The branch, v4-8-test has been updated via 80a1b2b VERSION: Bump version up to 4.8.0rc2... via e5f4aff VERSION: Bump version up to 4.8.0rc1... via 59a07e3 WHATSNEW: Add release notes for Samba 4.8.0rc1. via 0580a23 s4:torture: Improve error message in whoami test via 8d90f2a s3:test: Always validate the join after changing the secret via e131ce4 waf: Remove build system info (uname -a) via c69938e systemd: Fix kill path via a653b62 systemd: Add documentation to Unit files via df68af9 systemd: syslog.target is obsolete via 0abe16a torture: Add test for channel sequence number handling via cd288a0 smbXcli: Add "force_channel_sequence" via 0b57434 smbd: Fix channel sequence number checks for long-running requests via 03f65a7 smbd: Remove a "!" from an if-condition for easier readability via 71cee27 torture4: Fix typos via e8636e7 smbd: Fix a typo via 9b423fe winbindd: set routing_domain when enumerating trusts via 0eec2b6 docs: Remove reference to environment variables for now via 2ca73cb gpo: Add the winbind call to gpupdate via fb5241a Revert "gpo: Create the gpo update service" via 88152ad gpo: Continue parsing GPOs even if one fails via ef49d0b gpo: Fix crashes in gpo unapply via 08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc via a00312d samba_kcc: simplify NCReplica.set_instantiated_flags() via 81484f3 samba_kcc: simplify NCReplica constructor via 315f445 samba_kcc: clarify readonly logging, removing now unused function via d3f4429 samba_kcc: remove unused functions via d3c5420 samba_kcc: fix dot_file_dir documentation via a090d7e samba_kcc: remove an unused function via c6294c3 samba-tool visualize for understanding AD DC behaviour via ba2306f samba_kcc: use new graph module for writing dot files via cebad22 python/graph: module for generating ASCII and graphviz visualisations via b4a90a6 samba_kcc: respect kcc.read_only flag on RODC via e579d5b samba_kcc: kcc.debug module defers to samba.colour via a46c4a3 python: module containing ANSI 
colour sequences via f2762d0 python tests: assert string equality, with diff via 3f2762d samba_kcc: documentation fix via 6678f33 s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local() via 4b17d36 WHATSNEW: document some more new options via b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration via 9fb3637 winbindd: add more trust types to get_trust_type_string via 95e3307 libwbclient: add more trust types via 05558dd wbinfo: support for local, workstation and routed trust types via ec85579 libwbclient: add trust routing and more trust-types via f12a43f winbindd: fix trust_is_oubound() via 09021f9 winbindd: fix trust_is_inbound() via a39cf19 winbindd: transitive trust logic in trust_is_transitive() via 939592c winbindd: use add_trusted_domain_from_auth via f4d27f2 winbindd: add add_trusted_domain_from_auth via b2ea360 winbindd: add set_routing_domain() via 2e644af winbindd: add find_default_route_domain() via 40c9115 winbindd: avoid automatic enumerating trusts on DCs via 29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list() via fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX via f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain via a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain via 3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions via 6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms() via f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function via 8fde1c6 s3/torture/pdbtest: delete trusted domain at test end via f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID via 4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust via 2385e71 winbindd: add find_trust_from_{name,sid}_noinit() via b724e01 winbindd: remember the secure_channel_type in winbindd_domain via 5bf2979 winbindd: rework add_trusted_domain(), replacing 
add_trusted_domain_from_tdc() via 8587445 winbindd: initialize some stack pointers to NULL via 126d6ce winbindd: rename alternative_name to dns_name via 5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc() via c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc() via e43ee33 winbindd: set info6 data in append_info3_as_txt via c8f76bf nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6 via 59cb1f6 nsswitch: add "validation_level" and "info6" to winbindd_response via 7290b5c winbindd: pass validation in append_info3_as_txt via 194a9e4 winbindd: pass down validation to append_auth_data() via 7b30f69 winbindd: simplify an if condition in winbindd_dual_pam_auth via f153c95 winbindd: let winbind_dual_SamLogon return validation via 1337104 winbindd: remove a space in winbind_dual_SamLogon via 13d0d52 winbindd: let winbindd_dual_pam_auth_samlogon() return validation info via cc3ee55 winbindd: let winbind_samlogon_retry_loop return validation info via aae75d1 winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon via 489e942 s3/rpc_client: return validation from rpccli_netlogon functions via 7082ebb s3/rpc_client: add map_info3_to_validation() via 7eed166 s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon via a001f4b s3/rpc_client: in map_validation_to_info3() make a deep copy via 158c890 s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon via a1a9feb winbindd: prevent long lines in a later commit via e9a9a94 winbindd: simplify if condition in find_domain_from_name_noinit() via 751fa04 winbindd: remove an else branch via ca4d5ea winbindd: remove a space via 5812c7c winbindd: fix overly long lines via ef27942 s3/rpc_client: fix overly long lines via dcb45d5 s3/torture: fix an error message via 561a3b7 s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes via 98ba88a params: mark "ldap ssl ads" as deprecated via a79df4e7 
params: mark "unicode" parameter as deprecated via f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests via ce884ee s3/smbd: Add new file information classes via 4b25c9f vfs_default: use VFS statvfs macro in fs_capabilities via 2724e0c vfs_ceph: add fs_capabilities hook to avoid local statvfs via 3297f4c Mark wbinfo test flapping via 6b09ab2 Mark whoami test flapping via 23ec73e Mark rfc2307 test flapping via bf19b6c ldb: version 1.3.1 via 6dd0a8c tevent: version 0.9.35 via efe317c talloc: version 2.1.11 via 0623097 talloc: Do not disclose the random talloc magic in free()'ed memory via e2497b2 talloc: Add tests to require use-after-free to give the correct talloc_abort() string via 00ee9da talloc: Remove talloc_abort_magic() from 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test - Log ----------------------------------------------------------------- commit 80a1b2b254bf86f0b0a6e665449598ce34762bc1 Author: Karolin Seeger <ksee...@samba.org> Date: Thu Jan 11 11:11:56 2018 +0100 VERSION: Bump version up to 4.8.0rc2... and re-enable GIT_SNAPSHOT. 
Signed-off-by: Karolin Seeger <ksee...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 4 +- WHATSNEW.txt | 96 ++- buildtools/wafsamba/wscript | 4 - ctdb/config/ctdb.service | 1 + docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 10 +- docs-xml/smbdotconf/ldap/ldapsslads.xml | 1 + docs-xml/smbdotconf/protocol/unicode.xml | 1 + docs-xml/smbdotconf/winbind/applygrouppolicies.xml | 19 + .../winbind/winbindscantrusteddomains.xml | 29 + lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} | 0 ...yldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} | 0 ...-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} | 0 lib/ldb/wscript | 2 +- lib/param/loadparm.c | 2 + ...-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} | 0 ...3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} | 0 .../ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} | 0 lib/talloc/talloc.c | 128 ++- lib/talloc/testsuite.c | 68 ++ lib/talloc/wscript | 2 +- .../ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} | 0 lib/tevent/wscript | 2 +- libcli/smb/smbXcli_base.c | 15 +- libcli/smb/smbXcli_base.h | 4 + nsswitch/libwbclient/wbc_pam.c | 14 +- nsswitch/libwbclient/wbc_util.c | 16 +- nsswitch/libwbclient/wbclient.h | 7 + nsswitch/wbinfo.c | 21 +- nsswitch/winbind_struct_protocol.h | 10 +- packaging/systemd/nmb.service.in | 5 +- packaging/systemd/samba.service.in | 5 +- packaging/systemd/smb.service.in | 5 +- packaging/systemd/winbind.service.in | 5 +- python/samba/colour.py | 50 ++ python/samba/gpclass.py | 24 +- python/samba/graph.py | 621 +++++++++++++++ python/samba/kcc/__init__.py | 21 +- python/samba/kcc/debug.py | 24 +- python/samba/kcc/graph_utils.py | 37 +- python/samba/kcc/kcc_utils.py | 39 +- python/samba/netcmd/main.py | 1 + python/samba/netcmd/visualize.py | 574 ++++++++++++++ python/samba/tests/__init__.py | 23 + python/samba/tests/graph.py | 152 ++++ python/samba/tests/samba_tool/visualize.py | 466 +++++++++++ 
python/samba/tests/samba_tool/visualize_drs.py | 110 +++ selftest/flapping.d/rfc2307 | 1 + selftest/flapping.d/wbinfo | 1 + selftest/flapping.d/whoami | 1 + selftest/target/Samba4.pm | 2 +- selftest/tests.py | 1 + source3/auth/auth_util.c | 1 + source3/auth/proto.h | 2 - source3/auth/server_info.c | 42 - source3/include/trans2.h | 12 +- source3/include/vfs.h | 5 - source3/librpc/idl/smbXsrv.idl | 3 +- source3/modules/vfs_ceph.c | 15 + source3/modules/vfs_default.c | 14 +- source3/param/loadparm.c | 3 + source3/passdb/pdb_samba_dsdb.c | 877 ++++++++++++++++++++- source3/rpc_client/cli_netlogon.c | 74 +- source3/rpc_client/cli_netlogon.h | 54 +- source3/rpc_client/util_netlogon.c | 141 ++++ source3/rpc_client/util_netlogon.h | 10 + source3/rpcclient/cmd_netlogon.c | 14 +- source3/script/tests/test_net_cred_change.sh | 7 +- source3/smbd/globals.h | 1 + source3/smbd/smb2_server.c | 27 +- source3/smbd/trans2.c | 5 + source3/torture/pdbtest.c | 15 +- source3/winbindd/winbindd.c | 17 +- source3/winbindd/winbindd.h | 2 + source3/winbindd/winbindd_dual_srv.c | 20 +- source3/winbindd/winbindd_gpupdate.c | 116 +++ source3/winbindd/winbindd_irpc.c | 2 +- source3/winbindd/winbindd_misc.c | 211 ++++- source3/winbindd/winbindd_pam.c | 407 +++++++--- source3/winbindd/winbindd_pam_auth.c | 15 + source3/winbindd/winbindd_pam_auth_crap.c | 47 +- source3/winbindd/winbindd_ping_dc.c | 2 +- source3/winbindd/winbindd_proto.h | 17 +- source3/winbindd/winbindd_util.c | 747 ++++++++++++++---- source3/winbindd/wscript_build | 3 +- source4/dsdb/common/util_trusts.c | 65 ++ source4/dsdb/gpo/gpo_update.c | 193 ----- source4/dsdb/wscript_build | 9 - source4/scripting/bin/samba_gpoupdate | 35 +- source4/scripting/bin/wscript_build | 2 +- source4/scripting/wscript_build | 7 +- source4/selftest/tests.py | 6 +- source4/smbd/server.c | 3 - source4/torture/drs/python/samba_tool_drs.py | 3 + source4/torture/smb2/replay.c | 117 ++- source4/torture/unix/whoami.c | 9 +- 95 files changed, 5113 
insertions(+), 888 deletions(-) create mode 100644 docs-xml/smbdotconf/winbind/applygrouppolicies.xml create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} (100%) copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} (100%) copy lib/talloc/ABI/{pytalloc-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} (100%) copy lib/talloc/ABI/{pytalloc-util.py3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} (100%) copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} (100%) copy lib/tevent/ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} (100%) create mode 100644 python/samba/colour.py create mode 100644 python/samba/graph.py create mode 100644 python/samba/netcmd/visualize.py create mode 100644 python/samba/tests/graph.py create mode 100644 python/samba/tests/samba_tool/visualize.py create mode 100644 python/samba/tests/samba_tool/visualize_drs.py create mode 100644 selftest/flapping.d/rfc2307 create mode 100644 selftest/flapping.d/wbinfo create mode 100644 selftest/flapping.d/whoami create mode 100644 source3/winbindd/winbindd_gpupdate.c delete mode 100644 source4/dsdb/gpo/gpo_update.c Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b60d783..dd52403 100644 --- a/VERSION +++ b/VERSION @@ -77,7 +77,7 @@ SAMBA_VERSION_BETA_RELEASE= # e.g. SAMBA_VERSION_PRE_RELEASE=1 # # -> "2.2.9pre1" # ######################################################## -SAMBA_VERSION_PRE_RELEASE=1 +SAMBA_VERSION_PRE_RELEASE= ######################################################## # For 'rc' releases the version will be # 
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=1 # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # ######################################################## -SAMBA_VERSION_RC_RELEASE= +SAMBA_VERSION_RC_RELEASE=2 ######################################################## # To mark SVN snapshots this should be set to 'yes' # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 94278b3..f2da373 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements ===================== -This is the first preview release of Samba 4.8. This is *not* +This is the first release candidate of Samba 4.8. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -19,7 +19,7 @@ NEW FEATURES/CHANGES KDC GPO application ------------------- -Adds Group Policy support for the samba kdc. Applies password policies +Adds Group Policy support for the Samba kdc. Applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and renew lifetime). @@ -30,7 +30,8 @@ policy. Can be applied automatically by setting 'server services = +gpoupdate'. Time Machine Support with vfs_fruit -=================================== +----------------------------------- + Samba can be configured as a Time Machine target for Apple Mac devices through the vfs_fruit module. When enabling a share for Time Machine support the relevant Avahi records to support discovery will be published 
@@ -41,7 +42,8 @@ Shares can be designated as a Time Machine share with the following setting: 'fruit:time machine = yes' Support for lower casing the MDNS Name -====================================== +-------------------------------------- + Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name. This allows an administrator to make Samba registered MDNS records match the case of the hostname @@ -52,7 +54,8 @@ This can be set with the following settings: 'mdns name = mdns' Encrypted secrets -================= +----------------- + Attributes deemed to be sensitive are now encrypted on disk. The sensitive values are currently: pekList 
@@ -72,43 +75,21 @@ values are currently: This encryption is enabled by default on a new provision or join, it can be disabled at provision or join time with the new option ---plaintext-secrets. +'--plaintext-secrets'. However, an in-place upgrade will not encrypt the database. Once encrypted, it is not possible to do an in-place downgrade (eg to 4.7) of the database. To obtain an unencrypted copy of the database a -new DC join should be performed, specifying the --plaintext-secrets +new DC join should be performed, specifying the '--plaintext-secrets' option. The key file "encrypted_secrets.key" is created in the same directory as the database and should NEVER be disclosed. It is included by the samba_backup script. -smb.conf changes -================ - - Parameter Name Description Default - -------------- ----------- ------- - auth methods Removed - binddns dir New - client schannel Default changed/ yes - Deprecated - gpo update command New - map untrusted to domain Removed - oplock contention limit Removed - prefork children New 1 - mdns name Added netbios - fruit:time machine Added false - profile acls Removed - use spnego Removed - server schannel Default changed/ yes - Deprecated - winbind trusted domains only Removed - - NT4-style replication based net commands removed -================================================ +------------------------------------------------ The following commands and sub-commands have been removed from the "net" utility: @@ -131,7 +112,7 @@ commands have been removed from rpcclient. supported. vfs_aio_linux module removed -============================ +---------------------------- The current Linux kernel aio does not match what Samba would do. Shipping code that uses it leads people to false 
@@ -140,7 +121,7 @@ there is no special module required to see benefits of read and write request being sent do the disk in parallel. smbclient reparse point symlink parameters reversed -=================================================== +--------------------------------------------------- A bug in smbclient caused the 'symlink' command to reverse the meaning of the new name and link target parameters when creating a 
@@ -150,23 +131,66 @@ reversed to match the parameter ordering of the UNIX extensions 'symlink' command. The usage message for this command has also been improved to remove confusion. +Winbind changes +--------------- + +The dependency to global list of trusted domains within +the winbindd processes has been reduced a lot. + +The construction of that global list is not reliable and often +incomplete in complex trust setups. In most situations the list is not needed +any more for winbindd to operate correctly. E.g. for plain file serving via SMB +using a simple idmap setup with autorid, tdb or ad. However some more complex +setups require the list, e.g. if you specify idmap backends for specific +domains. Some pam_winbind setups may also require the global list. + +If you have a setup that doesn't require the global list, you should set +"winbind scan trusted domains = no". + + REMOVED FEATURES ================ -The two commands "net serverid list" and "net serverid wipe" have been +The two commands 'net serverid list' and 'net serverid wipe' have been removed, because the file serverid.tdb is not used anymore. -"net serverid list" can be replaced by listing all files in the +'net serverid list' can be replaced by listing all files in the subdirectory "msg.lock" of Samba's "lock directory". The unique id -listed by "net serverid list" is stored in every process' lockfile in +listed by 'net serverid list' is stored in every process' lockfile in "msg.lock". -"net serverid wipe" is not necessary anymore. It was meant primarily +'net serverid wipe' is not necessary anymore. It was meant primarily for clustered environments, where the serverid.tdb file was not properly cleaned up after single node crashes. Nowadays smbd and winbind take care of cleaning up the msg.lock and msg.sock directories automatically. 
+ +smb.conf changes +================ + + Parameter Name Description Default + -------------- ----------- ------- + auth methods Removed + binddns dir New + client schannel Default changed/ yes + Deprecated + gpo update command New + ldap ssl ads Deprecated + map untrusted to domain Removed + oplock contention limit Removed + prefork children New 1 + mdns name Added netbios + fruit:time machine Added false + profile acls Removed + use spnego Removed + server schannel Default changed/ yes + Deprecated + unicode Deprecated + winbind scan trusted domains New yes + winbind trusted domains only Removed + + KNOWN ISSUES ============ diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript index 430d164..3b36b57 100644 --- a/buildtools/wafsamba/wscript +++ b/buildtools/wafsamba/wscript @@ -313,10 +313,6 @@ def configure(conf): conf.env.GIT_LOCAL_CHANGES = Options.options.GIT_LOCAL_CHANGES - conf.CHECK_COMMAND(['uname', '-a'], - msg='Checking build system', - define='BUILD_SYSTEM', - on_target=False) conf.CHECK_UNAME() # see if we can compile and run a simple C program diff --git a/ctdb/config/ctdb.service b/ctdb/config/ctdb.service index 63cdfa9..189f2f4 100644 --- a/ctdb/config/ctdb.service +++ b/ctdb/config/ctdb.service @@ -1,5 +1,6 @@ [Unit] Description=CTDB +Documentation=man:ctdbd(1) man:ctdb(7) After=network-online.target time-sync.target [Service] diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml index 22a4216..147751b 100644 --- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml +++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml 
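Review bot: Dropping the `conf.CHECK_COMMAND(['uname', '-a'], ...)` call also removes the `BUILD_SYSTEM` define it produced, so any remaining consumer of `BUILD_SYSTEM` would now either fail to compile or, behind an `#ifdef`, silently lose the string. The diffstat's `source4/smbd/server.c | 3 -` is presumably the matching consumer removal, but that hunk lies beyond the truncated changeset and cannot be confirmed here. The `configure` function this hunk belongs to continues outside the hunk.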
@@ -5,10 +5,12 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This option sets the command that is called to apply GPO policies. - The samba_gpoupdate script applies System Access and Kerberos Policies. - System Access policies set minPwdAge, maxPwdAge, minPwdLength, and - pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, - kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf. + The samba_gpoupdate script applies System Access and Kerberos Policies + to the KDC, or Environment Variable policies to client machines. System + Access policies set minPwdAge, maxPwdAge, minPwdLength, and + pwdProperties in the samdb. Kerberos Policies set kdc:service ticket + lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in + smb.conf. </para> </description> diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml index 4fdf4dc..98c3965 100644 --- a/docs-xml/smbdotconf/ldap/ldapsslads.xml +++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml @@ -1,6 +1,7 @@ <samba:parameter name="ldap ssl ads" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This option is used to define whether or not Samba should diff --git a/docs-xml/smbdotconf/protocol/unicode.xml b/docs-xml/smbdotconf/protocol/unicode.xml index 86fb06c..25810cd 100644 --- a/docs-xml/smbdotconf/protocol/unicode.xml +++ b/docs-xml/smbdotconf/protocol/unicode.xml @@ -1,6 +1,7 @@ <samba:parameter name="unicode" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>Specifies whether the server and client should support unicode.</para> diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml new file mode 100644 index 0000000..67baa0d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml 
@@ -0,0 +1,19 @@ +<samba:parameter name="apply group policies" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This option controls whether winbind will execute the gpupdate + command defined in <smbconfoption name="gpo update command"/> on the + Group Policy update interval. The Group Policy update interval is + defined as every 90 minutes, plus a random offset between 0 and 30 + minutes. This applies Group Policy Machine polices to the client or + KDC and machine policies to a server. + </para> + +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml new file mode 100644 index 0000000..31afdc9 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml 
@@ -0,0 +1,29 @@ +<samba:parameter name="winbind scan trusted domains" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option only takes effect when the <smbconfoption name="security"/> option is set to + <constant>domain</constant> or <constant>ads</constant>. + If it is set to yes (the default), winbindd periodically tries to scan for new + trusted domains and adds them to a global list inside of winbindd. + The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>. + This matches the behaviour of Samba 4.7 and older.</para> + + <para>The construction of that global list is not reliable and often + incomplete in complex trust setups. In most situations the list is + not needed any more for winbindd to operate correctly. + E.g. for plain file serving via SMB using a simple idmap setup + with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>. + However some more complex setups require the list, e.g. + if you specify idmap backends for specific domains. + Some pam_winbind setups may also require the global list.</para> + + <para>If you have a setup that doesn't require the global list, you should set + <smbconfoption name="winbind scan trusted domains">no</smbconfoption>. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/lib/ldb/ABI/ldb-1.3.0.sigs b/lib/ldb/ABI/ldb-1.3.1.sigs similarity index 100% copy from lib/ldb/ABI/ldb-1.3.0.sigs copy to lib/ldb/ABI/ldb-1.3.1.sigs diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.3.1.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs copy to lib/ldb/ABI/pyldb-util-1.3.1.sigs diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs copy to lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs 
diff --git a/lib/ldb/wscript b/lib/ldb/wscript index 0b8ba26..8ae5be3 100644 --- a/lib/ldb/wscript +++ b/lib/ldb/wscript @@ -1,7 +1,7 @@ #!/usr/bin/env python APPNAME = 'ldb' -VERSION = '1.3.0' +VERSION = '1.3.1' blddir = 'bin' diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index a18407d..7854f57 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2729,10 +2729,12 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\"); lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True"); lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR); + lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False"); lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command", diff --git a/lib/talloc/ABI/pytalloc-util-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util-2.1.11.sigs similarity index 100% copy from lib/talloc/ABI/pytalloc-util-2.1.10.sigs copy to lib/talloc/ABI/pytalloc-util-2.1.11.sigs diff --git a/lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs similarity index 100% copy from lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs copy to lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs b/lib/talloc/ABI/talloc-2.1.11.sigs similarity index 100% copy from lib/talloc/ABI/talloc-2.1.10.sigs copy to lib/talloc/ABI/talloc-2.1.11.sigs 
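Review bot: The new default `lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False");` uses the format-string variant for a constant value, while the sibling default added just above uses the plain `lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");`. On the surrounding lines the `_var` form is only used where a `%s` is substituted with a directory, so the constant should read `lpcfg_do_global_parameter(lp_ctx, "apply group policies", "False");` for consistency and to keep plain literals out of the formatting path. The value agrees with the `no` default in the new applygrouppolicies.xml. `loadparm_init` continues outside the hunk.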
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c index 7721fa4..cd159ef 100644 --- a/lib/talloc/talloc.c +++ b/lib/talloc/talloc.c @@ -75,12 +75,13 @@ #define TALLOC_MAGIC_REFERENCE ((const char *)1) #define TALLOC_MAGIC_BASE 0xe814ec70 -static unsigned int talloc_magic = ( - ~TALLOC_FLAG_MASK & ( - TALLOC_MAGIC_BASE + - (TALLOC_BUILD_VERSION_MAJOR << 24) + - (TALLOC_BUILD_VERSION_MINOR << 16) + - (TALLOC_BUILD_VERSION_RELEASE << 8))); +#define TALLOC_MAGIC_NON_RANDOM ( \ + ~TALLOC_FLAG_MASK & ( \ + TALLOC_MAGIC_BASE + \ + (TALLOC_BUILD_VERSION_MAJOR << 24) + \ + (TALLOC_BUILD_VERSION_MINOR << 16) + \ + (TALLOC_BUILD_VERSION_RELEASE << 8))) +static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM; /* by default we abort when given a bad pointer (such as when talloc_free() is called on a pointer that came from malloc() */ 
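Review bot: `TALLOC_MAGIC_NON_RANDOM` is introduced without a comment saying how it differs from `talloc_magic`, and this hunk only shows `talloc_magic` being initialised from it. Its name, and the later helper comment about putting back "the normal magic instead of the 'not random' magic", suggest `talloc_magic` is randomised elsewhere in the file (not visible here), which is exactly the distinction a reader needs. Suggest a comment above the macro such as `/* Version-derived magic with no per-process randomisation; freed chunks are stamped with it so a use-after-free read cannot disclose the live talloc_magic. */`.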
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void) return talloc_magic; } +static inline void _talloc_chunk_set_free(struct talloc_chunk *tc, + const char *location) +{ + /* + * Mark this memory as free, and also over-stamp the talloc + * magic with the old-style magic. + * + * Why? This tries to avoid a memory read use-after-free from + * disclosing our talloc magic, which would then allow an + * attacker to prepare a valid header and so run a destructor. + * + */ + tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE + | (tc->flags & TALLOC_FLAG_MASK); + + /* we mark the freed memory with where we called the free + * from. This means on a double free error we can report where + * the first free came from + */ + if (location) { + tc->name = location; + } +} + +static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc) +{ + /* + * Mark this memory as not free. + * + * Why? This is memory either in a pool (and so available for + * talloc's re-use or after the realloc(). We need to mark + * the memory as free() before any realloc() call as we can't + * write to the memory after that. + * + * We put back the normal magic instead of the 'not random' + * magic. + */ + + tc->flags = talloc_magic | + ((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE); +} + static void (*talloc_log_fn)(const char *message); _PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message)) @@ -429,11 +472,6 @@ static void talloc_abort(const char *reason) talloc_abort_fn(reason); } -static void talloc_abort_magic(unsigned magic) -{ - talloc_abort("Bad talloc magic value - wrong talloc version used/mixed"); -} - static void talloc_abort_access_after_free(void) { talloc_abort("Bad talloc magic value - access after free"); 
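Review bot: `_talloc_chunk_set_free` has to be the only writer of `TALLOC_FLAG_FREE` for the access-after-free diagnostic to work, because the check in `talloc_chunk_from_ptr` compares against the exact stamp `TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE`; any remaining direct `tc->flags |= TALLOC_FLAG_FREE` elsewhere in the file (not visible here) would leave the random magic in a freed chunk and skip the `tc->name` location bookkeeping. That invariant is worth stating in the helper's comment, e.g. `/* Sole writer of TALLOC_FLAG_FREE: talloc_chunk_from_ptr relies on this exact stamp. */`, together with a note that `location` may be NULL (it is guarded but undocumented). The comment in `_talloc_chunk_set_not_free` reads `memory either in a pool (and so available for talloc's re-use or after the realloc()` with an unclosed parenthesis and a missing second alternative; `memory either in a pool (and so available for talloc's re-use) or about to be handed to realloc()` would read cleanly.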
@@ -450,19 +488,15 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr) const char *pp = (const char *)ptr; struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE); if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) { - if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) { - talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK)); - return NULL; - } - - if (tc->flags & TALLOC_FLAG_FREE) { + if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) + == (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE)) { talloc_log("talloc: access after free error - first free may be at %s\n", tc->name); talloc_abort_access_after_free(); return NULL; - } else { - talloc_abort_unknown_value(); - return NULL; } + -- Samba Shared Repository