The branch, v4-6-stable has been updated
       via  a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.
       via  7f7e329 WHATSNEW: Add release notes for Samba 4.6.7.
       via  f2a0600 s4-cldap/netlogon: Match Windows 2012R2 and return 
NETLOGON_NT_VERSION_5 when version unspecified
       via  0ee93fe s4-dsdb/netlogon: allow missing ntver in cldap ping
       via  38d8f3c s4:torture/ldap: Test netlogon without NtVer
       via  3a5cf43 s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 
(windows only)
       via  fd96410 vfs_ceph: fix cephwrap_chdir()
       via  a81b8f2 s3: smbd: Fix a read after free if a chained SMB1 call goes 
async.
       via  6155eba s3: libsmb: Fix use-after-free when accessing pointer *p.
       via  378886b smbd: Fix a connection run-down race condition
       via  c1e5a22 s3/notifyd: ensure notifyd doesn't return from 
smbd_notifyd_init
       via  8c0f377 ctdb-common: Set close-on-exec when creating PID file
       via  791b217 vfs_fruit: don't use MS NFS ACEs with Windows clients
       via  6af5fcc s3:client: The smbspool krb5 wrapper needs negotiate for 
authentication
       via  1714d0c vfs_fruit: add fruit:model = <modelname> parametric option
       via  1ec8c4a idmap_ad: Retry query_user exactly once if we get 
TLDAP_SERVER_DOWN
       via  73550d1 selftest: Do not force run of kcc at start of selftest
       via  9251372 selftest:Samba3: call "net primarytrust dumpinfo" 
setup_nt4_member() after the join
       via  dd573c0 s3:secrets: remove unused 
secrets_store_[prev_]machine_password()
       via  d71aa30 s3:libads: make use of secrets_*_password_change() in 
ads_change_trust_account_password()
       via  15a7a36 net: make use of secrets_*_password_change() for "net 
changesecretpw"
       via  13a2325 s3:trusts_util: make use the workstation password change 
more robust
       via  de1faa7 s3:libnet: make use of secrets_store_JoinCtx()
       via  56403c7 net: add "net primarytrust dumpinfo" command that dumps the 
details of the workstation trust
       via  835cc12 s3:secrets: add infrastructure to use secrets_domain_infoB 
to store credentials
       via  cc67ccb secrets.idl: add secrets_domain_info that will be used in 
secrets.tdb for machine account trusts
       via  d80ef0b netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in 
netr_trust_extension
       via  59e23da netlogon.idl: make netr_TrustFlags [public]
       via  b7e7ac3 lsa.idl: make lsa_DnsDomainInfo [public]
       via  fc98574 s3:trusts_util: also pass the previous_nt_hash to 
netlogon_creds_cli_auth()
       via  f7c05a3 libcli/auth: pass the cleartext blob to 
netlogon_creds_cli_ServerPasswordSet*()
       via  5d56612 libcli/auth: add const to set_pw_in_buffer()
       via  29fa179 libcli/auth: pass an array of nt_hashes to 
netlogon_creds_cli_auth*()
       via  d41f361 s3:trusts_util: pass dcname to trust_pw_change()
       via  324af75 s3:secrets: use secrets_delete for all keys in 
secrets_delete_machine_password_ex()
       via  7481722 s3:secrets: let secrets_delete_machine_password_ex() also 
remove the des_salt key
       via  36ae6bc s3:secrets: let secrets_delete_machine_password_ex() remove 
SID and GUID too
       via  fc8506d s3:secrets: rewrite secrets_delete_machine_password_ex() 
using helper variables
       via  bce615d s3:secrets: replace secrets_delete_prev_machine_password() 
by secrets_delete()
       via  c54cf09 s3:secrets: let secrets_store_machine_pw_sync() delete the 
des_salt_key when there's no value
       via  dd0f49a s3:secrets: make use of secrets_delete() in 
secrets_store_machine_pw_sync()
       via  4e649f7 s3:secrets: re-add secrets_delete() helper to simplify 
deleting optional keys
       via  45ed7f3 s3:secrets: rename secrets_delete() to 
secrets_delete_entry()
       via  e67bc70 s3:secrets: make use of des_salt_key() in 
secrets_store_machine_pw_sync()
       via  f8dc7f3 s3:secrets: add some const to secrets_store_domain_guid()
       via  f297455 s3:secrets: split out a domain_guid_keystr() function
       via  3341df2 s3:secrets: rework des_salt_key() to take the realm as 
argument
       via  cfba2c4 s3:secrets: move kerberos_secrets_*salt related functions 
to machine_account_secrets.c
       via  f68f8f6 s3:libads: remove unused 
kerberos_fetch_salt_princ_for_host_princ()
       via  0ce8cd8 s3:libads: make use of kerberos_secrets_fetch_salt_princ() 
in ads_keytab_add_entry()
       via  bf90563 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
       via  14add2c s3:gse_krb5: simplify fill_keytab_from_password() by using 
kerberos_fetch_salt_princ()
       via  6e1f7e2 s3:libads: provide a simpler kerberos_fetch_salt_princ() 
function
       via  bfccba4 s3:libads: remove 
kerberos_secrets_fetch_salting_principal() fallback
       via  beb5f2b s3:libnet_join: move kerberos_secrets_store_des_salt() to 
libnet_join_joindomain_store_secrets()
       via  4e5c9b5 s3:libnet_join: move libnet_join_joindomain_store_secrets() 
to libnet_join_post_processing()
       via  cb36b61 s3:libnet_join: call do_JoinConfig() after we did remote 
changes on the server
       via  1b648aa s3:libnet_join: split libnet_join_post_processing_ads() 
into modify/sync
       via  b098b48 s3:libnet_join: move kerberos_secrets_store_des_salt() out 
of libnet_join_derive_salting_principal()
       via  e709972 s3:libnet_join: remember r->out.krb5_salt in 
libnet_join_derive_salting_principal()
       via  15cefb9 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
       via  d353c40 s3:libnet_join: remember the domain_guid for AD domains
       via  0c9f0d5 s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
       via  43cce73 s3:libnet_join: calculate r->out.account_name in 
libnet_join_pre_processing()
       via  b76556f s3:libnet_join: remove dead code from 
libnet_join_connect_ads()
       via  691d69f krb5_wrap: add smb_krb5_salt_principal2data()
       via  ea40c72 krb5_wrap: add smb_krb5_salt_principal()
       via  cf5d62e s3:libads: remove unused 
kerberos_secrets_store_salting_principal()
       via  5687cb0 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
       via  6297a35 idl_types.h: add NDR_SECRET shortcut
       via  48a9a30 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
       via  e73f37d librpc/ndr: align the definition of LIBNDR_STRING_FLAGS 
with currently defined flags
       via  4e323ae pidl:NDR/Parser: add missing {start,end}_flags() to 
ParseElementPrint()
       via  ce91c2e s3:smbd: consistently use talloc_tos() memory for 
rpc_pipe_open_interface()
       via  8ac00af selftest: add a test for accessing previous version of 
directories with snapdirseverywhere
       via  7916e1a s3/smbd: let non_widelink_open() chdir() to directories 
directly
       via  80aeac8 dnsserver: Stop dns_name_equal doing OOB read
       via  04676d6 selftest: Do not enable inbound replication during 
replica_sync
       via  7b04fb4 VERSION: Bump version up to 4.6.7...
       via  b528634 Merge branch 'v4-6-stable' into v4-6-test
       via  05782d5 s3:tests: Do *NOT* flush the complete gencache!
       via  24a5c45 selftest: Do *NOT* flush the complete gencache!
       via  cb6771c ldb: protect Samba < 4.7 against incompatible ldb versions 
and require ldb < 1.2.0
       via  85dbd4d wafsamba: add maxversion and version_blacklist to 
CHECK_BUNDLED_SYSTEM[_PKG]()
       via  a971f23 s3:gse_krb5: fix a possible crash in 
fill_mem_keytab_from_system_keytab()
       via  eb587fb selftest: Also wait for winbindd to start
       via  9bf2391 s3:smb2_create: avoid reusing the 'tevent_req' within 
smbd_smb2_create_send()
       via  d2bf63c auth/spnego: fix gensec_update_ev() argument order for the 
SPNEGO_FALLBACK case
       via  545b0c4 s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with 
"server max protocol = SMB2_02"
       via  18f3dbb samba-tool: fix log message of 'samba-tool user 
syncpasswords'
       via  15ed7a9 s3:tests: Do not delete the contets of LOCAL_PATH with 
tarmode test
       via  f625a63 auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the 
NTLMv2 client case
       via  8aea504 s3: smbd: fix regression with non-wide symlinks to 
directories over SMB3.
       via  79afb2e s3: smbd: Add regression test for non-wide symlinks to 
directories fail over SMB3.
       via  c850f47 docs-xml: Sort input file list
       via  fad0c0d s3: libsmb: Correctly save and restore connection tcon in 
smbclient, smbcacls and smbtorture3.
       via  d2a309b s3: libsmb: Correctly do lifecycle management on 
cli->smb1.tcon and cli->smb2.tcon.
       via  de0fbbe s3: libsmb: Fix cli_state_has_tcon() to cope with SMB2 
connections.
       via  8edc00e s3: libsmb: Widen cli_state_get_tid() / cli_state_set_tid() 
to 32-bits.
       via  c519326 s3: smbtorture: Show correct use of cli_state_save_tcon() / 
cli_state_restore_tcon().
       via  b17ab94 s3: libsmb: Add cli_state_save_tcon() / 
cli_state_restore_tcon().
       via  d261f6d libcli: smb: Add smb2cli_tcon_set_id().
       via  0ea8e0b libcli: smb: Add smbXcli_tcon_copy().
       via  9d053cf s3: smbd: When deleting an fsp pointer ensure we don't keep 
any references to it around.
       via  f10ce74 ctdb-recovery: Do not run local ip verification when in 
recovery
       via  9f25dff ctdb-recovery: Get recmode unconditionally in the main_loop
       via  59ac9bf ctdb-recovery: Finish processing for recovery mode ACTIVE 
first
       via  7ee7e65 ctdb-recovery: Simplify logging of recovery mode setting
       via  89ee737 ctdb-recovery: Setting up of recmode should be idempotent
       via  a227893 ctdb-recovery: Assign banning credits if database fails to 
freeze
       via  6e11262 ctdb-scripts: Don't send empty argument string to logger
       via  9670a0d Bug 15852. There are valid paths where 
conn->lsa_pipe_tcp->transport is NULL. Protect against this.
       via  8a7d05e s3:tests: Add test for smbclient -UDOMAIN+username
       via  282560e s3:popt_common: Reparse the username in 
popt_common_credentials_post()
       via  8dc2be5 s3:smb2_sesssetup: allow a compound request after a 
SessionSetup
       via  6e6fb56d s3:smb2_tcon: allow a compound request after a TreeConnect
       via  29c2411 s3:libsmb: add cli_state_update_after_sesssetup() helper 
function
       via  ada73fa libcli/smb: Fix alignment problems of smb_bytes_pull_str()
       via  5a4f2e0 libcli:smb2: Gracefully handle not supported for 
FSCTL_VALIDATE_NEGOTIATE_INFO
       via  b4e1d73 ctdb-tests: Add more NFS eventscript tests for call-out 
failures
       via  6d5c1f6 ctdb-scripts: NFS call-out failures should cause event 
failure
       via  c08e056 messaging: fix net command failure due to unhandled return 
code
       via  ad1f953 shadow_copy_get_shadow_copy_data: fix GCC snprintf warning
       via  e550c8a ndr tests: silence a harmless warning
       via  123bfe0 s4:torture: Fix comparison between pointer and zero 
character constant
       via  fdcfdcd waf: Do not trhow a format-truncation error for 
test/snprintf.c
       via  3afa33b replace: Use the same size as d_name member of struct dirent
      from  55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   90 +-
 auth/gensec/spnego.c                               |    6 +-
 auth/ntlmssp/ntlmssp_util.c                        |   21 +
 buildtools/wafsamba/samba_bundled.py               |   21 +-
 ctdb/common/pidfile.c                              |    8 +
 ctdb/config/events.d/60.nfs                        |    8 +-
 ctdb/config/functions                              |    2 +-
 ctdb/server/ctdb_recover.c                         |   28 +-
 ctdb/server/ctdb_recoverd.c                        |   19 +-
 ctdb/server/ctdb_recovery_helper.c                 |    1 +
 ....nfs.monitor.107.sh => 06.nfs.releaseip.001.sh} |    0
 ctdb/tests/eventscripts/06.nfs.releaseip.002.sh    |   12 +
 ...{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} |    0
 ctdb/tests/eventscripts/06.nfs.takeip.002.sh       |   12 +
 ctdb/tests/eventscripts/60.nfs.monitor.109.sh      |   12 +
 ....nfs.monitor.107.sh => 60.nfs.releaseip.001.sh} |    0
 ctdb/tests/eventscripts/60.nfs.releaseip.002.sh    |   12 +
 ...0.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} |    0
 ctdb/tests/eventscripts/60.nfs.shutdown.002.sh     |   12 +
 ...60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} |    0
 ctdb/tests/eventscripts/60.nfs.startup.002.sh      |   12 +
 ...{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} |    0
 ctdb/tests/eventscripts/60.nfs.takeip.002.sh       |   12 +
 docs-xml/Makefile                                  |    2 +-
 docs-xml/manpages/vfs_fruit.8.xml                  |    9 +
 lib/krb5_wrap/krb5_samba.c                         |  187 +++
 lib/krb5_wrap/krb5_samba.h                         |   10 +
 lib/ldb/wscript                                    |   19 +-
 lib/replace/test/os2_delete.c                      |    2 +-
 lib/replace/wscript                                |    3 +-
 libcli/auth/netlogon_creds_cli.c                   |   78 +-
 libcli/auth/netlogon_creds_cli.h                   |   16 +-
 libcli/auth/proto.h                                |    2 +-
 libcli/auth/smbencrypt.c                           |    2 +-
 libcli/smb/smb1cli_session.c                       |   28 +-
 libcli/smb/smbXcli_base.c                          |   52 +
 libcli/smb/smbXcli_base.h                          |    3 +
 libcli/smb/smb_util.h                              |    3 +-
 libcli/smb/util.c                                  |   47 +-
 librpc/idl/idl_types.h                             |    6 +
 librpc/idl/lsa.idl                                 |    2 +-
 librpc/idl/netlogon.idl                            |    6 +-
 librpc/ndr/libndr.h                                |   24 +-
 librpc/ndr/ndr.c                                   |   23 +
 librpc/ndr/ndr_basic.c                             |   44 +
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm           |    4 +
 python/samba/netcmd/user.py                        |    2 +-
 selftest/target/Samba3.pm                          |   22 +-
 selftest/target/Samba4.pm                          |   75 +-
 source3/client/client.c                            |    5 +-
 source3/client/smbspool_krb5_wrapper.c             |   29 +-
 source3/include/ntioctl.h                          |    2 +-
 source3/include/proto.h                            |    1 +
 source3/include/secrets.h                          |   38 +-
 source3/lib/messages.c                             |    6 +-
 source3/lib/popt_common.c                          |   15 +
 source3/lib/util_sd.c                              |   24 +-
 source3/libads/kerberos.c                          |  200 ---
 source3/libads/kerberos_keytab.c                   |   14 +-
 source3/libads/kerberos_proto.h                    |    8 -
 source3/libads/util.c                              |  106 +-
 source3/libnet/libnet_join.c                       |  127 +-
 source3/libnet/libnet_keytab.c                     |    5 +-
 source3/librpc/crypto/gse_krb5.c                   |   48 +-
 source3/librpc/idl/libnet_join.idl                 |    4 +-
 source3/librpc/idl/secrets.idl                     |   92 +-
 source3/librpc/wscript_build                       |    2 +-
 source3/libsmb/cliconnect.c                        |   97 +-
 source3/libsmb/clidfs.c                            |   18 +-
 source3/libsmb/clientgen.c                         |   67 +-
 source3/libsmb/libsmb_dir.c                        |    6 +-
 source3/libsmb/proto.h                             |    7 +-
 source3/libsmb/trusts_util.c                       |  276 +++-
 source3/modules/vfs_ceph.c                         |    7 -
 source3/modules/vfs_default.c                      |   33 +-
 source3/modules/vfs_fruit.c                        |   12 +-
 source3/modules/vfs_shadow_copy.c                  |   11 +-
 source3/passdb/machine_account_secrets.c           | 1661 ++++++++++++++++++--
 source3/passdb/secrets.c                           |   25 +-
 source3/passdb/secrets_lsa.c                       |    2 +-
 source3/rpc_client/cli_netlogon.c                  |   15 +-
 source3/rpcclient/cmd_netlogon.c                   |    2 +
 source3/script/tests/test_shadow_copy.sh           |   23 +
 source3/script/tests/test_smbclient_basic.sh       |   62 +
 source3/script/tests/test_smbclient_s3.sh          |   55 +
 source3/script/tests/test_smbclient_tarmode.sh     |   10 +-
 source3/script/tests/test_wbinfo_sids2xids_int.py  |   25 +-
 source3/selftest/tests.py                          |    5 +-
 source3/smbd/files.c                               |    4 +-
 source3/smbd/lanman.c                              |   20 +-
 source3/smbd/open.c                                |   54 +-
 source3/smbd/process.c                             |    2 +-
 source3/smbd/reply.c                               |    2 +-
 source3/smbd/server.c                              |    8 +-
 source3/smbd/smb2_create.c                         |   43 +-
 source3/smbd/smb2_ioctl_network_fs.c               |   17 +
 source3/smbd/smb2_sesssetup.c                      |    1 +
 source3/smbd/smb2_tcon.c                           |    2 +
 source3/torture/test_smb2.c                        |    8 +-
 source3/torture/torture.c                          |   24 +-
 source3/utils/net.c                                |  142 +-
 source3/utils/net_rpc.c                            |   20 +-
 source3/utils/smbcacls.c                           |   26 +-
 source3/winbindd/idmap_ad.c                        |   19 +-
 source3/winbindd/winbindd_cm.c                     |    8 +-
 source3/winbindd/winbindd_dual.c                   |    1 +
 source3/winbindd/winbindd_dual_srv.c               |    2 +
 source4/dsdb/samdb/ldb_modules/netlogon.c          |    6 +-
 source4/rpc_server/dnsserver/dnsdata.c             |    4 +-
 source4/torture/drs/python/replica_sync.py         |   51 -
 source4/torture/ldap/netlogon.c                    |   48 +
 source4/torture/masktest.c                         |    2 +-
 source4/torture/ndr/string.c                       |   20 +-
 source4/torture/vfs/fruit.c                        |    8 +-
 115 files changed, 3783 insertions(+), 865 deletions(-)
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 
06.nfs.releaseip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} 
(100%)
 create mode 100755 ctdb/tests/eventscripts/06.nfs.takeip.002.sh
 create mode 100755 ctdb/tests/eventscripts/60.nfs.monitor.109.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 
60.nfs.releaseip.001.sh} (100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} 
(100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} 
(100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.startup.002.sh
 copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} 
(100%)
 create mode 100755 ctdb/tests/eventscripts/60.nfs.takeip.002.sh
 create mode 100755 source3/script/tests/test_smbclient_basic.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 8fc1d16..113a562 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 75d90b7..87c4579 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,90 @@
                    =============================
+                   Release Notes for Samba 4.6.7
+                           August 9, 2017
+                   =============================
+
+
+This is the latest stable release of the Samba 4.6 release series.
+
+
+Changes since 4.6.6:
+---------------------
+
+o  Jeremy Allison <j...@samba.org>
+   * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes 
async.
+
+o  Andrew Bartlett <abart...@samba.org>
+   * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
+     NETLOGON_NT_VERSION_5 when version unspecified.
+
+o  Ralph Boehme <s...@samba.org>
+   * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories 
directly.
+   * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
+     smbd_notifyd_init.
+
+o  G√ľnther Deschner <g...@samba.org>
+   * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option.
+
+o  David Disseldorp <dd...@samba.org>
+   * BUG 12911: vfs_ceph: Fix cephwrap_chdir().
+
+o  Dustin L. Howett
+   * BUG 12720: idmap_ad: Retry query_user exactly once if we get
+     TLDAP_SERVER_DOWN.
+
+o  Thomas Jarosch <thomas.jaro...@intra2net.com>
+   * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
+
+o  Volker Lendecke <v...@samba.org>
+   * BUG 12925: smbd: Fix a connection run-down race condition.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 12782: winbindd changes the local password and gets
+     NT_STATUS_WRONG_PASSWORD for the remote change.
+   * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
+     rpc_pipe_open_interface().
+
+o  Noel Power <noel.po...@suse.com>
+   * BUG 12937: smbcacls: Don't fail against a directory on Windows using SMB2.
+
+o  Arvid Requate <requ...@univention.de>
+   * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
+
+o  Garming Sam <garm...@catalyst.net.nz>
+   * BUG 12813: dnsserver: Stop dns_name_equal doing OOB read.
+
+o  Andreas Schneider <a...@samba.org>
+   * BUG 12886: s3:client: The smbspool krb5 wrapper needs negotiate for
+     authentication.
+
+o  Martin Schwenke <mar...@meltin.net>
+   * BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.6.6
                             July 12, 2017
                    =============================
@@ -48,8 +134,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.6.5
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f063f7b..21c6cfb 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -366,7 +366,7 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct 
gensec_security *gensec
                        return nt_status;
                }
                nt_status = gensec_update_ev(spnego_state->sub_sec_security,
-                                         ev, out_mem_ctx, in, out);
+                                            out_mem_ctx, ev, in, out);
                return nt_status;
        }
        DEBUG(1, ("Failed to parse SPNEGO request\n"));
@@ -804,8 +804,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security 
*gensec_security, TA
 
        switch (spnego_state->state_position) {
        case SPNEGO_FALLBACK:
-               return gensec_update_ev(spnego_state->sub_sec_security, ev,
-                                    out_mem_ctx, in, out);
+               return gensec_update_ev(spnego_state->sub_sec_security,
+                                       out_mem_ctx, ev, in, out);
        case SPNEGO_SERVER_START:
        {
                NTSTATUS nt_status;
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 4ae6101..9c7325a 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state 
*ntlmssp_state,
 {
        uint32_t missing_flags = ntlmssp_state->required_flags;
 
+       if (ntlmssp_state->use_ntlmv2) {
+               /*
+                * Using NTLMv2 as a client implies
+                * using NTLMSSP_NEGOTIATE_NTLM2
+                * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+                *
+                * Note that 'use_ntlmv2' is only set
+                * true in the client case.
+                *
+                * Even if the server has a bug and does not announce
+                * it, we need to assume it's present.
+                *
+                * Note that we also have the flag
+                * in ntlmssp_state->required_flags,
+                * see gensec_ntlmssp_client_start().
+                *
+                * See bug #12862.
+                */
+               flags |= NTLMSSP_NEGOTIATE_NTLM2;
+       }
+
        if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
diff --git a/buildtools/wafsamba/samba_bundled.py 
b/buildtools/wafsamba/samba_bundled.py
index ea88807..aa6199e 100644
--- a/buildtools/wafsamba/samba_bundled.py
+++ b/buildtools/wafsamba/samba_bundled.py
@@ -110,6 +110,7 @@ def LIB_MUST_BE_PRIVATE(conf, libname):
 
 @conf
 def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, minversion='0.0.0',
+        maxversion=None, version_blacklist=[],
         onlyif=None, implied_deps=None, pkg=None):
     '''check if a library is available as a system library.
 
@@ -117,12 +118,15 @@ def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, 
minversion='0.0.0',
     '''
     return conf.CHECK_BUNDLED_SYSTEM(libname,
                                      minversion=minversion,
+                                     maxversion=maxversion,
+                                     version_blacklist=version_blacklist,
                                      onlyif=onlyif,
                                      implied_deps=implied_deps,
                                      pkg=pkg)
 
 @conf
 def CHECK_BUNDLED_SYSTEM(conf, libname, minversion='0.0.0',
+                         maxversion=None, version_blacklist=[],
                          checkfunctions=None, headers=None, checkcode=None,
                          onlyif=None, implied_deps=None,
                          require_headers=True, pkg=None, set_target=True):
@@ -181,16 +185,29 @@ def CHECK_BUNDLED_SYSTEM(conf, libname, 
minversion='0.0.0',
     minversion = minimum_library_version(conf, libname, minversion)
 
     msg = 'Checking for system %s' % libname
+    msg_ver = []
     if minversion != '0.0.0':
-        msg += ' >= %s' % minversion
+        msg_ver.append('>=%s' % minversion)
+    if maxversion is not None:
+        msg_ver.append('<=%s' % maxversion)
+    for v in version_blacklist:
+        msg_ver.append('!=%s' % v)
+    if msg_ver != []:
+        msg += " (%s)" % (" ".join(msg_ver))
 
     uselib_store=libname.upper()
     if pkg is None:
         pkg = libname
 
+    version_checks = '%s >= %s' % (pkg, minversion)
+    if maxversion is not None:
+        version_checks += ' %s <= %s' % (pkg, maxversion)
+    for v in version_blacklist:
+        version_checks += ' %s != %s' % (pkg, v)
+
     # try pkgconfig first
     if (conf.CHECK_CFG(package=pkg,
-                      args='"%s >= %s" --cflags --libs' % (pkg, minversion),
+                      args='"%s" --cflags --libs' % (version_checks),
                       msg=msg, uselib_store=uselib_store) and
         check_functions_headers_code()):
         if set_target:
diff --git a/ctdb/common/pidfile.c b/ctdb/common/pidfile.c
index b3f29e3..51c0c25 100644
--- a/ctdb/common/pidfile.c
+++ b/ctdb/common/pidfile.c
@@ -22,6 +22,8 @@
 
 #include <talloc.h>
 
+#include "lib/util/blocking.h"
+
 #include "common/pidfile.h"
 
 struct pidfile_context {
@@ -61,6 +63,12 @@ int pidfile_create(TALLOC_CTX *mem_ctx, const char *pidfile,
                goto fail;
        }
 
+       if (! set_close_on_exec(fd)) {
+               close(fd);
+               ret = EIO;
+               goto fail;
+       }
+
        pid_ctx->fd = fd;
 
        lck = (struct flock) {
diff --git a/ctdb/config/events.d/60.nfs b/ctdb/config/events.d/60.nfs
index 02d6e2b..98a18c3 100755
--- a/ctdb/config/events.d/60.nfs
+++ b/ctdb/config/events.d/60.nfs
@@ -256,20 +256,20 @@ is_ctdb_managed_service || exit 0
 
 case "$1" in
 startup)
-       nfs_callout "$@"
+       nfs_callout "$@" || exit $?
        ;;
 
 shutdown)
-        nfs_callout "$@"
+       nfs_callout "$@" || exit $?
        ;;
 
 takeip)
-       nfs_callout "$@"
+       nfs_callout "$@" || exit $?
        ctdb_service_set_reconfigure
        ;;
 
 releaseip)
-       nfs_callout "$@"
+       nfs_callout "$@" || exit $?
        ctdb_service_set_reconfigure
        ;;
 
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 7e37bbb..3826324 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -150,7 +150,7 @@ script_log ()
        *)
            # Handle all syslog:* variants here too.  There's no tool to do
            # the lossy things, so just use logger.
-           logger -t "ctdbd: ${_tag}" "$*"
+           logger -t "ctdbd: ${_tag}" "$@"
            ;;
     esac
 }
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index 6bed61c..813a1ad 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -856,26 +856,24 @@ int32_t ctdb_control_set_recmode(struct ctdb_context 
*ctdb,
        struct set_recmode_state *state;
        struct ctdb_cluster_mutex_handle *h;
 
+       if (recmode == ctdb->recovery_mode) {
+               D_INFO("Recovery mode already set to %s\n",
+                      recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE");
+               return 0;
+       }
+
+       D_NOTICE("Recovery mode set to %s\n",
+                recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE");
+
        /* if we enter recovery but stay in recovery for too long
           we will eventually drop all our ip addresses
        */
-       if (recmode == CTDB_RECOVERY_NORMAL) {
-               talloc_free(ctdb->release_ips_ctx);
-               ctdb->release_ips_ctx = NULL;
-       } else {
+       if (recmode == CTDB_RECOVERY_ACTIVE) {
                if (ctdb_deferred_drop_all_ips(ctdb) != 0) {
-                       DEBUG(DEBUG_ERR,("Failed to set up deferred drop all 
ips\n"));
+                       D_ERR("Failed to set up deferred drop all ips\n");
                }
-       }
 
-       if (recmode != ctdb->recovery_mode) {
-               DEBUG(DEBUG_NOTICE,(__location__ " Recovery mode set to %s\n", 
-                        recmode==CTDB_RECOVERY_NORMAL?"NORMAL":"ACTIVE"));
-       }
-
-       if (recmode != CTDB_RECOVERY_NORMAL ||
-           ctdb->recovery_mode != CTDB_RECOVERY_ACTIVE) {
-               ctdb->recovery_mode = recmode;
+               ctdb->recovery_mode = CTDB_RECOVERY_ACTIVE;
                return 0;
        }
 
@@ -884,6 +882,8 @@ int32_t ctdb_control_set_recmode(struct ctdb_context *ctdb,
         * Therefore, what follows is special handling when setting
         * recovery mode back to normal */
 
+       TALLOC_FREE(ctdb->release_ips_ctx);
+
        for (ctdb_db = ctdb->db_list; ctdb_db != NULL; ctdb_db = ctdb_db->next) 
{
                if (ctdb_db->generation != ctdb->vnn_map->generation) {
                        DEBUG(DEBUG_ERR,
diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c
index 9ea0f61..d9cc4a2 100644
--- a/ctdb/server/ctdb_recoverd.c
+++ b/ctdb/server/ctdb_recoverd.c
@@ -2608,6 +2608,13 @@ static void main_loop(struct ctdb_context *ctdb, struct 
ctdb_recoverd *rec,
                return;
        }
 
+       ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(),
+                                  CTDB_CURRENT_NODE, &ctdb->recovery_mode);
+       if (ret != 0) {
+               D_ERR("Failed to read recmode from local node\n");
+               return;
+       }
+
        /* if the local daemon is STOPPED or BANNED, we verify that the 
databases are
           also frozen and that the recmode is set to active.
        */
@@ -2620,10 +2627,6 @@ static void main_loop(struct ctdb_context *ctdb, struct 
ctdb_recoverd *rec,
                 */
                rec->priority_time = timeval_current();
 
-               ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), 
CTDB_CURRENT_NODE, &ctdb->recovery_mode);
-               if (ret != 0) {
-                       DEBUG(DEBUG_ERR,(__location__ " Failed to read recmode 
from local node\n"));
-               }
                if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) {
                        DEBUG(DEBUG_ERR,("Node is stopped or banned but 
recovery mode is not active. Activate recovery mode and lock databases\n"));
 
@@ -2667,9 +2670,11 @@ static void main_loop(struct ctdb_context *ctdb, struct 
ctdb_recoverd *rec,
                return;
        }
 
-       /* Check if an IP takeover run is needed and trigger one if
-        * necessary */
-       verify_local_ip_allocation(ctdb, rec, pnn, nodemap);
+       if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) {
+               /* Check if an IP takeover run is needed and trigger one if
+                * necessary */
+               verify_local_ip_allocation(ctdb, rec, pnn, nodemap);
+       }
 
        /* if we are not the recmaster then we do not need to check
           if recovery is needed
diff --git a/ctdb/server/ctdb_recovery_helper.c 
b/ctdb/server/ctdb_recovery_helper.c
index 0222aa0..474b900 100644
--- a/ctdb/server/ctdb_recovery_helper.c
+++ b/ctdb/server/ctdb_recovery_helper.c
@@ -1627,6 +1627,7 @@ static void recover_db_freeze_done(struct tevent_req 
*subreq)
                if (ret2 != 0) {
                        LOG("control FREEZE_DB failed for db %s on node %u,"
                            " ret=%d\n", state->db_name, pnn, ret2);
+                       state->ban_credits[pnn] += 1;
                } else {
                        LOG("control FREEZE_DB failed for db %s, ret=%d\n",
                            state->db_name, ret);
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh 
b/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
diff --git a/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh 
b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
new file mode 100755
index 0000000..c0b8939
--- /dev/null
+++ b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes releaseip-pre to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo releaseip-pre ; false"
+
+required_result 1 "releaseip-pre"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh 
b/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/06.nfs.takeip.001.sh
diff --git a/ctdb/tests/eventscripts/06.nfs.takeip.002.sh 
b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
new file mode 100755
index 0000000..1baf351
--- /dev/null
+++ b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes takeip-pre to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo takeip-pre ; false"
+
+required_result 1 "takeip-pre"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.109.sh 
b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
new file mode 100755
index 0000000..a86f6d9
--- /dev/null
+++ b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes monitor-post to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo monitor-post ; false"
+
+required_result 1 "monitor-post"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh 
b/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
diff --git a/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh 
b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
new file mode 100755
index 0000000..68f636f
--- /dev/null
+++ b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes releaseip to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo releaseip ; false"
+
+required_result 1 "releaseip"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh 
b/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
diff --git a/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh 
b/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh


-- 
Samba Shared Repository

Reply via email to