ctdb->recovery_mode); + if (ret != 0) { + D_ERR("Failed to read recmode from local node\n"); + return; + } + /* if the local daemon is STOPPED or BANNED, we verify that the databases are also frozen and that the recmode is set to active. */ @@ -2620,10 +2627,6 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, */ rec->priority_time = timeval_current(); - ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, &ctdb->recovery_mode); - if (ret != 0) { - DEBUG(DEBUG_ERR,(__location__ " Failed to read recmode from local node\n")); - } if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) { DEBUG(DEBUG_ERR,("Node is stopped or banned but recovery mode is not active. Activate recovery mode and lock databases\n")); @@ -2667,9 +2670,11 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec, return; } - /* Check if an IP takeover run is needed and trigger one if - * necessary */ - verify_local_ip_allocation(ctdb, rec, pnn, nodemap); + if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) { + /* Check if an IP takeover run is needed and trigger one if + * necessary */ + verify_local_ip_allocation(ctdb, rec, pnn, nodemap); + } /* if we are not the recmaster then we do not need to check if recovery is needed diff --git a/ctdb/server/ctdb_recovery_helper.c b/ctdb/server/ctdb_recovery_helper.c index 0222aa0..474b900 100644 --- a/ctdb/server/ctdb_recovery_helper.c +++ b/ctdb/server/ctdb_recovery_helper.c @@ -1627,6 +1627,7 @@ static void recover_db_freeze_done(struct tevent_req *subreq) if (ret2 != 0) { LOG("control FREEZE_DB failed for db %s on node %u," " ret=%d\n", state->db_name, pnn, ret2); + state->ban_credits[pnn] += 1; } else { LOG("control FREEZE_DB failed for db %s, ret=%d\n", state->db_name, ret); 
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh similarity index 100% copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh copy to ctdb/tests/eventscripts/06.nfs.releaseip.001.sh diff --git a/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh new file mode 100755 index 0000000..c0b8939 --- /dev/null +++ b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "callout is 'false', causes releaseip-pre to fail" + +setup_nfs + +export CTDB_NFS_CALLOUT="echo releaseip-pre ; false" + +required_result 1 "releaseip-pre" +simple_test diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/06.nfs.takeip.001.sh similarity index 100% copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh copy to ctdb/tests/eventscripts/06.nfs.takeip.001.sh diff --git a/ctdb/tests/eventscripts/06.nfs.takeip.002.sh b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh new file mode 100755 index 0000000..1baf351 --- /dev/null +++ b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "callout is 'false', causes takeip-pre to fail" + +setup_nfs + +export CTDB_NFS_CALLOUT="echo takeip-pre ; false" + +required_result 1 "takeip-pre" +simple_test diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.109.sh b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh new file mode 100755 index 0000000..a86f6d9 --- /dev/null +++ b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "callout is 'false', causes monitor-post to fail" + +setup_nfs + +export CTDB_NFS_CALLOUT="echo monitor-post ; false" + +required_result 1 "monitor-post" +simple_test 
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh similarity index 100% copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh copy to ctdb/tests/eventscripts/60.nfs.releaseip.001.sh diff --git a/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh new file mode 100755 index 0000000..68f636f --- /dev/null +++ b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +. "${TEST_SCRIPTS_DIR}/unit.sh" + +define_test "callout is 'false', causes releaseip to fail" + +setup_nfs + +export CTDB_NFS_CALLOUT="echo releaseip ; false" + +required_result 1 "releaseip" +simple_test diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh similarity index 100% copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh copy to ctdb/tests/eventscripts/60.nfs.shutdown.001.sh diff --git a/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh b/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh -- Samba Shared Repository
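
Review bot: In auth/gensec/spnego.c, both corrected gensec_update_ev() calls (in gensec_spnego_server_try_fallback() and in the SPNEGO_FALLBACK case of gensec_spnego_update()) fix a swap of ev and out_mem_ctx that the compiler could not flag, and the diffstat shows no test that obviously drives the fallback path. TALLOC_CTX is void, so either argument order compiles cleanly. A torture test that sends a non-SPNEGO token so the server takes the fallback branch would stop this from regressing silently.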
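
Review bot: In ntlmssp_handle_neg_flags() in auth/ntlmssp/ntlmssp_util.c, the new use_ntlmv2 block sets NTLMSSP_NEGOTIATE_NTLM2 in flags unconditionally, so nothing records whether the server actually announced it. Checking the bit before the "flags |= NTLMSSP_NEGOTIATE_NTLM2;" line and emitting a debug message when it was absent would let an administrator see from the logs which servers hit the bug #12862 case, without changing the enforcement itself.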
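
Review bot: In buildtools/wafsamba/samba_bundled.py, the new version_blacklist=[] parameter on CHECK_BUNDLED_SYSTEM_PKG() and CHECK_BUNDLED_SYSTEM() is a mutable default argument, and neither docstring is updated to describe maxversion or version_blacklist. The list is only iterated in the visible code, so it is harmless today, but version_blacklist=None with "for v in (version_blacklist or [])" is the safer idiom. The docstring should also state that maxversion is inclusive, since the generated check is "%s <= %s", and "if msg_ver != []:" reads more naturally as "if msg_ver:".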
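
Review bot: In pidfile_create() in ctdb/common/pidfile.c, the new set_close_on_exec() failure path hardcodes "ret = EIO;", which discards whatever error the underlying call reported. If set_close_on_exec() leaves errno set on failure, saving it before close(fd) and returning that value would give the caller a more useful diagnosis. Where the platform supports it, requesting close-on-exec at the time the descriptor is opened would also remove the short window in which the descriptor exists without the flag.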
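
Review bot: In script_log() in ctdb/config/functions, the switch from "$*" to "$@" on the logger line changes behaviour when no message arguments are passed, and the surrounding comment does not say so. With "$*" logger always receives one (possibly empty) message argument, whereas "$@" expands to no words at all and logger then reads its message from standard input. A one-line comment stating that the no-argument case is meant to log stdin would make the intent clear to the next reader.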
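
Review bot: In ctdb_control_set_recmode() in ctdb/server/ctdb_recover.c, the restructured CTDB_RECOVERY_ACTIVE branch still sets ctdb->recovery_mode and returns 0 when ctdb_deferred_drop_all_ips() fails, so the caller cannot tell that the deferred drop of IP addresses was never armed. The failure is only logged through D_ERR. Either return an error here or add a comment explaining why continuing without the deferred drop is acceptable. The function also now mixes the D_ERR/D_NOTICE macros with the older DEBUG(DEBUG_ERR, ...) form a few lines below, which is worth unifying while the code is being touched.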