[SCM] Samba Shared Repository - branch v4-13-test updated

2022-01-10 Thread Jule Anger
The branch, v4-13-test has been updated
   via  d6ead5d3355 VERSION: Bump version up to Samba 4.13.17...
   via  27a1dfbce25 VERSION: Disable GIT_SNAPSHOT for the 4.13.16 release.
   via  2513ed0fe29 WHATSNEW: Add release notes for Samba 4.13.16.
   via  9c2e3c72c0c s3: smbd: Fix mkdir race condition allows share escape in Samba 4.13.X and below: CVE-2021-43566
  from  c3f170643bb VERSION: Bump version up to Samba 4.13.16...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit d6ead5d33552c52da462440c6a72360a075addbe
Author: Jule Anger 
Date:   Mon Jan 10 13:32:26 2022 +0100

VERSION: Bump version up to Samba 4.13.17...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION |  2 +-
 WHATSNEW.txt| 72 +++--
 source3/smbd/open.c | 43 +---
 3 files changed, 111 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7a649fa0fc9..7a7178282c6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=16
+SAMBA_VERSION_RELEASE=17
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 60b7c75f90b..b5699d7630e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,72 @@
+   ===
+   Release Notes for Samba 4.13.16
+  January 10, 2022
+   ===
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-43566:  mkdir race condition allows share escape in Samba 4.x.
+   https://www.samba.org/samba/security/CVE-2021-43566.html
+
+
+===
+Details
+===
+
+o  CVE-2021-43566:
+   All versions of Samba prior to 4.13.16 are vulnerable to a malicious
+   client using an SMB1 or NFS symlink race to allow a directory to be
+   created in an area of the server file system not exported under the
+   share definition. Note that SMB1 has to be enabled, or the share
+   also available via NFS in order for this attack to succeed.
+
+   Clients that have write access to the exported part of the file system
+   under a share via SMB1 unix extensions or NFS can create symlinks that
+   can race the server by renaming an existing path and then replacing it
+   with a symlink. If the client wins the race it can cause the server to
+   create a directory under the new symlink target after the exported
+   share path check has been done. This new symlink target can point to
+   anywhere on the server file system. The authenticated user must have
+   permissions to create a directory under the target directory of the
+   symlink.
+
+   This is a difficult race to win, but theoretically possible. Note that
+   the proof of concept code supplied wins the race only when the server
+   is slowed down and put under heavy load. Exploitation of this bug has
+   not been seen in the wild.
+
+
+Changes since 4.13.15
+-
+
+o  Jeremy Allison 
+   * BUG 13979: CVE-2021-43566: mkdir race condition allows share escape in 
Samba 4.x
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
===
Release Notes for Samba 4.13.15
   December 15, 2021
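
Review bot: the summary line at the top of the new notes ("mkdir race condition allows share escape in Samba 4.x") omits the precondition that the Details paragraph gives, namely that SMB1 has to be enabled or the share also has to be exported over NFS. Stating that condition in the summary as well lets an administrator triaging from the first lines tell whether a server is exposed. The sentence "Note that SMB1 has to be enabled, or the share also available via NFS" is missing a verb ("or the share is also available via NFS"), and the affected range is worded three ways on this page ("Samba 4.x", "All versions of Samba prior to 4.13.16", and "Samba 4.13.X and below" in the commit subject); one wording throughout would be clearer.
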
@@ -70,8 +139,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
===
Release 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-12-15 Thread Jule Anger
The branch, v4-13-test has been updated
   via  c3f170643bb VERSION: Bump version up to Samba 4.13.16...
   via  c02edb51e7f VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release.
   via  0bdce27ce0e WHATSNEW: Add release notes for Samba 4.13.15.
  from  dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit c3f170643bbc3024aba3dae819cf9c5ba35733f8
Author: Jule Anger 
Date:   Wed Dec 15 15:14:27 2021 +0100

VERSION: Bump version up to Samba 4.13.16...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit c02edb51e7f276337a99974c74d522c3069051be
Author: Jule Anger 
Date:   Wed Dec 15 15:12:59 2021 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.13.15 release.

Signed-off-by: Jule Anger 

commit 0bdce27ce0e5a90d1167a73da9f4d1c073283571
Author: Jule Anger 
Date:   Wed Dec 15 15:12:25 2021 +0100

WHATSNEW: Add release notes for Samba 4.13.15.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 77 ++--
 2 files changed, 76 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 15f13761633..7a649fa0fc9 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=15
+SAMBA_VERSION_RELEASE=16
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 40753b2b500..60b7c75f90b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,77 @@
+   ===
+   Release Notes for Samba 4.13.15
+  December 15, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+Important Notes
+===
+
+There have been a few regressions in the security release 4.13.14:
+
+o CVE-2020-25717: A user on the domain can become root on domain members.
+  https://www.samba.org/samba/security/CVE-2020-25717.html
+  PLEASE [RE-]READ!
+  The instructions have been updated and some workarounds
+  initially adviced for 4.13.14 are no longer required and
+  should be reverted in most cases.
+
+o BUG-14902: User with multiple spaces (eg FredNurk) become
+ un-deletable. While this release should fix this bug, it is
+ adviced to have a look at the bug report for more detailed
+ information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
+
+Changes since 4.13.14
+-
+
+o  Andrew Bartlett 
+   * BUG 14656: Spaces incorrectly collapsed in ldb attributes.
+   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+   * BUG 14902: User with multiple spaces (eg FredNurk) become 
un-
+ deletable.
+
+o  Ralph Boehme 
+   * BUG 14922: Kerberos authentication on standalone server in MIT realm
+ broken.
+
+o  Alexander Bokovoy 
+   * BUG 14903: Support for ROLE_IPA_DC is incomplete.
+
+o  Stefan Metzmacher 
+   * BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
+   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+o  Joseph Sutton 
+   * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
+ side effects for the local nt token.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
===
Release Notes for Samba 4.13.14
November 9, 2021
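
Review bot: "adviced" appears twice in the Important Notes block ("initially adviced for 4.13.14" and "it is adviced to have a look") and should read "advised". The BUG-14902 example "(eg FredNurk)" contains no spaces, so it does not show the multiple-space user name the entry is about; putting the name in quotes would keep the spaces visible in plain text.
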
@@ -103,8 +177,7 @@ database 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-12-08 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
   via  1e27b820dff CVE-2020-25717: s3-auth: fix MIT Realm regression
  from  105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Author: Andrew Bartlett 
Date:   Fri Nov 12 12:44:44 2021 +1300

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Wed Dec  8 16:49:25 UTC 2021 on sn-devel-184

commit 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4
Author: Ralph Boehme 
Date:   Fri Nov 26 10:57:17 2021 +0100

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)

---

Summary of changes:
 source3/auth/user_krb5.c|  9 +
 source4/dsdb/samdb/ldb_modules/operational.c|  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
 3 files changed, 22 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+   bool may_retry = false;
 
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+   may_retry = true;
}
 
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
 
pw = smb_getpwnam(mem_ctx, fuser, , true);
+   if (may_retry && pw == NULL && !*is_mapped) {
+   fuser = talloc_strdup(mem_ctx, user);
+   if (!fuser) {
+   return NT_STATUS_NO_MEMORY;
+   }
+   pw = smb_getpwnam(mem_ctx, fuser, , true);
+   }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
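
Review bot: the retry at `if (may_retry && pw == NULL && !*is_mapped)` looks up the bare `user` name with no domain qualifier, and nothing in the hunk says why that is acceptable here. A short comment stating when may_retry is set (the branch where domain falls back to lp_workgroup()) and why an unqualified lookup is safe in that case would help the next reader. A DEBUG line on the retry path, like the existing DEBUG(3, ...) for the principal name, would also make it visible in the logs which name finally matched.
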
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 5eaebf98141..4e60feaf14f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = {
{ "tokenGroups", "primaryGroupID", objectSid_attr, 
construct_token_groups },
{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr, 
construct_token_groups_no_gc},
{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr, 
construct_global_universal_token_groups },
-   { "parentGUID", NULL, NULL, construct_parent_guid },
+   { "parentGUID", "objectGUID", NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", objectCategory_attr, 
construct_msds_isrodc },
{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL, 
construct_msds_keyversionnumber },
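
Review bot: the `parentGUID` entry now names "objectGUID" as a required attribute, but neither the hunk nor the commit message (which only discusses DSDB_SEARCH_SHOW_EXTENDED_DN and DN normalisation) says why construct_parent_guid needs it. Please add a sentence to the commit message or a comment beside the table entry so the dependency is not dropped again in a later cleanup.
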
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 58c04da5f53..870185ee1d3 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-17 Thread Jule Anger
The branch, v4-13-test has been updated
   via  105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails
   via  32ba258cd75 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
   via  a40c007fb55 CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
   via  0a56d233bfd CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts
   via  302bb70ebc9 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
   via  a6eddc3bd7a CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain
  from  fadf4963450 IPA DC: add missing checks

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 105c6a15effd118d7cfe9dfa7b1ad4faab9fe224
Author: Andrew Bartlett 
Date:   Fri Nov 12 16:10:31 2021 +1300

CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails

Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.

Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.

This obsoletes 'username map [script]' based workaround advised
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.

In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Andrew Bartlett 
Signed-off-by: Stefan Metzmacher 

[me...@samba.org moved the new logic into the fallback codepath only
 in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184

(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Wed Nov 17 15:50:53 UTC 2021 on sn-devel-184

commit 32ba258cd753301504bdb4a00624053f08373b95
Author: Joseph Sutton 
Date:   Fri Nov 12 14:22:47 2021 +1300

CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Signed-off-by: Stefan Metzmacher 

[me...@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme 

(cherry picked from commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7)

commit a40c007fb5574cc781b60ab948477dcd9dd05aab
Author: Joseph Sutton 
Date:   Fri Nov 12 14:20:45 2021 +1300

CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss

In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
via idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Joseph Sutton 
Signed-off-by: Stefan Metzmacher 

[me...@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme 

(cherry picked from commit 8a9f2aa2c1cdfa72ad50d7c4f879220fe37654cd)

commit 0a56d233bfdb48bb891f7abfe054769b2ef2
Author: Joseph Sutton 
Date:   Fri Nov 12 20:53:30 2021 +1300

CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)

commit 302bb70ebc9b47d9f1d46212deac17470e64740d
Author: Joseph Sutton 
Date:   Fri Nov 12 14:14:55 2021 +1300

CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)

commit a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab
Author: Stefan Metzmacher 
Date:   Fri Nov 12 15:27:58 2021 +0100

CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain

We already check the sid belongs to the domain, but checking the name
too feels better and make 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-15 Thread Jule Anger
The branch, v4-13-test has been updated
   via  fadf4963450 IPA DC: add missing checks
  from  b7158d4ce85 s3:winbindd: fix "allow trusted domains = no" regression

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit fadf49634500a08392f0625db4062d993ccb0b0a
Author: Alexander Bokovoy 
Date:   Fri Nov 12 19:06:01 2021 +0200

IPA DC: add missing checks

When introducing FreeIPA support, two places were forgotten:

 - schannel gensec module needs to be aware of IPA DC
 - _lsa_QueryInfoPolicy should treat IPA DC as PDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903

Signed-off-by: Alexander Bokovoy 
Reviewed-by: Guenther Deschner 

Autobuild-User(master): Alexander Bokovoy 
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184

(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Mon Nov 15 15:33:17 UTC 2021 on sn-devel-184

---

Summary of changes:
 auth/gensec/schannel.c  | 1 +
 source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
 2 files changed, 2 insertions(+)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 0cdae141ead..6ebbe8f3179 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct 
gensec_security *gensec_security)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+   case ROLE_IPA_DC:
return NT_STATUS_OK;
default:
return NT_STATUS_NOT_IMPLEMENTED;
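
Review bot: `case ROLE_IPA_DC:` joins the roles for which schannel_server_start() returns NT_STATUS_OK, yet the change summary shows only two one-line insertions and no test. Since the commit message says these two places were forgotten when FreeIPA support was introduced, a test that starts the schannel server under ROLE_IPA_DC, or at least a note that the other switches on the server role were audited, would guard against a third forgotten place.
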
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c 
b/source3/rpc_server/lsa/srv_lsa_nt.c
index 198387424e6..08a77c80017 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -681,6 +681,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
+   case ROLE_IPA_DC:
name = get_global_sam_name();
sid = dom_sid_dup(p->mem_ctx, 
get_global_sam_sid());
if (!sid) {


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-11 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  b7158d4ce85 s3:winbindd: fix "allow trusted domains = no" regression
  from  959fb5a4c69 VERSION: Bump version up to Samba 4.13.15...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b7158d4ce853f3ce4342ff9756490104ad163b9c
Author: Stefan Metzmacher 
Date:   Tue Nov 9 20:50:20 2021 +0100

s3:winbindd: fix "allow trusted domains = no" regression

add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).

We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184

(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Nov 11 10:37:06 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/winbindd/winbindd_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1ae4a8d3ca3..a4f33c4765b 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -131,7 +131,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
 
-   if (!is_allowed_domain(domain_name)) {
+   if (secure_channel_type == SEC_CHAN_NULL && 
!is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
 
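
Review bot: with the new condition, is_allowed_domain() is consulted only when secure_channel_type == SEC_CHAN_NULL, so every call that passes any other channel type now skips the "allow trusted domains = no" check. The commit message explains that this is intended for explicit trusts and for local domains such as BUILTIN (SEC_CHAN_LOCAL), but the code carries no comment; add one above the `if` so the bypass is not mistaken for an oversight. A regression test for bug 14899 would also be welcome, since the summary lists only this one-line change.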


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-09 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  959fb5a4c69 VERSION: Bump version up to Samba 4.13.15...
   via  db11778b576 VERSION: Disable GIT_SNAPSHOT for the 4.13.14 release.
   via  6c14ac876b6 WHATSNEW: Add release notes for Samba 4.13.14.
   via  0203330e2fa CVE-2021-3738 s4:rpc_server/samr: make use of dcesrv_samdb_connect_as_*() helper
   via  08b6c8fda59 CVE-2021-3738 s4:rpc_server/netlogon: make use of dcesrv_samdb_connect_as_*() helper
   via  79d62d83e23 CVE-2021-3738 s4:rpc_server/lsa: make use of dcesrv_samdb_connect_as_user() helper
   via  caf3d32f68f CVE-2021-3738 s4:rpc_server/dnsserver: make use of dcesrv_samdb_connect_as_user() helper
   via  061c125c612 CVE-2021-3738 s4:rpc_server/drsuapi: make use of assoc_group aware dcesrv_samdb_connect_as_*() helpers
   via  7c3b0376000 CVE-2021-3738 s4:rpc_server/common: provide assoc_group aware dcesrv_samdb_connect_as_{system,user}() helpers
   via  6925a53a290 CVE-2021-3738 auth_util: avoid talloc_tos() in copy_session_info()
   via  5337dc5eaeb CVE-2021-3738 s4:torture/drsuapi: DsBindAssocGroup* tests
   via  ec1ea05e8f1 CVE-2021-3738 s4:torture/drsuapi: maintain priv->admin_credentials
   via  3db47b076d0 CVE-2021-3738 s4:torture/drsuapi: maintain priv->dc_credentials
   via  f7636fb7215 CVE-2021-3738 s4:torture/drsuapi: don't pass DsPrivate to test_DsBind()
   via  721e40dd379 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
   via  4290223ed40 CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
   via  ec712adf500 CVE-2021-23192: dcesrv_core: only the first fragment specifies the auth_contexts
   via  f4492f9309f CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
   via  1f66e3f97e1 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
   via  adcd0d76132 CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
   via  6afefee92ce CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
   via  714cf311ab2 CVE-2021-23192: dcesrv_core: add dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE
   via  6b371124410 CVE-2021-23192: dcesrv_core: add better debugging to dcesrv_fault_disconnect()
   via  4a893891951 CVE-2021-23192 librpc: Remove the gensec dependency from library dcerpc-binding
   via  83a9fb52f3e CVE-2021-23192 rpc: Give dcerpc_util.c its own header
   via  3ed16e74292 CVE-2020-25722 selftest: Ensure check for duplicate servicePrincipalNames is not bypassed for an add operation
   via  26a1bd5cc75 CVE-2020-25722 selftest: Add test for duplicate servicePrincipalNames on an add operation
   via  9ac2254c50d CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
   via  2b28b9c3be2 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
   via  1c5a0ef89c9 Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
   via  a803247a1dc CVE-2020-25718 heimdal:kdc: Add comment about tests for tickets of users not revealed to an RODC
   via  c05ea4568fc CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
   via  06a46f79dd6 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
   via  864623d873f CVE-2020-25719 heimdal:kdc: Require PAC to be present
   via  b6ab45da636 CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain/realm) unless a DC
   via  1fb0c6b5ff9 CVE-2020-25719 heimdal:kdc: Verify PAC in TGT provided for user-to-user authentication
   via  2eaf906f926 CVE-2020-25719 heimdal:kdc: Check name in request against name in user-to-user TGT
   via  5f1a089 CVE-2020-25719 heimdal:kdc: Use sname from request rather than user-to-user TGT client name
   via  c493ff06c68 CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
   via  73f6a615455 CVE-2020-25719 heimdal:kdc: Check return code
   via  60ac2ff31f0 CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
   via  8513fe9e30a CVE-2020-25722 Ensure the structural objectclass cannot be changed
   via  c59f5762ead CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
   via  8d94ec0d3f7 CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check
   via  aa66df26021 CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid
   via  1566a68a3dc CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
   via  4cb7155917e CVE-2020-25718 dsdb: Bring sid_helper.c into common code as rodc_helper.c
   via  a12d50c5334 CVE-2020-25718 s4-rpc_server: Add in debug 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-11-02 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  20ce74008b3 ldb: version 2.2.3
   via  767bafc50ae ldb_kv_index: fix empty initializer compile warning
   via  0dc05f591db ldb: Use hex_byte() in ldb_binary_decode()
   via  9ad6b86ccc9 lib: Add "hex_byte()" to replace.h
   via  8c29175f7fe ldb_controls: control_to_string avoids crash
   via  7dd52901904 lib:ldb-samba: Improve calculate_popt_array_length()
   via  68d736a73f1 lib:ldb: Use C99 initializers for builtin_popt_options[]
   via  5363e0340d7 pyldb: fix a typo
   via  bbc5373b872 ldb: improve comments for ldb_module_connect_backend()
   via  90729aed778 ldb: correct comments in attrib_handers val_to_int64
   via  1253ee80bd1 ldb.h: remove undefined async_ctx function signatures
   via  e96b3f7185a lib:ldb: Add missing break in switch statement
   via  933fbc8ca9e pyldb: Fix Message.items() for a message containing elements
   via  7e8d2bcca98 ldb_match: remove redundant check
   via  f2c0ab2daed pyldb: catch potential overflow error in py_timestring
   via  cb04bfc55a8 ldb: fix ldb_comparison_fold off-by-one overrun
   via  e431362a701 ldb_match: trailing chunk must match end of string
   via  0c32ab5f61a ldb/attrib_handler casefold: simplify space dropping
  from  6671c88157b VERSION: Bump version up to Samba 4.13.14...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 20ce74008b3347256139e3d10caef0fd6322f87f
Author: Stefan Metzmacher 
Date:   Tue Nov 2 15:19:31 2021 +0100

ldb: version 2.2.3

Backport all C code changes from ldb-2.4.1
to be available for Samba 4.13.x

Signed-off-by: Stefan Metzmacher 

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Tue Nov  2 22:41:39 UTC 2021 on sn-devel-184

commit 767bafc50aed115cab1eccd997cf4cc9758db8b1
Author: Björn Jacke 
Date:   Mon Oct 19 02:39:46 2020 +0200

ldb_kv_index: fix empty initializer compile warning

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit c862ad64aea31d1d5ec66385bb50d9b97e609071)

commit 0dc05f591db1cd137e85fcb0ebc1dfc7eb320aed
Author: Volker Lendecke 
Date:   Mon Jan 4 13:55:01 2021 +0100

ldb: Use hex_byte() in ldb_binary_decode()

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit b6a57c49c00a778f954aaf10db6ebe6dca8f5ae2)

commit 9ad6b86ccc9df76311e3e9f1908f815a292d1b6d
Author: Volker Lendecke 
Date:   Mon Jan 4 13:12:30 2021 +0100

lib: Add "hex_byte()" to replace.h

This is required in quite a few places, and replace.h has things like
ZERO_STRUCT already, so this is not completely outplaced.

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit c8d9ce3f7c8c486ab21e320a0adcb71311dcb453)

commit 8c29175f7fe10bbf37595cb2e5afd26a4617fd7a
Author: Douglas Bagnall 
Date:   Fri Jul 24 12:41:29 2020 +1200

ldb_controls: control_to_string avoids crash

Otherwise a malformed control with unexpected NULL data will segfault
ldb_control_to_string(), though this is not very likely to affect
anyone in practice as converting controls to strings is rarely
necessary. If it happens at all in Samba it is in Python code.

Found by Honggfuzz using fuzz_ldb_parse_control.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Douglas Bagnall 
Autobuild-Date(master): Wed Jul 29 04:43:23 UTC 2020 on sn-devel-184

(cherry picked from commit 2aace18f170644da9c293342a6df5e5b2ae8da25)

commit 7dd529019045949bcc5d7fbb49322868bfda52c7
Author: Andreas Schneider 
Date:   Thu Dec 17 19:16:13 2020 +0100

lib:ldb-samba: Improve calculate_popt_array_length()

Note that memcmp() doesn't work well with padding bytes. So avoid it!

(gdb) ptype/o struct poptOption
/* offset|  size */  type = struct poptOption {
/*0  | 8 */const char *longName;
/*8  | 1 */char shortName;
/* XXX  3-byte hole  */
/*   12  | 4 */unsigned int argInfo;
/*   16  | 8 */void *arg;
/*   24  | 4 */int val;
/* XXX  4-byte hole  */
/*   32  | 8 */const char *descrip;
/*   40  | 8 */const char *argDescrip;

   /* total size (bytes):   48 */

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit c2c7c1f50a8acb3169e19ba4329aa78839b66def)

commit 68d736a73f175c949ae19a15228b7e5e4d90a610
Author: Andreas Schneider 
Date:   Thu Dec 17 11:56:08 2020 +0100

lib:ldb: Use C99 initializers for builtin_popt_options[]

Signed-off-by: Andreas Schneider 
  

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-29 Thread Jule Anger
The branch, v4-13-test has been updated
   via  6671c88157b VERSION: Bump version up to Samba 4.13.14...
   via  88d73d0b4ee VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.
   via  665022c7590 WHATSNEW: Add release notes for Samba 4.13.13.
  from  74e65d7c06c ldb: Release ldb 2.2.1

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6671c88157bf29ddbcc36587a9547e292b185e85
Author: Jule Anger 
Date:   Fri Oct 29 08:12:27 2021 +0200

VERSION: Bump version up to Samba 4.13.14...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 88d73d0b4eeabc2544e48a8301b1caa0e9aaeccd
Author: Jule Anger 
Date:   Fri Oct 29 08:11:43 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.

Signed-off-by: Jule Anger 

commit 665022c7590a16275472c25ae47f47f1417cfe20
Author: Jule Anger 
Date:   Fri Oct 29 08:11:05 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.13.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 101 +--
 2 files changed, 100 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index c65285cf4cd..b2cca84b9c5 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 820185349ef..575ae48705f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,101 @@
+   ===
+   Release Notes for Samba 4.13.13
+  October 29, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.12
+-
+
+o  Douglas Bagnall 
+   * BUG 14868: rodc_rwdc test flaps.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Andrew Bartlett 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Isaac Boukris 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Viktor Dukhovni 
+   * BUG 12998: Fix transit path validation.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Luke Howard 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Stefan Metzmacher 
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  David Mulder 
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Andreas Schneider 
+   * BUG 14870: Prepare to operate with MIT krb5 >= 1.20.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Joseph Sutton 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14645: rpcclient NetFileEnum and net rpc file both cause lock order
+ violation: brlock.tdb, share_entries.tdb.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+   * BUG 14845: "in" operator on ldb.Message is case sensitive.
+   * BUG 14848: Release LDB 2.3.1 for Samba 4.14.9.
+   * BUG 14868: rodc_rwdc test flaps.
+   * BUG 14871: Fix Samba support for UF_NO_AUTH_DATA_REQUIRED.
+   * BUG 14874: Allow special chars like "@" in samAccountName when generating
+ the salt.
+   * BUG 14881: Backport bronze bit fixes, tests, and selftest improvements.
+
+o  Nicolas Williams 
+   * BUG 14642: Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze
+ bit' S4U2Proxy Constrained Delegation bypass in Samba with
+ embedded Heimdal.
+   * BUG 14881: 
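
Review bot: The opening paragraph of these notes calls 4.13.13 "the latest stable release" although the change list carries an entry marked [SECURITY] (BUG 14642, MS CVE-2020-17049 'Bronze bit') and "BUG 12998: Fix transit path validation", which the branch log on this page lists under the subject "HEIMDAL:kdc: Fix transit path validation CVE-2017-6594". Suggest saying in the opening paragraph that the release contains security fixes and adding the CVE ID to the BUG 12998 line, so that anyone triaging by CVE finds both. Separately, "BUG 14848: Release LDB 2.3.1 for Samba 4.14.9." reads as copied from the 4.14 notes: the release commit on this branch is "ldb: Release ldb 2.2.1", so the entry should name the ldb version released for 4.13.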

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  74e65d7c06c ldb: Release ldb 2.2.1
   via  c532b425e73 pyldb: Make ldb.Message containment testing consistent 
with indexing
   via  64c41d30986 pyldb: Add tests for ldb.Message containment testing
   via  65f3e987675 pyldb: Raise TypeError for an invalid ldb.Message index
   via  4ff0a23a04b pyldb: Add test for an invalid ldb.Message index type
   via  f45e89e4326 s4/torture/drs/python: Fix attribute existence check
   via  4d1c5cc73b0 pyldb: Fix deleting an ldb.Control critical flag
   via  5e9441d55f6 pytest:segfault: Add test for deleting an ldb.Control 
critical flag
   via  a2e0682d928 pyldb: Fix deleting an ldb.Message dn
   via  d2189833c7e pytest:segfault: Add test for deleting an ldb.Message dn
   via  c7c10298973 Fix Python docstrings
   via  0c36416e319 pyldb: Avoid use-after-free in msg_diff()
   via  400d04533ab ldb_msg: Don't fail in ldb_msg_copy() if source DN is 
NULL
   via  f47f0f9f459 pytest:segfault: Add test for ldb.msg_diff()
  from  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 74e65d7c06c5eda79105f43d87efcaec09dfbb77
Author: Andrew Bartlett 
Date:   Mon Oct 4 21:57:25 2021 +1300

ldb: Release ldb 2.2.1

* Corrected python behaviour for 'in' for LDAP attributes
  contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-14-test): Stefan Metzmacher 
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184

commit c532b425e739a5a6860e37fd616dc5293cea0f37
Author: Joseph Sutton 
Date:   Sat Sep 25 14:39:59 2021 +1200

pyldb: Make ldb.Message containment testing consistent with indexing

Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.

Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)

commit 64c41d30986a34b3311bc03ffce9a8856c7f4f18
Author: Joseph Sutton 
Date:   Sat Sep 25 13:48:57 2021 +1200

pyldb: Add tests for ldb.Message containment testing

These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)

commit 65f3e987675d378afd7df4445d04c86d83cde853
Author: Joseph Sutton 
Date:   Sat Sep 25 13:39:56 2021 +1200

pyldb: Raise TypeError for an invalid ldb.Message index

Previously, a TypeError was raised and subsequently overridden by a
KeyError.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)

commit 4ff0a23a04b230bab3454cf88d317304df2cb5cb
Author: Joseph Sutton 
Date:   Sat Sep 25 13:22:05 2021 +1200

pyldb: Add test for an invalid ldb.Message index type

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)

commit f45e89e432644b5c569808f29d27a537e07f
Author: Joseph Sutton 
Date:   Sat Sep 25 19:18:39 2021 +1200

s4/torture/drs/python: Fix attribute existence check

BUG: 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-28 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code
   via  274f16103f6 dsdb: Allow special chars like "@" in samAccountName 
when generating the salt
   via  ae6d74c9ef8 tests/krb5: Add tests for account salt calculation
   via  d3b491c3116 tests/krb5: Fix account salt calculation to match 
Windows
   via  a742af325f9 tests/krb5: Allow specifying the UPN for test accounts
   via  3f376eeaa88 tests/krb5: Allow creating machine accounts without a 
trailing dollar
   via  a2a173d70ad tests/krb5: Allow specifying prefix or suffix for test 
account names
   via  4056198f4c9 tests/krb5: Decrease length of test account prefix
   via  89b9cb8b786 selftest/Samba3: replace (winbindd => "yes", skip_wait 
=> 1) with (winbindd => "offline")
   via  88f824aeb3f selftest/Samba3: remove unused close(USERMAP); calls
   via  c9e54bbe242 waf: Allow building with MIT KRB5 >= 1.20
   via  f01e4e19cf6 selftest: Improve error handling and perl style when 
setting up users in Samba4.pm
   via  2bf0e4224f8 selftest: Remove duplicate setup of $base_dn and 
$ldbmodify
   via  38ebe186f42 selftest: krb5 account creation: clarify account type 
as an enum
   via  18bce6fc477 pytest: dynamic tests optionally add __doc__
   via  a64c25ff097 selftest: Increase account lockout windows to make test 
more realiable
   via  a203de48197 pytest/rodc_rwdc: try to avoid race.
   via  f7d6826afea HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
   via  e9b12d2def9 tests/krb5: Add tests for constrained delegation to 
NO_AUTH_DATA_REQUIRED service
   via  999208d3afa tests/krb5: Ensure PAC is not present if expect_pac is 
false
   via  3eb78cd43b6 kdc: Correctly strip PAC, rather than error on 
UF_NO_AUTH_DATA_REQUIRED for servers
   via  106dc4a0492 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client 
principals
   via  fa32948c1d1 tests/krb5: Add tests for requesting a service ticket 
without a PAC
   via  473278c1301 tests/krb5: Add method to get the PAC from a ticket
   via  033249c56e1 tests/krb5: Allow specifying whether to expect a PAC 
with _test_as_exchange()
   via  33537398392 tests/krb5: Allow get_tgt() to request including or 
omitting a PAC
   via  543478fe985 heimdal:kdc: Fix ticket signing without a PAC
   via  4ff8af7d54d selftest/dbcheck: Fix up RODC one-way links (use 
correct dbcheck rule)
   via  cb044703b29 krb5: Fix PAC signature leak affecting KDC
   via  5919475dc90 s4:kdc: Check ticket signature
   via  9d3419c3068 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a 
global function
   via  6fbde548803 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match 
Windows
   via  e5ca4a51c80 kdc: correctly generate PAC TGS signature
   via  61fb0ba82c6 kdc: use ticket client name when signing PAC
   via  58bc0a4b7f1 kdc: only set HDB_F_GET_KRBTGT when requesting TGS 
principal
   via  49bcbcbb4d6 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum 
fails
   via  c73825d0b01 krb5: rework PAC validation loop
   via  c17bfba3001 krb5: allow NULL parameter to krb5_pac_free()
   via  4114e57a371 kdc: sign ticket using Windows PAC
   via  ff31503bd41 kdc: remove KRB5SignedPath, to be replaced with PAC
   via  6afc41b262e s4/torture: Expect ticket checksum PAC buffer
   via  1486a8a04b0 s4:kdc: Fix debugging messages
   via  8b363a630e5 s4:kdc: Simplify samba_kdc_update_pac_blob() to take 
ldb_context as parameter
   via  0e53c4353a2 tests/krb5: Fix duplicate account creation
   via  f3c36a06998 tests/krb5: Allow bypassing cache when creating accounts
   via  8b947965d4f tests/krb5: Don't include empty AD-IF-RELEVANT
   via  2373c1ac1ef tests/krb5: Add constrained delegation tests
   via  61ec92dc096 tests/krb5: Verify tickets obtained with 
get_service_ticket()
   via  6a1549a4955 tests/krb5: Require ticket checksums if decryption key 
is available
   via  91faad4ef6b tests/krb5: Add TKT_SIG_SUPPORT environment variable
   via  518e990f496 selftest/dbcheck: Fix up RODC one-way links
   via  1ca795a0cb9 tests/krb5: Fix sha1 checksum type
   via  2c6b918ab92 tests/krb5: Provide clearer assertion messages for test 
failures
   via  d46f0d1793b tests/krb5: Disable debugging output for tests
   via  90d58c72bd7 tests/krb5: Simplify padata checking
   via  b08fd85bcb2 tests/krb5: Check logon name in PAC
   via  07ace448a5c tests/krb5: Check padata types when STRICT_CHECKING=0
   via  54fb144fe9a tests/krb5: Add environment variable to specify KDC 
FAST support
   via  8ee28d96b29 tests/krb5: Fix padata checking at functional level 2003
   via  d82e7716f48 tests/krb5: Clarify checksum type assertion message
   via  07e242da411 tests/krb5: Use correct principal name type
   via  5f72fd098f0 tests/krb5: Add compatability tests 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-10-25 Thread Jule Anger
The branch, v4-13-test has been updated
   via  b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a 
missing sname
   via  7a2a6e0bcb0 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing 
field
   via  1e27b45f49c tests/krb5: Allow expected_error_mode to be a container 
type
   via  57800189c5f tests/krb5: Allow specifying parameters specific to the 
inner FAST request body
   via  b5e11c10966 tests/krb5: Add tests for omitting sname in request
   via  cabc5b114dc tests/krb5: Check PADATA-PW-SALT element in e-data
   via  8a8872f7070 tests/krb5: Check e-data element for TGS-REP errors 
without FAST
   via  bd76f6d47e7 tests/krb5: Remove harmful and a-typical return in 
as_req testcase
   via  d3a611377bd CVE-2021-3671 tests/krb5: Add tests for omitting sname 
in outer request
   via  a67cda7159f CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
   via  95de6d138ad tests/krb5: Make cname checking less strict
   via  497b461238b tests/krb5: Make e-data checking less strict
   via  17c7bc10695 selftest: Remove knownfail for no_etypes FAST tests
   via  27e964233a5 tests/krb5: Add FAST tests
   via  576e5ca2e9c initial FAST tests
   via  e7e79028093 tests/krb5: Check PADATA-FX-ERROR in reply
   via  1fd611e9e7f tests/krb5: Allow generic_check_kdc_error() to check 
inner FAST errors
   via  83073237a95 tests/krb5: Check PADATA-PAC-OPTIONS in reply
   via  48199d18cc9 tests/krb5: Make generic_check_kdc_error() also work 
for checking TGS replies
   via  8fa99e31658 tests/krb5: Make check_rep_padata() also work for 
checking TGS replies
   via  e1c4d715a61 tests/krb5: Check PADATA-FX-COOKIE in reply
   via  2391eabfcf2 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
   via  40da4ffbf18 tests/krb5: Adjust reply padata checking depending on 
whether FAST was sent
   via  0febff53f38 tests/krb5: Check reply FAST padata if request included 
FAST
   via  ee892faca94 tests/krb5: Check sname is krbtgt for FAST generic error
   via  2356b4d9b75 tests/krb5: Add get_krbtgt_sname() method
   via  be4977249bc tests/krb5: Remove unused variables
   via  fef9198aafc tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a 
non-error reply
   via  087cf5f9504 tests/krb5: Add check_rep_padata() method to check 
padata in reply
   via  efe112dfa56 tests/krb5: Add generate_simple_fast() method to 
generate FX-FAST padata
   via  bef5024da8c tests/krb5: Include authdata in kdc_exchange_dict
   via  8eaa8e10383 tests/krb5: Add expected_cname_private parameter to 
kdc_exchange_dict
   via  8a3b41f0483 tests/krb5: Check encrypted-pa-data
   via  701e5c98399 tests/krb5: Add methods to determine whether elements 
were included in the request
   via  64b5183a776 tests/krb5: Add functions to get dicts of request padata
   via  cedfc67ede4 tests/krb5: Check FAST response
   via  5d39d4b36e8 tests/krb5: Add method to verify ticket checksum for 
FAST
   via  b551c801193 tests/krb5: Add method to check PA-FX-FAST-REPLY
   via  de8fbf93111 tests/krb5: Allow specifying parameters specific to the 
outer request body
   via  3be408a3a83 tests/krb5: Add FAST armor generation to 
_generic_kdc_exchange()
   via  52eb693ac31 tests/krb5: Modify generate_ap_req() to also generate 
FAST armor AP-REQ
   via  25b6681c3cd tests/krb5: Include authenticator_subkey in AS-REQ 
exchange dict
   via  a57e79c5fce tests/krb5: Rename generic_check_as_error() to 
generic_check_kdc_error()
   via  6264ed42420 tests/krb5: Add methods to calculate keys for FAST
   via  b7562c873e8 tests/krb5: Add method to generate FAST encrypted 
challenge padata
   via  0e33a06673b tests/krb5: Add more methods to create ASN1 objects for 
FAST
   via  dbeafd158a4 tests/krb5: Add more ASN1 definitions for FAST
   via  1ce82cbc9d6 tests/krb5: Generate AP-REQ for TGS request in 
_generic_kdc_exchange()
   via  04a6c902ede tests/krb5: Ensure generated padata is not None
   via  a9e421c4bfa tests/krb5: Add generate_ap_req() method
   via  d9f406518ca tests/krb5: Check nonce in EncKDCRepPart
   via  d81a88a78f4 tests/krb5: Make checking less strict
   via  ee9b0a028c2 tests/krb5: Check version number of obtained ticket
   via  1e451d724b0 tests/krb5: Assert that more variables are not None
   via  db6495a2377 tests/krb5: Ensure in assertElementPresent() that 
container elements are not empty
   via  81408702949 tests/krb5: Only allow specifying one of check_rep_fn 
and check_error_fn
   via  cc1f6fcddbc tests/krb5: Include kdc_options in kdc_exchange_dict
   via  d82d3a20d32 tests/krb5: Always specify expected error code
   via  235873ff334 tests/krb5: Add check_reply() method to check for AS or 
TGS reply
   via  dcd9320cd9c tests/krb5: Add method to calculate account salt
   via  afcf48e752c tests/krb5: Add more methods for 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-09-22 Thread Jule Anger
The branch, v4-13-test has been updated
   via  2b97c11bca6 VERSION: Bump version up to Samba 4.13.13...
   via  aa756f3f9fc VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.
   via  4703acc82c8 WHATSNEW: Add release notes for Samba 4.13.12.
  from  b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a 
missing sname

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 2b97c11bca667e40dd84c36de42cb057dead12ae
Author: Jule Anger 
Date:   Wed Sep 22 08:57:14 2021 +0200

VERSION: Bump version up to Samba 4.13.13...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit aa756f3f9fc88bbd10c6a3a7c1827ca09a669714
Author: Jule Anger 
Date:   Wed Sep 22 08:56:40 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.12 release.

Signed-off-by: Jule Anger 

commit 4703acc82c8840fefbbee62f4485355e48b1d699
Author: Jule Anger 
Date:   Wed Sep 22 08:56:02 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.12.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 81 ++--
 2 files changed, 80 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ee13bf3ceef..c65285cf4cd 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4b33797845e..820185349ef 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,81 @@
+   ===
+   Release Notes for Samba 4.13.12
+ September 22, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.11
+-
+
+o  Andrew Bartlett 
+   * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 
since
+ Samba 4.9 by using an explicit database handle cache.
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+   * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o  Björn Baumbach 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ
+
+o  Luke Howard 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o  Volker Lendecke 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o  Gary Lockyer 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o  Stefan Metzmacher 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o  Andreas Schneider 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o  Martin Schwenke 
+   * BUG 14784: Fix CTDB flag/status update race conditions.
+
+o  Joseph Sutton 
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
===
Release Notes for Samba 4.13.11
  September 07, 2021
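
Review bot: The BUG 14817 entries describe a crash of the AD DC KDC that needs no authentication, but neither the opening paragraph nor the entries flag it as a security fix or give a CVE ID. The branch log on this page lists "CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ"; if that is the fix for this bug, the ID belongs on the BUG 14817 line. The same entries misspell "unauthenticated" as "unuthenticated" in every copy, BUG 14806 has "signifcant", and the Björn Baumbach entry lacks the final full stop the other copies have.
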
@@ -49,8 +127,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-09-13 Thread Jule Anger
The branch, v4-13-test has been updated
   via  cea68cbf537 ctdb-daemon: Don't mark a node as unhealthy when 
connecting to it
   via  479fc4fee0c ctdb-daemon: Ignore flag changes for disconnected nodes
   via  cc3ce341ee1 ctdb-daemon: Simplify ctdb_control_modflags()
   via  3ab6be4f7bc ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
   via  7c4daa7ffa0 ctdb-daemon: Don't bother sending 
CTDB_SRVID_SET_NODE_FLAGS
   via  c4d7ed5eac4 ctdb-daemon: Modernise remaining debug macro in this 
function
   via  3d2313dc906 ctdb-daemon: Update logging for flag changes
   via  85372296a7e ctdb-daemon: Correct the condition for logging 
unchanged flags
   via  c89f30810d3 ctdb-tools: Use disable and enable controls in tool
   via  75b8b5de3e8 ctdb-client: Add client code for disable/enable controls
   via  ce58aefb4ee ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
   via  7aac8fd9e5e ctdb-daemon: Start as disabled means 
PERMANENTLY_DISABLED
   via  65f9b5520d2 ctdb-daemon: Factor out a function to get node 
structure from PNN
   via  e3578ea22cb ctdb-daemon: Add a helper variable
   via  3d797b570b0 ctdb-protocol: Add marshalling for controls 
DISABLE_NODE/ENABLE_NODE
   via  ac8bbe2d0ae ctdb-protocol: Add new controls to disable and enable 
nodes
   via  74aa5b204e2 ctdb-recoverd: Push flags for a node if any remote node 
disagrees
   via  e93c885426d ctdb-recoverd: Update the local node map before pushing 
out flags
   via  76f8dffb527 ctdb-recoverd: Add a helper variable
  from  4ada6c24a5c selftest: Add prefix to new schema attributes to avoid 
flapping dsdb_schema_attributes

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit cea68cbf537b6d44eb199126dc2ccf97fd3fff55
Author: Martin Schwenke 
Date:   Fri Jul 9 17:25:32 2021 +1000

ctdb-daemon: Don't mark a node as unhealthy when connecting to it

Remote nodes are already initialised as UNHEALTHY when the node list
is initialised at startup (ctdb_load_nodes_file() calls
convert_node_map_to_list()) and when disconnected (ctdb_node_dead()).
So, drop this code.

RN: Fix CTDB flag/status update race conditions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

Autobuild-User(master): Amitay Isaacs 
Autobuild-Date(master): Thu Sep  9 02:38:34 UTC 2021 on sn-devel-184

(cherry picked from commit 9e7d2d9794af7251c42cb22f23ee9f86c6ea05c1)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Mon Sep 13 14:13:00 UTC 2021 on sn-devel-184

commit 479fc4fee0c78dd8e6fcab929480d08ec5ccfba2
Author: Martin Schwenke 
Date:   Tue Jul 27 15:50:54 2021 +1000

ctdb-daemon: Ignore flag changes for disconnected nodes

If this node is not connected to a node then we shouldn't know
anything about it.  The state will be pushed later by the recovery
master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke 
Signed-off-by: Amitay Isaacs 
(cherry picked from commit 7f697b1938efb3972f03f25546bf807d5af9a26c)

commit cc3ce341ee17d46bc8461b8628641d9f7c0c033c
Author: Martin Schwenke 
Date:   Thu Jul 8 11:11:11 2021 +1000

ctdb-daemon: Simplify ctdb_control_modflags()

Now that there are separate disable/enable controls used by the ctdb
tool this control can ignore any flag updates for the current nodes.
These only come from the recovery master, which depends on being able
to fetch flags for all nodes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit ae10a8a4b70e53ea3be6257d1f86f2d9a56aa62a)

commit 3ab6be4f7bc672c719ea6891736ecc6448bab1be
Author: Martin Schwenke 
Date:   Wed Jan 17 19:04:34 2018 +1100

ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete

CTDB_SRVID_SET_NODE_FLAGS is no longer sent so drop monitor_handler()
and replace with srvid_not_implemented().  Mark the SRVID obsolete in
its comment.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14784
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 916c5ee131dc5c7f1d9c3540147d1f915c8302ad)

commit 7c4daa7ffa05c2fb6ef710ba107cdb47a0e57811
Author: Martin Schwenke 
Date:   Thu Jul 8 11:32:20 2021 +1000

ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS

The code that handles this message is
ctdb_recoverd.c:monitor_handler().  Although it appears to do
something potentially useful, it only logs the flags changes.  All
changes made are to local structures - there are no actual
side-effects.

It used to trigger a takeover run when the DISABLED flag changed.
This was 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-09-10 Thread Jule Anger
The branch, v4-13-test has been updated
   via  4ada6c24a5c selftest: Add prefix to new schema attributes to avoid 
flapping dsdb_schema_attributes
   via  33ef89475b0 s4-lsa: Cache sam.ldb handle in 
lsa_LookupSids3/LookupNames4
   via  be4f4f4f594 selftest: Add a test for LookupSids3 and LookupNames4 
in python
   via  02c40fd92dc dsdb: Be careful to avoid use of the expensive 
talloc_is_parent()
   via  49a15402f4d selftest: Only run samba_tool_drs_showrepl test once
   via  a69c7cb30fd selftest: Split up targets for samba_tool_drs from 
samba_tool_drs_showrepl
  from  a7fe21a0d66 VERSION: Bump version up to Samba 4.13.12...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 4ada6c24a5c3c9f0924f90fc11747cd0969f
Author: Andrew Bartlett 
Date:   Mon Sep 6 08:52:21 2021 +1200

selftest: Add prefix to new schema attributes to avoid flapping 
dsdb_schema_attributes

If two of these unit tests run in the same second they could
select the same name, as the name was only based on the time
and a common prefix.

As observed by Jeremy Allison.  Thanks for the report!

RN: Address flapping dsdb_schema_attributes test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Sep  6 02:32:51 UTC 2021 on sn-devel-184

(cherry picked from commit 6590bb0b77c641f0d4686b39c713c1405ffb64f5)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Fri Sep 10 15:09:48 UTC 2021 on sn-devel-184

commit 33ef89475b09dcdbbad2048c47961a95eb2f1558
Author: Andrew Bartlett 
Date:   Wed Aug 25 12:03:08 2021 +1200

s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4

Since 5c0345ea9bb34695dcd7be6c913748323bebe937 this
would not have been implicitly cached via the ldb_wrap
cache, due to the recording of the remote IP address
(which is a good thing).

This creates a more explicit and direct correct
cache on the connection.

The common code, including the SCHANNEL check is
placed into a helper function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

RN: Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 
4.9 by using an explicit database handle cache

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Sun Sep  5 03:19:26 UTC 2021 on sn-devel-184

(cherry picked from commit ae57d22e45b33537e9fca5969e9b68abd1ad633f)

commit be4f4f4f5942ee1f762e6645e42916f3f6fc7ad6
Author: Andrew Bartlett 
Date:   Wed Aug 25 09:54:04 2021 +

selftest: Add a test for LookupSids3 and LookupNames4 in python

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 
(cherry picked from commit b40761b42e889369599c5eb355028ba377c43b49)

commit 02c40fd92dcd7224228dc232d5fdf0738d313a36
Author: Andrew Bartlett 
Date:   Wed Aug 25 09:41:11 2021 +1200

dsdb: Be careful to avoid use of the expensive talloc_is_parent()

The wrong talloc API was selected while addressing a memory leak.

commit ee2fe56ba0ef6626b634376e8dc2185aa89f8c99
Author: Aaron Haslett 
Date:   Tue Nov 27 11:07:44 2018 +1300

drepl: memory leak fix

Fixes a memory leak where schema reference attached to ldb
instance is lost before it can be freed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14042

Signed-off-by: Aaron Haslett 

Reviewed-by: Andrew Bartlett 
Reviewed-by: Garming Sam 

Autobuild-User(master): Garming Sam 
Autobuild-Date(master): Wed Jul 17 06:17:10 UTC 2019 on sn-devel-184

By using talloc_get_parent() walking the entire talloc tree is
avoided.

RN: Address a significant performance regression in database access in the
AD DC since Samba 4.12

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14806

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 8affe4a1e625104de4ca024fdc3e9cd96498aff3)

commit 49a15402f4d2fe36405ad9507d1d84757bb8a876
Author: Andrew Bartlett 
Date:   Sat Sep 4 13:11:08 2021 +1200

selftest: Only run samba_tool_drs_showrepl test once

This test is not slow, but there is no value running it twice.

Running this test twice just increases the chances we might
lose a race as it shows and validates live replication data.

Signed-off-by: Andrew Bartlett 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 75a5ed66731e947fa16af81aab7649d1fddec45f)

commit 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-09-07 Thread Jule Anger
The branch, v4-13-test has been updated
   via  a7fe21a0d66 VERSION: Bump version up to Samba 4.13.12...
   via  2119f9f9f66 VERSION: Disable GIT_SNAPSHOT for the 4.13.11 release.
   via  14acad25bd2 WHATSNEW: Add release notes for Samba 4.13.11.
  from  20ef0b16ed3 registry: check for running as root in clustering mode

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit a7fe21a0d666ec33108cb1507bfd491e21b6e019
Author: Jule Anger 
Date:   Tue Sep 7 08:54:06 2021 +0200

VERSION: Bump version up to Samba 4.13.12...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger 

commit 2119f9f9f66b66ae07fb6dea84c74f5b8b735880
Author: Jule Anger 
Date:   Tue Sep 7 08:52:16 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.11 release.

Signed-off-by: Jule Anger 

commit 14acad25bd2fa7f8b44e17c0c8ea770da099ce69
Author: Jule Anger 
Date:   Tue Sep 7 08:50:15 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.11.

Signed-off-by: Jule Anger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 58 --
 2 files changed, 57 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 49a0d6e775a..ee13bf3ceef 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c141d32b62e..4b33797845e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+   ===
+   Release Notes for Samba 4.13.11
+ September 07, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.10
+-
+
+o  Jeremy Allison 
+   * BUG 14769: smbd panic on force-close share during offload write.
+
+o  Ralph Boehme 
+   * BUG 14731: Fix returned attributes on fake quota file handle and avoid
+ hitting the VFS.
+   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
+   * BUG 14787: net conf list crashes when run as normal user.
+
+o  Stefan Metzmacher 
+   * BUG 14607: Work around special SMB2 READ response behavior of NetApp Ontap
+ 7.3.7.
+   * BUG 14793: Start the SMB encryption as soon as possible.
+
+o  Andreas Schneider 
+   * BUG 14792: Winbind should not start if the socket path for the privileged
+ pipe is too long.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
===
Release Notes for Samba 4.13.10
 July 14, 2021
@@ -61,8 +116,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
 
 
==


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-09-06 Thread Jule Anger
The branch, v4-13-test has been updated
   via  20ef0b16ed3 registry: check for running as root in clustering mode
   via  16fc7a12aca s3/lib/dbwrap: check if global_messaging_context() 
succeeded
  from  6be92d44bb7 s3/rpc_server: track the number of policy handles with 
a talloc destructor

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 20ef0b16ed365e0dc499bd11231a627af7a0f0e2
Author: Ralph Boehme 
Date:   Sat Aug 7 10:52:28 2021 +

registry: check for running as root in clustering mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787
RN:  net conf list crashes when run as normal user

Signed-off-by: Ralph Boehme 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Tue Aug 17 11:23:15 UTC 2021 on sn-devel-184

(cherry picked from commit 4809f4a6ee971bcd9767839c729b636b7582fc02)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Mon Sep  6 10:16:27 UTC 2021 on sn-devel-184

commit 16fc7a12aca6ecba72d42a86d07739a80cf7a16e
Author: Ralph Boehme 
Date:   Sat Aug 7 10:51:38 2021 +

s3/lib/dbwrap: check if global_messaging_context() succeeded

The subsequent messaging_ctdb_connection() will fail an assert if messaging is
not up and running, maybe it's a bit better to add a check if
global_messaging_context() actually succeeded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14787

Signed-off-by: Ralph Boehme 
Reviewed-by: Andreas Schneider 
(cherry picked from commit fd19cae8d2f21977d8285efd3f29e2b480d241e9)

---

Summary of changes:
 source3/lib/dbwrap/dbwrap_open.c  | 4 
 source3/registry/reg_backend_db.c | 9 +
 2 files changed, 13 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
index e67341607a4..2c6ce3b7104 100644
--- a/source3/lib/dbwrap/dbwrap_open.c
+++ b/source3/lib/dbwrap/dbwrap_open.c
@@ -149,6 +149,10 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
 * to be initialized.
 */
msg_ctx = global_messaging_context();
+   if (msg_ctx == NULL) {
+   DBG_ERR("Failed to initialize messaging\n");
+   return NULL;
+   }
 
conn = messaging_ctdb_connection();
if (conn == NULL) {
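Review bot: the new `msg_ctx == NULL` branch logs only "Failed to initialize messaging", which gives an operator no hint about the cause. The regdb_init() change in this same push names the usual one (clustered Samba needs root to talk to ctdb); consider mentioning that here too, or logging the effective uid. In the visible lines msg_ctx is not used after the check, so a short comment that the call exists only to make sure messaging is up before messaging_ctdb_connection() would also help.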
diff --git a/source3/registry/reg_backend_db.c 
b/source3/registry/reg_backend_db.c
index c870dc57ed6..423b310fe8a 100644
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -733,6 +733,15 @@ WERROR regdb_init(void)
return WERR_OK;
}
 
+/*
+ * Clustered Samba can only work as root because we need messaging to
+ * talk to ctdb which only works as root.
+ */
+if (lp_clustering() && geteuid() != 0) {
+DBG_ERR("Cluster mode requires running as root.\n");
+   return WERR_ACCESS_DENIED;
+}
+
db_path = state_path(talloc_tos(), "registry.tdb");
if (db_path == NULL) {
return WERR_NOT_ENOUGH_MEMORY;
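Review bot: the `lp_clustering() && geteuid() != 0` check added to regdb_init() protects registry users only. Any other caller that opens a clustered database as non-root still reaches db_open() and gets the generic NULL return added in dbwrap_open.c. If the rule is that clustered mode needs root for messaging, enforcing it once next to the messaging setup would give every caller the same clear diagnosis instead of one check per backend.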


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-08-27 Thread Jule Anger
The branch, v4-13-test has been updated
   via  6be92d44bb7 s3/rpc_server: track the number of policy handles with 
a talloc destructor
   via  f25f3118593 selftest: add a test for the "deadtime" parameter
  from  23ce76e94e8 s3:libsmb: start encryption as soon as possible after 
the session setup

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6be92d44bb7a7fbfb524b75102e562a5dccff6ae
Author: Ralph Boehme 
Date:   Mon Aug 9 15:12:31 2021 +0200

s3/rpc_server: track the number of policy handles with a talloc destructor

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783
RN: smbd "deadtime" parameter doesn't work anymore

Signed-off-by: Ralph Boehme 
Reviewed-by: Samuel Cabrero 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Aug 10 18:41:43 UTC 2021 on sn-devel-184

(cherry picked from commit 45a33b25c4e6b1db5d2dfa6297ccb390220a7c80)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Fri Aug 27 08:41:19 UTC 2021 on sn-devel-184

commit f25f3118593dbf35553c3e9b7ae15483b8155d22
Author: Ralph Boehme 
Date:   Mon Aug 9 12:31:07 2021 +0200

selftest: add a test for the "deadtime" parameter

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14783

Signed-off-by: Ralph Boehme 
Reviewed-by: Samuel Cabrero 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 39db53a1391769fc6476fa55b02add08f1b8cd75)

---

Summary of changes:
 source3/rpc_server/rpc_handles.c  | 20 +--
 source3/script/tests/test_deadtime.sh | 67 +++
 source3/selftest/tests.py |  4 +++
 3 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100755 source3/script/tests/test_deadtime.sh


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index bcf8f240f63..7e7a40079cc 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -103,18 +103,36 @@ size_t num_pipe_handles(void)
   data_ptr is TALLOC_FREE()'ed
 /
 
+struct hnd_cnt {
+   bool _dummy;
+};
+
+static int hnd_cnt_destructor(struct hnd_cnt *cnt)
+{
+   num_handles--;
+   return 0;
+}
+
 bool create_policy_hnd(struct pipes_struct *p,
   struct policy_handle *hnd,
   uint8_t handle_type,
   void *data_ptr)
 {
struct dcesrv_handle *rpc_hnd = NULL;
+   struct hnd_cnt *cnt = NULL;
 
rpc_hnd = dcesrv_handle_create(p->dce_call, handle_type);
if (rpc_hnd == NULL) {
return false;
}
 
+   cnt = talloc_zero(rpc_hnd, struct hnd_cnt);
+   if (cnt == NULL) {
+   TALLOC_FREE(rpc_hnd);
+   return false;
+   }
+   talloc_set_destructor(cnt, hnd_cnt_destructor);
+
if (data_ptr != NULL) {
rpc_hnd->data = talloc_move(rpc_hnd, _ptr);
}
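Review bot: hnd_cnt_destructor() decrements num_handles, but the matching increment is outside this hunk, so the ordering cannot be checked from here. Please confirm that num_handles++ happens only after talloc_set_destructor(cnt, hnd_cnt_destructor) has run; if it happens earlier, the `cnt == NULL` path, which frees rpc_hnd and returns false, leaves the counter one too high. A one-line comment on struct hnd_cnt saying it exists only to carry the destructor (the `_dummy` member is never read) would help the next reader.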
@@ -204,8 +222,6 @@ bool close_policy_hnd(struct pipes_struct *p,
 
TALLOC_FREE(rpc_hnd);
 
-   num_handles--;
-
return true;
 }
 
diff --git a/source3/script/tests/test_deadtime.sh 
b/source3/script/tests/test_deadtime.sh
new file mode 100755
index 000..68703008f02
--- /dev/null
+++ b/source3/script/tests/test_deadtime.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+#
+# Test deadtime parameter
+#
+
+if [ $# -lt 1 ]; then
+echo Usage: test_deadtime.sh IP
+exit 1
+fi
+
+server=$1
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+. $incdir/common_test_fns.inc
+
+failed=0
+
+smbclient="$BINDIR/smbclient"
+smbcontrol="$BINDIR/smbcontrol"
+
+global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
+
+echo "deadtime = 1" > $global_inject_conf
+$smbcontrol smbd reload-config
+
+cd $SELFTEST_TMPDIR || exit 1
+
+# Create the smbclient communication pipes.
+rm -f smbclient-stdin smbclient-stdout smbclient-stderr
+mkfifo smbclient-stdin smbclient-stdout smbclient-stderr
+
+export CLI_FORCE_INTERACTIVE=1
+export SAMBA_DEPRECATED_SUPPRESS=1
+
+# This gets inherited by smbclient and is required to smbclient doesn't get
+# killed by an unhandled SIGPIPE when writing an SMB2 KEEPALIVE packet to the
+# connection fd that was already closed by the server.
+trap "" SIGPIPE
+
+$smbclient //$server/tmp -U${USER}%${PASSWORD} \
+< smbclient-stdin > smbclient-stdout 2>smbclient-stderr &
+client_pid=$!
+
+sleep 1
+
+exec 100>smbclient-stdin  101 $global_inject_conf
+$smbcontrol smbd reload-config
+
+rm -f smbclient-stdin smbclient-stdout smbclient-stderr
+
+testok $0 $failed
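Review bot: `cd $SELFTEST_TMPDIR || exit 1` runs after `echo "deadtime = 1" > $global_inject_conf` and the reload, so an early exit leaves the injected setting active for every later test against this smbd. Move the cd above the config write, or restore the file from a trap on EXIT. Two smaller points: `sleep 1` is the only synchronisation with the backgrounded smbclient, which is timing-dependent on a loaded host, and $global_inject_conf, $SELFTEST_TMPDIR and $0 are expanded unquoted.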
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 47e914b1009..90bda2052af 100755

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-08-26 Thread Jule Anger
The branch, v4-13-test has been updated
   via  23ce76e94e8 s3:libsmb: start encryption as soon as possible after 
the session setup
  from  7c9aabe2dd0 s3: smbd: For FSCTL calls that go async, add the 
outstanding tevent_reqs to the aio list on the file handle.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 23ce76e94e80954cc6d6c6395ceefb65cf926b92
Author: Stefan Metzmacher 
Date:   Wed Aug 11 14:33:24 2021 +0200

s3:libsmb: start encryption as soon as possible after the session setup

For the SMB1 UNIX CIFS extensions we create a temporary IPC$ tcon,
if there's no tcon yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 

(similar to commit 21302649c46441ea325c66457294225ddb1d6235)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Thu Aug 26 10:48:45 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/libsmb/clidfs.c | 44 ++--
 1 file changed, 34 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 3cc52cc5ac9..2a2509870e3 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -50,6 +50,7 @@ NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
uint16_t major, minor;
uint32_t caplow, caphigh;
NTSTATUS status;
+   bool temp_ipc = false;
 
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
status = smb2cli_session_encryption_on(c->smb2.session);
@@ -72,12 +73,26 @@ NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
return NT_STATUS_NOT_SUPPORTED;
}
 
+   if (c->smb1.tcon == NULL) {
+   status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
+   if (!NT_STATUS_IS_OK(status)) {
+   d_printf("Encryption required and "
+   "can't connect to IPC$ to check "
+   "UNIX CIFS extensions.\n");
+   return NT_STATUS_UNKNOWN_REVISION;
+   }
+   temp_ipc = true;
+   }
+
status = cli_unix_extensions_version(c, , , ,
 );
if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n");
+   if (temp_ipc) {
+   cli_tdis(c);
+   }
return NT_STATUS_UNKNOWN_REVISION;
}
 
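Review bot: when cli_tree_connect_creds(c, "IPC$", "IPC", creds) fails, the new block returns NT_STATUS_UNKNOWN_REVISION and drops the real status, so an access or network error on IPC$ reaches the caller as a version problem. Return `status` here, as the "setup failed with error %s" path further down does, and include nt_errstr(status) in the d_printf so the failure can be diagnosed.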
@@ -85,6 +100,9 @@ NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"share %s doesn't support "
"encryption.\n", sharename);
+   if (temp_ipc) {
+   cli_tdis(c);
+   }
return NT_STATUS_UNSUPPORTED_COMPRESSION;
}
 
@@ -93,9 +111,15 @@ NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"setup failed with error %s.\n",
nt_errstr(status));
+   if (temp_ipc) {
+   cli_tdis(c);
+   }
return status;
}
 
+   if (temp_ipc) {
+   cli_tdis(c);
+   }
return NT_STATUS_OK;
 }
 
@@ -221,6 +245,16 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
 
DEBUG(4,(" session setup ok\n"));
 
+   if (force_encrypt) {
+   status = cli_cm_force_encryption_creds(c,
+  creds,
+  sharename);
+   if (!NT_STATUS_IS_OK(status)) {
+   cli_shutdown(c);
+   return status;
+   }
+   }
+
/* here's the fun partto support 'msdfs proxy' shares
   (on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
   here before trying to connect to the original share.
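Review bot: with the call moved up to just after session setup, cli_cm_force_encryption_creds() runs before any tree connect to the share, yet it still takes sharename and prints "share %s doesn't support encryption". On the SMB1 path the capability is now checked over the temporary IPC$ tcon, so that message can name a share that was never contacted. Reword the message, or note in a comment here that sharename is used for diagnostics only. The reordering is also what lets the TRANS_GET_DFS_REFERRAL described in the comment below run after encryption is on, which deserves a sentence in that comment.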
@@ -246,16 +280,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
return status;
}
 
-   if (force_encrypt) {
-   status = cli_cm_force_encryption_creds(c,
-  creds,
-  sharename);
-   if (!NT_STATUS_IS_OK(status)) {
-   cli_shutdown(c);
-   return status;
-   }
-   }
-
DEBUG(4,(" tconx ok\n"));
*pcli = c;
return NT_STATUS_OK;


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-08-17 Thread Jule Anger
The branch, v4-13-test has been updated
   via  7c9aabe2dd0 s3: smbd: For FSCTL calls that go async, add the 
outstanding tevent_reqs to the aio list on the file handle.
  from  aa64f02ca94 configure: Do not put arguments into double quotes

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 7c9aabe2dd01e77442d95582f17037b006bac9dd
Author: Jeremy Allison 
Date:   Wed Aug 11 13:58:13 2021 -0700

s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to 
the aio list on the file handle.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14769
RN: smbd panic on force-close share during offload write

Back-ported from c013509680742ff45b2f5965a5564015da7d466b.

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Boehme 

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Tue Aug 17 10:30:21 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/smbd/smb2_ioctl.c | 15 +++
 1 file changed, 15 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c
index d29ff5d0303..3d65a96368c 100644
--- a/source3/smbd/smb2_ioctl.c
+++ b/source3/smbd/smb2_ioctl.c
@@ -230,6 +230,21 @@ NTSTATUS smbd_smb2_request_process_ioctl(struct 
smbd_smb2_request *req)
if (subreq == NULL) {
return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
}
+
+   /*
+* If the FSCTL has gone async on a file handle, remember
+* to add it to the list of async requests we need to wait
+* for on file handle close.
+*/
+   if (in_fsp != NULL && tevent_req_is_in_progress(subreq)) {
+   bool ok;
+
+   ok = aio_add_req_to_fsp(in_fsp, subreq);
+   if (!ok) {
+   return smbd_smb2_request_error(req, 
NT_STATUS_NO_MEMORY);
+   }
+   }
+
tevent_req_set_callback(subreq, smbd_smb2_request_ioctl_done, req);
 
return smbd_smb2_request_pending_queue(req, subreq, 1000);
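Review bot: on the `!ok` path after aio_add_req_to_fsp(in_fsp, subreq), the function returns NT_STATUS_NO_MEMORY while subreq is, by the condition just tested, still in progress and has no callback set yet. Nothing in the hunk frees or cancels it. Unless it is owned by something torn down together with req, add TALLOC_FREE(subreq) before the return so the async FSCTL cannot complete against a request that has already been failed.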


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-08-09 Thread Jule Anger
The branch, v4-13-test has been updated
   via  aa64f02ca94 configure: Do not put arguments into double quotes
  from  97c6d6fee8a smbd: return correct timestamps for quota fake file

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit aa64f02ca944be1a6e7baa552c602b005c8c7d86
Author: Andreas Schneider 
Date:   Mon Aug 2 17:43:01 2021 +0200

configure: Do not put arguments into double quotes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14777

This could create an issue that arguments don't get split by python and then the
following could happen:

./configure --libdir=/usr/lib64 --enable-clangdb

LIBDIR='/usr/lib64 --enable-clangdb'

This ends then up in parameters.all.xml:



The python parser then errors out:

xml.etree.ElementTree.ParseError: not well-formed (invalid token)

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Tue Aug  3 18:36:37 UTC 2021 on sn-devel-184

(cherry picked from commit e2962b4262fc4a7197a3fcbd010fcfaca781baea)

Autobuild-User(v4-13-test): Jule Anger 
Autobuild-Date(v4-13-test): Mon Aug  9 13:45:32 UTC 2021 on sn-devel-184

---

Summary of changes:
 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/configure b/configure
index a6ca50feb47..2b0ffb0dae1 100755
--- a/configure
+++ b/configure
@@ -13,5 +13,5 @@ export JOBS
 unset LD_PRELOAD
 
 cd . || exit 1
-$PYTHON $WAF configure "$@" || exit 1
+$PYTHON $WAF configure $@ || exit 1
 cd $PREVPATH
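Review bot: replacing "$@" with bare $@ makes the shell word-split and glob-expand every argument, so a legitimate value containing a space or a wildcard character, such as a --prefix path with a space in it, is now broken apart or expanded before waf sees it. The case in the commit message, where `--libdir=/usr/lib64 --enable-clangdb` ended up as a single LIBDIR value, suggests the caller passed two options as one word; fixing that caller and keeping "$@" would preserve argument boundaries for everyone else.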


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-07-14 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  6fa28f4eb3a VERSION: Bump version up to Samba 4.13.11...
   via  85bb95881bb VERSION: Disable GIT_SNAPSHOT for the 4.13.10 release.
   via  22882df5ac4 WHATSNEW: Add release notes for Samba 4.13.10.
  from  b9b1d98af4c smbXsrv_{open,session,tcon}: protect 
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6fa28f4eb3ad9d6040b6108d4db87103944dd6a4
Author: Karolin Seeger 
Date:   Wed Jul 14 08:31:55 2021 +0200

VERSION: Bump version up to Samba 4.13.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 85bb95881bbe6e3953fcbf80ee42208420d72f70
Author: Karolin Seeger 
Date:   Wed Jul 14 08:31:24 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.10 release.

Signed-off-by: Karolin Seeger 

commit 22882df5ac49a27a3563e71919a422afa30b7c45
Author: Karolin Seeger 
Date:   Wed Jul 14 08:30:52 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.10.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 70 ++--
 2 files changed, 69 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index addb12d75e0..49a0d6e775a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index da680c071d9..c141d32b62e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,70 @@
+   ===
+   Release Notes for Samba 4.13.10
+July 14, 2021
+   ===
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.9
+
+
+o  Jeremy Allison 
+   * BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
+ Windows ACL for directory handles.
+   * BUG 14721: Take a copy to make sure we don't reference free'd memory.
+   * BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
+   * BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
+ change_file_owner_to_parent() error path.
+
+o  Andrew Bartlett 
+   * BUG 14575: samba-tool: Give better error information when the
+ 'domain backup restore' fails with a duplicate SID.
+
+o  Ralph Boehme 
+   * BUG 14714: smbd: Correctly initialize close timestamp fields.
+   * BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
+
+o  Volker Lendecke 
+   * BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
+
+o  Stefan Metzmacher 
+   * BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
+   * BUG 14752: smbXsrv_{open,session,tcon}: Protect
+ smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
+
+o  Joseph Sutton 
+   * BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
+ backend.
+   * BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
+ restoring a backup.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
==
Release Notes for Samba 4.13.9
 May 11, 2021
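Review bot: in the BUG 14722 entry, "heirarcy" should read "hierarchy". The release notes are user-facing, so it is worth correcting here even though the commit subject carries the same spelling.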
@@ -61,8 +128,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
 
 
==


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-07-13 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  b9b1d98af4c smbXsrv_{open,session,tcon}: protect 
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records
   via  7065f203a9f gensec_krb5: restore ipv6 support for kpasswd
   via  82e0f3e7997 netcmd: Use next_free_rid() function to calculate a SID 
for restoring a backup
   via  e5c3a675464 python/tests/dsdb: Add tests for RID allocation 
functions
   via  afad2fd9e24 dsdb: Add next_free_rid() function to allocate a RID 
without modifying the database
   via  b3d59842fd9 netcmd: Add tests for performing an offline backup 
immediately after joining a domain
   via  00444ac64f5 netcmd: Ignore rIDUsedPool attribute in offline domain 
backup test
   via  445fb770c77 netcmd: Fix error-checking condition
   via  303a0ecdd9d netcmd: Avoid database corruption by opting not to 
create database files during an offline domain backup
   via  54c353e9ad6 netcmd: Determine which files are to be copied for an 
offline domain backup
   via  4a68b1cb2dc netcmd: Add test for an offline backup of nested 
directories
   via  6569d0b9967 netcmd: Add test for an offline backup of a directory 
containing hardlinks
   via  d0bde5703b2 samba-tool: Give better error information when the 
'domain backup restore' fails with a duplicate SID
   via  6e284db7877 samba-tool domain backup: Confirm the sidForRestore we 
will put into the backup is free
  from  b01c4526fef s3: smbd: Fix uninitialized memory read in 
process_symlink_open() when used with vfs_shadow_copy2().

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b9b1d98af4c7cd2326e12e1c3b734056663932d1
Author: Stefan Metzmacher 
Date:   Mon Jul 5 17:17:30 2021 +0200

smbXsrv_{open,session,tcon}: protect 
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records

I saw systems with locking.tdb records being part of:
  ctdb catdb smbXsrv_tcon_global.tdb

It's yet unknown how that happened, but we should not panic in srvsvc_*
calls because the info0 pointer was NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14752

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Jul  6 11:08:43 UTC 2021 on sn-devel-184

(cherry picked from commit 00bab5b3c821f272153a25ded9743460887a7907)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Jul 13 13:18:20 UTC 2021 on sn-devel-184

commit 7065f203a9fa0618e9a72043ec925eee7c7cdd01
Author: Stefan Metzmacher 
Date:   Fri Jul 2 09:37:25 2021 +0200

gensec_krb5: restore ipv6 support for kpasswd

We need to offer as much space as we have in order to
get the address out of tsocket_address_bsd_sockaddr().

This fixes a regression in commit
43c808f2ff907497dfff0988ff90a48fdcfc16ef.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14750

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 0388a8f33bdde49f1cc805a0291859203c1a52b4)

commit 82e0f3e79975ffdffd5afca77b6458a33488eff7
Author: Joseph Sutton 
Date:   Thu May 27 15:35:35 2021 +1200

netcmd: Use next_free_rid() function to calculate a SID for restoring a 
backup

This means we won't get errors if the DC doesn't have a rIDNextRID
attribute, but we will still error if there is no RID Set or if all its
pools are exhausted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit 59d293b60608172ae61551c642d13d3b215924e4)

commit e5c3a675464208bffad08a0e923406c9a2d4b0a5
Author: Joseph Sutton 
Date:   Mon May 24 16:46:28 2021 +1200

python/tests/dsdb: Add tests for RID allocation functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit 7c7cad81844950c3efe9a540a47b9d4e1ce1b2a1)

commit afad2fd9e2499f6ddacae9ddace22c81e9de7da0
Author: Joseph Sutton 
Date:   Mon May 24 12:59:59 2021 +1200

dsdb: Add next_free_rid() function to allocate a RID without modifying the 
database

If used to generate SIDs for objects, care should be taken, as the
possibility for having duplicate objectSIDs can arise.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14669

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit cc98e03e7a0f2bf7a1ace2950fe6500f53640c1b)

commit b3d59842fd99c8d72dbc6f65259efad05bd5d897
Author: Joseph Sutton 
Date:   Mon May 24 14:58:40 2021 +1200

netcmd: Add tests for performing 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-07-12 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  b01c4526fef s3: smbd: Fix uninitialized memory read in 
process_symlink_open() when used with vfs_shadow_copy2().
   via  a708c9b48a2 mdssvc: avoid direct filesystem access, use the VFS
   via  9f4e3da5eec mdssvc: chdir() to the conn of the RPC request
   via  7c924449b87 mdssvc: maintain a connection struct in the mds_ctx
   via  48b2dc3c5cc smbd: add create_conn_struct_cwd()
   via  60e091a153e smbd: pass tevent context to 
create_conn_struct_as_root()
   via  63ff1e37d55 mdssvc: pass messaging context to mds_init_ctx()
   via  dce4c5ed911 mdssvc: don't fail mds_add_result() if result is not 
found in CNID set
   via  0484804d9f6 mdssvc: use a helper variable in mds_add_result()
   via  b0746202c20 s3: smbd: Remove erroneous 
TALLOC_FREE(smb_fname_parent) in change_file_owner_to_parent() error path.
   via  0b75c272368 s3: lib: Fix talloc heirarcy error in 
parent_smb_fname().
  from  5d4bbaff8b6 smbd: correctly initialize close timestamp fields

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b01c4526fef64ac7458459111d0715434ca3f2a2
Author: Jeremy Allison 
Date:   Wed May 26 22:41:53 2021 -0700

s3: smbd: Fix uninitialized memory read in process_symlink_open() when used 
with vfs_shadow_copy2().

Valgrind trace follows.

==3627798== Invalid read of size 1
==3627798==at 0x483FF46: strlen (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==by 0x55DE412: strdup (strdup.c:41)
==3627798==by 0x4F4657E: smb_xstrdup (util.c:660)
==3627798==by 0x4C62C2E: vfs_ChDir (vfs.c:988)
==3627798==by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==by 0x4C48A00: filename_convert_internal (filename.c:2027)
==3627798==by 0x4C48B77: filename_convert (filename.c:2067)
==3627798==by 0x4C32408: call_trans2qfilepathinfo (trans2.c:6173)
==3627798==by 0x4C3C5DA: handle_trans2 (trans2.c:10143)
==3627798==  Address 0xda8bc90 is 96 bytes inside a block of size 217 free'd
==3627798==at 0x483DA3F: free (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==by 0x4FCA3C9: _tc_free_internal (talloc.c:1222)
==3627798==by 0x4FCA481: _talloc_free_internal (talloc.c:1248)
==3627798==by 0x4FCB825: _talloc_free (talloc.c:1792)
==3627798==by 0xDB248DD: store_cwd_data (vfs_shadow_copy2.c:1473)
==3627798==by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==  Block was alloc'd at
==3627798==at 0x483C7F3: malloc (in 
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==by 0x4FC9365: __talloc_with_prefix (talloc.c:783)
==3627798==by 0x4FC94FF: __talloc (talloc.c:825)
==3627798==by 0x4FCCFDC: __talloc_strlendup (talloc.c:2454)
==3627798==by 0x4FCD096: talloc_strdup (talloc.c:2470)
==3627798==by 0xDB24977: store_cwd_data (vfs_shadow_copy2.c:1476)
==3627798==by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==by 0x4C4A92D: non_widelink_open (open.c:755)
==3627798==by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==

Even though SMB_VFS_CONNECTPATH() returns a const char,
vfs_shadow_copy2() can free and reallocate this whilst
in use inside process_symlink_open().

Take a copy to make sure we don't reference free'd memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14721

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Böhme 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu May 27 17:25:43 UTC 2021 on sn-devel-184

(cherry picked from commit 2f0cfe82907516ecf23cc385d41b8d29ed6b8c96)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Jul 12 11:03:04 UTC 2021 on sn-devel-184

commit a708c9b48a212e5ccedf0f34e899bb0d565d77f6
Author: Ralph Boehme 
Date:   Mon May 10 12:34:32 2021 +0200

mdssvc: avoid direct filesystem access, use the VFS

This ensures 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-26 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  5d4bbaff8b6 smbd: correctly initialize close timestamp fields
   via  37233cbdf8f torture: add a test that verifies SMB2 close fields 
without postqueryattrib
  from  c67dbd55aad ctdb: Fix a crash in run_proc_signal_handler()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 5d4bbaff8b62504f20074c08bc8f07093a9f52cc
Author: Ralph Boehme 
Date:   Mon May 24 12:03:28 2021 +0200

smbd: correctly initialize close timestamp fields

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14714

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon May 24 16:56:22 UTC 2021 on sn-devel-184

(cherry picked from commit f96cc29711181b5237a5b92c4bfb5e75fe2a73b9)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed May 26 11:43:14 UTC 2021 on sn-devel-184

commit 37233cbdf8fc95cd63f24419d8516e303cff
Author: Ralph Boehme 
Date:   Mon May 24 12:21:38 2021 +0200

torture: add a test that verifies SMB2 close fields without postqueryattrib

The server must set all fields to 0 if postqueryattrib is not set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14714

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit ac9042ff4dc6c892764abd23a9445116ad40e62a)

---

Summary of changes:
 source3/smbd/smb2_close.c |  8 ++---
 source4/torture/smb2/timestamps.c | 65 +++
 2 files changed, 69 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_close.c b/source3/smbd/smb2_close.c
index a7f1eb7ae46..8ea84c3f0cf 100644
--- a/source3/smbd/smb2_close.c
+++ b/source3/smbd/smb2_close.c
@@ -215,10 +215,10 @@ static NTSTATUS smbd_smb2_close(struct smbd_smb2_request 
*req,
uint16_t flags = 0;
bool posix_open = false;
 
-   ZERO_STRUCTP(out_creation_ts);
-   ZERO_STRUCTP(out_last_access_ts);
-   ZERO_STRUCTP(out_last_write_ts);
-   ZERO_STRUCTP(out_change_ts);
+   *out_creation_ts = (struct timespec){0, SAMBA_UTIME_OMIT};
+   *out_last_access_ts = (struct timespec){0, SAMBA_UTIME_OMIT};
+   *out_last_write_ts = (struct timespec){0, SAMBA_UTIME_OMIT};
+   *out_change_ts = (struct timespec){0, SAMBA_UTIME_OMIT};
 
*out_flags = 0;
*out_allocation_size = 0;
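
Review bot: the four compound literals (struct timespec){0, SAMBA_UTIME_OMIT} use positional initializers, which only mean "omit" if tv_sec and tv_nsec are the first two members in that order; POSIX does not fix the member order of struct timespec and allows extra members. Designated initializers, (struct timespec){ .tv_nsec = SAMBA_UTIME_OMIT }, express the same value without that assumption. Since the same literal is repeated four times, one local constant assigned to all four outputs would also keep them from drifting apart in a later edit.
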
diff --git a/source4/torture/smb2/timestamps.c 
b/source4/torture/smb2/timestamps.c
index f0cc9c269ff..c37e81d2adc 100644
--- a/source4/torture/smb2/timestamps.c
+++ b/source4/torture/smb2/timestamps.c
@@ -29,6 +29,70 @@
 #define BASEDIR "smb2-timestamps"
 #define FNAME "testfile.dat"
 
+static bool test_close_no_attrib(struct torture_context *tctx,
+struct smb2_tree *tree)
+{
+   const char *filename = BASEDIR "/" FNAME;
+   struct smb2_create cr;
+   struct smb2_handle handle = {{0}};
+   struct smb2_handle testdirh = {{0}};
+   struct smb2_close c;
+   NTSTATUS status;
+   bool ret = true;
+
+   smb2_deltree(tree, BASEDIR);
+
+   status = torture_smb2_testdir(tree, BASEDIR, );
+   torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+   "torture_smb2_testdir failed\n");
+   smb2_util_close(tree, testdirh);
+
+   cr = (struct smb2_create) {
+   .in.desired_access = SEC_FLAG_MAXIMUM_ALLOWED,
+   .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+   .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+   .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+   .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+   .in.fname = filename,
+   };
+
+   status = smb2_create(tree, tctx, );
+   torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+   "smb2_create failed\n");
+   handle = cr.out.file.handle;
+
+   c = (struct smb2_close) {
+   .in.file.handle = handle,
+   };
+
+   status = smb2_close(tree, );
+   torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+   "close failed\n");
+   ZERO_STRUCT(handle);
+
+   torture_assert_u64_equal_goto(tctx, c.out.create_time, NTTIME_OMIT,
+ ret, done, "Unexpected create time\n");
+   torture_assert_u64_equal_goto(tctx, c.out.access_time, NTTIME_OMIT,
+ ret, done, "Unexpected access time\n");
+   torture_assert_u64_equal_goto(tctx, c.out.write_time, NTTIME_OMIT,
+ ret, done, "Unexpected write time\n");
+   torture_assert_u64_equal_goto(tctx, 
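
Review bot: the commit message says the server must set all fields to 0 when postqueryattrib is not set, but the checks in test_close_no_attrib() compare c.out.create_time, c.out.access_time and c.out.write_time against NTTIME_OMIT, and nothing in the test ties the two together. A one-line comment above the assertions stating what NTTIME_OMIT stands for on the wire would do it. The condition under test is also implicit: struct smb2_close c is set up with only .in.file.handle, so the absence of the flag comes from zero-initialisation, which deserves a comment where c is assigned. The hunk is cut off in this archive after the write_time check, so the remaining assertions and the done: cleanup cannot be reviewed here.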

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-25 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  c67dbd55aad ctdb: Fix a crash in run_proc_signal_handler()
   via  037f4b8fb9a ctdb: Introduce output before and after the 10-second 
timeout
   via  87265cef4b7 ctdb: Wait for SIGCHLD if script timed out
   via  e70a8cbdb4a ctdb: Introduce a helper variable in run_event_test.c
   via  5e55d2c0dcf ctdb: Call run_event_recv() in a callback function
   via  83511576a1c ctdb: fix typos
  from  abcddbae481 s3: smbd: Ensure POSIX default ACL is mapped into 
returned Windows ACL for directory handles.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit c67dbd55aadfffb8ee7623aacbda13aa5c676418
Author: Volker Lendecke 
Date:   Tue May 18 08:32:45 2021 +0200

ctdb: Fix a crash in run_proc_signal_handler()

If a script times out the caller can talloc_free() the script_list
output of run_event_recv, which talloc_free's proc->output from
run_proc.c as well. If the script generates further output after the
timeout and then exits after a while, the SIGCHLD handler in the
eventd tries to read into proc->output, which was already freed.

Fix this by not doing just a talloc_steal but a talloc_move. This way
proc_read_handler() called from run_proc_signal_handler() does not try
to realloc the stale reference to proc->output but gets a NULL
reference.

I don't really know how to do a knownfail in ctdb, so this commit
actually activates catching the signal by waiting long enough for
22.bar to exit and generate the SIGCHLD.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit adef87a621b17baf746d12f991c60a8a3ffcfcd3)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue May 25 08:55:59 UTC 2021 on sn-devel-184

commit 037f4b8fb9a3f3ee373441ea31ab0755053df3c2
Author: Volker Lendecke 
Date:   Tue May 18 08:28:16 2021 +0200

ctdb: Introduce output before and after the 10-second timeout

This will lead to a crash in run_event_test.c soon

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit f320d1a7ab0f81eefdb28b36bfe346eacb8980de)

commit 87265cef4b7e47d8b7a0eac7bb30ff3682714f43
Author: Volker Lendecke 
Date:   Tue May 18 08:23:05 2021 +0200

ctdb: Wait for SIGCHLD if script timed out

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 19290f10c7d39e055847eb45affd9e229a116b18)

commit e70a8cbdb4a1b571651bdc8712ae905d9d9d5283
Author: Volker Lendecke 
Date:   Tue May 18 08:18:25 2021 +0200

ctdb: Introduce a helper variable in run_event_test.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 07ab9b7a71d59f3ff2b9dee662632315062213ab)

commit 5e55d2c0dcfa41c10ae0637cd930625a5a273b3a
Author: Volker Lendecke 
Date:   Tue May 18 08:01:06 2021 +0200

ctdb: Call run_event_recv() in a callback function

Triggers a different code path in run_event_* and aligns it more with what
the ctdb eventd really does.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 9398d4b912387be8cde0c2ca30734eca7d547d19)

commit 83511576a1c8a4b3b674b176cf190fc8710eb421
Author: Volker Lendecke 
Date:   Fri May 7 17:36:58 2021 +0200

ctdb: fix typos

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14475
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit f188c9d732e4b9b3d37c4cb09608aba747845997)

---

Summary of changes:
 ctdb/common/run_proc.c |  6 ++--
 ctdb/tests/UNIT/cunit/run_event_001.sh |  3 ++
 ctdb/tests/src/run_event_test.c| 52 +++---
 3 files changed, 47 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
index 0c3c1de72fe..d55af6c3a1e 100644
--- a/ctdb/common/run_proc.c
+++ b/ctdb/common/run_proc.c
@@ -426,7 +426,7 @@ static void run_proc_done(struct tevent_req *req)
 
state->result = state->proc->result;
if (state->proc->output != NULL) {
-   state->output = talloc_steal(state, state->proc->output);
+   state->output = talloc_move(state, >proc->output);
}
talloc_steal(state, state->proc);
 
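
Review bot: the switch from talloc_steal() to talloc_move() on state->proc->output is the whole fix, yet nothing in run_proc_done() says why the source pointer has to be cleared. The commit message explains that proc_read_handler(), called from run_proc_signal_handler(), must see NULL rather than a stale reference once the caller has freed the output; a short comment at this line saying so would stop a later cleanup from turning it back into talloc_steal(). It would also help to state here what happens to output that arrives after the move, since the message says the script can keep writing after the timeout.
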
@@ -464,7 +464,7 @@ static void run_proc_timedout(struct tevent_req *subreq)
 
state->result.err = ETIMEDOUT;
if 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-21 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  abcddbae481 s3: smbd: Ensure POSIX default ACL is mapped into 
returned Windows ACL for directory handles.
  from  46c071544f1 VERSION: Bump version up to 4.13.10...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit abcddbae481034e35da7062e46ac86bc1c0b37d1
Author: Jeremy Allison 
Date:   Mon May 17 15:34:55 2021 -0700

s3: smbd: Ensure POSIX default ACL is mapped into returned Windows ACL for 
directory handles.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14708

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 

Autobuild-User(master): Noel Power 
Autobuild-Date(master): Wed May 19 09:22:56 UTC 2021 on sn-devel-184

(cherry picked from commit b7f62e13933da14c381f70cd46ad13849b108e68)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri May 21 08:50:20 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/smbd/posix_acls.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index db2d36a89a1..1e39261828b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3475,6 +3475,7 @@ NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, 
uint32_t security_info,
 {
SMB_STRUCT_STAT sbuf;
SMB_ACL_T posix_acl = NULL;
+   SMB_ACL_T def_acl = NULL;
struct pai_val *pal;
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
@@ -3493,10 +3494,19 @@ NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, 
uint32_t security_info,
/* Get the ACL from the fd. */
posix_acl = SMB_VFS_SYS_ACL_GET_FD(fsp, frame);
 
+   /* If it's a directory get the default POSIX ACL. */
+   if(fsp->fsp_flags.is_directory) {
+   def_acl = SMB_VFS_SYS_ACL_GET_FILE(fsp->conn,
+  fsp->fsp_name,
+  SMB_ACL_TYPE_DEFAULT,
+  frame);
+   def_acl = free_empty_sys_acl(fsp->conn, def_acl);
+   }
+
pal = fload_inherited_info(fsp);
 
status = posix_get_nt_acl_common(fsp->conn, fsp->fsp_name->base_name,
-, pal, posix_acl, NULL,
+, pal, posix_acl, def_acl,
 security_info, mem_ctx, ppdesc);
TALLOC_FREE(frame);
return status;
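
Review bot: in the second hunk the default ACL is fetched by path, SMB_VFS_SYS_ACL_GET_FILE(fsp->conn, fsp->fsp_name, SMB_ACL_TYPE_DEFAULT, frame), while the access ACL one statement above is read from the open handle with SMB_VFS_SYS_ACL_GET_FD(fsp, frame). That mixes handle-based and path-based lookups inside posix_fget_nt_acl(), so if the name is renamed or replaced between the two calls the returned security descriptor can combine ACLs from two different objects. If no fd-based way to read the default ACL is available, a comment saying so would make the exception explicit. A failed lookup is also indistinguishable from an absent default ACL, because def_acl is passed on without checking why it is NULL, and the new "if(" is missing the space after "if".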


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-11 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  46c071544f1 VERSION: Bump version up to 4.13.10...
   via  1d232e39a02 Merge branch 'v4-13-stable' into 'v4-13-test' again for 
the 4.13.9 release
   via  13061573a33 Revert "VERSION: Bump version up to 4.13.10..." for now
   via  692d5287eaf VERSION: Disable GIT_SNAPSHOT for the 4.13.8 release.
   via  dc853e700d4 WHATSNEW: Add release notes for Samba 4.13.8.
   via  39d9e71cfcf CVE-2021-20254 passdb: Simplify sids_to_unixids()
   via  a44be607c9d VERSION: Enable GIT_SNAPSHOT.
  from  ca362d33d75 VERSION: Bump version up to 4.13.10...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 46c071544f134cf8f04af9f7be5dc9c05f50a2cc
Author: Karolin Seeger 
Date:   Tue May 11 09:52:03 2021 +0200

VERSION: Bump version up to 4.13.10...

and re-enable GIT_SNAPSHOT

Signed-off-by: Karolin Seeger 
(cherry picked from commit ca362d33d752459e9f799d49a944247f50e124a2)

commit 1d232e39a02d5b69af9551136f375c5372fef432
Merge: 13061573a33 692d5287eaf
Author: Stefan Metzmacher 
Date:   Tue May 11 10:24:06 2021 +0200

Merge branch 'v4-13-stable' into 'v4-13-test' again for the 4.13.9 release

Somehow the samba-4.13.8 was not done in v4-13-stable...

This merge has no changes, but it allows us to sync the
history between v4-13-test and v4-13-stable again.

Signed-off-by: Stefan Metzmacher 

commit 13061573a333d1a9de7b868ab014c6ab18d35e79
Author: Stefan Metzmacher 
Date:   Tue May 11 10:23:07 2021 +0200

Revert "VERSION: Bump version up to 4.13.10..." for now

This reverts commit ca362d33d752459e9f799d49a944247f50e124a2.

---

Summary of changes:


Changeset truncated at 500 lines:



-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-11 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  ca362d33d75 VERSION: Bump version up to 4.13.10...
   via  37540e4f90e VERSION: Disable GIT_SNAPSHOT for the Samba 4.13.9 
release.
   via  6afc37ae5d9 WHATSNEW: Add release notes for Samba 4.13.9.
  from  aae24152b8d s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on 
success.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit ca362d33d752459e9f799d49a944247f50e124a2
Author: Karolin Seeger 
Date:   Tue May 11 09:52:03 2021 +0200

VERSION: Bump version up to 4.13.10...

and re-enable GIT_SNAPSHOT

Signed-off-by: Karolin Seeger 

commit 37540e4f90edc80f6073956ec373bb8bdeb4e55e
Author: Karolin Seeger 
Date:   Tue May 11 09:51:07 2021 +0200

VERSION: Disable GIT_SNAPSHOT for the Samba 4.13.9 release.

Signed-off-by: Karolin Seeger 

commit 6afc37ae5d94e50faccad7cf06fb103d892c1a2d
Author: Karolin Seeger 
Date:   Tue May 11 09:50:16 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.9.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 70 ++--
 2 files changed, 69 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index b151df5266d..addb12d75e0 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6fe057c5b40..da680c071d9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,70 @@
+   ==
+   Release Notes for Samba 4.13.9
+May 11, 2021
+   ==
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.8
+
+
+o  Jeremy Allison 
+   * BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
+
+o  Andrew Bartlett 
+   * BUG 14689: Add documentation for dsdb_group_audit and 
dsdb_group_json_audit
+ to "log level", synchronise "log level" in smb.conf with the code.
+
+o  Ralph Boehme 
+   * BUG 14672: Fix smbd panic when two clients open same file.
+   * BUG 14675: Fix memory leak in the RPC server. 
+   * BUG 14679: s3: smbd: Fix deferred renames.
+
+o  Samuel Cabrero 
+   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.
+
+o  Volker Lendecke 
+   * BUG 14675: rpc_server3: Fix a memleak for internal pipes.
+
+o  Stefan Metzmacher 
+   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
+   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.
+
+
+o  Christof Schmitt 
+   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
+ conflict.
+
+o  Martin Schwenke https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
==
Release Notes for Samba 4.13.8
April 29, 2021
@@ -59,8 +126,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
 
 
==


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-05-03 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  aae24152b8d s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on 
success.
   via  8feeac11f7e docs: Expand the "log level" docs on audit logging
   via  83c39f1e4ee docs: underline special words in the audit logging part 
of "log level" in man smb.conf
   via  ef386397d34 docs: Further discourage the use of the "event 
notification" options
   via  78562c46bed docs: Add proper explanation on why transactions need 
to be audited.
   via  56e4cb8f3d0 docs: Add missing documentation on dsdb_group_audit and 
dsdb_group_audit_json
   via  bd6f38ed8b7 debug: Synchronise "log level" in smb.conf with the code
  from  4484b030c0d VERSION: Bump version up to 4.13.9.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit aae24152b8d4691252fb56b095ed892e11b40bec
Author: Jeremy Allison 
Date:   Thu Apr 29 09:50:30 2021 -0700

s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.

Missing call to set up req->outbuf means no reply is sent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14696

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Apr 29 21:27:58 UTC 2021 on sn-devel-184

(cherry picked from commit 47d79d7e7e406f7dd204ded7c72cfed3e0761ad5)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon May  3 09:06:36 UTC 2021 on sn-devel-184

commit 8feeac11f7e4453bc3c5f826ba2694ea9937b430
Author: Andrew Bartlett 
Date:   Fri Apr 16 10:43:07 2021 +1200

docs: Expand the "log level" docs on audit logging

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0)

commit 83c39f1e4ee15ba4660a102b487eb4a44d6084dd
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:40:30 2021 +1200

docs: underline special words in the audit logging part of "log level" in 
man smb.conf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04)

commit ef386397d34cedd0a7068dd2e8ff4e4d40a68e5a
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:45:07 2021 +1200

docs: Further discourage the use of the "event notification" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2)

commit 78562c46beddf870aeb696a81f1efdac6a281de2
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:44:22 2021 +1200

docs: Add proper explanation on why transactions need to be audited.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)

commit 56e4cb8f3d008382850fa51c45c31a31193ae05e
Author: Andrew Bartlett 
Date:   Thu Apr 15 14:39:49 2021 +1200

docs: Add missing documentation on dsdb_group_audit and 
dsdb_group_audit_json

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd)

commit bd6f38ed8b7d50f93e6d629280b11d090920f133
Author: Andrew Bartlett 
Date:   Thu Apr 15 13:52:38 2021 +1200

debug: Synchronise "log level" in smb.conf with the code

This is done by pasting in the contents of default_classname_table[]
in lib/util/debug.c into
cut -f 2 -d \"| xargs -i sh -c 'echo "\t{}"'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa)

---

Summary of changes:
 docs-xml/smbdotconf/logging/loglevel.xml   | 108 +++--
 .../smbdotconf/logon/autheventnotification.xml |  17 ++--
 docs-xml/smbdotconf/misc/dsdbeventnotification.xml |  14 ++-
 .../misc/dsdbgroupchangenotification.xml   |  16 +--
 .../misc/dsdbpasswordeventnotification.xml |  16 +--
 source3/smbd/reply.c   |   2 +
 6 files changed, 121 insertions(+), 52 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/logging/loglevel.xml 
b/docs-xml/smbdotconf/logging/loglevel.xml
index 273765c6fbe..4c6bb5e7e73 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -24,8 +24,6 @@
printdrivers

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-04-29 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  4484b030c0d VERSION: Bump version up to 4.13.9.
   via  5e9cd05325e Merge tag 'samba-4.13.8' into v4-13-test
   via  058aaad5f4a WHATSNEW: Add release notes for Samba 4.13.8.
   via  32c511d439b CVE-2021-20254 passdb: Simplify sids_to_unixids()
   via  2f7500d3927 VERSION: Bump version up to 4.13.8...
  from  2022e490d5e s3-iremotewinspool: set the per-request memory context

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 4484b030c0dc20285950da1b65d3cfad6393464d
Author: Karolin Seeger 
Date:   Thu Apr 29 11:11:31 2021 +0200

VERSION: Bump version up to 4.13.9.

Signed-off-by: Karolin Seeger 

commit 5e9cd05325ea0220426cef1fe8990c1f303a0867
Merge: 2022e490d5e 058aaad5f4a
Author: Karolin Seeger 
Date:   Thu Apr 29 11:11:10 2021 +0200

Merge tag 'samba-4.13.8' into v4-13-test

samba: tag release samba-4.13.8

commit 058aaad5f4a2399dc0c11b42a6650c251957f24d
Author: Karolin Seeger 
Date:   Mon Apr 26 12:45:26 2021 +0200

WHATSNEW: Add release notes for Samba 4.13.8.

Signed-off-by: Karolin Seeger 

commit 32c511d439b23d880133b8d9d32274eba3952a88
Author: Volker Lendecke 
Date:   Sat Feb 20 15:50:12 2021 +0100

CVE-2021-20254 passdb: Simplify sids_to_unixids()

Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.

Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

(backported from patch from master)
[backport by npo...@samba.org as master commit
 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and
 58e9b6ad62c81cdf11d704859a227cb2902b creates conflicts
 due to rename of WBC_ID_TYPE_* -> ID_TYPE_*]

---

Summary of changes:
 VERSION |   2 +-
 WHATSNEW.txt|  68 +++-
 source3/passdb/lookup_sid.c | 123 
 3 files changed, 168 insertions(+), 25 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ae39d7d1aac..b151df5266d 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7df21d367c1..6fe057c5b40 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,68 @@
+   ==
+   Release Notes for Samba 4.13.8
+   April 29, 2021
+   ==
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2021-20254: Negative idmap cache entries can cause incorrect group 
entries
+  in the Samba file server process token.
+
+
+===
+Details
+===
+
+o  CVE-2021-20254:
+   The Samba smbd file server must map Windows group identities (SIDs) into 
unix
+   group ids (gids). The code that performs this had a flaw that could allow it
+   to read data beyond the end of the array in the case where a negative cache
+   entry had been added to the mapping cache. This could cause the calling code
+   to return those values into the process token that stores the group
+   membership for a user.
+
+   Most commonly this flaw caused the calling code to crash, but an alert user
+   (Peter Eriksson, IT Department, Linköping University) found this flaw by
+   noticing an unprivileged user was able to delete a file within a network
+   share that they should have been disallowed access to.
+
+   Analysis of the code paths has not allowed us to discover a way for a
+   remote user to be able to trigger this flaw reproducibly or on demand,
+   but this CVE has been issued out of an abundance of caution.
+
+
+Changes since 4.13.7
+
+
+o  Volker Lendecke 
+   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
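
Review bot: the CVE-2021-20254 entry in the visible part of this WHATSNEW hunk gives neither the range of affected versions nor a link to the security advisory, so an administrator reading only the release notes cannot tell whether a given installation needs the update. One sentence with the affected versions and the advisory URL under the "o CVE-2021-20254:" line would close that gap. The wording also differs between sections: Details describes reading data beyond the end of the array, while the change list says "Fix buffer overrun in sids_to_unixids()"; using one term in both places (an out-of-bounds read) avoids the impression of two separate defects.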

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-04-19 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  2022e490d5e s3-iremotewinspool: set the per-request memory context
  from  56156a8fd54 build: Only add -Wl,--as-needed when supported

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 2022e490d5e506b5b07b02578a68b124241bdad6
Author: Samuel Cabrero 
Date:   Thu Apr 8 18:45:38 2021 +0200

s3-iremotewinspool: set the per-request memory context

The iremotewinspool service is not using the pidl autogenerated code.
Set the per-request memory context following the changes made in commit
5a7e9ade9a4cdfa68900c6a64b639f53c0da47ad.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1890

Signed-off-by: Samuel Cabrero 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Fri Apr  9 15:20:02 UTC 2021 on sn-devel-184

(cherry picked from commit 1efa9ffd7ae77ebf22b28c12dd642a89991b75d2)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Apr 19 07:53:48 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/rpc_server/spoolss/srv_iremotewinspool.c | 2 ++
 1 file changed, 2 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_server/spoolss/srv_iremotewinspool.c 
b/source3/rpc_server/spoolss/srv_iremotewinspool.c
index 26b225818f8..d6a983c722a 100644
--- a/source3/rpc_server/spoolss/srv_iremotewinspool.c
+++ b/source3/rpc_server/spoolss/srv_iremotewinspool.c
@@ -100,6 +100,7 @@ static NTSTATUS 
iremotewinspool__op_dispatch_internal(struct dcesrv_call_state *
/* Update pipes struct opnum */
p->opnum = opnum;
p->dce_call = dce_call;
+   p->mem_ctx = mem_ctx;
/* Update pipes struct session info */
pipe_session_info = p->session_info;
p->session_info = dce_call->auth_state->session_info;
@@ -1238,6 +1239,7 @@ fail:
}
 
p->dce_call = NULL;
+   p->mem_ctx = NULL;
/* Restore session info */
p->session_info = pipe_session_info;
p->auth.auth_type = 0;
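
Review bot: in the fail: path p->mem_ctx is reset to NULL, while p->session_info two lines further down is restored from the value saved in pipe_session_info before dispatch. The first hunk overwrites p->mem_ctx without saving it, so whatever the pipe held before the call is lost; if the field is guaranteed to be unset outside a request, a comment at the assignment saying so would make the asymmetry intentional rather than accidental. Since the commit message notes that this file does not use the pidl autogenerated code, a comment pointing at the generator change it mirrors would help keep the two in step.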


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-04-13 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  56156a8fd54 build: Only add -Wl,--as-needed when supported
  from  7436dde6ef6 s3: smbd: fix deferred renames

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 56156a8fd5432728b3d0526bb3ac3165ab5ebc90
Author: Martin Schwenke 
Date:   Mon Mar 29 16:30:37 2021 +1100

build: Only add -Wl,--as-needed when supported

If -Wl,--as-needed is added to EXTRA_LDFLAGS (via ADD_LDFLAGS, as per
commit 996560191ac6bd603901dcd6c0de5d239e019ef4) then on some
platforms (at least CentOS 8 and Fedora 33), any indirect/recursive
dependencies (i.e. private libraries) are added to both the
binary (reqid_test in the CTDB case) and to samba-util.so.  However,
only samba-util.so has rpath set to find private libraries.

When ld.so tries to resolve these dependencies for the binary it
fails. This may be a bug on those platforms, but it occurs reliably
and our users will also hit the bug.  For binaries that have other
private library dependencies (e.g. bundled talloc) rpath will contain
the private library directory so the duplicate private library
dependencies are then found... that is, when it works, it works by
accident!

For some reason (deep in waf or wafsamba) if -Wl,--as-needed is added to
LINKFLAGS (as is done in conf.add_as_needed()) then it works: the direct
dependencies are only added to samba-util.so and the same dependencies
(indirect dependencies for binaries) are not added incorrectly to the
binaries.

So, without changing 1/2 of waf/wafsamba the simplest fix is to revert
to adding -Wl,--as-needed to LINKFLAGS, which was the case before
commit 996560191ac6bd603901dcd6c0de5d239e019ef4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14288
RN: Fix the build on OmniOS

Signed-off-by: Amitay Isaacs 
Signed-off-by: Martin Schwenke 
Reviewed-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 
(backported from commit ff1c3af603b47a7e8f9faad8d1c2e4a489559155)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Apr 13 13:16:05 UTC 2021 on sn-devel-184

---

Summary of changes:
 wscript | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/wscript b/wscript
index e50aba255a7..51b0376ac18 100644
--- a/wscript
+++ b/wscript
@@ -340,7 +340,8 @@ def configure(conf):
 # allows us to find problems on our development hosts faster.
 # It also results in faster load time.
 
-conf.add_as_needed()
+if conf.CHECK_LDFLAGS('-Wl,--as-needed'):
+conf.env.append_unique('LINKFLAGS', '-Wl,--as-needed')
 
 if not conf.CHECK_NEED_LC("-lc not needed"):
 conf.ADD_LDFLAGS('-lc', testflags=False)
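
Review bot: the literal '-Wl,--as-needed' now appears twice and goes straight into LINKFLAGS through conf.env.append_unique(), but the comment above the change still only mentions finding problems faster and load time. The commit message gives the real reason for not using ADD_LDFLAGS/EXTRA_LDFLAGS here (on some platforms private library dependencies end up on binaries that have no matching rpath); that belongs in a comment next to the CHECK_LDFLAGS test, otherwise a later cleanup is likely to fold this back into ADD_LDFLAGS. Binding the flag to a local variable would keep the tested value and the appended value from diverging.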


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-04-01 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  7436dde6ef6 s3: smbd: fix deferred renames
   via  a85f7995740 s4: torture. Add smb2.lease.rename_wait test to 
reproduce regression in delay rename for lease break code.
   via  3644afc38c7 rpc_server3: Fix a memleak for internal pipes
   via  85b5657cbd6 spools: avoid leaking memory into the callers mem_ctx
   via  890cc945e33 pidl: set the per-request memory context in the pidl 
generator
  from  42e7b36454d smbd: free open_rec state in 
remove_deferred_open_message_smb2_internal()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 7436dde6ef68826174b9f74a014e2a2040cb14a2
Author: Ralph Boehme 
Date:   Mon Mar 29 12:24:39 2021 +0200

s3: smbd: fix deferred renames

This was broken by c7a9e0e4cdfb22e66533b5c8e20af3cfdb8ae78c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184

(cherry picked from commit 10d753868e810604d8f60673bbd48f55aaff0797)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Apr  1 12:19:23 UTC 2021 on sn-devel-184

commit a85f79957407b0369166c63e30537b5170ba0ea7
Author: Jeremy Allison 
Date:   Tue Mar 30 15:05:47 2021 -0700

s4: torture. Add smb2.lease.rename_wait test to reproduce regression in 
delay rename for lease break code.

Passes against Windows 10. Add to knownfail, the
next commit will fix this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Back-ported from 8d9a0b8d57713781c72440c7e91746b5d89e6f6a.

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Boehme 

commit 3644afc38c726a19f39f1d4f96badfb7827fb1a4
Author: Volker Lendecke 
Date:   Tue Mar 23 17:06:15 2021 +0100

rpc_server3: Fix a memleak for internal pipes

state->call should not be talloc'ed off a long-lived context

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
RN: Memory leak in the RPC server

Signed-off-by: Volker Lendecke 
Reviewed-by: Samuel Cabrero 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Wed Mar 31 12:14:01 UTC 2021 on sn-devel-184

(cherry picked from commit 12f516e4680753460e7fe8811e6c6ff70057580c)

commit 85b5657cbd685968045fcaad2e7d3323b902edc9
Author: Ralph Boehme 
Date:   Mon Mar 22 12:06:39 2021 +0100

spools: avoid leaking memory into the callers mem_ctx

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 481176ec745c14b78fca68e01a61c83405a4b97b)

commit 890cc945e338bbe3047bee45772330ec32feb5a2
Author: Ralph Boehme 
Date:   Tue Mar 23 11:40:21 2021 +0100

pidl: set the per-request memory context in the pidl generator

The talloc memory context referenced by the pipe_struct mem_ctx member is
used as talloc parent for RPC response data by the RPC service
implementations.

In Samba versions up to 4.10 all talloc children of p->mem_ctx were freed
after a RPC response was delivered by calling
talloc_free_children(p->mem_ctx). Commit
60fa8e255254d38e9443bf96f2c0f31430be6ab8 removed this call which resulted
in all memory allocations on this context not getting released, which can
consume significant memory in long running RPC connections.

Instead of putting the talloc_free_children(p->mem_ctx) back, just use the
mem_ctx argument of the ${pipename}_op_dispatch_internal() function which
is a dcesrv_call_state object created by dcesrv_process_ncacn_packet() and
released by the RPC server when the RPC request processing is finished.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 4c3fb2a5912966a61e7ebdb05eb3231a0e1d6033)

---

Summary of changes:
 pidl/lib/Parse/Pidl/Samba4/NDR/ServerCompat.pm |   2 +
 source3/rpc_server/rpc_handles.c   |   6 -
 source3/rpc_server/rpc_ncacn_np.c  |   2 +-
 source3/rpc_server/spoolss/srv_spoolss_nt.c|   6 +-
 source3/smbd/smb2_setinfo.c|   1 +
 source4/torture/smb2/lease.c   | 145 +
 6 files changed, 153 insertions(+), 9 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-31 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  42e7b36454d smbd: free open_rec state in remove_deferred_open_message_smb2_internal()
   via  27cd9103dc6 smbd: cancel pending poll open timer in poll_open_done()
   via  f8d67bc3d7d smbd: reset dangling watch_req pointer in poll_open_done
   via  3f366878d33 idmap_nss: Do not return SID from unixids_to_sids on type mismatch
   via  af37d5abae9 idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch
   via  3aa06edf38b winbind: Only use unixid2sid mapping when module reports ID_MAPPED
   via  f2be1673ede third_party: Update socket_wrapper to version 1.3.3
   via  4da1c2301fa third_party: Update socket_wrapper to version 1.3.2
  from  5677103fe7b VERSION: Bump version up to 4.13.8...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 42e7b36454db64120b9940c42592f2fa6d668ad7
Author: Ralph Boehme 
Date:   Tue Mar 16 18:18:46 2021 +0100

smbd: free open_rec state in remove_deferred_open_message_smb2_internal()

The lifetime of open_rec (struct deferred_open_record) objects is the time
processing the SMB open request every time the request is scheduled, i.e. once we
reschedule we must wipe the slate clean. In case the request gets deferred
again, a new open_rec will be created by the schedule functions.

This ensures any timer-event tied to the open_rec gets cancelled and doesn't
fire unexpectedly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843
RN: smbd panic when two clients open same file

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Mar 18 18:04:09 UTC 2021 on sn-devel-184

(cherry picked from commit 591c9196962b695b01c0d86918b8f8a263e9665c)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Mar 31 10:13:40 UTC 2021 on sn-devel-184

commit 27cd9103dc68bf5a23026eb1be75127f0bc831cd
Author: Ralph Boehme 
Date:   Wed Mar 17 16:24:28 2021 +0100

smbd: cancel pending poll open timer in poll_open_done()

The retry of the open is scheduled below, avoid rescheduling it a second time in
the open retry timeout function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 171a58ff3e8ee07cf5d7af08eabcb4a7379e7ce5)

commit f8d67bc3d7d4c2cf1a16a67072fdd097044072dd
Author: Ralph Boehme 
Date:   Wed Mar 17 16:22:37 2021 +0100

smbd: reset dangling watch_req pointer in poll_open_done

We just freed subreq and a pointer to subreq is stored in open_rec->watch_req,
so we must invalidate the pointer.

Otherwise if the poll open timer fires it will do a

  TALLOC_FREE(open_rec->watch_req);

on the dangling pointer which may crash or do something worse like freeing some
other random talloc memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 065ed088b3d5710c288e46a5bf1e063f9a29c8cc)

commit 3f366878d33cf977230137021f6376936b2a1862
Author: Christof Schmitt 
Date:   Fri Mar 5 16:07:54 2021 -0700

idmap_nss: Do not return SID from unixids_to_sids on type mismatch

The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184

(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)

commit af37d5abae924d095e7b35620d850cf1f19021c4
Author: Christof Schmitt 
Date:   Fri Mar 5 16:01:13 2021 -0700

idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch

The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-24 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  5677103fe7b VERSION: Bump version up to 4.13.8...
   via  112d5f41718 Merge tag 'samba-4.13.7' into HEAD
   via  bf1d38a7a16 WHATSNEW: Add release notes for Samba 4.13.7.
   via  2afbb6d42e6 VERSION: Bump version for Samba 4.13.7 release.
   via  7cb60d4209a ldb: version 2.2.1
   via  440b75fda70 VERSION: Disable GIT_SNAPSHOT for the 4.13.6 release.
   via  ef48e861e84 WHATSNEW: Add release notes for Samba 4.13.6.
   via  56a72e2562a CVE-2020-27840: pytests: move Dn.validate test to ldb
   via  2193d840045 CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
   via  7924431e7e4 CVE-2020-27840: pytests:segfault: add ldb.Dn validate test
   via  e0901deb314 CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
   via  309b18d53c1 CVE-2021-20277 ldb: Remove tests from ldb_match_test that do not pass
   via  736cdfad05c CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
   via  99d849abc3b ldb: add tests for ldb_wildcard_compare
   via  b3f66d56baa VERSION: Bump version up to 4.13.6...
  from  b30c0416390 VERSION: Bump version up to 4.13.6...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 5677103fe7b49ed7738d5df5e5231473c673e08c
Author: Stefan Metzmacher 
Date:   Wed Mar 24 11:52:22 2021 +0100

VERSION: Bump version up to 4.13.8...

GIT_SNAPSHOT is already 'yes'.

Signed-off-by: Stefan Metzmacher 

commit 112d5f417186f24483205866cafd3f1a2ad6b6d0
Merge: b30c0416390 bf1d38a7a16
Author: Stefan Metzmacher 
Date:   Wed Mar 24 11:51:33 2021 +0100

Merge tag 'samba-4.13.7' into HEAD

samba: tag release samba-4.13.7

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 VERSION|   2 +-
 WHATSNEW.txt   | 127 ++-
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.2.1.sigs} |   0
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.2.1.sigs} |   0
 lib/ldb/common/attrib_handlers.c   |   2 +-
 lib/ldb/common/ldb_dn.c|   1 +
 lib/ldb/tests/ldb_match_test.c | 138 +++--
 lib/ldb/tests/python/crash.py  |  45 +++
 lib/ldb/wscript|   3 +-
 9 files changed, 303 insertions(+), 15 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.2.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.2.1.sigs} (100%)
 create mode 100644 lib/ldb/tests/python/crash.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 2a2707bfcf2..ae39d7d1aac 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=8
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8b8c349eaa5..7df21d367c1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,127 @@
+   ==
+   Release Notes for Samba 4.13.7
+   March 24, 2021
+   ==
+
+
+This is a follow-up release to depend on the correct ldb version. This is only
+needed when building against a system ldb library.
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-27840: Heap corruption via crafted DN strings.
+o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
+
+
+===
+Details
+===
+
+o  CVE-2020-27840:
+   An anonymous attacker can crash the Samba AD DC LDAP server by sending 
easily
+   crafted DNs as part of a bind request. More serious heap corruption is 
likely
+   also possible.
+
+o  CVE-2021-20277:
+   User-controlled LDAP filter strings against the AD DC LDAP server may crash
+   the LDAP server.
+
+For more details, please refer to the security advisories.
+
+
+Changes since 4.13.6
+
+
+o  Release with dependency on ldb version 2.2.1.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
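Review bot: the Details section of the 4.13.7 notes ends with "For more details, please refer to the security advisories." but neither the "o CVE-2020-27840" nor the "o CVE-2021-20277" bullet carries a link to its advisory. Put the advisory URL under each bullet in the summary list so a reader of WHATSNEW.txt can reach the advisory without searching for it.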

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-09 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  b30c0416390 VERSION: Bump version up to 4.13.6...
   via  6df178003a3 VERSION: Disable GIT_SNAPSHOT for the 4.13.5 release.
   via  7eb253a4221 Revert "wscript: use --as-needed only if tested successfully"
   via  5d765d7358d WHATSNEW: Add release notes for Samba 4.13.5.
  from  6c5e6046345 g_lock: Fix uninitalized variable reads

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b30c0416390ce4151a6bf97ea44e18e9d668e596
Author: Karolin Seeger 
Date:   Tue Mar 9 09:16:21 2021 +0100

VERSION: Bump version up to 4.13.6...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 6df178003a32483a4d98785806c716a942213f21
Author: Karolin Seeger 
Date:   Tue Mar 9 09:15:02 2021 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.13.5 release.

Signed-off-by: Karolin Seeger 

commit 7eb253a42217ab7cde72e5216efbdb4a6ec1725b
Author: Karolin Seeger 
Date:   Tue Mar 9 09:10:12 2021 +0100

Revert "wscript: use --as-needed only if tested successfully"

This reverts commit eebf510fbd8847077c7bec72a1cda674b5a02714.

commit 5d765d7358d5d7bbe03b19aa6c00da520435a19e
Author: Karolin Seeger 
Date:   Mon Mar 8 09:02:43 2021 +0100

WHATSNEW: Add release notes for Samba 4.13.5.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 79 ++--
 wscript  |  3 +--
 3 files changed, 79 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 9efcef67b3a..2a2707bfcf2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 544f4377bfd..8b8c349eaa5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,79 @@
+   ==
+   Release Notes for Samba 4.13.5
+   March 09, 2021
+   ==
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.4
+
+
+o  Trever L. Adams 
+   * BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause 
infinite
+ start-up failure.
+
+o  Jeremy Allison 
+   * BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
+ setup failed on temp proxy connection.
+   * BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection 
closed
+ force a full reload of services.
+
+o  Andrew Bartlett 
+   * BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports 
about
+ expired tombstones.
+
+o  Ralph Boehme conn->session_info for the initial
+ delete-on-close token.
+
+o  Peter Eriksson 
+   * BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
+ path.
+
+o  Björn Jacke 
+   * BUG 14624: classicupgrade: Treat old never expires value right.
+
+o  Volker Lendecke 
+   * BUG 14636: g_lock: Fix uninitalized variable reads.
+
+o  Stefan Metzmacher 
+   * BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
+
+o  Andreas Schneider 
+   * BUG 14625: lib:util: Avoid free'ing our own pointer.
+
+o  Paul Wise 
+   * BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
==
Release Notes for Samba 4.13.4
   January 26, 2021
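Review bot: the BUG 14636 entry under Volker Lendecke reads "g_lock: Fix uninitalized variable reads."; the release notes should spell it "uninitialized" even though the commit subject carries the typo. As it appears here, the Ralph Boehme entry also runs straight from the name into "conn->session_info for the initial" with no "* BUG" line, unlike every other entry, so check that entry against the intended text before the notes ship.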
@@ -65,8 +141,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-08 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  6c5e6046345 g_lock: Fix uninitalized variable reads
   via  efd3ee23123 locking: Fix an uninitialized variable read
  from  a04f19ecdd3 s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6c5e6046345914d8e0660d9d279d8abc3921535a
Author: Volker Lendecke 
Date:   Wed Mar 3 19:15:31 2021 +0100

g_lock: Fix uninitalized variable reads

If dbwrap_watched_watch_recv() returns IO_TIMEOUT, "blockerdead" might
be an uninitialized non-false, and further down we'll remove the wrong
exclusive locker.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14636
Signed-off-by: Volker Lendecke 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Mar  5 11:22:07 UTC 2021 on sn-devel-184

(cherry picked from commit 654c18a244f060d81280493a324b98602a69dbbf)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Mar  8 09:47:35 UTC 2021 on sn-devel-184

commit efd3ee23123c2cc7685113f4253b800258b7532f
Author: Volker Lendecke 
Date:   Wed Mar 3 19:19:23 2021 +0100

locking: Fix an uninitialized variable read

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14636
Signed-off-by: Volker Lendecke 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 84b634c613352fc1da8e1525d72597c526d534d2)

---

Summary of changes:
 source3/lib/g_lock.c  | 4 ++--
 source3/locking/share_mode_lock.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index c36539393e1..36b527706da 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -646,8 +646,8 @@ static void g_lock_lock_retry(struct tevent_req *subreq)
struct g_lock_lock_state *state = tevent_req_data(
req, struct g_lock_lock_state);
struct g_lock_lock_fn_state fn_state;
-   struct server_id blocker;
-   bool blockerdead;
+   struct server_id blocker = { .pid = 0 };
+   bool blockerdead = false;
NTSTATUS status;
 
status = dbwrap_watched_watch_recv(subreq, , );
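Review bot: the new initialisers on `blocker` and `blockerdead` in g_lock_lock_retry() carry no comment saying why they are needed, so they read as redundant next to the dbwrap_watched_watch_recv() call that normally fills both. A one-line comment that the out-parameters can be left unwritten when the receive returns IO_TIMEOUT (the case the commit message describes) would keep a later cleanup from dropping them. It is also worth checking whether the code further down should test `status` before it acts on `blockerdead` at all.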
diff --git a/source3/locking/share_mode_lock.c 
b/source3/locking/share_mode_lock.c
index 1c4d3a42221..d4c27e4d654 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -2256,7 +2256,7 @@ static bool share_mode_entry_do(
struct locking_tdb_data *ltdb = NULL;
size_t idx;
bool found = false;
-   bool modified;
+   bool modified = false;
struct share_mode_entry e;
uint8_t *e_ptr = NULL;
bool have_share_modes;
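Review bot: `bool modified = false;` in share_mode_entry_do() fixes the read, but neither the hunk nor the commit message says which path reaches the read without an assignment. Naming that path in the commit message would make this backport easier to audit; the initialiser itself is consistent with `found` directly above, which is already set to false at declaration.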


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-05 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  a04f19ecdd3 s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure
   via  eebf510fbd8 wscript: use --as-needed only if tested successfully
  from  0eb58c2d68b s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit a04f19ecdd30fc26be3eb0c2f7f169639a52dd6b
Author: Trever L. Adams 
Date:   Fri Feb 26 14:52:03 2021 -0800

s3:modules:vfs_virusfilter: Recent talloc changes cause infinite start-up failure

Recent talloc changes cause the current check for failure to allocate to be incorrectly triggered.

This patch checks to see if the original parameter to be checked for NULL if the talloc returns NULL. This allows for rapid passing in the ca

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14634
RN: Fix failure of vfs_virusfilter starting due to talloc changes

Signed-off-by: Trever L. Adams 
Reviewed-by: Jeremy Allison 
Reviewed-by: Noel Power 
(cherry picked from commit 5a92810082c9a9d2833946ae0d83ce05a6bde597)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Mar  5 12:18:56 UTC 2021 on sn-devel-184

commit eebf510fbd8847077c7bec72a1cda674b5a02714
Author: Björn Jacke 
Date:   Tue Mar 2 22:47:35 2021 +0100

wscript: use --as-needed only if tested successfully

Some OSes like Solaris based OmniOS don't support this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14288

Signed-off-by: Bjoern Jacke 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 996560191ac6bd603901dcd6c0de5d239e019ef4)

---

Summary of changes:
 source3/modules/vfs_virusfilter.c | 157 ++
 wscript   |   3 +-
 2 files changed, 92 insertions(+), 68 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_virusfilter.c 
b/source3/modules/vfs_virusfilter.c
index dc3f040363d..466aec920be 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -267,18 +267,21 @@ static int virusfilter_vfs_connect(
 
infected_file_command = lp_parm_const_string(
snum, "virusfilter", "infected file command", NULL);
-   config->infected_file_command = talloc_strdup(config, 
infected_file_command);
-   if (config->infected_file_command == NULL) {
-   DBG_ERR("virusfilter-vfs: out of memory!\n");
-   return -1;
+   if (infected_file_command != NULL) {
+   config->infected_file_command = talloc_strdup(config, 
infected_file_command);
+   if (config->infected_file_command == NULL) {
+   DBG_ERR("virusfilter-vfs: out of memory!\n");
+   return -1;
+   }
}
-
scan_error_command = lp_parm_const_string(
snum, "virusfilter", "scan error command", NULL);
-   config->scan_error_command = talloc_strdup(config, scan_error_command);
-   if (config->scan_error_command == NULL) {
-   DBG_ERR("virusfilter-vfs: out of memory!\n");
-   return -1;
+   if (scan_error_command != NULL) {
+   config->scan_error_command = talloc_strdup(config, 
scan_error_command);
+   if (config->scan_error_command == NULL) {
+   DBG_ERR("virusfilter-vfs: out of memory!\n");
+   return -1;
+   }
}
 
config->block_access_on_error = lp_parm_bool(
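Review bot: with the new `if (infected_file_command != NULL)` and `if (scan_error_command != NULL)` guards, config->infected_file_command and config->scan_error_command are assigned only on the non-NULL branch. That is correct only if config was zero-initialised when it was allocated, which these lines do not show; either confirm that or add an explicit NULL assignment in an else branch. The hunk also drops the blank line that separated the two parameter blocks, which is worth keeping for readability.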
@@ -290,10 +293,12 @@ static int virusfilter_vfs_connect(
quarantine_dir = lp_parm_const_string(
snum, "virusfilter", "quarantine directory",
tmp ? tmp : "/tmp/.quarantine");
-   config->quarantine_dir = talloc_strdup(config, quarantine_dir);
-   if (config->quarantine_dir == NULL) {
-   DBG_ERR("virusfilter-vfs: out of memory!\n");
-   return -1;
+   if (quarantine_dir != NULL) {
+   config->quarantine_dir = talloc_strdup(config, quarantine_dir);
+   if (config->quarantine_dir == NULL) {
+   DBG_ERR("virusfilter-vfs: out of memory!\n");
+   return -1;
+   }
}
 
if (tmp != config->quarantine_dir) {
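Review bot: the `if (quarantine_dir != NULL)` guard appears to be always true, because the lp_parm_const_string() call just above it passes a non-NULL default (`tmp ? tmp : "/tmp/.quarantine"`). The guard is harmless, but if it is kept only for symmetry with the other parameters, a short comment saying so would stop a reader from looking for a NULL case that cannot occur here.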
@@ -311,42 +316,50 @@ static int virusfilter_vfs_connect(
quarantine_prefix = lp_parm_const_string(
snum, "virusfilter", "quarantine prefix",
VIRUSFILTER_DEFAULT_QUARANTINE_PREFIX);
-   config->quarantine_prefix = talloc_strdup(config, quarantine_prefix);
-   if (config->quarantine_prefix == NULL) {
-   DBG_ERR("virusfilter-vfs: out of memory!\n");
-   return -1;
+   if 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-03-03 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  0eb58c2d68b s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.
   via  4917b5e93d1 script/autobuild.py: let cleanup() ignore errors from rmdir_force() by default
   via  6d93064e188 script/autobuild.py: split out a rmdir_force() helper function
   via  35dc71bbc19 selftest: make/use a copy of GNUPGHOME
   via  70a46568228 s4:selftest: use plansmbtorture4testsuite() for 'rpc.echo'
   via  01a0a619adf s3:selftest: run test_smbclient_tarmode.pl with a fixed subdirectory name
   via  86c7854a1bb selftest/Samba4: allow get_cmd_env_vars() to take an overwrite dictionary
   via  8f95912a5d3 selftest/Samba4: correctly pass KRB5CCNAME to provision
   via  98051444a58 selftest/Samba4: make more use of get_cmd_env_vars()
   via  7a72dc8cd36 selftest:Samba4: avoid File::Path 'make_path' in setup_dns_hub_internal()
   via  57994ca68f2 selftest: allow a prefix under /m/username/
   via  aa9a1644f41 Makefile: add support for 'make testonly'
  from  9806b67ee4c s3: fix fcntl waf configure check

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 0eb58c2d68b68e63a603bb4a3fdced5c3cae4a68
Author: Peter Eriksson 
Date:   Tue Feb 23 12:13:37 2021 -0800

s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14648

Signed-off-by: Peter Eriksson 
Reviewed-by: Jeremy Allison 
Reviewed-by: David Mulder 

Autobuild-User(master): David Mulder 
Autobuild-Date(master): Thu Feb 25 20:46:02 UTC 2021 on sn-devel-184

(cherry picked from commit 3d91fe071a29e2e0c54a10ba081a46cb5c324585)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Mar  3 09:08:34 UTC 2021 on sn-devel-184

commit 4917b5e93d1e7858e9ada1f5840650d9368e2323
Author: Stefan Metzmacher 
Date:   Fri Nov 20 09:20:14 2020 +

script/autobuild.py: let cleanup() ignore errors from rmdir_force() by default

It's not useful to generate a python backtrace from within the cleanup code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14628

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 9883ac45939f253a63f3ff312fc3912c5f02cdac)

Autobuild-User(v4-14-test): Karolin Seeger 
Autobuild-Date(v4-14-test): Tue Feb  2 10:29:44 UTC 2021 on sn-devel-184

(cherry picked from commit cc1568be4d4250390a9ad03c84f5e260fc7acffd)

commit 6d93064e1881f749d4b0a08e0c09eb58cab477c6
Author: Stefan Metzmacher 
Date:   Fri Nov 20 09:20:14 2020 +

script/autobuild.py: split out a rmdir_force() helper function

That also tries to re-add write permissions before removing.
In future we'll have jobs changing their directory to read-only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14628

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 7a5df2deaaf62a7edd7c64251f75ab15abe94c07)
(cherry picked from commit c933135969be29072971f96481b05f499fd48b57)

commit 35dc71bbc19a7f6e36af6bad74f990cfe38db59a
Author: Stefan Metzmacher 
Date:   Sun Nov 22 23:28:31 2020 +0100

selftest: make/use a copy of GNUPGHOME

That makes it possible to run tests from a read only source tree.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14628

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 86343125a55d184c15aa94cd01f4c8893a5a0917)
(cherry picked from commit c1a4cb97d1d71b974eed2ecb5f34bb1425f36294)

commit 70a465682281da2b5e4765ad8d7fdf2095fc60ae
Author: Stefan Metzmacher 
Date:   Sun Nov 22 22:43:36 2020 +0100

s4:selftest: use plansmbtorture4testsuite() for 'rpc.echo'

This makes sure "--basedir=$SELFTEST_TMPDIR" is passed to smbtorture.

Tests should not create files in the build nor the source directory!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14628

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andreas Schneider 
(cherry picked from commit d06f2c22d726a5ec7bd804d89154ee272ab1a679)
(cherry picked from commit 81b36b389cb01eca9b2f0a2a452d290e21f31394)

commit 01a0a619adf91fb95446e26f26a902423b20f052
Author: Stefan Metzmacher 
Date:   Thu Dec 17 06:38:14 2020 +0100

s3:selftest: run test_smbclient_tarmode.pl with a fixed subdirectory name

$PREFIX is the value from --with-selftest-prefix.

The result of the test should not depend on --with-selftest-prefix,
the 'long_path' test in particular.

If the path is too long smbclient (via libarchive) will only
put the full path into a PAX HEADER as 'path' keyword,
that's fine in general, modern tools handle it just fine.
But Perl's Archive::Tar doesn't handle it and only 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-26 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  9806b67ee4c s3: fix fcntl waf configure check
  from  331e4d8363f smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 9806b67ee4c2dd4e1ef42b03517c0ffda40f2ace
Author: Ralph Boehme 
Date:   Mon Sep 21 07:48:43 2020 +0200

s3: fix fcntl waf configure check

RN: Fix fcntl waf configure check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14503

Signed-off-by: Ralph Boehme 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Mon Sep 21 07:26:54 UTC 2020 on sn-devel-184

(cherry picked from commit 454ccd986b61799908a6898a55d0480911f15306)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Feb 26 10:57:20 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/wscript | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/wscript b/source3/wscript
index 9920432a360..563854c1d23 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1244,7 +1244,7 @@ err:
 
 int main(void)
 {
-uint64_t *hint, get_hint;
+uint64_t hint, get_hint;
 int fd;
 
 fd = open(DATA, O_RDONLY | O_CREAT | O_EXCL);
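Review bot: in the configure probe's main(), `fd = open(DATA, O_RDONLY | O_CREAT | O_EXCL);` passes O_CREAT without the third mode argument, so the permission bits of the created file are taken from whatever happens to be in that argument slot. While this probe is being touched for the `hint` declaration, give the open() call an explicit mode such as 0600 as well.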
@@ -1252,8 +1252,8 @@ int main(void)
 goto err;
 }
 
-*hint = RWH_WRITE_LIFE_SHORT;
-int ret = fcntl(fd, F_SET_RW_HINT, hint);
+hint = RWH_WRITE_LIFE_SHORT;
+int ret = fcntl(fd, F_SET_RW_HINT, );
 if (ret == -1) {
 goto err;
 }
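Review bot: the commit message ("s3: fix fcntl waf configure check") does not say what was wrong with the check. The removed `*hint = RWH_WRITE_LIFE_SHORT;` stored through a `uint64_t *hint` that was never pointed at anything, so the probe's outcome rested on undefined behaviour. State that in the message, since a configure check that fails for the wrong reason changes which features get built without anyone noticing.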
@@ -1267,8 +1267,8 @@ int main(void)
 goto err;
 }
 
-*hint = RWH_WRITE_LIFE_EXTREME;
-ret = fcntl(fd, F_SET_FILE_RW_HINT, hint);
+hint = RWH_WRITE_LIFE_EXTREME;
+ret = fcntl(fd, F_SET_FILE_RW_HINT, );
 if (ret == -1) {
 goto err;
 }





[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-26 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  331e4d8363f smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.
  from  55400f08000 dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 331e4d8363fee023b9ac56137e48592a9e1323d7
Author: Jeremy Allison 
Date:   Tue Jan 26 21:29:58 2021 -0800

smbd: In conn_force_tdis_done() when forcing a connection closed force a full reload of services.

Prevents reload_services() caching the fact it might be
called multiple times in a row.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14604

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Boehme 
(cherry picked from commit e4c8cd0781aef2a29bb4db1314c9fcd4f6edcecd)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Feb 26 08:50:23 UTC 2021 on sn-devel-184

---

Summary of changes:
 source3/smbd/conn_idle.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/conn_idle.c b/source3/smbd/conn_idle.c
index ca697383877..56a6ef896fb 100644
--- a/source3/smbd/conn_idle.c
+++ b/source3/smbd/conn_idle.c
@@ -273,5 +273,13 @@ static void conn_force_tdis_done(struct tevent_req *req)
* uid in the meantime. Ensure we're still root.
*/
change_to_root_user();
-   reload_services(sconn, conn_snum_used, true);
+   /*
+* Use 'false' in the last parameter (test) to force
+* a full reload of services. Prevents
+* reload_services caching the fact it's
+* been called multiple times in a row.
+* See BUG: https://bugzilla.samba.org/show_bug.cgi?id=14604
+* for details.
+*/
+   reload_services(sconn, conn_snum_used, false);
 }
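Review bot: the change in conn_force_tdis_done() flips the last argument of reload_services() from true to false, and the summary lists conn_idle.c as the only file touched, so nothing guards against the flag being flipped back later. A regression test for bug 14604 that forces a connection closed and then checks the reloaded services would be worth adding. The new comment names the parameter "(test)"; stating in one clause what a true value skips would make "caching the fact it's been called multiple times in a row" easier to follow.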





[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-22 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  55400f08000 dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones
   via  02b4ddcaed8 selftest: Confirm that we fix any errors on the Deleted Objects container itself
  from  ac0e7f6a0cd classicupgrade: treat old never expires value right

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 55400f080001bcfbcf00c29932e2f01a629e0cdf
Author: Andrew Bartlett 
Date:   Thu Dec 10 16:03:49 2020 +1300

dbcheck: Check Deleted Objects and reduce noise in reports about expired tombstones

These reports (about recently deleted objects)
create concern about a perfectly normal part of DB operation.

We must not operate on objects that are expired or we might reanimate them,
but we must fix "Deleted Objects" if it is wrong (mostly it is set as being
deleted in , but in alpha19 we got this wrong).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Feb  3 05:29:11 UTC 2021 on sn-devel-184

(cherry picked from commit da627106cdbf8d375b25fa3338a717447f3dbb6e)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Feb 22 12:58:04 UTC 2021 on sn-devel-184

commit 02b4ddcaed8c46382620939ee4bf26e1907cf169
Author: Andrew Bartlett 
Date:   Fri Dec 11 15:37:04 2020 +1300

selftest: Confirm that we fix any errors on the Deleted Objects container itself

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit 1ec1c35a3ae422720df491fc9bc787c9944c)

---

Summary of changes:
 python/samba/dbchecker.py  | 25 +-
 ...cted-dbcheck-link-output-lost-deleted-user3.txt | 16 +++---
 testprogs/blackbox/dbcheck-links.sh|  2 +-
 testprogs/blackbox/dbcheck-oldrelease.sh   | 12 +++
 4 files changed, 45 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 593aa8cf6d2..d12833d9390 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -1819,6 +1819,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
 # old static provision dumps
 return False
 
+if dn in self.deleted_objects_containers:
+# The Deleted Objects container will look like an expired
+# tombstone
+return False
+
 repl = ndr_unpack(drsblobs.replPropertyMetaDataBlob, repl_val)
 
 isDeleted = self.find_repl_attid(repl, drsuapi.DRSUAPI_ATTID_isDeleted)
@@ -1832,7 +1837,25 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), 
str(to_base)))
 if delta <= tombstone_delta:
 return False
 
-self.report("SKIPING: object %s is an expired tombstone" % dn)
+expunge_time = delete_time + tombstone_delta
+
+delta_days = delta / (24 * 60 * 60)
+
+if delta_days <= 2:
+self.report("SKIPPING additional checks on object "
+"%s which very recently "
+"became an expired tombstone (normal)" % dn)
+self.report("INFO: it is expected this will be expunged "
+"by the next daily task some time after %s, "
+"%d hours ago"
+% (time.ctime(expunge_time), delta // (60 * 60)))
+else:
+self.report("SKIPPING: object %s is an expired tombstone" % dn)
+self.report("INFO: it was expected this object would have "
+"been expunged soon after"
+"%s, %d days ago"
+% (time.ctime(expunge_time), delta_days))
+
 self.report("isDeleted: attid=0x%08x version=%d invocation=%s usn=%s 
(local=%s) at %s" % (
 isDeleted.attid,
 isDeleted.version,
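
Review bot: in the else branch the adjacent literals "been expunged soon after" and "%s, %d days ago" are concatenated with no space between them, so the report runs "soon after" straight into the date; add a trailing space to the first literal. Also, delta_days = delta / (24 * 60 * 60) is true division and is later formatted with %d, while the hours value uses delta // (60 * 60); use // for both so the "delta_days <= 2" threshold and the printed figure are computed the same way. In the first branch, "%d hours ago" is fed from delta, which is compared against tombstone_delta above and so appears to count from the deletion time, yet in the sentence it follows the expunge time; say which event the interval refers to.
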
diff --git 
a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-lost-deleted-user3.txt
 
b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-lost-deleted-user3.txt
index d014bfacae2..ea9b630df08 100644
--- 
a/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-lost-deleted-user3.txt
+++ 
b/source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-lost-deleted-user3.txt
@@ -1,19 +1,19 @@
 Checking 232 objects
-SKIPING: object 
CN=fred\0ADEL:2301a64c-1122-5566-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp
 is an expired tombstone
+SKIPPING: object 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-16 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  ac0e7f6a0cd classicupgrade: treat old never expires value right
   via  5957cf2e2ca s3:pysmbd: fix fd leak in py_smbd_create_file()
   via  780fbc30041 HEIMDAL: krb5_storage_free(NULL) should work
  from  cf9066b2153 lib:util: Avoid free'ing our own pointer

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit ac0e7f6a0cd6a27679762556324a6ec755401824
Author: Björn Jacke 
Date:   Fri Feb 5 12:47:01 2021 +0100

classicupgrade: treat old never expires value right

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14624

Signed-off-by: Bjoern Jacke 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Wed Feb 10 15:06:49 UTC 2021 on sn-devel-184

(cherry picked from commit df75d82c9de6977c466ee9f01886cb012a9c5fef)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Feb 16 17:16:21 UTC 2021 on sn-devel-184

commit 5957cf2e2ca6265f233803c23212d307c3ccf530
Author: Stefan Metzmacher 
Date:   Tue Feb 9 13:48:36 2021 +0100

s3:pysmbd: fix fd leak in py_smbd_create_file()

Various 'samba-tool domain backup' commands use this and will
fail if there's over ~1000 files in the sysvol folder.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13898

Signed-off-by: Stefan Metzmacher 
(cherry picked from commit d8fa464a2dfb11df4e1db4ebffe8bd28ff118c75)

commit 780fbc3004126175c66ec906910453aed866b163
Author: Paul Wise 
Date:   Mon Feb 29 11:58:45 2016 -0600

HEIMDAL: krb5_storage_free(NULL) should work

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12505

Signed-off-by: Paul Wise 
Reviewed-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 
Original-author: Nicolas Williams 
(cherry-picked from heimdal commit b3db07d5f0e03f6a1a0a392e70f9675e19a6d6af)
(cherry picked from commit f9ed4f7028a5ed29026ac8ef1b47b63755ba98f8)

---

Summary of changes:
 python/samba/upgrade.py  | 2 +-
 source3/smbd/pysmbd.c| 3 +++
 source4/heimdal/lib/krb5/store.c | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py
index 8511bed2868..dff856a8d7c 100644
--- a/python/samba/upgrade.py
+++ b/python/samba/upgrade.py
@@ -74,7 +74,7 @@ def import_sam_policy(samdb, policy, logger):
 
 if 'maximum password age' in policy:
 max_pw_age_unix = policy['maximum password age']
-if max_pw_age_unix == -1 or max_pw_age_unix == 0:
+if max_pw_age_unix == -1 or max_pw_age_unix == 0 or max_pw_age_unix == 
0x:
 max_pw_age_nt = -0x8000
 else:
 max_pw_age_nt = int(-max_pw_age_unix * (1e7))
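
Review bot: the changed condition now compares max_pw_age_unix against three bare sentinel values in a chained "or", with no comment saying which source format produces the newly added one. Collect the "never expires" values in a named tuple beside import_sam_policy() and test membership, with a one-line comment per value. The summary for this changeset lists no test file next to python/samba/upgrade.py, so a regression test that feeds the old value through import_sam_policy() would be worth adding.
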
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index dd4a70ca256..2081a75d52c 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -1144,9 +1144,12 @@ static PyObject *py_smbd_create_file(PyObject *self, 
PyObject *args, PyObject *k
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("init_files_struct failed: %s\n",
nt_errstr(status));
+   } else if (fsp != NULL) {
+   SMB_VFS_CLOSE(fsp);
}
 
TALLOC_FREE(frame);
+   PyErr_NTSTATUS_NOT_OK_RAISE(status);
Py_RETURN_NONE;
 }
 
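
Review bot: the result of SMB_VFS_CLOSE(fsp) in the new "else if (fsp != NULL)" branch is discarded, so a failed close is neither logged nor reflected in status; log it with DBG_ERR as the failure branch above does. The close is also skipped whenever status is not OK, so if the failing call can leave fsp set the descriptor still leaks on that path; either close whenever fsp != NULL or add a comment stating that fsp is always NULL on failure. PyErr_NTSTATUS_NOT_OK_RAISE(status) hides a return inside a macro; placing it after TALLOC_FREE(frame) is the right order, and a short comment would make that explicit.
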
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
index 17de78e9e74..31afb23c983 100644
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -270,6 +270,8 @@ krb5_storage_get_eof_code(krb5_storage *sp)
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_storage_free(krb5_storage *sp)
 {
+if (sp == NULL)
+return 0;
 if(sp->free)
(*sp->free)(sp);
 free(sp->data);
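
Review bot: the new "if (sp == NULL) return 0;" guard changes the contract of krb5_storage_free() to accept NULL, but nothing in the hunk documents it; add that to the function's doc comment so callers know the behaviour is guaranteed. Style: the added line is written "if (" while the following line is written "if("; match the surrounding file.
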





[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-08 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  cf9066b2153 lib:util: Avoid free'ing our own pointer
   via  a3fa41c7429 lib:util: Add cache oversize test for memcache
   via  32d62beae34 lib:util: Add basic memcache unit test
   via  4914efd0cc4 s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection.
  from  d78648963ed s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon struct when temporarily swapping out a connection on a cli_state.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit cf9066b21534de4d0a05a696ba2c28ae2813192d
Author: Andreas Schneider 
Date:   Tue Feb 2 18:10:38 2021 +0100

lib:util: Avoid free'ing our own pointer

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 0bdbe50fac680be3fe21043246b8c75005611351)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Feb  8 11:42:58 UTC 2021 on sn-devel-184

commit a3fa41c742900d7a91adc2e80a388e86e5b05f17
Author: Andreas Schneider 
Date:   Wed Feb 3 10:37:12 2021 +0100

lib:util: Add cache oversize test for memcache

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 00543ab3b29e3fbfe8314e51919629803e14ede6)

commit 32d62beae343a58e8ddc1bccff8dbf9bfe8f869e
Author: Andreas Schneider 
Date:   Wed Feb 3 10:30:08 2021 +0100

lib:util: Add basic memcache unit test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 
(cherry picked from commit bebbf621d6052f797c5cf19a2a9bbc13e699d3f0)

commit 4914efd0cc4818a7334344ce417f3ddfbaac8e2d
Author: Jeremy Allison 
Date:   Wed Feb 3 17:43:08 2021 -0800

s3: libsmb: Add missing cli_tdis() in error path if encryption setup failed on temp proxy connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992

Signed-off-by: Jeremy Allison 

---

Summary of changes:
 lib/util/memcache.c|  19 -
 lib/util/tests/test_memcache.c | 161 +
 lib/util/wscript_build |   8 +-
 selftest/tests.py  |   2 +
 source3/libsmb/clidfs.c|   1 +
 5 files changed, 186 insertions(+), 5 deletions(-)
 create mode 100644 lib/util/tests/test_memcache.c


Changeset truncated at 500 lines:

diff --git a/lib/util/memcache.c b/lib/util/memcache.c
index 1e616bd0e9a..7b0b27eaddb 100644
--- a/lib/util/memcache.c
+++ b/lib/util/memcache.c
@@ -223,14 +223,25 @@ static void memcache_delete_element(struct memcache 
*cache,
TALLOC_FREE(e);
 }
 
-static void memcache_trim(struct memcache *cache)
+static void memcache_trim(struct memcache *cache, struct memcache_element *e)
 {
+   struct memcache_element *tail = NULL;
+
if (cache->max_size == 0) {
return;
}
 
-   while ((cache->size > cache->max_size) && DLIST_TAIL(cache->mru)) {
-   memcache_delete_element(cache, DLIST_TAIL(cache->mru));
+   for (tail = DLIST_TAIL(cache->mru);
+(cache->size > cache->max_size) && (tail != NULL);
+tail = DLIST_TAIL(cache->mru))
+   {
+   if (tail == e) {
+   tail = DLIST_PREV(tail);
+   if (tail == NULL) {
+   break;
+   }
+   }
+   memcache_delete_element(cache, tail);
}
 }
 
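
Review bot: when e is the only element left on cache->mru, the "tail == e" branch breaks out of the loop with cache->size > cache->max_size still true, so an element larger than max_size stays cached and the limit is exceeded; say in a comment on memcache_trim() that this is intended, or have the caller refuse oversize entries. The loop is also hard to follow because tail is reassigned in the body and then reset from DLIST_TAIL(cache->mru) in the for increment; a comment that e is the element just added and must survive the trim would help, as would stating whether e may be NULL.
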
@@ -351,7 +362,7 @@ void memcache_add(struct memcache *cache, enum 
memcache_number n,
memcpy(, cache_value.data, sizeof(mtv));
cache->size += mtv.len;
}
-   memcache_trim(cache);
+   memcache_trim(cache, e);
 }
 
 void memcache_add_talloc(struct memcache *cache, enum memcache_number n,
diff --git a/lib/util/tests/test_memcache.c b/lib/util/tests/test_memcache.c
new file mode 100644
index 000..8a3997817c1
--- /dev/null
+++ b/lib/util/tests/test_memcache.c
@@ -0,0 +1,161 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2021  Andreas Schneider 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-03 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  d78648963ed s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon struct when temporarily swapping out a connection on a cli_state.
   via  1b609f04661 s3: torture: Change the SMB1-only UID-REGRESSION-TEST to do an explicit copy of the tcon struct in use.
   via  643fcfd5566 s3: smbtorture3: Ensure run_tcon_test() always replaces any saved tcon and shuts down correctly even in error paths.
   via  2a6ba7ab9eb s3: smbtorture3: Ensure we *always* replace the saved saved_tcon even in an error condition.
   via  47581202cf3 s3: tests: Add regression test for bug 13992.
  from  f6e5fe6f122 smbd: use fsp->conn->session_info for the initial delete-on-close token

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit d78648963ed0475dcce2f87b9dc969661fcbfc06
Author: Jeremy Allison 
Date:   Thu Jan 28 11:08:48 2021 -0800

s3: libsmb: cli_state_save_tcon(). Don't deepcopy tcon struct when temporarily swapping out a connection on a cli_state.

This used to make a deep copy of either
cli->smb2.tcon or cli->smb1.tcon, but this leaves
the original tcon pointer in place which will then get
TALLOC_FREE()'d when the new tree connection is made on
this cli_state.

As there may be pipes open on the old tree connection with
talloc'ed state allocated using the original tcon pointer as a
talloc parent we can't deep copy and then free this pointer
as that will fire the destructors on the pipe memory and
mark them as not connected.

This call is used to temporarily swap out a tcon pointer
(whilst keeping existing pipes open) to allow a new tcon
on the same cli_state and all users correctly call
cli_state_restore_tcon() once they are finished with
the new tree connection.

Just return the existing pointer and set the old value to NULL.
We know we MUST be calling cli_state_restore_tcon() below
to restore the original tcon tree connection pointer before
closing the session.

Remove the knownfail.d entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992

Signed-off-by: Jeremy Allison 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Feb  2 21:05:25 UTC 2021 on sn-devel-184

(cherry picked from commit 4f80f5f9046b64a9e5e0503b1cb54f1492c4faec)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Feb  3 21:23:36 UTC 2021 on sn-devel-184

commit 1b609f046615abb69bf5a59f1df915f46e9853bc
Author: Jeremy Allison 
Date:   Thu Jan 28 17:35:55 2021 -0800

s3: torture: Change the SMB1-only UID-REGRESSION-TEST to do an explicit copy of the tcon struct in use.

For this test only, explicitly copy the SMB1 tcon struct,
don't use cli_state_save_tcon()//cli_state_restore_tcon()
as these calls will soon change to just manipulate the pointer
to avoid TALLOC_FREE() on the tcon struct which calls
destructors on child pipe data.

In SMB1 this test calls cli_tdis() twice with an invalid
vuid and expects the SMB1 tcon struct to be preserved
across the calls.

SMB1 cli_tdis() frees cli->smb1.tcon so we must put back
a deep copy into cli->smb1.tcon to be able to safely call
cli_tdis() again.

This is a test-only hack. Real client code
uses cli_state_save_tcon()/cli_state_restore_tcon()
if it needs to temporarily swap out the active
tcon on a client connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992

Signed-off-by: Jeremy Allison 
Reviewed-by: Andreas Schneider 
(cherry picked from commit e93e6108837eff0cebad8dc26d055c0e1386093a)

commit 643fcfd5566c64001df2ed7d6b313e31f218789c
Author: Jeremy Allison 
Date:   Thu Jan 28 10:56:18 2021 -0800

s3: smbtorture3: Ensure run_tcon_test() always replaces any saved tcon and shuts down correctly even in error paths.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992

Signed-off-by: Jeremy Allison 
Reviewed-by: Andreas Schneider 
(cherry picked from commit f9ca91bd293e9f2710c4449c5d4f5d016a066049)

commit 2a6ba7ab9eb7d5371e1de2a50d5e63ed214f88f0
Author: Jeremy Allison 
Date:   Thu Jan 28 10:46:33 2021 -0800

s3: smbtorture3: Ensure we *always* replace the saved saved_tcon even in an error condition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13992

Signed-off-by: Jeremy Allison 
Reviewed-by: Andreas Schneider 
(cherry picked from commit dc701959cad7bf15aa47cad6451212606520f67f)

commit 47581202cf32c2f9103103d987e6d8e694cee532
Author: Jeremy Allison 
Date:   Thu Jan 28 14:07:23 2021 -0800

s3: tests: Add regression test for bug 13992.

Subtle extra test. Mark as knownfail for now.

'^ user1$' must appear MORE THAN ONCE, as 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-02-01 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  f6e5fe6f122 smbd: use fsp->conn->session_info for the initial delete-on-close token
   via  ba12f0c3ae0 selftest: add a test that verifies unlink works when "force user" is set
   via  35eddb388f2 selftest: add force_user_error_inject share in maptoguest env
   via  483c1dc818e vfs_error_inject: add unlinkat hook
   via  2c0987d6564 s3/auth: implement "winbind:ignore domains"
   via  b236cbcf9d2 winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
   via  f0225b0adcb winbind: check for allowed domains in winbindd_dual_pam_chauthtok()
   via  888e1d67229 winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()
   via  7878dec1da0 winbind: check for allowed domains in winbindd_dual_pam_auth_crap()
   via  c983012811e winbind: check for allowed domains in winbindd_dual_pam_auth()
   via  86a96954c1f winbind: move "winbind:ignore domain" logic to a separate function
   via  2e2e854f04e selftest: add a test for "winbind:ignore domains"
   via  27dc8f4e90b winbind: handle MSG_SMB_CONF_UPDATED in the winbinds children
   via  3b5fa17d9bd winbind: set logfile after reloading config
   via  19f39e67942 winbind: move config-reloading code to winbindd_dual.c
   via  7003d050b0c selftest: use correct DNS domain name for wrapper hosts file
  from  670eddc646a VERSION: Bump version up to 4.13.5...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit f6e5fe6f122f85dda46872045cbc4cb020b399b9
Author: Ralph Boehme 
Date:   Sat Jan 23 18:36:23 2021 +0100

smbd: use fsp->conn->session_info for the initial delete-on-close token

There's a correctly set up session_info at fsp->conn->session_info, we can just
use that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14617

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Jan 26 04:04:14 UTC 2021 on sn-devel-184

(cherry picked from commit e06f86bbd93d024c70016e1adcf833db85742aca)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Mon Feb  1 08:47:05 UTC 2021 on sn-devel-184

commit ba12f0c3ae02d002435ecbb32ac018f8eb821691
Author: Ralph Boehme 
Date:   Mon Jan 25 11:48:32 2021 +0100

selftest: add a test that verifies unlink works when "force user" is set

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14617

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit aa1f09cda0a097617e34dd0a8b1b0acc7a37bca8)

commit 35eddb388f248cb206518eb2843f9aaf1479bfeb
Author: Ralph Boehme 
Date:   Mon Jan 25 11:47:45 2021 +0100

selftest: add force_user_error_inject share in maptoguest env

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14617

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit f3f8fdfbf10f690bc8d972a13d6f74f1fb0fb375)

commit 483c1dc818ec748daad85fd8e4f223d6edf22f60
Author: Ralph Boehme 
Date:   Mon Jan 25 11:46:30 2021 +0100

vfs_error_inject: add unlinkat hook

Note that a failure is only injected if the owner of the parent directory is not
the same as the current user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14617

Back-ported from commit c44dad3ac2eb36fc5eb5a9f80a9ef97183be26ef.

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

commit 2c0987d65646aa41d0bc81f9e1c06f2ad9b5b485
Author: Ralph Boehme 
Date:   Fri Jan 15 12:56:25 2021 +0100

s3/auth: implement "winbind:ignore domains"

Under the following conditions a user from an ignored domain might be able to
authenticate:

- using Kerberos

- successful previous authentication so the idmap and name caches are filled

- winbind not running (fwiw, winbindd is mandatory on a domain member)

- nscd running with a cached getpwnam for the ignored user (otherwise auth fails
  because getpwnam fails)

- lookup_name() function being modified to look into the name cache before
  contacting winbindd. Currently it talks directly to winbindd and that will
  check the cache.

Currently, authentication will only fail because creating the local token for
the user fails because an LSA lookupname RPC call fails (because winbindd is not
running).

All of this makes a successful authentication unlikely, but that is more by
accident than by design.

To ensure that if winbindd is not running and as such winbindd itself can not
enforce the restriction, also implement the ignored domains check in the auth
system as a last line of defense.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
RN: "winbind:ignore 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-25 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  670eddc646a VERSION: Bump version up to 4.13.5...
   via  19965edb713 VERSION: Disable GIT_SNAPSHOT for the 4.13.4 release.
   via  54868d2d58e WHATSNEW: Add release notes for Samba 4.13.4.
  from  d5905865962 script/release.sh: always select the GPG key by its ID

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 670eddc646a508ca85c3170fbe6152fef6f6494f
Author: Karolin Seeger 
Date:   Tue Jan 26 08:14:38 2021 +0100

VERSION: Bump version up to 4.13.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 19965edb713f94f8a28b2d4df7a64a829179f9dc
Author: Karolin Seeger 
Date:   Tue Jan 26 08:12:22 2021 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.13.4 release.

Signed-off-by: Karolin Seeger 

commit 54868d2d58e8017d56b41ce1da03ce2dacf46586
Author: Karolin Seeger 
Date:   Mon Jan 25 13:47:33 2021 +0100

WHATSNEW: Add release notes for Samba 4.13.4.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 76 
 2 files changed, 73 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 567aa29970f..9efcef67b3a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 947fd89e3c3..544f4377bfd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,74 @@
+   ==
+   Release Notes for Samba 4.13.4
+  January 26, 2021
+   ==
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.3
+
+
+o  Jeremy Allison 
+   * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp 
Ontap
+ 7.3.7.
+   * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
+ same way as a regular share definition does.
+
+o  Dimitry Andric 
+   * BUG 14605: lib: Avoid declaring zero-length VLAs in various messaging
+ functions.
+
+o  Andrew Bartlett 
+   * BUG 14579: Do not create an empty DB when accessing a sam.ldb.
+
+o  Ralph Boehme 
+   * BUG 14596: vfs_fruit may close wrong backend fd.
+   * BUG 14612: Temporary DFS share setup doesn't set case parameters in the
+ same way as a regular share definition does.
+
+o  Arne Kreddig 
+   * BUG 14606: vfs_virusfilter: Allocate separate memory for config char*.
+
+o  Stefan Metzmacher 
+   * BUG 14596: vfs_fruit may close wrong backend fd.
+   * BUG 14607: Work around special SMB2 IOCTL response behavior of NetApp 
Ontap
+ 7.3.7.
+
+o  Andreas Schneider 
+   * BUG 14601: The cache directory for the user gencache should be created
+ recursively.
+
+o  Martin Schwenke 
+   * BUG 14594: Be more flexible with repository names in CentOS 8 test
+ environments.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
+
==
Release Notes for Samba 4.13.3
   December 15, 2020
@@ -66,10 +137,7 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
-
-   ==
+-- 
  ==
Release Notes for Samba 4.13.2
   November 03, 2020
==



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-22 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  d5905865962 script/release.sh: always select the GPG key by its ID
   via  cd0442f4147 ReleaseKey: add GnuPG key transition statement for the Samba release key
   via  5817c495c59 script/release.sh: Use new GPG key.
  from  4e48d658f8d s3: smbd: Add call to conn_setup_case_options() to create_conn_struct_as_root().

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit d59058659627155ea065295891d7f2bc3e9c8189
Author: Karolin Seeger 
Date:   Thu Jan 21 13:03:44 2021 +0100

script/release.sh: always select the GPG key by its ID

Signed-off-by: Karolin Seeger 
Signed-off-by: Stefan Metzmacher 
(cherry picked from commit 715b208b513035269a6523f8543c4bf328a7c0f2)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Jan 22 15:10:26 UTC 2021 on sn-devel-184

commit cd0442f4147da5249009af5dfb35a394f91f6bb4
Author: Karolin Seeger 
Date:   Thu Jan 21 13:02:26 2021 +0100

ReleaseKey: add GnuPG key transition statement for the Samba release key

Signed-off-by: Karolin Seeger 
Signed-off-by: Stefan Metzmacher 
(cherry picked from commit 38a278b1afedd6c0a6de0fd4f08008e83f8597a9)

commit 5817c495c599c2bef6b51df2cf5092436fdd792f
Author: Karolin Seeger 
Date:   Tue Dec 22 09:35:58 2020 +0100

script/release.sh: Use new GPG key.

Signed-off-by: Karolin Seeger 
(cherry picked from commit 2f6cea063ddf52d77037644d612bbc209837e707)

---

Summary of changes:
 GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt | 27 ++
 script/release.sh  | 10 
 2 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt


Changeset truncated at 500 lines:

diff --git a/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt 
b/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
new file mode 100644
index 000..8e240bae8db
--- /dev/null
+++ b/GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
@@ -0,0 +1,27 @@
+-BEGIN PGP SIGNED MESSAGE-
+Hash: SHA1
+
+The GPG release key for Samba releases changed from:
+
+pub   dsa1024/6F33915B6568B7EA 2007-02-04 [SC] [expires: 2021-02-05]
+  Key fingerprint = 52FB C0B8 6D95 4B08 4332  4CDC 6F33 915B 6568 B7EA
+uid [  full  ] Samba Distribution Verification Key 

+sub   elg2048/9C6ED163DA6DFB44 2007-02-04 [E] [expires: 2021-02-05]
+
+to the following new key:
+
+pub   rsa4096/AA99442FB680B620 2020-12-21 [SC] [expires: 2022-12-21]
+  Key fingerprint = 81F5 E283 2BD2 545A 1897  B713 AA99 442F B680 B620
+uid [ultimate] Samba Distribution Verification Key 

+sub   rsa4096/97EF9386FBFD4002 2020-12-21 [E] [expires: 2022-12-21]
+
+Starting from Jan 21th 2021, all Samba releases will be signed with the new 
key.
+
+This document is signed with the old key.
+
+-BEGIN PGP SIGNATURE-
+
+iF0EARECAB0WIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCYAltCQAKCRBvM5FbZWi3
+6ofOAJ491tFEr36jLkf158ueIrDw9zNVtgCbBV3PgocOX5VH57s1NQdBOof+ihw=
+=wf56
+-END PGP SIGNATURE-
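
Review bot: the statement is clearsigned with "Hash: SHA1" by the outgoing dsa1024 key only ("This document is signed with the old key"), so trust in the new rsa4096 key rests entirely on the weaker key and digest. Add a second signature made with AA99442FB680B620 so the file also proves possession of the new key, and use a stronger digest for the signature. "Jan 21th" should read "Jan 21st".
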
diff --git a/script/release.sh b/script/release.sh
index 507d5931a6a..45e9206005c 100755
--- a/script/release.sh
+++ b/script/release.sh
@@ -316,7 +316,7 @@ create_release() {
 
echo "Signing ${tarname} => ${tarname}.asc"
rm -f "${tarname}.asc"
-   gpg -u "${GPG_USER}" --detach-sign --armor ${tarname} || {
+   gpg --default-key "${GPG_KEYID}" --detach-sign --armor ${tarname} || {
return 1
}
test -f "${tarname}.asc" || {
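
Review bot: --default-key on the changed gpg line only sets a default and is overridden by any --local-user (-u) setting, for example one in gpg.conf, so it does not guarantee that ${GPG_KEYID} made the signature; keep the explicit form, -u "${GPG_KEYID}". The check that follows only tests that ${tarname}.asc exists; verify the detached signature and compare the signing key against ${GPG_KEYID} before the script carries on. ${tarname} is also unquoted on the changed line. The same points apply to the ${patchfile} line in patch_release().
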
@@ -362,7 +362,7 @@ patch_release() {
echo "Signing ${patchfile} => ${patchfile}.asc"
rm -f "${patchfile}.asc"
CLEANUP_FILES="${CLEANUP_FILES} ${patchfile}.asc"
-   gpg -u "${GPG_USER}" --detach-sign --armor ${patchfile} || {
+   gpg --default-key "${GPG_KEYID}" --detach-sign --armor ${patchfile} || {
return 1
}
test -f "${patchfile}.asc" || {
@@ -1053,7 +1053,7 @@ samba-rc)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='AA99442FB680B620'
}
 
productbase="samba"
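
Review bot: the default GPG_KEYID='AA99442FB680B620' is a 64-bit long key ID; pin the full fingerprint given in the transition statement (81F5 E283 2BD2 545A 1897 B713 AA99 442F B680 B620) so key selection cannot match a different key with a colliding ID. The same literal is assigned in the samba-rc, samba-stable and TODO-samba-security branches; define it once near the top of the script.
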
@@ -1074,7 +1074,7 @@ samba-stable)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='AA99442FB680B620'
}
 
productbase="samba"
@@ -1096,7 +1096,7 @@ TODO-samba-security)
}
 
test -z "${GPG_KEYID-}"  && {
-   GPG_KEYID='6F33915B6568B7EA'
+   GPG_KEYID='AA99442FB680B620'
}
 
productbase="samba"





[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-20 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  4e48d658f8d s3: smbd: Add call to conn_setup_case_options() to create_conn_struct_as_root().
   via  d13354f08f5 s3: smbd: Factor out setting up case parameters for a share to a function - conn_setup_case_options().
   via  a6ec2580b4d build: remove smbd_conn private library
   via  810b019db9e libcli/smb: allow unexpected padding in SMB2 IOCTL responses
   via  efb811f6e43 smbd: implement FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 as reproducer for bug 14607
   via  6ae3c220a93 s4:torture/smb2: add samba3.smb2.ioctl.bug14607
   via  26e762a42e2 libcli/smb: split out smb2cli_ioctl_parse_buffer()
   via  5e64e53fe2f libcli/smb: Allow smb2cli_validate_negotiate_info_done() to ignore NT_STATUS_INVALID_PARAMETER.
   via  bb951cd05c2 libcli/smb: Change some checks to SMB_ASSERTS
  from  fdeba39 vfs_fruit: fix close for fake_fd

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 4e48d658f8d750c350ebbf33314323a9a9ee1ebc
Author: Jeremy Allison 
Date:   Tue Jan 12 11:44:44 2021 -0800

s3: smbd: Add call to conn_setup_case_options() to create_conn_struct_as_root().

Ensures temporary DFS share doesn't leave the case parameters set
as zero (i.e.:

conn->case sensitive = 0
conn->share_case_preserve = 0
and default case is lower

which can cause problems doing a DFS_GET_REFERRALS request).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14612

Signed-off-by: Jeremy Allison 
Reviewed-by: Anoop C S 

Autobuild-User(master): Anoop C S 
Autobuild-Date(master): Wed Jan 13 18:14:31 UTC 2021 on sn-devel-184

(cherry picked from commit 39ce73321093a0a5e25f574d0d32d7f88892de46)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Jan 20 10:27:02 UTC 2021 on sn-devel-184

commit d13354f08f573251f32e532166b3e5808ebdc634
Author: Jeremy Allison 
Date:   Tue Jan 12 11:39:51 2021 -0800

s3: smbd: Factor out setting up case parameters for a share to a function - conn_setup_case_options().

Will allow it to be reused in the msdfs temporary share code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14612

Signed-off-by: Jeremy Allison 
Reviewed-by: Anoop C S 
(cherry picked from commit ab7700177c2badbf8ed649985be8029223b6e946)

commit a6ec2580b4dc41bf78cab5bac282f4cd618adcf2
Author: Ralph Boehme 
Date:   Sun Sep 27 08:52:58 2020 +0200

build: remove smbd_conn private library

This is not needed anymore since 6822baa2920f30374ec84363497d97e24f359fab.

Needed here for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14612

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 80ac7fa7c4c728bef4f947872c090fec35fb26f0)

commit 810b019db9ed9f5e1ea49db2b1c3e4e5fcae7f5c
Author: Stefan Metzmacher 
Date:   Thu Jan 14 17:32:15 2021 +0100

libcli/smb: allow unexpected padding in SMB2 IOCTL responses

A NetApp Ontap 7.3.7 SMB server adds 8 padding bytes to an
offset that's already 8 byte aligned.

RN: Work around special SMB2 IOCTL response behavior of NetApp Ontap 7.3.7
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Pair-Programmed-With: Volker Lendecke 

Signed-off-by: Stefan Metzmacher 
Signed-off-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Fri Jan 15 08:36:34 UTC 2021 on sn-devel-184

(cherry picked from commit 4c6c71e1378401d66bf2ed230544a75f7b04376f)

commit efb811f6e4390f9f210decb2da9c59b1ca63cfee
Author: Stefan Metzmacher 
Date:   Thu Jan 14 17:39:01 2021 +0100

smbd: implement FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 as reproducer for bug 14607

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 39c0d2b666a6ddac7cd3b29fe76be7375690b27b)

commit 6ae3c220a93c2128d6522d02004310ca30380a63
Author: Stefan Metzmacher 
Date:   Thu Jan 14 17:39:18 2021 +0100

s4:torture/smb2: add samba3.smb2.ioctl.bug14607

FSCTL_SMBTORTURE_IOCTL_RESPONSE_BODY_PADDING8 will be used
to trigger an SMB2 IOCTL response with extra padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 3db566026bcc0bff87acae762211e1c49220dc82)

commit 26e762a42e2191009c7f42bfe7b1131e8af33409
Author: Stefan Metzmacher 
Date:   Thu Jan 14 17:27:21 2021 +0100

libcli/smb: split out smb2cli_ioctl_parse_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14607

Pair-Programmed-With: Volker Lendecke 

Signed-off-by: Stefan Metzmacher 
Signed-off-by: Volker Lendecke 

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-13 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  fdeba39 vfs_fruit: fix close for fake_fd
   via  0391c7b55ff vfs_fruit: check fake_fd in fruit_pread_meta_stream()
   via  800a3dae912 vfs_fruit: use "fake_fd" instead of "created"
   via  124a7dc0680 vfs_streams_xattr: make use of vfs_fake_fd_close()
   via  15e4e106fe4 vfs_fruit: make use of vfs_fake_fd_close()
   via  a01b3646a54 s3:smbd: add vfs_fake_fd_close() helper
   via  1581c4c0752 s3:lib: Create the cache path of user gencache recursively
   via  c28deed6da1 lib:util: Add directory_create_or_exists_recursive()
   via  9ab30ab1c80 vfs_virusfilter: Allocate separate memory for config char*
  from  fc15ff8951f Do not create an empty DB when accessing a sam.ldb

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit fdeba393ac7d7488413f252d8b4b2efe0485
Author: Ralph Boehme 
Date:   Fri Dec 11 12:59:28 2020 +0100

vfs_fruit: fix close for fake_fd

If the next backend doesn't use kernel fd's we should not
pass a fake_fd to the next backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Ralph Boehme 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Fri Jan  8 21:38:18 UTC 2021 on sn-devel-184

(back-ported from commit 564b62a6f7c0a9b9712946d723118122b9c3785f)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Jan 13 14:45:03 UTC 2021 on sn-devel-184

commit 0391c7b55ff2810cbd3847700bf2183d86167d14
Author: Ralph Boehme 
Date:   Fri Dec 11 13:00:56 2020 +0100

vfs_fruit: check fake_fd in fruit_pread_meta_stream()

Don't call into the next VFS backend if we know we still have a fake-fd. Just
return -1 and the caller has the logic to handle this, which results in
returning an AFP_AfpInfo blob initialized with some defaults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Ralph Boehme 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 
(back-ported from commit c5da08422990dfc1e082bc01aa10d6e415eebe3f)

commit 800a3dae9126bcacdc0b21f0b71dc38d94e3faa9
Author: Ralph Boehme 
Date:   Fri Dec 11 13:00:09 2020 +0100

vfs_fruit: use "fake_fd" instead of "created"

Both have basically the same semantics.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Ralph Boehme 
Reviewed-by: Stefan Metzmacher 
Reviewed-by: Jeremy Allison 
(back-ported from commit 36eb30fd7d4b82bffd0e1ab471c088f678d700a4)

commit 124a7dc068045362428dada609a41162455a6ff5
Author: Stefan Metzmacher 
Date:   Fri Dec 18 14:36:00 2020 +0100

vfs_streams_xattr: make use of vfs_fake_fd_close()

When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symmetric.

That may allow us to change vfs_fake_fd() internally if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(back-ported from commit 40e70cbd3c3a1df9205a7b18d07784c1754cc340)

commit 15e4e106fe4c5a2310151dc4f88f25216306fa96
Author: Stefan Metzmacher 
Date:   Fri Dec 18 14:36:00 2020 +0100

vfs_fruit: make use of vfs_fake_fd_close()

When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symmetric.

That may allow us to change vfs_fake_fd() internally if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(back-ported from commit 719c83b4dc4cef16429ec2803621039545f6885e)

commit a01b3646a540fb982c661a2550c5bfb49f62aa2f
Author: Stefan Metzmacher 
Date:   Fri Dec 18 14:03:09 2020 +0100

s3:smbd: add vfs_fake_fd_close() helper

When we used vfs_fake_fd() we should use vfs_fake_fd_close()
in order to have things symmetric.

This makes code easier to understand and may allow us to change
vfs_fake_fd() internally if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14596

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(back-ported from commit 8f057333466b2d9845cd8bc2b794d98252ade2a4)

commit 1581c4c075270f26a1d1fc363dbcc8ccd44fc6c7
Author: Andreas Schneider 
Date:   Mon Dec 21 10:36:46 2020 +0100

s3:lib: Create the cache path of user gencache recursively

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14601

Signed-off-by: Andreas Schneider 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Wed Jan  6 23:59:58 UTC 2021 on sn-devel-184

  

[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-07 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  fc15ff8951f Do not create an empty DB when accessing a sam.ldb
  from  c5159bd6d76 bootstrap: Cope with case changes in CentOS 8 repo names

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit fc15ff8951f791ba53f25b44c105093c1cdb9bac
Author: Andrew Bartlett 
Date:   Mon Nov 23 19:35:37 2020 +1300

Do not create an empty DB when accessing a sam.ldb

Samba already does this for samba-tool and doing this should make
our errors more sensible, particularly in BIND9 if not provisioned
with the correct --dns-backend=DLZ_BIND9

The old error was like:

 named[62954]: samba_dlz: Unable to get basedn for
 /var/lib/samba/private/dns/sam.ldb
  - NULL Base DN invalid for a base search.

The new error will be like (in this case from the torture test):
 Failed to connect to Failed to connect to
 ldb:///home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb:
 Unable to open tdb '/home/abartlet/samba/st/chgdcpass/bind-dns/dns/sam.ldb':
 No such file or directory: Operations error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14579

Reviewed-by: Andreas Schneider 
Signed-off-by: Andrew Bartlett 
(cherry picked from commit d49e96bc45ea5e2d3364242dad36fe9094b7cc42)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Jan  7 10:50:10 UTC 2021 on sn-devel-184

---

Summary of changes:
 source4/dsdb/samdb/samdb.c | 3 +++
 1 file changed, 3 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 10db0c50395..d5890dec03e 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -63,6 +63,9 @@ int samdb_connect_url(TALLOC_CTX *mem_ctx,
*ldb_ret = NULL;
*errstring = NULL;
 
+   /* We create sam.ldb in provision, and never anywhere else */
+   flags |= LDB_FLG_DONT_CREATE_DB;
+
if (remote_address == NULL) {
ldb = ldb_wrap_find(url, ev_ctx, lp_ctx,
session_info, NULL, flags);
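
Review bot: `flags |= LDB_FLG_DONT_CREATE_DB;` sits above the `remote_address == NULL` branch, so it is forced on for every caller of samdb_connect_url() and for whatever url is passed in, not only for sam.ldb as the comment says. A caller cannot opt out by clearing the flag, so that belongs in the function's documentation, and it is worth confirming that no test or tool relied on this path creating the file implicitly.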


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2021-01-05 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  c5159bd6d76 bootstrap: Cope with case changes in CentOS 8 repo names
   via  6e6a16d8805 lib: Avoid declaring zero-length VLAs in various messaging functions
  from  6f4f529dded VERSION: Bump version up to 4.13.4...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit c5159bd6d7678b62461da785a2994f1cf97ca5db
Author: Martin Schwenke 
Date:   Wed Dec 9 00:03:47 2020 +1100

bootstrap: Cope with case changes in CentOS 8 repo names

RN: Be more flexible with repository names in CentOS 8 test environments

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14594
Signed-off-by: Martin Schwenke 
Reviewed-by: Andrew Bartlett 
(backported from commit 1c59f49aaede8ec1662d4e49aef84fcd902a8a76)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Jan  5 12:50:02 UTC 2021 on sn-devel-184

commit 6e6a16d88050ee7930f74e12615c0e046c3f9f77
Author: Dimitry Andric 
Date:   Fri Jan 1 18:25:48 2021 +0100

lib: Avoid declaring zero-length VLAs in various messaging functions

In messaging_rec_create(), messaging_recv_cb() and
messaging_dispatch_rec(), variable length arrays of file descriptors are
declared using an incoming num_fds parameter.

However, there are several scenarios where num_fds can be zero, and
declaring a zero-length VLA is undefined behavior. This can lead to
segmentation faults and/or other crashes when compiling with recent
versions of clang at high optimization levels.

To avoid ever using zero as the length for these declarations, use
MAX(1, length) instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14605

Signed-off-by: Dimitry Andric 
Reviewed-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Mon Jan  4 10:50:07 UTC 2021 on sn-devel-184

(cherry picked from commit 3e96c95d41e4ccd0bf43b3ee78af644e2bc32e30)

---

Summary of changes:
 .gitlab-ci.yml | 2 +-
 bootstrap/config.py| 6 --
 bootstrap/generated-dists/centos8/bootstrap.sh | 6 --
 bootstrap/sha1sum.txt  | 2 +-
 source3/lib/messages.c | 6 +++---
 5 files changed, 13 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c657b4a1d8f..0004820968a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -23,7 +23,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: 1275dc52ac8c1de5981f267df88b85b6f87e299a
+  SAMBA_CI_CONTAINER_TAG: b5b78cacae2fa6cec91925170bc6d4e3774cac9b
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 24f21a3c749..320a28e0f00 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -232,8 +232,10 @@ yum install -y dnf-plugins-core
 yum install -y epel-release
 
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y
-yum config-manager --set-enabled Devel -y
+yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y
+yum config-manager --set-enabled Devel -y || \
+yum config-manager --set-enabled devel -y
 yum update -y
 
 yum install -y \
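
Review bot: The `|| \` fallback on the two `yum config-manager --set-enabled` lines runs the lowercase name after any failure of the first command, not only when the repo id is unknown, so an unrelated failure surfaces only through the second command's error. A short comment above the pair saying that both spellings exist because of the case change in the CentOS 8 repo names would explain why each command is tried twice. If both spellings fail, the script carries on to `yum update -y` unless the shell runs with errexit, which the hunk does not show.
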
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh 
b/bootstrap/generated-dists/centos8/bootstrap.sh
index b494d0040dd..eeea0e8f3b3 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8/bootstrap.sh
@@ -12,8 +12,10 @@ yum install -y dnf-plugins-core
 yum install -y epel-release
 
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y
-yum config-manager --set-enabled Devel -y
+yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y
+yum config-manager --set-enabled Devel -y || \
+yum config-manager --set-enabled devel -y
 yum update -y
 
 yum install -y \
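
Review bot: Confirm that this generated-dists file was produced by re-rendering from bootstrap/config.py and not edited by hand; the four changed lines are identical to the config.py hunk. The commit message should say that the file and bootstrap/sha1sum.txt were regenerated, since SAMBA_CI_CONTAINER_TAG in .gitlab-ci.yml has to match that hash.
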
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 345d4a95e98..9101ad627cc 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-1275dc52ac8c1de5981f267df88b85b6f87e299a
+b5b78cacae2fa6cec91925170bc6d4e3774cac9b
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index c63b027c617..448e5d5a2b6 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -157,7 +157,7 @@ struct messaging_rec *messaging_rec_create(
 
{
struct messaging_rec rec;
-   int64_t fds64[num_fds];
+   int64_t fds64[MAX(1, num_fds)];
size_t i;
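
Review bot: `int64_t fds64[MAX(1, num_fds)];` removes the zero-length case, but the array is still a stack VLA sized by the incoming num_fds, and no upper bound on num_fds is visible in this hunk. If the callers do not already cap it, add a check against a fixed maximum before the declaration (or allocate from the heap), and add a comment that the MAX(1, ...) exists only to avoid the undefined zero-length declaration.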
 
 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-12-15 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  6f4f529dded VERSION: Bump version up to 4.13.4...
   via  916472aebc9 VERSION: Disable GIT_SNAPSHOT for the 4.13.3 release.
   via  1648eed2470 WHATSNEW: Add release notes for Samba 4.13.3.
  from  670c33fe9cb vfs_zfsacl: add missing inherited flag on hidden "magic" everyone@ ACE

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 6f4f529ddedfefae28a4476b33e9e1b556469786
Author: Karolin Seeger 
Date:   Tue Dec 15 08:51:12 2020 +0100

VERSION: Bump version up to 4.13.4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 916472aebc907c6bc78972e16c5d0557ad215b59
Author: Karolin Seeger 
Date:   Tue Dec 15 08:50:21 2020 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.13.3 release.

Signed-off-by: Karolin Seeger 

commit 1648eed247013464624076e8430fb590d0e32aa7
Author: Karolin Seeger 
Date:   Tue Dec 15 08:48:59 2020 +0100

WHATSNEW: Add release notes for Samba 4.13.3.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 75 ++--
 2 files changed, 74 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 3450883b693..567aa29970f 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a3ce5cc3dd5..947fd89e3c3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,74 @@
+   ==
+   Release Notes for Samba 4.13.3
+  December 15, 2020
+   ==
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+
+Changes since 4.13.2
+
+
+o  Jeremy Allison 
+   * BUG 14210: libcli: smb2: Never print length if smb2_signing_key_valid()
+ fails for crypto blob.
+   * BUG 14486: s3: modules: gluster. Fix the error I made in preventing talloc
+ leaks from a function. 
+   * BUG 14515: s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with
+ NULL via TALLOC_FREE().
+   * BUG 14568: s3: spoolss: Make parameters in call to user_ok_token() match
+ all other uses.
+   * BUG 14590: s3: smbd: Quiet log messages from usershares for an unknown
+ share.
+
+o  Ralph Boehme 
+   * BUG 14248: samba process does not honor max log size.
+   * BUG 14587: vfs_zfsacl: Add missing inherited flag on hidden "magic"
+ everyone@ ACE.
+
+o  Isaac Boukris 
+   * BUG 13124: s3-libads: Pass timeout to open_socket_out in ms.
+
+o  Günther Deschner 
+   * BUG 14486: s3-vfs_glusterfs: Always disable write-behind translator.
+
+o  Volker Lendecke 
+   * BUG 14517: smbclient: Fix recursive mget.
+   * BUG 14581: clitar: Use do_list()'s recursion in clitar.c.
+
+o  Anoop C S 
+   * BUG 14486: manpages/vfs_glusterfs: Mention silent skipping of write-behind
+ translator.
+   * BUG 14573: vfs_shadow_copy2: Preserve all open flags assuming ROFS.
+
+o  Jones Syue 
+   * BUG 14514: interface: Fix if_index is not parsed correctly.
+
+
+###
+Reporting bugs & Development Discussion
+###
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+==
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==
+
+
+Release notes for older releases follow:
+
+
==
Release Notes for Samba 4.13.2
   November 03, 2020
@@ -104,8 +175,8 @@ database (https://bugzilla.samba.org/).
 ==
 
 
-Release notes for older releases follow:
-
+--
+
 
==
Release Notes for Samba 4.13.1



[SCM] Samba Shared Repository - branch v4-13-test updated

2020-12-09 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  670c33fe9cb vfs_zfsacl: add missing inherited flag on hidden "magic" everyone@ ACE
   via  67d42392a31 vfs_zfsacl: reformatting
   via  e3d6d452118 s4/samba: call force_check_log_size() in standard_new_task()
   via  db202fc3efc s4/samba: call force_check_log_size() in standard_accept_connection()
   via  f89daf8d255 s4/samba: call force_check_log_size() in prefork_reload_after_fork()
   via  7258fc076ad s4: call reopen_logs_internal() in the SIGHUP handler of the prefork process model
   via  fa2ea13ec04 s4: replace low-level SIGUP handler with a tevent handler
   via  504c6e03018 s4: install tevent tracing hooks to trigger logfile rotation
   via  69a8fb4f971 s4: add samba server tevent trace helper stuff
   via  80401025504 debug: detect logrotation by checking inode number
   via  e7df21ac640 debug: pass struct debug_class *config to do_one_check_log_size()
   via  39efb02c6b4 debug: pass struct debug_class *config to reopen_one_log()
   via  99ea8cd6dfa loadparm: setup debug subsystem setting max_log_size from config
  from  54d3d3cbf49 s3: smbd: Quiet log messages from usershares for an unknown share.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 670c33fe9cbfe033feb785bf82e0540b1d95d762
Author: Ralph Boehme 
Date:   Mon Nov 30 12:28:58 2020 +0100

vfs_zfsacl: add missing inherited flag on hidden "magic" everyone@ ACE

This was an omission in the fixes for bug 14470.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14587

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Tue Dec  1 20:29:34 UTC 2020 on sn-devel-184

(cherry picked from commit 936f74daed0d6221312f651f35c4ed357bbf1414)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Dec  9 08:56:47 UTC 2020 on sn-devel-184

commit 67d42392a31781296936f7de74a4622874586084
Author: Ralph Boehme 
Date:   Mon Nov 30 12:28:00 2020 +0100

vfs_zfsacl: reformatting

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14587

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit a8457ac3c80e22588e33a343c2306b702734ca88)

commit e3d6d452118389dedbd64f22a2e1f167d24dd45f
Author: Ralph Boehme 
Date:   Thu Nov 26 15:24:44 2020 +0100

s4/samba: call force_check_log_size() in standard_new_task()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248
RN: samba process does not honor max log size

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Dec  7 18:54:29 UTC 2020 on sn-devel-184

(cherry picked from commit 058f96f4c4eda42b404f0067521d3eafb495fe7d)

commit db202fc3efc104bb9ded33931759e506f0523d25
Author: Ralph Boehme 
Date:   Thu Nov 26 15:24:26 2020 +0100

s4/samba: call force_check_log_size() in standard_accept_connection()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 6fa5fb8ef26dab862df5c46bb5e74f19839c30e2)

commit f89daf8d25585a22470dfe4ca04157421f8e93cf
Author: Ralph Boehme 
Date:   Thu Nov 26 15:23:58 2020 +0100

s4/samba: call force_check_log_size() in prefork_reload_after_fork()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme 
(cherry picked from commit 82b64e930b0e2d3b2e5186017d9f8e420994136c)

commit 7258fc076adab75d3abeaa874159eb5b04ee5f23
Author: Ralph Boehme 
Date:   Mon Nov 23 16:44:04 2020 +0100

s4: call reopen_logs_internal() in the SIGHUP handler of the prefork process model

With debug_schedule_reopen_logs() the actual reopen only takes place at some
point in the future when a DEBUG message is processed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 19413e76a46f07fdd46fde5e60707bb6845a782d)

commit fa2ea13ec04c09d1748aad41b27bbcb0c8e056f8
Author: Ralph Boehme 
Date:   Fri Nov 20 15:21:03 2020 +0100

s4: replace low-level SIGUP handler with a tevent handler

Replace the low-level signal handler for SIGHUP with a nice tevent signal
handler. The low-level handler sig_hup() installed by setup_signals() remains
being used during early startup before a tevent context is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14248

Signed-off-by: Ralph Boehme 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 9f71e6173ab43a04804ba8061cb0e8ae6c0165bf)

commit 504c6e03018038aef0fa4753b9e0f315307f4ad1
Author: 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-12-08 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  54d3d3cbf49 s3: smbd: Quiet log messages from usershares for an unknown share.
   via  f7490ec9d94 s3-libads: Pass timeout to open_socket_out in ms
  from  585c49f21f7 vfs_glusterfs: print exact cmdline for disabling write-behind translator

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 54d3d3cbf49b660f7e93aa45caa94fa6821c0999
Author: Jeremy Allison 
Date:   Wed Dec 2 11:47:02 2020 -0800

s3: smbd: Quiet log messages from usershares for an unknown share.

No need to log missing shares/sharenames at debug level zero.

Keep the debug level zero for all other usershare problems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14590

Signed-off-by: Jeremy Allison 
Reviewed-by: Rowland Penny 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Fri Dec  4 20:54:06 UTC 2020 on sn-devel-184

(cherry picked from commit 8a0a7359faba642baf55a8f98ff78c0d0884d0f0)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Dec  8 10:21:11 UTC 2020 on sn-devel-184

commit f7490ec9d94edfc9cdc79e70580b3b226a2022d5
Author: Isaac Boukris 
Date:   Tue Jul 14 22:38:06 2020 +0200

s3-libads: Pass timeout to open_socket_out in ms

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andreas Schneider 
Autobuild-Date(master): Thu Jul 16 10:41:40 UTC 2020 on sn-devel-184

(cherry picked from commit d67e9149a612044e247e7a4d78913ecf396c69fc)

---

Summary of changes:
 source3/libads/ldap.c|  4 +++-
 source3/param/loadparm.c | 10 ++
 2 files changed, 13 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 10ab043f721..ee4628a09a2 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
{
int fd = -1;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+   unsigned timeout_ms = 1000 * to;
 
-   status = open_socket_out(ss, port, to, );
+   status = open_socket_out(ss, port, timeout_ms, );
if (!NT_STATUS_IS_OK(status)) {
+   DEBUG(3, ("open_socket_out: failed to open socket\n"));
return NULL;
}
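
Review bot: The new `DEBUG(3, ("open_socket_out: failed to open socket\n"));` drops the reason for the failure even though `status` is in scope; log nt_errstr(status) and the port so a timeout can be told apart from a refused connection. Also, `unsigned timeout_ms = 1000 * to;` multiplies before the conversion to unsigned, so a negative or very large `to` yields a wrapped timeout. The type of `to` is not visible in this hunk, so check or clamp it first.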
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 6674485738a..a3abaa2ec67 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -3418,6 +3418,11 @@ static int process_usershare_file(const char *dir_name, 
const char *file_name, i
   open and fstat. Ensure this isn't a symlink link. */
 
if (sys_lstat(fname, , false) != 0) {
+   if (errno == ENOENT) {
+   /* Unknown share requested. Just ignore. */
+   goto out;
+   }
+   /* Only log messages for meaningful problems. */
DEBUG(0,("process_usershare_file: stat of %s failed. %s\n",
fname, strerror(errno) ));
goto out;
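
Review bot: The ENOENT branch after `sys_lstat()` leaves via `goto out` with no message at any debug level, so a request for a share name that does not exist can no longer be seen in the logs at all. A `DEBUG(10, ...)` line naming `fname` would keep level 0 quiet and still leave a trace for someone debugging a missing usershare file or reviewing repeated lookups of unknown names.
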
@@ -3623,6 +3628,11 @@ int load_usershare_service(const char *servicename)
int max_user_shares = Globals.usershare_max_shares;
int snum_template = -1;
 
+   if (servicename[0] == '\0') {
+   /* Invalid service name. */
+   return -1;
+   }
+
if (*usersharepath == 0 ||  max_user_shares == 0) {
return -1;
}
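
Review bot: `servicename[0] == '\0'` dereferences the pointer before any NULL check, and nothing in the hunk shows that callers guarantee a non-NULL name. Either test `servicename == NULL ||` first or state the non-NULL precondition in the function comment. The commit message only talks about quieter logging, so the new early return for an empty name deserves a line there as well.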


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2020-12-02 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  585c49f21f7 vfs_glusterfs: print exact cmdline for disabling write-behind translator
   via  587fa331f62 manpages/vfs_glusterfs: Mention silent skipping of write-behind translator
   via  2ea7b5c43e8 selftest: Remove samba3.blackbox.smbclient_tar from flapping tests
   via  8cec2732890 clitar: Use do_list()'s recursion in clitar.c
   via  2954051aa6d s3/script/tests: Ensure all remote test files are removed
   via  5f1772d94a3 s3/script/tests: call smbclient deltree to remove remote files
   via  257ce5ed541 s3/script/tests: Make smb_client 'die' behaviour configurable
   via  a0ab7adfd78 s3/script/tests: Remove make_path (for remote dir)
   via  c19198e8732 selftest: make samba3.blackbox.smbclient_tar runnable (even manually)
   via  53a91d6cdc0 s3/script/tests: Fix samba3.blackbox.smbclient_tarmode cleanup
   via  896d93091ab s3/script: Use smbclient deltree to clean up smbclient_tarmode subdir
   via  5908aebf364 s3/script/tests: Use tarmode share for samba3.blackbox.smbclient_tar*
   via  5143b487532 s3/script/test: Use different testdir for samba3.blackbox.smbclient_tarmode
   via  7fb13330380 selftest: Add a new tarmode shares
   via  d67c3ea864b s3/script/tests: Fix 'Unrecognized option(s) passed to mkpath()' error
   via  e9b2be96ebc Revert "vfs_ceph: drop fdopendir handler"
  from  441bf80265f smbclient: Fix recursive mget

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 585c49f21f7db686f479ce02b2ae647a313f1184
Author: Günther Deschner 
Date:   Tue Nov 24 15:38:41 2020 +0100

vfs_glusterfs: print exact cmdline for disabling write-behind translator

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Guenther

Signed-off-by: Guenther Deschner 
Reviewed-by: Anoop C S 

Autobuild-User(master): Günther Deschner 
Autobuild-Date(master): Fri Nov 27 17:15:07 UTC 2020 on sn-devel-184

(cherry picked from commit 369c1d539837b70e94fe9d533d44860c8a9380a1)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Wed Dec  2 14:49:18 UTC 2020 on sn-devel-184

commit 587fa331f62f6bd36fdb8688c8d0734d02f07ee8
Author: Anoop C S 
Date:   Thu Nov 5 16:12:09 2020 +0530

manpages/vfs_glusterfs: Mention silent skipping of write-behind translator

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Signed-off-by: Anoop C S 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Guenther Deschner 

Autobuild-User(master): Günther Deschner 
Autobuild-Date(master): Mon Nov  9 13:30:06 UTC 2020 on sn-devel-184

(cherry picked from commit be03ce7d8bb213633eedcfc3299b8d9865a3c67f)

commit 2ea7b5c43e814faef44cf76b5ffad93e4a2f4840
Author: Noel Power 
Date:   Mon Nov 30 09:21:50 2020 +

selftest: Remove samba3.blackbox.smbclient_tar from flapping tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14581

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 89e2d68bb4d93dc391af97f35ff1148aec7930b0)

commit 8cec27328904e47462051878db2de97033ecbd9b
Author: Volker Lendecke 
Date:   Tue Dec 1 08:58:14 2020 +0100

clitar: Use do_list()'s recursion in clitar.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14581

Signed-off-by: Volker Lendecke 
Reviewed-by: Aurelien Aptel 
Reviewed-by: Noel Power 
(cherry picked from commit 20e0ce508844fec2dd0011423b10484dc7ccfdb7)

commit 2954051aa6db3b38d24801fe451019ccec0b5c77
Author: Jeremy Allison 
Date:   Mon Nov 30 17:19:29 2020 +

s3/script/tests: Ensure all remote test files are removed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14581

Signed-off-by: Jeremy Allison 
Reviewed-by: Noel Power 
(cherry picked from commit 16ffa17ee28edfc3bc70c66abf41b5518aeab8fe)

commit 5f1772d94a34922a4fc83ff8a036cbb3ce2dcdd5
Author: Noel Power 
Date:   Mon Nov 30 10:41:57 2020 +

s3/script/tests: call smbclient deltree to remove remote files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14581

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 6c7dc4959fd5de4382aee413b4cc711cc6f281f4)

commit 257ce5ed541c0e46bbd565bd8a89d5905287897c
Author: Noel Power 
Date:   Mon Nov 30 10:18:32 2020 +

s3/script/tests: Make smb_client 'die' behaviour configurable

smb_client behaviour is to die if there is an error. This is
a little heavy handed and makes it impossible for example to
use smb_client to run a command that might fail (where such
a failure isn't really an error), e.g. calling deltree when
the directory doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14581

Signed-off-by: Noel Power 
Reviewed-by: Jeremy Allison 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-11-26 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  441bf80265f smbclient: Fix recursive mget
   via  67364d982d9 test3: Add a test showing that smbclient recursive mget is broken
   via  b4be2f994d1 smbclient: Slightly simplify do_mget()
   via  ddb0d43f0ae smbclient: Remove the "abort_mget" variable
  from  8c82d0fd49b vfs_shadow_copy2: Preserve all open flags assuming ROFS

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 441bf80265f41ab6384c2b209943d36c3c441b37
Author: Volker Lendecke 
Date:   Mon Sep 28 15:03:41 2020 +0200

smbclient: Fix recursive mget

Make do_mget rely on do_list() already doing the recursion in a
breadth-first manner. The previous code called do_list() from within
its callback. Unfortunately the recent simplifications of do_list()
broke this, leading to recursive mget to segfault. Instead of figuring
out how this worked before the simplifications in do_list() (I did
spend a few hours on this) and fixing it, I chose to restructure
do_mget() to not recursively call do_list() anymore but instead rely
on do_list() to do the recursion. Saves quite a few lines of code and
complexity.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14517
Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Wed Sep 30 17:23:45 UTC 2020 on sn-devel-184

(cherry picked from commit 9f24b5098f796f364a3f403ad4e9ae28b3c0935a)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Nov 26 09:43:32 UTC 2020 on sn-devel-184

commit 67364d982d911f80604145b95904d075b13bb036
Author: Volker Lendecke 
Date:   Mon Sep 28 16:29:27 2020 +0200

test3: Add a test showing that smbclient recursive mget is broken

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14517
Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 254a5b034e5a081c9d3f28717a4b54d2af0180fc)

commit b4be2f994d1776a6ed6507d17bb9a1b5a378a29d
Author: Volker Lendecke 
Date:   Mon Sep 28 14:21:24 2020 +0200

smbclient: Slightly simplify do_mget()

Put the prompt query into a separate if-statement, move the "quest"
variable closer to its use

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14517
Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 71bc4d4b8d94458ac2e40d659f06110d434fd5c9)

commit ddb0d43f0ae064fc6cc4c9a466eb98e002b520fd
Author: Volker Lendecke 
Date:   Mon Sep 28 14:11:13 2020 +0200

smbclient: Remove the "abort_mget" variable

This was never set to true anywhere in the code

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14517
Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 8fa451d2b052223a11b24ffc2a956b80d03aaa7c)

---

Summary of changes:
 source3/client/client.c | 152 
 source3/script/tests/test_smbclient_mget.sh |  39 +++
 source3/selftest/tests.py   |  10 ++
 3 files changed, 93 insertions(+), 108 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_mget.sh


Changeset truncated at 500 lines:

diff --git a/source3/client/client.c b/source3/client/client.c
index f65293849d0..8c7ceb644aa 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -87,8 +87,6 @@ static char dest_ss_str[INET6_ADDRSTRLEN];
 
 #define SEPARATORS " \t\n\r"
 
-static bool abort_mget = true;
-
 /* timing globals */
 uint64_t get_total_size = 0;
 unsigned int get_total_time_ms = 0;
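
Review bot: The removed declaration reads `static bool abort_mget = true;`, so the variable did start out true, which is at odds with the commit message's statement that it was never set to true. The message should say which assignment reset it before do_mget() could run, because that is what makes dropping the `if (abort_mget)` check in do_mget() safe.
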
@@ -1203,12 +1201,10 @@ static NTSTATUS do_mget(struct cli_state *cli_state, 
struct file_info *finfo,
const char *dir)
 {
TALLOC_CTX *ctx = talloc_tos();
-   NTSTATUS status = NT_STATUS_OK;
-   char *rname = NULL;
-   char *quest = NULL;
-   char *saved_curdir = NULL;
-   char *mget_mask = NULL;
-   char *new_cd = NULL;
+   const char *client_cwd = NULL;
+   size_t client_cwd_len;
+   char *path = NULL;
+   char *local_path = NULL;
 
if (!finfo->name) {
return NT_STATUS_OK;
@@ -1217,121 +1213,63 @@ static NTSTATUS do_mget(struct cli_state *cli_state, 
struct file_info *finfo,
if (strequal(finfo->name,".") || strequal(finfo->name,".."))
return NT_STATUS_OK;
 
-   if (abort_mget) {
-   d_printf("mget aborted\n");
-   return NT_STATUS_UNSUCCESSFUL;
-   }
-
-   if (finfo->attr & FILE_ATTRIBUTE_DIRECTORY) {
-   if (asprintf(,
-"Get directory %s? ",finfo->name) < 0) {
-   return NT_STATUS_NO_MEMORY;
-   }
-   } else {
- 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-11-19 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  8c82d0fd49b vfs_shadow_copy2: Preserve all open flags assuming ROFS
   via  7e9d27271db s3: spoolss: Make parameters in call to user_ok_token() match all other uses.
   via  61c8a44895e s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via TALLOC_FREE().
   via  68f19debb74 interface: fix if_index is not parsed correctly
   via  76f07c13cd6 s3: modules: gluster. Fix the error I made in preventing talloc leaks from a function.
   via  c58689c9aad libcli: smb2: Never print length if smb2_signing_key_valid() fails for crypto blob.
  from  4337a6378db s3-vfs_glusterfs: always disable write-behind translator

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 8c82d0fd49b0406b34e60f49fd4c3b2ff95cb049
Author: Anoop C S 
Date:   Thu Nov 12 20:27:24 2020 +0530

vfs_shadow_copy2: Preserve all open flags assuming ROFS

Instead of replacing open flags with just O_RDONLY, filter out all those
flags unrelated to a Read Only File System

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14573

Signed-off-by: Anoop C S 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Thu Nov 12 17:23:19 UTC 2020 on sn-devel-184

(cherry picked from commit e9e06a11daf036abf7a7022ebc8eaefde178aa52)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Nov 19 11:24:37 UTC 2020 on sn-devel-184

commit 7e9d27271db00db8610eeabdebb49d59f03345ac
Author: Jeremy Allison 
Date:   Thu Nov 5 15:48:08 2020 -0800

s3: spoolss: Make parameters in call to user_ok_token() match all other 
uses.

We already have p->session_info->unix_info->unix_name, we don't
need to go through a legacy call to 
uidtoname(p->session_info->unix_token->uid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14568

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Mon Nov  9 04:10:45 UTC 2020 on sn-devel-184

(cherry picked from commit e5e1759057a767f517bf480a2172a36623df2799)

commit 61c8a44895ea5e4bd42d1447384005d89f5327e6
Author: Jeremy Allison 
Date:   Sat Sep 26 22:14:33 2020 -0700

s3: smbd: Don't overwrite contents of fsp->aio_requests[0] with NULL via 
TALLOC_FREE().

They may have been carefully set by the aio_del_req_from_fsp()
destructor so we must not overwrite here.

Found via some *amazing* debugging work from Ashok Ramakrishnan 
.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14515

Signed-off-by: Jeremy Allison 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Wed Sep 30 11:18:43 UTC 2020 on sn-devel-184

(cherry picked from commit fca8cb63762faff54cda243c1ed8217b36333131)

commit 68f19debb7453a83d1837c4a0595f7d433b562c0
Author: Jones Syue 
Date:   Mon Sep 28 09:10:03 2020 +0800

interface: fix if_index is not parsed correctly

Replace probed_ifaces[i] with ifs.

In SDC 2020 SMB3 Virtual IO Lab,
run Windows Protocol Test Suite to test FileServer multichannel test cases.
Samba server has 2 virtual interfaces for VPN connection:
> name=tun2001, ip/mask=192.168.144.9/22
> name=tun2002, ip/mask=192.168.144.10/22
test suite client can ping these 2 ip addresses and browse shares.
Then client try to use IOCTL FSCTL_QUERY_NETWORK_INTERFACE_INFO to get the
virtual ip addresses of samba server, but samba server responded it
without the virtual ip addresses. My VPN setup is point-to-point and the
virtual interfaces 'tun2001' & 'tun2002' are without flag IFF_BROADCAST.
So edit smb.conf and add
"interfaces = ${virtual_ip}/${mask_length};if_index=${id}", like this:
> interfaces = eth4 eth8 eth11 eth10 qvs0 "192.168.144.9/22;if_index=50" 
"192.168.144.10/22;if_index=51"
then samba server IOCTL response could return the virtual ip addresses,
but found an issue:
the interface index of virtual ip addresses is always 4294967295
(0x, -1).

Quote Metze: 
https://gitlab.com/samba-team/devel/samba/-/commit/6cadb55d975a6348a417caed8b3258f5be2acba4#note_419181789
This looks good, I think that also explains
the possible memory corruption/crash I mentioned in the bug report.
As 'i' is most likely the same as 'total_probed' and
probed_ifaces[i] is not valid, so we overwrite unrelated memory.
Later I see 'realloc(): invalid pointer' and this backtrace:
  BACKTRACE:
   #0 log_stack_trace + 0x29 [ip=0x7f2f1b6fffa9] [sp=0x7ffcd0ab53e0]
   #1 smb_panic + 0x11 [ip=0x7f2f1b700301] [sp=0x7ffcd0ab5d10]
   #2 sig_fault + 0x54 [ip=0x7f2f1b7004f4] [sp=0x7ffcd0ab5e20]
   #3 funlockfile + 0x50 [ip=0x7f2f17ce6dd0] 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-11-05 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  4337a6378db s3-vfs_glusterfs: always disable write-behind translator
  from  87b220530b2 VERSION: Bump version up to 4.13.3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 4337a6378db35d6204886d4e3ad6add5c727c7cd
Author: Günther Deschner 
Date:   Mon Nov 2 16:10:44 2020 +0100

s3-vfs_glusterfs: always disable write-behind translator

The "pass-through" option has now been merged upstream as of:
https://github.com/gluster/glusterfs/pull/1640

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Guenther

Signed-off-by: Guenther Deschner 
Pair-Programmed-With: Anoop C S 
Pair-Programmed-With: Sachin Prabhu 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Wed Nov  4 22:53:49 UTC 2020 on sn-devel-184

(cherry picked from commit a51cda69ec6a017ad04b5690a3ae67a5478deee9)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Nov  5 13:54:25 UTC 2020 on sn-devel-184

---

Summary of changes:
 source3/modules/vfs_glusterfs.c | 20 +---
 source3/wscript |  3 +++
 2 files changed, 20 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index 3cbb1ab6cb6..bdfe35ced82 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -363,6 +363,7 @@ static int vfs_gluster_connect(struct vfs_handle_struct 
*handle,
glfs_t *fs = NULL;
TALLOC_CTX *tmp_ctx;
int ret = 0;
+   bool write_behind_pass_through_set = false;
 
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -435,6 +436,17 @@ static int vfs_gluster_connect(struct vfs_handle_struct 
*handle,
goto done;
}
 
+#ifdef HAVE_GFAPI_VER_7_9
+   ret = glfs_set_xlator_option(fs, "*-write-behind", "pass-through",
+"true");
+   if (ret < 0) {
+   DBG_ERR("%s: Failed to set xlator option: pass-through\n",
+   volume);
+   goto done;
+   }
+   write_behind_pass_through_set = true;
+#endif
+
ret = glfs_set_logging(fs, logfile, loglevel);
if (ret < 0) {
DEBUG(0, ("%s: Failed to set logfile %s loglevel %d\n",
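Review bot: The new HAVE_GFAPI_VER_7_9 block has no comment saying why pass-through is forced on the write-behind translator, so a later reader sees an unexplained xlator option set just before glfs_set_logging(). Add a short comment above glfs_set_xlator_option() pointing at the data-corruption problem tracked in BUG 14486 and stating that success here is what allows the volfile check to be skipped. The DBG_ERR text would also help an admin more if it named the translator as well as the option, for example "*-write-behind pass-through".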
@@ -449,9 +461,11 @@ static int vfs_gluster_connect(struct vfs_handle_struct 
*handle,
goto done;
}
 
-   ret = check_for_write_behind_translator(tmp_ctx, fs, volume);
-   if (ret < 0) {
-   goto done;
+   if (!write_behind_pass_through_set) {
+   ret = check_for_write_behind_translator(tmp_ctx, fs, volume);
+   if (ret < 0) {
+   goto done;
+   }
}
 
ret = glfs_set_preopened(volume, handle->conn->connectpath, fs);
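Review bot: The guard `if (!write_behind_pass_through_set)` makes the refusal check depend entirely on glfs_set_xlator_option() having returned >= 0 in the previous hunk; nothing in these lines confirms that the loaded volume honoured the option. Since check_for_write_behind_translator() was the only protection against the write-behind corruption, say in a comment above the `if` why a successful return is sufficient to skip it. It is also worth noting there that builds without HAVE_GFAPI_VER_7_9 leave the flag false and still run the check.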
diff --git a/source3/wscript b/source3/wscript
index 335cfd797f1..9920432a360 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -1766,6 +1766,9 @@ main() {
 conf.CHECK_CFG(package='glusterfs-api', args='"glusterfs-api >= 7.6" 
--cflags --libs',
msg='Checking for glusterfs-api >= 7.6',
uselib_store="GFAPI_VER_7_6")
+conf.CHECK_CFG(package='glusterfs-api', args='"glusterfs-api >= 7.9" 
--cflags --libs',
+   msg='Checking for glusterfs-api >= 7.9',
+   uselib_store="GFAPI_VER_7_9")
 else:
 conf.SET_TARGET_TYPE('gfapi', 'EMPTY')
 conf.undefine('HAVE_GLUSTERFS')
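Review bot: The new probe hard-codes glusterfs-api >= 7.9 without recording what that version provides; the commit message only links the upstream pull request for the "pass-through" option. Add a comment next to `uselib_store="GFAPI_VER_7_9"` stating which feature this version gates, since the resulting define is what vfs_glusterfs.c tests with `#ifdef HAVE_GFAPI_VER_7_9`.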





[SCM] Samba Shared Repository - branch v4-13-test updated

2020-11-03 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  87b220530b2 VERSION: Bump version up to 4.13.3...
   via  ffef4e947a6 VERSION: Disable GIT_SNAPSHOT for the 4.13.2 release.
   via  c2df37320aa WHATSNEW: Add relase notes for Samba 4.13.2.
  from  2599b6bd3ef s3: modules: vfs_glusterfs: Fix leak of char **lines 
onto mem_ctx on return.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 87b220530b26f984193118e8f849f26fe0729e59
Author: Karolin Seeger 
Date:   Tue Nov 3 13:23:25 2020 +0100

VERSION: Bump version up to 4.13.3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit ffef4e947a697218432d3d839e4d0490a9509a96
Author: Karolin Seeger 
Date:   Tue Nov 3 13:22:45 2020 +0100

VERSION: Disable GIT_SNAPSHOT for the 4.13.2 release.

Signed-off-by: Karolin Seeger 

commit c2df37320aac48214a199d2ede4a3c9099a4f447
Author: Karolin Seeger 
Date:   Tue Nov 3 13:22:10 2020 +0100

WHATSNEW: Add relase notes for Samba 4.13.2.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |   2 +-
 WHATSNEW.txt | 113 +--
 2 files changed, 112 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 40bee2f283d..3450883b693 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e35229fe06a..a3ce5cc3dd5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,112 @@
+   ==
+   Release Notes for Samba 4.13.2
+  November 03, 2020
+   ==
+
+
+This is the latest stable release of the Samba 4.13 release series.
+
+Major enhancements include:
+  o BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
+  o BUG 14486: vfs_glusterfs: Avoid data corruption with the write-behind
+   translator.
+
+
+===
+Details
+===
+
+The GlusterFS write-behind performance translator, when used with Samba, could
+be a source of data corruption. The translator, while processing a write call,
+immediately returns success but continues writing the data to the server in the
+background. This can cause data corruption when two clients relying on Samba to
+provide data consistency are operating on the same file.
+
+The write-behind translator is enabled by default on GlusterFS.
+The vfs_glusterfs plugin will check for the presence of the translator and
+refuse to connect if detected. Please disable the write-behind translator for
+the GlusterFS volume to allow the plugin to connect to the volume.
+
+
+Changes since 4.13.1
+
+
+o  Jeremy Allison 
+   * BUG 14486: s3: modules: vfs_glusterfs: Fix leak of char 
+ **lines onto mem_ctx on return.
+
+o  Ralph Boehme 
+   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
+
+o  Alexander Bokovoy 
+   * BUG 14538: smb.conf.5: Add clarification how configuration changes
+ reflected by Samba.
+   * BUG 14552: daemons: Report status to systemd even when running in
+ foreground.
+   * BUG 14553: DNS Resolver: Support both dnspython before and after 2.0.0.
+ 
+o  Günther Deschner 
+   * BUG 14486: s3-vfs_glusterfs: Refuse connection when write-behind xlator is
+ present.
+
+o  Amitay Isaacs 
+   * BUG 14487: provision: Add support for BIND 9.16.x.
+   * BUG 14537: ctdb-common: Avoid aliasing errors during code optimization.
+   * BUG 14541: libndr: Avoid assigning duplicate versions to symbols.
+
+o  Björn Jacke 
+   * BUG 14522: docs: Fix default value of spoolss:architecture.
+
+o  Laurent Menase 
+   * BUG 14388: winbind: Fix a memleak.
+
+o  Stefan Metzmacher 
+   * BUG 14531: s4:dsdb:acl_read: Implement "List Object" mode feature.
+
+o  Sachin Prabhu 
+   * BUG 14486: docs-xml/manpages: Add warning about write-behind translator 
for
+ vfs_glusterfs.
+
+o  Khem Raj 
+   * nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h.
+
+o  Anoop C S 
+   * BUG 14530: vfs_shadow_copy2: Avoid closing snapsdir twice.
+
+o  Andreas Schneider 
+   * BUG 14547: third_party: Update resolv_wrapper to version 1.1.7.
+   * BUG 14550: examples:auth: Do not install example plugin.
+
+o  Martin Schwenke 
+   * BUG 14513: ctdb-recoverd: Drop unnecessary and broken code.
+
+o  Andrew Walker 
+   * BUG 14471: RN: vfs_zfsacl: Only grant DELETE_CHILD if ACL tag is special.
+
+
+###
+Reporting bugs & Development 
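Review bot: The Details section tells administrators to "disable the write-behind translator for the GlusterFS volume" but does not say how, and the plugin now refuses to connect until they do. Add a pointer to the vfs_glusterfs manpage CAVEATS section or name the volume setting to change, so an upgrade that suddenly fails to connect can be resolved from the release notes alone. The added line after the BUG 14553 entry also consists only of trailing whitespace and should be an empty `+` line.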

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-11-03 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  2599b6bd3ef s3: modules: vfs_glusterfs: Fix leak of char **lines 
onto mem_ctx on return.
   via  3d5be93eea8 s3-vfs_glusterfs: refuse connection when write-behind 
xlator is present
   via  8079e2a9116 docs-xml/manpages: Add warning about write-behind 
translator for vfs_glusterfs
  from  dbba939ce50 s4:torture: Pass buffer correctly to write()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 2599b6bd3ef0b21590487c95de09be2f82c6d38b
Author: Jeremy Allison 
Date:   Mon Nov 2 15:46:51 2020 -0800

s3: modules: vfs_glusterfs: Fix leak of char **lines onto mem_ctx on return.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Signed-off-by: Jeremy Allison 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Nov  3 01:56:59 UTC 2020 on sn-devel-184

(cherry picked from commit 7d846cd178d653600c71ee4bd6a491a9e48a56da)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Nov  3 10:16:27 UTC 2020 on sn-devel-184

commit 3d5be93eea886e31d1eaf087e9bc21bfae336126
Author: Günther Deschner 
Date:   Mon Nov 2 12:30:36 2020 +0100

s3-vfs_glusterfs: refuse connection when write-behind xlator is present

s3-vfs_glusterfs: refuse connection when write-behind xlator is present

Once the new glusterfs api is available we will programmatically disable
the translator, for now we just refuse the connection as there is
a potential for serious data damage.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Guenther

Signed-off-by: Guenther Deschner 
Pair-Programmed-With: Sachin Prabhu 
Pair-Programmed-With: Anoop C S 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Nov  2 21:40:33 UTC 2020 on sn-devel-184

(cherry picked from commit 2a49ccbcf5e3ff0f6833bcb7f04b800125f1783f)

commit 8079e2a9116a70726cf99c7e7ad6b4ed0f925fbe
Author: Sachin Prabhu 
Date:   Thu Oct 15 12:14:33 2020 +0100

docs-xml/manpages: Add warning about write-behind translator for 
vfs_glusterfs

Add warning about data corruption with the write-behind translator.

The data corruption is highlighted by the smbtorture test smb2.rw.rw1.
More information about this data corruption issue is available in the
bz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14486

Signed-off-by: Sachin Prabhu 
Reviewed-by: Jeremy Allison 
Reviewed-by: Guenther Deschner 
(cherry picked from commit 08f8f665d409ee7b93840c25a8142f2ce8bacfa1)

---

Summary of changes:
 docs-xml/manpages/vfs_glusterfs.8.xml | 22 +
 source3/modules/vfs_glusterfs.c   | 91 +++
 2 files changed, 113 insertions(+)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/vfs_glusterfs.8.xml 
b/docs-xml/manpages/vfs_glusterfs.8.xml
index cf3b8e5e384..7a4da1af919 100644
--- a/docs-xml/manpages/vfs_glusterfs.8.xml
+++ b/docs-xml/manpages/vfs_glusterfs.8.xml
@@ -161,6 +161,28 @@
 
 
 
+
+   CAVEATS
+
+   
+The GlusterFS write-behind performance translator, when used
+with Samba, could be a source of data corruption. The
+translator, while processing a write call, immediately returns
+success but continues writing the data to the server in the
+background. This can cause data corruption when two clients
+relying on Samba to provide data consistency are operating on
+the same file.
+
+
+The write-behind translator is enabled by default on GlusterFS.
+The vfs_glusterfs plugin will check for the presence of the
+translator and refuse to connect if detected.
+Please disable the write-behind translator for the GlusterFS
+volume to allow the plugin to connect to the volume.
+   
+
+
+
 
VERSION
 
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index bf7244ea3a5..3cbb1ab6cb6 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -264,6 +264,92 @@ out:
 
 /* Disk Operations */
 
+static int check_for_write_behind_translator(TALLOC_CTX *mem_ctx,
+glfs_t *fs,
+const char *volume)
+{
+   char *buf = NULL;
+   char **lines = NULL;
+   int numlines = 0;
+   int i;
+   char *option;
+   bool write_behind_present = false;
+   size_t newlen;
+   int ret;
+
+   ret = glfs_get_volfile(fs, NULL, 0);
+   if (ret == 0) {
+

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-10-30 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  dbba939ce50 s4:torture: Pass buffer correctly to write()
   via  e424e1d65e4 DNS Resolver: support both dnspython before and after 
2.0.0
   via  6521b0ff5e2 ctdb-common: Avoid aliasing errors during code 
optimization
   via  d9d661993d4 vfs_zfsacl: only grant DELETE_CHILD if ACL tag is 
special
   via  c64c277b607 vfs_zfsacl: use a helper variable in 
zfs_get_nt_acl_common()
   via  2a6c27d63b7 vfs_zfsacl: README.Coding fix
   via  50bb50341df vfs_zfsacl: Add new parameter to stop automatic 
addition of special entries
   via  1b03a345231 vfs_zfsacl: use handle based facl() call to query ZFS 
filesytem ACL
   via  bca2f0e92c2 libndr: Avoid assigning duplicate versions to symbols
   via  1b6b85304d3 smb.conf.5: add clarification how configuration changes 
reflected by Samba
  from  05aa0b4b3d5 VERSION: Bump version up to 4.13.2.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit dbba939ce50627c32df0b7ee0707be1ea1a7623c
Author: Andreas Schneider 
Date:   Wed Oct 28 15:05:34 2020 +0100

s4:torture: Pass buffer correctly to write()

../../source4/torture/basic/denytest.c: In function 
‘torture_createx_specific.isra’:
../../source4/torture/basic/denytest.c:2372:9: error: ‘write’ reading 56 
bytes from a region of size 8 [-Werror=stringop-overflow=]
 2372 |   res = write(data_file_fd, , cxd_len);
  | ^~

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14555

Signed-off-by: Andreas Schneider 
Reviewed-by: Alexander Bokovoy 
Reviewed-by: Jeremy Allison 
(cherry picked from commit 5f92ec6988d2f4c20eab9449cbe17317588f6634)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Oct 30 13:53:37 UTC 2020 on sn-devel-184

commit e424e1d65e439460783bce4a32b723bc45fb5f2e
Author: Alexander Bokovoy 
Date:   Sat Oct 24 12:17:44 2020 +0300

DNS Resolver: support both dnspython before and after 2.0.0

`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14553

Signed-off-by: Stanislav Levin 
Signed-off-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
(cherry picked from commit 183d5d63f4b40accda3b3ffc980fea391612f964)

commit 6521b0ff5e23dea526f3c0cf9c5843bbb07adcec
Author: Amitay Isaacs 
Date:   Mon Jul 27 12:51:41 2020 +1000

ctdb-common: Avoid aliasing errors during code optimization

When compiling with GCC 10.x and -O3 optimization, the IP checksum
calculation code generates wrong checksum.  The function uint16_checksum
gets inlined during optimization and ip4pkt->tcp data gets wrongly
aliased.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14537

Signed-off-by: Amitay Isaacs 
Reviewed-by: Martin Schwenke 

Autobuild-User(master): Martin Schwenke 
Autobuild-Date(master): Wed Oct 21 05:52:28 UTC 2020 on sn-devel-184

(cherry picked from commit 6aa396b0cd1f83f45cb76a4f3123d99135e8dd8c)

commit d9d661993d4c7619465364905a39e0c90727a4cf
Author: Andrew Walker 
Date:   Thu Sep 24 16:04:12 2020 -0400

vfs_zfsacl: only grant DELETE_CHILD if ACL tag is special

When ZFS aclmode is set to "passthrough" chmod(2)/fchmod(2) will result
in special entries being modified in a way such that delete, delete_child,
write_named_attr, write_attribute are stripped from the returned ACL entry,
and the kernel / ZFS treats this as having rights equivalent to the desired
POSIX mode. Historically, samba has added delete_child to the NFSv4 ACL, but
this is only really called for in the case of special entries in this
particular circumstance.

Alter circumstances in which delete_child is granted so that it only
is added to special entries. This preserves the intended post-chmod behavior,
but avoids unnecessarily increasing 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-10-29 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  05aa0b4b3d5 VERSION: Bump version up to 4.13.2.
   via  c2fef893ca7 Merge tag 'samba-4.13.1' into v4-13-test
   via  9e9941a843f VERSION: Disable GIT_SNAPSHOT for the 4.13.1 release.
   via  5a70cd80017 WHATSNEW: Add release notes for Samba 4.13.1.
   via  862d6fb6f32 CVE-2020-14383: s4/dns: do not crash when additional 
data not found
   via  4cbf95e731b CVE-2020-14383: s4/dns: Ensure variable initialization 
with NULL.
   via  0b259a48a70 CVE-2020-14323 torture4: Add a simple test for invalid 
lookup_sids winbind call
   via  595dd9fc416 CVE-2020-14323 winbind: Fix invalid lookupsids DoS
   via  5dd4c789c13 s3: smbd: Ensure change notifies can't get set unless 
the directory handle is open for SEC_DIR_LIST.
   via  22528b76ed6 s4: torture: Add smb2.notify.handle-permissions test.
   via  3ebed681104 VERSION: Bump version up to 4.13.1...
  from  c4938561a97 daemons: report status to systemd even when running in 
foreground

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 05aa0b4b3d54f380392ea0cf0f34d926aed791ef
Author: Karolin Seeger 
Date:   Thu Oct 29 10:40:54 2020 +0100

VERSION: Bump version up to 4.13.2.

Signed-off-by: Karolin Seeger 

commit c2fef893ca70af2d3bf2cd12f10234e5c7c484e6
Merge: c4938561a97 9e9941a843f
Author: Karolin Seeger 
Date:   Thu Oct 29 10:40:21 2020 +0100

Merge tag 'samba-4.13.1' into v4-13-test

samba: tag release samba-4.13.1

---

Summary of changes:
 VERSION |  2 +-
 WHATSNEW.txt| 93 +
 source3/smbd/notify.c   |  8 +++
 source3/winbindd/winbindd_lookupsids.c  |  2 +-
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 31 +
 source4/torture/smb2/notify.c   | 80 +
 source4/torture/winbind/struct_based.c  | 27 +++
 7 files changed, 227 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index a9d8bb4e55a..40bee2f283d 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
 
 
 # If a official release has a serious bug  #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b7d5254d549..e35229fe06a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,96 @@
+   ==
+   Release Notes for Samba 4.13.1
+  October 29, 2020
+   ==
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
+o CVE-2020-14323: Unprivileged user can crash winbind.
+o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
+ crafted records.
+
+
+===
+Details
+===
+
+o  CVE-2020-14318:
+   The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
+   request file name notification on a directory handle when a condition such 
as
+   "new file creation" or "file size change" or "file timestamp update" occurs.
+
+   A missing permissions check on a directory handle requesting ChangeNotify
+   meant that a client with a directory handle open only for
+   FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
+   notify replies from the server. These replies contain information that 
should
+   not be available to directory handles open for FILE_READ_ATTRIBUTE only.
+
+o  CVE-2020-14323:
+   winbind in version 3.6 and later implements a request to translate multiple
+   Windows SIDs into names in one request. This was done for performance
+   reasons: The Microsoft RPC call domain controllers offer to do this
+   translation, so it was an obvious extension to also offer this batch
+   operation on the winbind unix domain stream socket that is available to 
local
+   processes on the Samba server.
+
+   Due to improper input validation a hand-crafted packet can make winbind
+   perform a NULL pointer dereference and thus crash.
+
+o  CVE-2020-14383:
+   Some DNS records (such as MX and NS records) usually contain data in the
+   additional section. Samba's dnsserver RPC pipe (which is an administrative
+   interface not used in the DNS server itself) made an error in handling the
+   case where there are no records present: instead of noticing the lack of
+   records, it dereferenced uninitialised memory, causing the RPC server to
+   crash. This RPC server, which also serves protocols other 
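Review bot: The CVE-2020-14318 paragraph names the access right two different ways, FILE_READ_ATTRIBUTES in "open only for FILE_READ_ATTRIBUTES" and FILE_READ_ATTRIBUTE in "open for FILE_READ_ATTRIBUTE only". Use one spelling in both places so readers searching for the right by name find both sentences. None of the three CVE entries visible here links to its advisory; if the advisory URLs are not added later in the file, put one under each entry in the summary list.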

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-10-27 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  c4938561a97 daemons: report status to systemd even when running in 
foreground
   via  ff781ba4682 docs: fix default value of spoolss:architecture
   via  24ae26cb49e provision: BIND 9.17.x is not supported
   via  a831cc5799b provision: Add support for BIND 9.16.x
   via  f6b6867d549 bind9-dlz: Add support for BIND 9.16.x
   via  34513738155 provision: BIND 9.15.x is not supported
   via  4e65cc6058e provision: Add support for BIND 9.14.x
   via  63d94da74a6 bind9-dlz: Add support for BIND 9.14.x
   via  b5bc60e77d3 provision: BIND 9.13.x is not supported
   via  8e2ef3cda23 bind9-dlz: Bind 9.13.x switched to using bool as 
isc_boolean_t instead of int.
   via  61cd114be10 examples:auth: Do not install example plugin
   via  b5b7a958ef6 s3:modules: Do not install vfs modules only used for 
testing
   via  cfd5b368d42 unittests: Mark test binaries for selftest
   via  a4c241736bc buildtools: Do not install binaries which are for 
selftest
   via  fe28ffc4a7e s3:script: Fix test_dfree_quota.sh
   via  d76e1b43e2d third_party: Update resolv_wrapper to version 1.1.7
   via  995478c9378 testprogs: Fix and improve upgradeprovision-oldrelease 
test
   via  e51a5e8aea4 testprogs: Fix and improve dbcheck-oldrelease test
   via  7357ddefe33 testprogs: Fix and improve functionalprep test
   via  7b2c975a88b testprogs: Fix and improve dbcheck-links test
   via  2aad79378ad testprogs: Fix and improve runtime-links test
   via  62e97089a88 testprogs: Fix and improve tombstones-expunge test
   via  33b116da10a testprogs: Fix and improve demote-saveddb test
   via  daeada8e48e testprogs: Add remove_directory to common test functions
   via  069c5acc4b6 python: Create targetdir recursively
   via  15e15f7c21b nsswitch/nsstest.c: Avoid nss function conflicts with 
glibc nss.h
   via  b15f35b5738 s4:dsdb:acl_read: Implement "List Object" mode feature
   via  0918966f9d5 s4:dsdb:util: add dsdb_do_list_object() helper
   via  160a2d6a5f9 s4:dsdb:acl_read: defer LDB_ERR_NO_SUCH_OBJECT
   via  ee5b2e3be90 s4:dsdb:acl_read: make use of 
aclread_check_object_visible() for the search base
   via  24e0a440a93 s4:dsdb:acl_read: fully set up 'struct aclread_context' 
before the search base acl check
   via  540cd43baf2 s4:dsdb:acl_read: introduce 
aclread_check_object_visible() helper
   via  f92b61ec826 s4:dsdb:tests: add AclVisibiltyTests
   via  a89a78aa609 python/tests: add DynamicTestCase 
setUpDynamicTestCases() infrastructure
   via  e759ecdae11 ctdb-tests: Strengthen node state checking in ctdb 
disable/enable test
   via  710b287bdc9 ctdb-recoverd: Drop unnecessary and broken code
   via  895bc9a7c2a ctdb-recoverd: Drop unnecessary code
   via  a6606369e2c vfs_shadow_copy2: Avoid closing snapsdir twice
   via  a9bf4f90260 winbind: Fix a memleak
  from  e32a1f1bd25 WHATSNEW: Fix release notes.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit c4938561a97e55efd624694ea55ef7c1a46a350a
Author: Alexander Bokovoy 
Date:   Sat Oct 24 16:52:43 2020 +0300

daemons: report status to systemd even when running in foreground

When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().

As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc

This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.

Make sure that we have required status updates for all daemons in case
we aren't running in interactive mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552

Signed-off-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Mon Oct 26 19:58:18 UTC 2020 on sn-devel-184

(cherry picked from commit 3e27dc4847bd35ca8914be087d5a8ca096510399)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Tue Oct 27 10:50:29 UTC 2020 on sn-devel-184

commit ff781ba4682ded42142ace6e8634fff57788819e
Author: Björn Jacke 
Date:   Tue Oct 6 23:05:24 2020 +0200

docs: fix default value of spoolss:architecture

"Windows x64" is the default here since a couple of years already.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14522

Signed-off-by: Bjoern Jacke 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-23 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  e32a1f1bd25 WHATSNEW: Fix release notes.
  from  cbcc754bc36 VERSION: Bump version up to 4.13.1...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit e32a1f1bd25036b9b870c464202aa715ac65c727
Author: Karolin Seeger 
Date:   Wed Sep 23 09:45:35 2020 +0200

WHATSNEW: Fix release notes.

"server schannel" has not been removed.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 WHATSNEW.txt | 4 
 1 file changed, 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c538f1d63d..b7d5254d549 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -84,9 +84,6 @@ REMOVED FEATURES
 
 The deprecated "ldap ssl ads" smb.conf option has been removed.
 
-The deprecated "server schannel" smb.conf option will very likely
-removed in the final 4.13.0 release.
-
 
 smb.conf changes
 
@@ -102,7 +99,6 @@ smb.conf changes
   client NTLMv2 auth  Deprecated yes
   client lanman auth  Deprecated no
   client use spnego   Deprecated yes
-  server schannel To be removed in 4.13.0
   server require schannel:COMPUTERAdded
 
 





[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-22 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  cbcc754bc36 VERSION: Bump version up to 4.13.1...
   via  3fe82c204f0 VERSION: Disable GIT_SNAPSHOT for the 4.13.0 release.
   via  2034fefbc48 WHATSNEW: Add release notes for Samba 4.13.0.
  from  d8b4efed45c VERSION: Bump version up to 4.13.0rc7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit cbcc754bc36503f1de5b5313fd72653b85dc0a29
Author: Karolin Seeger 
Date:   Tue Sep 22 15:41:37 2020 +0200

VERSION: Bump version up to 4.13.1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 3fe82c204f0d88cb6db50b7bd1f798b591a918f8
Author: Karolin Seeger 
Date:   Tue Sep 22 15:33:16 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0 release.

Signed-off-by: Karolin Seeger 

commit 2034fefbc48444e332d4293e29b34dcceb02d587
Author: Karolin Seeger 
Date:   Tue Sep 22 15:31:49 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  4 ++--
 WHATSNEW.txt | 73 +++-
 2 files changed, 15 insertions(+), 62 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index acb82668f4e..a9d8bb4e55a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=13
-SAMBA_VERSION_RELEASE=0
+SAMBA_VERSION_RELEASE=1
 
 
 # If a official release has a serious bug  #
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=7
+SAMBA_VERSION_RC_RELEASE=
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b103703144f..5c538f1d63d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,69 +1,21 @@
-Release Announcements
-=
+   ==
+   Release Notes for Samba 4.13.0
+  September 22, 2020
+   ==
 
-This is the sixth release condidate of Samba 4.13.  This is *not*
-intended for production environments and is designed for testing
-purposes only.  Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
 
-Samba 4.13 will be the next version of the Samba suite.
+This is the first stable release of the Samba 4.13 release series.
+Please read the release notes carefully before upgrading.
 
-SECURITY
-
 
-o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
-
-The following applies to Samba used as domain controller only (most
-seriously the Active Directory DC, but also the classic/NT4-style DC).
-
-Installations running Samba as a file server only are not directly
-affected by this flaw, though they may need configuration changes to
-continue to talk to domain controllers (see "file servers and domain
-members" below).
-
-The netlogon protocol contains a flaw that allows an authentication
-bypass. This was reported and patched by Microsoft as CVE-2020-1472.
-Since the bug is a protocol level flaw, and Samba implements the
-protocol, Samba is also vulnerable.
-
-However, since version 4.8 (released in March 2018), the default
-behaviour of Samba has been to insist on a secure netlogon channel,
-which is a sufficient fix against the known exploits. This default is
-equivalent to having 'server schannel = yes' in the smb.conf.
-
-Therefore versions 4.8 and above are not vulnerable unless they have
-the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
-
-Samba versions 4.7 and below are vulnerable unless they have 'server
-schannel = yes' in the smb.conf.
-
-Note each domain controller needs the correct settings in its smb.conf.
-
-Vendors supporting Samba 4.7 and below are advised to patch their
-installations and packages to add this line to the [global] section if
-their smb.conf file.
-
-The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
-'FullSecureChannelProtection=1' registry key, the introduction of
-which we understand forms the core of Microsoft's fix.
-
-Some domains employ third-party software that will not work with a
-'server schannel = yes'. For these cases patches are available that
-allow specific machines to use insecure netlogon. For example, the
-following smb.conf:
-
-   server schannel = yes
-   server require schannel:triceratops$ = no
-   server require schannel:greywacke$ = no
-
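Review bot: The visible part of this hunk removes the whole CVE-2020-1472 section from the top of WHATSNEW.txt, including the statement that 4.8 and later are not vulnerable unless 'server schannel = no' or 'server schannel = auto' is set. If the final 4.13.0 notes do not carry that guidance further down (the changeset is truncated here), add at least a one-line pointer to the advisory so administrators who read only the stable release notes still see the configuration requirement.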

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-18 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  d8b4efed45c VERSION: Bump version up to 4.13.0rc7...
   via  09ef8ab5099 VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc6 release.
   via  de91bb3d467 WHATSNEW: Add release notes for Samba 4.13.0rc6.
   via  049388aeb94 WHATSNEW: document the planed removal of "server schannel"
   via  ba279325b7a WHATSNEW: document the 'smb2 disable oplock break retry' option
   via  e4dc8227ae1 CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
   via  7c88d85ca8c CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
   via  e5c7800b096 CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
   via  6192153da9a CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations
   via  b93e1dcd154 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
   via  7ab19ec5a10 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
   via  32dd379f30a CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
   via  b6f91e77ef4 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
   via  befc2aca239 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
   via  6e8f1830382 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
   via  4ad58d61ba1 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2().
   via  ed94cb18f01 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
   via  ba9110a17d7 CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
   via  fdac15704f9 CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values
   via  afa0ec41cbb CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
   via  5f28e4f7473 CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
   via  acf80197316 CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c
   via  9d90cd2b509 CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()
   via  b57b6004db8 CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()
  from  45d4e546067 VERSION: Bump version up to 4.13.0rc5...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit d8b4efed45cb45ba61b48308e713d3cbe240a500
Author: Stefan Metzmacher 
Date:   Fri Sep 18 14:05:27 2020 +0200

VERSION: Bump version up to 4.13.0rc7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

commit 09ef8ab5099ce8fe42638c351ba8ccd4507361e1
Author: Stefan Metzmacher 
Date:   Fri Sep 18 14:04:45 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc6 release.

Signed-off-by: Stefan Metzmacher 

commit de91bb3d467f9562138370882befb9c4f2e77d12
Author: Stefan Metzmacher 
Date:   Fri Sep 18 14:03:37 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0rc6.

CVE-2020-1472: Samba impact of "ZeroLogon".

Signed-off-by: Stefan Metzmacher 

commit 049388aeb94a69adba08da0e4169071e3354fedd
Author: Stefan Metzmacher 
Date:   Fri Sep 18 14:01:29 2020 +0200

WHATSNEW: document the planed removal of "server schannel"

Also add "server require schannel:COMPUTER"

Signed-off-by: Stefan Metzmacher 

commit ba279325b7afcb610a716839c3db3b139593ad5a
Author: Stefan Metzmacher 
Date:   Fri Sep 18 13:59:26 2020 +0200

WHATSNEW: document the 'smb2 disable oplock break retry' option

Signed-off-by: Stefan Metzmacher 

commit e4dc8227ae1e28ef7f49d0903d057c7f7912ca27
Author: Gary Lockyer 
Date:   Fri Sep 18 15:57:34 2020 +1200

CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge

Ensure that client challenges with the first 5 bytes identical are
rejected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Gary Lockyer 

[abart...@samba.org: backported from master as test order was flipped]

commit 7c88d85ca8c513f0fe967f91f4ea64d8f63d0aee
Author: Gary Lockyer 
Date:   Fri Sep 18 12:39:54 2020 +1200

CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd

Ensure that an empty machine account password can't be set by
netr_ServerPasswordSet2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497


[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-15 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  45d4e546067 VERSION: Bump version up to 4.13.0rc5...
   via  f5fd34cced9 VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc5 release.
   via  a0074cacc4a WHATSNEW: Add release notes for Samba 4.13.0rc5.
   via  47e446f3f7c waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14
   via  8bd284a5b36 s3:smbd: Fix %U substitutions if it contains a domain name
   via  90835ba1c35 s3:tests: Add test for 'valid users = DOMAIN\%U'
   via  7a9537a3ad8 Revert "Add vfs_ring."
   via  d61eb49180f Revert "vfs_ring: Adapt to 4.13 VFS"
  from  b3845522bec WHATSNEW: Announce the end of Python 2.6/2.7 support to build Samba

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 45d4e54606743ad076987a33d28f6d4b9a59d9ba
Author: Karolin Seeger 
Date:   Tue Sep 15 12:23:47 2020 +0200

VERSION: Bump version up to 4.13.0rc5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit f5fd34cced9ebe4f90a0b5baef229d616270b9db
Author: Karolin Seeger 
Date:   Tue Sep 15 12:21:10 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc5 release.

Signed-off-by: Karolin Seeger 

commit a0074cacc4aba7976490d82cad298fdbee1d0f25
Author: Karolin Seeger 
Date:   Tue Sep 15 12:20:26 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0rc5.

Signed-off-by: Karolin Seeger 

commit 47e446f3f7ccdd65f60dbbab72a1e3b81f650959
Author: Andreas Schneider 
Date:   Thu Sep 10 11:34:50 2020 +0200

waf: Only use gnutls_aead_cipher_encryptv2() for GnuTLS > 3.6.14

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14399

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 
(cherry picked from commit 94808cc50e4350a8c3bc250a886e8d4e7802dd12)

commit 8bd284a5b36d118a26c0c17be40a03703db517d2
Author: Andreas Schneider 
Date:   Mon Aug 17 14:12:48 2020 +0200

s3:smbd: Fix %U substitutions if it contains a domain name

'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
version.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 5de7c91e6d4e98f438157a7675c8582cabdd828d)

commit 90835ba1c35ade078dc494034daeb3bf6ea02f7c
Author: Andreas Schneider 
Date:   Mon Aug 17 13:39:58 2020 +0200

s3:tests: Add test for 'valid users = DOMAIN\%U'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467

Signed-off-by: Andreas Schneider 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 53b6dd951249052772e1ffcf651b7efd0963b931)

commit 7a9537a3ad8d876b6fa999823336476905dfb7a8
Author: Karolin Seeger 
Date:   Mon Sep 14 11:47:47 2020 +0200

Revert "Add vfs_ring."

This reverts commit b29103ef46a9f80a0184d4d999f22512b7fdcd89.

commit d61eb49180f628305359f605a3c841359f9b096d
Author: Karolin Seeger 
Date:   Mon Sep 14 11:47:44 2020 +0200

Revert "vfs_ring: Adapt to 4.13 VFS"

This reverts commit 191c2cd7b93524fc1ee119c0f995171fb38dc210.

---

Summary of changes:
 VERSION|   2 +-
 WHATSNEW.txt   |  16 +++-
 selftest/target/Samba3.pm  |   4 +
 source3/modules/vfs_ring.c | 115 -
 source3/modules/wscript_build  |   8 --
 source3/script/tests/test_substitutions.sh |   5 ++
 source3/smbd/share_access.c|  18 -
 source3/wscript|   1 -
 wscript_configure_system_gnutls|   5 +-
 9 files changed, 46 insertions(+), 128 deletions(-)
 delete mode 100644 source3/modules/vfs_ring.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 98143de8e35..b31f4b5a6c7 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=5
+SAMBA_VERSION_RC_RELEASE=6
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cf70c1df1c0..467d4c0dfc5 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =
 
-This is the fourth release condidate of Samba 4.13.  This is *not*
+This is the fifth release condidate of Samba 4.13.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
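Review bot: The changed line still reads "release condidate"; since the sentence is being edited for the new ordinal anyway, correct it to "release candidate" in the same commit.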
@@ -93,6 +93,20 @@ smb.conf changes
   client use spnego  Deprecated  

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-11 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  b3845522bec WHATSNEW: Announce the end of Python 2.6/2.7 support to build Samba
  from  a0c9e2e4907 s3:libads: Also add a realm entry for the domain name

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit b3845522bece6565507cdbb1f1e215d320fcc1b0
Author: Andrew Bartlett 
Date:   Sun Sep 6 18:07:29 2020 +1200

WHATSNEW: Announce the end of Python 2.6/2.7 support to build Samba

This is a warning for 4.14, to give users the normal deprecation
notice.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14488

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Sep 11 09:59:57 UTC 2020 on sn-devel-184

---

Summary of changes:
 WHATSNEW.txt | 14 ++
 1 file changed, 10 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6c0cd70e840..cf70c1df1c0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -16,16 +16,22 @@ UPGRADING
 NEW FEATURES/CHANGES
 
 
-Python 3.6 Required

+Python 3.6 or later required
+
 
 Samba's minimum runtime requirement for python was raised to Python
 3.5 with samba 4.12.  Samba 4.13 raises this minimum version to Python
 3.6 both to access new features and because this is the oldest version
 we test with in our CI infrastructure.
 
-(Build time support for the file server with Python 2.6 has not
-changed)
+This is also the last release where it will be possible to build Samba
+(just the file server) with Python versions 2.6 and 2.7.
+
+As Python 2.7 has been End Of Life upstream since April 2020, Samba
+is dropping ALL Python 2.x support in the NEXT release.
+
+Samba 4.14 to be released in March 2021 will require Python 3.6 or
+later to build.
 
 wide links functionality
 
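Review bot: The new heading "Python 3.6 or later required" sits directly above text saying the file server can still be built with Python 2.6 and 2.7 in this release, so the heading should say that it is the runtime requirement. The last added sentence also reads more clearly with commas: "Samba 4.14, to be released in March 2021, will require Python 3.6 or later to build."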





[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-10 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  a0c9e2e4907 s3:libads: Also add a realm entry for the domain name
   via  41f9aef217f s3:libads: Only add RC4 if weak crypto is allowed
   via  3e145fef4f9 s3:libads: Remove DES legacy types for Kerberos
   via  88a31703a2d lib/replace: move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to REPLACE_HOSTCC_SOURCE
   via  191c2cd7b93 vfs_ring: Adapt to 4.13 VFS
   via  b29103ef46a Add vfs_ring.
  from  99d555f772a VERSION: Bump version up to 4.13.0rc5...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit a0c9e2e49079f093baa26621a593d45d10ba69ed
Author: Andreas Schneider 
Date:   Thu Sep 3 13:49:33 2020 +0200

s3:libads: Also add a realm entry for the domain name

This is required if we try to authenticate as Administrator@DOMAIN so it
can find the KDC. This fixes 'net ads join' for ad_member_fips if we
require Kerberos auth.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479

Signed-off-by: Andreas Schneider 
Reviewed-by: Isaac Boukris 
(cherry picked from commit 6444a743525532c70634e2dd4cacadce54ba2eab)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Thu Sep 10 09:42:31 UTC 2020 on sn-devel-184

commit 41f9aef217fd67c2809b4a660a2bf8d479e55371
Author: Andreas Schneider 
Date:   Thu Sep 3 11:45:33 2020 +0200

s3:libads: Only add RC4 if weak crypto is allowed

Signed-off-by: Andreas Schneider 
Reviewed-by: Isaac Boukris 
(cherry picked from commit a5303967287cef0c3d0b653e2aca73d25d438cf7)

commit 3e145fef4f9a139e7517d101cfba011862ef2f4a
Author: Andreas Schneider 
Date:   Thu Sep 3 11:11:14 2020 +0200

s3:libads: Remove DES legacy types for Kerberos

We already removed DES support for Kerberos in Samba 4.12.

Signed-off-by: Andreas Schneider 
Reviewed-by: Isaac Boukris 
(cherry picked from commit 9cf1aecd73e011ad03ddb072760454379b3f0a32)

commit 88a31703a2d28d5f61e334153ef10920fac63e96
Author: Stefan Metzmacher 
Date:   Tue Sep 8 10:13:20 2020 +

lib/replace: move lib/replace/closefrom.c from ROKEN_HOSTCC_SOURCE to 
REPLACE_HOSTCC_SOURCE

This is where it really belongs and we avoid the strange interaction
with source4/heimdal_build/config.h. This a follow up for commit
f31333d40e6fa38daa32a3ebb32d5a317c06fc62.

This fixes a build problem if libbsd-dev is not installed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14482

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
Reviewed-by: Björn Jacke 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Sep  8 13:59:58 UTC 2020 on sn-devel-184

(cherry picked from commit 0022cd94587b805a525b0b9ef71ff0f15780424a)

commit 191c2cd7b93524fc1ee119c0f995171fb38dc210
Author: Volker Lendecke 
Date:   Mon Aug 10 12:12:30 2020 +0200

vfs_ring: Adapt to 4.13 VFS

commit b29103ef46a9f80a0184d4d999f22512b7fdcd89
Author: Jean-Marc Saffroy 
Date:   Wed Sep 11 12:44:59 2019 +0200

Add vfs_ring.

---

Summary of changes:
 lib/replace/wscript |   3 +
 source3/libads/kerberos.c   |  11 +++-
 source3/modules/vfs_ring.c  | 115 
 source3/modules/wscript_build   |   8 +++
 source3/wscript |   1 +
 source4/heimdal_build/wscript_build |   7 +--
 6 files changed, 136 insertions(+), 9 deletions(-)
 create mode 100644 source3/modules/vfs_ring.c


Changeset truncated at 500 lines:

diff --git a/lib/replace/wscript b/lib/replace/wscript
index 55c8903f1c8..64f305d6df0 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -876,6 +876,9 @@ def build(bld):
 if bld.CONFIG_SET('HAVE_LIBRT'): extra_libs += ' rt'
 if bld.CONFIG_SET('REPLACE_REQUIRES_LIBSOCKET_LIBNSL'): extra_libs += ' 
socket nsl'
 
+if not bld.CONFIG_SET('HAVE_CLOSEFROM'):
+REPLACE_HOSTCC_SOURCE += ' closefrom.c'
+
 bld.SAMBA_SUBSYSTEM('LIBREPLACE_HOSTCC',
 REPLACE_HOSTCC_SOURCE,
 use_hostcc=True,
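Review bot: The added test keys on bld.CONFIG_SET('HAVE_CLOSEFROM'), which is the configure result for the target, while REPLACE_HOSTCC_SOURCE is compiled with use_hostcc=True. In a cross build the host and the target can differ on closefrom(), so either add a comment stating that the target result is deliberately used as a stand-in for the host, or add a host-side check.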
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 5959da919b0..03c7f35a44d 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -592,9 +592,10 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
 #endif
}
 
-   if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
-   lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
-   legacy_enctypes = "RC4-HMAC DES-CBC-CRC DES-CBC-MD5";
+   if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
+   (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) {
+   
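Review bot: With the added lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED guard, a configuration that asks for legacy encryption types while weak crypto is not allowed now silently gets none. A debug message on that path would let administrators see why RC4 is missing from what get_enctypes() returns. The body of the new branch is cut off by the truncation and could not be reviewed.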

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-07 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  99d555f772a VERSION: Bump version up to 4.13.0rc5...
   via  caa4cf52000 VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc4 release.
   via  29e15b80541 WHATSNEW: Add release notes for Samba 4.13.0rc4.
  from  be07e26807b build: toggle vfs_snapper using --with-shared-modules

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 99d555f772a93ba2f4d167daaa253c50e7a83210
Author: Karolin Seeger 
Date:   Mon Sep 7 12:47:09 2020 +0200

VERSION: Bump version up to 4.13.0rc5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit caa4cf52fda3455cbd7b468132b2b9d528a0
Author: Karolin Seeger 
Date:   Mon Sep 7 12:46:21 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc4 release.

Signed-off-by: Karolin Seeger 

commit 29e15b80541ad50ebecd3618ed6b3472f794d549
Author: Karolin Seeger 
Date:   Mon Sep 7 12:45:48 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0rc4.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 18 +-
 2 files changed, 18 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 045cb22a7f3..98143de8e35 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=5
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 81d9300df94..6c0cd70e840 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =
 
-This is the third release condidate of Samba 4.13.  This is *not*
+This is the fourth release condidate of Samba 4.13.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -87,6 +87,22 @@ smb.conf changes
   client use spnego  Deprecated yes
 
 
+CHANGES SINCE 4.13.0rc3
+===
+
+o  David Disseldorp 
+   * BUG 14437: build: Toggle vfs_snapper using "--with-shared-modules".
+
+o  Volker Lendecke 
+   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
+ response.
+
+o  Stefan Metzmacher 
+   * BUG 14428: PANIC: Assert failed in get_lease_type().
+   * BUG 14465: idmap_ad does not deal properly with a RFC4511 section 4.4.1
+ response.
+
+
 CHANGES SINCE 4.13.0rc2
 ===
 





[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-04 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  be07e26807b build: toggle vfs_snapper using --with-shared-modules
  from  df1ff55deb9 s3:share_mode_lock: remove unused reproducer for bug #14428

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit be07e26807bf3c126a0417f16480ed03ed9776aa
Author: David Disseldorp 
Date:   Wed Sep 2 10:50:04 2020 +0200

build: toggle vfs_snapper using --with-shared-modules

7ae03a19b3c ("build: add configure option to control vfs_snapper build")
added new --enable-snapper and --disable-snapper configure parameters to
control whether the vfs_snapper module was built.
The new parameters conflicted with existing
--with-shared-modules=[!]vfs_snapper behaviour.

This change reinstates working --with-shared-modules=[!]vfs_snapper
functionality. vfs_snapper stays enabled by default, but only on Linux.
Linux systems lacking the dbus library and header files should
explicitly disable the module via --with-shared-modules=!vfs_snapper as
documented.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14437

Signed-off-by: David Disseldorp 
Reviewed-by: Björn Jacke 

Autobuild-User(master): David Disseldorp 
Autobuild-Date(master): Wed Sep  2 16:24:50 UTC 2020 on sn-devel-184

(cherry picked from commit b6805d5e0bcf1716f87e84bcbb2fd8f93c38a8a3)

Autobuild-User(v4-13-test): Karolin Seeger 
Autobuild-Date(v4-13-test): Fri Sep  4 12:37:35 UTC 2020 on sn-devel-184

---

Summary of changes:
 source3/wscript | 27 ---
 1 file changed, 12 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/wscript b/source3/wscript
index 5e94c6f6c71..335cfd797f1 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -95,7 +95,6 @@ def options(opt):
 
 opt.samba_add_onoff_option('glusterfs', with_name="enable", 
without_name="disable", default=True)
 opt.samba_add_onoff_option('cephfs', with_name="enable", 
without_name="disable", default=True)
-opt.samba_add_onoff_option('snapper', with_name="enable", 
without_name="disable", default=True)
 
 opt.add_option('--enable-vxfs',
   help=("enable support for VxFS (default=no)"),
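Review bot: Dropping the 'snapper' on/off option means build scripts that pass --enable-snapper or --disable-snapper will no longer have those flags recognised. The commit message names --with-shared-modules=!vfs_snapper as the supported switch; a line in WHATSNEW.txt for packagers who picked up the short-lived flags would avoid surprise configure failures.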
@@ -1774,17 +1773,6 @@ main() {
 if Options.options.enable_vxfs:
 conf.DEFINE('HAVE_VXFS', '1')
 
-if Options.options.with_snapper:
-if conf.CHECK_CFG(package='dbus-1', args='--cflags --libs',
-  msg='Checking for dbus', uselib_store="DBUS-1"):
-if (conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1')
-  and conf.CHECK_LIB('dbus-1', 
shlib=True)):
-conf.DEFINE('HAVE_DBUS', '1')
-else:
-conf.fatal("vfs_snapper is enabled but prerequisite DBUS libraries 
"
-   "or headers not found. Use --disable-snapper to disable 
"
-   "vfs_snapper support.");
-
 if conf.CHECK_CFG(package='liburing', args='--cflags --libs',
   msg='Checking for liburing package', 
uselib_store="URING"):
 if (conf.CHECK_HEADERS('liburing.h', lib='uring')
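Review bot: The removed block was where HAVE_DBUS got defined, and the later hunks do not define it again in the lines shown. Please confirm that nothing outside source3/wscript (for example the vfs_snapper build rule) still tests HAVE_DBUS, otherwise the module could be dropped or miscompiled without warning.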
@@ -1954,6 +1942,9 @@ main() {
   vfs_commit vfs_worm vfs_crossrename 
vfs_linux_xfs_sgid
   vfs_time_audit vfs_offline 
vfs_virusfilter vfs_widelinks
   '''))
+if host_os.rfind('linux') > -1:
+default_shared_modules.extend(['vfs_snapper'])
+
 default_shared_modules.extend(TO_LIST('idmap_tdb2 idmap_script'))
 # these have broken dependencies
 forced_shared_modules.extend(TO_LIST('idmap_autorid idmap_rid idmap_hash'))
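Review bot: host_os.rfind('linux') > -1 is a plain substring test; 'linux' in host_os says the same thing more readably. This line also makes vfs_snapper a default on every Linux host whether or not dbus is present, which matches the commit message but deserves a short comment here so the later conf.fatal is not a surprise.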
@@ -2023,9 +2014,6 @@ main() {
 if conf.CONFIG_SET('HAVE_VXFS'):
 default_shared_modules.extend(TO_LIST('vfs_vxfs'))
 
-if conf.CONFIG_SET('HAVE_DBUS'):
-default_shared_modules.extend(TO_LIST('vfs_snapper'))
-
 explicit_shared_modules = TO_LIST(Options.options.shared_modules, 
delimiter=',')
 explicit_static_modules = TO_LIST(Options.options.static_modules, 
delimiter=',')
 
@@ -2146,4 +2134,13 @@ main() {
 Logs.info("%s: %s" % (static_env, ','.join(conf.env[static_env])))
 Logs.info("%s: %s" % (shared_env, ','.join(conf.env[shared_env])))
 
+if (('vfs_snapper' in shared_list.get('vfs', []) or 'vfs_snapper' in 
static_list.get('vfs', []))
+and not (conf.CHECK_CFG(package='dbus-1', args='--cflags --libs',
+msg='Checking for dbus', uselib_store="DBUS-1")
+ and conf.CHECK_HEADERS('dbus/dbus.h', lib='dbus-1')
+ and conf.CHECK_LIB('dbus-1', shlib=True))):
+conf.fatal("vfs_snapper is enabled but prerequisite dbus-1 package not 
"
+   "found. Use 
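Review bot: The three checks (CHECK_CFG, CHECK_HEADERS, CHECK_LIB) are combined under a single not (...), so the fatal message reports that the dbus-1 package was not found even when pkg-config succeeded and only the header or library check failed. Wording it as "dbus-1 package, headers or library not found" would match what was actually tested.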

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-09-03 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  df1ff55deb9 s3:share_mode_lock: remove unused reproducer for bug #14428
   via  0a682a18986 s3:share_mode_lock: make sure share_mode_cleanup_disconnected() removes the record
   via  b83efaec198 s3:share_mode_lock: add missing 'goto done' in share_mode_cleanup_disconnected()
   via  8a8b90eba76 s3:share_mode_lock: consistently debug share_mode_entry records
   via  4aa4f12f533 s3:share_mode_lock: let share_mode_forall_entries/share_entry_forall evaluate e.stale first
   via  e62a37e9748 s3:share_mode_lock: reproduce problem with stale disconnected share mode entries
   via  431192896a2 s3:selftest: also run durable_v2_reconnect_delay_msec in samba3.blackbox.durable_v2_delay
   via  1549dc56280 tldap: Receiving "msgid == 0" means the connection is dead
   via  c785fc601de test: Test winbind idmap_ad ticket expiry behaviour
   via  725dda2b809 idmap_ad: Pass tldap debug messages on to DEBUG()
   via  4a4af2c2534 tldap: Add PRINTF_ATTRIBUTE declaration to tldap_debug()
   via  4f695a62055 tldap: Make sure all requests are cancelled on rundown
   via  468286f4c8a tldap: Centralize connection rundown on error
   via  4b02185ecc1 tldap: Maintain the ldap read request in tldap_context
   via  a3758fa56ec tldap: Always remove ourselves from ld->pending at cleanup time
   via  73deb8332a5 tldap: Fix tldap_msg_received()
   via  67676bc4f5e tldap: Only free() ld->pending if "req" is part of it
   via  3824ce0de3b ldap_server: Terminate LDAP connections on krb ticket expiry
   via  caf9cfa8653 ldap_server: Add the krb5 expiry to conn->limits
   via  6179ac98e6f torture: Test ldap session expiry
   via  fa74a0a2f66 build: Wrap a long line
  from  04630942058 VERSION: Bump version up to 4.13.0rc4...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit df1ff55deb92827eb502c1857a0039743752c6b3
Author: Stefan Metzmacher 
Date:   Fri Aug 28 16:28:41 2020 +0200

s3:share_mode_lock: remove unused reproducer for bug #14428

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Mon Aug 31 13:34:17 UTC 2020 on sn-devel-184

(cherry picked from commit b02f1d676f6e62a0a4b33b9b08f8f51a68b561ca)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Sep  3 14:55:14 UTC 2020 on sn-devel-184

commit 0a682a1898695839fe4933af61c8a1d4068005a3
Author: Stefan Metzmacher 
Date:   Fri Aug 28 16:28:41 2020 +0200

s3:share_mode_lock: make sure share_mode_cleanup_disconnected() removes the 
record

This fixes one possible trigger for "PANIC: assert failed in 
get_lease_type()"
https://bugzilla.samba.org/show_bug.cgi?id=14428

This is no longer enough to remove the record:

   d->have_share_modes = false;
   d->modified = true;

Note that we can remove it completely from
share_mode_cleanup_disconnected() as
share_mode_forall_entries() already sets it
when there are no entries left.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
(cherry picked from commit b5c0874fd5d31e252cf9ac8b84bde5c536b1e8ef)

commit b83efaec1981600668fae5f67a483c2c698b6e68
Author: Stefan Metzmacher 
Date:   Fri Aug 28 15:56:35 2020 +0200

s3:share_mode_lock: add missing 'goto done' in 
share_mode_cleanup_disconnected()

When cleanup_disconnected_lease() fails we should stop,
at least we do that if brl_cleanup_disconnected() fails.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 1aa1ac97082f81f6dc62f345823d2dd345e0afd7)

commit 8a8b90eba76b94f3d7291ccc86fe1e80d4423ff3
Author: Stefan Metzmacher 
Date:   Fri Aug 28 15:56:35 2020 +0200

s3:share_mode_lock: consistently debug share_mode_entry records

share_mode_entry_do(), share_mode_forall_entries() and
share_entry_forall() print the record before the callback is called
and when it was modified or deleted.

This makes it much easier to debug problems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14428

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 4d740ac2084a68c6d4836cd83ea5d5f1ee9d37a2)

commit 4aa4f12f5333bd4913989ae1f54027e480535eb4
Author: Stefan Metzmacher 
Date:   Fri Aug 28 15:56:35 2020 +0200

s3:share_mode_lock: let share_mode_forall_entries/share_entry_forall 
evaluate e.stale first

It's not really clear why e.stale would be ignored if *modified is set
to true.

This 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-28 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  04630942058 VERSION: Bump version up to 4.13.0rc4...
   via  f5f22da6b8e VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc3 release.
   via  15ec9863704 WHATSNEW: Add release notes for Samba 4.13.0rc3.
  from  58627af19cc ctdb-recoverd: Rename update_local_flags() -> update_flags()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 04630942058e274471fdada33c4c17dc33d420f4
Author: Karolin Seeger 
Date:   Fri Aug 28 11:19:18 2020 +0200

VERSION: Bump version up to 4.13.0rc4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit f5f22da6b8e07fec9af65c7cc49073b38a4d9e14
Author: Karolin Seeger 
Date:   Fri Aug 28 11:18:15 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc3 release.

Signed-off-by: Karolin Seeger 

commit 15ec9863704e87faf8c6a4f0ed529c1eea750da5
Author: Karolin Seeger 
Date:   Thu Aug 27 11:21:12 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0rc3.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 18 +-
 2 files changed, 18 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index df5e378c519..045cb22a7f3 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=4
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e8b7cb4574c..81d9300df94 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =
 
-This is the second release condidate of Samba 4.13.  This is *not*
+This is the third release condidate of Samba 4.13.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
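Review bot: the rewritten first line of the announcement still reads "release condidate"; since that line is being replaced anyway, correct it to "candidate" here so the misspelling stops being carried from one release-candidate announcement to the next.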
@@ -87,6 +87,22 @@ smb.conf changes
   client use spnego  Deprecated yes
 
 
+CHANGES SINCE 4.13.0rc2
+===
+
+o  Andrew Bartlett 
+   * BUG 14460: Deprecate domain logons, SMBv1 things.
+
+o  Günther Deschner 
+   * BUG 14318: docs: Add missing winexe manpage.
+
+o  Christof Schmitt 
+   * BUG 14166: util: Allow symlinks in directory_create_or_exist.
+
+o  Martin Schwenke 
+   * BUG 14466: ctdb disable/enable can fail due to race condition.
+
+
 CHANGES SINCE 4.13.0rc1
 ===
 
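Review bot: the BUG 14460 entry, "Deprecate domain logons, SMBv1 things.", is too vague for an administrator auditing a configuration against this release. The table context just above this section already lists "client use spnego" as Deprecated, so either name the affected parameters in the entry or point the reader to the "smb.conf changes" table instead of "SMBv1 things".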


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-27 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  58627af19cc ctdb-recoverd: Rename update_local_flags() -> update_flags()
   via  98580fca5f6 ctdb-recoverd: Change update_local_flags() to use already retrieved nodemaps
   via  8e10b67f315 ctdb-recoverd: Get remote nodemaps earlier
   via  7fe08880958 ctdb-recoverd: Do not fetch the nodemap from the recovery master
   via  48ca1987350 ctdb-recoverd: Change get_remote_nodemaps() to use connected nodes
   via  a1f00ebef11 ctdb-recoverd: Fix node_pnn check and assignment of nodemap into array
   via  da94f78c55e ctdb-recoverd: Add fail callback to assign banning credits
   via  05b46fa631b ctdb-recoverd: Add an intermediate state struct for nodemap fetching
   via  092beb2f6f1 ctdb-recoverd: Move memory allocation into get_remote_nodemaps()
   via  97ed7d289c7 ctdb-recoverd: Change signature of get_remote_nodemaps()
   via  245f0043d88 ctdb-recoverd: Fix a local memory leak
   via  772dfb02d45 ctdb-recoverd: Basic cleanups for get_remote_nodemaps()
   via  3261adfc84f ctdb-recoverd: Simplify calculation of new flags
   via  991907cf217 ctdb-recoverd: Correctly find nodemap entry for pnn
   via  b0bf26df6c8 ctdb-recoverd: Do not retrieve nodemap from recovery master
   via  6d8271ff3b7 ctdb-recoverd: Flatten update_flags_on_all_nodes()
   via  267bb7faf22 ctdb-recoverd: Move ctdb_ctrl_modflags() to ctdb_recoverd.c
   via  299d4e3f3b0 ctdb-recoverd: Improve a call to update_flags_on_all_nodes()
   via  abc8222fa5d ctdb-recoverd: Use update_flags_on_all_nodes()
   via  6fc2ec1653a ctdb-recoverd: Introduce some local variables to improve readability
   via  3e3124afa3b ctdb-recoverd: Change update_flags_on_all_nodes() to take rec argument
   via  5ad1f837d65 ctdb-recoverd: Drop unused nodemap argument from update_flags_on_all_nodes()
   via  51f8ccf2887 docs: Add missing winexe manpage
  from  e0aa042c518 WHATSNEW: list deprecated parameters

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 58627af19cc9d57d4d36d26406884c7e35036929
Author: Martin Schwenke 
Date:   Wed Jan 24 10:21:37 2018 +1100

ctdb-recoverd: Rename update_local_flags() -> update_flags()

This also updates remote flags so the name is misleading.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14466
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 4aa8e72d60e92951b35190d2ffcfdb1bfb756609)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Thu Aug 27 12:11:01 UTC 2020 on sn-devel-184

commit 98580fca5f681e19d7310006f6e85607a3f7871c
Author: Martin Schwenke 
Date:   Thu Jan 18 20:35:55 2018 +1100

ctdb-recoverd: Change update_local_flags() to use already retrieved nodemaps

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14466
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 702c7c4934e79a9161fdc59df70df30ae492d89f)

commit 8e10b67f315338e0e6640819adcb334e75dd0507
Author: Martin Schwenke 
Date:   Fri Jun 14 03:51:01 2019 +1000

ctdb-recoverd: Get remote nodemaps earlier

update_local_flags() will be changed to use these nodemaps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14466
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 910a0b3b747a987ba69b6a0b6256e964b7d85dfe)

commit 7fe088809585285aaed835a622d92ebb2dec7406
Author: Martin Schwenke 
Date:   Fri Jun 14 00:23:22 2019 +1000

ctdb-recoverd: Do not fetch the nodemap from the recovery master

The nodemap has already been fetched from the local node and is
actually passed to this function.  Care must be taken to avoid
referencing the "remote" nodemap for the recovery master.  It also
isn't useful to do so, since it would be the same nodemap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14466
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit d50919b0cb28f299c9b6985271b29d4f27c5f619)

commit 48ca1987350683b58c9bd43cd54ea9e2614da337
Author: Martin Schwenke 
Date:   Thu Jan 18 20:02:42 2018 +1100

ctdb-recoverd: Change get_remote_nodemaps() to use connected nodes

The plan here is to use the nodemaps retrieved by get_remote_nodes()
in update_local_flags().  This will improve efficiency, since
get_remote_nodes() fetches flags from nodes in parallel.  It also
means that get_remote_nodes() can be used exactly once early on in
main_loop() to retrieve remote nodemaps.  Retrieving nodemaps multiple
times is unnecessary and racy - a single monitoring iteration should
not fetch flags multiple times and compare them.

This introduces a temporary behaviour change but it will be of no
consequence 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-24 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  e0aa042c518 WHATSNEW: list deprecated parameters
   via  8dbeb26319c docs: deprecate "raw NTLMv2 auth"
   via  af78b53f114 docs: deprecate "client plaintext auth"
   via  e2b9972f3c6 docs: deprecate "client NTLMv2 auth"
   via  100e32dba49 docs: deprecate "client lanman auth"
   via  7b48056533e docs: deprecate "client use spnego"
   via  1338e3a481b docs: Deprecate NT4-like domains and SMBv1-only protocol options
   via  e3c608d27e9 selftest: Do not let deprecated option warnings muck this test up
   via  dcf92a69cd0 param: Allow tests to silence deprecation warnings
   via  b44b26b9cd2 selftest: Add test for suppression of deprecation warnings
  from  97d3c93e31e util: Add cmocka unit test for directory_create_or_exists

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit e0aa042c5187fe7eff075123b8fb3a3344fa87a6
Author: Andrew Bartlett 
Date:   Tue Jun 16 22:23:32 2020 +1200

WHATSNEW: list deprecated parameters

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Tue Aug 18 01:32:21 UTC 2020 on sn-devel-184

(cherry picked from commit 20606fd0a4c4697ff99da59f748af6908d929901)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Mon Aug 24 15:13:30 UTC 2020 on sn-devel-184

commit 8dbeb26319ce82177068bfed8c25c9c1023adf69
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:55:35 2019 +1200

docs: deprecate "raw NTLMv2 auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1
specific authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 8c9d9441edce2e8d7f0428d0ec5e209ed8a55dbc)

commit af78b53f114f0668df7e9439fe0f3f95bcd81979
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:55:23 2019 +1200

docs: deprecate "client plaintext auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1
specific authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 37583b19d2c3dbf3e9d0498a39b8b9d9c727e1d4)

commit e2b9972f3c6719e3834eb1ff3df2c25c465d913c
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:54:01 2019 +1200

docs: deprecate "client NTLMv2 auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1
specific authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 5543c11c8b007b49641758428af7ba3976683438)

commit 100e32dba493e9274350cb7860ff7cc2a41924b6
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:53:46 2019 +1200

docs: deprecate "client lanman auth"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1
specific authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit ac8e5ea22d9f9b16a79f519f69852b46ac798541)

commit 7b48056533e1ad3b65781f92cfcfc5e080648883
Author: Andrew Bartlett 
Date:   Thu Sep 5 16:53:20 2019 +1200

docs: deprecate "client use spnego"

This parameter is applicable only to SMBv1 and we are deprecating SMBv1
specific authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 1b85db57e53533ce14beb79f6d949a08f6ef9f91)

commit 1338e3a481be568d39bd2cafe95e89ca12bdac4c
Author: Andrew Bartlett 
Date:   Tue Jun 16 21:46:33 2020 +1200

docs: Deprecate NT4-like domains and SMBv1-only protocol options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit c6aa710f8da9ef92b388f1c0c59b2dd3c602ad2d)

commit e3c608d27e968d01b439e8d088a18c5d5af9bb45
Author: Andrew Bartlett 
Date:   Mon Aug 10 20:36:53 2020 +1200

selftest: Do not let deprecated option warnings muck this test up

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 9e212dd15e6c484d69f236f3c6d7186f0e6353b4)

commit dcf92a69cd0c776d9e59bbc5166d24d35ebe9be0
Author: Andrew Bartlett 
Date:   Wed 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-19 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  97d3c93e31e util: Add cmocka unit test for directory_create_or_exists
   via  031618f0acb util: Allow symlinks in directory_create_or_exist
  from  2bd88d076e8 VERSION: Bump version up to 4.13.0rc3...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 97d3c93e31e85f6c69231949aa482554c6351a61
Author: Christof Schmitt 
Date:   Fri Aug 14 12:18:51 2020 -0700

util: Add cmocka unit test for directory_create_or_exists

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14166

Signed-off-by: Christof Schmitt 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Sun Aug 16 07:06:59 UTC 2020 on sn-devel-184

(cherry picked from commit e89ec78e9a262a6e7bb9082323083eb5f1609655)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Wed Aug 19 09:56:13 UTC 2020 on sn-devel-184

commit 031618f0acb15bb05004c702dbb4ec086c3e27b9
Author: Christof Schmitt 
Date:   Fri Aug 14 09:36:26 2020 -0700

util: Allow symlinks in directory_create_or_exist

Commit 9f60a77e0b updated the check to avoid having files or other
objects instead of a directory. This missed the valid case that there
might be a symlink to a directory. Updated the check accordingly to
allow symlinks to directories.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14166

Signed-off-by: Christof Schmitt 
Reviewed-by: Volker Lendecke 
(cherry picked from commit 672212cecdd7a7de40acdc81c56e2996ea82c090)

---

Summary of changes:
 lib/util/tests/test_util.c | 234 +
 lib/util/util.c|  18 +++-
 lib/util/wscript_build |   6 ++
 selftest/tests.py  |   2 +
 4 files changed, 258 insertions(+), 2 deletions(-)
 create mode 100644 lib/util/tests/test_util.c


Changeset truncated at 500 lines:

diff --git a/lib/util/tests/test_util.c b/lib/util/tests/test_util.c
new file mode 100644
index 000..eebba39e70c
--- /dev/null
+++ b/lib/util/tests/test_util.c
@@ -0,0 +1,234 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *
+ *  Unit test for util.c
+ *
+ *  Copyright (C) Christof Schmitt 2020
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see .
+ */
+
+#include "lib/util/util.c"
+#include 
+
+struct test_paths {
+   char testdir[PATH_MAX];
+   char none[PATH_MAX];
+   char dir[PATH_MAX];
+   mode_t dir_mode;
+   char file[PATH_MAX];
+   mode_t file_mode;
+   char symlink_none[PATH_MAX];
+   char symlink_dir[PATH_MAX];
+   char symlink_file[PATH_MAX];
+};
+
+static int group_setup(void **state)
+{
+   struct test_paths *paths = NULL;
+   char *testdir = NULL;
+   int ret, fd;
+
+   umask(0);
+
+   paths = malloc(sizeof(struct test_paths));
+   assert_non_null(paths);
+
+   strlcpy(paths->testdir, tmpdir(), sizeof(paths->testdir));
+   strlcat(paths->testdir, "/test_util_XX", sizeof(paths->testdir));
+   testdir = mkdtemp(paths->testdir);
+   assert_non_null(testdir);
+
+   strlcpy(paths->none, testdir, sizeof(paths->none));
+   strlcat(paths->none, "/none", sizeof(paths->none));
+
+   strlcpy(paths->dir, testdir, sizeof(paths->dir));
+   strlcat(paths->dir, "/dir", sizeof(paths->dir));
+   paths->dir_mode = 0750;
+   ret = mkdir(paths->dir, paths->dir_mode);
+   assert_return_code(ret, errno);
+
+   strlcpy(paths->file, testdir, sizeof(paths->file));
+   strlcat(paths->file, "/file", sizeof(paths->file));
+   paths->file_mode = 0640;
+   fd = creat(paths->file, paths->file_mode);
+   assert_return_code(fd, errno);
+   ret = close(fd);
+   assert_return_code(ret, errno);
+
+   strlcpy(paths->symlink_none, testdir, sizeof(paths->symlink_none));
+   strlcat(paths->symlink_none, "/symlink_none",
+   sizeof(paths->symlink_none));
+   ret = symlink("/none", paths->symlink_none);
+   assert_return_code(ret, errno);
+
+   strlcpy(paths->symlink_dir, testdir, sizeof(paths->symlink_dir));
+   strlcat(paths->symlink_dir, "/symlink_dir", sizeof(paths->symlink_dir));
+   
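Review bot: the dangling-symlink fixture is created with symlink("/none", paths->symlink_none), an absolute target outside the mkdtemp() directory, so the outcome of any test using it depends on whether /none happens to exist on the build host. Point the link at paths->none instead, which lives inside testdir and is not created anywhere in the visible setup. The strlcpy()/strlcat() return values are also never checked, so a long tmpdir() would truncate these paths silently; an assert on the returned length against sizeof() would catch that.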
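An added illustration of the check that the "util: Allow symlinks in directory_create_or_exist" commit message describes, written for this page and not taken from lib/util/util.c. The function name, the fixture enum and the use of /tmp are assumptions; the six cases mirror the paths the test fixture above sets up.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names: one case per path kind in the test fixture. */
enum fixture { FX_NONE, FX_DIR, FX_FILE, FX_LINK_NONE, FX_LINK_DIR, FX_LINK_FILE };
#define FX_COUNT 6

/*
 * Sketch of "create the directory, or accept what is already there only
 * if it is a directory or a symlink that resolves to one".
 * Not Samba's implementation.
 */
static bool dir_create_or_exist_sketch(const char *path, mode_t mode)
{
	struct stat lst, st;

	if (mkdir(path, mode) == 0) {
		return true;            /* did not exist, now created */
	}
	if (errno != EEXIST) {
		return false;           /* permission, missing parent, ... */
	}
	/* The name is taken: inspect it without following a link. */
	if (lstat(path, &lst) != 0) {
		return false;
	}
	if (S_ISDIR(lst.st_mode)) {
		return true;
	}
	if (!S_ISLNK(lst.st_mode)) {
		return false;           /* regular file, fifo, socket, ... */
	}
	/* A symlink is acceptable only when its target is a directory. */
	if (stat(path, &st) != 0) {
		return false;           /* dangling link */
	}
	return S_ISDIR(st.st_mode);
}

/* Build a constructed fixture in a fresh temp dir, run one case, clean up.
 * Returns 1 (accepted), 0 (rejected) or -1 (fixture setup failed). */
static int check_fixture(enum fixture fx)
{
	static const char *names[FX_COUNT] = {
		"none", "dir", "file", "symlink_none", "symlink_dir", "symlink_file"
	};
	char base[] = "/tmp/dcoe_XXXXXX";
	char p[FX_COUNT][128];
	int i, fd, result;

	if (mkdtemp(base) == NULL) {
		return -1;
	}
	for (i = 0; i < FX_COUNT; i++) {
		snprintf(p[i], sizeof(p[i]), "%s/%s", base, names[i]);
	}
	if (mkdir(p[FX_DIR], 0750) != 0) {
		return -1;
	}
	fd = open(p[FX_FILE], O_CREAT | O_WRONLY, 0640);
	if (fd < 0) {
		return -1;
	}
	close(fd);
	/* Relative targets resolve inside base, so nothing depends on the host. */
	if (symlink("none", p[FX_LINK_NONE]) != 0 ||
	    symlink("dir", p[FX_LINK_DIR]) != 0 ||
	    symlink("file", p[FX_LINK_FILE]) != 0) {
		return -1;
	}

	result = dir_create_or_exist_sketch(p[fx], 0755) ? 1 : 0;

	/* Remove links first, then the file and directories. */
	for (i = FX_COUNT - 1; i >= 0; i--) {
		if (unlink(p[i]) != 0) {
			rmdir(p[i]);
		}
	}
	rmdir(base);
	return result;
}

int main(void)
{
	static const char *label[FX_COUNT] = {
		"missing path", "directory", "regular file",
		"dangling symlink", "symlink to directory", "symlink to file"
	};
	for (int fx = 0; fx < FX_COUNT; fx++) {
		printf("%-22s -> %d\n", label[fx], check_fixture((enum fixture)fx));
	}
	return 0;
}
```

The lstat()/stat() pair is not atomic, so a caller that goes on to create files under the accepted path still has to consider who can write to the parent directory.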

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-14 Thread Karolin Seeger
The branch, v4-13-test has been updated
   via  2bd88d076e8 VERSION: Bump version up to 4.13.0rc3...
   via  8c7bedccada VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc2 release.
   via  2dace996ef6 WHATSNEW: Add release notes for Samba 4.13.0rc2.
  from  5df2c348ca9 Remove depracated "ldap ssl ads" smb.conf option

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 2bd88d076e8824cd0f41d7d8f1e8fed6b974f95e
Author: Karolin Seeger 
Date:   Fri Aug 14 10:01:35 2020 +0200

VERSION: Bump version up to 4.13.0rc3...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger 

commit 8c7bedccadac667039c64dac945e27015b45bc09
Author: Karolin Seeger 
Date:   Fri Aug 14 09:59:48 2020 +0200

VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc2 release.

Signed-off-by: Karolin Seeger 

commit 2dace996ef66c0d9e9cb63d8b88fabc778615b9b
Author: Karolin Seeger 
Date:   Fri Aug 14 09:59:09 2020 +0200

WHATSNEW: Add release notes for Samba 4.13.0rc2.

Signed-off-by: Karolin Seeger 

---

Summary of changes:
 VERSION  |  2 +-
 WHATSNEW.txt | 28 ++--
 2 files changed, 27 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 5d09e1af487..df5e378c519 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=3
 
 
 # To mark SVN snapshots this should be set to 'yes'#
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5fd139e9d4b..cac8cecd2b7 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
 Release Announcements
 =
 
-This is the first release condidate of Samba 4.13.  This is *not*
+This is the second release condidate of Samba 4.13.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
@@ -63,10 +63,34 @@ smb.conf changes
   Parameter Name DescriptionDefault
   -- ------
   ldap ssl ads   removed
-
   smb2 disable lock sequence checking  No
 
 
+CHANGES SINCE 4.13.0rc1
+===
+
+o  Andrew Bartlett 
+   * BUG 14450: dbcheck: Allow a dangling forward link outside our known NCs.
+
+o  Isaac Boukris 
+   * BUG 14462: Remove deprecated "ldap ssl ads" smb.conf option.
+
+o  Volker Lendecke 
+   * BUG 14435: winbind: Fix lookuprids cache problem.
+
+o  Stefan Metzmacher 
+   * BUG 14354: kdc:db-glue: Ignore KRB5_PROG_ETYPE_NOSUPP also for
+ Primary:Kerberos.
+
+o  Andreas Schneider 
+   * BUG 14358: docs: Fix documentation for require_membership_of of
+ pam_winbind.conf.
+
+o  Martin Schwenke 
+   * BUG 1: ctdb-scripts: Use nfsconf as a last resort get nfsd thread
+ count.
+
+
 KNOWN ISSUES
 
 
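Review bot: in the Martin Schwenke entry, "Use nfsconf as a last resort get nfsd thread count" is missing "to" before "get". The same hunk also removes the separator line between the "ldap ssl ads" and "smb2 disable lock sequence checking" table rows without saying so; confirm that the table change is intended and not an accident of editing the section below it.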


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-12 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  5df2c348ca9 Remove depracated "ldap ssl ads" smb.conf option
   via  78a6cce9c79 ctdb-tests: Stop cat command failure from causing test failure
  from  bb49e891025 winbind: Fix lookuprids cache problem

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 5df2c348ca9ee31b542d207217d12e5b9403453d
Author: Isaac Boukris 
Date:   Mon Aug 10 12:15:26 2020 +0200

Remove depracated "ldap ssl ads" smb.conf option

Signed-off-by: Isaac Boukris 

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Wed Aug 12 11:16:04 UTC 2020 on sn-devel-184

commit 78a6cce9c7949be2d5be640b66fd43fa0a45d73e
Author: Martin Schwenke 
Date:   Mon Jul 6 14:02:49 2020 +1000

ctdb-tests: Stop cat command failure from causing test failure

In certain circumstances, which aren't obvious, cat(1) can fail when
attempting to write a lot of data.  This is due to something (probably
write(2)) returning EAGAIN.

Given that the -v option should only really be used for test
debugging, ignore the failure instead of spending time debugging it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14446
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 3ff8765d04c0fb950b7be4f9a04aeb08223b)

---

Summary of changes:
 WHATSNEW.txt|  2 ++
 ctdb/tests/scripts/integration.bash |  2 +-
 docs-xml/smbdotconf/ldap/ldapsslads.xml | 21 -
 source3/libads/ldap.c   |  7 ---
 source3/param/loadparm.c|  1 -
 5 files changed, 3 insertions(+), 30 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/ldap/ldapsslads.xml


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 58bcf9ba20a..5fd139e9d4b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -55,12 +55,14 @@ The release notes will be updated to note this change when 
it occurs.
 REMOVED FEATURES
 
 
+The deprecated "ldap ssl ads" smb.conf option has been removed.
 
 smb.conf changes
 
 
   Parameter Name DescriptionDefault
   -- ------
+  ldap ssl ads   removed
 
   smb2 disable lock sequence checking  No
 
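Review bot: the sentence added under REMOVED FEATURES says the option is gone but not what an administrator who had "ldap ssl ads = yes" should expect after upgrading. The removed documentation describes it as the switch for using SSL on LDAP connections made with ads methods, so add a line stating whether a leftover setting is now ignored or rejected when smb.conf is loaded, and what protects those connections instead.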
diff --git a/ctdb/tests/scripts/integration.bash 
b/ctdb/tests/scripts/integration.bash
index 31f4387a404..39c4e8b8167 100644
--- a/ctdb/tests/scripts/integration.bash
+++ b/ctdb/tests/scripts/integration.bash
@@ -164,7 +164,7 @@ try_command_on_node ()
 
 if $verbose ; then
echo "Output of \"$cmd\":"
-   cat "$outfile"
+   cat "$outfile" || true
 fi
 }
 
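Review bot: `cat "$outfile" || true` discards every cat failure, not only the EAGAIN case the commit message describes, so a missing or unreadable $outfile under -v now passes silently as well. Since this branch exists only for debugging, keep the test from failing but make the gap visible, for example `cat "$outfile" || echo "WARNING: output of \"$cmd\" may be incomplete" >&2`.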
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml 
b/docs-xml/smbdotconf/ldap/ldapsslads.xml
deleted file mode 100644
index 98c39651f1e..000
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-http://www.samba.org/samba/DTD/samba-doc;>
-
-   This option is used to define whether or not Samba should
-   use SSL when connecting to the ldap server using
-   ads methods.
-   Rpc methods are not affected by this parameter. Please note, that
-   this parameter won't have any effect if 
-   is set to no.
-   
-
-   See 
smb.conf5
-   for more information on .
-   
-
-
-no
-
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 55c9668089d..10ab043f721 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -702,13 +702,6 @@ got_connection:
 
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, );
 
-   if ( lp_ldap_ssl_ads() ) {
-   status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
-   if (!ADS_ERR_OK(status)) {
-   goto out;
-   }
-   }
-
/* fill in the current time and offsets */
 
status = ads_current_time( ads );
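Review bot: with the lp_ldap_ssl_ads() block removed, nothing in this hunk upgrades the ADS LDAP connection through smbldap_start_tls() any more, and the commit message gives no rationale beyond the option being deprecated. State in the commit message what now provides confidentiality and integrity on this connection, or that the StartTLS path was already unused, so a reviewer can confirm that installations which had enabled the option are not silently downgraded.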
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index cf5da0aca21..6674485738a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -740,7 +740,6 @@ static void init_globals(struct loadparm_context *lp_ctx, 
bool reinit_globals)
 
lpcfg_string_set(Globals.ctx, _admin_dn, "");
Globals.ldap_ssl = LDAP_SSL_START_TLS;
-   Globals.ldap_ssl_ads = false;
Globals.ldap_deref = -1;
Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
Globals.ldap_delete_dn = false;


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-10 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  bb49e891025 winbind: Fix lookuprids cache problem
   via  12997bb8196 winbind: Add test for lookuprids cache problem
   via  ab227e7db1c torture3: Align integer types
   via  2bdf5e9c292 dbcheck: Allow a dangling forward link outside our known NCs
   via  18628ba1558 ctdb-scripts: Use nfsconf as a last resort get nfsd thread count
   via  8bd4e018780 ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME
   via  983b35fdcf8 docs: Fix documentation for require_membership_of of pam_winbind.conf
   via  f2f122d65a7 docs: Fix documentation for require_membership_of of pam_winbind
  from  19fecfaa35f kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit bb49e891025bdb71bacb8ed084c286d9d4da2cad
Author: Volker Lendecke 
Date:   Wed Jul 8 15:09:45 2020 +0200

winbind: Fix lookuprids cache problem

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Thu Jul  9 21:40:52 UTC 2020 on sn-devel-184

(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Mon Aug 10 10:46:37 UTC 2020 on sn-devel-184

commit 12997bb81961e98668d3de16fdb09ada3996408d
Author: Volker Lendecke 
Date:   Wed Jul 8 15:00:49 2020 +0200

winbind: Add test for lookuprids cache problem

When reading entries from gencache, wb_cache_rids_to_names() can
return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
correctly.

This test enforces this situation by filling gencache with one wbinfo
-R and then erasing the winbindd_cache.tdb. This forces winbind to
enter the domain helper process, which will then read from gencache
filled with the previous wbinfo -R.

Without having the entries cached this does not happen because
wb_cache_rids_to_names() via the do_query: path calls deep inside
calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 
(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)

commit ab227e7db1cc41dbd8667da752e9420cef1091a1
Author: Volker Lendecke 
Date:   Tue Jul 7 08:50:31 2020 +0200

torture3: Align integer types

Signed-off-by: Volker Lendecke 
Reviewed-by: Ralph Boehme 

commit 2bdf5e9c292364b45b43dbf985245641a16fa398
Author: Andrew Bartlett 
Date:   Mon Jul 27 11:37:29 2020 +1200

dbcheck: Allow a dangling forward link outside our known NCs

If we do not have the NC of the target object we can not be really sure
that the object is redundant and so we want to keep it for now
and not (as happened until now) break the dbcheck run made during the
replication stage of a "samba-tool domain backup rename".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14450

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 
(cherry picked from commit 05228c4e07013c0e6f78f1330b3b787271282ca8)

commit 18628ba15585f991b004ef4bd66abf2f8ed12b3f
Author: Martin Schwenke 
Date:   Mon Jul 20 12:02:45 2020 +1000

ctdb-scripts: Use nfsconf as a last resort get nfsd thread count

If nfsconf exists then use it as last resort to attempt to extract
[nfsd]:threads from /etc/nfs.conf.

Invocation of nfsconf requires "|| true" because this script uses "set
-e".  Add a stub that always fails to at least test this much.

RN: Use nfsconf utility for variable values in CTDB NFS scripts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=1
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 

Autobuild-User(master): Amitay Isaacs 
Autobuild-Date(master): Mon Jul 27 07:06:58 UTC 2020 on sn-devel-184

(cherry picked from commit 642dc6ded6426ba2fbf3ac1e5cd71aae11ca245b)

commit 8bd4e0187803b4263dae9eafb07d539350f30ce0
Author: Martin Schwenke 
Date:   Mon Jul 13 10:16:33 2020 +1000

ctdb-scripts: Use nfsconf as a last resort to set NFS_HOSTNAME

If nfsconf exists then use it as last resort to attempt to extract
[statd]:name from /etc/nfs.conf.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=1
Signed-off-by: Martin Schwenke 
Reviewed-by: Amitay Isaacs 
(cherry picked from commit 334dd8cedda6a341e3b89c9adc8102ea5480e452)

commit 983b35fdcf85826d3b667c8c5b0234402a6863c7
Author: Andreas Schneider 
Date:   Fri Jul 17 12:14:16 2020 +0200

docs: Fix documentation for require_membership_of of 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-07 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  19fecfaa35f kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos
   via  6ddc1b66065 Add a test with old msDS-SupportedEncryptionTypes
  from  8aa9258e265 VERSION: Bump version up to 4.13.0rc2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 19fecfaa35fc641e578be38c037149d8c9ac57af
Author: Stefan Metzmacher 
Date:   Thu Apr 23 11:56:54 2020 +0200

kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.

If a service account has msDS-SupportedEncryptionTypes: 31
and DES keys stored in Primary:Kerberos, we'll pass the
DES key to smb_krb5_keyblock_init_contents(), but may get
KRB5_PROG_ETYPE_NOSUPP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Isaac Boukris 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184

(cherry picked from commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3)

Autobuild-User(v4-13-test): Stefan Metzmacher 
Autobuild-Date(v4-13-test): Fri Aug  7 10:39:26 UTC 2020 on sn-devel-184

commit 6ddc1b6606500b4c66c20d653d9a2e985f1bfd4f
Author: Isaac Boukris 
Date:   Mon Apr 27 14:00:38 2020 +0200

Add a test with old msDS-SupportedEncryptionTypes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Isaac Boukris 
Reviewed-by: Stefan Metzmacher 
(cherry picked from commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60)

---

Summary of changes:
 source4/kdc/db-glue.c   | 18 ++---
 source4/selftest/tests.py   |  2 +
 testprogs/blackbox/test_old_enctypes.sh | 68 +
 3 files changed, 82 insertions(+), 6 deletions(-)
 create mode 100755 testprogs/blackbox/test_old_enctypes.sh


Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 27728dab904..5fd0f431cdf 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -631,18 +631,18 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
  
pkb4->keys[i].value->data,
  
pkb4->keys[i].value->length,
  );
-   if (ret == KRB5_PROG_ETYPE_NOSUPP) {
-   DEBUG(2,("Unsupported keytype ignored - type 
%u\n",
-pkb4->keys[i].keytype));
-   ret = 0;
-   continue;
-   }
if (ret) {
if (key.salt) {
smb_krb5_free_data_contents(context, 
>salt);
free(key.salt);
key.salt = NULL;
}
+   if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+   DEBUG(2,("Unsupported keytype ignored - 
type %u\n",
+pkb4->keys[i].keytype));
+   ret = 0;
+   continue;
+   }
goto out;
}
 
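Review bot: moving the KRB5_PROG_ETYPE_NOSUPP test inside `if (ret)` in the pkb4 loop means key.salt is now freed before `continue`, where the old ordering skipped that cleanup and went straight to the next key. That is a leak fix in its own right, but the commit message only talks about extending the behaviour to Primary:Kerberos; add a sentence for it so the change to the Newer-Keys path is not read as a pure reordering.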
@@ -693,6 +693,12 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
free(key.salt);
key.salt = NULL;
}
+   if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+   DEBUG(2,("Unsupported keytype ignored - 
type %u\n",
+pkb3->keys[i].keytype));
+   ret = 0;
+   continue;
+   }
goto out;
}
 
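Review bot: the block added to the pkb3 loop is a second copy of the DEBUG / `ret = 0` / `continue` sequence from the pkb4 loop, differing only in which array supplies keytype. Factor the salt cleanup and the unsupported-enctype decision into one small static helper so the two loops cannot drift apart again, which is the defect this commit is fixing. Note also that a skipped key is reported only at debug level 2, so consider whether an account losing its only usable key should be logged more prominently.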
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 0e219f94d04..f4d91520a12 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -494,6 +494,8 @@ plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)", 
"ad_dc", [os.path.join(bbdi
 
 plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", 
[os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME', 
'$PASSWORD', '$DOMAIN', '$PREFIX_ABS'])
 
+plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", 

[SCM] Samba Shared Repository - branch v4-13-test updated

2020-08-06 Thread Stefan Metzmacher
The branch, v4-13-test has been updated
   via  8aa9258e265 VERSION: Bump version up to 4.13.0rc2...
  from  8c86998910d VERSION: Disable GIT_SNAPSHOT for the 4.13.0rc1 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test


- Log -
commit 8aa9258e26544d1643493fc61720cffc49a9b58d
Author: Stefan Metzmacher 
Date:   Thu Aug 6 12:26:31 2020 +0200

VERSION: Bump version up to 4.13.0rc2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Stefan Metzmacher 

---

Summary of changes:
 VERSION | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index d5cf0b9ce28..5d09e1af487 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
 # e.g. SAMBA_VERSION_RC_RELEASE=1  #
 #  ->  "3.0.0rc1"  #
 
-SAMBA_VERSION_RC_RELEASE=1
+SAMBA_VERSION_RC_RELEASE=2
 
 
 # To mark SVN snapshots this should be set to 'yes'#
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=1
 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes   #
 #  ->  "3.0.0-SVN-build-199"   #
 
-SAMBA_VERSION_IS_GIT_SNAPSHOT=no
+SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
 
 
 # This is for specifying a release nickname#
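Review bot: the comment lines around `SAMBA_VERSION_IS_GIT_SNAPSHOT=yes` still describe SVN ("To mark SVN snapshots", `SAMBA_VERSION_IS_SVN_SNAPSHOT=yes`, "3.0.0-SVN-build-199") while the variable being toggled is the GIT one. This file is edited by hand at every release, so update the comments to name the variable and version string format that are actually in use.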


-- 
Samba Shared Repository