[SCM] Socket Wrapper Repository - branch master updated

2017-09-06 Thread Andreas Schneider
The branch, master has been updated
   via  c777417 swrap: Fix prototype of open[64] to prevent segfault on ppc64le
   via  753f387 swrap: Improve argument handling for libc_vopen*()
   via  03c0602 swrap: Improve argument handling for libc_vioctl()
   via  96c93cf swrap: Improve argument handling for libc_fcntl()
   via  a886815 tests: Add a simple fnctl() test
   via  b5a67f4 swrap: Simplify printing different log prefixes
   via  49d7a4e swrap: Do an early return if log level doesn't match
   via  d1bc679 swrap: Always enable logging
  from  fa9cc40 swrap: Protect the FALL_THROUGH define

https://git.samba.org/?p=socket_wrapper.git;a=shortlog;h=master


- Log -
commit c7774174beffe9a8d29dd4fb38bbed43ece1cecd
Author: Andreas Schneider 
Date:   Wed Aug 2 13:21:59 2017 +0200

swrap: Fix prototype of open[64] to prevent segfault on ppc64le

The calling conventions for vaarg are different on ppc64le. The patch
fixes segfaults on that platform.

Thanks to Florian Weimer who helped debugging it!

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 753f3872370a076628c272612da51963f4996ca4
Author: Andreas Schneider 
Date:   Tue Aug 1 10:58:50 2017 +0200

swrap: Improve argument handling for libc_vopen*()

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 03c06022e29e790938a1701a686ee2863677ff3c
Author: Andreas Schneider 
Date:   Tue Aug 1 10:48:47 2017 +0200

swrap: Improve argument handling for libc_vioctl()

The ioctl() only takes one or no argument.

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 96c93cf0ff3f06b99cdf84a3270e7686a4c7a0d3
Author: Andreas Schneider 
Date:   Tue Aug 1 10:20:46 2017 +0200

swrap: Improve argument handling for libc_fcntl()

fcntl() has either one or no argument.

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit a886815fc1408382a7bf0ac056e7c7d99f494345
Author: Andreas Schneider 
Date:   Mon Jul 31 19:25:41 2017 +0200

tests: Add a simple fnctl() test

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit b5a67f495620a38371cec166e05fa7010df8298a
Author: Andreas Schneider 
Date:   Mon Jul 31 18:25:42 2017 +0200

swrap: Simplify printing different log prefixes

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit 49d7a4efd7a7de5a0962b358eb6e8c560a3f4711
Author: Andreas Schneider 
Date:   Mon Jul 31 18:25:30 2017 +0200

swrap: Do an early return if log level doesn't match

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

commit d1bc679f21155a19d5b691f695cf29c2a94b87cc
Author: Andreas Schneider 
Date:   Mon Jul 31 18:21:53 2017 +0200

swrap: Always enable logging

Signed-off-by: Andreas Schneider 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 src/socket_wrapper.c | 110 +--
 tests/CMakeLists.txt |   1 +
 tests/test_fcntl.c   |  67 +++
 3 files changed, 114 insertions(+), 64 deletions(-)
 create mode 100644 tests/test_fcntl.c


Changeset truncated at 500 lines:

diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 280215e..ccbe67f 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -350,10 +350,6 @@ bool socket_wrapper_enabled(void);
 void swrap_constructor(void) CONSTRUCTOR_ATTRIBUTE;
 void swrap_destructor(void) DESTRUCTOR_ATTRIBUTE;
 
-#ifdef NDEBUG
-# define SWRAP_LOG(...)
-#else
-
 static void swrap_log(enum swrap_dbglvl_e dbglvl, const char *func, const char 
*format, ...) PRINTF_ATTRIBUTE(3, 4);
 # define SWRAP_LOG(dbglvl, ...) swrap_log((dbglvl), __func__, __VA_ARGS__)
 
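Review bot: With the `#ifdef NDEBUG` / `#else` lines removed at the top of this hunk, the matching `#endif` further down has to go as well; it is not in the visible part of the changeset, so please confirm it is dropped in the same commit. The indentation in `# define SWRAP_LOG(dbglvl, ...)` only made sense inside the conditional and can become a plain `#define`. Since swrap_log() is now compiled into every build, a comment stating what is logged when SOCKET_WRAPPER_DEBUGLEVEL is unset would help.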
@@ -365,42 +361,40 @@ static void swrap_log(enum swrap_dbglvl_e dbglvl,
va_list va;
const char *d;
unsigned int lvl = 0;
+   const char *prefix = "SWRAP";
 
d = getenv("SOCKET_WRAPPER_DEBUGLEVEL");
if (d != NULL) {
lvl = atoi(d);
}
 
+   if (lvl < dbglvl) {
+   return;
+   }
+
va_start(va, format);
vsnprintf(buffer, sizeof(buffer), format, va);
va_end(va);
 
-   if (lvl >= dbglvl) {
-   switch (dbglvl) {
-   case SWRAP_LOG_ERROR:
-   fprintf(stderr,
-  
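Review bot: The new early return `if (lvl < dbglvl)` compares a value that comes from `atoi(d)` and is stored in `unsigned int lvl`, so a negative SOCKET_WRAPPER_DEBUGLEVEL wraps to a large number and enables every level, and a non-numeric value silently becomes 0. Now that this function is always compiled in, consider parsing with strtoul(), rejecting trailing garbage and clamping to the highest defined level. The environment lookup also runs on every log call; caching the parsed level once would make the early return cheaper.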

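The open() and libc_vopen*() commits above concern optional arguments of variadic libc calls. As an added illustration (not code from socket_wrapper; `wrapped_open`, `real_open` and `needs_mode` are hypothetical names, and the plain function address stands in for a dlsym() lookup), a wrapper can keep the variadic prototype on the function pointer and read the mode only when the flags call for one:

```c
#include <fcntl.h>
#include <stdarg.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pointer type carries the "..." of the real prototype. Calling a variadic
 * function through a non-variadic pointer type is undefined behaviour. */
typedef int (*open_fn)(const char *pathname, int flags, ...);
static open_fn real_open = open; /* assumption: stands in for dlsym() */

/* open() only reads a third argument for O_CREAT or O_TMPFILE. */
static int needs_mode(int flags)
{
#ifdef O_TMPFILE
    if ((flags & O_TMPFILE) == O_TMPFILE) return 1;
#endif
    return (flags & O_CREAT) != 0;
}

/* Hypothetical wrapper: fetch the optional argument only when present. */
int wrapped_open(const char *pathname, int flags, ...)
{
    va_list ap;
    int mode;
    if (!needs_mode(flags)) return real_open(pathname, flags);
    va_start(ap, flags);
    mode = va_arg(ap, int); /* narrower mode_t types are promoted to int */
    va_end(ap);
    return real_open(pathname, flags, (mode_t)mode);
}

/* Constructed check: permission bits of a file created through the
 * wrapper with mode 0600 and reopened read-only, or -1 on failure. */
int demo_created_mode(const char *path)
{
    struct stat st;
    mode_t old = umask(0);
    int fd, ro, ok;
    unlink(path);
    fd = wrapped_open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    ro = wrapped_open(path, O_RDONLY);
    ok = fd >= 0 && ro >= 0 && fstat(fd, &st) == 0;
    if (fd >= 0) close(fd);
    if (ro >= 0) close(ro);
    unlink(path);
    umask(old);
    return ok ? (int)(st.st_mode & 0777) : -1;
}

int main(void) { return demo_created_mode("/tmp/open_wrap_demo.tmp") == 0600 ? 0 : 1; }
```
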
[SCM] Samba Shared Repository - branch master updated

2017-09-06 Thread Jeremy Allison
The branch, master has been updated
   via  1e4c32e cli_credentials: Fix a typo
   via  c754f48 WHATSNEW: Add Using x86_64 Accelerated AES Crypto Instructions section.
   via  5f87a05 lib: crypto: Add the ability to select Intel AESNI instruction set at configure time.
   via  53ac0f7 lib: crypto: Plumb in the Intel AES instructions.
   via  3324b55 lib: crypt: Prepare the existing code to switch to Intel AES hardware instructions.
   via  11a5676 third_party: Add build capability to aesni-intel.
   via  421fa34 third_party: Add the Intel Add support for AES-NI acceleration.
  from  8c365c5 python: Enable execution of samba.tests.security with Python 3.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1e4c32e3ff7e8dbf6aef12c737c5330273854510
Author: Volker Lendecke 
Date:   Wed Sep 6 14:05:09 2017 +0200

cli_credentials: Fix a typo

Signed-off-by: Volker Lendecke 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Thu Sep  7 05:56:14 CEST 2017 on sn-devel-144

commit c754f48575a5034242594762d62261a48025cebc
Author: Jeremy Allison 
Date:   Wed Sep 6 12:13:32 2017 -0700

WHATSNEW: Add Using x86_64 Accelerated AES Crypto Instructions section.

Describes --accel-aes configure time option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008

Signed-off-by: Jeremy Allison 
Reviewed-by: Stefan Metzmacher 

commit 5f87a05aa314776135eec1057dd644c0b25a9d14
Author: Jeremy Allison 
Date:   Wed Sep 6 11:59:44 2017 -0700

lib: crypto: Add the ability to select Intel AESNI instruction set at configure time.

Add --accel-aes=[none|intelaesni] to select.
Default is none.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008

Signed-off-by: Jeremy Allison 
Reviewed-by: Stefan Metzmacher 

commit 53ac0f7c59a9192e4fa88bf3d257ad80379ded23
Author: Jeremy Allison 
Date:   Wed Sep 6 11:40:02 2017 -0700

lib: crypto: Plumb in the Intel AES instructions.

Causes:

AES_set_encrypt_key()
AES_set_decrypt_key()
AES_encrypt()
AES_decrypt()

to probe for the Intel AES instructions at runtime (only once)
and then call the hardware implementations if so, otherwise
fall back to the software implementations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008

Based on original work by Justin Maggard 

Signed-off-by: Jeremy Allison 
Reviewed-by: Stefan Metzmacher 

commit 3324b55bde96d4098df2f1138be5fd243206ceba
Author: Jeremy Allison 
Date:   Thu Aug 31 11:41:32 2017 -0700

lib: crypt: Prepare the existing code to switch to Intel AES hardware instructions.

Rename the old struct aes_key as an intermediate struct aes_key_rj
and wrap it in a union so we can choose an alternate aes_key struct
when using Intel AES hardware.

Rename the original software implementations of:

 AES_set_encrypt_key()
 AES_set_decrypt_key()
 AES_encrypt()
 AES_decrypt()

by adding an _rj on the end, and call them via a wrapper
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008

Based on original work by Justin Maggard 

Signed-off-by: Jeremy Allison 
Reviewed-by: Stefan Metzmacher 

commit 11a56768950e1caae302507e15e58eb1c316c30a
Author: Jeremy Allison 
Date:   Wed Sep 6 09:58:06 2017 -0700

third_party: Add build capability to aesni-intel.

Minor modifications to code to allow building as a Samba
shared library.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008

Based on original work by Justin Maggard 

Signed-off-by: Jeremy Allison 
Reviewed-by: Stefan Metzmacher 

commit 421fa346de575ebbed3496dc203011b80537bd8a
Author: Jeremy Allison 
Date:   Wed Sep 6 09:44:42 2017 -0700

third_party: Add the Intel Add support for AES-NI acceleration.

This commit takes the Linux kernel AES-NI code, and puts it into a
third_party private library. The Linux kernel code is under GPLv2+
so is compatible with Samba.

This can result in massive speed improvements (up to 200% on some
platforms), by using Intel AES-NI instructions.

These are the pristine check-ins of Linux kernel files for Intel AESNI crypto.

git show 8691ccd764f9ecc69a6812dfe76214c86ac9ba06:arch/x86/crypto/aesni-intel_asm.S
git show 

autobuild[sn-devel-144]: intermittent test failure detected

2017-09-06 Thread autobuild
The autobuild test system (on sn-devel-144) has detected an intermittent
failing test in the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-09-07-0251/flakey.log

The samba build logs are available here:

   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-09-07-0251/samba.stderr
   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-09-07-0251/samba.stdout

The top commit at the time of the failure was:

commit 8c365c5fe09e396e55891945bb4983c0e95d6c13
Author: Lumir Balhar 
Date:   Tue Aug 8 08:50:35 2017 +0200

python: Enable execution of samba.tests.security with Python 3.

Signed-off-by: Lumir Balhar 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Sep  6 15:29:58 CEST 2017 on sn-devel-144



[SCM] Samba Shared Repository - branch master updated

2017-09-06 Thread Andrew Bartlett
The branch, master has been updated
   via  8c365c5 python: Enable execution of samba.tests.security with Python 3.
   via  c81aff3 python: Fix bad type in conversion of NTSTATUS.
   via  6f87728 python: Add tests for check_access function from samba.security.
   via  022aa5e python: Port samba.security to Python 3 compatible form.
  from  2d0e138 python:samba: Add code to remove obsolete files in the private dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8c365c5fe09e396e55891945bb4983c0e95d6c13
Author: Lumir Balhar 
Date:   Tue Aug 8 08:50:35 2017 +0200

python: Enable execution of samba.tests.security with Python 3.

Signed-off-by: Lumir Balhar 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Wed Sep  6 15:29:58 CEST 2017 on sn-devel-144

commit c81aff362fe99a65385c6f8337ffcb47c9456829
Author: Lumir Balhar 
Date:   Wed Sep 6 09:27:02 2017 +0200

python: Fix bad type in conversion of NTSTATUS.

More info: https://lists.samba.org/archive/samba-technical/2017-August/122574.html

Signed-off-by: Lumir Balhar 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 6f877285a3e92029cd761d55836c062a93e94749
Author: Lumir Balhar 
Date:   Tue Aug 8 08:48:28 2017 +0200

python: Add tests for check_access function from samba.security.

Signed-off-by: Lumir Balhar 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

commit 022aa5ea34c82e3906c626a50a722ad0e9f33a1d
Author: Lumir Balhar 
Date:   Mon May 22 15:21:08 2017 +0200

python: Port samba.security to Python 3 compatible form.

Signed-off-by: Lumir Balhar 
Reviewed-by: Andrew Bartlett 
Reviewed-by: Andreas Schneider 

---

Summary of changes:
 libcli/security/pysecurity.c   | 22 +++---
 libcli/security/wscript_build  | 12 +++-
 python/samba/tests/security.py | 26 ++
 selftest/tests.py  |  2 +-
 source4/libcli/util/pyerrors.h |  2 +-
 5 files changed, 50 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/pysecurity.c b/libcli/security/pysecurity.c
index 5dbf95c..7205842 100644
--- a/libcli/security/pysecurity.c
+++ b/libcli/security/pysecurity.c
@@ -18,13 +18,12 @@
 */
 
 #include 
+#include "python/py3compat.h"
 #include "includes.h"
 #include "libcli/util/pyerrors.h"
 #include "libcli/security/security.h"
 #include "pytalloc.h"
 
-void initsecurity(void);
-
 static PyObject *py_se_access_check(PyObject *module, PyObject *args, PyObject 
*kwargs)
 {
NTSTATUS nt_status;
@@ -65,7 +64,7 @@ static PyObject *py_se_access_check(PyObject *module, 
PyObject *args, PyObject *
PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
}
 
-   return PyLong_FromLong(access_granted);
+   return PyInt_FromLong(access_granted);
 }
 
 static PyMethodDef py_security_methods[] = {
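Review bot: Replacing PyLong_FromLong() with PyInt_FromLong() on the return line changes the Python 2 result type from long to int, and under Python 3 that name only exists through a compatibility macro, presumably from the `python/py3compat.h` include added in the previous hunk. Please say in the commit message that the type change is intended, and have the new test compare the returned value rather than its type.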
@@ -74,12 +73,21 @@ static PyMethodDef py_security_methods[] = {
{ NULL },
 };
 
-void initsecurity(void)
+static struct PyModuleDef moduledef = {
+   PyModuleDef_HEAD_INIT,
+   .m_name = "security",
+   .m_doc = "Security support.",
+   .m_size = -1,
+   .m_methods = py_security_methods,
+};
+
+MODULE_INIT_FUNC(security)
 {
PyObject *m;
 
-   m = Py_InitModule3("security", py_security_methods,
-  "Security support.");
+   m = PyModule_Create();
if (m == NULL)
-   return;
+   return NULL;
+
+   return m;
 }
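Review bot: `m = PyModule_Create();` is shown here without an argument, which leaves the new `moduledef` struct unused; the call needs `&moduledef`. Since nothing else is done with `m`, the NULL check followed by `return m;` is redundant and the body can be a single `return PyModule_Create(&moduledef);`, unless constants are going to be added to the module in a follow-up.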
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index b529ec8..6a6b012 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -7,8 +7,10 @@ bld.SAMBA_LIBRARY('samba-security',
   deps='talloc ndr NDR_SECURITY'
   )
 
-bld.SAMBA_PYTHON('pysecurity',
- source='pysecurity.c',
- deps='samba-security pytalloc-util',
- realname='samba/security.so'
- )
+for env in bld.gen_python_environments():
+pytalloc_util = bld.pyembed_libname('pytalloc-util')
+bld.SAMBA_PYTHON('pysecurity',
+ source='pysecurity.c',
+ deps='samba-security %s' % pytalloc_util,
+ realname='samba/security.so'
+ )
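Review bot: In `for env in bld.gen_python_environments():` the loop variable `env` is never used in the body, which only references `bld`, so it is not clear from this hunk what differs between iterations. A one-line comment on what the generator changes per pass would help, and please confirm that the identical `realname='samba/security.so'` does not make the per-Python builds overwrite one another.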
diff --git a/python/samba/tests/security.py 

[SCM] Samba Shared Repository - branch v4-7-test updated

2017-09-06 Thread Karolin Seeger
The branch, v4-7-test has been updated
   via  4cc6517 WHATSNEW: We generate SHA265 certificates now
   via  2ab073a WHATSNEW: warn against using the RODC on older Samba versions
   via  4dfa810 WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP
   via  d6a9f6b WHATSNEW: fix spelling
  from  eb299c6 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test


- Log -
commit 4cc6517a170f075a14375d64c56d7690c93a1e29
Author: Andrew Bartlett 
Date:   Mon Aug 28 21:37:16 2017 +1200

WHATSNEW: We generate SHA265 certificates now

Signed-off-by: Andrew Bartlett 

Autobuild-User(v4-7-test): Karolin Seeger 
Autobuild-Date(v4-7-test): Wed Sep  6 14:21:15 CEST 2017 on sn-devel-144

commit 2ab073a1ab9fa76337ca01e7dbc050795ec439ce
Author: Andrew Bartlett 
Date:   Mon Aug 28 21:36:14 2017 +1200

WHATSNEW: warn against using the RODC on older Samba versions

Signed-off-by: Andrew Bartlett 

commit 4dfa810ed569406387bbb4abd636ab3c7543c8f9
Author: Andrew Bartlett 
Date:   Mon Aug 28 21:35:56 2017 +1200

WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP

Signed-off-by: Andrew Bartlett 

commit d6a9f6be321f7f2489df934dc57362f09b5f3863
Author: Andrew Bartlett 
Date:   Mon Aug 28 21:35:34 2017 +1200

WHATSNEW: fix spelling

Signed-off-by: Andrew Bartlett 

---

Summary of changes:
 WHATSNEW.txt | 22 --
 1 file changed, 20 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c58c297..8ba321f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency
 --
 
 Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba
-erronously did not take whole-DB read locks to protect search
+erroneously did not take whole-DB read locks to protect search
 and DRS replication operations.
 
 While each object returned remained subject to a record-level lock (so
@@ -150,7 +150,8 @@ the rest of the 'samba' process, rather than being forced 
into a single
 process.  This aids in Samba's ability to scale to larger numbers of AD
 clients and the AD DC's overall resiliency, but will mean that there is a
 fork()ed child for every LDAP client, which may be more resource
-intensive in some situations.
+intensive in some situations.  If you run Samba in a
+resource-constrained VM, consider allocating more RAM and swap space.
 
 Improved Read-Only Domain Controller (RODC) Support
 ---
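Review bot: The added sentence limits the advice to a "resource-constrained VM", but the cost described just above it, one fork()ed child per LDAP client, applies to any host that is short on memory. Suggest "resource-constrained VM or host", and if there is a setting that restores the single-process behaviour, name it here so administrators have an alternative to adding RAM and swap.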
@@ -172,6 +173,14 @@ The reliability of RODCs locating a writable partner still 
requires some
 improvements and so the 'password server' configuration option is generally
 recommended on the RODC.
 
+Samba 4.7 is the first Samba release to be secure as an RODC or when
+hosting an RODC.  If you have been using earlier Samba versions to
+host or be an RODC, please upgrade.
+
+In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for
+details on the security implications for password disclosure to an
+RODC using earlier versions.
+
 Additional password hashes stored in supplementalCredentials
 
 
@@ -247,6 +256,15 @@ the talloc_autofree_context() (which is inherently 
thread-unsafe)
 and still be valgrind-clean on exit. Modules that don't need to
 free long-lived data on exit should use the NULL talloc context.
 
+SHA256 LDAPS Certificates
+-
+
+The self-signed certificate generated for use on LDAPS will now be
+generated with a SHA256 self-signature, not a SHA1 self-signature.
+
+Replacing this certificate with a certificate signed by a trusted
+CA is still highly recommended.
+
 CTDB changes
 
 
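Review bot: The commit subject for this change reads "SHA265" while the section added here says SHA256; the subject should be corrected before the commit is picked to further branches. In the new paragraph, "will now be generated with a SHA256 self-signature" does not say whether a SHA1 certificate generated by an earlier version is replaced on upgrade; one sentence on that would tell administrators whether they need to act.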


-- 
Samba Shared Repository