[SCM] Samba Shared Repository - branch v4-2-test updated
Stefan Metzmacher
metze at samba.org
Mon Aug 17 18:40:08 UTC 2015
The branch, v4-2-test has been updated
via baf5328 ctdb-build: Fix building of PCP PMDA module
via a156ca8 ctdb-daemon: Check if updates are in flight when releasing all IPs
via 864ca13 ctdb-banning: If node is already banned, do not run ctdb_local_node_got_banned()
via dc65591 s3-net: use talloc array in share allowedusers
via 65f09ac s4:rpc_server/netlogon: Fix for NetApp
from 98ac8fc s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit baf532857f534f659bfa28f6110a0cf97fc987e6
Author: Martin Schwenke <martin at meltin.net>
Date: Thu Jun 25 15:06:27 2015 +1000
ctdb-build: Fix building of PCP PMDA module
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 1e13455d7e9d668b426427e8bdebc73328e50d92)
Autobuild-User(v4-2-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-2-test): Mon Aug 17 20:39:02 CEST 2015 on sn-devel-104
commit a156ca8113f3c0eeb0e1045ef3589fadfe773152
Author: Martin Schwenke <martin at meltin.net>
Date: Fri Jul 24 15:32:42 2015 +1000
ctdb-daemon: Check if updates are in flight when releasing all IPs
Some code involved in releasing IPs is not re-entrant. Memory
corruption can occur if, for example, overlapping attempts are made to
ban a node. We haven't been able to recreate the corruption but this
should protect against it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11432
Signed-off-by: Martin Schwenke <martin at meltin.net>
Reviewed-by: Amitay Isaacs <amitay at gmail.com>
(cherry picked from commit 952a50485f68b3cffdf57da84aa9bb9fde630b7e)
commit 864ca138b0d0b83c570f6d519835a319ccd1f7e4
Author: Amitay Isaacs <amitay at gmail.com>
Date: Mon Jul 27 16:51:08 2015 +1000
ctdb-banning: If node is already banned, do not run ctdb_local_node_got_banned()
This calls release_all_ips() only once on the first ban. If the node gets
banned again due to event script timeout while running release_all_ips(),
then avoid calling release_all_ips() in re-entrant fashion.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11432
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 8eb04d09b119e234c88150e1dc35fc5057f9c926)
commit dc65591c9ada6df1c93403eaaeee6e389cefecb1
Author: Ralph Boehme <slow at samba.org>
Date: Tue Aug 4 11:18:34 2015 +0200
s3-net: use talloc array in share allowedusers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11426
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Aug 4 16:48:36 CEST 2015 on sn-devel-104
(cherry picked from commit 95eb6db580678a29b1f5f30a9567ea449a43d75a)
commit 65f09ac77c78e653fc96b0c294d1cad9a6fab661
Author: Arvid Requate <requate at univention.de>
Date: Thu Aug 6 15:00:25 2015 +0200
s4:rpc_server/netlogon: Fix for NetApp
This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291
Signed-off-by: Arvid Requate <requate at univention.de>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Aug 6 20:29:04 CEST 2015 on sn-devel-104
(cherry picked from commit d3ac3da98611e665dc0f4e825faa5f12f6c848ef)
-----------------------------------------------------------------------
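The three-step exchange from the s4:rpc_server/netlogon commit message, replayed against a toy one-entry challenge cache with the flush placed before and after the strong-keys check. This is an added illustration, not Samba code; every type and function name in it is hypothetical, and credential verification is left out of the model.

```c
/* Added illustration: a toy model, not Samba code. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum status { ST_OK, ST_DOWNGRADE_DETECTED, ST_ACCESS_DENIED };

/* One-entry stand-in for the server's cached challenge. */
struct server { bool have_challenge; bool flush_early; };

/* Step 1: netr_ServerReqChallenge stores a challenge for the client. */
static void req_challenge(struct server *s) { s->have_challenge = true; }

/* Steps 2 and 3: netr_ServerAuthenticate2 with or without strong keys. */
static enum status authenticate(struct server *s, bool strong_keys)
{
    if (!s->have_challenge) {
        return ST_ACCESS_DENIED;      /* "No challenge requested by client" */
    }
    if (s->flush_early) {
        s->have_challenge = false;    /* old order: flush before the flag check */
    }
    if (!strong_keys) {
        return ST_DOWNGRADE_DETECTED; /* new order: the challenge survives this */
    }
    s->have_challenge = false;        /* new order: flush after the flag check */
    return ST_OK;
}

/* Replays the three steps and returns the status of the final call. */
static enum status run_exchange(bool flush_early)
{
    struct server s = { false, flush_early };
    req_challenge(&s);
    if (authenticate(&s, false) != ST_DOWNGRADE_DETECTED) {
        return ST_ACCESS_DENIED;
    }
    return authenticate(&s, true);
}

/* After a completed authentication the challenge must be gone again. */
static enum status replay_after_success(void)
{
    struct server s = { false, false };
    req_challenge(&s);
    authenticate(&s, true);
    return authenticate(&s, true);
}

int main(void)
{
    printf("early=%d late=%d replay=%d\n", run_exchange(true),
           run_exchange(false), replay_after_success());
    return 0;
}
```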
Summary of changes:
ctdb/server/ctdb_banning.c | 7 ++++++-
ctdb/server/ctdb_takeover.c | 18 +++++++++++++++---
ctdb/wscript | 2 +-
source3/utils/net_rpc.c | 24 ++++++++++++++++++++----
source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 +++++++++++-----------
5 files changed, 53 insertions(+), 20 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ctdb/server/ctdb_banning.c b/ctdb/server/ctdb_banning.c
index a9d1891..d8f7ab1 100644
--- a/ctdb/server/ctdb_banning.c
+++ b/ctdb/server/ctdb_banning.c
@@ -80,6 +80,7 @@ void ctdb_local_node_got_banned(struct ctdb_context *ctdb)
int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata)
{
struct ctdb_ban_time *bantime = (struct ctdb_ban_time *)indata.dptr;
+ bool already_banned;
DEBUG(DEBUG_INFO,("SET BAN STATE\n"));
@@ -107,9 +108,11 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata)
return 0;
}
+ already_banned = false;
if (ctdb->banning_ctx != NULL) {
talloc_free(ctdb->banning_ctx);
ctdb->banning_ctx = NULL;
+ already_banned = true;
}
if (bantime->time == 0) {
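Review bot: already_banned is derived from ctdb->banning_ctx != NULL, and it is set before the bantime->time == 0 test that follows, so it is also true on an unban request; the name only fits if that branch returns before the flag is read. Initialise it at the declaration (bool already_banned = false;) and add a one-line comment that a non-NULL banning_ctx means a ban timer is currently pending.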
@@ -136,7 +139,9 @@ int32_t ctdb_control_set_ban_state(struct ctdb_context *ctdb, TDB_DATA indata)
event_add_timed(ctdb->ev, ctdb->banning_ctx, timeval_current_ofs(bantime->time,0), ctdb_ban_node_event, ctdb);
- ctdb_local_node_got_banned(ctdb);
+ if (!already_banned) {
+ ctdb_local_node_got_banned(ctdb);
+ }
return 0;
}
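Review bot: The new if (!already_banned) guard skips all of ctdb_local_node_got_banned() on a repeat ban, not only the IP release the commit message is concerned with, and it does so silently. A comment above the guard saying why a re-ban needs none of that work, plus a DEBUG line in the skipped case, would make an extended ban visible in the logs.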
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index f8369da..4b9ab38 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -3242,9 +3242,6 @@ void ctdb_takeover_client_destructor_hook(struct ctdb_client *client)
}
-/*
- release all IPs on shutdown
- */
void ctdb_release_all_ips(struct ctdb_context *ctdb)
{
struct ctdb_vnn *vnn;
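Review bot: The comment above ctdb_release_all_ips() is deleted without a replacement, which leaves the function undocumented. Replace it with a comment that says in which situations the function is called and that addresses with an update in flight are skipped.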
@@ -3259,6 +3256,20 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb)
continue;
}
+ /* Don't allow multiple releases at once. Some code,
+ * particularly ctdb_tickle_sentenced_connections() is
+ * not re-entrant */
+ if (vnn->update_in_flight) {
+ DEBUG(DEBUG_WARNING,
+ (__location__
+ " Not releasing IP %s/%u on interface %s, an update is already in progess\n",
+ ctdb_addr_to_str(&vnn->public_address),
+ vnn->public_netmask_bits,
+ ctdb_vnn_iface_string(vnn)));
+ continue;
+ }
+ vnn->update_in_flight = true;
+
DEBUG(DEBUG_INFO,("Release of IP %s/%u on interface %s node:-1\n",
ctdb_addr_to_str(&vnn->public_address),
vnn->public_netmask_bits,
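Review bot: In the new update_in_flight branch, continue leaves the address configured, and since the function returns void a caller that expects every IP to be gone afterwards cannot tell that one was skipped. Say in the comment which in-flight operation is relied on to release that address, or count the skipped addresses and log the total. The warning text also has a typo, "progess" for "progress".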
@@ -3270,6 +3281,7 @@ void ctdb_release_all_ips(struct ctdb_context *ctdb)
vnn->public_netmask_bits);
release_kill_clients(ctdb, &vnn->public_address);
ctdb_vnn_unassign_iface(ctdb, vnn);
+ vnn->update_in_flight = false;
count++;
}
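Review bot: vnn->update_in_flight is cleared only here, at the end of the loop body, so any path that leaves the iteration between the vnn->update_in_flight = true in the previous hunk and this line would leave the address marked busy for good. A short comment at both sites stating that nothing in between may continue or return would keep the pair from drifting apart in later changes.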
diff --git a/ctdb/wscript b/ctdb/wscript
index 104fc9a..771a344 100755
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -416,7 +416,7 @@ def build(bld):
source='utils/pmda/pmda_ctdb.c',
includes='include include/internal',
deps='''ctdb-client ctdb-common ctdb-system
- pcp_pmda pcp''',
+ ctdb-common-util pcp_pmda pcp''',
install_path='${CTDB_PMDADIR}')
bld.INSTALL_FILES('${CTDB_PMDADIR}', 'utils/pmda/Install',
destname='Install')
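Review bot: The commit message has no body, so nothing records why pmda_ctdb.c needs ctdb-common-util added to deps. A sentence naming the unresolved symbols, or the change that moved them, would make this cherry-pick easier to audit.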
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index b5c4d0b..cd17b2c 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -4521,10 +4521,25 @@ static struct full_alias *server_aliases;
/*
* Add an alias to the static list.
*/
-static void push_alias(TALLOC_CTX *mem_ctx, struct full_alias *alias)
+static void push_alias(struct full_alias *alias)
{
- if (server_aliases == NULL)
- server_aliases = SMB_MALLOC_ARRAY(struct full_alias, 100);
+ size_t array_size;
+
+ if (server_aliases == NULL) {
+ server_aliases = talloc_array(NULL, struct full_alias, 100);
+ if (server_aliases == NULL) {
+ smb_panic("talloc_array failed");
+ }
+ }
+
+ array_size = talloc_array_length(server_aliases);
+ if (array_size == num_server_aliases) {
+ server_aliases = talloc_realloc(NULL, server_aliases,
+ struct full_alias, array_size + 100);
+ if (server_aliases == NULL) {
+ smb_panic("talloc_realloc failed");
+ }
+ }
server_aliases[num_server_aliases] = *alias;
num_server_aliases += 1;
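Review bot: Both allocation failures in the new push_alias() end in smb_panic() because the function returns void; returning bool or NTSTATUS would let rpc_fetch_domain_aliases() fail with an error instead of aborting the net command. The growth test array_size == num_server_aliases is exact-match only, so >= is the safer comparison before the write to server_aliases[num_server_aliases], and the 100 used for both the initial size and the increment should be a named constant.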
@@ -4633,7 +4648,7 @@ static NTSTATUS rpc_fetch_domain_aliases(struct rpc_pipe_client *pipe_hnd,
sid_compose(&alias.sid, domain_sid,
groups->entries[i].idx);
- push_alias(mem_ctx, &alias);
+ push_alias(&alias);
}
} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
@@ -5263,6 +5278,7 @@ static NTSTATUS rpc_share_allowedusers_internals(struct net_context *c,
free_user_token(&tokens[i].token);
}
SAFE_FREE(tokens);
+ TALLOC_FREE(server_aliases);
return nt_status;
}
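Review bot: TALLOC_FREE(server_aliases) sets the pointer back to NULL, but nothing in this hunk resets num_server_aliases, so a later push_alias() would allocate 100 entries and then index with the stale count, which the == growth check does not catch. Add num_server_aliases = 0; next to the free.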
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index c5740f6..3ea26e2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -170,17 +170,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
}
}
- /*
- * At this point we can cleanup the cache entry,
- * if we fail the client needs to call netr_ServerReqChallenge
- * again.
- *
- * Note: this handles global_challenge_table == NULL
- * and also a non existing record just fine.
- */
- memcache_delete(global_challenge_table,
- SINGLETON_CACHE, challenge_key);
-
server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
NETLOGON_NEG_PERSISTENT_SAMREPL |
NETLOGON_NEG_ARCFOUR |
@@ -227,6 +216,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
}
/*
+ * At this point we can cleanup the cache entry,
+ * if we fail the client needs to call netr_ServerReqChallenge
+ * again.
+ *
+ * Note: this handles global_challenge_table == NULL
+ * and also a non existing record just fine.
+ */
+ memcache_delete(global_challenge_table,
+ SINGLETON_CACHE, challenge_key);
+
+ /*
* According to Microsoft (see bugid #6099)
* Windows 7 looks at the negotiate_flags
* returned in this structure *even if the
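Review bot: With memcache_delete() moved down to this point, every return between the old and the new position leaves the cached challenge usable for another attempt, while the commit message names only NT_STATUS_DOWNGRADE_DETECTED. The moved comment still says "if we fail the client needs to call netr_ServerReqChallenge again", which no longer holds for those earlier failures; reword it to list which rejections intentionally keep the challenge, and confirm that no other early return sits in that range.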
--
Samba Shared Repository