The branch, v4-10-stable has been updated
       via  a1cdfe58b70 VERSION: Disable GIT_SNAPSHOT for the 4.9.10 release.
       via  d2908f256cc WHATSNEW: Add release notes for Samba 4.10.9.
       via  3ad42536f87 s3:libads: Do not turn on canonicalization flag for MIT 
Kerberos
       via  d533a588b62 lib:krb5_wrap: Do not create a temporary file for 
MEMORY keytabs
       via  8939186345f spnego: fix server handling of no optimistic exchange
       via  68d91436d85 python/tests/gensec: add spnego downgrade python tests
       via  3a06edfe4fa python/tests/gensec: make it possible to add knownfail 
tests for gensec.update()
       via  5c411a2f9f5 selftest: add tests for no optimistic spnego exchange
       via  a403e4d63e0 spnego: add client option to omit sending an optimistic 
token
       via  9d2d4cf9c93 selftest: s3: add a test for spnego downgrade from krb5 
to ntlm
       via  24a43d7c742 s3:libsmb: Do not check the SPNEGO neg token for KRB5
       via  f340056428a spnego: ignore server mech_types list
       via  de0841138e6 testprogs: Add test for 'net ads join createcomputer='
       via  f65a755bdd1 s3:libads: Just change the machine password if account 
already exists
       via  9d984cebde3 s3:libnet: Improve debug messages
       via  1e384434960 s3:libads: Fix creating machine account using LDAP
       via  ac8c51fbb56 s3:libads: Don't set supported encryption types during 
account creation
       via  f5216b70c37 s3:libads: Fix detection if acount already exists in 
ads_find_machine_count()
       via  60c5d1d3de6 s3:libads: Use a talloc_asprintf in 
ads_find_machine_acct()
       via  ddd4a6af621 s3:libads: Cleanup error code paths in 
ads_create_machine_acct()
       via  39959813881 s3:libnet: Require sealed LDAP SASL connections for 
joining
       via  377483859c0 s3:libads: Use ldap_add_ext_s() in ads_gen_add()
       via  c68763bff35 testprogs: Fix failure count in test_net_ads.sh
       via  eafb3a20b9d s3: smbclient: Stop an SMB2-connection from blundering 
into SMB1-specific calls.
       via  59c3bd1b15d ctdb-vacuum: Process all records not deleted on a 
remote node
       via  fc89f8f54ba s3:libsmb: Link libsmb against pthread
       via  0fe766a4f62 nsswitch: Link stress-nss-libwbclient against pthread
       via  308c2c9cd48 waf:replace: Do not link against libpthread if not 
necessary
       via  cade53a1558 third_party: Link uid_wrapper against pthread
       via  e405ed01b02 third_party: Link nss_wrapper against pthread
       via  171ff620cd0 third_party: Only link cmocka against librt if really 
needed
       via  93ab3efe769 pthreadpool: Only link pthreadpool against librt if we 
have to
       via  a1309d360b9 replace: Only link against librt if really needed
       via  b0362fd07f8 s3:waf: Do not check for nanosleep() as we don't use it 
anywhere
       via  1ad8c6f4b08 winbind: provide passwd struct for group sid with 
ID_TYPE_BOTH mapping (again)
       via  8a2ca386dfb selftest: Test ID_TYPE_BOTH with idmap_rid module
       via  d689042dffe s3-winbindd: fix forest trusts with additional trust 
attributes.
       via  f19881f6198 fault.c: improve fault_report message text pointing to 
our wiki
       via  56379945161 selftest/Samba3.pm: use "winbind use krb5 enterprise 
principals = yes" for ad_member
       via  abd2d22cdda selftest/Samba3.pm: use "winbind scan trusted domains = 
no" for ad_member
       via  fd097f0b3bb selftest/tests.py: test pam_winbind with a lot of 
username variations
       via  fe13bfcdfdc selftest/tests.py: test pam_winbind with krb5_auth
       via  9bb73edc69c selftest/tests.py: prepare looping over pam_winbindd 
tests
       via  8118fc89262 test_pam_winbind.sh: allow different pam_winbindd 
config options to be specified
       via  6bc0549bfde tests/pam_winbind.py: allow upn names to be used in 
USERNAME with an empty DOMAIN value
       via  f2283616011 tests/pam_winbind.py: turn pypamtest.PamTestError into 
a failure
       via  956618ac6da s3:winbindd: implement the "winbind use krb5 enterprise 
principals" logic
       via  4760bbaae22 docs-xml: add "winbind use krb5 enterprise principals" 
option
       via  aa1e8e53551 krb5_wrap: let smb_krb5_parse_name() accept enterprise 
principals
       via  d7f0baf2f54 s3:libads: ads_krb5_chg_password() should always use 
the canonicalized principal
       via  73608fced20 s4:auth: kinit_to_ccache() should always use the 
canonicalized principal
       via  be9ea381530 krb5_wrap: smb_krb5_kinit_password_ccache() should 
always use the canonicalized principal
       via  03477632b62 s3:libads/kerberos: always use the canonicalized 
principal after kinit
       via  aeaffacb9c8 s3:libsmb: let cli_session_creds_prepare_krb5() update 
the canonicalized principal to cli_credentials
       via  45a078db792 s3:libsmb: avoid wrong debug message in 
cli_session_creds_prepare_krb5()
       via  e620cad350e s3:libads: let kerberos_kinit_password_ext() return the 
canonicalized principal/realm
       via  9f2d5ae0c59 s4:auth: use the correct client realm in 
gensec_gssapi_update_internal()
       via  05eb45e1d37 s3/libads: clang: Fix Value stored to 'canon_princ' is 
never read
       via  eaecffd63db classicupgrade: fix a a bytes-like object is required, 
not 'str' error
       via  1b4ccd961f1 ctdb-tools: Stop deleted nodes from influencing ctdb 
nodestatus exit code
       via  1d749a02fc9 s3:client:Use DEVICE_URI, instead of argv[0],for Device 
URI
       via  075b3fd1143 s3/4: libsmbclient test. Test using 
smbc_telldir/smbc_lseekdir with smbc_readdir/smbc_readdirplus/smbc_getdents.
       via  71b963ec4b3 s3: libsmbclient: Fix smbc_lseekdir() to work with 
smbc_readdirplus().
       via  6dd57f679f8 s3: libsmbclient: Ensure SMBC_getdents_ctx() also 
updates the readdirplus pointers.
       via  3f7c5daa06b s3: libsmbclient: Ensure SMBC_readdirplus_ctx() also 
updates the readdir pointers.
       via  b47a9b9301f s3: libsmbclient: Ensure SMBC_readdir_ctx() also 
updates the readdirplus pointers.
       via  e3f51924971 libcli/smb: send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID
       via  b6a50185389 libcli/smb: add new COMPRESSION and NETNAME negotiate 
context ids
       via  cb6a155b385 s3:ldap: Fix join with don't exists machine account
       via  2dbc9dce493 ctdb: fix compilation on systems with glibc robust 
mutexes
       via  7e07bc4f289 vfs_glusterfs: Use pthreadpool for scheduling aio 
operations
       via  f5017935a7b ctdb-recoverd: Fix typo in previous fix
       via  25dacde5c8f ctdb-tests: Clear deleted record via recovery instead 
of vacuuming
       via  f39a9c2a4be ctdb-tests: Strengthen volatile DB traverse test
       via  530119888c6 ctdb-recoverd: Only check for LMASTER nodes in the VNN 
map
       via  9cbb50d2e9d ctdb-tests: Don't retrieve the VNN map from target node 
for notlmaster
       via  3e0205ec026 ctdb-tests: Handle special cases first and return
       via  576f5e30351 ctdb-tests: Inline handling of recovered and notlmaster 
statuses
       via  d0b666a1a8d ctdb-tests: Drop unused node statuses frozen/unfrozen
       via  594a2a95cea ctdb-tests: Reformat node_has_status()
       via  981f8b164d3 VERSION: Bump version up to 4.10.9.
       via  2aa3ab95763 Merge tag 'samba-4.10.8' into v4-10-test
       via  040a483956a ctdb-daemon: Make node inactive in the NODE_STOP control
       via  7dd839c7f2a ctdb-daemon: Drop unused function 
ctdb_local_node_got_banned()
       via  d14e656f21b ctdb-daemon: Switch banning code to use 
ctdb_node_become_inactive()
       via  916f0db0d1b ctdb-daemon: Factor out new function 
ctdb_node_become_inactive()
       via  e224ff934e1 ctdb-tcp: Mark node as disconnected if incoming 
connection goes away
       via  7f0af1f925f ctdb-tcp: Only mark a node connected if both directions 
are up
       via  cd0d85bb4e4 ctdb-tcp: Create outbound queue when the connection 
becomes writable
       via  e41e2feba0a ctdb-tcp: Use TALLOC_FREE()
       via  b31d8dc286c ctdb-tcp: Move incoming fd and queue into struct 
ctdb_tcp_node
       via  bf08a2d958b ctdb-tcp: Rename fd -> out_fd
       via  611610cff8d ctdb-daemon: Add function ctdb_ip_to_node()
       via  5684a9b8ab9 ctdb-daemon: Replace function ctdb_ip_to_nodeid() with 
ctdb_ip_to_pnn()
       via  52f6e7cd578 vfs_glusterfs: Enable profiling for file system 
operations
       via  a5fe60748c9 undoguidx: blackbox test
       via  fc4d63d657e undoduididx: Add "or later" to warning about using 
tools from Samba 4.8
       via  718cfd14198 sambaundoguididx: fix for -s
       via  45f05dc5363 sambaundoguididx: Add flags=ldb.FLG_DONT_CREATE_DB and 
port to Python3
       via  4861e7acf57 s4/scripting: MORE py3 compatible print functions
       via  fe99db5c349 ldb: Release ldb 1.5.6
       via  ded3ef299c7 ldb: ldbdump key and pack format version comments
       via  f74bea537bc ldb: baseinfo pack format check on init
       via  abf29c23941 ldb: Fix segfault parsing new pack formats
       via  237bebf28e1 ldb: test for parse errors
       via  ea4371d020d vfs_gpfs: Implement special case for denying owner 
access to ACL
       via  13195dff232 vfs_gpfs: Move mapping from generic NFSv ACL to GPFS 
ACL to separate function
       via  0ec7ac3eb18 docs: Remove gpfs:merge_writeappend from vfs_gpfs 
manpage
       via  b1eb79b9ccc vfs_gpfs: Remove merge_writeappend parameter
       via  37eebf44451 nfs4_acls: Use correct owner information for ACL after 
owner change
       via  cf26e075382 nfs4_acls: Add test for merging duplicates when mapping 
from NFS4 ACL to DACL
       via  1a9b67dbafc nfs4_acls: Remove duplicate entries when mapping from 
NFS4 ACL to DACL
       via  a10f9e6b461 nfs4_acls: Rename smbacl4_fill_ace4 function
       via  e637a2213e5 nfs4_acls: Add additional owner entry when mapping to 
NFS4 ACL with IDMAP_TYPE_BOTH
       via  6996ae8fd6b nfs4_acls: Remove redundant pointer variable
       via  e64fee96fa2 nfs4_acls: Remove redundant logging from 
smbacl4_fill_ace4
       via  8eb5b3964ad nfs4_acls: Move adding of NFS4 ACE to ACL to 
smbacl4_fill_ace4
       via  5a384b89fd6 nfs4_acls: Move smbacl4_MergeIgnoreReject function
       via  af3d3b02bbc nfs4_acls: Remove i argument from 
smbacl4_MergeIgnoreReject
       via  8f9b1a92f28 nfs4_acls: Add missing braces in smbacl4_win2nfs4
       via  e9b2e353778 nfs4_acls: Add helper function for checking INHERIT 
flags.
       via  5095221e8df nfs4_acls: Use correct type when checking ownerGID
       via  f321f066d19 nfs4_acls: Use switch/case for checking idmap type
       via  8acc4979817 nfs4_acls: Use sids_to_unixids to lookup uid or gid
       via  ab0443b684e test_nfs4_acls: Add test for mapping from DACL to NFS4 
ACL with IDMAP_TYPE_BOTH
       via  b3485711137 test_nfs4_acls: Add test for mapping from NFS4 ACL to 
DACL with IDMAP_TYPE_BOTH
       via  753f986f514 test_nfs4_acls: Add test for mapping from NFS4 to DACL 
in config mode special
       via  db82829628f test_nfs4_acls: Add test for mapping from DACL to NFS4 
ACL with config special
       via  348d662474a test_nfs4_acls: Add test for matching DACL entries for 
acedup
       via  a37db7d7494 test_nfs4_acls: Add test for acedup settings
       via  5b591773bcc test_nfs4_acls: Add test for 'map full control' option
       via  74cf7490384 test_nfs4_acls: Add test for mapping from NFS4 to DACL 
CREATOR entries
       via  c437f74a6d3 test_nfs4_acls: Add test for mapping CREATOR entries to 
NFS4 ACL entries
       via  060d32a223a test_nfs4_acls: Add test for mapping from DACL to 
special NFS4 ACL entries
       via  4ab8b0eb754 test_nfs4_acls: Add test for mapping of special NFS4 
ACL entries to DACL entries
       via  b99bf6e4638 test_nfs4_acls: Add test for mapping permissions from 
DACL to NFS4 ACL
       via  95138d57872 test_nfs4_acls: Add test for mapping permissions from 
NFS4 ACL to DACL
       via  8d378ce76c6 test_nfs4_acls: Add test for flags mapping from DACL to 
NFS4 ACL
       via  248f8f2de5a test_nfs4_acls: Add test for flags mapping from NFS4 
ACL to DACL
       via  c1e2f6d9ed8 test_nfs4_acls: Add tests for mapping of ACL types
       via  bfed986cd00 test_nfs4_acls: Add tests for mapping of empty ACLs
       via  fe19ee91c22 selftest: Start implementing unit test for nfs4_acls
       via  6ce0e2aa39e nfs4_acls: Remove fsp from smbacl4_win2nfs4
       via  8c1ae65b581 Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
       via  836e7ef2078 Add PrimaryGroupId to group array in DC response
       via  cbd749ec05f selftest: check for PrimaryGroupId in DC returned group 
array
       via  5d48bbd8c53 selftest: remote_pac: s/s2u4self/s4u2self/g
       via  505297b3909 vfs:glusterfs_fuse: build only if we have setmntent()
       via  f7058626876 vfs:glusterfs_fuse: ensure fileids are constant across 
nodes
       via  baafb6fc060 VERSION: Bump version up to 4.10.8...
      from  2d587a11d5f VERSION: Disable GIT_SNAPSHOT for the 4.10.8 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  120 +-
 auth/auth_sam_reply.c                              |    8 +-
 auth/gensec/spnego.c                               |   55 +-
 ctdb/include/ctdb_private.h                        |    8 +-
 ctdb/server/ctdb_banning.c                         |   26 +-
 ctdb/server/ctdb_daemon.c                          |   11 +-
 ctdb/server/ctdb_recover.c                         |   45 +
 ctdb/server/ctdb_recoverd.c                        |   14 +-
 ctdb/server/ctdb_server.c                          |   28 +-
 ctdb/server/ctdb_vacuum.c                          |    2 +-
 ctdb/tcp/ctdb_tcp.h                                |   16 +-
 ctdb/tcp/tcp_connect.c                             |  212 ++-
 ctdb/tcp/tcp_init.c                                |   21 +-
 ctdb/tcp/tcp_io.c                                  |   17 +-
 ctdb/tests/scripts/integration.bash                |   80 +-
 ctdb/tests/simple/69_recovery_resurrect_deleted.sh |   17 +-
 ctdb/tests/simple/79_volatile_db_traverse.sh       |   67 +-
 ctdb/tools/ctdb.c                                  |    8 +-
 ctdb/wscript                                       |    2 +-
 docs-xml/manpages/vfs_glusterfs_fuse.8.xml         |    8 +
 docs-xml/manpages/vfs_gpfs.8.xml                   |   20 -
 .../winbind/winbindusekrb5enterpriseprincipals.xml |   34 +
 lib/krb5_wrap/krb5_samba.c                         |   23 +-
 lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.5.6.sigs}     |    1 +
 ...yldb-util-1.1.10.sigs => pyldb-util-1.5.6.sigs} |    0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.5.6.sigs} |    0
 lib/ldb/common/ldb_pack.c                          |   23 +-
 lib/ldb/include/ldb_module.h                       |    9 +
 lib/ldb/ldb_key_value/ldb_kv.c                     |    2 +
 lib/ldb/ldb_key_value/ldb_kv.h                     |    1 +
 lib/ldb/ldb_key_value/ldb_kv_cache.c               |   37 +
 lib/ldb/ldb_tdb/ldb_tdb.c                          |    8 +-
 lib/ldb/tests/ldb_kv_ops_test.c                    |   23 +
 lib/ldb/tools/ldbdump.c                            |   24 +
 lib/ldb/wscript                                    |    2 +-
 lib/pthreadpool/wscript_build                      |    7 +-
 lib/replace/wscript                                |   34 +-
 lib/util/fault.c                                   |    6 +-
 libcli/smb/smb2_constants.h                        |    2 +
 libcli/smb/smbXcli_base.c                          |   17 +
 libgpo/pygpo.c                                     |    2 +-
 nsswitch/tests/test_idmap_rid.sh                   |  132 ++
 nsswitch/wscript_build                             |    2 +-
 python/samba/tests/blackbox/undoguididx.py         |  107 ++
 python/samba/tests/gensec.py                       |   34 +-
 python/samba/tests/pam_winbind.py                  |   25 +-
 python/samba/tests/pam_winbind_chauthtok.py        |   10 +-
 python/samba/tests/pam_winbind_warn_pwd_expire.py  |   10 +-
 python/samba/tests/test_pam_winbind.sh             |   12 +-
 python/samba/tests/test_pam_winbind_chauthtok.sh   |    4 +-
 .../tests/test_pam_winbind_warn_pwd_expire.sh      |   20 +-
 python/samba/upgrade.py                            |    2 +-
 selftest/target/Samba3.pm                          |   11 +
 selftest/tests.py                                  |   87 +-
 source3/client/client.c                            |    4 +
 source3/client/smbspool.c                          |   16 +-
 source3/lib/netapi/joindomain.c                    |    5 +-
 source3/libads/ads_proto.h                         |   13 +-
 source3/libads/ads_struct.c                        |   14 +-
 source3/libads/authdata.c                          |    1 +
 source3/libads/kerberos.c                          |   54 +-
 source3/libads/kerberos_proto.h                    |    5 +-
 source3/libads/kerberos_util.c                     |    3 +-
 source3/libads/krb5_setpw.c                        |   21 +
 source3/libads/ldap.c                              |  340 +++-
 source3/libnet/libnet_join.c                       |   31 +-
 source3/libsmb/cliconnect.c                        |   91 +-
 source3/libsmb/libsmb_dir.c                        |  102 +-
 source3/libsmb/namequery_dc.c                      |    2 +-
 source3/libsmb/wscript                             |    1 +
 source3/modules/nfs4_acls.c                        |  361 ++--
 source3/modules/nfs4_acls.h                        |    2 +
 source3/modules/test_nfs4_acls.c                   | 1898 ++++++++++++++++++++
 source3/modules/vfs_glusterfs.c                    |  884 +++++----
 source3/modules/vfs_glusterfs_fuse.c               |  193 +-
 source3/modules/vfs_gpfs.c                         |  121 +-
 source3/modules/wscript_build                      |    5 +
 source3/printing/nt_printing_ads.c                 |    6 +-
 source3/script/tests/test_smbd_no_krb5.sh          |   46 +
 source3/selftest/tests.py                          |   11 +-
 source3/utils/net_ads.c                            |   16 +-
 source3/winbindd/wb_queryuser.c                    |   18 +-
 source3/winbindd/winbindd_ads.c                    |    7 +-
 source3/winbindd/winbindd_cm.c                     |    5 +-
 source3/winbindd/winbindd_cred_cache.c             |    6 +
 source3/winbindd/winbindd_pam.c                    |   57 +-
 source3/winbindd/winbindd_util.c                   |    2 +-
 source3/wscript                                    |    5 +-
 source4/auth/gensec/gensec_gssapi.c                |    6 +-
 source4/auth/kerberos/kerberos_util.c              |    2 +
 source4/scripting/bin/autoidl                      |   19 +-
 source4/scripting/bin/fullschema                   |    9 +-
 source4/scripting/bin/get-descriptors              |    9 +-
 source4/scripting/bin/minschema                    |   47 +-
 source4/scripting/bin/sambaundoguididx             |   28 +-
 source4/scripting/bin/smbstatus                    |   19 +-
 source4/scripting/devel/addlotscontacts            |    4 +-
 source4/scripting/devel/crackname                  |   10 +-
 source4/scripting/devel/getncchanges               |    8 +-
 source4/selftest/tests.py                          |    6 +
 source4/torture/libsmbclient/libsmbclient.c        |  340 ++++
 source4/torture/rpc/remote_pac.c                   |  114 +-
 testprogs/blackbox/test_net_ads.sh                 |   36 +-
 third_party/cmocka/wscript                         |    7 +-
 third_party/nss_wrapper/wscript                    |    2 +-
 third_party/uid_wrapper/wscript                    |    2 +-
 107 files changed, 5371 insertions(+), 1141 deletions(-)
 create mode 100644 
docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
 copy lib/ldb/ABI/{ldb-1.5.1.sigs => ldb-1.5.6.sigs} (99%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.5.6.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.5.6.sigs} (100%)
 create mode 100644 python/samba/tests/blackbox/undoguididx.py
 create mode 100644 source3/modules/test_nfs4_acls.c
 create mode 100755 source3/script/tests/test_smbd_no_krb5.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 59006453795..c843870dd4f 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=10
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 54c9c8fcabe..085acc45245 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,119 @@
+                   ==============================
+                   Release Notes for Samba 4.10.9
+                          October 17, 2019
+                   ==============================
+
+
+
+Changes since 4.10.8:
+---------------------
+
+o  Michael Adam <[email protected]>
+   * BUG 13972: Different Device Id for GlusterFS FUSE mount is causing data
+     loss in CTDB cluster.
+   * BUG 14141: winbind: Provide passwd struct for group sid with ID_TYPE_BOTH
+     mapping (again).
+
+o  Jeremy Allison <[email protected]>
+   * BUG 14094: smbc_readdirplus() is incompatible with smbc_telldir() and
+     smbc_lseekdir().
+   * BUG 14152: s3: smbclient: Stop an SMB2-connection from blundering into
+     SMB1-specific calls.
+
+o  Douglas Bagnall <[email protected]>
+   * BUG 13978: s4/scripting: MORE py3 compatible print functions.
+
+o  Andrew Bartlett <[email protected]>
+   * ldb: Release ldb 1.5.6
+   * BUG 13978: undoduididx: Add "or later" to warning about using tools from
+     Samba 4.8.
+   * BUG 13959: ldb_tdb fails to check error return when parsing pack formats.
+
+o  Ralph Boehme <[email protected]>
+   * BUG 14038: ctdb: Fix compilation on systems with glibc robust mutexes.
+
+o  Isaac Boukris <[email protected]>
+   * BUG 11362: GPO security filtering based on the groups in Kerberos PAC (but
+     primary group is missing).
+   * BUG 14106: Fix spnego fallback from kerberos to ntlmssp in smbd server.
+
+o  Günther Deschner <[email protected]>
+   * BUG 14130: s3-winbindd: fix forest trusts with additional trust 
attributes.
+
+o  Poornima G <[email protected]>
+   * BUG 14098: vfs_glusterfs: Use pthreadpool for scheduling aio operations.
+
+o  Aaron Haslett <[email protected]>
+   * BUG 13977: ldb: baseinfo pack format check on init.
+   * BUG 13978: ldb: ldbdump key and pack format version comments.
+
+o  Amitay Isaacs <[email protected]>
+   * BUG 14140: Overlinking libreplace against librt and pthread against every
+     binary or library causes issues.
+   * BUG 14147: ctdb-vacuum: Process all records not deleted on a remote node.
+
+o  Björn Jacke <[email protected]>
+   * BUG 14136: classicupgrade: Fix uncaught exception.
+   * BUG 14139: fault.c: Improve fault_report message text pointing to our 
wiki.
+
+o  Bryan Mason <[email protected]>
+   * BUG 14128: s3:client:Use DEVICE_URI, instead of argv[0],for Device URI.
+
+o  Stefan Metzmacher <[email protected]>
+   * BUG 14055: We should send SMB2_NETNAME_NEGOTIATE_CONTEXT_ID negotiation
+     context.
+   * BUG 14124: 'pam_winbind' with 'krb5_auth' or 'wbinfo -K' doesn't work for
+     users of trusted domains/forests principals" logic.
+
+o  Anoop C S <[email protected]>
+   * BUG 14093: vfs_glusterfs: Enable profiling for file system operations.
+
+o  Christof Schmitt <[email protected]>
+   * BUG 14032: vfs_gpfs: Implement special case for denying owner access to
+     ACL.
+
+o  Andreas Schneider <[email protected]>
+   * BUG 13884: Joining Active Directory should not use SAMR to set the
+     password.
+   * BUG 14106: s3:libsmb: Do not check the SPNEGO neg token for KRB5.
+   * BUG 14140: Overlinking libreplace against librt and pthread against every
+     binary or library causes issues.
+   * BUG 14155: 'kpasswd' fails when built with MIT Kerberos.
+
+o  Martin Schwenke <[email protected]>
+   * BUG 14084: CTDB replies can be lost before nodes are bidirectionally
+     connected.
+   * BUG 14087: "ctdb stop" command completes before databases are frozen.
+   * BUG 14129: ctdb-tools: Stop deleted nodes from influencing ctdb nodestatus
+     exit code.
+
+o  Evgeny Sinelnikov <[email protected]>
+   * BUG 14007: s3:ldap: Fix join with don't exists machine account.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.10.8
                           September 3, 2019
@@ -53,8 +169,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.10.7
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index bd695151dc0..b5b6362dc93 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -89,7 +89,7 @@ static NTSTATUS 
auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
        sam->groups.count = 0;
        sam->groups.rids = NULL;
 
-       if (user_info_dc->num_sids > 2) {
+       if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
                size_t i;
                sam->groups.rids = talloc_array(mem_ctx, struct 
samr_RidWithAttribute,
                                                user_info_dc->num_sids);
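Review bot: Replacing the literal `2` with `PRIMARY_GROUP_SID_INDEX` changes behaviour if the constant is 1 (its definition is outside this diff): this guard and the loop start in the next hunk (`for (i=PRIMARY_GROUP_SID_INDEX; ...`) would then also place the primary group's SID into `sam->groups.rids`. That matches the commit title, but nothing at either site says so. A short comment above the `if`, such as `/* Start at the primary group so it is also listed in the group array */`, would stop a later reader from "correcting" the bound back to 2. Since this array presumably ends up in the authorization data handed to other services, it is worth confirming that every consumer tolerates the primary group appearing both in `primary_gid` and in `groups.rids`; the third hunk in this file adds that de-duplication only for make_user_info_dc_netlogon_validation(). The function body continues outside the hunk.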
@@ -97,7 +97,7 @@ static NTSTATUS 
auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
                if (sam->groups.rids == NULL)
                        return NT_STATUS_NO_MEMORY;
 
-               for (i=2; i<user_info_dc->num_sids; i++) {
+               for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
                        struct dom_sid *group_sid = &user_info_dc->sids[i];
                        if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
                                /* We handle this elsewhere */
@@ -451,6 +451,10 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX 
*mem_ctx,
        }
 
        for (i = 0; i < base->groups.count; i++) {
+               /* Skip primary group, already added above */
+               if (base->groups.rids[i].rid == base->primary_gid) {
+                       continue;
+               }
                user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
                if 
(!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], 
base->groups.rids[i].rid)) {
                        return NT_STATUS_INVALID_PARAMETER;
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0b3fbdce7ac..ddbe03c5d6b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -136,6 +136,7 @@ struct spnego_state {
        bool done_mic_check;
 
        bool simulate_w2k;
+       bool no_optimistic;
 
        /*
         * The following is used to implement
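Review bot: The new `no_optimistic` field has two unrelated meanings and no comment. On the client it is configuration read from the `"spnego", "client_no_optimistic"` setting in gensec_spnego_client_start(); on the server it is per-exchange state, set when `sub_in.length == 0` in gensec_spnego_server_negTokenInit_step() and cleared in gensec_spnego_update_pre(). A field comment such as `/* client: setting, send no optimistic token; server: no usable optimistic token received, defer the sub mechanism once */` would make that explicit. As far as these hunks show, the client-side value is never reset and correctness relies on `state_position` leaving SPNEGO_CLIENT_START, so two separately named booleans would be easier to audit in a negotiation path where downgrade behaviour matters.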
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct 
gensec_security *gensec_securi
 
        spnego_state->simulate_w2k = 
gensec_setting_bool(gensec_security->settings,
                                                "spnego", "simulate_w2k", 
false);
+       spnego_state->no_optimistic = 
gensec_setting_bool(gensec_security->settings,
+                                                         "spnego",
+                                                         
"client_no_optimistic",
+                                                         false);
 
        gensec_security->private_data = spnego_state;
        return NT_STATUS_OK;
@@ -511,7 +516,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
        }
 
        n->mech_idx = 0;
-       n->mech_types = spnego_in->negTokenInit.mechTypes;
+
+       /* Do not use server mech list as it isn't protected. Instead, get all
+        * supported mechs (excluding SPNEGO). */
+       n->mech_types = gensec_security_oids(gensec_security, n,
+                                            GENSEC_OID_SPNEGO);
        if (n->mech_types == NULL) {
                return NT_STATUS_INVALID_PARAMETER;
        }
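Review bot: The unchanged `if (n->mech_types == NULL)` check after the new `gensec_security_oids()` call still returns NT_STATUS_INVALID_PARAMETER with no log output. That status fitted a malformed server token, but NULL now most likely means a local failure to build the mechanism list (allocation failure or no mechanisms enabled), so it hides the real cause from whoever debugs a failed negotiation. Consider logging here, as the finish function in this commit does, e.g. `DBG_WARNING("gensec_security_oids() returned no mech_types\n");`, and returning a status that reflects a local failure. As a style point, the added comment opens its text on the `/*` line, while the other multi-line comments added in this file put `/*` on a line of its own.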
@@ -658,13 +667,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
                                        DATA_BLOB *out)
 {
        struct spnego_data spnego_out;
-       const char *my_mechs[] = {NULL, NULL};
+       const char * const *mech_types = NULL;
        bool ok;
 
-       my_mechs[0] = spnego_state->neg_oid;
+       if (n->mech_types == NULL) {
+               DBG_WARNING("No mech_types list\n");
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
+               int cmp = strcmp(*mech_types, spnego_state->neg_oid);
+
+               if (cmp == 0) {
+                       break;
+               }
+       }
+
+       if (*mech_types == NULL) {
+               DBG_ERR("Can't find selected sub mechanism in mech_types\n");
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        /* compose reply */
        spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
-       spnego_out.negTokenInit.mechTypes = my_mechs;
+       spnego_out.negTokenInit.mechTypes = mech_types;
        spnego_out.negTokenInit.reqFlags = data_blob_null;
        spnego_out.negTokenInit.reqFlagsPadding = 0;
        spnego_out.negTokenInit.mechListMIC = data_blob_null;
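Review bot: The search loop passes `spnego_state->neg_oid` straight to `strcmp()`, so a NULL `neg_oid` would now be dereferenced, where the old `my_mechs[0] = spnego_state->neg_oid` merely produced an empty list. If nothing earlier in the function (outside this hunk) guarantees it is set, extend the guard to `if (n->mech_types == NULL || spnego_state->neg_oid == NULL) {`. The loop also leaves `mech_types` pointing into the middle of `n->mech_types`, so the token now carries the selected mechanism plus every entry after it rather than the single OID sent before. The same applies to the list passed to `spnego_write_mech_types()` in the next hunk, which is presumably the input to the later mechListMIC check. That is not obvious from the code and deserves a comment above the loop, e.g. `/* Send the selected mech followed by the remaining ones, in our preference order */`; the `cmp` temporary can be folded into the `if`.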
@@ -676,7 +702,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
        }
 
        ok = spnego_write_mech_types(spnego_state,
-                                    my_mechs,
+                                    mech_types,
                                     &spnego_state->mech_types);
        if (!ok) {
                DBG_ERR("failed to write mechTypes\n");
@@ -1295,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
                        spnego_state->mic_requested = true;
                }
 
+               if (sub_in.length == 0) {
+                       spnego_state->no_optimistic = true;
+               }
+
                /*
                 * Note that 'cur_sec' is temporary memory, but
                 * cur_sec->oid points to a const string in the
@@ -1923,6 +1953,21 @@ static void gensec_spnego_update_pre(struct tevent_req 
*req)
                 * blob and NT_STATUS_OK.
                 */
                state->sub.status = NT_STATUS_OK;
+       } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+                  spnego_state->no_optimistic) {
+               /*
+                * Skip optimistic token per conf.
+                */
+               state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+       } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+                  state->sub.in.length == 0 && spnego_state->no_optimistic) {
+               /*
+                * If we didn't like the mechanism for which the client sent us
+                * an optimistic token, or if he didn't send any, don't call
+                * the sub mechanism just yet.
+                */
+               state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+               spnego_state->no_optimistic = false;
        } else {
                /*
                 * MORE_PROCESSING_REQUIRED =>
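Review bot: `spnego_state->no_optimistic` is read with two different meanings in the added branches: in the SPNEGO_CLIENT_START branch it acts as a configuration choice and stays set, while in the SPNEGO_SERVER_START branch it is per-exchange state, set in the gensec_spnego_server_negTokenInit_step hunk when `sub_in.length == 0` and cleared here. Sharing one field for both makes the state machine harder to audit, because a reader must know which role the context plays to tell policy from transient state. At minimum document it at the field, e.g. `/* client: never send an optimistic token; server: peer sent none, defer the sub mechanism by one round */`, or split it into two fields. The server-side comment also mentions the case where the mechanism of the optimistic token was rejected, but the only setter visible on this page keys on an empty `sub_in`; whether `sub_in` is emptied in that case is outside the hunks. gensec_spnego_update_pre starts and ends outside this hunk.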
diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h
index ea00bb12128..0c66725d36c 100644
--- a/ctdb/include/ctdb_private.h
+++ b/ctdb/include/ctdb_private.h
@@ -481,7 +481,6 @@ int ctdb_ibw_init(struct ctdb_context *ctdb);
 
 /* from ctdb_banning.c */
 
-void ctdb_local_node_got_banned(struct ctdb_context *ctdb);
 int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata);
 int32_t ctdb_control_get_ban_state(struct ctdb_context *ctdb, TDB_DATA 
*outdata);
 void ctdb_ban_self(struct ctdb_context *ctdb);
@@ -829,6 +828,8 @@ int32_t ctdb_control_recd_ping(struct ctdb_context *ctdb);
 int32_t ctdb_control_set_recmaster(struct ctdb_context *ctdb,
                                   uint32_t opcode, TDB_DATA indata);
 
+void ctdb_node_become_inactive(struct ctdb_context *ctdb);
+
 int32_t ctdb_control_stop_node(struct ctdb_context *ctdb);
 int32_t ctdb_control_continue_node(struct ctdb_context *ctdb);
 
@@ -841,7 +842,10 @@ void ctdb_stop_recoverd(struct ctdb_context *ctdb);
 
 int ctdb_set_transport(struct ctdb_context *ctdb, const char *transport);
 
-int ctdb_ip_to_nodeid(struct ctdb_context *ctdb, const ctdb_sock_addr *nodeip);
+struct ctdb_node *ctdb_ip_to_node(struct ctdb_context *ctdb,
+                                 const ctdb_sock_addr *nodeip);
+uint32_t ctdb_ip_to_pnn(struct ctdb_context *ctdb,
+                       const ctdb_sock_addr *nodeip);
 
 void ctdb_load_nodes_file(struct ctdb_context *ctdb);
 
diff --git a/ctdb/server/ctdb_banning.c b/ctdb/server/ctdb_banning.c
index 9cd163645a1..3c711575e8c 100644
--- a/ctdb/server/ctdb_banning.c
+++ b/ctdb/server/ctdb_banning.c
@@ -57,30 +57,6 @@ static void ctdb_ban_node_event(struct tevent_context *ev,
        }
 }
 
-void ctdb_local_node_got_banned(struct ctdb_context *ctdb)
-{
-       struct ctdb_db_context *ctdb_db;
-
-       DEBUG(DEBUG_NOTICE, ("This node has been banned - releasing all public "
-                            "IPs and setting the generation to INVALID.\n"));
-
-       /* Reset the generation id to 1 to make us ignore any
-          REQ/REPLY CALL/DMASTER someone sends to us.
-          We are now banned so we shouldnt service database calls
-          anymore.
-       */
-       ctdb->vnn_map->generation = INVALID_GENERATION;
-       for (ctdb_db = ctdb->db_list; ctdb_db != NULL; ctdb_db = ctdb_db->next) 
{
-               ctdb_db->generation = INVALID_GENERATION;
-       }
-
-       /* Recovery daemon will set the recovery mode ACTIVE and freeze
-        * databases.
-        */
-
-       ctdb_release_all_ips(ctdb);
-}
-
 int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata)
 {
        struct ctdb_ban_state *bantime = (struct ctdb_ban_state *)indata.dptr;
@@ -129,7 +105,7 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context 
*ctdb, TDB_DATA indata)
                         ctdb_ban_node_event, ctdb);
 
        if (!already_banned) {
-               ctdb_local_node_got_banned(ctdb);
+               ctdb_node_become_inactive(ctdb);
        }
        return 0;
 }
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index aa0694548f8..95b5b6381de 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1251,21 +1251,18 @@ static void ctdb_initialise_vnn_map(struct ctdb_context 
*ctdb)
 
 static void ctdb_set_my_pnn(struct ctdb_context *ctdb)
 {
-       int nodeid;
-
        if (ctdb->address == NULL) {
                ctdb_fatal(ctdb,
                           "Can not determine PNN - node address is not set\n");
        }
 
-       nodeid = ctdb_ip_to_nodeid(ctdb, ctdb->address);
-       if (nodeid == -1) {
+       ctdb->pnn = ctdb_ip_to_pnn(ctdb, ctdb->address);
+       if (ctdb->pnn == CTDB_UNKNOWN_PNN) {
                ctdb_fatal(ctdb,
-                          "Can not determine PNN - node address not found in 
node list\n");
+                          "Can not determine PNN - unknown node address\n");
        }
 
-       ctdb->pnn = ctdb->nodes[nodeid]->pnn;
-       DEBUG(DEBUG_NOTICE, ("PNN is %u\n", ctdb->pnn));
+       D_NOTICE("PNN is %u\n", ctdb->pnn);
 }
 
 /*
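Review bot: `ctdb->pnn` is overwritten with the lookup result before that result is checked, so ctdb_set_my_pnn is only correct if `ctdb_fatal()` never returns (its definition is not on this page); the same holds for the NULL-address guard above, which would otherwise fall through into the lookup. Holding the result in a local keeps the context from ever carrying CTDB_UNKNOWN_PNN: `uint32_t pnn = ctdb_ip_to_pnn(ctdb, ctdb->address);`, test `pnn == CTDB_UNKNOWN_PNN`, then `ctdb->pnn = pnn;` after the check. The new fatal message also no longer says that the address was missing from the node list, which was the more useful hint for an operator reading the log.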
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index cfe77f643a6..f7a73982a71 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -1418,12 +1418,57 @@ int32_t ctdb_control_set_recmaster(struct ctdb_context 
*ctdb, uint32_t opcode, T
        return 0;
 }
 
+void ctdb_node_become_inactive(struct ctdb_context *ctdb)
+{
+       struct ctdb_db_context *ctdb_db;
+
+       D_WARNING("Making node INACTIVE\n");
+
+       /*
+        * Do not service database calls - reset generation to invalid
+        * so this node ignores any REQ/REPLY CALL/DMASTER
+        */
+       ctdb->vnn_map->generation = INVALID_GENERATION;
+       for (ctdb_db = ctdb->db_list; ctdb_db != NULL; ctdb_db = ctdb_db->next) 
{
+               ctdb_db->generation = INVALID_GENERATION;
+       }
+
+       /*
+        * Although this bypasses the control, the only thing missing
+        * is the deferred drop of all public IPs, which isn't
+        * necessary because they are dropped below
+        */
+       if (ctdb->recovery_mode != CTDB_RECOVERY_ACTIVE) {
+               D_NOTICE("Recovery mode set to ACTIVE\n");
+               ctdb->recovery_mode = CTDB_RECOVERY_ACTIVE;
+       }
+
+       /*
+        * Initiate database freeze - this will be scheduled for
+        * immediate execution and will be in progress long before the
+        * calling control returns
+        */
+       ctdb_daemon_send_control(ctdb,
+                                ctdb->pnn,
+                                0,
+                                CTDB_CONTROL_FREEZE,
+                                0,
+                                CTDB_CTRL_FLAG_NOREPLY,
+                                tdb_null,
+                                NULL,
+                                NULL);
+
+       D_NOTICE("Dropping all public IP addresses\n");
+       ctdb_release_all_ips(ctdb);
+}
 
 int32_t ctdb_control_stop_node(struct ctdb_context *ctdb)
 {
        DEBUG(DEBUG_ERR, ("Stopping node\n"));
        ctdb->nodes[ctdb->pnn]->flags |= NODE_FLAGS_STOPPED;
 
+       ctdb_node_become_inactive(ctdb);
+
        return 0;
 }
 
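Review bot: The return value of `ctdb_daemon_send_control()` in ctdb_node_become_inactive is discarded, so if queueing CTDB_CONTROL_FREEZE fails the node still sets recovery mode ACTIVE, drops its public IPs and returns with the databases not frozen and nothing in the log to show it. Assuming the call reports failure through its return value, capture it and log the failure: `ret = ctdb_daemon_send_control(...);` followed by `if (ret != 0) { D_ERR("Failed to send FREEZE control\n"); }`. The comment above the `recovery_mode` assignment says "this bypasses the control" without naming which control is meant; naming it would make the shortcut easier to review.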
diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c
index 3e63bd1e7a5..31e72f139ff 100644
--- a/ctdb/server/ctdb_recoverd.c
+++ b/ctdb/server/ctdb_recoverd.c
@@ -2981,13 +2981,19 @@ static void main_loop(struct ctdb_context *ctdb, struct 
ctdb_recoverd *rec,
                return;
        }
 
-       /* verify that all active nodes in the nodemap also exist in 
-          the vnnmap.
+       /*
+        * Verify that all active lmaster nodes in the nodemap also
+        * exist in the vnnmap
         */
        for (j=0; j<nodemap->num; j++) {
                if (nodemap->nodes[j].flags & NODE_FLAGS_INACTIVE) {
                        continue;
                }
+               if (! ctdb_node_has_capabilities(rec->caps,
+                                                nodemap->nodes[j].pnn,
+                                                CTDB_CAP_LMASTER)) {
+                       continue;
+               }
                if (nodemap->nodes[j].pnn == pnn) {
                        continue;
                }
@@ -2998,8 +3004,8 @@ static void main_loop(struct ctdb_context *ctdb, struct 
ctdb_recoverd *rec,
                        }
                }
                if (i == vnnmap->size) {
-                       DEBUG(DEBUG_ERR, (__location__ " Node %u is active in 
the nodemap but did not exist in the vnnmap\n", 
-                                 nodemap->nodes[j].pnn));
+                       D_ERR("Active LMASTER node %u is not in the vnnmap\n",
+                             nodemap->nodes[j].pnn);
                        ctdb_set_culprit(rec, nodemap->nodes[j].pnn);
                        do_recovery(rec, mem_ctx, pnn, nodemap, vnnmap);
                        return;
diff --git a/ctdb/server/ctdb_server.c b/ctdb/server/ctdb_server.c


-- 
Samba Shared Repository
