[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via a6f3bbf17ea CVE-2019-3824 ldb: Release ldb 1.2.4 via c6ec3fc6d0f CVE-2019-3824 ldb: Add tests for ldb_wildcard_match via 8ddaf853404 CVE-2019-3824 ldb: wildcard_match end of data check via c62bd66b84d CVE-2019-3824 ldb: wildcard_match check tree operation via e71cdbe57b5 CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero via 5d6df9adbfd CVE-2019-3824 ldb: Improve code style and layout in wildcard processing via a3c42ff9331 CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap in wildcard processing via e8af7222d2d CVE-2019-3824 ldb: Out of bound read in ldb_wildcard_compare from 23b41ebe1de CVE-2018-14629 dns: fix CNAME loop prevention using counter regression https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit a6f3bbf17ea49838b799aad2bc942105fdf718db Author: Gary Lockyer Date: Wed Feb 20 01:03:41 2019 + CVE-2019-3824 ldb: Release ldb 1.2.4 * CVE-2019-3824 out of bounds read in wildcard compare (bug 13773) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Tue Feb 26 16:52:19 CET 2019 on sn-devel-144 commit c6ec3fc6d0f47885f4ce4fa89ac5644167a7dab0 Author: Gary Lockyer Date: Tue Feb 19 10:24:38 2019 +1300 CVE-2019-3824 ldb: Add tests for ldb_wildcard_match Add cmocka tests for ldb_wildcard_match. Running test_wildcard_match under valgrind reproduces CVE-2019-3824 out of bounds read in wildcard compare (bug 13773) valgrind --suppressions=lib/ldb/tests/ldb_match_test.valgrind\ bin/ldb_match_test BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer commit 8ddaf853404f3cddef84b77b38951526d73ffbda Author: Gary Lockyer Date: Tue Feb 19 10:26:56 2019 +1300 CVE-2019-3824 ldb: wildcard_match end of data check ldb_handler_copy and ldb_val_dup over allocate by one and add a trailing '\0' to the data, to make them safe to use the C string functions on. However testing for the trailing '\0' is not the correct way to test for the end of a value, the length should be checked instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer commit c62bd66b84defc73465e5f16f230f1855fb3bde3 Author: Gary Lockyer Date: Tue Feb 19 10:26:25 2019 +1300 CVE-2019-3824 ldb: wildcard_match check tree operation Check the operation type of the passed parse tree, and return LDB_INAPPROPRIATE_MATCH if the operation is not LDB_OP_SUBSTRING. A query of "attribute=*" gets parsed as LDB_OP_PRESENT, checking the operation and failing ldb_wildcard_match should help prevent confusion writing tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer commit e71cdbe57b5c86e597f1c007c07c66df652038c5 Author: Gary Lockyer Date: Tue Feb 19 10:25:24 2019 +1300 CVE-2019-3824 ldb: ldb_parse_tree use talloc_zero Initialise the created ldb_parse_tree with talloc_zero, this ensures that it is correctly initialised if inadvertently passed to a function expecting a different operation type. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Gary Lockyer commit 5d6df9adbfd279cc0da7d5cae90cd724b635e97c Author: Andrew Bartlett Date: Mon Feb 4 11:22:50 2019 +1300 CVE-2019-3824 ldb: Improve code style and layout in wildcard processing BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Andrew Bartlett commit a3c42ff9331642ea989cba20175b7813050b9f5f Author: Andrew Bartlett Date: Mon Feb 4 11:22:34 2019 +1300 CVE-2019-3824 ldb: Extra comments to clarify no pointer wrap in wildcard processing BUG: https://bugzilla.samba.org/show_bug.cgi?id=13773 Signed-off-by: Andrew Bartlett commit e8af7222d2de69d19216b922d5a85e4259ea5c40 Author: Lukas Slebodnik Date: Fri Jan 18 16:37:24 2019 +0100 CVE-2019-3824 ldb: Out of bound read in ldb_wildcard_compare There is valgrind error in few tests tests/test-generic.sh 91 echo "Test wildcard match" 92 $VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif || exit 1 93 $VALGRIND ldbsearch '(cn=test*multi)' || exit 1 95 $VALGRIND ldbsearch '(cn=*test_multi)' || exit 1 97 $VALGRIND ldbsearch '(cn=test*multi*test*multi)' || exit 1 e.g. ==3098== Memcheck, a memory error detector ==3098== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==3098== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info ==3098== Command: ./bin/ldbsearch (cn=test*multi) ==3098== ==3098==
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 23b41ebe1de CVE-2018-14629 dns: fix CNAME loop prevention using counter regression via afc79912685 CVE-2018-14629: Tests to expose regression from dns cname loop fix via 29481e9dd5d .gitlab-ci.yml: Adapt to current GitLab CI setup via 463ee44 gitlab-ci: add .gitlab-ci.yml via fcbea2c7c96 CVE-2018-16853: fix crash in expired passowrd case via 09b9a9bed3a CVE-2018-16853: Do not segfault if client is not set via 03607d79e35 CVE-2018-16853: Add a test to verify s4u2self doesn't crash via 22794132513 CVE-2018-16853: The ticket in check_policy_as can actually be a TGS via 51518080df9 CVE-2018-16853: Fix kinit test on system lacking ldbsearch from c4ec9d57608 VERSION: Bump version up to 4.7.13. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 23b41ebe1deca762e03d4d688f0a11e11f809afd Author: Stefan Metzmacher Date: Wed Nov 28 15:21:56 2018 +0100 CVE-2018-14629 dns: fix CNAME loop prevention using counter regression The loop prevention should only be done for CNAME records! Otherwise we truncate the answer records for A, or SRV queries, which is a bad idea if you have more than 20 DCs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Dec 4 08:52:29 CET 2018 on sn-devel-144 (cherry picked from commit 34f4491d79b47b2fe2457b8882f11644cf773bc4) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Dec 7 16:59:16 CET 2018 on sn-devel-144 commit afc799126853e1ce9cb498c4cc0eb17b9e0dd565 Author: Aaron Haslett Date: Fri Nov 30 18:37:27 2018 +1300 CVE-2018-14629: Tests to expose regression from dns cname loop fix These tests expose the regression described by Stefan Metzmacher in discussion on the bugzilla paged linked below. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by: Aaron Haslett Reviewed-by: Douglas Bagnall Reviewed-by: Stefan Metzmacher (cherry picked from commit 14399fd818b130a6347eec860460929c292d5996) commit 29481e9dd5dc1765d1108eee5d6ab2a3551c5192 Author: Andrew Bartlett Date: Tue Jun 26 14:59:26 2018 +1200 .gitlab-ci.yml: Adapt to current GitLab CI setup Signed-off-by: Andrew Bartlett (cherry picked from commit fb522c1ba0afa1b2298e66dfde42806cae72e5b9) commit 463ee44ec1757b9b16d293a331e2f5c962e6 Author: Joe Guo Date: Wed Sep 20 09:33:27 2017 +1200 gitlab-ci: add .gitlab-ci.yml Add .gitlab-ci.yml file, and define build jobs in groups. Once gitlab-runner set up, builds and tests can be triggered automatically in parallel when push to gitlab. Also, with gitlab-runner autoscale mode, build instances will be created and removed on demand. Signed-off-by: Joe Guo Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Oct 31 15:32:16 CET 2017 on sn-devel-144 (cherry picked from commit 8be4236b323b5f755ff6c0bf0a4a5fb99343c84d) commit fcbea2c7c9680ad7e24235150d61f9a0aee36bb4 Author: Isaac Boukris Date: Wed Nov 7 22:53:35 2018 +0200 CVE-2018-16853: fix crash in expired passowrd case When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required. Fixes expired passowrd case in samba4.blackbox.kinit test. Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 09b9a9bed3aae0fbd945921849cd66ce9e22e0ea Author: Andreas Schneider Date: Wed Sep 28 07:22:32 2016 +0200 CVE-2018-16853: Do not segfault if client is not set This can be triggered with FAST but we don't support this yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 03607d79e358c664bcf25a5304684dccb49b3ffe Author: Isaac Boukris Date: Sat Aug 18 16:01:59 2018 +0300 CVE-2018-16853: Add a test to verify s4u2self doesn't crash BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 22794132513e7c8ddc3cff98f7786a48554499dc Author: Isaac Boukris Date: Sat Aug 18 00:40:30 2018 +0300 CVE-2018-16853: The ticket in check_policy_as can actually be a TGS This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Bou
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via c4ec9d57608 VERSION: Bump version up to 4.7.13. via ba16fccfccc Merge tag 'samba-4.7.12' into v4-7-test via b7d190f89d7 VERSION: Disable GIT_SNAPSHOT for the 4.7.12 release. via fb5d78cfa06 WHATSNEW: Add release notes for Samba 4.7.12. via 5f7f57fbe30 CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental via ac0b38fb285 CVE-2018-16851 ldap_server: Check ret before manipulating blob via b49c87f8d64 CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ via e1026a1685b CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal via f7a8294d65e CVE-2018-14629 dns: CNAME loop prevention using counter via 32299234424 VERSION: Bump version up to 4.7.12... from 787ab099388 VERSION: Bump version up to 4.7.12... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit c4ec9d57608a1d010973890d91f9ae9bba6a9ebc Author: Karolin Seeger Date: Tue Nov 27 11:08:33 2018 +0100 VERSION: Bump version up to 4.7.13. Signed-off-by: Karolin Seeger commit ba16fccfcccd408a01b2bf1c6f7212c1a18eb1fd Merge: 787ab099388 b7d190f89d7 Author: Karolin Seeger Date: Tue Nov 27 11:08:12 2018 +0100 Merge tag 'samba-4.7.12' into v4-7-test samba: tag release samba-4.7.12 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 103 +- python/samba/tests/dns.py | 24 +++ selftest/knownfail.d/dns | 6 ++ source4/dns_server/dns_query.c| 6 ++ source4/kdc/db-glue.c | 6 +- source4/ldap_server/ldap_server.c | 4 +- testprogs/blackbox/test_pkinit_heimdal.sh | 8 +++ wscript | 17 + 9 files changed, 168 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a8a6777bdd1..43f0495fecc 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index e3da5bfadb5..be9dc7e56c3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,102 @@ + == + Release Notes for Samba 4.7.12 + November 27, 2018 + == + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) + + +=== +Details +=== + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. + + This is only possible after authentication with a trusted certificate. + + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. + + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this co
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 787ab09 VERSION: Bump version up to 4.7.12... via 9a8a725 VERSION: Disable GIT_SNAPSHOT for the 4.7.11 release. via db25438 WHATSNEW: Add release notes for Samba 4.7.11. from 145b2ee s3:winbind: Fix regression introduced with bso #12851 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 787ab0993889f5ac06691426d7eca3d78bded4a6 Author: Karolin Seeger Date: Mon Oct 22 12:51:33 2018 +0200 VERSION: Bump version up to 4.7.12... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 9a8a7255853ae8cd73cacf8ca024545b44aec24e Author: Karolin Seeger Date: Mon Oct 22 12:50:50 2018 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.7.11 release. Signed-off-by: Karolin Seeger commit db25438883c2869ae8a300fab19d32a43680c0dc Author: Karolin Seeger Date: Mon Oct 22 12:50:13 2018 +0200 WHATSNEW: Add release notes for Samba 4.7.11. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 69 ++-- 2 files changed, 68 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a9c988c..a8a6777 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 98fcfe5..e3da5bf 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,69 @@ == + Release Notes for Samba 4.7.11 + October 23, 2018 + == + + +Please note that this will very likely be the last bugfix release of the Samba +4.7 release series. There will be security fixes only beyond this point. + + +Changes since 4.7.10: + + +o Paulo Alcantara + * BUG 13578: s3: util: Do not take over stderr when there is no log file. + +o Jeremy Allison + * BUG 13585: s3: smbd: Ensure get_real_filename() copes with empty pathnames. + * BUG 13633: s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test. + +o Ralph Boehme + * BUG 13549: Durable Reconnect fails because cookie.allow_reconnect is not + set redundant for SMB2. + +o Alexander Bokovoy + * BUG 13539: krb5-samba: Interdomain trust uses different salt principal. + +o Volker Lendecke + * BUG 13362: Fix possible memory leak in the Samba process. + * BUG 13441: vfs_fruit: Don't unlink the main file. + * BUG 13602: smbd: Fix a memleak in async search ask sharemode. + +o Stefan Metzmacher + * BUG 11517: Fix Samba GPO issue when Trust is enabled. + * BUG 13539: samba-tool: Add virtualKerberosSalt attribute to 'user + getpassword/syncpasswords'. + * BUG 13624: smb2_server: Set req->do_encryption = true earlier. + +o Andreas Schneider + * BUG 12851: s3:winbind: Fix regression. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + == Release Notes for Samba 4.7.10 August 27, 2018 == @@ -100,8 +165,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- + = Release Notes for Samba 4.7.9 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 145b2ee s3:winbind: Fix regression introduced with bso #12851 from 9885da4 smb2_server: set req->do_encryption = true earlier https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 145b2ee5b0df35d1c1b6a316e04e49a8a5816cee Author: Andreas Schneider Date: Wed Jun 20 11:38:28 2018 +0200 s3:winbind: Fix regression introduced with bso #12851 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851 Pair-Programmed-With: Guenther Deschner Signed-off-by: Andreas Schneider Signed-off-by: Guenther Deschner (cherry picked from commit c1c764925e24788905ab91aa455b415765d6f71f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Oct 19 15:17:27 CEST 2018 on sn-devel-144 --- Summary of changes: source3/winbindd/wb_getpwsid.c | 28 ++-- 1 file changed, 10 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c index 0595034..c7cbb53 100644 --- a/source3/winbindd/wb_getpwsid.c +++ b/source3/winbindd/wb_getpwsid.c @@ -95,25 +95,17 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) info->domain_name, acct_name, &mapped_name); - if (NT_STATUS_IS_OK(status)) { - output_username = fill_domain_username_talloc(state, -info->domain_name, -mapped_name, true); - if (output_username == NULL) { - tevent_req_nterror(req, NT_STATUS_NO_MEMORY); - return; - } + if (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { fstrcpy(acct_name, mapped_name); - } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { - fstrcpy(acct_name, mapped_name); - } else { - output_username = fill_domain_username_talloc(state, -info->domain_name, -acct_name, true); - if (output_username == NULL) { - tevent_req_nterror(req, NT_STATUS_NO_MEMORY); - return; - } + } + output_username = fill_domain_username_talloc(state, + info->domain_name, + acct_name, + true); + if (output_username == NULL) { + tevent_req_nterror(req, NT_STATUS_NO_MEMORY); + return; } strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name)); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 9885da4 smb2_server: set req->do_encryption = true earlier via fcdce95 s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion from 1f634f3 s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 9885da4b6645465a3b9020f5d430892c949a8254 Author: Stefan Metzmacher Date: Fri Aug 17 11:35:41 2018 +0200 smb2_server: set req->do_encryption = true earlier The STATUS_SESSION_EXPIRED error was returned unencrypted, if the request was encrypted. If clients use SMB3 encryption and the kerberos authenticated session expires, clients disconnect the connection instead of doing a reauthentication. From https://blogs.msdn.microsoft.com/openspecification/2012/10/05/encryption-in-smb-3-0-a-protocol-perspective/ The sender encrypts the message if any of the following conditions is satisfied: - If the sender is sending a response to an encrypted request. - If Session.EncryptData is TRUE and the request or response being sent is not NEGOTIATE. - If Session.EncryptData is FALSE, the request or response being sent is not NEGOTIATE or SESSION_SETUP or TREE_CONNECT, and .EncryptData is TRUE. [MS-SMB2] 3.3.4.1.4 Encrypting the Message If Connection.Dialect belongs to the SMB 3.x dialect family and Connection.ClientCapabilities includes the SMB2_GLOBAL_CAP_ENCRYPTION bit, the server MUST encrypt the message before sending, if any of the following conditions are satisfied: - If the message being sent is any response to a client request for which Request.IsEncrypted is TRUE. - If Session.EncryptData is TRUE and the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP. - If Session.EncryptData is FALSE, the response being sent is not SMB2_NEGOTIATE or SMB2 SESSION_SETUP or SMB2 TREE_CONNECT, and Share.EncryptData for the share associated with the TreeId in the SMB2 header of the response is TRUE. The server MUST encrypt the message as specified in section 3.1.4.3, before sending it to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Oct 2 14:11:30 CEST 2018 on sn-devel-144 (cherry picked from commit 4ef45e5334d5874f5d0fdc69286b745ebcdc612d) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Oct 10 15:51:31 CEST 2018 on sn-devel-144 commit fcdce95838db67b04ef8c5525fab18e76b78f5a5 Author: Stefan Metzmacher Date: Fri Sep 28 12:23:37 2018 +0200 s4:torture: split smb2.session.expire{1,2} to run with signing and encryptpion This reproduces the problem we have with expired encrypted sessions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13624 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (cherry picked from commit 01b868455c9bae309d1ca7ddad54077fc5d7f4b1) --- Summary of changes: source3/smbd/smb2_server.c | 15 - source4/torture/smb2/session.c | 50 ++ 2 files changed, 56 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 177e5ff..af065e9 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2364,7 +2364,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) req->async_internal = false; req->do_signing = false; - req->do_encryption = false; + if (opcode != SMB2_OP_SESSSETUP) { + req->do_encryption = encryption_desired; + } else { + req->do_encryption = false; + } req->was_encrypted = false; if (intf_v->iov_len == SMB2_TF_HDR_SIZE) { const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req); @@ -2388,9 +2392,11 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) } req->was_encrypted = true; + req->do_encryption = true; } if (encryption_required && !req->was_encrypted) { + req->do_encryption = true; return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED); } @@ -2526,15 +2532,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) encryption_required = true; } if (encryption_required && !req->was_encrypted) { +
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 1f634f3 s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test. from 629466e lib: Hold at most 10 outstanding paged result cookies https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 1f634f328c46ac2dbfccbaf2efa52436299f4a3b Author: Jeremy Allison Date: Thu Sep 27 14:12:47 2018 -0700 s3: smbd: Prevent valgrind errors in smbtorture3 POSIX test. Missing fsp talloc free and linked list delete in error paths in close_directory(). Now matches close_normal_file() and close_fake_file(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13633 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Sep 29 05:32:41 CEST 2018 on sn-devel-144 (cherry picked from commit 660dbfaeff493359474ebdb36098ac49b3f7ba0c) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Oct 9 17:20:22 CEST 2018 on sn-devel-144 --- Summary of changes: source3/smbd/close.c | 4 1 file changed, 4 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 095feec..9c9217b 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -1081,6 +1081,8 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, if (lck == NULL) { DEBUG(0, ("close_directory: Could not get share mode lock for " "%s\n", fsp_str_dbg(fsp))); + close_filestruct(fsp); + file_free(req, fsp); return NT_STATUS_INVALID_PARAMETER; } @@ -1164,6 +1166,8 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp, if (!NT_STATUS_IS_OK(status)) { DEBUG(5, ("delete_all_streams failed: %s\n", nt_errstr(status))); + close_filestruct(fsp); + file_free(req, fsp); return status; } } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 629466e lib: Hold at most 10 outstanding paged result cookies via 5968278 lib: Put "results_store" into a doubly linked list from dccaea5 krb5-samba: interdomain trust uses different salt principal https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 629466ec5662248ffeba1faf7b7e6c9dbf46512f Author: Volker Lendecke Date: Mon May 7 16:53:00 2018 +0200 lib: Hold at most 10 outstanding paged result cookies Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue May 15 09:37:21 CEST 2018 on sn-devel-144 (cherry picked from commit 9fbd4672b06de5333a9c44fc126b8edac0b9d31a) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Sep 28 13:55:34 CEST 2018 on sn-devel-144 commit 59682787ad97674c49c084acd161bb81aacb16b8 Author: Volker Lendecke Date: Mon May 7 16:41:55 2018 +0200 lib: Put "results_store" into a doubly linked list Bug: https://bugzilla.samba.org/show_bug.cgi?id=13362 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 8063995a92fffc93aa9d6d1d92a75bf3f3c9592b) --- Summary of changes: lib/ldb/modules/paged_results.c | 43 - 1 file changed, 25 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb/modules/paged_results.c b/lib/ldb/modules/paged_results.c index de014a3..ecb2227 100644 --- a/lib/ldb/modules/paged_results.c +++ b/lib/ldb/modules/paged_results.c @@ -35,6 +35,8 @@ #include "replace.h" #include "system/filesys.h" #include "system/time.h" +#include "dlinklist.h" +#include #include "ldb_module.h" struct message_store { @@ -48,14 +50,13 @@ struct message_store { struct private_data; struct results_store { + struct results_store *prev, *next; struct private_data *priv; char *cookie; time_t timestamp; - struct results_store *next; - struct message_store *first; struct message_store *last; int num_entries; @@ -68,6 +69,7 @@ struct results_store { struct private_data { uint32_t next_free_id; + size_t num_stores; struct results_store *store; }; @@ -75,22 +77,12 @@ struct private_data { static int store_destructor(struct results_store *del) { struct private_data *priv = del->priv; - struct results_store *loop; - - if (priv->store == del) { - priv->store = del->next; - return 0; - } + DLIST_REMOVE(priv->store, del); - for (loop = priv->store; loop; loop = loop->next) { - if (loop->next == del) { - loop->next = del->next; - return 0; - } - } + assert(priv->num_stores > 0); + priv->num_stores -= 1; - /* is not in list ? */ - return -1; + return 0; } static struct results_store *new_store(struct private_data *priv) @@ -120,11 +112,23 @@ static struct results_store *new_store(struct private_data *priv) newr->first_ref = NULL; newr->controls = NULL; - newr->next = priv->store; - priv->store = newr; + DLIST_ADD(priv->store, newr); + + assert(priv->num_stores < SIZE_MAX); + priv->num_stores += 1; talloc_set_destructor(newr, store_destructor); + if (priv->num_stores > 10) { + struct results_store *last; + /* +* 10 is the default for MaxResultSetsPerConn -- +* possibly need to parameterize it. +*/ + last = DLIST_TAIL(priv->store); + TALLOC_FREE(last); + } + return newr; } @@ -381,6 +385,8 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_UNWILLING_TO_PERFORM; } + DLIST_PROMOTE(private_data->store, current); + ac->store = current; /* check if it is an abandon */ @@ -412,6 +418,7 @@ static int paged_request_init(struct ldb_module *module) } data->next_free_id = 1; + data->num_stores = 0; data->store = NULL; ldb_module_set_private(module, data); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via dccaea5 krb5-samba: interdomain trust uses different salt principal via b31ba49 testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt via 5f89783 testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh via fab6d42 samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords' via f7b9267 s4:selftest: test kinit with the interdomain trust user account via 38d7e58 libds: rename UF_MACHINE_ACCOUNT_MASK to UF_TRUST_ACCOUNT_MASK via 17ed5e0 vfs_fruit: Don't unlink the main file via 3d8fdc3 torture: Make sure that fruit_ftruncate only unlinks streams via 0e8298e s3:smbd: add a comment stating that file_close_user() is redundant for SMB2 via b7c659a s3:smbd: let session logoff close files and tcons before deleting the session via 5125304 s3:smbd: reorder tcon global record deletion and closing files of a tcon via 6a179a5 selftest: add a durable handle test with delayed disconnect via 34b4b5b s4:selftest: reformat smb2_s3only list via ada2165 vfs_delay_inject: adding delay to VFS calls via fc3d25b s4:rpc_server/netlogon: don't treet trusted domains as primary in LogonGetDomainInfo() via f77ea35 s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array via f73ef35 s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values via ecffd79 s4:dsdb/common: add samdb_domain_guid() helper function via 14a2695 dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function via 467e6ae dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info() via 8e81aa4 s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo() via 435e096a s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL via 592bdff smbd: Fix a memleak in async search ask sharemode via 8f1183d s3: util: Do not take over stderr when there is no log file from 1cdf976 s3: smbd: Ensure get_real_filename() copes with empty pathnames. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit dccaea50ce57d6718ffd937cc8b97b64c98c0e79 Author: Alexander Bokovoy Date: Fri Feb 16 18:15:28 2018 +0200 krb5-samba: interdomain trust uses different salt principal Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($) The salt principal for the BLA$ user object was generated wrong. dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010 trustDirection: 3 trustPartner: bla.base trustPosixOffset: -2147483648 trustType: 2 trustAttributes: 8 flatName: BLA dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base userAccountControl: 2080 primaryGroupID: 513 objectSid: S-1-5-21-278041429-3399921908-1452754838-1597 accountExpires: 9223372036854775807 sAMAccountName: BLA$ sAMAccountType: 805306370 pwdLastSet: 131485652467995000 The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'. While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Alexander Bokovoy Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144 (cherry picked from commit f3e349bebc443133fdbe4e14b148ca8db8237060) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Wed Sep 5 18:44:46 CEST 2018 on sn-devel-144 commit b31ba498125995dcb67451e4cb28cc27f9e799ed Author: Stefan Metzmacher Date: Tue Sep 4 10:53:52 2018 +0200 testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt This demonstrates the bug we currently have. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 1b31fa62567ec549e32c9177b322cfbfb3b6ec1a) commit 5f8978321fea94bab94810bda4ea4b16928fd150 Author: Stefan Metzmacher Date: Tue Sep 4 10:38:44 2018 +0200 testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh BUG: https:/
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 1cdf976 s3: smbd: Ensure get_real_filename() copes with empty pathnames. from b9b4e96 VERSION: Bump version up to 4.7.9... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 1cdf976a530f1e47b54837a41e141053f4b68d97 Author: Jeremy Allison Date: Tue Aug 21 12:05:34 2018 -0700 s3: smbd: Ensure get_real_filename() copes with empty pathnames. Needed for vfs_glusterfs, as Gluster requires "." not '\0'. Based on a fix from Anoop C S BUG: https://bugzilla.samba.org/show_bug.cgi?id=13585 Signed-off-by: Jeremy Allison Reviewed-by: Ira Cooper Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Aug 22 21:50:41 CEST 2018 on sn-devel-144 (cherry picked from commit 9c71f61ed8a31d287d343d4f2e68cb40c57a2b89) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Aug 29 14:00:12 CEST 2018 on sn-devel-144 --- Summary of changes: source3/smbd/filename.c | 5 + 1 file changed, 5 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c index 1186918..4d79ea1 100644 --- a/source3/smbd/filename.c +++ b/source3/smbd/filename.c @@ -1443,6 +1443,11 @@ int get_real_filename(connection_struct *conn, const char *path, int ret; bool mangled; + /* handle null paths */ + if ((path == NULL) || (*path == 0)) { + path = "."; + } + mangled = mangle_is_mangled(name, conn->params); if (mangled) { -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via b9b4e96 VERSION: Bump version up to 4.7.9... via 2ec3c4d VERSION: Disable GIT_SNAPSHOT for the 4.7.10 release. via eb1028b WHATSNEW: Add release notes for Samba 4.7.10. from b21740a torture: Demonstrate the invalid lock order panic https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit b9b4e96dc4ae0d445f73eaf8d48579bba0c29cfe Author: Karolin Seeger Date: Mon Aug 27 09:51:59 2018 +0200 VERSION: Bump version up to 4.7.9... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 2ec3c4dc3475cac330de3f3d59e39ae42d5f12a8 Author: Karolin Seeger Date: Mon Aug 27 09:51:10 2018 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.7.10 release. Signed-off-by: Karolin Seeger commit eb1028bd49be784ee02ad26a4aa5ea1f77ab810b Author: Karolin Seeger Date: Mon Aug 27 09:50:08 2018 +0200 WHATSNEW: Add release notes for Samba 4.7.10. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 109 +-- 2 files changed, 108 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 96ac5db..a9c988c 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c812417..98fcfe5 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,108 @@ + == + Release Notes for Samba 4.7.10 + August 27, 2018 + == + + +This is the latest stable release of the Samba 4.7 release series. + + +Changes since 4.7.9: + + +o Jeremy Allison + * BUG 13474: python: pysmbd: Additional error path leak fix. + * BUG 13511: libsmbclient: Initialize written value before use. + * BUG 13527: s3: libsmbclient: Fix cli_splice() fallback when reading less + than a complete file. + * BUG 13537: Using "sendfile = yes" with SMB2 can cause CPU spin. + +o Jeffrey Altman + * BUG 11573: heimdal: lib/krb5: Do not fail set_config_files due to parse + error. + +o Andrew Bartlett + * BUG 13519: ldb: Refuse to build Samba against a newer minor version of + ldb. + +o Bailey Berro + * BUG 13511: libsmbclient: Initialize written in cli_splice_fallback(). + +o Alexander Bokovoy + * BUG 13538: samba-tool trust: Support discovery via netr_GetDcName. + +o Ralph Boehme + * BUG 13318: Durable Handles reconnect fails in a cluster when the cluster + fs uses different device ids. + * BUG 13351: s3: smbd: Always set vuid in check_user_ok(). + * BUG 13505: lib: smb_threads: Fix access before init bug. + * BUG 13535: s3: smbd: Fix path check in + smbd_smb2_create_durable_lease_check(). + * BUG 13451: Fail renaming file if that file has open streams. + +o Günther Deschner + * BUG 13437: Fix building Samba with gcc 8.1. + +o David Disseldorp + * BUG 13506: vfs_ceph: Don't lie about flock support. + * BUG 13540: Fix deadlock with ctdb_mutex_ceph_rados_helper. + +o Volker Lendecke + * BUG 13195: g_lock: Fix lock upgrades. + * BUG 13584: vfs_fruit: Fix a panic if fruit_access_check detects a locking + conflict. + +o Gary Lockyer + * BUG 13536: The current position in the dns name was not advanced past the + '.' character. + +o Stefan Metzmacher + * BUG 13308: samba-tool domain trust: Fix trust compatibility to Windows + Server 1709 and FreeIPA. + +o Christof Schmitt + * BUG 13478: krb5_wrap: Fix keep_old_entries logic for older kerberos + libraries. + +o Andreas Schneider + * BUG 13437: Fix building Samba with gcc 8.1. + +o Martin Schwenke + * BUG 13499: Don't use CTDB_BROADCAST_VNNMAP. + * BUG 13500: ctdb-daemon: Only consider client ID for local database attach. + +o Karolin Seeger + * BUG 13499: s3/notifyd.c: Rename CTDB_BROADCAST_VNNMAP to + CTDB_BROADCAST_ACTIVE. + +o Ralph Wuerthner + * BUG 13568: vfs_time_audit: Fix handling of token_blob in + smb_time_audit_offload_read_recv(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the proble
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via b21740a torture: Demonstrate the invalid lock order panic via 8ef80a0 vfs_fruit: Fix a leak of "br_lck" via a73d973 selftest: Load time_audit and full_audit modules for all tests via 0470afa s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv() via a329764 g_lock: Fix lock upgrades via cc4eed2 torture3: Extend the g_lock6 test to also cover upgrades via 72a4177 torture3: add LOCAL-G-LOCK6 test from 50b081a selftest: subunithelper needs to follow the subunit spec more closely https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit b21740a25ac098735fbf27ae4d6063885405a977 Author: Volker Lendecke Date: Mon Aug 6 14:35:15 2018 +0200 torture: Demonstrate the invalid lock order panic BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Aug 21 02:33:05 CEST 2018 on sn-devel-144 (cherry picked from commit ec3c37ee53f21d8c0e80b1d3b3d7e95a4ac8e0bc) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Aug 23 15:48:56 CEST 2018 on sn-devel-144 commit 8ef80a001b961309d820a61404d41e23bef9ad1c Author: Volker Lendecke Date: Mon Aug 6 14:33:34 2018 +0200 vfs_fruit: Fix a leak of "br_lck" Fix a panic if fruit_access_check detects a locking conflict. do_lock() returns a valid br_lck even in case of a locking conflict. Not free'ing it leads to a invalid lock order panic later, because "br_lck" corresponds to a dbwrap lock on brlock.tdb. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 51d57073798f76ec4f1261945e0ba779b2530009) commit a73d973f0869fb92723bf5acf86a9eaf4029 Author: Christof Schmitt Date: Fri Aug 10 10:38:28 2018 -0700 selftest: Load time_audit and full_audit modules for all tests Previously the only test was to load these modules to trigger the smb_vfs_assert_all_fns check. As these modules just pass through the calls, they can be loaded for all tests to ensure that the codepaths are exercised. This would have found the problem in smb_time_audit_offload_read_recv. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Mon Aug 13 22:35:20 CEST 2018 on sn-devel-144 (cherry picked from commit a98f09a09db2fc7be85f9171b586e65344a39e92) commit 0470afae4398c2bae388dd30d31d85bd6cf469c9 Author: Ralph Wuerthner Date: Wed Aug 8 17:42:18 2018 +0200 s3: vfs: time_audit: fix handling of token_blob in smb_time_audit_offload_read_recv() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13568 Signed-off-by: Ralph Wuerthner Reviewed-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 4909b966050c921b0a6a32285fee55f5f14dc3ff) commit a3297648fa049471cc6b3767e34d9b8731473bd9 Author: Volker Lendecke Date: Tue Aug 14 14:31:01 2018 +0200 g_lock: Fix lock upgrades Master has changed significantly, this is a minimum fix for 4.7 without cleaning up the code BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit cc4eed27367822c1829778cb0599c962b54e17f6 Author: Volker Lendecke Date: Tue Aug 14 13:54:56 2018 +0200 torture3: Extend the g_lock6 test to also cover upgrades The fixes for #13195 were incomplete and did not cover upgrades properly. It's all gone in master with the new code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher commit 72a417741bf90b1a20e4d28cf720d43a3a358d03 Author: Stefan Metzmacher Date: Wed Dec 20 09:44:40 2017 +0100 torture3: add LOCAL-G-LOCK6 test This is a regression test for bug #13195. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke --- Summary of changes: selftest/target/Samba3.pm| 12 +-- source3/lib/g_lock.c | 4 + source3/modules/vfs_fruit.c | 24 -- source3/modules/vfs_time_audit.c | 12 +-- source3/selftest/tests.py| 1 + source3/torture/proto.h | 1 + source3/torture/test_g_lock.c| 168 +++ source3/torture/torture.c| 1 + source4/torture/vfs/fruit.c
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 50b081a selftest: subunithelper needs to follow the subunit spec more closely via 9dcded3 unittests.lib_util_modules: test module probe with "skel", not "unix" via cfcee58 ctdb: add expiry test for ctdb_mutex_ceph_rados_helper via 0056094 ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals via 3ec4c73 ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev via 05295db ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup via 8c16413 ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler via a18bcf2 ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common from fe6886e VERSION: Bump version up to 4.7.10. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 50b081a609e03cd6cfda89ffb78c14ba1cbccdbc Author: Douglas Bagnall Date: Thu Feb 22 12:46:47 2018 +1300 selftest: subunithelper needs to follow the subunit spec more closely In particular allow ]\n without \n]\n as used by cmocka Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 7d79575de8e47a0ce03e30c3ea84176be696269f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Aug 21 16:10:23 CEST 2018 on sn-devel-144 commit 9dcded330bfaa473f960cf33f50df9598cbe457f Author: Douglas Bagnall Date: Thu Feb 22 11:26:00 2018 +1300 unittests.lib_util_modules: test module probe with "skel", not "unix" The unix module is not available as a module on some systems. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit cb5f1f3b262467faba59b3b323e240d1351d5fc0) commit cfcee58488410feb9901ba6e5e26efaeee847e1a Author: David Disseldorp Date: Fri Jul 20 17:20:08 2018 +0200 ctdb: add expiry test for ctdb_mutex_ceph_rados_helper Kill the ctdb_mutex_ceph_rados_helper with SIGKILL and then confirm that the lock is automatically released following expiry. Signed-off-by: David Disseldorp Reviewed-by: Samuel Cabrero Reviewed-by: Amitay Isaacs Autobuild-User(master): David Disseldorp Autobuild-Date(master): Thu Aug 9 16:26:36 CEST 2018 on sn-devel-144 (cherry picked from commit 4abf348ec4cbb78d3216d5e8c5f3020d4499f10a) commit 0056094519166614c7c6d6f0851ea183d54f8721 Author: David Disseldorp Date: Thu Jul 19 11:55:23 2018 +0200 ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals RADOS locks without expiry persist indefinitely. This results in CTDB deadlock during failover if the recovery master dies unexpectedly, as subsequently elected recovery master nodes can't obtain the recovery lock. Avoid deadlock by using a lock expiration time (10s by default), and renewing it periodically. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13540 Signed-off-by: David Disseldorp Reviewed-by: Samuel Cabrero Reviewed-by: Amitay Isaacs (cherry picked from commit ce289e89e5c469cf2c5626dc7f2666b945dba3bd) commit 3ec4c73a53ec8a9d7d73aad3c88b86e73cbb07fc Author: David Disseldorp Date: Tue Jul 17 23:36:36 2018 +0200 ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev In preparation for adding a lock refresh timer. Signed-off-by: David Disseldorp Reviewed-by: Samuel Cabrero Reviewed-by: Amitay Isaacs (cherry picked from commit 91a89c146453ca203a83dc2ba555bb93276c4d7f) commit 05295db70482c35d58ef4a9d541b3ff508769af6 Author: David Disseldorp Date: Thu Jul 19 18:46:27 2018 +0200 ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup Signed-off-by: David Disseldorp Reviewed-by: Samuel Cabrero Reviewed-by: Amitay Isaacs (cherry picked from commit 8d30fd591600ac17c742cd78c7bc4056bba6b877) commit 8c16413f6497615e9deaff0199cc734b679e3b1d Author: Samuel Cabrero Date: Fri Jun 15 18:15:53 2018 +0200 ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler Set a handler for SIGINT to release the lock. Signed-off-by: Samuel Cabrero Reviewed-by: David Disseldorp Reviewed-by: Amitay Isaacs (cherry picked from commit 85706bd27535eaa4ec653f99b1910fbd8f2aab88) commit a18bcf23a265b71fa88e1963ea23dfd26beaaec3 Author: David Disseldorp Date: Mon Jul 9 14:53:00 2018 +0200 ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common ceph-common linkage is needed with new versions of Ceph. Also respect the --libcephfs_dir= parameter when provided. Signed-off-by: David Disseldorp Reviewed-by: Amitay Isaacs (cherry picked from commit bd64af6b8861f892e6ae2840a493f037d1e0a06c) --- Summary of changes: ctdb/utils/ceph/ctdb_mutex_ceph_rad
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via fe6886e VERSION: Bump version up to 4.7.10. via 764141d Merge tag 'samba-4.7.9' into v4-7-test via 3e5da7e VERSION: Disable GIT_SNAPSHOT for the 4.7.9 release. via 36ad973 WHATSNEW: Add release notes for Samba 4.7.9. via 9ff1d90 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". via cd2e11d CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled. via 304ad86 CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check(). via 29f2fe7 CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check() via a5fe27c CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() via b2a68d6 selftest/tests.py: remove always-needed, never-set with_cmocka flag via e0bb0b6 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case via 9b17ce9 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches via 717bde3 CVE-2018-10919 acl_read: Flip the logic in the dirsync check via df6c1db CVE-2018-10919 acl_read: Small refactor to aclread_callback() via e95c621 CVE-2018-10919 acl_read: Split access_mask logic out into helper function via ddd6279 CVE-2018-10919 tests: test ldap searches for non-existent attributes. via 1594cad CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights via 938a55c CVE-2018-10919 tests: Add test case for object visibility with limited rights via 49920e7 CVE-2018-10919 tests: Add tests for guessing confidential attributes via 81865e8 CVE-2018-10919 security: Add more comments to the object-specific access checks via 12f97f9 CVE-2018-10919 security: Move object-specific access checks into separate function via 49d940f CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user via 011d25d CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers. via 02db55b CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer. via 9cf4b08 VERSION: Bump version up to 4.7.9... from a431bdf s3: smbd: Fix AIX sendfile() for SMB2. Ensure we don't spin on EAGAIN. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit fe6886ee4d0ff66ddd21f777e176fdc6a323646b Author: Karolin Seeger Date: Tue Aug 14 12:18:43 2018 +0200 VERSION: Bump version up to 4.7.10. Signed-off-by: Karolin Seeger commit 764141d4f4d1d253f6cbabf60e32a9e98d7a0f45 Merge: a431bdf 3e5da7e Author: Karolin Seeger Date: Tue Aug 14 12:18:19 2018 +0200 Merge tag 'samba-4.7.9' into v4-7-test samba: tag release samba-4.7.9 --- Summary of changes: VERSION|2 +- WHATSNEW.txt | 83 +- libcli/auth/ntlm_check.c | 10 +- libcli/auth/tests/ntlm_check.c | 413 ++ libcli/auth/wscript_build | 13 + libcli/security/access_check.c | 110 ++- selftest/knownfail |3 +- selftest/tests.py | 20 +- source3/libsmb/libsmb_dir.c| 57 +- source3/libsmb/libsmb_path.c |9 +- source3/selftest/tests.py |2 +- source3/utils/ntlm_auth.c |6 +- source4/dsdb/samdb/cracknames.c|8 +- source4/dsdb/samdb/ldb_modules/acl_read.c | 331 +++- source4/dsdb/tests/python/acl.py | 68 ++ source4/dsdb/tests/python/confidential_attr.py | 1025 source4/dsdb/tests/python/ldap.py |9 + source4/selftest/tests.py |3 + source4/torture/drs/python/cracknames.py | 38 + 19 files changed, 2117 insertions(+), 93 deletions(-) create mode 100644 libcli/auth/tests/ntlm_check.c create mode 100755 source4/dsdb/tests/python/confidential_attr.py Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b3be468..96ac5db 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=9 +SAMBA_VERSION_RELEASE=10 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 54a9398..c812417 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,83 @@ = + Release Notes for Samba 4.7
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via a431bdf s3: smbd: Fix AIX sendfile() for SMB2. Ensure we don't spin on EAGAIN. via 7bf1568 s3: smbd: Fix FreeBSD sendfile() for SMB2. Ensure we don't spin on EAGAIN. via adb7d6a s3: smbd: Fix HPUX sendfile() for SMB2. Ensure we don't spin on EAGAIN. via 2c58fbd s3: smbd: Fix Solaris sendfile() for SMB2. Ensure we don't spin on EAGAIN. via c166fa0 s3: smbd: Fix Linux sendfile() for SMB2. Ensure we don't spin on EAGAIN. via 2bc9c4d dns wildcards: fix BUG 13536 via c6d9862 dns wildcards: tests to confirm BUG 13536 via 066ba51 s3: smbd: fix path check in smbd_smb2_create_durable_lease_check() via 0c37304 s4: torture: run test_durable_v2_open_reopen2_lease() in a subdirectory via 80c7e28 s3: libsmbclient: Fix cli_splice() fallback when reading less than a complete file. via a7783f5 s3: torture: Test SMB1 cli_splice() fallback path when doing a non-full file splice. via 6cf5809 docs/vfs_ceph: add CTDB_SAMBA_SKIP_SHARE_CHECK=yes caveat via be42bf4 vfs_ceph: don't lie about flock support via 5bfa46c ldb: Refuse to build Samba against a newer minor version of ldb via 7658ffc samba-tool trust: support discovery via netr_GetDcName via a500e04 s3:selftest: run rpc.lsa.lookupsids also with explicit [smb1] and [smb2] via 3aaaeb9 s4:librpc: autonegotiate SMB1/2/3 via 882db91 python/tests: use explicit "client ipc max protocol = NT1" for samba.tests.net_join_no_spnego via 80a0c49 tests/auth_log: Permit SMB2 service description if empty binding is used for kerberos authentication via 0af5606 s4:libcli: add smb_connect_nego_{send,recv}() via faa5c60 s4:libcli: allow a fallback to NTLMSSP if SPNEGO is not supported locally via 73f0518 s4:libcli: add fallback_to_anonymous to smb2_connect_send() via b2e0a78 s4:libcli: allow passing an already negotiated connection to smb2_connect_send() via 384a61f s4:libcli: split out smb2_connect_session_start() via 630b5b9 s4:libcli: add smb2_transport_raw_init() via 139ee19 s4:libcli: allow passing an already negotiated connection to smb_composite_connect() via 5bed1ef s4:libcli: use talloc_zero() for struct smb_composite_connect in fetchfile.c via 7ee0293 s4:libcli: add smbcli_transport_raw_init() via b2a3582 s4:libcli: split out smb_raw_negotiate_fill_transport() via 3f03c9a librpc: add binding handle support for [smb1] from 5260dbc s3: smbd: always set vuid in check_user_ok() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit a431bdf08fdad479471bbb2ab0cf86c595260d23 Author: Jeremy Allison Date: Wed Jul 18 15:49:29 2018 -0700 s3: smbd: Fix AIX sendfile() for SMB2. Ensure we don't spin on EAGAIN. For SMB2 the socket is set non-blocking. Ensure sendfile() calls complete if they return EAGAIN by saving the socket state, setting it blocking, doing the sendfile until completion and then restoring the socket state. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13537 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Fri Jul 20 15:14:24 CEST 2018 on sn-devel-144 (cherry picked from commit 582ce5d6b599516d6d8d619529a2aa809139a175) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Sat Jul 28 10:57:39 CEST 2018 on sn-devel-144 commit 7bf15686b60c35c853ae469906baa7d5ed51e4b7 Author: Jeremy Allison Date: Wed Jul 18 15:44:34 2018 -0700 s3: smbd: Fix FreeBSD sendfile() for SMB2. Ensure we don't spin on EAGAIN. For SMB2 the socket is set non-blocking. Ensure sendfile() calls complete if they return EAGAIN by saving the socket state, setting it blocking, doing the sendfile until completion and then restoring the socket state. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13537 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 456e520a3be7e4b54f1f144324c3671b8f6e35ea) commit adb7d6a1f465dcf39e68cdaa3980a0bf65ca35b4 Author: Jeremy Allison Date: Wed Jul 18 15:36:47 2018 -0700 s3: smbd: Fix HPUX sendfile() for SMB2. Ensure we don't spin on EAGAIN. For SMB2 the socket is set non-blocking. Ensure sendfile() calls complete if they return EAGAIN by saving the socket state, setting it blocking, doing the sendfile until completion and then restoring the socket state. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13537 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit d222caa449d9c00bb2dd9da6c79ea509960d47c6) commit 2c58fbdec214d33561e1d1ddad5724d36cfc07f2
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 5260dbc s3: smbd: always set vuid in check_user_ok() from 50e4615 s3: smbd/durable: remove dev and inode check from vfs_default_durable_reconnect_check_stat() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 5260dbc6e380762a83ef98fa68b058030204ddb7 Author: Ralph Boehme Date: Thu Mar 22 08:03:58 2018 +0100 s3: smbd: always set vuid in check_user_ok() A SMB session reauth will have invalidated conn->vuid via conn_clear_vuid_caches(). Ensure conn->vuid always has the vuid of the current user in check_user_ok(). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13351 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Thu Mar 22 18:26:04 CET 2018 on sn-devel-144 (cherry picked from commit 42d6dd2f30b6c3b3176bd1f378422a2eb62b1008) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Jul 26 10:54:01 CEST 2018 on sn-devel-144 --- Summary of changes: source3/smbd/uid.c | 2 ++ 1 file changed, 2 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 6eb5392..b24ae3c 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -202,6 +202,7 @@ static bool check_user_ok(connection_struct *conn, conn->session_info = ent->session_info; conn->read_only = ent->read_only; conn->share_access = ent->share_access; + conn->vuid = ent->vuid; return(True); } } @@ -250,6 +251,7 @@ static bool check_user_ok(connection_struct *conn, ent->share_access = share_access; free_conn_session_info_if_unused(conn); conn->session_info = ent->session_info; + conn->vuid = ent->vuid; if (vuid == UID_FIELD_INVALID) { /* * Not strictly needed, just make it really -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 50e4615 s3: smbd/durable: remove dev and inode check from vfs_default_durable_reconnect_check_stat() via 449d166 libsmbclient: Initialize written in cli_splice_fallback() via 956d7c7 libsmbclient: Initialize written value before use. via 6699ce8 lib: smb_threads: fix access before init bug via c93357b python: pysmbd: Additional error path leak fix. via ab45387 s3:smbd: don't allow renaming basefile if streams are open via 279fa62 s3:locking: add file_has_open_streams() via 2da420e s3:smbd: add private option NTCREATEX_OPTIONS_PRIVATE_STREAM_BASEOPEN via ab32e7a s4:torture/vfs/fruit: adjust test testing basefile rename to expect failure via 7d0b1fd s4:torture/smb2/streams: try to rename basefile while is has open streams via 7f84f9f selftest: run smb2.streams tests against a share with vfs_streams_xattr via 0a3ba68 vfs_fruit: delete 0 byte size streams if AAPL is enabled via 1a500df s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensions via c5ed2b3 s4:torture/vfs/fruit: decrease large resource fork size in test from 1 GB to 64 MB from 58403cb s3/notifyd.c: Rename CTDB_BROADCAST_VNNMAP to CTDB_BROADCAST_ACTIVE. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 50e461549f456959caee56fdea92a73a67c9040e Author: Ralph Boehme Date: Fri Mar 2 15:50:29 2018 +0100 s3: smbd/durable: remove dev and inode check from vfs_default_durable_reconnect_check_stat() On a cluster filesystem the device numbers may differ on the cluster nodes. We already verify the file_id in vfs_default_durable_reconnect(), so we can safely remove the dev/inode checks. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13318 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 0a91ade5272698c094137fa28d2ad4723b5963cf) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Jul 12 17:47:34 CEST 2018 on sn-devel-144 commit 449d166537174e75596fcc84a0732dcd5ee8226c Author: Bailey Berro Date: Tue Jun 26 13:13:39 2018 -0700 libsmbclient: Initialize written in cli_splice_fallback() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13511 Signed-off-by: Bailey Berro Reviewed-by: David Mulder Reviewed-by: Jeremy Allison Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Mon Jul 9 21:29:48 CEST 2018 on sn-devel-144 (cherry picked from commit fe25bc793d30a64f06b19f737c652b0c7389ca92) commit 956d7c7a3cd506a85efb1a5ece09e8698b150167 Author: Jeremy Allison Date: Fri Jul 6 11:46:44 2018 -0700 libsmbclient: Initialize written value before use. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13511 Signed-off-by: Jeremy Allison Reviewed-by: David Disseldorp (cherry picked from commit 2e4878a69a62fb59d843ee53a1a9469b987e3a59) commit 6699ce8ec32205969aafe964779959295eb87098 Author: Ralph Boehme Date: Tue Jul 3 15:30:33 2018 +0200 lib: smb_threads: fix access before init bug talloc_stackframe_internal() calls SMB_THREAD_GET_TLS(global_ts) which calls smb_get_tls_pthread() in the POSIX pthread wrapper implementation. If SMB_THREAD_SET_TLS() hasn't been called before, global_ts is NULL and smb_get_tls_pthread dereferences it so it crashes. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13505 Signed-off-by: Ralph Boehme Reviewed-by: Andreas Schneider (cherry picked from commit e311801e0e7171a2b50e39d3e0c2d2137f8b3d7e) commit c93357b78a61895089d0aac31e18d83fc427bab8 Author: Jeremy Allison Date: Wed Jul 11 15:23:09 2018 -0700 python: pysmbd: Additional error path leak fix. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13474 Signed-off-by: Jeremy Allison commit ab453876876f5843df4ebb01b10245748500a405 Author: Ralph Boehme Date: Sat May 26 18:32:21 2018 +0200 s3:smbd: don't allow renaming basefile if streams are open Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 465b7d07e5db787c3d6330371e5e42ecbb1b57b9) commit 279fa62a634ac7fc0e926a201cb7f547f4a2c1c2 Author: Ralph Boehme Date: Sun May 27 13:03:25 2018 +0200 s3:locking: add file_has_open_streams() This can be used to check if a file opened by fsp also has stream opens. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit dd8cf54c79fe8536e34cde15801d60931cd47b8b) commit 2da420e9f21772b8f544f25cc681fd6645a12823 Author: Ralph Boehme Date: Sun May 27
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 58403cb s3/notifyd.c: Rename CTDB_BROADCAST_VNNMAP to CTDB_BROADCAST_ACTIVE. via 516448f ctdb-tests: Avoid segfault by initializing logging via bea8c19 ctdb-tests: Avoid segfault by initializing logging via 5f0ba9c ctdb-pmda: Use modified API in pcp library 4.0 via 66d36b3 socket_wrapper: Add missing dependency on tirpc via 7fd58cb ctdb-daemon: Only consider client ID for local database attach via b521f79 ctdb-docs: Fix the documentation for VNN map via 99d490d ctdb-server: Rename CTDB_BROADCAST_VNNMAP -> CTDB_BROADCAST_ACTIVE via 9352dd5 ctdb-tests: Add a simple test for database traverses via 93c09bd ctdb-tests: Add check for non-lmaster node status in integration tests from e728f9f s4:kcc: Add a NULL check before qsort() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 58403cb7053d8f0131e2780deb004ae094aa2d5c Author: Karolin Seeger Date: Fri Jul 6 12:38:02 2018 +0200 s3/notifyd.c: Rename CTDB_BROADCAST_VNNMAP to CTDB_BROADCAST_ACTIVE. This fixes the build. Was introduced by a fix for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13499. Signed-off-by: Karolin Seeger Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Jul 9 17:29:44 CEST 2018 on sn-devel-144 commit 516448f203ea4fa721656fe7c92172ba9bdb44a9 Author: Amitay Isaacs Date: Thu Jul 5 13:40:33 2018 +1000 ctdb-tests: Avoid segfault by initializing logging This is in addition to af697008531. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke Autobuild-User(master): Martin Schwenke Autobuild-Date(master): Thu Jul 5 15:22:16 CEST 2018 on sn-devel-144 (cherry picked from commit a30ac853ff9bca023c53ad98775eabb23156c566) commit bea8c194633dc0a9079c19ec213709663a6f5c46 Author: Amitay Isaacs Date: Thu Jun 21 20:00:41 2018 +1000 ctdb-tests: Avoid segfault by initializing logging Setting DEBUGLEVEL before calling debug_init() causes segmentation violation with gcc8. DEBUGLEVEL_CLASS is statically initialized to debug_class_list_initial which is defined as const. Only after debug_init() is called, DEBUGLEVEL_CLASS becomes a talloc'd array. So before modifying DEBUGLEVEL, ensure debug_init() is called via setup_logging(). (debug_init is a static function.) Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit af697008531bd74546656841dd3a1ed92522fc57) commit 5f0ba9c1d94681eb14636509702b720f50bb37ae Author: Amitay Isaacs Date: Thu Mar 1 12:32:26 2018 +1100 ctdb-pmda: Use modified API in pcp library 4.0 Support backward compatibility by checking for __pmID_int type, which was previously in . In the new version, this type is not defined anymore and there is no need to include . Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke Autobuild-User(master): Martin Schwenke Autobuild-Date(master): Fri Mar 2 00:38:52 CET 2018 on sn-devel-144 (cherry picked from commit 426e4a5a20cff73a80d80b46f15826deac3f934f) commit 66d36b3199166ff40234fba1bdbd32e02686c164 Author: Amitay Isaacs Date: Mon May 14 16:52:58 2018 +1000 socket_wrapper: Add missing dependency on tirpc Signed-off-by: Amitay Isaacs Reviewed-by: Andreas Schneider Autobuild-User(master): Amitay Isaacs Autobuild-Date(master): Tue May 22 13:57:07 CEST 2018 on sn-devel-144 (cherry picked from commit 7049b2153b08152f03a0fcbb1817b430fe0a8451) commit 7fd58cbec458a353f8732c7becadb5fc2315695c Author: Martin Schwenke Date: Tue Jun 26 20:12:23 2018 +1000 ctdb-daemon: Only consider client ID for local database attach The comment immediately above this code says "don't allow local clients to attach" and then looks up the client ID regardless of whether the request is local or remote. This means that an intentional remote attach from a client will not work correctly. No real client should ever do that since clients attach so they an access databases locally. Perhaps some sanity checks should be added. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13500 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit 63255ef92552da92956c05160f33622d0bbc3a28) commit b521f79e4ab64c0de5f1c9a81f051fb1f3a8514d Author: Martin Schwenke Date: Fri Jun 15 06:07:54 2018 +1000 ctdb-docs: Fix the documentation for VNN map It is incorrectly says that nodes not in the VNN map can not be DMASTER. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13499 Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit af4
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via e728f9f s4:kcc: Add a NULL check before qsort() via 84bac58 s3:smbget: Fix buffer truncation issues with gcc8 via e0a7415 s3:registry: Fix buffer truncation issues issues with gcc8 via ce0b090 samdb: Fix build error with gcc8 via bc6a072 s3-winbindd: remove unused fill_domain_username() via 6fa0630 s3-winbindd: use fill_domain_username_talloc() in winbind. via 7b6a1de s3:libnet: Fix format-truncation warning in samsync_ldif via 6aaf3a8 lib: Fix array size in audit_logging via aab4aca s4:ntvfs: Fix string copy of share_name via 461bd25 lib:util: Fix parameter aliasing in tfork test via 99ab2e2 s3:passdb: Fix size of ascii_p16 via 992faaa s3:lib: Use memcpy() in escape_ldap_string() via 7cf1573 s4:torture: Use strlcpy() in gen_name() via c4a2cd3 s3-utils: fix format-truncation in smbpasswd via 911417a s4-torture: fix format-truncation warning in smb2 session tests. via c146fd8 s3-printing: fix format-truncation in print_queue_update() from 454f425 heimdal: lib/krb5: do not fail set_config_files due to parse error https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit e728f9f4e0c4a2a196b87d02f33892cdd0e032c2 Author: Andreas Schneider Date: Thu Jun 21 11:11:58 2018 +0200 s4:kcc: Add a NULL check before qsort() ../source4/dsdb/kcc/kcc_topology.c: In function ‘kcctpl_get_all_bridgehead_dcs.constprop’: ../source4/dsdb/kcc/kcc_topology.c:1330:3: error: argument 1 null where non-null expected [-Werror=nonnull] qsort(bridgeheads.data, bridgeheads.count, ^~ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Jun 27 14:52:13 CEST 2018 on sn-devel-144 commit 84bac589f3d4f8ce7131d374963f275ea80af80b Author: Andreas Schneider Date: Mon Jun 18 10:43:53 2018 +0200 s3:smbget: Fix buffer truncation issues with gcc8 ../source3/utils/smbget.c: In function ‘smb_download_file’: ../source3/utils/smbget.c:97:27: error: ‘b’ directive output may be truncated writing 1 byte into a region of size between 0 and 19 [-Werror=format-truncation=] snprintf(buffer, l, "%jdb", (intmax_t)s); ^ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 4a3164e0beea35c1f4ce44fbe43547f7104587d1) commit e0a7415b48cf986ae8359e88dfd1eee51b7a2cb8 Author: Andreas Schneider Date: Mon Jun 18 10:34:27 2018 +0200 s3:registry: Fix buffer truncation issues issues with gcc8 ../source3/registry/reg_perfcount.c: In function ‘reg_perfcount_get_hkpd’: ../source3/registry/reg_perfcount.c:337:29: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] snprintf(buf, buflen,"%d%s", key_part1, key_part2); BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 29f6842ee86b768f3677b38c5640655e312c398e) commit ce0b0908b7753d6daf5162c9694f9c96bc8b563d Author: Andreas Schneider Date: Mon Jun 18 10:24:06 2018 +0200 samdb: Fix build error with gcc8 ../source4/dsdb/samdb/ldb_modules/samldb.c: In function ‘samldb_add’: ../source4/dsdb/samdb/ldb_modules/samldb.c:424:6: error: ‘found’ may be used uninitialized in this function [-Werror=maybe-uninitialized] if (found) { ^ ../source4/dsdb/samdb/ldb_modules/samldb.c:348:11: note: ‘found’ was declared here bool ok, found; ^ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 76828876faa3cd463023e323983df0be597c7361) commit bc6a07241d30118589dd61d061a3a4498d0a6757 Author: Günther Deschner Date: Tue May 8 11:19:42 2018 +0200 s3-winbindd: remove unused fill_domain_username() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit b24d4eb7afad82afc3a9bab65e1d799edc4b5172) commit 6fa063049a685970f962394aee034b4388e4be26 Author: Günther Deschner Date: Tue May 8 11:18:56 2018 +0200 s3-winbindd: use fill_domain_username_talloc() in winbind. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider (cherry picked from commit
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 454f425 heimdal: lib/krb5: do not fail set_config_files due to parse error via cdf16fd krb5_wrap: fix keep_old_entries logic for older kerberos libraries from 0b95014 VERSION: Bump version up to 4.7.9... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 454f425048151e52fca2094b99f295935370f858 Author: Jeffrey Altman Date: Thu Jun 16 16:25:41 2016 -0400 heimdal: lib/krb5: do not fail set_config_files due to parse error Follow Apple's lead and do not fail krb5_set_config_files() simply because one of the files in the profile list fails to parse correctly. Doing so can lead to hard to find failures and could lead to an end user shooting themselves in the foot and no longer be able to login to their system to fix it. Parse as many of the files as we can. Only fail krb5_set_config_files() if init_context_from_config_file() fails. Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8 Cherry-pick of Heimdal commit b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573 Signed-off-by: Björn Baumbach Reviewed-by: Alexander Bokovoy (cherry picked from commit f05a1554b770c6a2c905170347bfb41157f4aa78) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Jun 25 17:16:50 CEST 2018 on sn-devel-144 commit cdf16fd98fc765072a14fdfadb92a2004798c498 Author: Christof Schmitt Date: Tue Jun 19 15:09:41 2018 -0700 krb5_wrap: fix keep_old_entries logic for older kerberos libraries MIT kerberos 1.13 and older only stores 8 bits of the KVNO. The change from commit 35b2fb4ff32 resulted in breakage for these kerberos versions: 'net ads keytab create' reads a large KVNO from AD, and only the lower 8 bits are stored. The next check then removed the entry again as the 8 bit value did not match the currently valid KVNO. Fix this by limiting the check to only 8 bits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13478 Signed-off-by: Christof Schmitt Reviewed-by: Alexander Bokovoy Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Sat Jun 23 00:57:47 CEST 2018 on sn-devel-144 (cherry picked from commit 97eaeea6a130871cfac5be42459380c0c4e0fae6) --- Summary of changes: lib/krb5_wrap/krb5_samba.c | 2 +- source4/heimdal/lib/krb5/config_file.c | 4 ++-- source4/heimdal/lib/krb5/context.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 7c461e5..0ba8aae 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, } if (!flush && - (kt_entry.vno == kvno) && + ((kt_entry.vno & 0xff) == (kvno & 0xff)) && (kt_entry_enctype != enctype)) { DEBUG(5, (__location__ ": Saving entry with kvno [%d] " diff --git a/source4/heimdal/lib/krb5/config_file.c b/source4/heimdal/lib/krb5/config_file.c index 4ac25ae..f5ddcc9 100644 --- a/source4/heimdal/lib/krb5/config_file.c +++ b/source4/heimdal/lib/krb5/config_file.c @@ -370,11 +370,11 @@ krb5_config_parse_debug (struct fileptr *f, b = NULL; } else if (*p == '}') { *err_message = "unmatched }"; - return EINVAL; /* XXX */ + return KRB5_CONFIG_BADFORMAT; } else if(*p != '\0') { if (s == NULL) { *err_message = "binding before section"; - return EINVAL; + return KRB5_CONFIG_BADFORMAT; } ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message); if (ret) diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c index 23e3879..770f012 100644 --- a/source4/heimdal/lib/krb5/context.c +++ b/source4/heimdal/lib/krb5/context.c @@ -646,7 +646,8 @@ krb5_set_config_files(krb5_context context, char **filenames) krb5_config_binding *tmp = NULL; while(filenames != NULL && *filenames != NULL && **filenames != '\0') { ret = krb5_config_parse_file_multi(context, *filenames, &tmp); - if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) { + if (ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM + && ret != KRB5_CONFIG_BADFORMAT) { krb5_config_file_free(context, tmp); return ret; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 0b95014 VERSION: Bump version up to 4.7.9... via c216a22 VERSION: Disable GIT_SNAPSHOT for the 4.7.8 release. via 8d6bfb4 WHATSNEW: Add release notes for Samba 4.7.8. from ca441a0 python: Fix talloc frame use in make_simple_acl(). https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 0b9501442285fc17eb508d3d7afac1938850363a Author: Karolin Seeger Date: Thu Jun 21 09:58:10 2018 +0200 VERSION: Bump version up to 4.7.9... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit c216a22f793c5b21825afbcfc5b95c1ff051d969 Author: Karolin Seeger Date: Thu Jun 21 09:57:01 2018 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.7.8 release. Signed-off-by: Karolin Seeger commit 8d6bfb41fbce6c958dd45cecaf7a51b6a3b3d395 Author: Karolin Seeger Date: Thu Jun 21 09:56:30 2018 +0200 WHATSNEW: Add release notes for Samba 4.7.8. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 120 ++- 2 files changed, 119 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b54c7f1..b3be468 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 629dba8..54a9398 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,120 @@ = + Release Notes for Samba 4.7.8 + June 21, 2018 + = + + +This is the latest stable release of the Samba 4.7 release series. + + +Changes since 4.7.7: + + +o Jeremy Allison + * BUG 13380: s3: smbd: Generic fix for incorrect reporting of stream dos + attributes on a directory. + * BUG 13412: ceph: VFS: Add asynchronous fsync to ceph module, fake using + synchronous call. + * BUG 13419: s3: libsmbclient: Fix hard-coded connection error return of + ETIMEDOUT. + * BUG 13428: s3: smbd: Fix SMB2-FLUSH against directories. + * BUG 13457: s3: smbd: printing: Re-implement delete-on-close semantics for + print files missing since 3.5.x. + * BUG 13474: python: Fix talloc frame use in make_simple_acl(). + +o Andrew Bartlett + * BUG 13430: winbindd on the AD DC is slow for passdb queries. + * BUG 13454: No Backtrace given by Samba's AD DC by default. + +o Ralph Boehme + * BUG 13332: winbindd doesn't recover loss of netlogon secure channel in + case the peer DC is rebooted. + * BUG 13432: s3:smbd: Fix interaction between chown and SD flags. + +o Günther Deschner + * BUG 13437: s4-heimdal: Fix the format-truncation errors. + +o David Disseldorp + * BUG 13425: vfs_ceph: Add fake async pwrite/pread send/recv hooks. + +o Björn Jacke + * BUG 13395: printing: Return the same error code as Windows does on upload + failures. + +o Volker Lendecke + * BUG 13290: winbind: Improve child selection. + * BUG 13292: winbind: Maintain a binding handle per domain and always go via + wb_domain_request_send(). + * BUG 13332: winbindd doesn't recover loss of netlogon secure channel in + case the peer DC is rebooted. + * BUG 13369: Looking up the user using the UPN results in user name with the + REALM instead of the DOMAIN. + * BUG 13370: rpc_server: Init local_server_* in + make_internal_rpc_pipe_socketpair. + * BUG 13382: smbclient: Fix broken notify. + +o Stefan Metzmacher + * BUG 13273: libads: Fix the build --without-ads. + * BUG 13279: winbindd: Don't split the rid for SID_NAME_DOMAIN sids in + wb_lookupsids. + * BUG 13280: winbindd: initialize type = SID_NAME_UNKNOWN in + wb_lookupsids_single_done(). + * BUG 13289: s4:rpc_server: Fix call_id truncation in + dcesrv_find_fragmented_call(). + * BUG 13290: A disconnecting winbind client can cause a problem in the + winbind parent child communication. + * BUG 13291: tevent: version 0.9.36 + - improve documentation of tevent_queue_add_optimize_empty() +- add tevent_queue_entry_untrigger() + * BUG 13292: winbind: Use one queue for all domain children. + * BUG 13293: Minimize the lifetime of winbindd_cli_state->{pw,gr}ent_state. + * BUG 13294: winbind should avoid using fstrcpy(domain->dcname,...) on a + char *. + * BUG 13295: The winbind parent should find the dc of a foreign domain via + the primary domain. + * BUG 13400: nsswitch: Fix memory l
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via ca441a0 python: Fix talloc frame use in make_simple_acl(). via 03cfdb0 s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x. via 1f1edc0 s4-heimdal: Fix the format-truncation errors. via db362df s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories. via a743be8 s3: smbd: Fix SMB2-FLUSH against directories. from d3c2cc2 smbd: Flush dfree memcache on service reload https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit ca441a0f8ddde4458cb729eaabc6906a45458f1d Author: Jeremy Allison Date: Thu Jun 14 14:08:36 2018 -0700 python: Fix talloc frame use in make_simple_acl(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13474 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher This was fixed differently by commit 539f51f0dfbe4ce317a2978982fd0fc9a7fd6922 in master. Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Jun 19 17:54:45 CEST 2018 on sn-devel-144 commit 03cfdb0d758d9b0697844d4c5053bd2428b16a6d Author: Jeremy Allison Date: Thu May 31 10:35:48 2018 -0700 s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13457 Signed-off-by: Jeremy Allison Reviewed-by: Andreas Schneider Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Jun 1 20:32:03 CEST 2018 on sn-devel-144 (cherry picked from commit 364175b359f018c8641359440fa07b0ea567b045) commit 1f1edc09bfa3384571254f7057703dbc5db069bf Author: Günther Deschner Date: Wed May 30 09:27:49 2018 +0200 s4-heimdal: Fix the format-truncation errors. ../source4/heimdal/lib/com_err/compile_et.c: In function ‘generate_h’: ../source4/heimdal/lib/com_err/compile_et.c:138:33: error: ‘%s’ directive output may be truncated writing up to 127 bytes into a region of size 126 [-Werror=format-truncation=] snprintf(fn, sizeof(fn), "__%s__", hfn); ^~ ~~~ ../source4/heimdal/lib/com_err/compile_et.c:138:5: note: ‘snprintf’ output between 5 and 132 bytes into a destination of size 128 snprintf(fn, sizeof(fn), "__%s__", hfn); ^~~ ../source4/heimdal/lib/com_err/compile_et.c: In function ‘main’: ../source4/heimdal/lib/com_err/compile_et.c:234:35: error: ‘.h’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=] snprintf(hfn, sizeof(hfn), "%s.h", Basename); ^~ ../source4/heimdal/lib/com_err/compile_et.c:234:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128 snprintf(hfn, sizeof(hfn), "%s.h", Basename); ^~~~ ../source4/heimdal/lib/com_err/compile_et.c:235:35: error: ‘.c’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=] snprintf(cfn, sizeof(cfn), "%s.c", Basename); ^~ ../source4/heimdal/lib/com_err/compile_et.c:235:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128 snprintf(cfn, sizeof(cfn), "%s.c", Basename); ^~~~ cc1: some warnings being treated as errors BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437 Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Jun 8 13:23:51 CEST 2018 on sn-devel-144 commit db362df94261512fff0701cf4153441fc8cf0c07 Author: Jeremy Allison Date: Thu May 10 11:30:24 2018 -0700 s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories. Tests against a directory handle on the root of a share, and a directory handle on a sub-directory in a share. Check SEC_DIR_ADD_FILE and SEC_DIR_ADD_SUBDIR separately, either allows flush to succeed. Passes against Windows. Regression test for: BUG: https://bugzilla.samba.org/show_bug.cgi?id=13428 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri May 18 02:38:50 CEST 2018 on sn-devel-144 (cherry picked from commit d42f467a25e75e5487a00378609a24809ddc83ee) commit a743be8440b05d8dd11170777965aac0fd06b062 Author: Jeremy Allison Date: Thu May 10 10:26:52 2018 -0700 s3: smbd: Fix SMB2-FLUSH against directories. Directories opened wit
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d3c2cc2 smbd: Flush dfree memcache on service reload via b310f37 smbd: Cache dfree information based on query path via bf63e6f memcache: Add new cache type for dfree information via 5cbb3c3 selftest: Add test for 'dfree cache' via 9d9d959 selftest: Add dfq_cache share with 'dfree cache time' set from f156d20 lib/util: Call log_stack_trace() in smb_panic_default() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d3c2cc28545b052754a2b77a5df0a7dc86e90766 Author: Christof Schmitt Date: Fri May 18 20:51:58 2018 -0700 smbd: Flush dfree memcache on service reload BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit e30d0c0e0d11f65b2d1886be3c0fe9e32eaf3926) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Jun 7 13:54:43 CEST 2018 on sn-devel-144 commit b310f375726afedbc33f9f9033f7f79772898dc9 Author: Christof Schmitt Date: Wed May 16 13:17:52 2018 -0700 smbd: Cache dfree information based on query path Sub directories in a SMB share can have different free space information (e.g. when a different file system is mounted there). Caching the dfree information per SMB share will return invalid data. Address this by switching to memcache and store the cached data based on the query path. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 8f121747b06ca78cf51801a3931b2ddd1a424c77) commit bf63e6f23721487e1e582154b14ba7b069670d93 Author: Christof Schmitt Date: Wed May 16 13:05:36 2018 -0700 memcache: Add new cache type for dfree information BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit f5d05562679f6aa691b98b4a75952f7dda7ed343) commit 5cbb3c35561b52369335020df7dc4d69bc49fc35 Author: Christof Schmitt Date: Wed May 23 11:25:42 2018 -0700 selftest: Add test for 'dfree cache' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit a55b3d2fcc2f7737a2702bf908dcf1f80969bf21) commit 9d9d95965b425075d2c602cacc896ebd781b6ff8 Author: Christof Schmitt Date: Wed May 23 11:07:54 2018 -0700 selftest: Add dfq_cache share with 'dfree cache time' set BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 7ffcbd5ce1222971cb9879f78765d87cdc4102a8) --- Summary of changes: lib/util/memcache.h | 3 +- selftest/target/Samba3.pm| 6 ++ source3/script/tests/test_dfree_quota.sh | 35 +++ source3/smbd/dfree.c | 104 +-- source3/smbd/proto.h | 1 + source3/smbd/server_reload.c | 1 + 6 files changed, 130 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/memcache.h b/lib/util/memcache.h index b87746b..c6a5b86 100644 --- a/lib/util/memcache.h +++ b/lib/util/memcache.h @@ -44,7 +44,8 @@ enum memcache_number { SINGLETON_CACHE_TALLOC, /* talloc */ SINGLETON_CACHE, SMB1_SEARCH_OFFSET_MAP, - SHARE_MODE_LOCK_CACHE /* talloc */ + SHARE_MODE_LOCK_CACHE, /* talloc */ + DFREE_CACHE, }; /* diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 299d55b..39a8f49 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -2007,6 +2007,12 @@ sub provision($) vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq admin users = $unix_name include = $dfqconffile +[dfq_cache] + path = $shrdir/dfree + vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq + admin users = $unix_name + include = $dfqconffile + dfree cache time = 60 [dfq_owner] path = $shrdir/dfree vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq diff --git a/source3/script/tests/test_dfree_quota.sh b/source3/script/tests/test_dfree_quota.sh index 6e227c4..abd82b4 100755 --- a/source3/script/tests/test_dfree_quota.sh +++ b/source3/script/tests/test_dfree_quota.sh @@ -130,6 +130,35 @@ test_smbclient_dfree() { return $status } +# Issue two queries to different directories in one session to test +# caching effects +test_smbclient_dfree_2() { + name="$1" + share="$2" + dir1="$3" + dir2="$4" + confs="$5" + expected="$
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via f156d20 lib/util: Call log_stack_trace() in smb_panic_default() via 0dc4806 lib/util: Move log_stack_trace() to common code via 67d037c lib/util: Log PANIC before calling pacic action just like s3 via 8f9be61 s3-lib: Remove support for libexc for IRIX backtraces via e322613 s3:utils: Do not segfault on error in DoDNSUpdate() via e8489ae auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server via 7731ad2 s4:selftest: run test_ldb_simple.sh with more auth options via 0edc63e auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option from 603bc01 s3:smbd: fix interaction between chown and SD flags https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit f156d2039653a59d675a962495213e7417f03116 Author: Andrew Bartlett Date: Tue Apr 10 16:37:45 2018 +1200 lib/util: Call log_stack_trace() in smb_panic_default() This matches the AD DC with the behaviour in smbd. Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=13454 Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Apr 11 04:03:07 CEST 2018 on sn-devel-144 (cherry picked from commit 462eb4a44cc51dc17aebbcd5c609c9ff7f088554) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Jun 4 14:20:17 CEST 2018 on sn-devel-144 commit 0dc480678749484819c72533c0e00552627ab262 Author: Andrew Bartlett Date: Tue Apr 10 16:35:07 2018 +1200 lib/util: Move log_stack_trace() to common code Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=13454 (cherry picked from commit bf9551902afdb32310db4a3381964c435dd08bf0) commit 67d037c58f93845640cfff792686d4797cb86a7c Author: Andrew Bartlett Date: Tue Apr 10 16:06:12 2018 +1200 lib/util: Log PANIC before calling pacic action just like s3 This is like the changes made in s3 by 4fa555980070d78b39711ef21d77628d26055bc2 Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=13454 (cherry picked from commit 3acc00b6808d5d5ad035d9d43526204db1608c8a) commit 8f9be615515622738fbc7175a44902679f2187d7 Author: Andrew Bartlett Date: Tue Apr 10 15:54:10 2018 +1200 s3-lib: Remove support for libexc for IRIX backtraces IRIX is long dead, and this code needs become_root() which is not in the top level code. Additionally, the check for libexc never made it into waf, so this has been dead code since Samba 4.1. Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=13454 (cherry picked from commit 85dc9ee14023a8fb84b5c74555d43008bb6bb0c0) commit e322613d518953dfe725a8d6c0c35c8cd73c8dbb Author: Andreas Schneider Date: Thu May 17 11:53:18 2018 +0200 s3:utils: Do not segfault on error in DoDNSUpdate() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13440 Signed-off-by: Andreas Schneider Reviewed-by: Volker Lendecke (cherry picked from commit cdd98aa1e2116fb97e16718d115ee883fe1bc8ba) commit e8489ae8538a06fb224e8af9e45da43fecaef316 Author: Stefan Metzmacher Date: Mon May 7 14:50:27 2018 +0200 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection. This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3. We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client). As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144 (cherry pi
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 603bc01 s3:smbd: fix interaction between chown and SD flags via b99d51f s4:torture/smb2: new test for interaction between chown and SD flags via 6a8939c nsswitch:tests: Add test for wbinfo --user-info via 0c8b0b0 selftest: Add a user with a different userPrincipalName via 67dc018 nsswitch: Lookup the domain in tests with the wb seperator via b3bdf4b nsswitch: Add a test looking up domain sid via 9fbdbe6 nsswitch: Add a test looking up the user using the upn via 0f2e271 winbindd: Name<->SID cache is not sequence number based anymore via a92c5dc winbindd: Move name<->sid cache to gencache via ea49628 winbindd: Factor out winbindd_domain_init_backend from get_cache() via 7626db2 net: Parse namemap_cache in "net cache list" via ccad9a3 lib: Add namemap_cache via afcffa9 lib: Pass blob instead of &blob to gencache_set_data_blob via 18664ed lib: Allow parsing a strv from a non-talloc const buf via 5c5c38b lib: Only call strlen if necessary in strv via 9d402a9 lib: Pass in "strv_len" to strv_valid_entry from 4dc19ac s3: VFS: Fix memory leak in vfs_ceph. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 603bc0160f9cf3322f7958a530c14fb35262251c Author: Ralph Boehme Date: Thu May 10 12:29:35 2018 +0200 s3:smbd: fix interaction between chown and SD flags A change ownership operation that doesn't set the NT ACLs must not touch the SD flags (type). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri May 11 23:30:32 CEST 2018 on sn-devel-144 (cherry picked from commit ced55850034a3653525823bf9623912a4fcf18a0) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu May 24 17:22:35 CEST 2018 on sn-devel-144 commit b99d51f1b88b606f9b162b019ee28c707e1d59a6 Author: Ralph Boehme Date: Thu May 10 12:28:43 2018 +0200 s4:torture/smb2: new test for interaction between chown and SD flags This passes against Windows, but fails against Samba. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 12f6d56c4814fca64e0e3c636018e70d71ad0be5) commit 6a8939ccd46ba02d775760a40b4c8441951eeaaf Author: Andreas Schneider Date: Fri Apr 20 11:20:44 2018 +0200 nsswitch:tests: Add test for wbinfo --user-info BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 2715f52f54e66a73131a92d752a8c2447da1fd33) commit 0c8b0b00ec1675c371d135a53de27aad2ebdc6f9 Author: Andreas Schneider Date: Fri Apr 20 09:38:24 2018 +0200 selftest: Add a user with a different userPrincipalName BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 5319cae00096dcecc29aa9fa675a983352ad64d8) commit 67dc018917b05b46b12b4cdf03fdd515edd539ec Author: Andreas Schneider Date: Mon May 7 13:23:42 2018 +0200 nsswitch: Lookup the domain in tests with the wb seperator Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 4fa811ec7bc301e96f5e40ba281e8d4e8709b94f) commit b3bdf4b6c7af8e702ec26c7dd3d8e6f480b07e50 Author: Andreas Schneider Date: Fri May 4 12:43:05 2018 +0200 nsswitch: Add a test looking up domain sid BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 0aceca6a94e868f9c01a66f79624ca10d80560ab) commit 9fbdbe6fc511ed1179a67c291b8f292b7e798ee3 Author: Andreas Schneider Date: Fri Apr 20 11:24:30 2018 +0200 nsswitch: Add a test looking up the user using the upn BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 0d2f743d826b87b369e25fc6bb9ff61f2b0896aa) commit 0f2e2711e92a433abdc9436ecaf3ba9d773902c8 Author: Volker Lendecke Date: Tue Aug 8 14:24:27 2017 +0200 winbindd: Name<->SID cache is not sequence number based anymore BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369 Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme commit a92c5dc7800a32c4dc58051c111a43b4749d0854 Author: Volker Lendecke Date: Sun Aug 6 18:13:10 2017 +0200 winbindd: Move name<->sid cache to gencache The mapping from name to sid and vice versa has nothing to do with a s
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 4dc19ac s3: VFS: Fix memory leak in vfs_ceph. from 91edd9c winbindd: Do re-connect if the RPC call fails in the passdb case https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 4dc19aced2c2d5b44a4c89e64c0445953911e917 Author: Vandana Rungta Date: Tue May 8 11:27:47 2018 -0700 s3: VFS: Fix memory leak in vfs_ceph. Centralize error handling. https://bugzilla.samba.org/show_bug.cgi?id=13424 Signed-off-by: Vandana Rungta Reviewed-by: Jeremy Allison Reviewed-by: David Disseldorp Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed May 9 04:28:11 CEST 2018 on sn-devel-144 (cherry picked from commit 4e78aeedb8329953df83fc7f2c191b2c97a051d0) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu May 17 18:18:42 CEST 2018 on sn-devel-144 --- Summary of changes: source3/modules/vfs_ceph.c | 21 +++-- 1 file changed, 11 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c index a27b762..9f75283 100644 --- a/source3/modules/vfs_ceph.c +++ b/source3/modules/vfs_ceph.c @@ -1355,30 +1355,31 @@ static struct smb_filename *cephwrap_realpath(struct vfs_handle_struct *handle, TALLOC_CTX *ctx, const struct smb_filename *smb_fname) { - char *result; + char *result = NULL; const char *path = smb_fname->base_name; size_t len = strlen(path); struct smb_filename *result_fname = NULL; + int r = -1; - result = SMB_MALLOC_ARRAY(char, PATH_MAX+1); if (len && (path[0] == '/')) { - int r = asprintf(&result, "%s", path); - if (r < 0) return NULL; + r = asprintf(&result, "%s", path); } else if ((len >= 2) && (path[0] == '.') && (path[1] == '/')) { if (len == 2) { - int r = asprintf(&result, "%s", + r = asprintf(&result, "%s", handle->conn->connectpath); - if (r < 0) return NULL; } else { - int r = asprintf(&result, "%s/%s", + r = asprintf(&result, "%s/%s", handle->conn->connectpath, &path[2]); - if (r < 0) return NULL; } } else { - int r = asprintf(&result, "%s/%s", + r = asprintf(&result, "%s/%s", handle->conn->connectpath, path); - if (r < 0) return NULL; } + + if (r < 0) { + return NULL; + } + DBG_DEBUG("[CEPH] realpath(%p, %s) = %s\n", handle, path, result); result_fname = synthetic_smb_fname(ctx, result, -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 91edd9c winbindd: Do re-connect if the RPC call fails in the passdb case via 6a41a0d winbindd: Add a cache of the samr and lsa handles for the passdb domain via 139743e vfs_ceph: add fake async pwrite/pread send/recv hooks from bf466d2 s3: libsmbclient: Fix hard-coded connection error return of ETIMEDOUT. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 91edd9c30f2545519844e3413e43626b3ca0c321 Author: Andrew Bartlett Date: Wed Mar 21 20:44:31 2018 +1300 winbindd: Do re-connect if the RPC call fails in the passdb case This is very, very unlikely but possible as in the AD case the RPC server is in another process that may eventually be able to restart. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13430 Signed-off-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit fc9150dcab231fe9beb72e198b0c2742d5f2505f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon May 14 14:58:22 CEST 2018 on sn-devel-144 commit 6a41a0dcbec9644f2661c919c669144c67bf9394 Author: Andrew Bartlett Date: Wed Mar 21 20:43:10 2018 +1300 winbindd: Add a cache of the samr and lsa handles for the passdb domain This domain is very close, in AD DC configurations over a internal ncacn_np pipe and otherwise in the same process via C linking. It is however very expensive to re-create the binding handle per SID->name lookup, so keep a cache. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13430 Signed-off-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit d418d0ca33afb41a793a2fff19ca68871aa5e9ef) commit 139743ec1ed9078be0891e416c536305b6dd1b33 Author: David Disseldorp Date: Wed May 9 16:51:34 2018 +0200 vfs_ceph: add fake async pwrite/pread send/recv hooks As found by Jeremy, VFS modules that don't provide pread_send() or pwrite_send() hooks result in vfs_default fallback, which is catastrophic for VFS modules with non-mounted filesystems such as vfs_ceph. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13425 Reported-by: Jeremy Allison Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison (cherry picked from commit f0e6453b0420fe9d062936d4ddc05f44b40cf2ba) --- Summary of changes: source3/modules/vfs_ceph.c | 109 ++- source3/winbindd/winbindd_samr.c | 395 --- 2 files changed, 395 insertions(+), 109 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c index 87d3c00..a27b762 100644 --- a/source3/modules/vfs_ceph.c +++ b/source3/modules/vfs_ceph.c @@ -482,6 +482,57 @@ static ssize_t cephwrap_pread(struct vfs_handle_struct *handle, files_struct *fs WRAP_RETURN(result); } +struct cephwrap_pread_state { + ssize_t bytes_read; + struct vfs_aio_state vfs_aio_state; +}; + +/* + * Fake up an async ceph read by calling the synchronous API. + */ +static struct tevent_req *cephwrap_pread_send(struct vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct files_struct *fsp, + void *data, + size_t n, off_t offset) +{ + struct tevent_req *req = NULL; + struct cephwrap_pread_state *state = NULL; + int ret = -1; + + DBG_DEBUG("[CEPH] %s\n", __func__); + req = tevent_req_create(mem_ctx, &state, struct cephwrap_pread_state); + if (req == NULL) { + return NULL; + } + + ret = ceph_read(handle->data, fsp->fh->fd, data, n, offset); + if (ret < 0) { + /* ceph returns -errno on error. */ + tevent_req_error(req, -ret); + return tevent_req_post(req, ev); + } + + state->bytes_read = ret; + tevent_req_done(req); + /* Return and schedule the completion of the call. */ + return tevent_req_post(req, ev); +} + +static ssize_t cephwrap_pread_recv(struct tevent_req *req, + struct vfs_aio_state *vfs_aio_state) +{ + struct cephwrap_pread_state *state = + tevent_req_data(req, struct cephwrap_pread_state); + + DBG_DEBUG("[CEPH] %s\n", __func__); + if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { + return -1; + } + *vfs_aio_state = state->vfs_aio_state; + return state->bytes_read; +} static ssize_t cephwrap_write(struct vfs_handle_struct *handle, files_struct *fsp, const
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via bf466d2 s3: libsmbclient: Fix hard-coded connection error return of ETIMEDOUT. via 989c684 ceph: VFS: Add asynchronous fsync to ceph module, fake using synchronous call. via 314f0e1 rpc_server: Fix NetSessEnum with stale sessions via 0797e58 selftest: Add testcase for querying sessions after smbd crash via cfbcd62 rpcclient: Print number of entries for NetSessEnum via 1f5faf4 printing: return the same error code as windows does on upload failures via 6db05c0 s3: tests: Regression test to ensure we can never return a DIRECTORY attribute on a stream. via 8607fea s3: smbd. Generic fix for incorrect reporting of stream dos attributes on a directory via db8296b s3: vfs: vfs_streams_xattr: Don't blindly re-use the base file mode bits. via d4940e6 winbindd: add retry to _winbind_SendToSam via 4319c43 winbindd: add retry to _winbind_DsrUpdateReadOnlyServerDnsRecords via 1e6275a winbindd: add retry to _wbint_DsGetDcName via b7c598d winbindd: add retry to _wbint_LookupSids() via b0a14aec winbindd: use reset_cm_connection_on_error() instead of dcerpc_binding_handle_is_connected() via 1b7c16a winbindd: fix logic calling dcerpc_binding_handle_is_connected() via 76a4df1 winbindd: call dcerpc_binding_handle_is_connected() from reset_cm_connection_on_error() via 30dd8bc winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error() via 5fde0c6 winbindd: call reset_cm_connection_on_error() from reconnect_need_retry() via 3ef2377 winbindd: make reset_cm_connection_on_error() public via 406a8f3 winbindd: check for NT_STATUS_IO_DEVICE_ERROR in reset_cm_connection_on_error() via 4f793f6 winbindd: add and use ldap_reconnect_need_retry() in winbindd_reconnect_ads.c via bc655b6 winbind: Keep "force_reauth" in invalidate_cm_connection via 8da9fb5 winbind: Add smbcontrol disconnect-dc via 91fd11d utils: Add destroy_netlogon_creds_cli from d6ac540 nsswitch: fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit bf466d26a9d48e19caa887c3c15781739c2d120d Author: Jeremy Allison Date: Wed May 2 11:19:31 2018 -0700 s3: libsmbclient: Fix hard-coded connection error return of ETIMEDOUT. We shouldn't hard-code the connection error as ETIMEDOUT when we have a perfectly good NT_STATUS to map from. Found by the ChromeOS guys trying to connect an SMB2-only client to an SMB1-only supporting server. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13419 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu May 3 02:42:20 CEST 2018 on sn-devel-144 (cherry picked from commit 795ec751ac5f6e58966385bec25063c4af4f185d) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon May 7 14:19:42 CEST 2018 on sn-devel-144 commit 989c68483baa5925271c020dd9173726ad443ded Author: Jeremy Allison Date: Fri Apr 27 14:25:54 2018 -0700 ceph: VFS: Add asynchronous fsync to ceph module, fake using synchronous call. This will allow me to ultimately simplify the VFS by removing the synchronous fsync VFS call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13412 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Apr 30 21:48:55 CEST 2018 on sn-devel-144 (cherry picked from commit aefe444d17a2eee3c0ff38bd34cf9e3f012ecf51) commit 314f0e1ebe8e565e1df7f992b22aa359278e8bd5 Author: Christof Schmitt Date: Tue Apr 24 13:53:41 2018 -0700 rpc_server: Fix NetSessEnum with stale sessions BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Apr 25 22:49:07 CEST 2018 on sn-devel-144 (cherry picked from commit a6fade4e10760284ef56abf45d3fa70038091cbe) commit 0797e58833d7b4880df7e3ff9d76802952278175 Author: Christof Schmitt Date: Tue Apr 24 13:52:59 2018 -0700 selftest: Add testcase for querying sessions after smbd crash BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit e04846c7df8e3eec1f3dbb2fc5eaf47ceb1c44d2) commit cfbcd62a54b07a7fc7932eef3526dd33f8aa5a15 Author: Christof Schmitt Date: Tue Apr 24 12:18:49 2018 -0700 rpcclient: Print number of entries for NetSessEnum BUG: https://bugzilla.samba.org/
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d6ac540 nsswitch: fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable. from 825aea7 s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d6ac5408f7c4d2fc0bb648a302bc012b725bec41 Author: Stefan Metzmacher Date: Tue Apr 24 10:59:05 2018 +0200 nsswitch: fix memory leak in winbind_open_pipe_sock() when the privileged pipe is not accessable. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13400 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke (cherry picked from commit ffe970007bf934955f72ec2d73bf8f94a2b796eb) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Wed May 2 15:36:48 CEST 2018 on sn-devel-144 --- Summary of changes: nsswitch/wb_common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c index 262181a..336092b 100644 --- a/nsswitch/wb_common.c +++ b/nsswitch/wb_common.c @@ -420,14 +420,14 @@ static int winbind_open_pipe_sock(struct winbindd_context *ctx, ctx->winbindd_fd = fd; ctx->is_privileged = 1; } + + SAFE_FREE(response.extra_data.data); } if ((need_priv != 0) && (ctx->is_privileged == 0)) { return -1; } - SAFE_FREE(response.extra_data.data); - return ctx->winbindd_fd; #else return -1; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 825aea7 s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call() via bdfdf93 tests:dcerpc/raw_protocol: reproduce call_id truncation bug via 7a636de winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done() via d1869c6 winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids from 38af417 s3:passdb: Do not return OK if we don't have pinfo set up https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 825aea77e5cb4d600933b6493633c8ed0515f783 Author: Stefan Metzmacher Date: Wed Feb 21 00:49:55 2018 +0100 s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Feb 21 19:02:56 CET 2018 on sn-devel-144 (cherry picked from commit 5d113f80944f2e1d2a7e80f73aea7a4cfdfbd140) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Apr 25 13:15:10 CEST 2018 on sn-devel-144 commit bdfdf93f0ca2bc847d640733bbaa71efb0d8e262 Author: Stefan Metzmacher Date: Wed Feb 21 00:50:26 2018 +0100 tests:dcerpc/raw_protocol: reproduce call_id truncation bug We need to make sure the server handles call_id values > UINT16_MAX. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 65e8edb382fbc7450919aad8b42cfcae9e779d11) commit 7a636de5fabdf1f46fe9f7178114540b48e00b39 Author: Stefan Metzmacher Date: Tue Jan 23 23:52:59 2018 +0100 winbindd: initialize type = SID_NAME_UNKNOWN in wb_lookupsids_single_done() We check for !NT_STATUS_LOOKUP_ERR(), but wb_lookupsid_recv() only initializes the results together with NT_STATUS_OK. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13280 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit b5ffa0e21f74fa0c452df38cf50e542eb278562d) commit d1869c670fb2d9ccca0c2ad17c5901d42449d54e Author: Stefan Metzmacher Date: Tue Jan 23 14:34:45 2018 +0100 winbindd: don't split the rid for SID_NAME_DOMAIN sids in wb_lookupsids Bug: https://bugzilla.samba.org/show_bug.cgi?id=13279 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 17c48f26dea5701feed1c24769348f332695391c) --- Summary of changes: python/samba/tests/dcerpc/raw_protocol.py | 2 +- source3/winbindd/wb_lookupsids.c | 6 -- source4/rpc_server/dcerpc_server.c| 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/dcerpc/raw_protocol.py b/python/samba/tests/dcerpc/raw_protocol.py index 587df54..ff815e9 100755 --- a/python/samba/tests/dcerpc/raw_protocol.py +++ b/python/samba/tests/dcerpc/raw_protocol.py @@ -1974,7 +1974,7 @@ class TestDCERPC_BIND(RawDCERPCTest): # And now try a request without auth_info # netr_ServerReqChallenge() -req = self.generate_request(call_id = 2, +req = self.generate_request(call_id = 0x21234, pfc_flags=pfc_flags, context_id=ctx.context_id, opnum=4, diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c index f2b2768..bd90c43 100644 --- a/source3/winbindd/wb_lookupsids.c +++ b/source3/winbindd/wb_lookupsids.c @@ -513,7 +513,7 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq) req, struct wb_lookupsids_state); const char *domain_name = NULL; const char *name = NULL; - enum lsa_SidType type; + enum lsa_SidType type = SID_NAME_UNKNOWN; uint32_t res_sid_index; uint32_t src_rid; @@ -545,7 +545,9 @@ static void wb_lookupsids_single_done(struct tevent_req *subreq) */ sid_copy(&src_domain_sid, &state->sids[res_sid_index]); - sid_split_rid(&src_domain_sid, &src_rid); + if (type != SID_NAME_DOMAIN) { + sid_split_rid(&src_domain_sid, &src_rid); + } src_domain.name.string = domain_name; src_domain.sid = &src_domain_sid; diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index 6a985c5..262eb70 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -239,7 +239,7 @@ const struct dcesrv_interface *find_interface_by_uuid(const struct dcesrv_endpoi
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 38af417 s3:passdb: Do not return OK if we don't have pinfo set up via 7a58eb8 lib/util: remove unused '#include ' from tests/tfork.c via 5d00889 winbind: Use one queue for all domain children via 470aa11 winbind: Maintain a binding handle per domain and always go via wb_domain_request_send() via fe8982b winbind: make choose_domain_child() static via 8a544c7 winbind: add locator_child_handle() and use it instead of child->binding_handle via 136c16e winbind: add idmap_child_handle() and use it instead of child->binding_handle via 128789f winbind: improve wb_domain_request_send() to use wb_dsgetdcname_send() for a foreign domain via 5bbe243 winbind: use state->{ev,request} in wb_domain_request_send() via ed83d30 winbind: avoid using fstrcpy(dcname,...) in _dual_init_connection via bd14266 winbind: cleanup winbindd_cli_state->pwent_state if winbindd_getpwent_recv() returns an error via e404058 winbind: cleanup winbindd_cli_state->grent_state if winbindd_getgrent_recv() returns an error via 2594449 winbind: call lp_winbind_enum_{users,groups}() already in set{pw,gr}ent() via 06c5e07 winbind: protect a pending wb_child_request against a talloc_free() via dbb72ad winbind: use tevent_queue_wait_send/recv in wb_child_request_*() via 28680d7 winbind: Improve child selection via e19b0731 smbclient: Handle ENUM_DIR in "notify" command via 0c5e24d libsmb: Handle IO_TIMEOUT in cli_smb2_notify properly via b28593e libsmb: Handle long-running smb2cli_notify via 3c3746f libsmb: Enable "cli_notify" for SMB2+ via 41666d5 libsmb: Add cli_smb2_notify via 898297b libsmb: Add smb2cli_notify() via 8b47aed rpc_server: Init local_server_* in make_internal_rpc_pipe_socketpair via 80b822b tevent: version 0.9.36 via c2a tevent: add tevent_queue_entry_untrigger() via 55b8d61 tevent: improve documentation of tevent_queue_add_optimize_empty() via a588c39 tevent: version 0.9.35 via 5457c2f lib/async_req/async_sock.c set socket close on exec via b344866 lib/tevent/echo_server.c set socket close on exec via 7206dfd tevent: Fix typos via 772ca21 lib: tevent: Minor cleanup. wakeup_fd can always be gotten from the event context. via bc24206 lib: tevent: Use system , not internal header path (except in self-test). via 383f130 libads: Fix the build --without-ads from 2366b51 VERISON: Bump version up to 4.7.8... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 38af417f34bee9d60417affb8ece81bc2c172b92 Author: Andreas Schneider Date: Tue Apr 17 08:55:23 2018 +0200 s3:passdb: Do not return OK if we don't have pinfo set up This prevents a crash in fill_mem_keytab_from_secrets() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13376 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 99859479fc6e12b2f74ce2dfa83da56d8b8f3d26) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Apr 20 16:43:11 CEST 2018 on sn-devel-144 commit 7a58eb8aac648f4fb34c9f09cad0b8633469d14c Author: Stefan Metzmacher Date: Tue Mar 20 16:49:30 2018 +0100 lib/util: remove unused '#include ' from tests/tfork.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=13342 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit f2ff61ce9e8ab56d8a69fce29c9f214d5d98f89e) commit 5d008894dca367f4683f3455edea1f3f778c4aed Author: Stefan Metzmacher Date: Wed Feb 14 15:04:01 2018 +0100 winbind: Use one queue for all domain children If we have multiple domain children, it's important that the first idle child takes over the next waiting request. Before we had the problem that a request could get stuck in the queue of a busy child, while later requests could get served fine by other children. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Feb 23 09:04:23 CET 2018 on sn-devel-144 (similar to commit 7f2d45a6c2a88dd8833fc66d314ec21507dd52c3) commit 470aa11c339a1e5283245750bac831075910f0c4 Author: Volker Lendecke Date: Tue Feb 13 16:04:44 2018 +0100 winbind: Maintain a binding handle per domain and always go via wb_domain_request_send() Pair-Programmed-With: Stefan Metzmacher BUG: https://bugzilla.samba.org/show_bug.cgi?id=13292 Signed-off-by: Stefan Metzmacher Signed-off-by: Volker Lendecke (similar to commit b518cb0597d26900210564430
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 2366b51 VERISON: Bump version up to 4.7.8... via 41f51e0 WHATSNEW: Fix release date. via c2df74d Revert "VERISON: Bump version up to 4.7.8..." from a79aad4 VERISON: Bump version up to 4.7.8... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 2366b510ba25d8a40c970997164a5761d591c24b Author: Karolin Seeger Date: Wed Apr 11 11:16:34 2018 +0200 VERISON: Bump version up to 4.7.8... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 41f51e0180615494bc61ec643ba4e921208cc369 Author: Karolin Seeger Date: Tue Apr 17 09:02:57 2018 +0200 WHATSNEW: Fix release date. Signed-off-by: Karolin Seeger commit c2df74dbdfa7482235bbcad716d073aabaca0976 Author: Karolin Seeger Date: Tue Apr 17 09:05:38 2018 +0200 Revert "VERISON: Bump version up to 4.7.8..." This reverts commit a79aad47de6606d6b211d33c6c22217f3c14bd97. --- Summary of changes: WHATSNEW.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 3eea285..629dba8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,6 +1,6 @@ = Release Notes for Samba 4.7.7 - April 12, 2018 + April 17, 2018 = -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via a79aad4 VERISON: Bump version up to 4.7.8... via 19a46b0 WHATSNEW: Add release notes for Samba 4.7.7. from 5a2066f torture: Test compound request request counters https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit a79aad47de6606d6b211d33c6c22217f3c14bd97 Author: Karolin Seeger Date: Wed Apr 11 11:16:34 2018 +0200 VERISON: Bump version up to 4.7.8... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 19a46b0f221e9ae43425ec9d9b9bab4284538d73 Author: Karolin Seeger Date: Wed Apr 11 11:02:52 2018 +0200 WHATSNEW: Add release notes for Samba 4.7.7. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 4 +-- WHATSNEW.txt | 109 +-- 2 files changed, 109 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f9f4813..b54c7f1 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 # If a official release has a serious bug # @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 021f2e7..3eea285 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,109 @@ = + Release Notes for Samba 4.7.7 + April 12, 2018 + = + + +This is the latest stable release of the Samba 4.7 release series. + + +Changes since 4.7.6: + + +o Jeremy Allison + * BUG 13206: s4:auth_sam: Allow logons with an empty domain name. + * BUG 13244: s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on + error, we don't own it here. + * BUG 13270: s3: smbd: Fix possible directory fd leak if the underlying + OS doesn't support fdopendir(). + * BUG 13319: Round-tripping ACL get/set through vfs_fruit will increase + the number of ACE entries without limit. + * BUG 13347: s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically + debug credit issues. + * BUG 13358: s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE + without delete access. + * BUG 13372: s3: smbd: Fix memory leak in vfswrap_getwd(). + * BUG 13375: s3: smbd: Unix extensions attempts to change wrong field + in fchown call. + +o Ralph Boehme + * BUG 13363: s3:smbd: Don't use the directory cache for SMB2/3. + +o Günther Deschner + * BUG 13277: build: Fix libceph-common detection. + +o David Disseldorp + * BUG 13250: build: Fix ceph_statx check when configured with libcephfs_dir. + +o Poornima G + * BUG 13297: vfs_glusterfs: Fix the wrong pointer being sent in + glfs_fsync_async. + +o Amitay Isaacs + * BUG 13359: ctdb-scripts: Drop 'net serverid wipe' from 50.samba event + script. + +o Lutz Justen + * BUG 13368: s3: lib: messages: Don't use the result of sec_init() before + calling sec_init(). + +o Volker Lendecke + * BUG 13215: smbd can panic if the client-supplied channel sequence number + wraps. + * BUG 13367: dsdb: Fix CID 1034966 Uninitialized scalar variable. + +o Stefan Metzmacher + * BUG 13206: s3:libsmb: Allow -U"\\administrator" to work. + * BUG 13328: Windows 10 cannot logon on Samba NT4 domain. + +o David Mulder + * BUG 13050: smbc_opendir should not return EEXIST with invalid login + credentials. + +o Anton Nefedov + * BUG 13338: s3:smbd: map nterror on smb2_flush errorpath. + +o Dan Robertson + * BUG 13310: libsmb: Use smb2 tcon if conn_protocol >= SMB2_02. + +o Garming Sam + * BUG 13031: subnet: Avoid a segfault when renaming subnet objects. + +o Christof Schmitt + * BUG 13312: 'wbinfo --name-to-sid' returns misleading result on invalid + query. + +o Andreas Schneider + * BUG 13315: s3:smbd: Do not crash if we fail to init the session table. + +o Eric Vannier + * BUG 13302: Allow AESNI to be used on all processor supporting AESNI. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel o
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 5a2066f torture: Test compound request request counters via bb15458 s3:smb2_server: correctly maintain request counters for compound requests from 686b2ba winbindd: Do not ignore domain in the LOOKUPNAME request https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 5a2066f5ca52d8f1421139f27112183952070a05 Author: Volker Lendecke Date: Wed Apr 11 15:11:10 2018 +0200 torture: Test compound request request counters This will send an unfixed smbd into the SMB_ASSERT(op->request_count > 0); in smbd_smb2_request_reply_update_counts BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Apr 12 14:38:39 CEST 2018 on sn-devel-144 (cherry picked from commit 40edd1bc273f664d5567ef5be169033899acee1f) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Fri Apr 13 22:48:05 CEST 2018 on sn-devel-144 commit bb15458485e48ce173e54186f1b54aef2e852544 Author: Stefan Metzmacher Date: Wed Apr 11 12:14:59 2018 +0200 s3:smb2_server: correctly maintain request counters for compound requests If a session expires during a compound request chain, we exit smbd_smb2_request_dispatch() with 'return smbd_smb2_request_error(req, ...)' before calling smbd_smb2_request_dispatch_update_counts(). As req->request_counters_updated was only reset within smbd_smb2_request_dispatch_update_counts(), smbd_smb2_request_reply_update_counts() was called twice on the same request, which triggers SMB_ASSERT(op->request_count > 0); BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke (cherry picked from commit 87e25cd1e45bfe57292b62ffc44ddafc01c61ca0) --- Summary of changes: source3/smbd/smb2_server.c | 6 +++- source4/torture/smb2/compound.c | 77 + 2 files changed, 82 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index ee03a8e..177e5ff 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2180,7 +2180,7 @@ static NTSTATUS smbd_smb2_request_dispatch_update_counts( bool update_open = false; NTSTATUS status = NT_STATUS_OK; - req->request_counters_updated = false; + SMB_ASSERT(!req->request_counters_updated); if (xconn->protocol < PROTOCOL_SMB2_22) { return NT_STATUS_OK; @@ -2315,6 +2315,8 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) DO_PROFILE_INC(request); + SMB_ASSERT(!req->request_counters_updated); + /* TODO: verify more things */ flags = IVAL(inhdr, SMB2_HDR_FLAGS); @@ -2755,6 +2757,8 @@ static void smbd_smb2_request_reply_update_counts(struct smbd_smb2_request *req) return; } + req->request_counters_updated = false; + if (xconn->protocol < PROTOCOL_SMB2_22) { return; } diff --git a/source4/torture/smb2/compound.c b/source4/torture/smb2/compound.c index c592308..d2d4d7e 100644 --- a/source4/torture/smb2/compound.c +++ b/source4/torture/smb2/compound.c @@ -1030,6 +1030,81 @@ done: return ret; } +static bool test_compound_invalid4(struct torture_context *tctx, + struct smb2_tree *tree) +{ + struct smb2_create cr; + struct smb2_read rd; + NTSTATUS status; + const char *fname = "compound_invalid4.dat"; + struct smb2_close cl; + bool ret = true; + bool ok; + struct smb2_request *req[2]; + + smb2_transport_credits_ask_num(tree->session->transport, 2); + + smb2_util_unlink(tree, fname); + + ZERO_STRUCT(cr); + cr.in.security_flags = 0x00; + cr.in.oplock_level= 0; + cr.in.impersonation_level = NTCREATEX_IMPERSONATION_IMPERSONATION; + cr.in.create_flags= 0x; + cr.in.reserved= 0x; + cr.in.desired_access = SEC_RIGHTS_FILE_ALL; + cr.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + cr.in.share_access= NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE | + NTCREATEX_SHARE_ACCESS_DELETE; + cr.in.create_disposition = NTCREATEX_DISP_OPEN_IF; + cr.in.create_options = NTCREATEX_OPTIONS_SEQUENTIAL_ONLY | + NTCREATEX_OPTIONS_ASYNC_ALERT | + NTCREATEX_OPTION
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 686b2ba winbindd: Do not ignore domain in the LOOKUPNAME request via 81c3e2d Add test for wbinfo name lookup via ccbdb3c nsswitch: Fix wbcListGroups test via af5d75d nsswitch: Fix wbcListUsers test via 705b1fa test_smbclient_s3.sh: Use correct separator in "list with backup privilege" test from d7f84b6 s3: smbd: Unix extensions attempts to change wrong field in fchown call. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 686b2ba3641f6c0367dd8531cab5feda51837416 Author: Christof Schmitt Date: Wed Feb 28 12:05:34 2018 -0700 winbindd: Do not ignore domain in the LOOKUPNAME request A LOOKUPNAME request with a domain and a name containing a winbind separator character would return the result for the joined domain, instead of the specified domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144 (cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Apr 11 13:53:02 CEST 2018 on sn-devel-144 commit 81c3e2dbc830563d3721005974bdbc46b595f7d5 Author: Christof Schmitt Date: Wed Feb 28 13:10:43 2018 -0700 Add test for wbinfo name lookup This demonstrates that wbinfo -n / --name-to-sid returns information instead of failing the request. More specifically the query for INVALIDDOMAIN//user returns the user SID for the joined domain, instead of failing the request. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 552a00ec1f6795b9025298931a6cc50ebe552052) commit ccbdb3c0741feaea1645f8777251b62f40e9a4e3 Author: Christof Schmitt Date: Fri Mar 30 14:35:03 2018 -0700 nsswitch: Fix wbcListGroups test With an AD DC, wbcListGroups returns the users in the DOMAIN SEPARATOR GROUPNAME format. The test then calls wbcLookupName with the domain name and the previous string (including domain and separator) as username. Fix this by passing the correct username and adding some additional checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit f4db4e86c341a89357082e81e30c302440647530) commit af5d75d009eac8f24c44c407dbe4efebceaff695 Author: Christof Schmitt Date: Fri Mar 30 14:28:46 2018 -0700 nsswitch: Fix wbcListUsers test With an AD DC, wbcListUsers returns the users in the DOMAIN SEPARATOR USERNAME format. The test then calls wbcLookupName with the domain name and the previous string (including domain and separator) as username. Fix this by passing the correct username and adding some additional checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 3c146be404affc894c0c702bbfbfcc4fb9ed902b) commit 705b1fa689829b0234209d245b950e3927439c15 Author: Christof Schmitt Date: Fri Mar 16 13:52:14 2018 -0700 test_smbclient_s3.sh: Use correct separator in "list with backup privilege" test Samba selftest uses the forward slash as winbind separator and in the USERNAME passed to the test. "net sam rights" expect the backslash. Map the separator used in selftest to a backslash to avoid creating an incorrect username DOMAIN\DOMAIN/USERNAME. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 6f07afad07d9c670a00d9d314a8134efdda5e424) --- Summary of changes: nsswitch/libwbclient/tests/wbclient.c | 66 ++- nsswitch/tests/test_wbinfo_name_lookup.sh | 40 +++ source3/script/tests/test_smbclient_s3.sh | 10 +++-- source3/selftest/tests.py | 4 ++ source3/winbindd/winbindd_lookupname.c| 33 ++-- 5 files changed, 136 insertions(+), 17 deletions(-) create mode 100755 nsswitch/tests/test_wbinfo_name_lookup.sh Changeset truncated at 500 lines: diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c index e80afc4..d107942 100644 --- a/nsswitch/libwbclient/tests/wbclient.c +++ b/nsswitch/libwbclient/tests/wbclient.c @@ -296,6 +296,7 @@ static bool test_wbc_users(struct torture_context *tctx) char *name = NULL; char *sid_stri
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d7f84b6 s3: smbd: Unix extensions attempts to change wrong field in fchown call. from 00428e8 s3: smbd: Fix memory leak in vfswrap_getwd() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d7f84b64897192c252b992db0d9b5f06845d53c5 Author: Jeremy Allison Date: Mon Apr 9 09:32:23 2018 -0700 s3: smbd: Unix extensions attempts to change wrong field in fchown call. Cut and paste error. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13375 Reported-by: Rungta, Vandana Signed-off-by: Jeremy Allison Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Tue Apr 10 00:45:56 CEST 2018 on sn-devel-144 (cherry picked from commit 3227b110d065500ed84fc70063da70ab35823a2e) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Apr 11 02:26:18 CEST 2018 on sn-devel-144 --- Summary of changes: source3/smbd/trans2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index de6073a..d028dd0 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -7783,10 +7783,10 @@ static NTSTATUS smb_set_file_unix_basic(connection_struct *conn, DEBUG(10,("smb_set_file_unix_basic: SMB_SET_FILE_UNIX_BASIC " "changing group %u for file %s\n", - (unsigned int)set_owner, + (unsigned int)set_grp, smb_fname_str_dbg(smb_fname))); if (fsp && fsp->fh->fd != -1) { - ret = SMB_VFS_FCHOWN(fsp, set_owner, (gid_t)-1); + ret = SMB_VFS_FCHOWN(fsp, (uid_t)-1, set_grp); } else { /* * UNIX extensions calls must always operate -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 00428e8 s3: smbd: Fix memory leak in vfswrap_getwd() via d217375 s3: lib: messages: Don't use the result of sec_init() before calling sec_init(). via c62c1c9 dsdb: Fix CID 1034966 Uninitialized scalar variable via 119c28b s3:smbd: don't use the directory cache for SMB2/3 via 4de5e3b ctdb-scripts: Drop "net serverid wipe" from 50.samba event script from 8ac2ffa s4: torture: Test all combinations of directory open with existing directory to ensure behavior is the same. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 00428e8b36ee25110922989ec5507f875aba8797 Author: Jeremy Allison Date: Fri Apr 6 13:52:52 2018 -0700 s3: smbd: Fix memory leak in vfswrap_getwd() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13372 Signed-off-by: Andrew Walker . Reviewed-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Mon Apr 9 21:48:12 CEST 2018 on sn-devel-144 (cherry picked from commit 461a1172ff819692aa0a2dc5ce7fc5379c8a529e) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Apr 10 14:09:46 CEST 2018 on sn-devel-144 commit d217375a87d49d65aeff9957d50046722b40e734 Author: Lutz Justen Date: Wed Apr 4 09:50:12 2018 -0700 s3: lib: messages: Don't use the result of sec_init() before calling sec_init(). Commit ad8c7171ba86e8a47d78b0c7329bb814e5a8871e accidently moved sec_init() to the point after sec_initial_uid() is called in the call to directory_create_or_exist_strict(). I missed this in the review (sorry). This works as root as initial_uid/initial_gid are static (and so initialized as zero) but doesn't work on ChromeOS as this code isn't running as root. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13368 Signed-off-by: Lutz Justen Reviewed-by: Jeremy Allison Reviewed-by: Andreas Schneider Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Apr 4 23:52:02 CEST 2018 on sn-devel-144 (cherry picked from commit e895b6cf4a7eb3d50d618a022be74db85975bf69) commit c62c1c93f5712e7c3590eb9b9df9573300bd229a Author: Volker Lendecke Date: Wed Mar 28 15:43:53 2018 -0500 dsdb: Fix CID 1034966 Uninitialized scalar variable "continue" in a do-while loop jumps to the "while"-check, so "id_exists" needs to be initialized by that point. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13367 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit 925d1f23291c4bdbc832977b2b4577964b8301c8) commit 119c28bba77f258f3d2912b9524884b369200b2d Author: Ralph Boehme Date: Thu Mar 29 20:06:47 2018 +0200 s3:smbd: don't use the directory cache for SMB2/3 Bug: https://bugzilla.samba.org/show_bug.cgi?id=13363 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Mar 30 03:51:48 CEST 2018 on sn-devel-144 (cherry picked from commit 66052fdccd28922cf1caa2bc750e39051a6414cf) commit 4de5e3bb09a62eae2e2f8f27d84251a5695ecf92 Author: Amitay Isaacs Date: Thu Mar 29 10:45:19 2018 +1100 ctdb-scripts: Drop "net serverid wipe" from 50.samba event script BUG: https://bugzilla.samba.org/show_bug.cgi?id=13359 There is no serverid database anymore. Signed-off-by: Amitay Isaacs Reviewed-by: Volker Lendecke Reviewed-by: Martin Schwenke Autobuild-User(master): Martin Schwenke Autobuild-Date(master): Sat Mar 31 08:34:00 CEST 2018 on sn-devel-144 (cherry picked from commit 6b75d2c650aa9ee632122fa87ea8a2a98f1fa613) --- Summary of changes: ctdb/config/events.d/50.samba | 2 -- .../smbdotconf/misc/directorynamecachesize.xml | 5 ++-- source3/lib/messages.c | 9 -- source3/modules/vfs_default.c | 9 -- source3/smbd/dir.c | 32 -- source4/dsdb/samdb/ldb_modules/samldb.c| 1 + 6 files changed, 46 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/config/events.d/50.samba b/ctdb/config/events.d/50.samba index 4c32e4e..f0d8e84 100755 --- a/ctdb/config/events.d/50.samba +++ b/ctdb/config/events.d/50.samba @@ -53,8 +53,6 @@ service_start () # start Samba service. Start it reniced, as under very heavy load # the number of smbd processes will mean that it leaves few cycles # for anything else -net serverid wipe - if [ -n "$CTDB_SERVICE_NMB" ] ; then nice_service
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 8ac2ffa s4: torture: Test all combinations of directory open with existing directory to ensure behavior is the same. via 2500fe7 s4: torture: Test all combinations of directory create to ensure behavior is the same. via ada7126 s4: torture: Test all combinations of file open with existing file to ensure behavior is the same. via 1d8c67f s4: torture: Test all combinations of file create to ensure behavior is the same. via 052ca44 s4: torture: Ensure a failed file create doesn't create the file. via bd2c850 s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access. via 9f2bae3 Allow AESNI to be used on all processor supporting AESNI, not just Intel's This improves performance/reduced CPU usage. Tests performed: - Ran on Ivy Bridge and Ryzen and verified that AESNI is detected (crypto tests) - Ran on Ryzen, and observed 50% increased speed. via b44b079 smbc_opendir should not return EEXIST with invalid login credentials from 214291f s3: docs: Add documentation for "smb2" and "smb2_credits" debug classes. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 8ac2ffaa0060cff4df92e1c90ff4b648a301d74d Author: Jeremy Allison Date: Wed Mar 28 13:19:12 2018 -0700 s4: torture: Test all combinations of directory open with existing directory to ensure behavior is the same. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Mar 29 23:13:42 CEST 2018 on sn-devel-144 (cherry picked from commit c98cd0f25edaae7558f18fd331e2fef3aabb61f2) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Apr 4 16:56:29 CEST 2018 on sn-devel-144 commit 2500fe7c4014f3da3d768360be6cad5d29c3c35b Author: Jeremy Allison Date: Wed Mar 28 13:17:14 2018 -0700 s4: torture: Test all combinations of directory create to ensure behavior is the same. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit fd9084336e7e86ccec83141d880fd7c336c23b6c) commit ada71264ddf1b19ae17e593015b12bf3b523be39 Author: Jeremy Allison Date: Wed Mar 28 11:44:40 2018 -0700 s4: torture: Test all combinations of file open with existing file to ensure behavior is the same. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 820b35bb1ceb445eb3659b67eedfb0a2f5b2f976) commit 1d8c67f44feaf4c2b3c6b9ae2dcdbb965c94f7ae Author: Jeremy Allison Date: Wed Mar 28 11:00:59 2018 -0700 s4: torture: Test all combinations of file create to ensure behavior is the same. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 22fe8dcb77565495886244e88bb0433363d1f80a) commit 052ca448aca47bbd23ab10a667f392adaa594ed6 Author: Jeremy Allison Date: Wed Mar 28 10:54:30 2018 -0700 s4: torture: Ensure a failed file create doesn't create the file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 53cdf7a9a18ed547eade4c3cdd80d286058e440d) commit bd2c850c3dd74b3a8e9ff7a4d4af1cfe7cf87079 Author: Jeremy Allison Date: Wed Mar 28 12:42:20 2018 -0700 s3: smbd: Files or directories can't be opened DELETE_ON_CLOSE without delete access. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13358 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 2514bee0a3b0a12430e2679ee590075c54d4803a) commit 9f2bae39970e020420238edfff7aa999bd5ba52a Author: Eric Vannier Date: Thu Mar 22 21:32:56 2018 -0700 Allow AESNI to be used on all processor supporting AESNI, not just Intel's This improves performance/reduced CPU usage. Tests performed: - Ran on Ivy Bridge and Ryzen and verified that AESNI is detected (crypto tests) - Ran on Ryzen, and observed 50% increased speed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13302 Signed-off-by: Eric Vannier Reviewed-by: Jeremy Allison Reviewed-by: Björn Jacke Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Mar 27 13:50:09 CEST 2018 on sn-devel-144 (cherry picked from commit 77d88d75f6262a855e818a9b2b4018f8b6ced7b0) commit b44b0791c09e63d6bd5fa5afac22dee8ef801d05 Author: David Mulder Date: Thu Nov 2 08:25:11 2017 -0600 smbc_opendir should not return EEXIST with invalid login credentials BU
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 214291f s3: docs: Add documentation for "smb2" and "smb2_credits" debug classes. via 2546926 s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues. via 465f3a3 lib: debug: Add DBGC_XXX versions of the macros to allow class-specific messages. via 8bfe55e s3: debug: smb2: Create a new DBGC_SMB2 debug class and mark all smbd/smb2_*.c files with it. via fe02c78 s3:smbd: map nterror on smb2_flush errorpath via 62388a0 s3: smbd: Fruit. Make the use of dom_sid_compare_domain() much clearer. via 8b9e15b s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries. via 8df51e5 selftest: vfs.fruit: add xattr_tdb where possible via bb8bbed selftest: run vfs.fruit_netatalk test against seperate share via 3893417 s3: smbd: vfs_fruit: Replace code in fruit_fget_nt_acl() with remove_virtual_nfs_aces(). via 85553b7 s3: smbd: vfs_fruit: Replace code in check_ms_nfs() with remove_virtual_nfs_aces(). via bf3e904 s3: smbd: vfs_fruit: Add remove_virtual_nfs_aces() a generic NFS ACE remover. via db293b8 s3: vfs_fruit. Change check_ms_nfs() to remove the virtual ACE's generated by fruit_fget_nt_acl(). via a37fad5 s3: vfs_fruit. If the security descriptor was modified, ensure we set the flags correctly to reflect the ACE's left. via 9b5d24d s3: vfs_fruit: Ensure we operate on a copy of the incoming security descriptor. via 15391e3 s3: vfs_fruit. Ensure we only return one set of the 'virtual' UNIX ACE entries. via ea6c0ae vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async via 6d4906c s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir() via 520672e s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here. from 7a49112 s4:auth_sam: allow logons with an empty domain name https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 214291f832510b2e0245c0703c7ee1ca5c41f0c6 Author: Jeremy Allison Date: Wed Mar 21 12:56:12 2018 -0700 s3: docs: Add documentation for "smb2" and "smb2_credits" debug classes. https://bugzilla.samba.org/show_bug.cgi?id=13347 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme (cherry picked from commit fc922bd29b40a20450f16728fa7347f8f83d3bcd) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Mar 23 02:37:09 CET 2018 on sn-devel-144 commit 25469265883a0e63baee72ab3d1ff250ad122264 Author: Jeremy Allison Date: Wed Mar 21 12:52:49 2018 -0700 s3: smbd: SMB2: Add DBGC_SMB2_CREDITS class to specifically debug credit issues. https://bugzilla.samba.org/show_bug.cgi?id=13347 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme (cherry picked from commit ad973fddef00d6d92443be89e7f5404006a94d99) commit 465f3a39b11ce7caf28d36e4168f7a1eeb76ee0a Author: Jeremy Allison Date: Wed Mar 21 12:40:50 2018 -0700 lib: debug: Add DBGC_XXX versions of the macros to allow class-specific messages. https://bugzilla.samba.org/show_bug.cgi?id=13347 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme (cherry picked from commit cdde6d93605d15a59e816a35e8e02ca193bf1403) commit 8bfe55e063fbb79048dcf715520265f3ac814434 Author: Jeremy Allison Date: Wed Mar 21 12:01:05 2018 -0700 s3: debug: smb2: Create a new DBGC_SMB2 debug class and mark all smbd/smb2_*.c files with it. Will allow easier smb2-specific debugging. https://bugzilla.samba.org/show_bug.cgi?id=13347 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme (cherry picked from commit 8dabcf8948c2e514b489169c34673e093519b583) commit fe02c78becb2f0bed3fe876157f2ea2d52bb0a97 Author: Anton Nefedov via samba-technical Date: Thu Mar 15 14:38:41 2018 +0300 s3:smbd: map nterror on smb2_flush errorpath smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise aborts in tevent_req_is_nterror() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338 Signed-off-by: Anton Nefedov Reviewed-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 98623129446672521b7fa41d3457b8ce95db828c) commit 62388a06a548e83decd0e74d3003f6c03b742729 Author: Jeremy Allison Date: Mon Mar 19 15:46:41 2018 -0700 s3: smbd: Fruit. Make the use of dom_sid_compare_domain() much clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 5c909ea4530d4e7e4aa27046c45e3e48b094a411) commit 8b9e15bd2d71432525aef0012ba5529cb0df5330 Author: Jeremy Allison Date: Thu Mar 15 14:45:06 2018 -0700 s4: vfs: fruit
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 7a49112 s4:auth_sam: allow logons with an empty domain name via 7ea5588 tests/bind.py: Add a bind test with NTLMSSP with no domain via 35c8220 tests/py_creds: Add a SamLogonEx test with an empty string domain via 04cc893 s3:cliconnect.c: remove useless ';' via 4c087a0 s3:libsmb: allow -U"\administrator" to work via 6c1dde6 s3:auth: make use of make_{server,session}_info_anonymous() via 47b1336 s3:rpc_server: make use of make_session_info_anonymous() via 8f69498 s3:auth: add make_{server,session}_info_anonymous() via c3fdc61 s3:auth: pass the whole auth_session_info from copy_session_info_serverinfo_guest() to create_local_token() via 1902652 s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info() via b8c518d s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create() via 104de61 auth: add auth_user_info_copy() function via 8b5253e s3:auth: remove static from finalize_local_nt_token() via 627a86b s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token() via ecee945 s3:auth: don't try to expand system or anonymous tokens in finalize_local_nt_token() via 7687d26 s3:auth: add add_builtin_guests() handling to finalize_local_nt_token() via e0e4aa1 s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token() via c1f61c0 s3:passdb: handle dom_sid=NULL in create_builtin_{users,administrators}() via 85097b1 s3:auth: move add_local_groups() out of finalize_local_nt_token() via 1258f28 s3:auth: add the "Unix Groups" sid for the primary gid via b991dca s3:auth: remove unused auth_serversupplied_info->system via ff7a8e4 libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User' via e39a5bd s3:selftest: run SMB2-ANONYMOUS via 23d1850 s3:torture: add SMB2-ANONYMOUS which asserts no GUEST bit for anonymous from 17977a9 Merge tag 'samba-4.7.6' into v4-7-test https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 7a49112b5077381383d9d6c2b5356e6208dceaf0 Author: Stefan Metzmacher Date: Tue Jan 9 08:54:11 2018 +0100 s4:auth_sam: allow logons with an empty domain name It turns out that an empty domain name maps to the local SAM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144 (cherry picked from commit 57762229da971e837b923f09ca01bad6151f9419) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Tue Mar 20 21:51:18 CET 2018 on sn-devel-144 commit 7ea5588d089b5b97f307c71aa4de78fe0aa2441b Author: Garming Sam Date: Mon Jan 8 16:34:02 2018 +1300 tests/bind.py: Add a bind test with NTLMSSP with no domain Confirmed to pass against Windows 2012 R2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 2e49a9ebf5bffbeadca03517b4a21bca24c0) commit 35c8220990a2671443ca6b9f457efd72a427be9e Author: Garming Sam Date: Mon Jan 8 13:36:59 2018 +1300 tests/py_creds: Add a SamLogonEx test with an empty string domain This test passes against 4.6, but failed against 4.7.5 and master. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18) commit 04cc8936c3f90bf3bbb05bce25c55212c8f0823b Author: Stefan Metzmacher Date: Tue Jan 9 08:57:05 2018 +0100 s3:cliconnect.c: remove useless ';' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3) commit 4c087a0e9e8ffd797e810f7dc21d630fd6833eed Author: Stefan Metzmacher Date: Tue Jan 9 08:55:48 2018 +0100 s3:libsmb: allow -U"\\administrator" to work cli_credentials_get_principal() returns NULL in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87) commit 6c1dde631da2f5b41682210eca40f9d363168696 Author: Stefan Metzmacher Date: Fri Mar 2 14:40:19 2018 +0100 s3:auth: make use of make_{server,session}_info_anonymous() It's important t
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 17977a9 Merge tag 'samba-4.7.6' into v4-7-test via 5cfa947 VERSION: Disable GIT_SNAPSHOT for the 4.7.6 release. via 4119137 WHATSNEW: Add release notes for Samba 4.7.6. via 11fbafc CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control via 86b41e9 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID via f11f3cc CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control via 32d65d8 CVE-2018-1057: s4:dsdb/acl: run password checking only once via 946bab0 CVE-2018-1057: s4/dsdb: correctly detect password resets via bb2ab8e CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights() via a6221ea CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control via 32384ea CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks via 31088fa CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights() via 50eb427 CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights() via e2acd0d CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values via 5ad58a9 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE via d8de52b CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete via 9f9db58 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. via a572eed VERSION: Bump version up to 4.7.6... from cc04ea1 VERSION: Bump version up to 4.7.7. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 17977a918f97309f2d2d2aeaa162766f36342478 Merge: cc04ea1 5cfa947 Author: Stefan Metzmacher Date: Tue Mar 13 11:11:29 2018 +0100 Merge tag 'samba-4.7.6' into v4-7-test samba: tag release samba-4.7.6 --- Summary of changes: Changeset truncated at 500 lines: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via cc04ea1 VERSION: Bump version up to 4.7.7. via 2f57b6d VERSION: Disable GIT_SNAPSHOT for the 4.7.6 release. via f17ddb9 WHATSNEW: Add release notes for Samba 4.7.6. via 49b49f1 CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control via 7d8de68 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID via f797e86 CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control via c5a663f CVE-2018-1057: s4:dsdb/acl: run password checking only once via 7cc3749 CVE-2018-1057: s4/dsdb: correctly detect password resets via a192242 CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights() via fd1817c CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control via 0820307 CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks via 0bb68f5 CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights() via b3746a4 CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights() via 7ee55ea CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values via 43a5d96 CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE via d15b66c CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete via b59ca4d CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. from af47cdb s3:smbd: Do not crash if we fail to init the session table https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit cc04ea177183c054236edd6ab721dc9f36c5dab3 Author: Karolin Seeger Date: Tue Mar 13 10:24:24 2018 +0100 VERSION: Bump version up to 4.7.7. Signed-off-by: Karolin Seeger commit 2f57b6d9aa381dba7646f919dd7c7dc18fab4979 Author: Karolin Seeger Date: Sun Mar 11 22:03:58 2018 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.7.6 release. CVE-2018-1050 (Denial of Service Attack on external print server.) CVE-2018-1057 (Authenticated users can change other user's password.) Signed-off-by: Karolin Seeger commit f17ddb96286dbbe45e3aec5f9af1aac4383c0561 Author: Karolin Seeger Date: Sun Mar 11 22:02:30 2018 +0100 WHATSNEW: Add release notes for Samba 4.7.6. CVE-2018-1050 (Denial of Service Attack on external print server.) CVE-2018-1057 (Authenticated users can change other user's password.) Signed-off-by: Karolin Seeger commit 49b49f16030858d498e1937d1c81124b65567828 Author: Ralph Boehme Date: Thu Feb 15 23:11:38 2018 +0100 CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control This is not strictly needed to fig bug 13272, but it makes sense to also fix this while fixing the overall ACL checking logic. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 7d8de684f0ff3882fdb5db549a85d515bef4391c Author: Ralph Boehme Date: Fri Feb 16 15:38:19 2018 +0100 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID This is used to pass information about which password change operation (change or reset) the acl module validated, down to the password_hash module. It's very important that both modules treat the request identical. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit f797e86896397b9dfd3a235f3537ced6cb37 Author: Ralph Boehme Date: Fri Feb 16 15:30:13 2018 +0100 CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control Will be used to pass "user password change" vs "password reset" from the ACL to the password_hash module, ensuring both modules treat the request identical. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit c5a663f754148af6fb7e47f5990b93b55abd7342 Author: Ralph Boehme Date: Wed Feb 14 19:15:49 2018 +0100 CVE-2018-1057: s4:dsdb/acl: run password checking only once This is needed, because a later commit will let the acl module add a control to the change request msg and we must ensure that this is only done once. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 7cc374973406c49130fff019de26bdf0db48f494 Author: Ralph Boehme Date: Thu Feb 22 10:54:37 2018 +0100 CVE-2018-1057: s4/dsdb: correctly detect password resets This change ensures we correctl
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via af47cdb s3:smbd: Do not crash if we fail to init the session table via 1efaec6 libsmb: Use smb2 tcon if conn_protocol >= SMB2_02 via e8a69b9 torture: Add test for channel sequence number handling via 164b38c smbXcli: Add "force_channel_sequence" via f2d311e smbd: Fix channel sequence number checks for long-running requests via d5c0ad6 smbd: Remove a "!" from an if-condition for easier readability via caca68c torture4: Fix typos via 09200da smbd: Fix a typo from b276495 build: fix libceph-common detection https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit af47cdb3e1310ba0a365fa2c5b0161b6554fbead Author: Andreas Schneider Date: Mon Feb 19 18:07:50 2018 +0100 s3:smbd: Do not crash if we fail to init the session table This should the following segfault with SMB1: #6 sig_fault (sig=) at ../lib/util/fault.c:94 #7 #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) at ../source3/smbd/smbXsrv_session.c:1212 #9 0x7f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 #10 0x7f7618ae17b0 in switch_message (type=, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 #11 0x7f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) at ../source3/smbd/process.c:1762 #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=, nread=140, unread_bytes=0, seqnum=0, encrypted=, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 #13 0x7f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 #14 0x7f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 Inspection the core shows that: conn->client-session_table is NULL conn->protocol is PROTOCOL_NONE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Thu Mar 8 17:53:27 CET 2018 on sn-devel-144 commit 1efaec6bc9f51e3595ed254e38b6569962d36ee4 Author: Dan Robertson Date: Thu Feb 22 20:47:11 2018 + libsmb: Use smb2 tcon if conn_protocol >= SMB2_02 When the connection protocol is SMB2 the tid from the smb1 member is used instead of smb2 in cli_state_set_tid which often results in a null deref. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310 Signed-off-by: Dan Robertson Reviewed-by: Jeremy Allison Reviewed-by: Andreas Schneider (cherry picked from commit b67ffaf518c971817b167b41bf6226cddfdcfd2f) commit e8a69b9a3a58de4d78be1fabe7c5263002528a47 Author: Volker Lendecke Date: Thu Jan 11 11:55:39 2018 +0100 torture: Add test for channel sequence number handling We run into an assert when the csn wraps Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Jan 14 14:47:15 CET 2018 on sn-devel-144 (cherry picked from commit 0abe16a5343de9a69bb5cccbad9809b28b642f45) commit 164b38ccb778a9128fd6ad29cad72ab96e109f9d Author: Volker Lendecke Date: Thu Jan 11 11:25:49 2018 +0100 smbXcli: Add "force_channel_sequence" This enables use of the channel sequence number even for non-multi-channel servers. This makes our client invalid, but we need to protect against broken clients with tests. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher (cherry picked from commit cd288a08500b1cc38ef26e5cb8ef754b4da658b6) commit f2d311eee9301717b99ed7ae758f0d05958d86b0 Author: Volker Lendecke Date: Thu Jan 11 15:34:45 2018 +0100 smbd: Fix channel sequence number checks for long-running requests When the client's supplied csn overflows and hits a pending, long-running request's csn, we panic. Fix this by counting the overflows in smbXsrv_open_global0->channel_generation Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Volker Lendecke Signed-off-by: Stefan Metzmacher (cherry picked from commit 0b57434151a8334a6e9b9b7542824ce4915421a2) commit d5c0ad63c942f4df60ef6dfcee5c48c65ba7dea3 Author: Volker Lendecke Date: W
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via b276495 build: fix libceph-common detection from 4978ee1 subnet: Avoid a segfault when renaming subnet objects https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit b27649592001ef64f255380eade6246554c1e216 Author: Günther Deschner Date: Mon Jan 15 23:20:39 2018 +0100 build: fix libceph-common detection BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277 Guenther Signed-off-by: Guenther Deschner Reviewed-by: David Disseldorp Autobuild-User(master): Günther Deschner Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144 (cherry picked from commit 6a59619844e0def505a6bfa778c17721c062e0ee) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Feb 28 16:51:15 CET 2018 on sn-devel-144 --- Summary of changes: source3/wscript | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/wscript b/source3/wscript index 6823e0a..611af5b 100644 --- a/source3/wscript +++ b/source3/wscript @@ -1583,11 +1583,13 @@ main() { conf.env['CPPPATH_CEPHFS'] = Options.options.libcephfs_dir + '/include' conf.env['LIBPATH_CEPHFS'] = Options.options.libcephfs_dir + '/lib' conf.env['LIBPATH_CEPH-COMMON'] = Options.options.libcephfs_dir + '/lib/ceph' +else: +conf.env['LIBPATH_CEPH-COMMON'] = Options.options.LIBDIR + '/ceph' if (Options.options.with_cephfs and conf.CHECK_HEADERS('cephfs/libcephfs.h', False, False, 'cephfs') and -conf.CHECK_LIB('cephfs', shlib=True) and -conf.CHECK_LIB('ceph-common', shlib=True)): +conf.CHECK_LIB('cephfs', shlib=True)): +conf.CHECK_LIB('ceph-common', shlib=True) if Options.options.with_acl_support: conf.DEFINE('HAVE_CEPH', '1') if conf.CHECK_FUNCS_IN('ceph_statx', 'cephfs ceph-common', -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 4978ee1 subnet: Avoid a segfault when renaming subnet objects from 1fa65b4 build: fix ceph_statx check when configured with libcephfs_dir https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 4978ee103d7474015e98bff5654d0d4f834e6dcd Author: Garming Sam Date: Wed Sep 20 14:55:11 2017 +1200 subnet: Avoid a segfault when renaming subnet objects BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031 Signed-off-by: Garming Sam Reviewed-by: Douglas Bagnall Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Feb 20 17:48:35 CET 2018 on sn-devel-144 --- Summary of changes: python/samba/subnets.py | 33 source4/dsdb/samdb/ldb_modules/samldb.c | 8 +++--- source4/dsdb/tests/python/sites.py | 45 + 3 files changed, 82 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/subnets.py b/python/samba/subnets.py index e859f06..72eeb0f 100644 --- a/python/samba/subnets.py +++ b/python/samba/subnets.py @@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name): samdb.delete(dnsubnet) +def rename_subnet(samdb, configDn, subnet_name, new_name): +"""Rename a subnet. + +:param samdb: A samdb connection +:param configDn: The DN of the configuration partition +:param subnet_name: Name of the subnet to rename +:param new_name: New name for the subnet +:return: None +:raise SubnetNotFound: if the subnet to be renamed does not exist. +:raise SubnetExists: if the subnet to be created already exists. +""" +dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites") +if dnsubnet.add_base(configDn) == False: +raise SubnetException("dnsubnet.add_base() failed") +if dnsubnet.add_child("CN=X") == False: +raise SubnetException("dnsubnet.add_child() failed") +dnsubnet.set_component(0, "CN", subnet_name) + +newdnsubnet = ldb.Dn(samdb, str(dnsubnet)) +newdnsubnet.set_component(0, "CN", new_name) +try: +samdb.rename(dnsubnet, newdnsubnet) +except LdbError as (enum, estr): +if enum == ldb.ERR_NO_SUCH_OBJECT: +raise SubnetNotFound('Subnet %s does not exist' % subnet) +elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS: +raise SubnetAlreadyExists('A subnet with the CIDR %s already exists' + % new_name) +elif enum == ldb.ERR_INVALID_DN_SYNTAX: +raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name, + estr)) +else: +raise def set_subnet_site(samdb, configDn, subnet_name, site_name): """Assign a subnet to a site. diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 971048d..3e429e1 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -3351,13 +3351,13 @@ static int verify_cidr(const char *cidr) } -static int samldb_verify_subnet(struct samldb_ctx *ac) +static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn) { struct ldb_context *ldb = ldb_module_get_ctx(ac->module); const char *cidr = NULL; const struct ldb_val *rdn_value = NULL; - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn); + rdn_value = ldb_dn_get_rdn_val(dn); if (rdn_value == NULL) { ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val " "failed"); @@ -3588,7 +3588,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req) if (samdb_find_attribute(ldb, ac->msg, "objectclass", "subnet") != NULL) { - ret = samldb_verify_subnet(ac); + ret = samldb_verify_subnet(ac, ac->msg->dn); if (ret != LDB_SUCCESS) { talloc_free(ac); return ret; @@ -3991,7 +3991,7 @@ static int check_rename_constraints(struct ldb_message *msg, /* subnet objects */ if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) { - ret = samldb_verify_subnet(ac); + ret = samldb_verify_subnet(ac, newdn); if (ret != LDB_SUCCESS) { talloc_free(ac); return ret; diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py index a894da3..123e1ec 100755 --- a/source4/dsdb/tests/python/sites.py +++ b/source4/dsdb/tests/python/sites.py @@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests): self.assertRaises(subnets.SubnetNotFound,
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 1fa65b4 build: fix ceph_statx check when configured with libcephfs_dir from 5c782d5 VERSION: Bump version up to 4.7.6... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 1fa65b4e832c690412ed40b72ed7772e63d44ec5 Author: David Disseldorp Date: Thu Jul 20 11:10:57 2017 +0200 build: fix ceph_statx check when configured with libcephfs_dir When configured with a custom libcephfs_dir, the ceph_statx check fails to link. This is due to the location of the ceph-common dependency, which is installed under a ceph subdirectory. ceph/build > make DESTDIR=./inst install ... ceph/build > find inst/|grep -e /libcephfs -e /libceph-common inst/usr/local/lib64/ceph/libceph-common.so.0 inst/usr/local/lib64/ceph/libceph-common.so inst/usr/local/lib64/libcephfs.so.2.0.0 inst/usr/local/lib64/libcephfs.so.2 inst/usr/local/lib64/libcephfs.so inst/usr/local/include/cephfs/libcephfs.h Bug: https://bugzilla.samba.org/show_bug.cgi?id=13250 Signed-off-by: David Disseldorp Reviewed-by: Jeff Layton (cherry picked from commit ff7df3d3f5259362a6bb6780d6b532e57e89681d) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Feb 13 14:05:47 CET 2018 on sn-devel-144 --- Summary of changes: source3/wscript | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/wscript b/source3/wscript index aa1a7b3..6823e0a 100644 --- a/source3/wscript +++ b/source3/wscript @@ -1582,11 +1582,16 @@ main() { if Options.options.libcephfs_dir: conf.env['CPPPATH_CEPHFS'] = Options.options.libcephfs_dir + '/include' conf.env['LIBPATH_CEPHFS'] = Options.options.libcephfs_dir + '/lib' +conf.env['LIBPATH_CEPH-COMMON'] = Options.options.libcephfs_dir + '/lib/ceph' -if conf.CHECK_HEADERS('cephfs/libcephfs.h', False, False, 'cephfs') and conf.CHECK_LIB('cephfs', shlib=True) and Options.options.with_cephfs: +if (Options.options.with_cephfs and +conf.CHECK_HEADERS('cephfs/libcephfs.h', False, False, 'cephfs') and +conf.CHECK_LIB('cephfs', shlib=True) and +conf.CHECK_LIB('ceph-common', shlib=True)): if Options.options.with_acl_support: conf.DEFINE('HAVE_CEPH', '1') -if conf.CHECK_FUNCS_IN('ceph_statx', 'cephfs', headers='cephfs/libcephfs.h'): +if conf.CHECK_FUNCS_IN('ceph_statx', 'cephfs ceph-common', + headers='cephfs/libcephfs.h'): conf.DEFINE('HAVE_CEPH_STATX', '1') else: Logs.warn("ceph support disabled due to --without-acl-support") -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 5c782d5 VERSION: Bump version up to 4.7.6... via c15b477 VERSION: Disable GIT_SNAPSHOT for the 4.7.5 release. via bbf315b WHATSNEW: Add release notes for Samba 4.7.5. from 9f4091b dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 5c782d5f7670d7855990cd359b919706d584ac4b Author: Karolin Seeger Date: Wed Feb 7 09:27:59 2018 +0100 VERSION: Bump version up to 4.7.6... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit c15b47761e1f10748f7b6eafd2e7a01ddcf10660 Author: Karolin Seeger Date: Wed Feb 7 09:26:57 2018 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.7.5 release. Signed-off-by: Karolin Seeger commit bbf315b9396fc989e4a18c3d3927dec0db866bc9 Author: Karolin Seeger Date: Wed Feb 7 09:26:05 2018 +0100 WHATSNEW: Add release notes for Samba 4.7.5. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 91 ++-- 2 files changed, 90 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 2a351ec..bbc59a4 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=5 +SAMBA_VERSION_RELEASE=6 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 22ad049..2914f57 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,91 @@ = + Release Notes for Samba 4.7.5 + February 7, 2018 + = + + +This is the latest stable release of the Samba 4.7 release series. + +Major enhancements include: + +o BUG 13228: This is a major issue in Samba's ActiveDirectory domain + controller code. It might happen that AD objects have missing or broken + linked attributes. This could lead to broken group memberships e.g. + All Samba AD domain controllers set up with Samba 4.6 or lower and then + upgraded to 4.7 are affected. The corrupt database can be fixed with + 'samba-tool dbcheck --cross-ncs --fix'. + + +Changes since 4.7.4: + + +o Jeremy Allison + * BUG 13193: smbd tries to release not leased oplock during oplock II + downgrade. + +o Ralph Boehme + * BUG 13181: Fix copying file with empty FinderInfo from Windows client + to Samba share with fruit. + +o Günther Deschner + * BUG 10976: build: Deal with recent glibc sunrpc header removal. + * BUG 13238: Make Samba work with tirpc and libnsl2. + +o David Disseldorp + * BUG 13208: vfs_ceph: Add fs_capabilities hook to avoid local statvfs. + +o Love Hornquist Astrand + * BUG 12986: Kerberos: PKINIT: Can't decode algorithm parameters in + clientPublicValue. + +o Amitay Isaacs + * BUG 13188: ctdb-recovery-helper: Deregister message handler in error + paths. + +o Volker Lendecke + * BUG 13240: samba: Only use async signal-safe functions in signal handler. + +o Stefan Metzmacher + * BUG 12986: Kerberos: PKINIT: Can't decode algorithm parameters in + clientPublicValue. + * BUG 13228: repl_meta_data: Fix linked attribute corruption on databases + with unsorted links on expunge. dbcheck: Add functionality to fix the + corrupt database. + +o Christof Schmitt + * BUG 13189: Fix smbd panic when chdir returns error during exit. + +o Andreas Schneider + * BUG 13238: Make Samba work with tirpc and libnsl2. + +o Uri Simchoni + * BUG 13176: Fix POSIX ACL support on HPUX and possibly other big-endian OSs. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + ==
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 9f4091b dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature via 692e6b2 dbcheck: add support for restoring missing forward links via dad609d dbcheck: add find_missing_forward_links_from_backlinks() via 8fcdf4e dbcheck: make sure we ask for replPropertyMetaData if we need to process any forward link attributes via 944c05b dbcheck: make sure we always ask for the objectGUID attribute explicitly via 1c524c1 dbcheck: add a helper function that checks is a value has duplicate links via 323c8f2 dbcheck: add a dict where we remember attributes with duplicate links via 8224416 dbcheck: split out check_duplicate_links from check_dn via 6dd195d dbcheck: store fixed forward link attributes with the correct sorting via 882befa dbcheck: remove ldb.FLAG_MOD_REPLACE when replacing search results for forward links via 163c935 dbcheck: rename err_duplicate_links() to err_recover_forward_links() and adjust the output message via 43d419b dbcheck: add link direction to error message for duplicate links via 86015a9 dbcheck: rename err_duplicate_links arguments via b03423b dbcheck: only pass obj_dn to err_orphaned_backlink() via 1d59b2a dbcheck: add forward_syntax argument to err_orphaned_backlink via 478f51c dbcheck: rename and reorder err_orphaned_backlink arguments via b230586 selftest/dbcheck: add a test for corrupt forward links restoration via 51383bd Revert "dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links" via 9819e1e python/common: add __cmp__ function to dsdb_Dn similar to parsed_dn_compare() via ca2605a python:tests: add test_dsdb_Dn_sorted() to "samba.tests.common" via 12f6cf7 python:tests: remove test_dsdb_Dn() to test_dsdb_Dn_binary() via fdf182b python:tests: use TestCaseInTempDir for "samba.tests.common" from a73a751 vfs_fruit: set delete-on-close for empty finderinfo https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 9f4091b2d858e351e95aa5107fd3b00ddedcb25a Author: Stefan Metzmacher Date: Wed Jan 31 09:50:47 2018 +0100 dbcheck: skip find_missing_forward_links_from_backlinks() if the db has the sortedLinks feature BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Feb 5 18:32:51 CET 2018 on sn-devel-144 (cherry picked from commit 0c3348feb09f4f0ba85455b8c3ff5c5fa60d139b) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Feb 6 16:41:09 CET 2018 on sn-devel-144 commit 692e6b2897ff99ff7a2dea7f16ccb5a0b6869e2a Author: Ralph Boehme Date: Thu Jan 25 14:48:55 2018 +0100 dbcheck: add support for restoring missing forward links This recovers broken databases with duplicate and missing forward links. See commit a25c99c9f1fd1814c56c21848c748cd0e038eed7 for the fix that prevents to problem from happening. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher (cherry picked from commit 5bf823d68bd33ee3160175a18a3838eff4e3cbb2) commit dad609d0d74d1fbdaa3eb6dd59b800f3b258e714 Author: Ralph Boehme Date: Thu Jan 25 14:48:55 2018 +0100 dbcheck: add find_missing_forward_links_from_backlinks() find_missing_forward_links_from_backlinks() finds and returns missing forward-links by searching all for all objects that link to the object in the backlink attribute. This will be used in the next commit to restore forward links in a corrupted forward link attribute by passing the missing backling objects to err_recover_forward_links(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher (cherry picked from commit d59f201388e8a16688adda145734dab8e27b785f) commit 8fcdf4e8218cf01c353b276630deadb370ade256 Author: Stefan Metzmacher Date: Tue Jan 30 12:19:31 2018 +0100 dbcheck: make sure we ask for replPropertyMetaData if we need to process any forward link attributes BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme (cherry picked from commit 182fb3c4c9db8715d0dbcbc3d1aa0655b5cb29f1) commit 944c05ba4d592f9050cdddc7d56cb5f6632e8d1f Author: Stefan Metzmacher Date: Tue Jan 30 12:19:31 2018 +0100 dbcheck: make sure we always ask for the objectGUID attribute expl
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via a73a751 vfs_fruit: set delete-on-close for empty finderinfo via f06e251 vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close via f597147 vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream() via b4864ac s4/torture/fruit: enhance zero AFP_AfpInfo stream test via 2a376b7 s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialized via aba3f9b dbcheck: disable fixing duplicate linked attributes until we can recover lost forward links via 5070224 repl_meta_data: fix linked attribute corruption on databases with unsorted links on expunge via 376298e testprogs:blackbox: add regression test for unsorted links in tombstones-expunge.sh via 46a212d samba: Only use async signal-safe functions in signal handler via fafbd4e waf: Fix NFS quota support with libtirpc via 7ed0c06 wafsamba: Allow passing 'lib' to CHECK_STRUCTURE_MEMBER via 25e01d9 build: deal with recent glibc sunrpc header removal via f3f5d50 include: Create system/nis.h in libreplace via 3bc0a57 s3:waf: Move HAVE_NETGROUP to wscript from bde3d64 vfs_default: use VFS statvfs macro in fs_capabilities https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit a73a7512390d71009feee0d0703730539da6fdf6 Author: Ralph Boehme Date: Wed Dec 6 22:09:52 2017 +0100 vfs_fruit: set delete-on-close for empty finderinfo We previously removed the stream from the underlying filesystem stream backing store when the client zeroes out FinderInfo in the AFP_AfpInfo stream, but this causes certain operations to fail (eg stat) when trying to access the stream over any file-handle open on that stream. So instead of deleting, set delete-on-close on the stream. The previous commit already implemented not to list list streams with delete-on-close set which is necessary to implemenent correct macOS semantics for this particular stream. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Jan 9 17:09:12 CET 2018 on sn-devel-144 (cherry picked from commit e61e9e98e9ff461055daae2fe78f0202f7ed8663) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Jan 26 01:29:54 CET 2018 on sn-devel-144 commit f06e2514748672fb5847629056357427b91ef44b Author: Ralph Boehme Date: Thu Dec 7 17:32:35 2017 +0100 vfs_fruit: filter out AFP_AfpInfo streams with pending delete-on-close This is in preperation of fixing the implementation of removing the AFP_AfpInfo stream by zeroing the FinderInfo out. We currently remove the stream blob from the underyling filesystem backing store, but that results in certain operations to fail on any still open file-handle. The fix comes in the next commit which will convert to backing store delete operation to a set delete-on-close on the stream. This commit adds filtering on streams that have the delete-on-close set. It is only needed for the fruit:metadata=stream case, as with fruit:metadata=netatalk the filtering is already done in fruit_streaminfo_meta_netatalk(). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 70d8f7c5d25f35b58620c2db8f57c7c0758267b3) commit f59714752445bac37feb6ced394afe5a173f3c30 Author: Ralph Boehme Date: Thu Dec 7 14:56:36 2017 +0100 vfs_fruit: factor out delete_invalid_meta_stream() from fruit_streaminfo_meta_stream() No change in behaviour, just some refactoring before adding more code to fruit_streaminfo_meta_stream() in the next commit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit c41e1ea9247611473d30184efd953c61955ead15) commit b4864ac384d23fdff60cc8212ad852a1aa71e6ee Author: Ralph Boehme Date: Thu Dec 7 13:43:02 2017 +0100 s4/torture/fruit: enhance zero AFP_AfpInfo stream test This test more operations in the zeroed out FinderInfo test, ensuring after zeroing out FinderInfo, operations on the filehandle still work and that enumerating streams doesn't return the stream anymore. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit df31e94eb6241f5e5594f6fd0ec1ad7896e02e27) commit 2a376b7a77c729cbf403260daa2b7e82677c8775 Author: Ralph Boehme Date: Wed Dec 6 22:05:23 2017 +0100 s4/torture/fruit: ensure AFP_AfpInfo blobs are 0-initialize
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via bde3d64 vfs_default: use VFS statvfs macro in fs_capabilities via da6ee0c vfs_ceph: add fs_capabilities hook to avoid local statvfs from d251dcc selftest: allow more time for tests https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit bde3d6402e6424015089fe3a2887c72eee45144f Author: David Disseldorp Date: Wed Jan 10 14:03:09 2018 +0100 vfs_default: use VFS statvfs macro in fs_capabilities Currently the vfs_default fs_capabilities handler calls statvfs directly, rather than calling the vfs macro. This behaviour may cause issues for VFS modules that delegate fs_capabilities handling to vfs_default but offer their own statvfs hook. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208 Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison (cherry picked from commit 4b25c9f4a4d336a16894452862ea059701b025de) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Jan 22 13:48:30 CET 2018 on sn-devel-144 commit da6ee0cf34af010d0796abddd06c83887e61c88e Author: David Disseldorp Date: Wed Jan 10 01:37:14 2018 +0100 vfs_ceph: add fs_capabilities hook to avoid local statvfs Adding the fs_capabilities() hook to the CephFS VFS module avoids fallback to the vfs_default code-path, which calls statvfs() against the share path on the *local* filesystem. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13208 Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison (cherry picked from commit 2724e0cac29cd1632ea28075a740fcc888affb36) --- Summary of changes: source3/modules/vfs_ceph.c| 15 +++ source3/modules/vfs_default.c | 14 +++--- 2 files changed, 22 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c index 9abd321..f482a8b 100644 --- a/source3/modules/vfs_ceph.c +++ b/source3/modules/vfs_ceph.c @@ -270,6 +270,20 @@ static int cephwrap_statvfs(struct vfs_handle_struct *handle, return ret; } +static uint32_t cephwrap_fs_capabilities(struct vfs_handle_struct *handle, +enum timestamp_set_resolution *p_ts_res) +{ + uint32_t caps = FILE_CASE_SENSITIVE_SEARCH | FILE_CASE_PRESERVED_NAMES; + +#ifdef HAVE_CEPH_STATX + *p_ts_res = TIMESTAMP_SET_NT_OR_BETTER; +#else + *p_ts_res = TIMESTAMP_SET_MSEC; +#endif + + return caps; +} + /* Directory operations */ static DIR *cephwrap_opendir(struct vfs_handle_struct *handle, @@ -1399,6 +1413,7 @@ static struct vfs_fn_pointers ceph_fns = { .get_quota_fn = cephwrap_get_quota, .set_quota_fn = cephwrap_set_quota, .statvfs_fn = cephwrap_statvfs, + .fs_capabilities_fn = cephwrap_fs_capabilities, /* Directory operations */ diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 53d9785..6686303 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -129,8 +129,14 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle, struct vfs_statvfs_struct statbuf; int ret; + smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath, + NULL, NULL, 0); + if (smb_fname_cpath == NULL) { + return caps; + } + ZERO_STRUCT(statbuf); - ret = sys_statvfs(conn->connectpath, &statbuf); + ret = SMB_VFS_STATVFS(conn, smb_fname_cpath, &statbuf); if (ret == 0) { caps = statbuf.FsCapabilities; } @@ -140,12 +146,6 @@ static uint32_t vfswrap_fs_capabilities(struct vfs_handle_struct *handle, /* Work out what timestamp resolution we can * use when setting a timestamp. */ - smb_fname_cpath = synthetic_smb_fname(talloc_tos(), conn->connectpath, - NULL, NULL, 0); - if (smb_fname_cpath == NULL) { - return caps; - } - ret = SMB_VFS_STAT(conn, smb_fname_cpath); if (ret == -1) { TALLOC_FREE(smb_fname_cpath); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d251dcc selftest: allow more time for tests from 7336f54 s3: smbd: Use identical logic to test for kernel oplocks on a share. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d251dcc909f11f382000aaaf1d647287dacc213a Author: Douglas Bagnall Date: Thu Dec 28 11:45:49 2017 +1300 selftest: allow more time for tests Maybe make test *should* run in under 4 hours, but it currently doesn't. Signed-off-by: Douglas Bagnall Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 29 02:48:59 CET 2017 on sn-devel-144 (cherry picked from commit a0f810e7e39cde003c9c5e0cb701846472e80a74) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Jan 11 14:00:50 CET 2018 on sn-devel-144 --- Summary of changes: selftest/selftest.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/selftest.pl b/selftest/selftest.pl index db65500..9bfd4e5 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -441,8 +441,8 @@ if ($opt_testenv) { # 1 year should be enough :-) $server_maxtime = 365 * 24 * 60 * 60; } else { -# make test should run under 4 hours -$server_maxtime = 4 * 60 * 60; +# make test should run under 5 hours +$server_maxtime = 5 * 60 * 60; } if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") { -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 7336f54 s3: smbd: Use identical logic to test for kernel oplocks on a share. from 671a3c6 smbd: Fix coredump on failing chdir during logoff https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 7336f54d45ab8848ae1e52db9c5639888df376d8 Author: Jeremy Allison Date: Wed Jan 3 09:52:33 2018 -0800 s3: smbd: Use identical logic to test for kernel oplocks on a share. Due to inconsistent use of lp_kernel_oplocks() we could miss kernel oplocks being on/off in some of our oplock handling code, and thus use the wrong logic. Ensure all logic around koplocks and lp_kernel_oplocks() is consistent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13193 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Jan 4 16:03:38 CET 2018 on sn-devel-144 (cherry picked from commit 114f5da2fab6f587de77e792274b396fb3d7ce71) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Jan 9 17:47:10 CET 2018 on sn-devel-144 --- Summary of changes: source3/smbd/oplock.c | 25 ++--- 1 file changed, 18 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c index 1b2a87b..e848b5e 100644 --- a/source3/smbd/oplock.c +++ b/source3/smbd/oplock.c @@ -56,7 +56,8 @@ NTSTATUS set_file_oplock(files_struct *fsp) { struct smbd_server_connection *sconn = fsp->conn->sconn; struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops; - bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks; + bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); if (fsp->oplock_type == LEVEL_II_OPLOCK) { if (use_kernel && @@ -98,7 +99,8 @@ static void release_file_oplock(files_struct *fsp) { struct smbd_server_connection *sconn = fsp->conn->sconn; struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops; - bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks; + bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); if ((fsp->oplock_type != NO_OPLOCK) && use_kernel) { @@ -131,13 +133,15 @@ static void downgrade_file_oplock(files_struct *fsp) { struct smbd_server_connection *sconn = fsp->conn->sconn; struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops; + bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); if (!EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { DEBUG(0, ("trying to downgrade an already-downgraded oplock!\n")); return; } - if (koplocks) { + if (use_kernel) { koplocks->ops->release_oplock(koplocks, fsp, LEVEL_II_OPLOCK); } fsp->oplock_type = LEVEL_II_OPLOCK; @@ -729,12 +733,14 @@ static void add_oplock_timeout_handler(files_struct *fsp) { struct smbd_server_connection *sconn = fsp->conn->sconn; struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops; + bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); /* * If kernel oplocks already notifies smbds when an oplock break times * out, just return. */ - if (koplocks && + if (use_kernel && (koplocks->flags & KOPLOCKS_TIMEOUT_NOTIFICATION)) { return; } @@ -845,7 +851,8 @@ static void process_oplock_break_message(struct messaging_context *msg_ctx, break_to &= ~SMB2_LEASE_READ; } - use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && koplocks; + use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); if (use_kernel && !(koplocks->flags & KOPLOCKS_LEVEL2_SUPPORTED)) { DEBUG(10, ("Kernel oplocks don't allow level2\n")); break_to &= ~SMB2_LEASE_READ; @@ -1255,8 +1262,10 @@ void smbd_contend_level2_oplocks_begin(files_struct *fsp, { struct smbd_server_connection *sconn = fsp->conn->sconn; struct kernel_oplocks *koplocks = sconn->oplocks.kernel_ops; + bool use_kernel = lp_kernel_oplocks(SNUM(fsp->conn)) && + (koplocks != NULL); - if (koplocks && koplocks->ops->contend_level2_oplocks_begin) { + if (use_kernel && koplocks->ops->contend_level2_oplocks_begin) { koplocks->ops->contend_level2_oplocks_begin(fsp, type); return; } @@ -1269,9 +1278,11 @@ void smbd_contend_level2_oplocks_end(files_str
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 671a3c6 smbd: Fix coredump on failing chdir during logoff via e21538a selftest: Add test for failing chdir call in smbd via bba8e0f selftest: Make location of log file available in tests via 02c60f2 selftest: Add share for error injection testing via 028d129 vfs_error_inject: Add new module via 47b6eca ctdb-recovery-helper: Deregister message handler in error paths via d983766 sysacls: change datatypes to 32 bits via 0752022 pysmbd: fix use of sysacl API from 424e40f HEIMDAL:kdc: fix dh->q allocation check in get_dh_param() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 671a3c6a5e8f5025ad4cdaff38461fce49737c7c Author: Christof Schmitt Date: Wed Dec 13 11:34:23 2017 -0700 smbd: Fix coredump on failing chdir during logoff server_exit does an internal tree disconnect which requires a chdir to the share directory. In case the file system encountered a problem and the chdir call returns an error, this triggers a SERVER_EXIT_ABNORMAL which in turn results in a panic and a coredump. As the log already indicates the problem (chdir returned an error), avoid the SERVER_EXIT_ABNORMAL in this case and not trigger a coredump. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Dec 16 01:56:06 CET 2017 on sn-devel-144 (cherry picked from commit 7fa91fc4791d076c609eaf119753e38dd3c50a1c) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Jan 2 14:19:44 CET 2018 on sn-devel-144 commit e21538a676539471016425201c36ef2ad637204f Author: Christof Schmitt Date: Wed Dec 13 12:58:18 2017 -0700 selftest: Add test for failing chdir call in smbd BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 0d3000be2af8f8c4a37892d95ae694ad834d7b3a) commit bba8e0f761186f92f6864c03aeca1dc082c5f21a Author: Christof Schmitt Date: Wed Dec 13 12:47:31 2017 -0700 selftest: Make location of log file available in tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit b0e1fc74fdacecb86f46b47e527b3fdf1906d27b) commit 02c60f2e83b9ecd1024138954c635be248fd3a7b Author: Christof Schmitt Date: Wed Dec 13 11:34:05 2017 -0700 selftest: Add share for error injection testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 8b6402f3e5ff98c2701e626e47246b2400f76e5f) commit 028d12916c872075c5b11a1038fd0d1d5a9274de Author: Christof Schmitt Date: Fri Dec 8 15:29:07 2017 -0700 vfs_error_inject: Add new module This module allow injecting errors in vfs calls. It only implements one case (return ESTALE from chdir), but the idea is to extend this to more vfs functions and more errors when needed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189 Signed-off-by: Christof Schmitt Signed-off-by: Andrew Bartlett Reviewed-by: Jeremy Allison (cherry picked from commit 24623d53256c2424563709dedc19af1a106ccc73) commit 47b6ecaf953a3ed3edbdba04a25a32f0241af2c4 Author: Amitay Isaacs Date: Wed Dec 13 16:12:09 2017 +1100 ctdb-recovery-helper: Deregister message handler in error paths BUG: https://bugzilla.samba.org/show_bug.cgi?id=13188 If PULL_DB control times out but the remote node is still sending the data, then the tevent_req for pull_database_send will be freed without removing the message handler. So when the data is received, srvid handler will be called and it will try to access tevent_req which will result in use-after-free and abort. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke commit d983766eaf7ff93db5aa0ac478bbacdda8aef62d Author: Uri Simchoni Date: Tue Dec 5 20:56:49 2017 +0200 sysacls: change datatypes to 32 bits The SMB_ACL_PERMSET_T and SMB_ACL_PERM_T were defined as mode_t, which is 16-bits on some (non-Linux) systems. However, pidl *always* encodes mode_t as uint32_t. That created a bug on big-endian systems as sys_acl_get_permset() returns a SMB_ACL_PERMSET_T pointer to an internal a_perm structure member defined in IDL as a mode_t, which pidl turns into a uin32_t in the emitted header file. Changing to 32 bits fixes that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13176 Signed-off-by: Uri Simchoni Reviewed-by: Jeremy Allison (cherr
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 424e40f HEIMDAL:kdc: fix dh->q allocation check in get_dh_param() via d06e849 HEIMDAL: don't bother seeing q if not sent via c793ac6 HEIMDAL: allow optional q in DH DomainParameters from efc261d VERSION: Bump version up to 4.7.5... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 424e40f75b03b5b9311d10c8d724c4aa8bb3c1a1 Author: Stefan Metzmacher Date: Tue Aug 29 07:24:35 2017 +0200 HEIMDAL:kdc: fix dh->q allocation check in get_dh_param() Thanks to Doug Nazar for spotting this! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986 Signed-off-by: Stefan Metzmacher (cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310) Reviewed-by: Andreas Schneider (cherry picked from commit 183e5d1e3dc306491c06f94c8c98e4882c64bc27) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Sun Dec 24 01:36:48 CET 2017 on sn-devel-144 commit d06e849e7238a6afff0797afdcac489889aae873 Author: Love Hornquist Astrand Date: Mon Apr 29 11:42:46 2013 -0700 HEIMDAL: don't bother seeing q if not sent BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986 Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b) Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Aug 28 15:10:54 CEST 2017 on sn-devel-144 (cherry picked from commit dd3e06f14ec1788a59e4c6ba4ea165fd77b9135e) commit c793ac602cfc252f7dd2025e9ac0d17b06256d0d Author: Love Hornquist Astrand Date: Mon Apr 29 11:37:39 2013 -0700 HEIMDAL: allow optional q in DH DomainParameters BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986 Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95) (cherry picked from commit 9f245aafdca8397df7dc050e25cfd858aeb1cc7f) --- Summary of changes: source4/heimdal/kdc/pkinit.c | 11 +++ source4/heimdal/lib/asn1/rfc2459.asn1 | 2 +- source4/heimdal/lib/krb5/pkinit.c | 7 ++- 3 files changed, 14 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index d85b156..ad7f3ef 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -361,7 +361,7 @@ get_dh_param(krb5_context context, } ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits, - &dhparam.p, &dhparam.g, &dhparam.q, moduli, + &dhparam.p, &dhparam.g, dhparam.q, moduli, &client_params->dh_group_name); if (ret) { /* XXX send back proposal of better group */ @@ -381,9 +381,12 @@ get_dh_param(krb5_context context, dh->g = integer_to_BN(context, "DH base", &dhparam.g); if (dh->g == NULL) goto out; -dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q); -if (dh->g == NULL) - goto out; + +if (dhparam.q) { + dh->q = integer_to_BN(context, "DH p-1 factor", dhparam.q); + if (dh->q == NULL) + goto out; +} { heim_integer glue; diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1 index bf82f81..7843f65 100644 --- a/source4/heimdal/lib/asn1/rfc2459.asn1 +++ b/source4/heimdal/lib/asn1/rfc2459.asn1 @@ -239,7 +239,7 @@ ValidationParms ::= SEQUENCE { DomainParameters ::= SEQUENCE { p INTEGER, -- odd prime, p=jq +1 g INTEGER, -- generator, g - q INTEGER, -- factor of p-1 + q INTEGER OPTIONAL, -- factor of p-1 j INTEGER OPTIONAL, -- subgroup factor validationParms ValidationParms OPTIONAL -- ValidationParms } diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c index 1103a17..c30a298 100644 --- a/source4/heimdal/lib/krb5/pkinit.c +++ b/source4/heimdal/lib/krb5/pkinit.c @@ -497,7 +497,12 @@ build_auth_pack(krb5_context context, free_DomainParameters(&dp); return ret; } - ret = BN_to_integer(context, dh->q, &dp.q); + dp.q = calloc(1, sizeof(*dp.q)); + if (dp.q == NULL) { + free_DomainParameters(&dp); + return ENOMEM; + } + ret = BN_to_integer(context, dh->q, dp.q); if (ret) { free_DomainParameters(&dp); return ret; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via efc261d VERSION: Bump version up to 4.7.5... via 4b1b5b1 VERSION: Disable GIT_SNAPSHOT for the 4.7.4 release. via 437395d WHATSNEW: Add release notes for Samba 4.7.4. from 237bead s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit efc261dedf3a37e7c4b5a236e5a708ef83d7500e Author: Karolin Seeger Date: Fri Dec 22 21:38:26 2017 +0100 VERSION: Bump version up to 4.7.5... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 4b1b5b141d3a46847eeec169a08516b65ab27255 Author: Karolin Seeger Date: Fri Dec 22 21:37:26 2017 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.7.4 release. Signed-off-by: Karolin Seeger commit 437395d0bf5d2b2b3721878e4678267d01425fba Author: Karolin Seeger Date: Fri Dec 22 21:36:39 2017 +0100 WHATSNEW: Add release notes for Samba 4.7.4. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 128 ++- 2 files changed, 127 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 6be993b..2a351ec 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4e403ae..22ad049 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,128 @@ = + Release Notes for Samba 4.7.4 + December 22, 2017 + = + + +This is the latest stable release of the Samba 4.7 release series. + + +smbclient reparse point symlink parameters reversed +=== + +A bug in smbclient caused the 'symlink' command to reverse the +meaning of the new name and link target parameters when creating a +reparse point symlink against a Windows server. + +This only affects using the smbclient 'symlink' command against +a Windows server, not a Samba server using the UNIX extensions +(the parameter order is correct in that case) so no existing +user scripts that depend on creating symlinks on Samba servers +need to change. + +As this is a little used feature the ordering of these parameters +has been reversed to match the parameter ordering of the UNIX +extensions 'symlink' command. This means running 'symlink' against +both Windows and Samba now uses the same paramter ordering in both +cases. + +The usage message for this command has also been improved to remove confusion. + + +Changes since 4.7.3: + + +o Jeremy Allison + * BUG 13140: s3: smbclient: Implement 'volume' command over SMB2. + * BUG 13171: s3: libsmb: Fix valgrind read-after-free error in + cli_smb2_close_fnum_recv(). + * BUG 13172: s3: libsmb: Fix reversing of oldname/newname paths when creating + a reparse point symlink on Windows from smbclient. + +o Timur I. Bakeyev + * BUG 12934: Build man page for vfs_zfsacl.8 with Samba. + +o Andrew Bartlett + * BUG 13095: repl_meta_data: Allow delete of an object with dangling + backlinks. + * BUG 13129: s4:samba: Fix default to be running samba as a deamon. + * BUG 13191: Performance regression in DNS server with introduction of + DNS wildcard, ldb: Release 1.2.3 + +o Ralph Boehme + * BUG 6133: vfs_zfsacl: Fix compilation error. + * BUG 13051: "smb encrypt" setting changes are not fully applied until full + smbd restart. + * BUG 13052: winbindd: Fix idmap_rid dependency on trusted domain list. + * BUG 13155: vfs_fruit: Proper VFS-stackable conversion of FinderInfo. + * BUG 13173: winbindd: Dependency on trusted-domain list in winbindd in + critical auth codepath. + +o Andrej Gessel + * BUG 13120: repl_meta_data: Fix removing of backlink on deleted objects. + +o Amitay Isaacs + "* BUG 13153: ctdb: sock_daemon leaks memory. + * BUG 13154: TCP tickles not getting synchronised on CTDB restart. + +o Volker Lendecke + * BUG 13150: winbindd: winbind parent and child share a ctdb connection. + * BUG 13170: pthreadpool: Fix deadlock. + * BUG 13179: pthreadpool: Fix starvation after fork. + * BUG 13180: messaging: Always register the unique id. + +o Gary Lockyer + * 13129: s4/smbd: set the process group. + +o Stefan Metzmacher + * BUG 13095: Fix broken linked attribute handling. + * BUG 13132: The KDC on an RWDC doesn't send error replies in some + sit
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 237bead s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE via 8be0198 s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions via 2108b10 s3:smbd: return the correct error for cancelled SMB2 notifies on expired sessions via b5e8614 s4:torture: add smb2.session.expire2 test via 3648ab0 g_lock: fix cleanup of stale entries in g_lock_trylock() via 7249bc1 dns_server: Use the indexed "name" attribute in wildcard lookup via 6c5481b dns_server: Do not look for a wildcard for @ via 7d60443 dns_server: Do the exact match query first, then do the wildcard lookup via 2cd8389 ldb: Release 1.2.3 via 82764c9 ldb: Intersect the index from SCOPE_ONELEVEL with the index for the search expression via 5f51561 ldb_tdb: Provide struct ltdb_private to index routines via 6ddcbfd selftest: Do not use dn= filter string from edc0c99 s4:samba: Fix default to be running samba as a deamon https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 237bead2f243224264aca0b5c65bf3bfadef78aa Author: Stefan Metzmacher Date: Thu Sep 21 12:02:25 2017 +0200 s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC. We should not map any error to HDB_ERR_NOT_FOUND_HERE, we should just pass errors along unmapped. Otherwise we'll hit the logic bug in: if (ret == KDC_PROXY_REQUEST) { uint16_t port; if (!sock->kdc_socket->kdc->am_rodc) { DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC")); talloc_free(call); goto done; } And just don't send an error message to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Dec 6 23:16:54 CET 2017 on sn-devel-144 (cherry picked from commit aaa946bb9eb8088389b8ffdec460023f1961616c) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Fri Dec 22 14:23:12 CET 2017 on sn-devel-144 commit 8be019859010a12874e0e78ebec2d44e5b2abe5c Author: Stefan Metzmacher Date: Wed Dec 20 14:05:54 2017 +0100 s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions Windows client at least doesn't have code to replay a SMB2 Close after getting NETWORK_SESSION_EXPIRED, which locks out a the client and generates an endless loop around NT_STATUS_SHARING_VIOLATION. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Dec 21 23:28:42 CET 2017 on sn-devel-144 (cherry picked from commit c4919d4d5f78aeb54a438b95d4eab2f082a8174e) commit 2108b1092e3106f59ae2383c34c7bfbeb896314b Author: Stefan Metzmacher Date: Thu Dec 21 14:47:06 2017 +0100 s3:smbd: return the correct error for cancelled SMB2 notifies on expired sessions BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (cherry picked from commit cfaba684785529d656138df454165aa08a775a01) commit b5e86148c6c6c465805486fcfd628dc4d6d8a6a5 Author: Stefan Metzmacher Date: Thu Dec 21 12:53:02 2017 +0100 s4:torture: add smb2.session.expire2 test This demonstrates the interaction of NT_STATUS_NETWORK_SESSION_EXPIRED and various SMB2 opcodes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (cherry picked from commit f60af3b61c4a374d7d1c575049a932d1824489b6) commit 3648ab02d4188f6441b83806faa79ae7c06bdb61 Author: Stefan Metzmacher Date: Wed Dec 20 08:25:19 2017 +0100 g_lock: fix cleanup of stale entries in g_lock_trylock() g_lock_trylock() always incremented the counter 'i', even after cleaning a stale entry at position 'i', which means it skipped checking for a conflict against the new entry at position 'i'. As result a process could get a write lock, while there're still some read lock holders. Once we get into that problem, also more than one write lock are possible. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13195 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Dec 20 20:31:48 CET 2017 on sn-devel-144 (similar to commit 576fb4fb5dc506bf55e5cf87973999dca44
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via edc0c99 s4:samba: Fix default to be running samba as a deamon from 1eb0844 messaging: Always register the unique id https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit edc0c992e0ddbd305e4a70939dac6a0691db5cf2 Author: Andrew Bartlett Date: Tue Dec 19 16:30:08 2017 +1300 s4:samba: Fix default to be running samba as a deamon Commit 8736013dc42c5755b75bbb2e843a290bcd545909 got the (confusing) sense of opt_fork wrong. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144 (cherry picked from commit 0806ff7dfd3f982226e4cd9b923a0e570b765f0c) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Dec 21 00:55:29 CET 2017 on sn-devel-144 --- Summary of changes: source4/smbd/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source4/smbd/server.c b/source4/smbd/server.c index 2349d5c..b57ee4c 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c @@ -429,7 +429,7 @@ static int binary_smbd_main(const char *binary_name, "not allowed together with -D|--daemon\n\n"); poptPrintUsage(pc, stderr, 0); return 1; - } else if (!opt_interactive && !opt_fork) { + } else if (!opt_interactive && opt_fork) { /* default is --daemon */ opt_daemon = true; } -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 1eb0844 messaging: Always register the unique id from 40ac029 winbindd: idmap_rid: error code for failing id-to-sid mapping request https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 1eb08445d96a2c41593719925203f43f881b3567 Author: Volker Lendecke Date: Thu Nov 30 21:06:53 2017 +0100 messaging: Always register the unique id The winbind child does not call serverid_register, so the unique id is not registered. ctdbd_process_exists now calls CTDB_CONTROL_CHECK_PID_SRVID, which then fails. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13180 Signed-off-by: Volker Lendecke Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Dec 15 15:35:25 CET 2017 on sn-devel-144 --- Summary of changes: source3/lib/messages_ctdbd.c | 13 + 1 file changed, 13 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/lib/messages_ctdbd.c b/source3/lib/messages_ctdbd.c index 6ecec32..95bd694 100644 --- a/source3/lib/messages_ctdbd.c +++ b/source3/lib/messages_ctdbd.c @@ -223,6 +223,19 @@ static int messaging_ctdbd_init_internal(struct messaging_context *msg_ctx, return ret; } + { + struct server_id self = messaging_server_id(msg_ctx); + + ret = register_with_ctdbd(ctx->conn, self.unique_id, + NULL, NULL); + if (ret != 0) { + DBG_DEBUG("register_with_ctdbd failed: %s\n", + strerror(ret)); + return ret; + } + + } + ctdb_fd = ctdbd_conn_get_fd(ctx->conn); ev = messaging_tevent_context(msg_ctx); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 40ac029 winbindd: idmap_rid: error code for failing id-to-sid mapping request via e92edf0 winbindd: idmap_rid: don't rely on the static domain list via 5724d65 winbindd: pass domain SID to wbint_UnixIDs2Sids via 5ffedec winbindd: add domain SID to idmap mapping domains via dce01ac pthreadpool: Add a test for the race condition fixed in the last commit via b418ab3 pthreadpool: Fix starvation after fork via 2530053 third_party: Fix a typo in the option name via 364f1c5 third_party: Link th aesni-intel library with -z noexecstack from 2d1d00b s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 40ac02968ec88acca9ca7cf0345aa5b4b9ba39b4 Author: Ralph Boehme Date: Mon Oct 9 13:29:05 2017 +0200 winbindd: idmap_rid: error code for failing id-to-sid mapping request NT_STATUS_NO_SUCH_DOMAIN triggers complete request failure in the parent winbindd. By returning NT_STATUS_NONE_MAPPED winbindd lets the individual mapping fail but keeps processing any remaining mapping requests. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Oct 10 19:57:37 CEST 2017 on sn-devel-144 (cherry picked from commit 490c35df35bad6c2f1c4acd2f056d6fdc480ec1f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Dec 14 16:32:49 CET 2017 on sn-devel-144 commit e92edf0db5b4f58666b7826448f242f2ceda3d26 Author: Ralph Boehme Date: Mon Sep 25 15:42:08 2017 +0200 winbindd: idmap_rid: don't rely on the static domain list The domain list in the idmap child is inherited from the parent winbindd process and may not contain all domains in case enumerating trusted domains didn't finish before the first winbind request that triggers the idmap child fork comes along. The previous commits added the domain SID as an additional argument to the wbint_UnixIDs2Sids request, storing the domain SID in struct idmap_domain. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke (cherry picked from commit 108675c4cf4c3d5bd29468255743423a56bd1471) commit 5724d651c450a1980ec5899e1afa870060c7ae59 Author: Ralph Boehme Date: Mon Sep 25 15:39:39 2017 +0200 winbindd: pass domain SID to wbint_UnixIDs2Sids This makes the domain SID available to the idmap child for wbint_UnixIDs2Sids mapping request. It's not used yet anywhere, this comes in the next commit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke (cherry picked from commit 71f99cb132f4c26f9febac6cb7dcd79f4940216a) commit 5ffedec128d6087eecc447a3ea7ef1e507e08b41 Author: Ralph Boehme Date: Mon Sep 25 13:25:57 2017 +0200 winbindd: add domain SID to idmap mapping domains Fetch the domain SID for every domain in the idmap-domain map. This is in preperation of passing the domain SID as an additional argument to xid2sid requests to the idmap child. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13052 Signed-off-by: Ralph Boehme Reviewed-by: Volker Lendecke (cherry picked from commit 59438bfd3d3551195582cf88bd1109c3cbc7e12a) commit dce01acabed7fc8e8ad35369971f0cfd2ddefbc3 Author: Volker Lendecke Date: Wed Nov 29 18:55:21 2017 +0100 pthreadpool: Add a test for the race condition fixed in the last commit Bug: https://bugzilla.samba.org/show_bug.cgi?id=13179 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 53f7bbca0451e4f57cdbe8ab4f67f601fe8d40c1) commit b418ab369876f6aff08ee564a7f07d9e5dc0bcc0 Author: Volker Lendecke Date: Wed Nov 29 16:45:40 2017 +0100 pthreadpool: Fix starvation after fork After the race is before the race: 1) Create an idle thread 2) Add a job: This won't create a thread anymore 3) Immediately fork The idle thread will be woken twice before it's actually woken up: Both pthreadpool_add_job and pthreadpool_prepare_pool call cond_signal, for different reasons. We must look at pool->prefork_cond first because otherwise we will end up in a blocking job deep within a fork call, the helper thread must take its fingers off the condvar as quickly as possible. This means that after the fork there's no idle thread around anymore that would pick up the job submitted in 2). So we must keep the idle threads around across the fork. The quic
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 2d1d00b s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient. via 3f1f2a8 s3: client: Rename to in cmd_symlink() and cli_posix_symlink(). via 61140f4 pthreadpool: Fix deadlock via 086b453 pthreadpool: Add test for pthread_create failure via a677717 wscript: Add check for --wrap linker flag via fcc8616 pthreadpool: Undo put_job when returning error via c43c888 pthreadpool: Move creating of thread to new function via 97a9e81 ctdb-daemon: Send STARTUP control after startup event via 6f7215f ctdb-takeover: Send tcp tickles immediately on STARTUP control via 0fdc82e ctdb-takeover: Refactor code to send tickle lists for all public IPs from 5bb2b9c vfs_zfsacl: fix compilation error https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 2d1d00bdd0f1acf66c6700488f4a3e3970b722a1 Author: Jeremy Allison Date: Wed Nov 29 13:16:43 2017 -0800 s3: libsmb: Fix reversing of oldname/newname paths when creating a reparse point symlink on Windows from smbclient. This happened as smbd doesn't support reparse points so we couldn't test. This was the reverse of the (tested) symlink parameters in the unix extensions symlink command. Rename parameters to link_target instead of oldname so this is clearer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13172 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit abbc9b9ab793d22bca6a37828f4375ef38c56dd3) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Dec 13 14:19:59 CET 2017 on sn-devel-144 commit 3f1f2a82896fb7f506b4671a95613365e9250f46 Author: Jeremy Allison Date: Wed Nov 29 13:10:25 2017 -0800 s3: client: Rename to in cmd_symlink() and cli_posix_symlink(). Stops us from mixing up the old and new names. Only behavior change is correcting the names printed in the error messages. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13172 Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit 8448dcaa8da78bcb84fca6a000c75e256bce1e77) commit 61140f4b47488018ec3d505a390f55640dd724d8 Author: Volker Lendecke Date: Tue Dec 12 23:07:39 2017 +0100 pthreadpool: Fix deadlock Christof's idea from https://lists.samba.org/archive/samba-technical/2017-December/124384.html was that the thread already exited. It could also be that the thread is not yet idle when the new pthreadpool_add_jobs comes around the corner. Signed-off-by: Volker Lendecke Reviewed-by: Christof Schmitt Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Wed Dec 13 04:46:12 CET 2017 on sn-devel-144 (cherry picked from commit dfc4670640341761b346065922a62a3e755e9e58) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13170 commit 086b45389fe825f461f04de00b90c98ff5f335b9 Author: Christof Schmitt Date: Wed Dec 6 15:10:23 2017 -0700 pthreadpool: Add test for pthread_create failure This is implemented using cmocka and the __wrap override for pthread_create. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13170 Signed-off-by: Christof Schmitt Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Fri Dec 8 13:54:20 CET 2017 on sn-devel-144 (cherry picked from commit 8cdb3995caf7a21d0c27a56a0bf0c1efd5b491e4) commit a6777171c0a4e0a8bdda9bf160193773c6b93838 Author: Christof Schmitt Date: Thu Dec 7 10:42:30 2017 -0700 wscript: Add check for --wrap linker flag BUG: https://bugzilla.samba.org/show_bug.cgi?id=13170 Signed-off-by: Christof Schmitt Reviewed-by: Andreas Schneider (cherry picked from commit 8e17be1c3df09c238560c8a7e62c17e9f9ff9bc7) commit fcc8616450f16850ba1d35fb3d7529c784b615f2 Author: Christof Schmitt Date: Tue Nov 28 10:59:06 2017 -0700 pthreadpool: Undo put_job when returning error When an error is returned to the caller of pthreadpool_add_job, the job should not be kept in the internal job array. Otherwise the caller might free the data structure and a later worker thread would still reference it. When it is not possible to create a single worker thread, the system might be out of resources or hitting a configured limit. In this case fall back to calling the job function synchronously instead of raising the error to the caller and possibly back to the SMB client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13170 Signed-off-by: Christof Schmitt Reviewed-by: Volker Lendecke (cherry picked from commit 065fb5d94d25d19fc85832bb85aa9e379e8551cc) commit c
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 5bb2b9c vfs_zfsacl: fix compilation error from 8a313c8 winbindd: let normalize_name_map() call find_domain_from_name_noinit() https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 5bb2b9c9a3e296e84130b85718a0bb1f037588e8 Author: Ralph Boehme Date: Sat Oct 28 16:13:16 2017 +0200 vfs_zfsacl: fix compilation error Bug: https://bugzilla.samba.org/show_bug.cgi?id=6133 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Nov 2 03:16:11 CET 2017 on sn-devel-144 (cherry picked from commit 11da1e5c056c92fd7f51ecce0285628cac65f174) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Dec 7 14:19:57 CET 2017 on sn-devel-144 --- Summary of changes: source3/modules/vfs_zfsacl.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_zfsacl.c b/source3/modules/vfs_zfsacl.c index dd0f343..2e277c6 100644 --- a/source3/modules/vfs_zfsacl.c +++ b/source3/modules/vfs_zfsacl.c @@ -51,6 +51,7 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, SMB_STRUCT_STAT sbuf; const SMB_STRUCT_STAT *psbuf = NULL; int ret; + bool is_dir; if (VALID_STAT(smb_fname->st)) { psbuf = &smb_fname->st; @@ -65,10 +66,7 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, } psbuf = &sbuf; } - - if (S_ISDIR(psbuf->st_ex_mode) && (ace->aceMask & SMB_ACE4_ADD_FILE)) { - ace->aceMask |= SMB_ACE4_DELETE_CHILD; - } + is_dir = S_ISDIR(psbuf->st_ex_mode); /* read the number of file aces */ if((naces = acl(smb_fname->base_name, ACE_GETACLCNT, 0, NULL)) == -1) { @@ -115,6 +113,10 @@ static NTSTATUS zfs_get_nt_acl_common(struct connection_struct *conn, aceprop.aceMask |= SMB_ACE4_SYNCHRONIZE; } + if (is_dir && (aceprop.aceMask & SMB_ACE4_ADD_FILE)) { + aceprop.aceMask |= SMB_ACE4_DELETE_CHILD; + } + if(aceprop.aceFlags & ACE_OWNER) { aceprop.flags = SMB_ACE4_ID_SPECIAL; aceprop.who.special_id = SMB_ACE4_WHO_OWNER; -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 8a313c8 winbindd: let normalize_name_map() call find_domain_from_name_noinit() via ac32a77 s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(). via 0fcdf5d testprogs: Test net ads keytab list via aba1e91 s3:libads: net ads keytab list fails with "Key table name malformed" via 73d3e64 vfs_fruit: proper VFS-stackable conversion of FinderInfo via 3f94680 vfs_fruit: add AfpInfo prototypes via 2d3e21f s4/torture: fruit: in test_adouble_conversion() also check stream list and AFPINFO_STREAM via 3d90751 s4/torture: fruit: remove use of localdir from test_adouble_conversion test via 8946fc8 selftest: add "fruit:veto_appledouble = no" to fruit shares via 1143b2f s4/torture: let write_stream() deal with stream=NULL via 0b7e170 selftest: run AppleDouble sidecar-file conversion test runs against all fruit shares via b9f7dd4 s4/torture: use torture_assert_goto in a vfs.fruit test via e24e345 s4/torture: rework stream names tests usage of local xattr call via 1a2f564 selftest: add localdir option to fruit subtests via 590a4cf selftest: reorder arguments for fruit tests via 9990e6e s3/loadparm: don't mark IPC$ as autoloaded via cecbc43 s3/loadparm: ensure default service options are not changed via 7dc2782 s3/loadparm: allocate a fresh sDefault object per lp_ctx via e36b1ce Add vfs_zfsacl manpage to the list of manpages if we have this module enabled. via b21d9f0 Fix typo in the "wide links" description for the getwd cache. from 39922b5 s4:samba: Allow samba daemon to run in foreground https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 8a313c8d6974f691b33a276fa4c7e2488733ba0d Author: Ralph Boehme Date: Mon Nov 27 12:42:44 2017 +0100 winbindd: let normalize_name_map() call find_domain_from_name_noinit() Let normalize_name_map fetch the domain itself with find_domain_from_name_noinit(). This removes two calls to find_domain_from_name_noinit() in the default configuration of "winbind normalize names = no". The domain is only need in normalize_name_map if "winbind normalize names" is enabled. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13173 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher (cherry picked from commit 1ce165a73350e802500c32435dbefe3639340435) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Dec 5 14:48:41 CET 2017 on sn-devel-144 commit ac32a770fc1fad988629654039119278e0c1afa4 Author: Jeremy Allison Date: Wed Nov 29 09:21:30 2017 -0800 s3: libsmb: Fix valgrind read-after-free error in cli_smb2_close_fnum_recv(). cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which frees req, then uses the state pointer which was owned by req. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144 (cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787) commit 0fcdf5db90a05ee95c30ddfa32f3868702b77628 Author: Noel Power Date: Fri Nov 24 07:06:27 2017 + testprogs: Test net ads keytab list Test that correct keytab is picked up. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166 Signed-off-by: Noel Power Reviewed-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2) commit aba1e9199ddb18c229bf0def46a7caf333d2d618 Author: Noel Power Date: Thu Nov 23 15:55:21 2017 + s3:libads: net ads keytab list fails with "Key table name malformed" When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open instead, this function will determine the correct keytab to use. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166 Signed-off-by: Noel Power Reviewed-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463) commit 73d3e642f8c71177bc8f42afb6724a7f93ef5472 Author: Ralph Boehme Date: Wed Nov 15 16:52:48 2017 +0100 vfs_fruit: proper VFS-stackable conversion of FinderInfo This fixes the problem that conversion failed with fruit:metadata=stream. Before we were calling ad_set() which stores the metadata in the Netatalk compatible format. Rewrite to fully go through the VFS by calling SMB_VFS_CREATE_FILE() and SMB_VFS_PWRITE(). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13155 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 39922b5 s4:samba: Allow samba daemon to run in foreground via 6182708 s4:samba: Do not segfault if we run into issues via e41925e s4/smbd: set the process group. from 00dfe4c repl_meta_data: Fix removing of backlink on deleted objects https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 39922b5a6fa830fcf507354ae6c0a30be0a077cc Author: Andreas Schneider Date: Fri Nov 10 09:18:18 2017 +0100 s4:samba: Allow samba daemon to run in foreground We are passing the no_process_group to become_daemon() that setsid() is not called. In case we are double forking, we run in SysV daemon mode, setsid() should be called! See: https://www.freedesktop.org/software/systemd/man/daemon.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Nov 30 14:11:02 CET 2017 on sn-devel-144 commit 6182708d014e1c2b48eb3d5085eff23c35aba6b6 Author: Andreas Schneider Date: Wed Nov 15 10:00:52 2017 +0100 s4:samba: Do not segfault if we run into issues Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209) commit e41925e5ecfd245d690719e9e1fdf7054c21302e Author: Gary Lockyer Date: Mon Aug 21 15:12:04 2017 +1200 s4/smbd: set the process group. Set the process group in the samba daemon, the --no-process-group option allows this to be disabled. The no-process-group option needs to be disabled in self test. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144 --- Summary of changes: selftest/target/Samba4.pm | 2 +- source3/smbd/server.c | 2 +- source4/smbd/server.c | 39 +++ 3 files changed, 37 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 772f982..6a1856e 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -158,7 +158,7 @@ sub check_or_start($$$) close($env_vars->{STDIN_PIPE}); open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!"; - exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!"); + exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!"); } $env_vars->{SAMBA_PID} = $pid; print "DONE ($pid)\n"; diff --git a/source3/smbd/server.c b/source3/smbd/server.c index 181bcd1..252b431 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -1592,7 +1592,7 @@ extern void build_options(bool screen); struct poptOption long_options[] = { POPT_AUTOHELP {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" }, - {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"}, + {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"}, {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" }, {"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" }, {"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" }, diff --git a/source4/smbd/server.c b/source4/smbd/server.c index a8bad06..2349d5c 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c @@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx) { char *path; TALLOC_CTX *mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + exit_daemon("Failed to create memory context", + ENOMEM); + } path = smbd_tmp_path(mem_ctx, lp_ctx, NULL); + if (path == NULL) { + exit_daemon("Failed to cleanup temporary files", + EINVAL); + } recursive_delete(path); talloc_free(mem_ctx); @@ -340,7 +348,9 @@ static int binary_smbd_main(const char *binary_name,
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 00dfe4c repl_meta_data: Fix removing of backlink on deleted objects via f2c4754 repl_meta_data: Allow delete of an object with dangling backlinks via fe3ae81 selftest: Add more corruption cases for runtime and dbcheck via 09a311c selftest: add dbcheck tests for duplicate links via ece46f7 dbcheck: detect and fix duplicate links via c1860d1 dbcheck: only calculate linked attribute helper variables once in check_dn() via 7b67da4 dbcheck: remove indentation level via 27cdadf dsdb:extended_dn_store: implement DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS control via aafcb73 dsdb:repl_meta_data: implement DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS control via f0920ea s4:dsdb: allocate DSDB_CONTROL_DBCHECK_FIX_DUPLICATE_LINKS oid via 67270b3 s4:schema_samba4: mark DSDB_CONTROL_INVALID_NOT_IMPLEMENTED 1.3.6.1.4.1.7165.4.3.32 as allocated via ee05047 selftest: Additional check for a backlink pointing at a deleted object via df23dc8 selftest: Split out creation of complex (often invalid) links via 505936a selftest: Split out dbcheck runs from dangling_multi_valued test via 74688a2 selftest: add more dbcheck tests via 68bf275 dbcheck: Use the GUID as the DN to fix replPropertyMetaData via b7c9edb dbcheck: Clarify error count bumping in deleted/gone DN handling via ed4189f selftest: sort dbcheck output to avoid sort order impacting results via 45911b0 dbcheck: Allow removal of one-way links to missing objects via e90e3d7 systemd: Start processes in forground and without a process group from fe6da67 libnet_join: fix "net rpc oldjoin" https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 00dfe4cf9818abdc50da034fd931e29bc871b10c Author: Andrej Gessel Date: Thu Oct 19 17:16:37 2017 +0200 repl_meta_data: Fix removing of backlink on deleted objects USER is memberOf GROUP and they both were deleted on W2K8R2 AD. Domain join ends with error below. Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:421 8: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1 179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=samdom,DC=intern: dsdb_module_ search_dn: did not find base dn CN=GROUP\0ADEL:030d0be1-3ada-4b93-8371-927f2092 3116,CN=Deleted Objects,DC=samdom,DC=intern (0 results): Operations error Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13120 Signed-off-by: Andrej Gessel Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 40bd7e145a68c9a58d6bc3c5526a12fdf0027729) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Nov 29 13:43:37 CET 2017 on sn-devel-144 commit f2c47544dc8fd42680b1f90bc962e57fe915de45 Author: Andrew Bartlett Date: Wed Nov 1 08:22:22 2017 +1300 repl_meta_data: Allow delete of an object with dangling backlinks This should not happen, but stopping all replication because of it is a pain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Nov 24 19:53:50 CET 2017 on sn-devel-144 (cherry picked from commit 6cf7abbcfdad84fee57852862ebe44aa6115ca25) commit fe3ae81cd9a5cf263da9cb373d07ebad4541727b Author: Andrew Bartlett Date: Wed Nov 1 09:02:01 2017 +1300 selftest: Add more corruption cases for runtime and dbcheck These tests now confirm we can handle these issues at runtime as well as at dbcheck Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 4815efc0e3f89079e7c9b868b7514ea7c49a807c) commit 09a311caa602265b18067d8cd155e91f33918b1a Author: Stefan Metzmacher Date: Thu Oct 26 14:42:23 2017 +0200 selftest: add dbcheck tests for duplicate links BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095 Pair-Programmed-With: Andrew Bartlett Signed-off-by: Stefan Metzmacher Signed-off-by: Andrew Bartlett (cherry picked from commit 70bf809e0cdf84029022ca95fb83d17a0d6e36c0) commit ece46f7278ed2633167d01f483cdb44858d0dd51 Author: Stefan Metzmacher Date: Fri Oct 27 10:21:26 2017 +0200 dbcheck: detect and fix duplicate links Check with git show -w BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 239fbeb163c24b0f08e1bd9d8f7a9f73443d4b90) commit c1860d169cb60a1d4e40800ad6e87e81fa24fcac Author: Stefa
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via fe6da67 libnet_join: fix "net rpc oldjoin" via 72e69f5 s3:selftest: add samba3.blackbox.net_rpc_oldjoin test from 3ef93ab vfs_glusterfs: include glusterfs/api/glfs.h without relying on -I options https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit fe6da6730b5a7bc43fe8a060f00571cad783ee15 Author: Stefan Metzmacher Date: Thu Nov 16 21:09:20 2017 + libnet_join: fix "net rpc oldjoin" We need to open the ncacn_np (smb) transport connection with anonymous credentials. In order to do netr_ServerPasswordSet*() we need to establish a 2nd netlogon connection using dcerpc schannel authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (similar to commit d27f38d35bf111a5c0a898a5ef8b7dd0b320da0d) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Nov 28 14:47:32 CET 2017 on sn-devel-144 commit 72e69f597fa7a16434de817903ee896128baeff1 Author: Stefan Metzmacher Date: Fri Nov 17 15:51:36 2017 +0100 s3:selftest: add samba3.blackbox.net_rpc_oldjoin test This demonstrates that "net rpc oldjoin" is currently broken. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13149 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison (cherry picked from commit 9466796c87cc4ca8d32da553421cd8ecef1bb8e4) --- Summary of changes: source3/libnet/libnet_join.c | 94 +--- source3/script/tests/test_net_rpc_oldjoin.sh | 32 ++ source3/selftest/tests.py| 4 ++ 3 files changed, 108 insertions(+), 22 deletions(-) create mode 100755 source3/script/tests/test_net_rpc_oldjoin.sh Changeset truncated at 500 lines: diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 591c177..903c93b 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1044,12 +1044,23 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, NTSTATUS status, result; union lsa_PolicyInformation *info = NULL; struct dcerpc_binding_handle *b; + const char *account = r->in.admin_account; + const char *domain = r->in.admin_domain; + const char *password = r->in.admin_password; + bool use_kerberos = r->in.use_kerberos; + + if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) { + account = ""; + domain = ""; + password = NULL; + use_kerberos = false; + } status = libnet_join_connect_dc_ipc(r->in.dc_name, - r->in.admin_account, - r->in.admin_domain, - r->in.admin_password, - r->in.use_kerberos, + account, + domain, + password, + use_kerberos, cli); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -1121,16 +1132,19 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, struct cli_state *cli) { TALLOC_CTX *frame = talloc_stackframe(); - struct rpc_pipe_client *netlogon_pipe = NULL; + struct rpc_pipe_client *authenticate_pipe = NULL; + struct rpc_pipe_client *passwordset_pipe = NULL; struct netlogon_creds_cli_context *netlogon_creds = NULL; - struct samr_Password current_nt_hash; + struct cli_credentials *cli_creds = NULL; + struct netlogon_creds_CredentialState *creds = NULL; + uint32_t netlogon_flags = 0; size_t len = 0; bool ok; DATA_BLOB new_trust_blob = data_blob_null; NTSTATUS status; status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon, - &netlogon_pipe); + &authenticate_pipe); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; @@ -1148,31 +1162,67 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, } } + cli_creds = cli_credentials_init(talloc_tos()); + if (cli_creds == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + cli_credentials_set_username(cli_creds, r->out.account_name, +CRED_SPECIFIED); + cli_credentials_s
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 3ef93ab vfs_glusterfs: include glusterfs/api/glfs.h without relying on -I options from 710c2ad ctdb-common: Call missing tevent_wakeup_recv() in sock_daemon https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 3ef93aba153fc262ca093e6440457fbc170e50ce Author: Niels de Vos Date: Tue Oct 31 15:52:49 2017 +0100 vfs_glusterfs: include glusterfs/api/glfs.h without relying on -I options BUG: https://bugzilla.samba.org/show_bug.cgi?id=13125 The glfs.h header file has always resided under glusterfs/api/ in the standard include directory. The glusterfs-api.pc file adds the unneeded -I${includedir}/glusterfs compiler option. This option will be removed from future versions of the pkg-config file. This change can safely be backported to older versions if there is a need to have them build against glusterfs-3.13 or newer. URL: https://review.gluster.org/18576 CC: Andrea Bolognani Signed-off-by: Niels de Vos Reviewed-by: Andreas Schneider Reviewed-by: Guenther Deschner Autobuild-User(master): Günther Deschner Autobuild-Date(master): Thu Nov 9 22:37:30 CET 2017 on sn-devel-144 (cherry picked from commit 732ba3c84a2d40040550ea36b0478dd6af9a173a) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Nov 24 16:23:43 CET 2017 on sn-devel-144 --- Summary of changes: source3/modules/vfs_glusterfs.c | 2 +- source3/wscript | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c index 32074cb..55a9467 100644 --- a/source3/modules/vfs_glusterfs.c +++ b/source3/modules/vfs_glusterfs.c @@ -38,7 +38,7 @@ #include "includes.h" #include "smbd/smbd.h" #include -#include "api/glfs.h" +#include #include "lib/util/dlinklist.h" #include "lib/util/tevent_unix.h" #include "smbd/globals.h" diff --git a/source3/wscript b/source3/wscript index 8fa51fb..f3b6d33 100644 --- a/source3/wscript +++ b/source3/wscript @@ -1588,10 +1588,10 @@ main() { if Options.options.with_glusterfs: conf.CHECK_CFG(package='glusterfs-api', args='"glusterfs-api >= 4" --cflags --libs', msg='Checking for glusterfs-api >= 4', uselib_store="GFAPI") -conf.CHECK_HEADERS('api/glfs.h', lib='gfapi') +conf.CHECK_HEADERS('glusterfs/api/glfs.h', lib='gfapi') conf.CHECK_LIB('gfapi', shlib=True) -if conf.CONFIG_SET('HAVE_API_GLFS_H'): +if conf.CONFIG_SET('HAVE_GLUSTERFS_API_GLFS_H'): if Options.options.with_acl_support: conf.DEFINE('HAVE_GLUSTERFS', '1') else: -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 710c2ad ctdb-common: Call missing tevent_wakeup_recv() in sock_daemon via e4cce45 ctdb-daemon: Allocate deferred calls off calling context via f398a79 winbind: Remove winbind_messaging_context via bbe5614 winbind: winbind_messaging_context -> server_messaging_context via 3aaa48c winbind: Remove winbind_event_context via f6a9d34 winbind: Replace winbind_event_context with server_event_context via 58e728a s3: smbclient: tests: Test "volume" command over SMB1 and SMB2+. via ea297d6 s3: smbclient: Implement "volume" command over SMB2. from cb6ec4d VERSION: Bump version up to 4.7.4... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 710c2ade8c2c30d4e86b0343f16ceec7c1d28b15 Author: Amitay Isaacs Date: Fri Nov 10 12:18:01 2017 +1100 ctdb-common: Call missing tevent_wakeup_recv() in sock_daemon https://bugzilla.samba.org/show_bug.cgi?id=13153 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 49308f7f22f3d6fa05cc81fdef3db020e503fa9f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Nov 22 16:57:01 CET 2017 on sn-devel-144 commit e4cce452e7dc1629e3680b14ab1dbdecd887f08e Author: Amitay Isaacs Date: Thu Oct 19 14:58:18 2017 +1100 ctdb-daemon: Allocate deferred calls off calling context BUG: https://bugzilla.samba.org/show_bug.cgi?id=13152 This makes sure that if a client disconnects, all the deferred calls from the client are correctly freed. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 848f2425984667c243ccac847b8f48a66ce10178) commit f398a79dedc477fcce4848bb56bca4a504c0452f Author: Volker Lendecke Date: Fri Nov 17 11:47:37 2017 +0100 winbind: Remove winbind_messaging_context BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Nov 18 04:07:24 CET 2017 on sn-devel-144 (cherry picked from commit 050ca45dc7fc5bbab6e1c60b919ac0b1e9661e27) commit bbe5614e312109834a61a1c2f9f1ad501b351900 Author: Volker Lendecke Date: Fri Nov 17 11:42:34 2017 +0100 winbind: winbind_messaging_context -> server_messaging_context Don't use winbind_messaging_context anymore. This fixes a bug analysed by Peter Somogyi : If a parent winbind forks, it only called reinit_after_fork on winbind_messaging_context. On the other hand, deep in dbwrap_open we use server_messaging_context(). This is not reinitialized by winbind_reinit_after fork, so the parent and child share a ctdb connection. This is invalid, because replies from ctdb end up in the wrong process. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit d8a01d09c13728f36107f6eb94ecb7653706a4db) commit 3aaa48c8c3f702fb9a72df967ae231f409d5c3cf Author: Volker Lendecke Date: Fri Nov 17 11:37:30 2017 +0100 winbind: Remove winbind_event_context BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit e1f12acc13a3cc004518ac3460c6000ea0b95115) commit f6a9d3485c590bb4629b27946a2e97f667bc7c6e Author: Volker Lendecke Date: Fri Nov 17 11:35:19 2017 +0100 winbind: Replace winbind_event_context with server_event_context There's no point in having two global event contexts BUG: https://bugzilla.samba.org/show_bug.cgi?id=13150 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry picked from commit 7e83d1489406cd53d72097e40bf02295c88ea61e) commit 58e728ac7bbc2702c0c76f073215a92bd8685b7f Author: Jeremy Allison Date: Tue Nov 14 15:54:19 2017 -0800 s3: smbclient: tests: Test "volume" command over SMB1 and SMB2+. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13140 Signed-off-by: Jeremy Allison Reviewed-by: Andreas Schneider Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Nov 15 19:50:54 CET 2017 on sn-devel-144 (cherry picked from commit f8cd211acc3824e01d89a6f8bc39aa5cd54e) commit ea297d6bce7f0eb3a77008807d7236251deb7ca4 Author: Jeremy Allison Date: Tue Nov 14 15:42:14 2017 -0800 s3: smbclient: Implement "volume" command over SMB2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13140 Signed-off-by: Jeremy Allison Reviewed-by: Andreas Schneider (cherry picked from commit aaa52ab7b5ae711b80e3967ab1ecc91888c346f6) --
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via cb6ec4d VERSION: Bump version up to 4.7.4... via 641af30 Merge tag 'samba-4.7.3' into v4-7-test via d0b59a5 VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release. via 6dc9b5f WHATSNEW: Add release notes for Samba 4.7.3. via 8c08a4e s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via 7e17418 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 from 7b28a97 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit cb6ec4d50ebc5eb89ef6cff3c4d8f887d329da1b Author: Karolin Seeger Date: Wed Nov 22 09:08:06 2017 +0100 VERSION: Bump version up to 4.7.4... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 641af304b9d1d55951376a57b41d8396658714e4 Merge: 7b28a97 d0b59a5 Author: Karolin Seeger Date: Wed Nov 22 09:07:45 2017 +0100 Merge tag 'samba-4.7.3' into v4-7-test samba: tag release samba-4.7.3 --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 -- source3/smbd/process.c | 7 +++-- source3/smbd/reply.c | 5 source3/smbd/srvstr.c | 14 ++ 5 files changed, 97 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 0ba31a3..6be993b 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8074a83..4e403ae 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,75 @@ = + Release Notes for Samba 4.7.3 + November 21, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +=== +Details +=== + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.7.2: + + +o Jeremy Allison + * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. + * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized + memory when talloc buffer is grown. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.7.2 November 15, 2017 = @@ -51,8 +122,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 7b28a97 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls. via 6f18428 libsmbclient: Allow server (NetApp) to return STATUS_INVALID_PARAMETER from an echo. from 70d7a5c VERSION: Bump version up to 4.7.3... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 7b28a97a7f5125022d784f0f633ad17f79843535 Author: Jeremy Allison Date: Tue Nov 14 13:52:03 2017 -0800 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138 Signed-off-by: Jeremy Allison Reviewed-by: Andreas Schneider (cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Nov 20 17:19:21 CET 2017 on sn-devel-144 commit 6f184288eb2d3eab0dfe6f50bce3b6b51496e437 Author: Jeremy Allison Date: Fri Sep 8 16:20:34 2017 -0700 libsmbclient: Allow server (NetApp) to return STATUS_INVALID_PARAMETER from an echo. It does this if we send a session ID of zero. The server still replied. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007 Signed-off-by: Jeremy Allison Reviewed-by: Andreas Schneider Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144 (cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142) --- Summary of changes: source3/client/client.c| 8 +++- source3/libsmb/cli_smb2_fnum.c | 97 ++ source3/libsmb/cli_smb2_fnum.h | 6 +++ source3/libsmb/clifsinfo.c | 9 source3/libsmb/libsmb_server.c | 11 - 5 files changed, 129 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/client/client.c b/source3/client/client.c index b4a6c7d..9c57375 100644 --- a/source3/client/client.c +++ b/source3/client/client.c @@ -5900,7 +5900,13 @@ static void readline_callback(void) /* Ping the server to keep the connection alive using SMBecho. */ memset(garbage, 0xf0, sizeof(garbage)); status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage))); - if (NT_STATUS_IS_OK(status)) { + if (NT_STATUS_IS_OK(status) || + NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + /* +* Even if server returns NT_STATUS_INVALID_PARAMETER +* it still responded. +* BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007 +*/ return; } diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c index a478c41..89cb1f4 100644 --- a/source3/libsmb/cli_smb2_fnum.c +++ b/source3/libsmb/cli_smb2_fnum.c @@ -1993,6 +1993,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path, } /*** + Wrapper that allows SMB2 to query file system sizes. + Synchronous only. +***/ + +NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli, + uint64_t *total_allocation_units, + uint64_t *caller_allocation_units, + uint64_t *actual_allocation_units, + uint64_t *sectors_per_allocation_unit, + uint64_t *bytes_per_sector) +{ + NTSTATUS status; + uint16_t fnum = 0x; + DATA_BLOB outbuf = data_blob_null; + struct smb2_hnd *ph = NULL; + TALLOC_CTX *frame = talloc_stackframe(); + + if (smbXcli_conn_has_async_calls(cli->conn)) { + /* +* Can't use sync call while an async call is in flight +*/ + status = NT_STATUS_INVALID_PARAMETER; + goto fail; + } + + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) { + status = NT_STATUS_INVALID_PARAMETER; + goto fail; + } + + /* First open the top level directory. */ + status = + cli_smb2_create_fnum(cli, "", 0, /* create_flags */ +FILE_READ_ATTRIBUTES, /* desired_access */ +FILE_ATTRIBUTE_DIRECTORY, /* file attributes */ +FILE_SHARE_READ | FILE_SHARE_WRITE | +FILE_SHARE_DELETE, /* share_access */ +FILE_OPEN, /* create_disposition */ +FILE_DIRECTORY_FILE, /* create_options */ +&fnum, +NULL); +
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 70d7a5c VERSION: Bump version up to 4.7.3... via c5bb8ef VERSION: Disable GIT_SNAPSHOT for the 4.7.2 release. via 53b7208 WHATSNEW: Add release notes for Samba 4.7.2. from d7a0721 s4: torture: kernel oplocks. Add smb2.kernel-oplocks.kernel_oplocks8 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 70d7a5c8dc5f73649440a9f50910d532e2eb2a34 Author: Karolin Seeger Date: Tue Nov 14 13:24:15 2017 +0100 VERSION: Bump version up to 4.7.3... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit c5bb8ef9e793bb7cd82f8d53786f2c5daa431470 Author: Karolin Seeger Date: Tue Nov 14 13:23:27 2017 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.7.2 release. Signed-off-by: Karolin Seeger commit 53b7208fd6814cd7a973f11663e7a1c83283411e Author: Karolin Seeger Date: Tue Nov 14 13:22:52 2017 +0100 WHATSNEW: Add release notes for Samba 4.7.2. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 60 ++-- 2 files changed, 59 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 0411083..0ba31a3 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6de5de8..8074a83 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,60 @@ = + Release Notes for Samba 4.7.2 + November 15, 2017 + = + + +This is an additional bugfix release to address a possible data corruption +issue. Please update immediately! For details, please see + + https://bugzilla.samba.org/show_bug.cgi?id=13130 + +Samba 4.6.0 and newer is affected by this issue. + + +Changes since 4.7.1: + + +o Jeremy Allison + * BUG 13121: Non-smbd processes using kernel oplocks can hang smbd. + +o Joe Guo + * BUG 13127: python: use communicate to fix Popen deadlock. + +o Volker Lendecke + * BUG 13130: smbd on disk file corruption bug under heavy threaded load. + +o Stefan Metzmacher + * BUG 13130: tevent: version 0.9.34. + +o Ralph Wuerthner + * BUG 13118: s3: smbd: Fix delete-on-close after smb2_find. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.7.1 November 02, 2017 = @@ -106,8 +162,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- + = Release Notes for Samba 4.7.0 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d7a0721 s4: torture: kernel oplocks. Add smb2.kernel-oplocks.kernel_oplocks8 via 6e276ca s3: smbd: kernel oplocks. Replace retry_open() with setup_kernel_oplock_poll_open(). via 510b11d python: use communicate to fix Popen deadlock via f1fe68f blackbox tests: method to check specific exit codes via e45ab18 tevent: version 0.9.34 via cbd lib: tevent: Remove select backend. from 5ec68b2 tevent: Fix a race condition https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d7a07213e478e1c30d153c7061eb8ae72dcb75c9 Author: Jeremy Allison Date: Thu Nov 9 09:59:23 2017 -0800 s4: torture: kernel oplocks. Add smb2.kernel-oplocks.kernel_oplocks8 Test if the server blocks whilst waiting on a kernel lease held by a non-smbd process. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13121 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Sat Nov 11 20:12:26 CET 2017 on sn-devel-144 (cherry picked from commit ad82557e1355107920ae80fd6a0df0f16d1bdb6c) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Nov 14 16:59:15 CET 2017 on sn-devel-144 commit 6e276cab469da33a4499feca62858451bac63494 Author: Jeremy Allison Date: Thu Nov 9 12:48:15 2017 -0800 s3: smbd: kernel oplocks. Replace retry_open() with setup_kernel_oplock_poll_open(). If a O_NONBLOCK open fails with EWOULDBLOCK, this code changes smbd to do a retry open every second, until either the timeout or we get a successful open. If we're opening a file that has a kernel lease set by a non-smbd process, this is the best we can do. Prior to this, smbd would block on the second open on such a leased file (not using O_NONBLOCK) which freezes active clients. Regression test to follow. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13121 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 47c13fc10a2c9709e9511b2ffcf0e1004497887d) commit 510b11d0b675f91cd3cad4ea422538d197bbf6f1 Author: Joe Guo Date: Fri Sep 15 16:13:26 2017 +1200 python: use communicate to fix Popen deadlock `Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the child process generates large output to a pipe such that it blocks waiting for the OS pipe buffer to accept more data. Use communicate() to avoid that. Signed-off-by: Joe Guo Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13127 (cherry picked from commit 5dc773a5b00834c7a53130a73a48f49048bd55e8) commit f1fe68f724022aa89d8a6c1aeb991257e0a047be Author: Gary Lockyer Date: Wed Aug 16 13:52:25 2017 +1200 blackbox tests: method to check specific exit codes Signed-off-by: Gary Lockyer Reviewed-by: Douglas Bagnall Reviewed-by: Garming Sam (cherry picked from commit 74ebcf6dfc84b6aab6838fa99e12808eb6b913d9) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13127 commit e45ab18baeb665b5ec5a82adda288c92c731f11e Author: Stefan Metzmacher Date: Mon Nov 13 11:05:04 2017 +0100 tevent: version 0.9.34 * Remove unused select backend * Fix a race condition in tevent_threaded_schedule_immediate() (bug #13130) Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Nov 13 18:02:46 CET 2017 on sn-devel-144 (cherry picked from commit 2e573eead96b2e98dd8a15c9c8e470679e530392) commit cbd6024ee4208cd7c5356f4c3fb68b8476b8 Author: Jeremy Allison Date: Tue Sep 12 12:08:38 2017 -0700 lib: tevent: Remove select backend. select() is no longer useful on modern systems. Signed-off-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Sat Sep 16 08:35:39 CEST 2017 on sn-devel-144 (cherry picked from commit 2a003b1a576dcbbba0d60bae90427776a5c27867) --- Summary of changes: .../ABI/{tevent-0.9.31.sigs => tevent-0.9.34.sigs} | 0 lib/tevent/tevent.c| 1 - lib/tevent/tevent_internal.h | 1 - lib/tevent/tevent_select.c | 280 - lib/tevent/wscript | 4 +- python/samba/tests/__init__.py | 25 +- source3/selftest/tests.py | 4 +- source3/smbd/open.c
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 5ec68b2 tevent: Fix a race condition via d41af5d s4: torture: Add smb2 FIND_and_set_DOC test case. via 007e8fe s3: smbd: Fix delete-on-close after smb2_find via aebe7a4 s4: torture: kernel_oplocks. Create a regression test case for bug #13058. via 0b0d248 Revert "s3/smbd: fix deferred open with streams and kernel oplocks" from 2505c6c VERSION: Bump version up to 4.7.2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 5ec68b2e44e5c0c4e6fae362c7e36ad99124faa8 Author: Volker Lendecke Date: Fri Nov 10 21:22:26 2017 +0100 tevent: Fix a race condition We can't rely on tctx to exist after we unlocked the mutex. It took a while, but this does lead to data corruption. If *tctx is replaced with something where tctx->wakeup_fd points to a real, existing file descriptor, we're screwed. And by screwed, this means file corruption on disk. Again. I am not tall enough for this business. http://bholley.net/blog/2015/must-be-this-tall-to-write-multi-threaded-code.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13130 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Nov 11 03:20:09 CET 2017 on sn-devel-144 (cherry picked from commit 20cfcb7dbc5dd099384b76a76e3d35cf627100b6) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Nov 13 13:54:56 CET 2017 on sn-devel-144 commit d41af5d03dd7f8375e1295001d920007c113143c Author: Ralph Wuerthner Date: Fri Oct 27 14:59:32 2017 +0200 s4: torture: Add smb2 FIND_and_set_DOC test case. Regression tests doing an SMB2_find followed by a set delete on close and then close on a directory. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118 Signed-off-by: Ralph Wuerthner Reviewed-by: Jeremy Allison Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Sun Nov 5 12:31:12 CET 2017 on sn-devel-144 (cherry picked from commit 44c018bdcc2d81aaf667d11c0c8fae209419ddd7) commit 007e8fe6a148217c91beb43cfe6865dd620802ff Author: Ralph Wuerthner Date: Fri Nov 3 22:33:28 2017 + s3: smbd: Fix delete-on-close after smb2_find Both dptr_create() and can_delete_directory_fsp() are calling OpenDir_fsp() to get a directory handle. This causes an issue when delete-on-close is set after smb2_find because both directory handle instances share the same underlying file descriptor. In addition the SMB_ASSERT() in destructor smb_Dir_destructor() gets triggered. To avoid this use OpenDir() instead of OpenDir_fsp(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13118 Signed-off-by: Ralph Wuerthner Reviewed-by: Jeremy Allison Reviewed-by: Volker Lendecke (cherry picked from commit c9e996d78df3ce326a5c13f8f4f1426918769ceb) commit aebe7a4974e71d449950ccde840128161205df3f Author: Jeremy Allison Date: Fri Nov 3 12:02:17 2017 -0700 s4: torture: kernel_oplocks. Create a regression test case for bug #13058. It implements the following test case: 1. client of smbd-1 opens the file and sets the oplock. 2. client of smbd-2 tries to open the file. open() fails(EAGAIN) and open is deferred. 3. client of smbd-1 sends oplock break request to the client. 4. client of smbd-1 closes the file. 5. client of smbd-1 opens the file and sets the oplock. 6. client of smbd-2 calls defer_open_done(), sees that the file lease was not changed and does not reschedule open. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13058 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Böhme (cherry picked from commit 15597a95ecd2d1c2b7edce4942d489c95796951f) commit 0b0d2485ea55e324577b01a880286183e14b2dac Author: Jeremy Allison Date: Fri Nov 3 21:47:01 2017 + Revert "s3/smbd: fix deferred open with streams and kernel oplocks" This reverts commit b35a296a27a0807c780f2a9e7af2f2e93feefaa8. This was the cause of BUG: https://bugzilla.samba.org/show_bug.cgi?id=13058 1. client of smbd-1 opens the file and sets the oplock. 2. client of smbd-2 tries to open the file. open() fails(EAGAIN) and open is deferred. 3. client of smbd-1 sends oplock break request to the client. 4. client of smbd-1 closes the file. 5. client of smbd-1 opens the file and sets the oplock. 6. client of smbd-2 calls defer_open_done(), sees that the file lease was not changed and does not reschedule open. and is no longer needed now vfs_streams_xattr.c no longer opens the base file internally. Signed-o
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 2505c6c VERSION: Bump version up to 4.7.2... via b174cb5 VERSION: Disable GIT_SNAPSHOTS for the Samba 4.7.1 release. via e36b55c WHATSNEW: Add release notes for Samba 4.7.1. from 3c45cc8 s4:pyparam: Fix resource leaks on error https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 2505c6c4071f142571bde5809504e8665837d412 Author: Karolin Seeger Date: Thu Nov 2 12:36:25 2017 +0100 VERSION: Bump version up to 4.7.2... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger commit b174cb515385afc81e591a4b42d2bef1a2244c03 Author: Karolin Seeger Date: Thu Nov 2 12:35:19 2017 +0100 VERSION: Disable GIT_SNAPSHOTS for the Samba 4.7.1 release. Signed-off-by: Karolin Seeger commit e36b55c7ec27e2a9ee16c80123f452b79f83ca77 Author: Karolin Seeger Date: Thu Nov 2 12:34:42 2017 +0100 WHATSNEW: Add release notes for Samba 4.7.1. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 111 +++ 2 files changed, 112 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index e927ea0..0411083 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=1 +SAMBA_VERSION_RELEASE=2 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 09c7be6..6de5de8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,115 @@ = + Release Notes for Samba 4.7.1 + November 02, 2017 + = + + +This is the latest stable release of the Samba 4.7 release series. + + +Changes since 4.7.0: + + +o Michael Adam + * BUG 13091: vfs_glusterfs: Fix exporting subdirs with shadow_copy2. + +o Jeremy Allison + * BUG 13027: s3: smbd: Currently if getwd() fails after a chdir(), we panic. + * BUG 13068: s3: VFS: Ensure default SMB_VFS_GETWD() call can't return a + partially completed struct smb_filename. + * BUG 13069: sys_getwd() can leak memory or possibly return the wrong errno + on older systems. + * BUG 13093: 'smbclient' doesn't correctly canonicalize all local names + before use. + +o Douglas Bagnall + * BUG 13095: Fix broken linked attribute handling. + +o Andrew Bartlett + * BUG 12994: Missing LDAP query escapes in DNS rpc server. + * BUG 13087: replace: Link to -lbsd when building replace.c by hand. + +o Ralph Boehme + * BUG 6133: Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem. + * BUG 7909: Map SYNCHRONIZE acl permission statically in zfs_acl vfs module. + * BUG 7933: Samba fails to honor SEC_STD_WRITE_OWNER bit with the + acl_xattr module. + * BUG 12991: s3/mdssvc: Missing assignment in sl_pack_float. + * BUG 12995: Wrong Samba access checks when changing DOS attributes. + * BUG 13062: samba_runcmd_send() leaves zombie processes on timeout + * BUG 13065: net: groupmap cleanup should not delete BUILTIN mappings. + * BUG 13076: Enabling vfs_fruit results in loss of Finder tags and other + xattrs. + +o Alexander Bokovoy + * BUG 9613: man pages: Properly ident lists. + * BUG 13081: smb.conf.5: Sort parameters alphabetically. + +o Samuel Cabrero + * BUG 12993: s3: spoolss: Fix GUID string format on GetPrinter info. + +o Amitay Isaacs + * BUG 13042: Remote serverid check doesn't check for the unique id. + * BUG 13056: CTDB starts consuming memory if there are dead nodes in the + cluster. + * BUG 13070: ctdb-common: Ignore event scripts with multiple '.'s. + +o Lutz Justen + * BUG 13046: libgpo doesn't sort the GPOs in the correct order. + +o Volker Lendecke + * BUG 13042: Remote serverid check doesn't check for the unique id. + * BUG 13090: vfs_catia: Fix a potential memleak. + * BUG 12903: Fix file change notification for renames. + +o Gary Lockyer + * BUG 12952: Samba DNS server does not honour wildcards. + +o Stefan Metzmacher + * BUG 13079: Can't change password in samba from a Windows client if Samba + runs on IPv6 only interface. + +o Anoop C S + * BUG 13086: vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR. + +o Christof Schmitt + * BUG 13047: Apple client can't cope with SMB2 async replies when creating + symlinks. + +o Andreas Schneider + * BUG 12959: s4:rpc_server:backupkey: Move variable into scope. + * BUG 13099: s4:scripting: Fix ntstatus_gen.h generation on 32bit. + * BUG 13100: s3:vfs_glusterfs: Fi
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 3c45cc8 s4:pyparam: Fix resource leaks on error via 81047d0 s3:modules: Check correct variable for NULL in posixacl_xattr via bdbbc80 s3:passdb: Make sure the salt is fully initialized before passing via e4a4a43 s3:secrets: Do not leak memory of pw and old_pw via bd6e153 s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd() via 8bb2f28 s4:scripting: Fix ntstatus_gen.h generation on 32bit via 8875241 ctdb-tests: Process-exists unit tests should wait until PID is registered via 020afdc ctdb-tests: Wait for fake_ctdbd to start, fail if it doesn't via 418c5c5 ctdb-tests: Skip starting fake_ctdbd when current node is disconnected via 4dc2604 ctdb-tests: Wait for ctdb_eventd to start, fail if it doesn't via a3b2963 ctdb-tests: Allow wait_until() to be used in unit tests via ab7d073 replmd: check for duplicate values in MOD_REPLACE case via 1167d46 linked attribute tests: test against duplicates in replace via 3379b70 s3: smbclient: Test we can rename with a name containing. via 5e86ee4 s3: smbclient: Ensure we call client_clean_name() before all operations on remote pathnames. via f3f306c s3: client: Add new utility function client_clean_name(). via 5e1abab vfs_glusterfs: Fix exporting subdirs with shadow_copy2 via 9a5761b replace: Link to -lbsd when building replace.c by hand via 62e9e06 vfs_fruit: Replace closedir() by SMB_VFS_CLOSEDIR via 7963780 selftest: Also run smbtorture smb2.compound with aio enabled via d9723a2 torture: Add testcase for compound CREATE-WRITE-CLOSE request via f66d6cc smbd/aio: Do not go async for SMB2 compound requests via c1dbeb2 smbd: Move check for SMB2 compound request to new function from eec0b43 vfs_catia: Fix a potential memleak https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 3c45cc8a3abe2fcd7986a9db93bd83773640c864 Author: Andreas Schneider Date: Wed Oct 25 19:25:20 2017 +0200 s4:pyparam: Fix resource leaks on error BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit e56626e864492831a3dbbca2d4fb8f3281547a90) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Nov 1 14:59:46 CET 2017 on sn-devel-144 commit 81047d00c909caec4211b60c8dd3a4c2e1118f49 Author: Andreas Schneider Date: Wed Oct 25 19:55:32 2017 +0200 s3:modules: Check correct variable for NULL in posixacl_xattr BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Oct 27 04:54:22 CEST 2017 on sn-devel-144 (cherry picked from commit 327190893f5f3352a2e6abc4872b54092ee7de68) commit bdbbc80a2c54724f4b31a7a1e0d95d04fa42e88c Author: Andreas Schneider Date: Wed Oct 25 19:50:57 2017 +0200 s3:passdb: Make sure the salt is fully initialized before passing Otherwise the magic member is not initialized. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit 5274beba4cf722a34403dc07bf287815a6df6281) commit e4a4a4368200ad720859c5cd33eb173a33d5c078 Author: Andreas Schneider Date: Wed Oct 25 19:30:28 2017 +0200 s3:secrets: Do not leak memory of pw and old_pw BUG: https://bugzilla.samba.org/show_bug.cgi?id=13101 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit d6a418c13f0a41851ecc0579765502e076a5cd3b) commit bd6e153f34efe86d2b5f63459254b65f7c863c3d Author: Andreas Schneider Date: Wed Oct 25 19:39:34 2017 +0200 s3:vfs_glusterfs: Fix a double free in vfs_gluster_getwd() Found by cppcheck. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13100 Signed-off-by: Andreas Schneider Reviewed-by: Jeremy Allison (cherry picked from commit 16389bed0773952ca563b7bf1fecc2a737587257) commit 8bb2f283dfb60189a0e0a44e572f463f76a56f6d Author: Andreas Schneider Date: Wed Oct 25 17:37:24 2017 +0200 s4:scripting: Fix ntstatus_gen.h generation on 32bit The hex() function results in different output on 32bit systems. It adds a L for long for some numbers. Thus we have a different header file. This patch makes sure we have a consistent file generation on different paltforms. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13099 Signed-off-by: Andreas Schneider Reviewed-by: David Disseldorp Autobuild-User(master): David Disseldorp Autobuild-Date(master): Wed Oct 25 2
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via eec0b43 vfs_catia: Fix a potential memleak via d179770 vfs_catia: Fix a memory leak via 43088b1 smb.conf.5: sort parameters alphabetically via 38d6051 krb5_wrap: ADDRTYPE_INET6 is available in all supported MIT versions via 64db83b krb5_wrap: KRB5_ADDRESS_INET6 is not a define in Heimdal via 779a5a9 s4/torture: vfs_fruit: test xattr unpacking via 4942194 s4/torture: vfs_fruit: replace AppleDouble data blob with xattr data via 76bd6dc vfs_fruit: on-access conversion of AppleDouble xattr data via 3a6ee04 vfs_fruit: static string fruit_catia_maps via d076049 vfs_fruit: pass smb_fname to ad_convert via 266a416 vfs_fruit: unpack AppleDouble xattr header if present via 0a62033 vfs_fruit: allocate ad_data buffer up to AD_XATTR_MAX_HDR_SIZE bytes via a0acb0f vfs_fruit: add AppleDouble xattr structure definitions via 9245b3f vfs_fruit: fix ftruncating resource fork via e433622 vfs_catia: factor out mapping functions via cc2f7d6 ctdb-tests: Add tests for event scripts with multiple '.'s via fbac803 ctdb-common: Ignore event scripts with multiple '.'s via 7d36ecb s3: VFS: Protect errno if sys_getwd() fails across free() call. via 6b1971f s3: VFS: Ensure sys_getwd() doesn't leak memory on error on really old systems. via e507bcd s3: VFS: Ensure default SMB_VFS_GETWD() call can't return a partially completed struct smb_filename. via 7070cfb net: groupmap cleanup should not delete BUILTIN mappings via 61dcee4 ctdb-common: Do not queue a packet if queue does not have valid fd via 433132e ctdb-tests: Send broadcast to connected nodes, not configured nodes via 6676099 ctdb-daemon: Send broadcast to connected nodes, not configured nodes via 7689bdd vfs_solarisacl: fix build for samba 4.7 and up via 7015e55 lib: gpo: Put enforced GPOs at the end of the list. via 953d05b lib: gpo: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE. via 3e7a1d1 lib: gpo: Changes order to match GPO application order. via 9501b00 lib: Use CTDB_CONTROL_CHECK_PID_SRVID via 660a4cc lib: Add "unique_id" to ctdbd_process_exists via f1da343 ctdb-tests: Add tests for client with multiple connections via 8455844 ctdb-tests: Add support for multiple ctdb connections in dummy_client via f007f3c ctdb-tests: Check all connections from a process in CHECK_PID_SRVID control via 3893a71 ctdb-daemon: Check all connections from a process in CHECK_PID_SRVID control via 4c833aa ctdb-tests: Add tests for PID with srvid via c3b6860 ctdb-tests: Implement control CHECK_PID_SRVID in fake daemon via a93d844 ctdb-tests: Reimplement message handlers using srvid abstraction via 00fafb1 ctdb-tool: Update process-exists command to pass optional srvid via ac799fb ctdb-client: Add client code for control CHECK_PID_SRVID via be97d96 ctdb-daemon: Add implementation of control CHECK_PID_SRVID via 655c67f ctdb-protocol: Add marshalling for control CHECK_PID_SRVID via cce9800 ctdb-protocol: Add marshalling for struct ctdb_pid_srvid via ef9db44 ctdb-protocol: Add new control CTDB_CONTROL_CHECK_PID_SRVID via 29fae09 ctdb-common: Extend srvid_exists() check to support optional private_data via 0a99c01 s3: smbd: Currently if getwd() fails after a chdir(), we panic. via df225fe s3/smbd: use correct access in get_file_handle_for_metadata via 12f19c3 s3/smbd: fix access checks in set_ea_dos_attribute() via 7fff450 s3/smbd: README.Coding fixes in set_ea_dos_attribute via 08e6e69 s3: spoolss: Fix GUID string format on GetPrinter info via 3d23c0c s3/mdssvc: missing assignment in sl_pack_float via 7f7b132 s4:rpc_server:backupkey: Move variable into scope via 925aa83 s4-dnsserver: Check for too many DNS results via 6ed5472 s4-dnsserver: Always encode user-supplied names when looking up DNS records via e0d79ab samba-tool dns query: Allow '*' in names via 443b85c samba-tool dns: Test support of DNS wild card in names via bf9ad97 dnsserver: Add support for dns wildcards via 086b68c dnsserver: Tighten DNS name checking via d603ff0 dnsserver: Tests for dns wildcard entries via 8aa3ae4 s4/torture: add a test for rename change notification with inotify enabled via 70809cf selftest: run smb2.notify-inotify testsuite against fileserver via f85dcf3 selftest: enable kernel change notifications in the fileserver environment via 9663cab messaging: Remove messaging_handler_send via 32cbcbe notifyd: Remove notifyd_handler_done via a4e5da1 notifyd: Use messaging_register for MSG_SMB_NOTIFY_DB via dea5b99 notifyd: Use messaging_register for MSG_
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 6a67866 lib/util/run_cmd: use a cleanup function instead of a destructor via 31eefb6 lib/util/run_cmd: remove a printf via c7f33ca lib/util/run_cmd: ensure fd_stdin gets set to -1 in the destructor via 634514a lib/util/run_cmd: prevent zombies in samba_runcmd_send on timeout via 3711ec4 selftest: Check re-opening sam.ldb corrects the @ATTRIBUTES and @INDEXLIST from 16594ab VERSION: Bump version up to 4.7.1... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 6a678665aec5ec026edb49841f037703ea2fd5a7 Author: Ralph Boehme Date: Fri Sep 29 13:07:53 2017 +0200 lib/util/run_cmd: use a cleanup function instead of a destructor Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062 Pair-programmed-with: Stefan Metzmacher Signed-off-by: Stefan Metzmacher Signed-off-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Sat Sep 30 12:14:57 CEST 2017 on sn-devel-144 (cherry picked from commit 6539cc8a24204697b20506896c401e7b40eee928) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Mon Oct 2 13:17:15 CEST 2017 on sn-devel-144 commit 31eefb6c98418cdde9dcee383262a298ae956ac4 Author: Ralph Boehme Date: Fri Sep 29 13:07:26 2017 +0200 lib/util/run_cmd: remove a printf Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062 Pair-programmed-with: Stefan Metzmacher Signed-off-by: Stefan Metzmacher Signed-off-by: Ralph Boehme (cherry picked from commit 94a8331e5425b735f9e2c0121afc2fb108bec891) commit c7f33ca3183a68be725587044ce8cf0c44d5d549 Author: Ralph Boehme Date: Fri Sep 29 13:06:08 2017 +0200 lib/util/run_cmd: ensure fd_stdin gets set to -1 in the destructor Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062 Pair-programmed-with: Stefan Metzmacher Signed-off-by: Stefan Metzmacher Signed-off-by: Ralph Boehme (cherry picked from commit 4aaf072d1fd732abf2cbea135d508260cdafa4eb) commit 634514a8d431b45a070f1d052b552bcf5f0a3bee Author: Ralph Boehme Date: Fri Sep 29 12:45:24 2017 +0200 lib/util/run_cmd: prevent zombies in samba_runcmd_send on timeout Ensure the state desctructor calls tfork_destroy to reap the waiter and worker processes. Otherwise we leave the waiter process as a zombie behind us as we never call waitpid on it in case of a timeout or talloc_free() from the caller. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13062 Pair-programmed-with: Stefan Metzmacher Signed-off-by: Stefan Metzmacher Signed-off-by: Ralph Boehme (cherry picked from commit 9a8eeabd95afca2e88666b3e8f2af954dbf23ba9) commit 3711ec4dafc098668eb0c1bee9dee62838024a59 Author: Andrew Bartlett Date: Wed Sep 13 16:13:06 2017 +1200 selftest: Check re-opening sam.ldb corrects the @ATTRIBUTES and @INDEXLIST https://bugzilla.samba.org/show_bug.cgi?id=13025 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 51be27522caffde8a3806f8c0c877a0f85eaf398) --- Summary of changes: lib/util/util_runcmd.c | 19 +- python/samba/tests/dsdb_schema_attributes.py | 53 2 files changed, 64 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/util_runcmd.c b/lib/util/util_runcmd.c index 6077fdd..42d84a8 100644 --- a/lib/util/util_runcmd.c +++ b/lib/util/util_runcmd.c @@ -32,18 +32,21 @@ #include "../lib/util/tfork.h" #include "../lib/util/sys_rw.h" -static int samba_runcmd_state_destructor(struct samba_runcmd_state *state) +static void samba_runcmd_cleanup_fn(struct tevent_req *req, + enum tevent_req_state req_state) { - if (state->pid > 0) { - kill(state->pid, SIGKILL); - waitpid(state->pid, NULL, 0); - state->pid = -1; + struct samba_runcmd_state *state = tevent_req_data( + req, struct samba_runcmd_state); + + if (state->tfork != NULL) { + tfork_destroy(&state->tfork); } + state->pid = -1; if (state->fd_stdin != -1) { close(state->fd_stdin); + state->fd_stdin = -1; } - return 0; } static void samba_runcmd_io_handler(struct tevent_context *ev, @@ -110,7 +113,6 @@ struct tevent_req *samba_runcmd_send(TALLOC_CTX *mem_ctx, state->tfork = tfork_create(); if (state->tfork == NULL) { - printf("state->tfork == NULL\n"); close(p1[0]); close(p1[1]); close(p2[0]); @@ -141,7 +143,7 @@ struct tevent_req *samba_runcmd_s
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 16594ab VERSION: Bump version up to 4.7.1... from d1e6984 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 16594ab0468b375154d5a164f1ff06796c53c7cd Author: Karolin Seeger Date: Thu Sep 21 08:29:04 2017 +0200 VERSION: Bump version up to 4.7.1... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index d91963a..e927ea0 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 # If a official release has a serious bug # @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=no +SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # This is for specifying a release nickname# -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d1e6984 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. via 9c85af0 WHATSNEW: Add release notes for Samba 4.7.0. from 19df09e CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d1e69845e28c20a491c4cd60c712b46ddfcb9dc0 Author: Karolin Seeger Date: Wed Sep 20 12:53:38 2017 +0200 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0 release. Signed-off-by: Karolin Seeger commit 9c85af09b66c9b2b2684f7b38ecb6135b888ec14 Author: Karolin Seeger Date: Wed Sep 20 12:52:08 2017 +0200 WHATSNEW: Add release notes for Samba 4.7.0. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 4 ++-- WHATSNEW.txt | 30 ++ 2 files changed, 24 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index d460d71..d91963a 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=7 +SAMBA_VERSION_RC_RELEASE= # To mark SVN snapshots this should be set to 'yes'# @@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=7 # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT=no # This is for specifying a release nickname# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4da5ae3..09c7be6 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,13 +1,11 @@ -Release Announcements -= + = + Release Notes for Samba 4.7.0 +September 20, 2017 + = -This is the sixth release candidate of Samba 4.7. This is *not* -intended for production environments and is designed for testing -purposes only. Please report any defects via the Samba bug reporting -system at https://bugzilla.samba.org/. - -Samba 4.7 will be the next version of the Samba suite. +This is the first stable release of Samba 4.7. +Please read the release notes carefully before upgrading. UPGRADING = @@ -370,6 +368,22 @@ KNOWN ISSUES https://wiki.samba.org/inFdex.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc6 +== + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. + + CHANGES SINCE 4.7.0rc5 == -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 19df09e CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. via ecb3cfd CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() via c38e3a7 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function via e0fe5d0 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested via acd9dcb CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() via dfd1156 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL via d148d6d CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() via f737447 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' via 1b6684e CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED via 1217df5 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one from f2f5ab6 VERSION: Bump version up to 4.7.0rc7... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 19df09e29a3c1daace945dfa9e5f7ba7c574a888 Author: Jeremy Allison Date: Fri Sep 8 10:13:14 2017 -0700 CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from writing server memory to file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 Signed-off-by: Jeremy Allison Signed-off-by: Stefan Metzmacher Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Sep 20 16:20:07 CEST 2017 on sn-devel-144 commit ecb3cfd8982a6d6b610f98ca80362d3db4178b50 Author: Stefan Metzmacher Date: Sat Dec 17 10:36:49 2016 +0100 CVE-2017-12151: s3:libsmb: make use of cli_state_is_encryption_on() This will keep enforced encryption across dfs referrals. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit c38e3a7086164b1c58e003dd627b207ffcbe856e Author: Stefan Metzmacher Date: Mon Aug 14 12:13:18 2017 +0200 CVE-2017-12151: s3:libsmb: add cli_state_is_encryption_on() helper function This allows to check if the current cli_state uses encryption (either via unix extentions or via SMB3). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 Signed-off-by: Stefan Metzmacher commit e0fe5d09082509c8a11720f683264ffac21e7a75 Author: Stefan Metzmacher Date: Mon Dec 12 06:07:56 2016 +0100 CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested With forced encryption or required signing we should also don't fallback. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit acd9dcb671fdc4cd543ddf76918e70599cb09259 Author: Stefan Metzmacher Date: Tue Aug 29 15:35:49 2017 +0200 CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit dfd11569de24064bcf8a4348b4b5271807dd501b Author: Stefan Metzmacher Date: Tue Aug 29 15:24:14 2017 +0200 CVE-2017-12150: auth/credentials: cli_credentials_authentication_requested() should check for NTLM_CCACHE/SIGN/SEAL BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit d148d6df0b39e0c2c31ba8fc1d31207a4c852af0 Author: Stefan Metzmacher Date: Mon Dec 12 05:49:46 2016 +0100 CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED in gpo_connect_server() It's important that we use a signed connection to get the GPOs! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit f7374475c867cb8a71fe4cf07a6bfec9f148af0b Author: Stefan Metzmacher Date: Fri Dec 9 09:26:32 2016 +0100 CVE-2017-12150: s3:pylibsmb: make use of SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 1b6684ea4e9c77229c5b9ef6399eb639ec39e50f Author: Stefan Metzmacher Date: Thu Nov 3 17:16:43 2016 +0100 CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED This is an addition to the fixes for CVE-2015-5296. It applies to smb2mount -e, smbcacls -e and smbcquotas -e. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 Signed-off-by: Stefan Metzmacher commit 1217df5f9c507dfa08b584ecd39ce982a8d69ddc Author: Stefan Metzmacher Date: Tue Aug 29 17:06:21 2017 +0200 CVE-2017-12150: s3:popt_common: don't turn a guessed username into a specified one BUG: https://bugzilla.samb
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via f2f5ab6 VERSION: Bump version up to 4.7.0rc7... via 33244e5 VERSION: Disable GIT_SNAPSHOT for the 4.7.0rc6 release. via abb58c4 WHATSNEW: Prepare release notes for Samba 4.7.0rc6. from d02af0b util_runcmd: Free the fde in event handler. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit f2f5ab69cd41d34879aa9fe22ee1de70ce057c4a Author: Karolin Seeger Date: Thu Sep 14 06:47:22 2017 -0700 VERSION: Bump version up to 4.7.0rc7... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 33244e57d95e516bc088cd5a5ad39a9178c5889a Author: Karolin Seeger Date: Thu Sep 14 06:46:34 2017 -0700 VERSION: Disable GIT_SNAPSHOT for the 4.7.0rc6 release. Signed-off-by: Karolin Seeger commit abb58c49f0cbd8ed46fdd9217fdf6250d0c0bc1e Author: Karolin Seeger Date: Thu Sep 14 06:45:45 2017 -0700 WHATSNEW: Prepare release notes for Samba 4.7.0rc6. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 25 +++-- 2 files changed, 24 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b880ed7..d460d71 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=6 +SAMBA_VERSION_RC_RELEASE=7 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 46a786c..4da5ae3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the fifth release candidate of Samba 4.7. This is *not* +This is the sixth release candidate of Samba 4.7. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -367,13 +367,15 @@ smb.conf changes KNOWN ISSUES -https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +https://wiki.samba.org/inFdex.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs CHANGES SINCE 4.7.0rc5 == o Jeremy Allison + * BUG 13003: s3: vfs: catia: compression get/set must act only on base file, and + must cope with fsp==NULL. * BUG 13008: lib: crypto: Make smbd use the Intel AES instruction set for signing and encryption. @@ -386,18 +388,37 @@ o Andrew Bartlett * BUG 13017: Add ldb_ldif_message_redacted_string() to allow debug of redacted log messages, avoiding showing secret values. * BUG 13023: ldb: version 1.2.2. + * BUG 13025: schema: Rework dsdb_schema_set_indices_and_attributes() db + operations. + +o Alexander Bokovoy + * BUG 13030: Install dcerpc/__init__.py for all Python environments. o Ralph Boehme * BUG 13024: s3/smbd: Sticky write time offset miscalculation causes broken timestamps + * BUG 13037: lib/util: Only close the event_fd in tfork if the caller didn't + call tfork_event_fd(). o Volker Lendecke * BUG 13006: messaging: Avoid a socket leak after fork. +o Stefan Metzmacher + * BUG 13018: charset: Fix str[n]casecmp_m() by comparing lower case values. + +o Gary Lockyer + * BUG 13037: util_runcmd: Free the fde in event handler. + o Amitay Isaacs * BUG 13012: ctdb-daemon: Fix implementation of process_exists control. * BUG 13021: GET_DB_SEQNUM control can cause ctdb to deadlock when databases are frozen. + * BUG 13029: ctdb-daemon: Free up record data if a call request is deferred. + * BUG 13036: ctdb-client: Initialize ctdb_ltdb_header completely for empty + record. + +o Christof Schmitt + * BUG 13032: vfs_streams_xattr: Fix segfault when running with log level 10. CHANGES SINCE 4.7.0rc4 -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d02af0b util_runcmd: Free the fde in event handler. via 21624ed lib/util: only close the event_fd in tfork if the caller didn't call tfork_event_fd() via 392d300 util/tfork: Write to the status pipe via a401725 tests util/tfork: Tests for status and event fd from 9e8688a ctdb-client: Initialize ctdb_ltdb_header completely for empty record https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d02af0b151affcd9c63ab1701f8025f4927437f9 Author: Gary Lockyer Date: Fri Sep 8 14:03:25 2017 +1200 util_runcmd: Free the fde in event handler. Free the fde in the event handler to prevent the event triggering again While not strictly necessary in this case, this code serves as an example of the usage of tfork. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13037 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Sat Sep 16 23:50:27 CEST 2017 on sn-devel-144 (cherry picked from commit 563bbb9c24d1d0bcc64530a6635b8b82d1ebb24d) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Sun Sep 17 13:56:23 CEST 2017 on sn-devel-144 commit 21624ed39eb0aecea65aee79df3f5b286001edd0 Author: Ralph Boehme Date: Sat Sep 16 01:22:31 2017 -0700 lib/util: only close the event_fd in tfork if the caller didn't call tfork_event_fd() Make closing of the event_fd the global responsibility of the parent process if it called tfork_event_fd(). Bug: https://bugzilla.samba.org/show_bug.cgi?id=13037 Signed-off-by: Ralph Boehme Reviewed-by: Gary Lockyer Reviewed-by: Stefan Metzmacher (cherry picked from commit 6c36ea0737ae12fc97e4a024588e6a3845caf329) commit 392d300743f13fcb8cc3288440cec388584114da Author: Gary Lockyer Date: Mon Sep 11 10:25:49 2017 +1200 util/tfork: Write to the status pipe The previous design relied on only calling close() of the status pipe. We now write a single 0 byte to the status FD as well as closing it in the parent process. Both of these operations typically trigger a read event on the other end of the FD, held in the waiter process (the child). The child process blocks on the status FD, until it becomes readable. However if there is a sibling process that was launched after the waiter process they also will hold the status FD open and the status FD would, until this change, never become readable to the waiter process (the child). This caused the waiter process (child) not to exit and the parent process to hang in tfork_status() while expecting the waitpid() to return. That is, file descriptors are essentially global variables copied to children in the process tree. The last child that (unwittingly) holds the file descriptor open is the one that needs to trigger the close() this code previously depended on. Without this change, there is no notification of process death until all these unrelated children exit for their own reasons. We can write up to 4K (PIPE_BUF) into this pipe before blocking, but we only write one byte. Additionally sys_write() refuses to block. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13037 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit f6a40ff2a1c133b6c30cf3ce29d7bb3ea005e3c8) commit a4017255bfd4d63230ac14ece9d91c0f0d1d2175 Author: Gary Lockyer Date: Mon Sep 11 14:48:21 2017 +1200 tests util/tfork: Tests for status and event fd Add tests to ensure that: - The event_fd becomes readable once the worker process has terminated - That the event_fd is not closed by the tfork code. - If this is done in tevent code and the event fde has not been freed, "Bad talloc magic value - " errors can result. - That the status call does not block if the parent process launches more than one child process. - The status file descriptor for a child is passed to the subsequent children. These processes hold the FD open, so that closing the fd does not make the read end go readable, and the process calling status blocks. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13037 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit 28edf7012b5fa474897055c8c1a4c438c69b8323) --- Summary of changes: lib/util/tests/tfork.c | 251 + lib/util/tfork.c | 27 +- lib/util/tfork.h | 7 +- lib/util/
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 9e8688a ctdb-client: Initialize ctdb_ltdb_header completely for empty record via aea5af0 ctdb-daemon: Free up record data if a call request is deferred via 74bbce0 s3: vfs: catia: compression get/set must act only on base file, and must cope with fsp==NULL. via d955230 s3: VFS: streams_xattr: Compression is only set/get on base filenames. via 8d52dd3 vfs_streams_xattr: Fix segfault when running with log level 10 via 5c36e9a schema: Rework dsdb_schema_set_indices_and_attributes() db operations via db16b55 Install dcerpc/__init__.py for all Python environments via 11048d4 charset: fix str[n]casecmp_m() by comparing lower case values via 1630838 charset/tests: also tests the system str[n]casecmp() via c6a4931 charset/tests: add more str[n]casecmp_m() tests to demonstrate the bug via 7e47230 charset/tests: assert the exact values of str[n]casecmp_m() from adfca55 WHATSNEW: Prepare changes since 4.7.0rc5. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 9e8688a58f00393662ee482d408cfabed2fd4ea2 Author: Amitay Isaacs Date: Mon Sep 11 14:05:17 2017 +1000 ctdb-client: Initialize ctdb_ltdb_header completely for empty record ctdb_ltdb_fetch() only fills in relevant portion of ctdb_ltdb_header if the record does not exist. This can result in uninitialized writes to ctdb_rec_buffer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13036 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit a878171cb432673f635a75cce0b72c92bb0d3ec7) Autobuild-User(v4-7-test): Stefan Metzmacher Autobuild-Date(v4-7-test): Sat Sep 16 13:34:33 CEST 2017 on sn-devel-144 commit aea5af075f33b85090125da0e197b21844d42737 Author: Amitay Isaacs Date: Mon Sep 11 15:59:19 2017 +1000 ctdb-daemon: Free up record data if a call request is deferred BUG: https://bugzilla.samba.org/show_bug.cgi?id=13029 If a call request for a key (migration request) is in flight, then all the subsequent call requests for the same key are deferred. In that case, the data corresponding to key read from the local tdb is useless and there is no need to keep it around. Once the deferred call is reprocessed, the data corresponding to that key will be fetched again. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 77c17b03cfc4734142fd86ba3cdd9663e75f34e3) commit 74bbce04e93eba09c7b63b6cf4df3b3aeb2cdb90 Author: Jeremy Allison Date: Fri Sep 8 15:28:39 2017 -0700 s3: vfs: catia: compression get/set must act only on base file, and must cope with fsp==NULL. Correctly do filename conversion. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13003 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Sep 12 10:50:57 CEST 2017 on sn-devel-144 (cherry picked from commit 3ff1b83ab7cb3a6ab94b87d0bf73857b731c869d) commit d95523041bb5ccb94df8cd8353133881ddb6590c Author: Jeremy Allison Date: Fri Sep 8 15:27:37 2017 -0700 s3: VFS: streams_xattr: Compression is only set/get on base filenames. Can be ignored (pass-through) in streams_xattr VFS module. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13003 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 1a7c0f77e2203aa674eb8b06fe3220868f11) commit 8d52dd377bddd1bd705cf8ac58471d57aee721d5 Author: Christof Schmitt Date: Wed Sep 13 16:23:53 2017 -0700 vfs_streams_xattr: Fix segfault when running with log level 10 This happens when vfs_streams_xattr is loaded, log level is set to 10 and the default stream of a file or directory is accessed. In that case streams_xattr_open does not allocate the stream_io fsp extension. The DBG_DEBUG message in streams_xattr_fstat tries to access the stream_io before checking for a NULL value, resulting in the crash. Fix this by moving the debug message after the check for a NULL pointer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13032 Signed-off-by: Christof Schmitt Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Thu Sep 14 10:58:12 CEST 2017 on sn-devel-144 (cherry picked from commit 1b6aa39fac0825b1f25fd62a6c67994b5c491170) commit 5c36e9ae5b74b28396d1acc5103e53aea6f5fc8f Author: Andrew Bartlett Date: Mon Sep 11 15:22:23 2017 +1200 schema: Rework dsdb_schema_set_indices_and_attributes() db operations Commit ec9b1e881c3eef503d6b4b311594113acf7d47d8 did not fully fix this. There is no value in using dsdb_replace(), we are under t
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via adfca55 WHATSNEW: Prepare changes since 4.7.0rc5. via 81f31fd libcli: SMB2: NetApps negotiate SMB3_11 but also set the SMB2_CAP_ENCRYPTION flag. via 668cc39 python: Allow debug classes to be specified on the command line for python tools via c7f3f20 librpc/dceprc_util.c: Move debug message to DBG_DEBUG() via 2f2edad libcli/security: Move debug message to DBG_DEBUG() via f6cadd5 dsdb: Add missing to debug via 66de4c1 drs repl: Only print raw DRS replication traffic at level 9 via 5977227 debug: Add new debug class "drs_repl" for DRS replication processing via 8fbaf15 repl_meta_data: Re-work printing of replicated entries via 2ea6beb linked_attributes: Use ldb_ldif_message_redacted_string() for consistency via 11568c8 repl_meta_data: Use ldb_ldif_message_redacted_string() to avoid printing secrets in logs via dab3dea ldb: version 1.2.2 via 256f485 ldb: Add new ldb_ldif_message_redacted_string() with tests via 0806c9c ldb_tdb: Refuse to re-index very old database with no DN in the record via 8f603e7 ldb_tdb: Use braces in ltdb_dn_list_find_val() via 504d3df ldb_tdb: Check for talloc_strdup() failure in ltdb_index_add1() via 285efde ldb_tdb: Check for errors during tdb operations in ltdb_reindex() via 5311eb4 ldb_tdb: Use memcmp rather than strncmp() in ltdb_key_is_record(), re_key() and re_index() via 0c87159 ldb_tdb: Create a common ltdb_key_is_record() allowing multiple key forms via e703680 ldb_tdb: Do not trigger the unique index check during a re-index, use another pass via 7db6c56 ldb_tdb: Use memcmp() to compare TDB keys in re_index() via 1a2d909 ldb: Add tests for indexed and unindexed search expressions via e517bc4 ldb: Fix tests to call the parent tearDown(), not setUp in tearDown via b6fd54b ldb_tdb: Rework ltdb_modify_internal() to use ltdb_search_dn1() internally via 98a803f ldb: Add LDB_UNPACK_DATA_FLAG_NO_ATTRS from eabed4d ctdb-daemon: GET_DB_SEQNUM should read database conditionally https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit adfca554850ca2078dce79f26699308db799c85a Author: Karolin Seeger Date: Thu Sep 14 06:45:45 2017 -0700 WHATSNEW: Prepare changes since 4.7.0rc5. Signed-off-by: Karolin Seeger Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Sep 14 22:01:27 CEST 2017 on sn-devel-144 commit 81f31fd50901a91fcce2024f3616f3543d4e4504 Author: Jeremy Allison Date: Mon Sep 11 16:36:47 2017 -0700 libcli: SMB2: NetApps negotiate SMB3_11 but also set the SMB2_CAP_ENCRYPTION flag. This is a SHOULD not, not a MUST not. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13009 Signed-off-by: Jeremy Allison Reviewed-by: Steve French Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Sep 14 14:48:20 CEST 2017 on sn-devel-144 (cherry picked from commit f0a90a1287a8f4c4114919a32afaff52e3c69a9b) commit 668cc39e320aeb30641580a1fcab39c108bd9c26 Author: Andrew Bartlett Date: Thu Sep 7 11:26:04 2017 +1200 python: Allow debug classes to be specified on the command line for python tools Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 7 10:43:33 CEST 2017 on sn-devel-144 (cherry picked from commit c938f61d332de0323cb135b201367f90f08d76a8) commit c7f3f20590971d2777b81302484e32b595d109d5 Author: Andrew Bartlett Date: Thu Sep 7 11:20:27 2017 +1200 librpc/dceprc_util.c: Move debug message to DBG_DEBUG() This message shows up a lot (every packet) at level 6 for the succesful case BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (cherry picked from commit cbb3dcf2c67dd6ddbb419fff04112e3c345c2108) commit 2f2edada445e32a41c8f3c861261dff114f3f2d3 Author: Andrew Bartlett Date: Thu Sep 7 11:19:01 2017 +1200 libcli/security: Move debug message to DBG_DEBUG() This message shows up a lot at level 6 for no particularly good reason BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (cherry picked from commit 544084d4a2e19958982e6003b1b1290315099b34) commit f6cadd503c76507458c74548c013192a3f2ddbdf Author: Andrew Bartlett Date: Thu Sep 7 11:13:17 2017 +1200 dsdb: Add missing \n to debug BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (ch
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via eabed4d ctdb-daemon: GET_DB_SEQNUM should read database conditionally via 8c22449 ctdb-daemon: Add a function to check if db access is allowed via a472eb9 ctdb-tests: Fix ctdb test binary name in path testing via 17410dc ctdb-tests: Wait up to 30 seconds for process to be registered in ctdbd via c4599cc ctdb-tests: Fix ctdb process-exist tests via 104f9ca ctdb-tests: Add a dummy ctdb client for testing via 551a778 ctdb-tests: Fix the implementation of process-exists in fake daemon via 3afa1b4 ctdb-daemon: Fix implementation of process_exists control from 024c1b7 s3/smbd: sticky write time offset miscalculation causes broken timestamps https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit eabed4d055487a6607b4b2169d88c57bf3cb8783 Author: Amitay Isaacs Date: Thu Sep 7 17:21:03 2017 +1000 ctdb-daemon: GET_DB_SEQNUM should read database conditionally BUG: https://bugzilla.samba.org/show_bug.cgi?id=13021 Once the recovery starts and databases are frozen, then all the record access is postponed till the recovery is complete except reading the database sequence number. Database access for reading sequence number is done via a control which does not check if the databases are frozen or not. If the database is frozen and if the freeze transaction is not started (this can happen when a node is inactive, or during recovery when the database is frozen but the transaction has not yet started), then trying to read sequence number will cause ctdb daemon to deadlock. Before reading the sequence number, check if the database access is allowed. Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit f57d379446c551bca5906247c622e857c77089b0) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Sep 13 19:52:24 CEST 2017 on sn-devel-144 commit 8c22449d65d0aac09f245b05a987361fea0c4850 Author: Amitay Isaacs Date: Thu Sep 7 17:18:18 2017 +1000 ctdb-daemon: Add a function to check if db access is allowed BUG: https://bugzilla.samba.org/show_bug.cgi?id=13021 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 5d2f2677de65a0fd6683bb759d80ebced604fa6b) commit a472eb9eeaa966ccf4f326c938116df40b8363c3 Author: Amitay Isaacs Date: Tue Sep 5 13:52:47 2017 +1000 ctdb-tests: Fix ctdb test binary name in path testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 96aef2371c6c1e0c6bd13874a71583eb9609959b) commit 17410dcdd1e34bd645bcc0959049143180650f7a Author: Martin Schwenke Date: Tue Sep 12 11:51:19 2017 +1000 ctdb-tests: Wait up to 30 seconds for process to be registered in ctdbd BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012 This avoids a potential race where the client is not properly registered before "ctdb process-exists" is called. Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs (cherry picked from commit ff75f0836aef56476ec45a3bc8f3ca22c118e3a4) commit c4599ccbad940aa98af7b557c556fb5a1394c3c1 Author: Amitay Isaacs Date: Fri Aug 25 16:55:34 2017 +1000 ctdb-tests: Fix ctdb process-exist tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke Autobuild-User(master): Amitay Isaacs Autobuild-Date(master): Sat Sep 9 14:44:57 CEST 2017 on sn-devel-144 (cherry picked from commit 87f7d32a906799e83cb9b023978e689a630de017) commit 104f9cacc2aa9d403fda57024bf806ccfba5347a Author: Amitay Isaacs Date: Wed Aug 30 13:05:32 2017 +1000 ctdb-tests: Add a dummy ctdb client for testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 3067db5b50162fdae288aaad8e75beb924fc9494) commit 551a778015683cbffe0fd66e43c4d2dfbd42f0c7 Author: Amitay Isaacs Date: Fri Aug 25 16:54:47 2017 +1000 ctdb-tests: Fix the implementation of process-exists in fake daemon Keep track of clients and their pids. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012 Signed-off-by: Amitay Isaacs Reviewed-by: Martin Schwenke (cherry picked from commit 7dec80a7c042d83f9d48c75a8717c3d1b59b1fbf) commit 3afa1b43bcd69b9a7f2d021ec0785242898ad337 Author: Amitay Isaacs Date: Fri Aug 25 15:00:59 2017 +1000 ctdb-daemon: Fix implementation of process_exists control Only check processes that are CTDB clients. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13012
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 024c1b7 s3/smbd: sticky write time offset miscalculation causes broken timestamps from 4e64d1f WHATSNEW: Unify usage of "''". https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 024c1b725eb174b61cb4fb1e211a4539d8c4c997 Author: Ralph Boehme Date: Fri Sep 8 12:19:03 2017 +0200 s3/smbd: sticky write time offset miscalculation causes broken timestamps The offset calculation for the offset that got passed to fetch_write_time_send() in the enumeration loop was wrong as it passed the offset before smbd_dirptr_lanman2_entry() added required padding. This resulted in broken timestamps in the find response. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13024 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Sep 12 02:45:46 CEST 2017 on sn-devel-144 (cherry picked from commit 7e0b2af4c0c429a3d347ace7b2f75cfeecea6d1f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Sep 12 23:59:14 CEST 2017 on sn-devel-144 --- Summary of changes: source3/smbd/smb2_query_directory.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c index 3e0abdf..430fdca 100644 --- a/source3/smbd/smb2_query_directory.c +++ b/source3/smbd/smb2_query_directory.c @@ -501,7 +501,6 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, while (true) { bool got_exact_match = false; int space_remaining = in_output_buffer_length - off; - int cur_off = off; struct file_id file_id; bool stop = false; @@ -556,7 +555,7 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, conn, file_id, info_level, - base_data + cur_off, + base_data + last_entry_off, &stop); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 4e64d1f WHATSNEW: Unify usage of "''". via 9651f4a WHATSNEW: Add Using x86_64 Accelerated AES Crypto Instructions section. via a1aa3f4 lib: crypto: Add the ability to select Intel AESNI instruction set at configure time. via 9d193a9 lib: crypto: Plumb in the Intel AES instructions. via 8e2afc8 lib: crypt: Prepare the existing code to switch to Intel AES hardware instructions. via ed459e2 third_party: Add build capability to aesni-intel. via add95df third_party: Add the Intel Add support for AES-NI acceleration. via 36aa4af messaging: Avoid a socket leak after fork from f08b212 pthreadpool: Test fork with an active thread https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 4e64d1fb31196e1e326f097b9e98362bc203f9bc Author: Karolin Seeger Date: Sun Sep 10 16:02:24 2017 +0200 WHATSNEW: Unify usage of "''". Signed-off-by: Karolin Seeger Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Sep 11 05:30:28 CEST 2017 on sn-devel-144 commit 9651f4a50273efb05146bde929944d82526da124 Author: Jeremy Allison Date: Wed Sep 6 12:13:32 2017 -0700 WHATSNEW: Add Using x86_64 Accelerated AES Crypto Instructions section. Describes --accel-aes configure time option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit c754f48575a5034242594762d62261a48025cebc) commit a1aa3f49bf348e2c9bbfd23a04b973b2b1e03c6b Author: Jeremy Allison Date: Wed Sep 6 11:59:44 2017 -0700 lib: crypto: Add the ability to select Intel AESNI instruction set at configure time. Add --accel-aes=[none|intelaesni] to select. Default is none. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit 5f87a05aa314776135eec1057dd644c0b25a9d14) commit 9d193a942fdbcab135e40d06422eab640d33d00b Author: Jeremy Allison Date: Wed Sep 6 11:40:02 2017 -0700 lib: crypto: Plumb in the Intel AES instructions. Causes: AES_set_encrypt_key() AES_set_decrypt_key() AES_encrypt() AES_decrypt() to probe for the Intel AES instructions at runtime (only once) and then call the hardware implementations if so, otherwise fall back to the software implementations. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008 Based on original work by Justin Maggard Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit 53ac0f7c59a9192e4fa88bf3d257ad80379ded23) commit 8e2afc83b012bf1caa662a03c4cff28d9f0259a6 Author: Jeremy Allison Date: Thu Aug 31 11:41:32 2017 -0700 lib: crypt: Prepare the existing code to switch to Intel AES hardware instructions. Rename the old struct aes_key as an intermediate struct aes_key_rj and wrap it in a union so we can chose an alternate aes_key struct when using Intel AES hardware. Rename the original software implementations of: AES_set_encrypt_key() AES_set_decrypt_key() AES_encrypt() AES_decrypt() by adding an _rj on the end, and call them via a wrapper function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008 Based on original work by Justin Maggard Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit 3324b55bde96d4098df2f1138be5fd243206ceba) commit ed459e272cf4b8b04555eb2bb363d9aa5f84d011 Author: Jeremy Allison Date: Wed Sep 6 09:58:06 2017 -0700 third_party: Add build capability to aesni-intel. Minor modifications to code to allow building as a Samba shared library. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13008 Based on original work by Justin Maggard Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit 11a56768950e1caae302507e15e58eb1c316c30a) commit add95df6e4720a0416e079d6dfa8df608c041efc Author: Jeremy Allison Date: Wed Sep 6 09:44:42 2017 -0700 third_party: Add the Intel Add support for AES-NI acceleration. This commit takes the Linux kernel AES-NI code, and puts it into a third_party private library. The Linux kernel code is under GPLv2+ so is compatible with Samba. This can result in massive speed improvements (up to 200% on some platforms), by using Intel AES-NI instructions. These are the pristine check-ins of Linux kernel files for Intel AESNI crypto. git show 8691ccd764f9ecc69a6812dfe76214c86ac9ba06:arch/x86/crypto/aesni-intel_asm.S git show 2baad6121e2b2fa3428ee6cb2298107be11ab23a:arch/x86/includ
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via f08b212 pthreadpool: Test fork with an active thread via efcd9ee pthreadpool: Fix fork behaviour from 4cc6517 WHATSNEW: We generate SHA265 certificates now https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit f08b212c5cfbd42410b6114df2c75c8b68b6e9bc Author: Volker Lendecke Date: Tue Aug 29 21:57:54 2017 +0200 pthreadpool: Test fork with an active thread Bug: https://bugzilla.samba.org/show_bug.cgi?id=13006 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Reviewed-by: Stefan Metzmacher Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Thu Aug 31 21:34:57 CEST 2017 on sn-devel-144 (cherry picked from commit 981e674a7472017274c9b169c776d5c5e8bd1469) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Sat Sep 9 01:44:12 CEST 2017 on sn-devel-144 commit efcd9eed9882a98e9ecd80ba773138f705d228f6 Author: Volker Lendecke Date: Mon Aug 28 16:38:19 2017 +0200 pthreadpool: Fix fork behaviour glibc's pthread_cond_wait(&c, &m) increments m.__data.__nusers, making pthread_mutex_destroy return EBUSY. Thus we can't allow any thread waiting for a job across a fork. Also, the state of the condvar itself is unclear across a fork. Right now to me it looks like an initialized but unused condvar can be used in the child. Busy worker threads don't cause any trouble here, they don't hold mutexes or condvars. Also, they can't reach the condvar because _prepare holds all mutexes. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13006 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Reviewed-by: Stefan Metzmacher (cherry picked from commit ff98e3fb666b57b56a1427aa1196948ceebdec66) --- Summary of changes: lib/pthreadpool/pthreadpool.c | 67 - lib/pthreadpool/tests.c | 114 ++ 2 files changed, 179 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/pthreadpool/pthreadpool.c b/lib/pthreadpool/pthreadpool.c index f97cdcc..23885aa 100644 --- a/lib/pthreadpool/pthreadpool.c +++ b/lib/pthreadpool/pthreadpool.c @@ -89,6 +89,13 @@ struct pthreadpool { * Number of idle threads */ int num_idle; + + /* +* Condition variable indicating that we should quickly go +* away making way for fork() without anybody waiting on +* pool->condvar. +*/ + pthread_cond_t *prefork_cond; }; static pthread_mutex_t pthreadpools_mutex = PTHREAD_MUTEX_INITIALIZER; @@ -148,6 +155,7 @@ int pthreadpool_init(unsigned max_threads, struct pthreadpool **presult, pool->num_threads = 0; pool->max_threads = max_threads; pool->num_idle = 0; + pool->prefork_cond = NULL; ret = pthread_mutex_lock(&pthreadpools_mutex); if (ret != 0) { @@ -169,6 +177,47 @@ int pthreadpool_init(unsigned max_threads, struct pthreadpool **presult, return 0; } +static void pthreadpool_prepare_pool(struct pthreadpool *pool) +{ + pthread_cond_t prefork_cond = PTHREAD_COND_INITIALIZER; + int ret; + + ret = pthread_mutex_lock(&pool->mutex); + assert(ret == 0); + + while (pool->num_idle != 0) { + /* +* Exit all idle threads, which are all blocked in +* pool->condvar. In the child we can destroy the +* pool, which would result in undefined behaviour in +* the pthread_cond_destroy(pool->condvar). glibc just +* blocks here. +*/ + pool->prefork_cond = &prefork_cond; + + ret = pthread_cond_signal(&pool->condvar); + assert(ret == 0); + + ret = pthread_cond_wait(&prefork_cond, &pool->mutex); + assert(ret == 0); + + pool->prefork_cond = NULL; + } + + ret = pthread_cond_destroy(&prefork_cond); + assert(ret == 0); + + /* +* Probably it's well-defined somewhere: What happens to +* condvars after a fork? The rationale of pthread_atfork only +* writes about mutexes. So better be safe than sorry and +* destroy/reinit pool->condvar across a fork. +*/ + + ret = pthread_cond_destroy(&pool->condvar); + assert(ret == 0); +} + static void pthreadpool_prepare(void) { int ret; @@ -180,8 +229,7 @@ static void pthreadpool_prepare(void) pool = pthreadpools; while (pool != NULL) { - ret = pthread_mutex_lock(&pool->mutex); - assert(ret == 0); + pthreadpool_prepare_pool(pool); pool = pool->next; } } @@ -19
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 4cc6517 WHATSNEW: We generate SHA265 certificates now via 2ab073a WHATSNEW: warn against using the RODC on older Samba versions via 4dfa810 WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP via d6a9f6b WHATSNEW: fix spelling from eb299c6 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 4cc6517a170f075a14375d64c56d7690c93a1e29 Author: Andrew Bartlett Date: Mon Aug 28 21:37:16 2017 +1200 WHATSNEW: We generate SHA265 certificates now Signed-off-by: Andrew Bartlett Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Sep 6 14:21:15 CEST 2017 on sn-devel-144 commit 2ab073a1ab9fa76337ca01e7dbc050795ec439ce Author: Andrew Bartlett Date: Mon Aug 28 21:36:14 2017 +1200 WHATSNEW: warn against using the RODC on older Samba versions Signed-off-by: Andrew Bartlett commit 4dfa810ed569406387bbb4abd636ab3c7543c8f9 Author: Andrew Bartlett Date: Mon Aug 28 21:35:56 2017 +1200 WHATSNEW: explain that we may use much more RAM and SWAP with multi-process LDAP Signed-off-by: Andrew Bartlett commit d6a9f6be321f7f2489df934dc57362f09b5f3863 Author: Andrew Bartlett Date: Mon Aug 28 21:35:34 2017 +1200 WHATSNEW: fix spelling Signed-off-by: Andrew Bartlett --- Summary of changes: WHATSNEW.txt | 22 -- 1 file changed, 20 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c58c297..8ba321f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -53,7 +53,7 @@ Whole DB read locks: Improved LDAP and replication consistency -- Prior to Samba 4.7 and ldb 1.2.0, the LDB database layer used by Samba -erronously did not take whole-DB read locks to protect search +erroneously did not take whole-DB read locks to protect search and DRS replication operations. While each object returned remained subject to a record-level lock (so @@ -150,7 +150,8 @@ the rest of the 'samba' process, rather than being forced into a single process. This aids in Samba's ability to scale to larger numbers of AD clients and the AD DC's overall resiliency, but will mean that there is a fork()ed child for every LDAP client, which may be more resource -intensive in some situations. +intensive in some situations. If you run Samba in a +resource-constrained VM, consider allocating more RAM and swap space. Improved Read-Only Domain Controller (RODC) Support --- @@ -172,6 +173,14 @@ The reliability of RODCs locating a writable partner still requires some improvements and so the 'password server' configuration option is generally recommended on the RODC. +Samba 4.7 is the first Samba release to be secure as an RODC or when +hosting an RODC. If you have been using earlier Samba versions to +host or be an RODC, please upgrade. + +In particular see https://bugzilla.samba.org/show_bug.cgi?id=12977 for +details on the security implications for password disclosure to an +RODC using earlier versions. + Additional password hashes stored in supplementalCredentials @@ -247,6 +256,15 @@ the talloc_autofree_context() (which is inherently thread-unsafe) and still be valgrind-clean on exit. Modules that don't need to free long-lived data on exit should use the NULL talloc context. +SHA256 LDAPS Certificates +- + +The self-signed certificate generated for use on LDAPS will now be +generated with a SHA256 self-signature, not a SHA1 self-signature. + +Replacing this certificate with a certificate signed by a trusted +CA is still highly recommended. + CTDB changes -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via eb299c6 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES via 7364965 tests/fake_snap: sanitize paths from 8619bd1 VERSION: Bump version up to 4.7.0rc6... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit eb299c63f15c42bf65393f26cf3c7ab6b05470fd Author: Andrew Bartlett Date: Fri Aug 4 11:44:19 2017 +1200 s4-drsuapi: Avoid segfault when replicating as a non-admin with GUID_DRS_GET_CHANGES Users who are not administrator do not get b_state->sam_ctx_system filled in. We should probably use the 'sam_ctx' variable in all cases (instead of b_state->sam_ctx*), but I'll make this change in a separate patch, so that the bug fix remains independent from other tidy-ups. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12946 Signed-off-by: Andrew Bartlett Signed-off-by: Tim Beale Reviewed-by: Garming Sam (cherry picked from commit dd863b604984c1504895f376ec64f58e27e53efa) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Aug 31 14:02:51 CEST 2017 on sn-devel-144 commit 7364965ac09b799a25f95ab475819b389dcad174 Author: David Disseldorp via samba-technical Date: Sat Aug 26 23:40:37 2017 +0200 tests/fake_snap: sanitize paths Ensure fake_snap.pl can be run in taint mode (-T), by sanitizing paths and the PATH env. This fixes the following samba3.rpc.fsrvp selftest failures: Insecure dependency in mkdir while running setgid at (eval 2) line 4. snap create failed: NT_STATUS_UNSUCCESSFUL snap create failed for shadow copy of /home/ddiss/isms/samba/st/nt4_dc/share Bug: https://bugzilla.samba.org/show_bug.cgi?id=12988 Signed-off-by: David Disseldorp Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Aug 29 04:54:51 CEST 2017 on sn-devel-144 (cherry picked from commit f9d4158f0b002b482df0a919d4cb337cce81f9f8) --- Summary of changes: source3/script/tests/fake_snap.pl | 19 - source4/rpc_server/drsuapi/getncchanges.c | 2 +- source4/selftest/tests.py | 5 ++ source4/torture/drs/python/getnc_unpriv.py | 116 + 4 files changed, 138 insertions(+), 4 deletions(-) create mode 100644 source4/torture/drs/python/getnc_unpriv.py Changeset truncated at 500 lines: diff --git a/source3/script/tests/fake_snap.pl b/source3/script/tests/fake_snap.pl index d1233f3..18bbcb7 100755 --- a/source3/script/tests/fake_snap.pl +++ b/source3/script/tests/fake_snap.pl @@ -5,14 +5,25 @@ use strict; use File::Path qw(rmtree); use POSIX (); +sub _untaint_path +{ + my ($path) = @_; + + if ($path =~ /^(.*)$/) { + return $1; + } + die "bad path"; +} + sub _create_snapshot { - my ($base_path) = @_; + my ($base_path) = _untaint_path(shift); my $time_str = POSIX::strftime("%Y.%m.%d-%H.%M.%S" , localtime()); my $snap_path = $base_path . "/.snapshots/\@GMT-" . $time_str; my $ret; - POSIX::mkdir($base_path . "/.snapshots", 0777); + $ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH + POSIX::mkdir($base_path . "/.snapshots", 0755); # add trailing slash to src path to ensure that only contents is copied $ret = system("rsync", "-a", "--exclude=.snapshots/", "${base_path}/", @@ -28,7 +39,8 @@ sub _create_snapshot sub _delete_snapshot { - my ($base_path, $snap_path) = @_; + my $base_path = _untaint_path(shift); + my $snap_path = _untaint_path(shift); # we're doing a recursive delete, so do some sanity checks if ((index($snap_path, $base_path) != 0) || (index($snap_path, ".snapshots") == -1)) { @@ -36,6 +48,7 @@ sub _delete_snapshot return -1; } + $ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH rmtree($snap_path, {error => \my $err}); if (@$err) { for my $diag (@$err) { diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index da294a6..32580bd 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -2250,7 +2250,7 @@ allowed: return WERR_NOT_ENOUGH_MEMORY; } - ret = dsdb_find_guid_by_dn(b_state->sam_ctx_system, + ret = dsdb_find_guid_by_dn(b_state->sam_ctx, getnc_state->ncRoot_dn, &getnc_state->ncRoot_guid); if (ret != LDB_SUCCESS) { diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index c13af0c..4bcbdc6 100755 --- a/source
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 8619bd1 VERSION: Bump version up to 4.7.0rc6... via 7d8e33c VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc5 release. via 74baf7d WHATSNEW: Add release notes for Samba 4.7.0rc5. from 52d8cc3 s4:torture: The teardown function should just return https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 8619bd1036b26e2da655257a144ac6a3612d1b22 Author: Karolin Seeger Date: Tue Aug 29 06:10:50 2017 +0200 VERSION: Bump version up to 4.7.0rc6... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger commit 7d8e33c2adb2ee77e9ed66ae8364cf58a5d6c7f8 Author: Karolin Seeger Date: Tue Aug 29 06:10:06 2017 +0200 VERSION: Disable GIT_SNAPSHOTS for the 4.7.0rc5 release. Signed-off-by: Karolin Seeger commit 74baf7d0544154023759fb28bf819791ae17540f Author: Karolin Seeger Date: Tue Aug 29 06:09:24 2017 +0200 WHATSNEW: Add release notes for Samba 4.7.0rc5. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 42 +- 2 files changed, 42 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 41c3271..b880ed7 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=5 +SAMBA_VERSION_RC_RELEASE=6 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index de74a99..c58c297 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the fourth release candidate of Samba 4.7. This is *not* +This is the fifth release candidate of Samba 4.7. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -334,6 +334,46 @@ KNOWN ISSUES https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc4 +== + +o Andrew Bartlett + * BUG 12929: smb.conf: Explain that "ntlm auth" is a per-passdb setting. + * BUG 12953: s4/lib/tls: Use SHA256 to sign the TLS certificates. + +o Jeremy Allison + * BUG 12932: Get rid of talloc_autofree_context(). + +o Amitay Isaacs + * BUG 12978: After restarting CTDB, it attaches replicated databases with + wrong flags. + +o Stefan Metzmacher + * BUG 12863: s3:smbclient: Don't try any workgroup listing with + "client min protocol = SMB2". + * BUG 12876: s3:libsmb: Don't call cli_NetServerEnum() on SMB2/3 connections + in SMBC_opendir_ctx(). + * BUG 12881: s3:libsmb: Let do_connect() debug the negotiation result + similar to "session request ok". + * BUG 12919: s4:http/gensec: add missing tevent_req_done() to + gensec_http_ntlm_update_done(). + * BUG 12968: Fix 'smbclient tarmode' with SMB2/3. + * BUG 12973: 'smbd': Don't use a lot of CPU on startup of a connection. + +o Christof Schmitt + * BUG 12983: vfs_default: Fix passing of errno from async calls. + +o Andreas Schneider + * BUG 12629: s3:utils: Do not report an invalid range for AD DC role. + * BUG 12704: s3:libsmb: Let get_ipc_connect() use + CLI_FULL_CONNECTION_FORCE_SMB1. + * BUG 12930: Fix build issues with GCC 7.1. + * BUG 12950: s3:script: Untaint user supplied data in modprinter.pl. + * BUG 12956: s3:libads: Fix changing passwords with Kerberos. + * BUG 12975: Fix changing the password with 'smbpasswd' as a local user on + a domain member. + + CHANGES SINCE 4.7.0rc3 == -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 52d8cc3 s4:torture: The teardown function should just return via 5b41f24 s4:torture: Delete printer before we remove the driver via 4ed0884 s4:torture: Use a different driver name for add_driver tests via 63945e1 [PATCH] WHATSNEW: Added links to Wiki documentation via bec5eb1 vfs_default: Fix passing of errno from async calls via 9ca3ad4 ctdb-client: Fix ctdb_attach() to use database flags via b787635 ctdb-client: Optionally return database id from ctdb_ctrl_createdb() via da1aad0 ctdb-client: Fix ctdb_ctrl_createdb() to use database flags via 29270b0 ctdb-tests: Add a test to check databases are attached with correct flags via 8fb3c3c ctdb-tests: Add functions to start/stop/restart a single local daemon via 9774290 ctdb-tests: Add functions to start/stop/restart ctdb on single node via 5568b2d s3:utils: Remove pointless if-clause for remote_machine via c308ad1 s3:utils: Make sure we authenticate against our SAM name in smbpasswd via 2fcedfb s3:utils: Pass domain to password_change() in smbpasswd via 0714ae6 s3:utils: Make strings const passed to password_change() in smbpasswd via a53ed1e s3:libsmb: Move prototye of remote_password_change() via 34137a1 s3:libsmb: Pass domain to remote_password_change() via c9eed50 s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets() via 069dd3e s3:secrets: allow secrets_fetch_or_upgrade_domain_info() on an AD DC via 173ea78 libcli/smb: debug an error if smb1cli_req_writev_submit() is called for SMB2/3 via f35dab5 s3: libsmb: Add cli_smb2_chkpath() and use from cli_chkpath(). via 639ec48 blackbox: Add test for 'net ads changetrustpw' via f3fb65c s3:libads: Fix changing passwords with Kerberos via fa0b6d5 s3:script: Untaint user supplied data in modprinter.pl via cc9f583 s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done() via 50ad7f1 s3:libsmb: let do_connect() debug the negotiation result similar to "session request ok" via d5d9632 s3:libsmb: don't call cli_NetServerEnum() on SMB2/3 connections in SMBC_opendir_ctx() via 84052d0 s3:smbclient: don't try any workgroup listing with "client min protocol = SMB2" via 50a8102 s3:smbclient: improve the error messages for smbclient -L via dcdeb33 s3:libsmb: let get_ipc_connect() use CLI_FULL_CONNECTION_FORCE_SMB1 via 3ba3f92 s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE via 09df2eb s3:utils: Do not report an invalid range for AD DC role via cf604fb s4/lib/tls: Use SHA256 to sign the TLS certificates via 21b585f heimdal: Fix printing a short int into a string via 168bea2 s3:utils: Fix buffer size for snprintf and format string via 3b9c9f0 s3:torture: Fix spoolss test to build with -O3 via 9850c58 s4:samdb: Fix building Samba with -O3 from 54ab11d s4: com: Replace erroneous inclusion of internal talloc.h header with external. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 52d8cc3f87894c91bf2f902721f2b7ab59cff8ed Author: Andreas Schneider Date: Tue Aug 8 12:05:24 2017 +0200 s4:torture: The teardown function should just return The teardown functions should not return on error but finish cleaning up! BUG: https://bugzilla.samba.org/show_bug.cgi?id=12984 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit c90069b26424752b15922de9cb796c431d2f3e08) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Aug 28 15:19:58 CEST 2017 on sn-devel-144 commit 5b41f24a6f71f51c620fe14051468caee3098c5d Author: Andreas Schneider Date: Tue Aug 8 10:40:19 2017 +0200 s4:torture: Delete printer before we remove the driver BUG: https://bugzilla.samba.org/show_bug.cgi?id=12984 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit bd44e435fa6a93d47a470f8ee95763a95eba4b5d) commit 4ed08849e4c0bacc3c09f0688fb5bc3073824fc1 Author: Andreas Schneider Date: Tue Aug 8 11:25:48 2017 +0200 s4:torture: Use a different driver name for add_driver tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=12984 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner (cherry picked from commit 731fe596ac0999d54aae03ce4175356c56b3c94b) commit 63945e1f55b9507534afa9237a4d8b526f1db933 Author: Marc Muehlfeld Date: Mon Aug 28 10:54:43 2017 +0200 [PATCH] WHATSNEW: Added links to Wiki documentation Signed-off-by: Marc Muehlfeld Reviewed-by: Karolin Seeger commit bec5eb17de21556d62a66aff634902ba1c39aa6c Author:
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 54ab11d s4: com: Replace erroneous inclusion of internal talloc.h header with external. via dbc050b lib: auth: Store the netlogon_creds_cli_global_db pointer on the NULL context. via eb2d10d s3: clients: Use netlogon_creds_cli_close_global_db() in all normal exit paths. via 301044e lib: auth: Add a shutdown function for netlogon_creds_cli_global_db. via df7ccb9 s3: rpcclient: Use rpcclient_msg_ctx as the long-lived talloc context for rpcclient_netlogon_creds. via fc3c124 s3: rpcclient: Use event context as the talloc parent of the rpcclient_msg_ctx. via 4880438 s3: rpcclient: Split out initialization and free of event context. via 65a90719 s3: rpc_client: Allocate struct db_context * off the local frame, as all other variables in this function. via a4a0478 lib: cli: fname is a local variable already freed in the function scope, doesn't need to be on talloc_autofree_context() via 68f8c33 s4: schema: Allocate global_schema off the NULL context, not the talloc_autofree_context(). via 07ee9d4 lib: ldb: Python. Take care of freeing the passed in module description if ldb_register_module() fails. via d09bb56 lib: ldb: Use NULL to allocate modules not talloc_autofree_context(). via f5f63d6 s4: COM: Remove talloc_autofree_context() from (unused) COM code. via 490464a lib: rpc: The registered interfaces are a lists of singletons that are never removed. via 26cf4ec s4: modules. Fix missing TALLOC_CTX in module init function. via a727c56 smb.conf: Explain that "ntlm auth" is a per-passdb setting from 67612bb selftest: Add test for password change when NTLM is disabled https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 54ab11d16f21d4bb3ae3a62a86597ebaade0ae09 Author: Jeremy Allison Date: Mon Aug 14 13:02:30 2017 -0700 s4: com: Replace erroneous inclusion of internal talloc.h header with external. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison Reviewed-by: Stefan Metzmacher Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Aug 15 08:06:40 CEST 2017 on sn-devel-144 (cherry picked from commit f816de5636bb17ab09dd4b9c3e5b0249dc9b186f) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Aug 17 14:58:08 CEST 2017 on sn-devel-144 commit dbc050b7e888373dd43b56d1c42756d73047b98c Author: Jeremy Allison Date: Mon Jul 24 16:14:00 2017 -0700 lib: auth: Store the netlogon_creds_cli_global_db pointer on the NULL context. Now we shutdown correctly it doesn't need the talloc_autofree_context(). Last use of talloc_autofree_context() ourside the talloc test code ! Please don't add it ever again :-). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Jul 27 01:34:12 CEST 2017 on sn-devel-144 (cherry picked from commit e74081ce5d0f81024f7384816c589e5bc28baf80) commit eb2d10df8ad7ed80de8c83e03618ae6624cb03cf Author: Jeremy Allison Date: Mon Jul 24 16:12:45 2017 -0700 s3: clients: Use netlogon_creds_cli_close_global_db() in all normal exit paths. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett (cherry picked from commit dbd32932463935cd47c55a9e1afdaccd7f6daf4d) commit 301044e10640aa6ce4867c28fc61aed889fbb611 Author: Jeremy Allison Date: Mon Jul 24 14:49:47 2017 -0700 lib: auth: Add a shutdown function for netlogon_creds_cli_global_db. Will allow us to move off the talloc_autofree_context(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett (cherry picked from commit 4cc104d015bdfeb631c7c8f5252fc31727a128ca) commit df7ccb91466fee717dd8d49c6ba54b770591c1b2 Author: Jeremy Allison Date: Mon Jul 24 13:14:08 2017 -0700 s3: rpcclient: Use rpcclient_msg_ctx as the long-lived talloc context for rpcclient_netlogon_creds. Guaranteed to stay around until the command exits. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett (cherry picked from commit 74b589799e794cc8872a7d3845ced9f5087a8366) commit fc3c124662c92cbb3d58ac110c22b16b56403491 Author: Jeremy Allison Date: Mon Jul 24 13:12:20 2017 -0700 s3: rpcclient: Use event context as the talloc parent of the rpcclient_msg_ctx. Give control over shutdown. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jere
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 67612bb selftest: Add test for password change when NTLM is disabled via 5e1e86e WHATSNEW: Fix some typos. from e131010 VERSION: Bump version up to 4.7.0rc5... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 67612bbe87bc61886daf407851c83511fa991e79 Author: Tim Beale Date: Tue Jul 4 17:27:27 2017 +1200 selftest: Add test for password change when NTLM is disabled When NTLM is disabled, the server should reject NTLM-based password changes. Changing the password is a bit complicated from python, but because the server should reject the password change outright with NTLM_BLOCKED, the test doesn't actually need to provide valid credentials. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Signed-off-by: Tim Beale Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144 (cherry picked from commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Wed Aug 16 13:03:26 CEST 2017 on sn-devel-144 commit 5e1e86e5e9eae26106aa6f3133161b360d4c3b3d Author: Karolin Seeger Date: Tue Aug 15 10:25:30 2017 +0200 WHATSNEW: Fix some typos. Signed-off-by: Karolin Seeger --- Summary of changes: WHATSNEW.txt | 37 - python/samba/tests/ntlmauth.py | 46 ++ selftest/knownfail | 2 ++ 3 files changed, 54 insertions(+), 31 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a40feb3..d738e4d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -12,13 +12,13 @@ Samba 4.7 will be the next version of the Samba suite. UPGRADING = -smbclient changes -- +'smbclient' changes +-- -smbclient no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' -banner when connecting to the first server. With SMB2 and Kerberos -there's no way to print this information reliable. Now we avoid it at all -consistently. In interactive session the following banner is now presented +'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1] Server=[...]' +banner when connecting to the first server. With SMB2 and Kerberos, +there's no way to print this information reliably. Now we avoid it at all +consistently. In interactive sessions the following banner is now presented to the user: 'Try "help" do get a list of possible commands.'. The default for "client max protocol" has changed to "SMB3_11", @@ -26,22 +26,23 @@ which means that smbclient (and related commands) will work against servers without SMB1 support. It's possible to use the '-m/--max-protocol' option to overwrite -the "client max protocol" option temporary. +the "client max protocol" option temporarily. Note that the '-e/--encrypt' option also works with most SMB3 servers (e.g. Windows >= 2012 and Samba >= 4.0.0), so the SMB1 unix extensions are not required for encryption. -The change to SMB3_11 as default also means smbclient no longer +The change to SMB3_11 as default also means smbclient no longer negotiates SMB1 unix extensions by default, when talking to a Samba server with -"unix extensions = yes". As a result some commands are not available, e.g. -posix_encrypt, posix_open, posix_mkdir, posix_rmdir, posix_unlink, posix_whoami, -getfacl and symlink. Using "-mNT1" reenabled them, if the server supports SMB1. +"unix extensions = yes". As a result, some commands are not available, e.g. +'posix_encrypt', 'posix_open', 'posix_mkdir', 'posix_rmdir', 'posix_unlink', +'posix_whoami', 'getfacl' and 'symlink'. Using "-mNT1" reenables them, if the +server supports SMB1. Note the default ("CORE") for "client min protocol" hasn't changed, so it's still possible to connect to SMB1-only servers by default. -smbclient learned a new command "deltree" that is able to do +'smbclient' learned a new command "deltree" that is able to do a recursive deletion of a directory tree. @@ -106,15 +107,15 @@ Dynamic RPC port range -- The dynamic port range for RPC services has been changed from the old default -value 1024-1300 to 49152-65535. This port range is not only used by a -Samba AD DC but also applies to all other server roles including NT4-style +value "1024-1300" to "49152-65535". This port range is not only used by a +Samba AD DC, but also applies to all other server roles including NT4-style domain controllers. The new value has been defined by Microsoft in Windows Server 2008 and newer versions. To make it easier for Administrators to control those port rang
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via e131010 VERSION: Bump version up to 4.7.0rc5... via 842bac1 VERSION: Disable GIT_SNAPSHOT for the 4.7.0rc4 release. via 7bc3506 WHATSNEW: Add release notes for Samba 4.7.0rc4. from 11a6fd3 source3/client: Fix typo in help message displayed by default https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit e1310105a7459094e6817509261e409f67e29416 Author: Karolin Seeger Date: Mon Aug 14 12:49:02 2017 +0200 VERSION: Bump version up to 4.7.0rc5... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger commit 842bac10737439d04e4dcd7421b952755612480b Author: Karolin Seeger Date: Mon Aug 14 12:47:57 2017 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.7.0rc4 release. Signed-off-by: Karolin Seeger commit 7bc35068cb2d74b57fca7d9c637d57cbee0435e2 Author: Karolin Seeger Date: Mon Aug 14 12:47:16 2017 +0200 WHATSNEW: Add release notes for Samba 4.7.0rc4. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 47 ++- 2 files changed, 47 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 9c77c15..41c3271 100644 --- a/VERSION +++ b/VERSION @@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE= # e.g. SAMBA_VERSION_RC_RELEASE=1 # # -> "3.0.0rc1" # -SAMBA_VERSION_RC_RELEASE=4 +SAMBA_VERSION_RC_RELEASE=5 # To mark SVN snapshots this should be set to 'yes'# diff --git a/WHATSNEW.txt b/WHATSNEW.txt index aa0730b..a40feb3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,7 +1,7 @@ Release Announcements = -This is the third release candidate of Samba 4.7. This is *not* +This is the fourth release candidate of Samba 4.7. This is *not* intended for production environments and is designed for testing purposes only. Please report any defects via the Samba bug reporting system at https://bugzilla.samba.org/. @@ -327,6 +327,51 @@ KNOWN ISSUES https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.7#Release_blocking_bugs +CHANGES SINCE 4.7.0rc3 +== + +o Jeremy Allison + * BUG 12913: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo(). + +o Andrew Bartlett + * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return + NETLOGON_NT_VERSION_5 when version unspecified. + * BUG 12855: dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7. + * BUG 12904: dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() + etc. + * BUG 12939: s4-rpc_server: Improve debug of new endpoints. + +o Ralph Boehme + * BUG 12791: Fix kernel oplocks issues with named streams. + * BUG 12944: vfs_gpfs: Handle EACCES when fetching DOS attributes from xattr. + +o Bob Campbell + * BUG 12842: samdb/cracknames: Support user and service principal as desired + format. + +o David Disseldorp + * BUG 12911: vfs_ceph: Fix cephwrap_chdir(). + +o Gary Lockyer + * BUG 12865: Track machine account ServerAuthenticate3. + +o Marc Muehlfeld + * BUG 12947: python: Fix incorrect kdc.conf parameter name in kerberos.py. + +o Noel Power + * BUG 12937: s3/utils: 'smbcacls' failed to detect DIRECTORIES using SMB2 + (Windows only). + +o Arvid Requate + * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping. + +o Anoop C S + * BUG 12936: source3/client: Fix typo in help message displayed by default. + +o Andreas Schneider + * BUG 12930: Fix building with GCC 7.1.1. + + CHANGES SINCE 4.7.0rc2 == -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 11a6fd3 source3/client: Fix typo in help message displayed by default via d7ab149 vfs_fruit: factor out common code from ad_get() and ad_fget() via 67649b7 vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk() via 6f00dc7 vfs_fruit: don't open basefile in ad_open() and simplify API via dafa192 vfs_fruit: use path based setxattr call in ad_fset() via 4a742a6 s4/torture: additional tests for kernel-oplocks via 60a551e s4/torture: reproducer for kernel oplocks issue with streams via a89dca2 vfs_streams_xattr: return a fake fd in streams_xattr_open() via 715bae3 vfs_streams_xattr: implement all missing handle based VFS functions via 577a3c1 vfs_streams_xattr: always pass NULL as fsp arg to get_ea_value() via cc0ada5 vfs_streams_xattr: remove fsp argument from get_xattr_size() via 2987e49 vfs_streams_xattr: remove all uses of fd, use name based functions via a0727ee vfs_streams_xattr: invalidate stat info if xattr was not found via ca32a25 s3: torture: Add a test for cli_setpathinfo_basic() to smbtorture3. via 4cc812b s3: libsmb: Implement cli_smb2_setatr() by calling cli_smb2_setpathinfo(). via a899335 s3: libsmb: Add cli_smb2_setpathinfo(), to be called by cli_setpathinfo_basic(). via 527d1aa s3: libsmbclient: Fix cli_setpathinfo_basic() to treat mode == -1 as no change. from 53643ac vfs_gpfs: handle EACCES when fetching DOS attributes from xattr https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 11a6fd32c36ff7159445a871fd97b3b80d1f7ae6 Author: Anoop C S Date: Mon Jul 31 15:39:19 2017 +0530 source3/client: Fix typo in help message displayed by default BUG: https://bugzilla.samba.org/show_bug.cgi?id=12936 Signed-off-by: Anoop C S Reviewed-by: Volker Lendecke Reviewed-by: Andreas Schneider (cherry picked from commit 90487259e365d5b966ccc47ac51eadb4733f3197) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Aug 14 14:35:34 CEST 2017 on sn-devel-144 commit d7ab149b68d84ed58cd69af607c451e5c70feebd Author: Ralph Boehme Date: Wed May 24 09:17:19 2017 +0200 vfs_fruit: factor out common code from ad_get() and ad_fget() As a result of the previous changes ad_get() and ad_fget() do completey the same, so factor out the common code to a new helper function. No change in behaviour. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791 Signed-off-by: Ralph Boehme Reviewed-by: Richard Sharpe Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Wed Aug 9 22:33:36 CEST 2017 on sn-devel-144 (cherry picked from commit d55c27abc5a7357f740c7065bbe12e7f36b57125) commit 67649b72d551d95d8fefc0f417d295be7a9c29ce Author: Ralph Boehme Date: Tue May 23 17:44:16 2017 +0200 vfs_fruit: return fake pipe fd in fruit_open_meta_netatalk() Do not open the basefile, that conflict with "kernel oplocks = yes". We just return a fake file fd based on dup'ing a pipe fd and ensure all VFS functions that go through vfs_fruit and work on the metadata stream can deal with it. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791 Signed-off-by: Ralph Boehme Reviewed-by: Richard Sharpe Reviewed-by: Volker Lendecke (cherry picked from commit 7583ee6e1c558067e4c7a7351085fcc0e4240366) commit 6f00dc7f9e9b14d0a018c22f75115d35e7cb22ad Author: Ralph Boehme Date: Tue May 23 17:31:47 2017 +0200 vfs_fruit: don't open basefile in ad_open() and simplify API We never need an fd on the basefile when operating on the metadata, as we can always use path based syscalls. Opening the basefile conflicts with "kernel oplocks" so just don't do it. Additional changes: - remove the adouble_type_t argument to ad_open(), the type is passed and set when allocating a struct adouble with ad_alloc() - additionally pass an optional fsp to ad_open() (so the caller can pass NULL). With this change we can move the fd inheritance from fsp to ad into ad_open() itself where it belongs and remove it from the caller ad_fget() Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791 Signed-off-by: Ralph Boehme Reviewed-by: Richard Sharpe (cherry picked from commit e92a39255e66f655e2758f0a71a01eaf258cf711) commit dafa1922d161255ae340b8ef6f9c23f04bad0523 Author: Ralph Boehme Date: Tue May 23 17:39:46 2017 +0200 vfs_fruit: use path based setxattr call in ad_fset() This allows later commits to remove opening of the basefile which conflict with "kernel oplocks = yes". Bug: https://bugzilla.samba.org/show_bug.cgi?id=12791 Signed-off-by: Ralph Boehme
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 53643ac vfs_gpfs: handle EACCES when fetching DOS attributes from xattr via 07b678b s3/smbd: handle EACCES when fetching DOS attributes from xattr via a64088b s3/smbd: handling of failed DOS attributes reading from cb38898 python: Fix incorrect kdc.conf parameter name in kerberos.py https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 53643ac0eb2391ddebab11916f010d28039eb4ba Author: Ralph Boehme Date: Thu Jun 8 19:18:36 2017 +0200 vfs_gpfs: handle EACCES when fetching DOS attributes from xattr When trying to fetch the DOS attributes via gpfswrap_get_winattrs_path() if the filesystem doesn't grant READ_ATTR to the file the function fails with EACCESS. But according to MS-FSA 2.1.5.1.2.1 "Algorithm to Check Access to an Existing File" FILE_LIST_DIRECTORY on a directory implies FILE_READ_ATTRIBUTES for directory entries. So if the user can open the parent directory for reading this implies FILE_LIST_DIRECTORY and we can safely call gpfswrap_get_winattrs_path() with DAC_OVERRIDE_CAPABILITY. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944 Signed-off-by: Ralph Boehme Reviewed-by: Christof Schmitt Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Wed Aug 9 01:21:14 CEST 2017 on sn-devel-144 (cherry picked from commit 62d73f5b936550d623ef4f31c7438ac3c90105b9) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Fri Aug 11 14:48:10 CEST 2017 on sn-devel-144 commit 07b678b377194d4e6b41e4d4e1609c3c55367cc0 Author: Ralph Boehme Date: Thu Jun 8 19:10:20 2017 +0200 s3/smbd: handle EACCES when fetching DOS attributes from xattr When trying to fetch the DOS attributes xattr via SMB_VFS_GETXATTR() if the filesystem doesn't grant read access to the file the xattr read request fails with EACCESS. But according to MS-FSA 2.1.5.1.2.1 "Algorithm to Check Access to an Existing File" FILE_LIST_DIRECTORY on a directory implies FILE_READ_ATTRIBUTES for directory entries. So if the user can open the parent directory for reading this implies FILE_LIST_DIRECTORY and we can safely call SMB_VFS_GETXATTR() as root, ensuring we can read the DOS attributes xattr. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944 Signed-off-by: Ralph Boehme Reviewed-by: Christof Schmitt (cherry picked from commit c54fcb7cbd0de244eed4134e877da6e9c16e7aab) commit a64088bdf223d408da4ad7912d5ea9c779ced34c Author: Ralph Boehme Date: Thu Jun 8 19:05:48 2017 +0200 s3/smbd: handling of failed DOS attributes reading Only fall back to using UNIX modes if we get NOT_IMPLEMENTED. This is exactly what we already do when setting DOS attributes. Bug: https://bugzilla.samba.org/show_bug.cgi?id=12944 Signed-off-by: Ralph Boehme Reviewed-by: Christof Schmitt (cherry picked from commit 9de1411d9e7c7ac3da544345d4dea7fd73dff01b) --- Summary of changes: source3/modules/vfs_gpfs.c | 69 +- source3/smbd/dosmode.c | 43 - 2 files changed, 110 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index a552cdd..b2c9244 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -1537,6 +1537,47 @@ static unsigned int vfs_gpfs_dosmode_to_winattrs(uint32_t dosmode) return winattrs; } +static int get_dos_attr_with_capability(struct smb_filename *smb_fname, + struct gpfs_winattr *attr) +{ + int saved_errno = 0; + int ret; + + /* +* According to MS-FSA 2.1.5.1.2.1 "Algorithm to Check Access to an +* Existing File" FILE_LIST_DIRECTORY on a directory implies +* FILE_READ_ATTRIBUTES for directory entries. Being able to stat() a +* file implies FILE_LIST_DIRECTORY for the directory containing the +* file. +*/ + + if (!VALID_STAT(smb_fname->st)) { + /* +* Safety net: dos_mode() already checks this, but as we set +* DAC_OVERRIDE_CAPABILITY based on this, add an additional +* layer of defense. +*/ + DBG_ERR("Rejecting DAC override, invalid stat [%s]\n", + smb_fname_str_dbg(smb_fname)); + errno = EACCES; + return -1; + } + + set_effective_capability(DAC_OVERRIDE_CAPABILITY); + + ret = gpfswrap_get_winattrs_path(smb_fname->base_name, attr); + if (ret == -1) { + saved_errno = errno; + } + + drop_effe
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via cb38898 python: Fix incorrect kdc.conf parameter name in kerberos.py from ee55090 WHATSNEW: Update doc for Samba AD with MIT Kerberos https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit cb38898fb36d537146fc0bf49da7f2600f7efb3a Author: Marc Muehlfeld Date: Sun Aug 6 11:50:55 2017 +0200 python: Fix incorrect kdc.conf parameter name in kerberos.py Signed-off-by: Marc Muehlfeld Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=12947 Typo in kdc.conf results in: Unable to load requested database module 'samba'. Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Thu Aug 10 12:58:59 CEST 2017 on sn-devel-144 --- Summary of changes: python/samba/provision/kerberos.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/python/samba/provision/kerberos.py b/python/samba/provision/kerberos.py index 24ced9c..4ed4d57 100644 --- a/python/samba/provision/kerberos.py +++ b/python/samba/provision/kerberos.py @@ -69,7 +69,7 @@ def create_kdc_conf(kdcconf, realm, domain, logdir): f.write("[dbmodules]\n") -f.write("\tdb_modules_dir = %s\n" % kdb_modules_dir) +f.write("\tdb_module_dir = %s\n" % kdb_modules_dir) f.write("\n") f.write("\t%s = {\n" % realm) -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via ee55090 WHATSNEW: Update doc for Samba AD with MIT Kerberos via 9461ede dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7 via c13e416 dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc from d77de9a s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit ee55090a72af7186b6d98d72da38ddb668879580 Author: Andreas Schneider Date: Mon Aug 7 14:55:34 2017 +0200 WHATSNEW: Update doc for Samba AD with MIT Kerberos This has been changed, the file is created in the private samba directory. The path is printed by 'samba-tool' after it has been created. Signed-off-by: Andreas Schneider Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Aug 8 12:49:24 CEST 2017 on sn-devel-144 commit 9461ede6adc4c9ec4d6754914b79d1d902127580 Author: Andrew Bartlett Date: Tue Aug 1 10:26:34 2017 +1200 dsdb: Do not force a re-index of sam.ldb on upgrade to 4.7 This means that no compatibleFeatures or incompatibleFeatures will be honoured until a re-index, but that can be triggered when these features are set. New databases will still get this support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12855 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 39c6274084e5d72d6fdfae1fb9fede439f6ad60d) commit c13e41642aa2e6b8aa7d0298d4a517d88281a5fd Author: Andrew Bartlett Date: Tue Aug 1 13:18:33 2017 +1200 dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc If we do not call ldb_module_done() then we do not know that up_req->callback() has been called, and ldb_next_request() will call the callback again. If called twice, the new ldb_lock_backend_callback() in ldb 1.2.0 will segfault. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12904 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Aug 1 07:52:38 CEST 2017 on sn-devel-144 (cherry picked from commit d5750f016362ce55a1c905509c419756b523dde6) --- Summary of changes: WHATSNEW.txt | 5 + python/samba/tests/dsdb.py| 23 +++ source4/dsdb/pydsdb.c | 1 + source4/dsdb/samdb/ldb_modules/util.c | 25 +++-- source4/dsdb/samdb/samdb.h| 2 ++ source4/dsdb/schema/schema_set.c | 22 +- 6 files changed, 71 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8302e5f..aa0730b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -100,10 +100,7 @@ Missing features, compared to Heimdal, are: The Samba AD process will take care of starting the MIT KDC and it will load a KDB (Kerberos Database) driver to access the Samba AD database. When provisioning an AD DC using 'samba-tool' it will take care of creating a correct -kdc.conf file for the MIT KDC. Note that 'samba-tool' will overwrite the system -kdc.conf by default. It is possible to use a different location during -provision. You should consult the 'samba-tool' help and smb.conf manpage for -details. +kdc.conf file for the MIT KDC. Dynamic RPC port range -- diff --git a/python/samba/tests/dsdb.py b/python/samba/tests/dsdb.py index ce5f599..a9f569b 100644 --- a/python/samba/tests/dsdb.py +++ b/python/samba/tests/dsdb.py @@ -23,6 +23,7 @@ from samba.auth import system_session from samba.tests import TestCase from samba.ndr import ndr_unpack, ndr_pack from samba.dcerpc import drsblobs +from samba import dsdb import ldb import os import samba @@ -505,3 +506,25 @@ class DsdbTests(TestCase): backend_filename) backend_path = self.lp.private_path(backend_subpath) self._test_full_db_lock2(backend_path) + +def test_no_error_on_invalid_control(self): +try: +res = self.samdb.search(expression="cn=Administrator", +scope=ldb.SCOPE_SUBTREE, +attrs=["replPropertyMetaData"], +controls=["local_oid:%s:0" + % dsdb.DSDB_CONTROL_INVALID_NOT_IMPLEMENTED]) +except ldb.LdbError as e: +self.fail("Should have not raised an exception") + +def test_error_on_invalid_critical_control(self): +try: +res = self.samdb.search(expression="cn=Administrator", +scope=ldb.SCOPE_SUBTREE, +
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via d77de9a s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified via cf4e08f s4-dsdb/netlogon: allow missing ntver in cldap ping via 11cbf1f s4:torture/ldap: Test netlogon without NtVer via 66707ea s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only) from 1a90ffe mit-kdb: Fix NULL pointer check after malloc https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit d77de9a6d0b265929fc10bcc31c560646ccc28bf Author: Andrew Bartlett Date: Tue Jul 25 14:26:45 2017 +1200 s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified The previous patch set this incorrectly to NETLOGON_NT_VERSION_1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392 Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall (cherry picked from commit 0554bc237f1b84d672d36781bead8b2c33f2e5a4) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Tue Aug 1 15:56:56 CEST 2017 on sn-devel-144 commit cf4e08fecb3cc5d687432aaee963e9c36ab96393 Author: Arvid Requate Date: Thu Jun 22 13:37:13 2017 +0200 s4-dsdb/netlogon: allow missing ntver in cldap ping BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392 Signed-off-by: Arvid Requate Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 88db634ed84647e5105c4b4fdf37d5892bebfd8d) commit 11cbf1f37494f8cfc8ba25554b348692f287ff77 Author: Arvid Requate Date: Tue Jun 20 20:05:17 2017 +0200 s4:torture/ldap: Test netlogon without NtVer BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392 Signed-off-by: Arvid Requate Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett (cherry picked from commit 22a94b728bd5d513b2002b62c129271d2210ed73) commit 66707ea1cdb3c274ad3c0752482180e2e97423b4 Author: Noel Power Date: Thu Jul 20 13:01:50 2017 +0100 s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only) uint16_t get_fileinfo(...) returns file attributes, this function called cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL, NULL, NULL, NULL); which was failing with NT_STATUS_ACCESS_DENIED errors when fnum above was obtained via (when using protocol > SMB). Note: This only seems to be an issue when run against a windows server, with smbd SMB1 & SMB2 work fine. status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, FILE_OPEN, 0x0, 0x0, &fnum, NULL); The failing cli_qfileinfo_basic call above is unnecessary as we can already obtain the required information from the cli_ntcreate call BUG: https://bugzilla.samba.org/show_bug.cgi?id=12937 Signed-off-by: Noel Power Reviewed-by: Jeremy Allison Reviewed-by: David Disseldorp (cherry picked from commit c57dcafb150823b00fd873046e65a966a8488fa8) --- Summary of changes: source3/utils/smbcacls.c | 14 ++--- source4/dsdb/samdb/ldb_modules/netlogon.c | 6 +--- source4/torture/ldap/netlogon.c | 48 +++ 3 files changed, 52 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index 86b4591..6bf32e5 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -229,30 +229,22 @@ get fileinfo for filename static uint16_t get_fileinfo(struct cli_state *cli, const char *filename) { uint16_t fnum = (uint16_t)-1; - uint16_t mode = 0; NTSTATUS status; + struct smb_create_returns cr = {0}; /* The desired access below is the only one I could find that works with NT4, W2KP and Samba */ status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ, 0, FILE_SHARE_READ|FILE_SHARE_WRITE, - FILE_OPEN, 0x0, 0x0, &fnum, NULL); + FILE_OPEN, 0x0, 0x0, &fnum, &cr); if (!NT_STATUS_IS_OK(status)) { printf("Failed to open %s: %s\n", filename, nt_errstr(status)); return 0; } - status = cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL, -NULL, NULL, NULL); - if (!NT_STATUS_IS_OK(status)) { - printf("Failed to file info %s: %s\n", filename, - nt_errstr(status)); -} - cli_close(cli, fnum); - -return mode; + return cr.file_attributes; } /**
[SCM] Samba Shared Repository - branch v4-7-test updated
The branch, v4-7-test has been updated via 1a90ffe mit-kdb: Fix NULL pointer check after malloc via 0309fcf s4:kcc: Add a NULL check before qsort() via 2a2ba42 selftest: Make --include-env and --exclude-env use the base env name via 6d469e7 selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds via 9fbfd46 s4-netlogon: Use log_escape to protect against un-validated strings via 3a65622 s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms via 32e9367 source4 netlogon: Add authentication logging for ServerAuthenticate3 via 280621c tests auth_log: Add new tests for NETLOGON via 09ed546 tests auth_log: Modify existing tests to handle NETLOGON messages via d8b9a83 auth_log: use symbolic constant to replace /root/ncalrpc_as_system via 0523140 rpc: use symbolic constant to replace /root/ncalrpc_as_system via eb6e820 dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system via e7d6201 samdb/cracknames: support user and service principal as desired format via 87103e3 samdb/cracknames: do not show recycled when a guid is desired via 08a0206 python/tests: add python test for cracknames via a432712 s4-rpc_server: Improve debug of new endpoints via c991fd9 s4-rpc_server: ensure we get a new endpoint for netlogon via f81665e WHATSNEW: Fix typo. via 762d338 vfs_ceph: fix cephwrap_chdir() from eb874b9 VERSION: Bump version up to 4.7.0rc4... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test - Log - commit 1a90ffe6d125fba6d509ba2721527fd113e7 Author: Andreas Schneider Date: Mon Jul 24 12:19:27 2017 +0200 mit-kdb: Fix NULL pointer check after malloc This fixes building with GCC 7.1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 9b64b11c2f2c1bc77ae887b34d7efcb9f1452da7) Autobuild-User(v4-7-test): Karolin Seeger Autobuild-Date(v4-7-test): Mon Jul 31 15:49:51 CEST 2017 on sn-devel-144 commit 0309fcfbdad1209eda38cfcd991a8542248a96b6 Author: Andreas Schneider Date: Mon Jul 24 12:13:50 2017 +0200 s4:kcc: Add a NULL check before qsort() This fixes building with GCC 7.1.1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930 Signed-off-by: Andreas Schneider Reviewed-by: Ralph Boehme (cherry picked from commit 314cf608932c21d593afd04769b07435bcd4fc53) commit 2a2ba42a66f3fcff07f4e65bda8c5cf8653e15f4 Author: Andrew Bartlett Date: Fri Jul 21 20:10:43 2017 +1200 selftest: Make --include-env and --exclude-env use the base env name The code as deployed would have required (eg) '--include-env=ktest --include-env=ktest:local' which was not done in autobuild, causing tests to be skipped. This patch restores the intended behaviour. This causes 33 testsuites to run, one more test (the newly added samba.tests.ntlmauth) than the old regex provided (before 602772159dfd1213385f42ecbf31136f57693b63). (The regression dropped us down to matching only 7 tests). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144 (cherry picked from commit 61455ad82e293df4a094204fdf28162baad686ae) commit 6d469e7ecb1b283064bc4768ba591b824964fbdf Author: Andrew Bartlett Date: Tue Jul 18 09:03:17 2017 +1200 selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144 (cherry picked from commit a420b1bdccbba72faf1108f7fae8b8202075db97) commit 9fbfd465ff64bc7bdfe3bdae1b5bd91c11a1e9c0 Author: Andrew Bartlett Date: Tue Jul 18 08:57:03 2017 +1200 s4-netlogon: Use log_escape to protect against un-validated strings Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy (cherry picked from commit 427a11b812d1872879658c998ef0328dd7c2a53a) commit 3a65622d77994c63c456ed1535fc3991af7cd94f Author: Andrew Bartlett Date: Tue Jul 18 08:46:08 2017 +1200 s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms This splits out the username into the input, mapped and obtained just as we do elsewhere. Signed-off-by: Andrew Bartlett Reviewed-by: Alexander Bokovoy (cherry picked from commit abd821b76b27eb8d9bc2f8acfcf9d98caf015f5f) commit 32e9367d37be9c6c40e6a1ea896094e5cdf141ea Author: Gary Lockyer Date