[SCM] Samba Shared Repository - branch v4-5-stable updated
Stefan Metzmacher
metze at samba.org
Wed Sep 7 15:07:16 UTC 2016
The branch, v4-5-stable has been updated
via 916fab0 VERSION: Set version to 4.5.0...
via dc2c876 WHATSNEW: Add release notes for Samba 4.5.0.
via d58fb55 s3-spoolss: fix _spoolss_GetPrinterDataEx by moving the keyname lengthcheck.
via 3989032 s4-torture: test GetPrinterData with server handle and 0 keylength.
via 2419d59 idmap_script: add missing "IDTOSID" argument to the script command line.
via 3987f0e vfs_acl_xattr|tdb: enforced settings when ignore system acls=yes
via 1f1d54c docs: document vfs_acl_xattr|tdb enforced settings
via 0069137 vfs_acl_common: use DBG_LEVEL and remove function prefixes in DEBUG statements
via 2aa1aea s4/torture: tests for vfs_acl_xattr default ACL styles
via 54e6a40 vfs_acl_common: Windows style default ACL
via 497e828 vfs_acl_xattr|tdb: add option to control default ACL style
via 7c657fc vfs_acl_common: check for ignore_system_acls before fetching filesystem ACL
via 694c5d0 vfs_acl_common: move stat stuff to a helper function
via eabd4f8 vfs_acl_tdb|xattr: use a config handle
via a48d106 vfs_acl_common: move the ACL blob validation to a helper function
via 8a8c2ce vfs_acl_common: simplify ACL logic, cleanup and talloc hierarchy
via a2fb0fb vfs_acl_common: remove redundant NULL assignment
via abbc4be vfs_acl_common: rename pdesc_next to psd_fs
via 32f3f7b vfs_acl_common: rename psd to psd_blob in get_nt_acl_internal()
via 8a02f97 Revert "vfs_acl_xattr: objects without NT ACL xattr"
via 64e1f55 s3/rpc_server: shared rpc modules directory may not exist
via 1349c67 gensec/spnego: work around missing server mechListMIC in SMB servers
via 73e24ec Merge tag 'samba-4.5.0rc3' into v4-5-test
via 51a6036 ctdb-tests: Add a test to ensure that CTDB works with no eventscripts
via af2386b ctdb-tests: Conditionally use temporary config file for local daemons
via 7e0846a ctdb-tests: Factor out function config_from_environment()
via 8b2e01a ctdb-daemon: Don't steal control structure before synchronous reply
via d9f5a6a ctdb-daemon: Handle failure immediately, do housekeeping later
via 41ca635 ctdb-daemon: Schedule running of callback if there are no event scripts
via 0ccfa21 dbcheck: Abandon dbcheck if we get an error during a transaction
via b005b5b dsdb: Allow missing a mandatory attribute from a dbcheck fix
via 181d050 script/release.sh: use 8 byte gpg key ids
via 91901e0 WHATSNEW: Start release notes for Samba 4.5.0rc4.
via ff8d3d6 VERSION: Bump version up to 4.5.0rc4...
via 6c94b10 VERSION: Disable git snapshots for the 4.5.0rc3 release.
via 81dff4e WHATSNEW: Release notes for Samba 4.5.0rc3.
via 46139bb tests/getnc_exop: Ensure that attribute list sorting is correct
via ef21629 getncchanges: Compute the partial attribute set from the remote schema
via 91f9633 tests/getnc_exop: PartialAttrSetEx test (passes Windows, fails us)
via 589b76f tests/getnc_exop: Ensure the remote prefixmap is always used (name attr)
via a6c6050 tests/getnc_exop: Ensure the remote prefixmap is always used (secret attrs)
via af88b47 tests/getnc_exop: Ensure that all attids are valid in a given PAS
via fc27d74 tests/getnc_exop: Ensure we do the fallback if not given a PAS
via ec38c59 drepl_out: Send the prefix map alongside the global catalog partial attribute set
via 752a32a drepl_out: Send the prefix map alongside the RODC partial attribute set
via c664c03 replicated_objects: Add missing newline for debug
via c146881 getncchanges: Fix some whitespace
via 257d1d6 tests/schemainfo: run dsdb schema info tests with proper URI
via e7c0cb3 Removed upgrading-samba4.txt
via 8869cf8 Added Wiki link to replPropertyMetaData Changes section
from d7258cb VERSION: Disable git snapshots for the 4.5.0rc3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 46 +-
auth/gensec/spnego.c | 69 +-
ctdb/server/ctdb_takeover.c | 11 +-
ctdb/server/eventscript.c | 87 ++-
ctdb/tests/simple/28_zero_eventscripts.sh | 45 ++
ctdb/tests/simple/scripts/local_daemons.bash | 33 +-
docs-xml/manpages/vfs_acl_tdb.8.xml | 49 ++
docs-xml/manpages/vfs_acl_xattr.8.xml | 49 ++
python/samba/dbchecker.py | 7 +
script/release.sh | 12 +-
selftest/target/Samba3.pm | 8 +
source3/modules/vfs_acl_common.c | 729 ++++++++++++++-------
source3/modules/vfs_acl_tdb.c | 28 +
source3/modules/vfs_acl_xattr.c | 28 +
source3/rpc_server/rpc_service_setup.c | 12 +-
source3/rpc_server/spoolss/srv_spoolss_nt.c | 12 +-
source3/selftest/tests.py | 4 +-
source3/winbindd/idmap_script.c | 2 +-
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 9 +-
source4/torture/rpc/spoolss.c | 22 +-
source4/torture/vfs/acl_xattr.c | 314 +++++++++
source4/torture/vfs/vfs.c | 1 +
source4/torture/wscript_build | 2 +-
testprogs/blackbox/dbcheck-oldrelease.sh | 10 +
25 files changed, 1283 insertions(+), 308 deletions(-)
create mode 100755 ctdb/tests/simple/28_zero_eventscripts.sh
create mode 100644 source4/torture/vfs/acl_xattr.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 85ce530..91beb78 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=3
+SAMBA_VERSION_RC_RELEASE=
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 91422af..b198a56 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,12 +1,10 @@
-Release Announcements
-=====================
+ =============================
+ Release Notes for Samba 4.5.0
+ September 7, 2016
+ =============================
-This is the third release candidate of Samba 4.5. This is *not*
-intended for production environments and is designed for testing
-purposes only. Please report any defects via the Samba bug reporting
-system at https://bugzilla.samba.org/.
-Samba 4.5 will be the next version of the Samba suite.
+This is the first stable release of the Samba 4.5 release series.
UPGRADING
@@ -343,9 +341,43 @@ smb.conf changes
KNOWN ISSUES
============
+While a lot of schema replication bugs were fixed in this release
+Bug 12204 - Samba fails to replicate schema 69
+(https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
+The replication fails if more than 133 schema objects are added
+at the same time.
+
+More open bugs are listed at:
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
+CHANGES SINCE 4.5.0rc3
+======================
+
+o Björn Baumbach <bb at sernet.de>
+ * BUG 12194: idmap_script: fix missing "IDTOSID" argument in scripts
+ command line.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 12178: samba-tool dbcheck fails to fix replPropertyMetaData.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 12177: Unexpected synthesized default ACL from vfs_acl_xattr.
+ * BUG 12181: vfs_acl_common not setting filesystem permissions anymore.
+ * BUG 12184: Loading shared RPC modules failed.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 12245: fix _spoolss_GetPrinterDataEx by moving the keyname
+ length check.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11994: smbclient fails to connect to Azure or Apple share spnego
+ fails with no mechListMIC.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 12180: CTDB crashes running eventscripts.
+
+
CHANGES SINCE 4.5.0rc2
======================
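Review bot: the BUG 11994 entry in the "CHANGES SINCE 4.5.0rc3" list runs two statements together ("smbclient fails to connect to Azure or Apple share spnego fails with no mechListMIC") and describes only the symptom. Since the fix changes when the client insists on a mechListMIC, the release notes should say so, for example that a missing server mechListMIC is now tolerated only when there was no mechanism downgrade and the caller did not ask for signing or sealing.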
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ef30ab7..5f5047a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,9 +55,11 @@ struct spnego_state {
DATA_BLOB mech_types;
size_t num_targs;
+ bool downgraded;
bool mic_requested;
bool needs_mic_sign;
bool needs_mic_check;
+ bool may_skip_mic_check;
bool done_mic_check;
bool simulate_w2k;
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
* Indicate the downgrade and request a
* mic.
*/
+ spnego_state->downgraded = true;
spnego_state->mic_requested = true;
break;
}
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+ spnego_state->downgraded = true;
spnego_state->no_response_expected = false;
talloc_free(spnego_state->sub_sec_security);
nt_status = gensec_subcontext_start(spnego_state,
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
return NT_STATUS_INVALID_PARAMETER;
}
+ if (spnego.negTokenTarg.mechListMIC.length == 0
+ && spnego_state->may_skip_mic_check) {
+ /*
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->needs_mic_check = false;
+ nt_status = NT_STATUS_OK;
+ goto client_response;
+ }
+
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
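Review bot: the new early exit on `mechListMIC.length == 0 && spnego_state->may_skip_mic_check` does not test `spnego_state->downgraded` itself, so the downgrade protection here depends entirely on `may_skip_mic_check` having been set only on the non-downgraded path in the SPNEGO_ACCEPT_INCOMPLETE case. Adding `&& !spnego_state->downgraded` to this condition would keep that guarantee at the point where the check is actually dropped. A DEBUG line in this branch would also let an administrator see from the log that the server sent no mechListMIC and that it was not verified.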
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
*/
new_spnego = false;
}
+
break;
case SPNEGO_ACCEPT_INCOMPLETE:
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ new_spnego = true;
+ break;
+ }
+
+ if (spnego_state->downgraded) {
+ /*
+ * A downgrade should be protected if
+ * supported
+ */
+ break;
+ }
+
+ /*
+ * The caller may just asked for
+ * GENSEC_FEATURE_SESSION_KEY, this
+ * is only reflected in the want_features.
+ *
+ * As it will imply
+ * gensec_have_features(GENSEC_FEATURE_SIGN)
+ * to return true.
+ */
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+ break;
+ }
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ break;
+ }
+ /*
+ * Here we're sure our preferred mech was
+ * selected by the server and our caller doesn't
+ * need GENSEC_FEATURE_SIGN nor
+ * GENSEC_FEATURE_SEAL support.
+ *
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->may_skip_mic_check = true;
+ break;
+
case SPNEGO_REQUEST_MIC:
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
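Review bot: the comment above the `want_features` tests in the SPNEGO_ACCEPT_INCOMPLETE case ("The caller may just asked for GENSEC_FEATURE_SESSION_KEY ...") is ungrammatical and does not state the conclusion, which is that `want_features` is tested here because `gensec_have_features(GENSEC_FEATURE_SIGN)` would return true even for a caller that only wanted a session key. Please reword it, and consider folding the two tests into one, `if (gensec_security->want_features & (GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL))`, so the condition for setting `may_skip_mic_check` reads as a single decision. The blank line added before the first `break;` in this hunk is an unrelated whitespace change, and the Azure/Apple workaround comment duplicates the one added in the previous hunk word for word.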
diff --git a/ctdb/server/ctdb_takeover.c b/ctdb/server/ctdb_takeover.c
index ede635e..d10ffef 100644
--- a/ctdb/server/ctdb_takeover.c
+++ b/ctdb/server/ctdb_takeover.c
@@ -522,7 +522,7 @@ static int32_t ctdb_do_takeip(struct ctdb_context *ctdb,
state = talloc(vnn, struct ctdb_do_takeip_state);
CTDB_NO_MEMORY(ctdb, state);
- state->c = talloc_steal(ctdb, c);
+ state->c = NULL;
state->vnn = vnn;
vnn->update_in_flight = true;
@@ -551,6 +551,7 @@ static int32_t ctdb_do_takeip(struct ctdb_context *ctdb,
return -1;
}
+ state->c = talloc_steal(ctdb, c);
return 0;
}
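Review bot: `state->c = talloc_steal(ctdb, c)` now sits after the last `return -1` in ctdb_do_takeip(), but nothing at either site says why the order matters. A one-line comment at `state->c = NULL;` or at the steal, stating that `c` must stay owned by the caller until it is certain the reply will be asynchronous, would stop a later cleanup from moving the steal back up. It is also worth confirming that no callback can run between the allocation of `state` and this line, since it would see `state->c == NULL`. The same applies to the matching hunks in ctdb_do_updateip() and ctdb_control_release_ip().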
@@ -659,7 +660,7 @@ static int32_t ctdb_do_updateip(struct ctdb_context *ctdb,
state = talloc(vnn, struct ctdb_do_updateip_state);
CTDB_NO_MEMORY(ctdb, state);
- state->c = talloc_steal(ctdb, c);
+ state->c = NULL;
state->old = old;
state->vnn = vnn;
@@ -691,6 +692,7 @@ static int32_t ctdb_do_updateip(struct ctdb_context *ctdb,
return -1;
}
+ state->c = talloc_steal(ctdb, c);
return 0;
}
@@ -1003,8 +1005,8 @@ int32_t ctdb_control_release_ip(struct ctdb_context *ctdb,
return -1;
}
- state->c = talloc_steal(state, c);
- state->addr = talloc(state, ctdb_sock_addr);
+ state->c = NULL;
+ state->addr = talloc(state, ctdb_sock_addr);
if (state->addr == NULL) {
ctdb_set_error(ctdb, "Out of memory at %s:%d",
__FILE__, __LINE__);
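Review bot: the `state->addr = talloc(state, ctdb_sock_addr);` line is removed and re-added with the same text, so this hunk carries a whitespace-only change next to the functional one (`state->c = NULL;`). Please drop the whitespace change or move it to a separate cleanup commit so the fix is easier to backport.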
@@ -1037,6 +1039,7 @@ int32_t ctdb_control_release_ip(struct ctdb_context *ctdb,
/* tell the control that we will be reply asynchronously */
*async_reply = true;
+ state->c = talloc_steal(state, c);
return 0;
}
diff --git a/ctdb/server/eventscript.c b/ctdb/server/eventscript.c
index bd5bc0d..86d37d9 100644
--- a/ctdb/server/eventscript.c
+++ b/ctdb/server/eventscript.c
@@ -699,6 +699,62 @@ static int remove_callback(struct event_script_callback *callback)
return 0;
}
+struct schedule_callback_state {
+ struct ctdb_context *ctdb;
+ void (*callback)(struct ctdb_context *, int, void *);
+ void *private_data;
+ int status;
+ struct tevent_immediate *im;
+};
+
+static void schedule_callback_handler(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data)
+{
+ struct schedule_callback_state *state =
+ talloc_get_type_abort(private_data,
+ struct schedule_callback_state);
+
+ if (state->callback != NULL) {
+ state->callback(state->ctdb, state->status,
+ state->private_data);
+ }
+ talloc_free(state);
+}
+
+static int
+schedule_callback_immediate(struct ctdb_context *ctdb,
+ void (*callback)(struct ctdb_context *,
+ int, void *),
+ void *private_data,
+ int status)
+{
+ struct schedule_callback_state *state;
+ struct tevent_immediate *im;
+
+ state = talloc_zero(ctdb, struct schedule_callback_state);
+ if (state == NULL) {
+ DEBUG(DEBUG_ERR, (__location__ " out of memory\n"));
+ return -1;
+ }
+ im = tevent_create_immediate(state);
+ if (im == NULL) {
+ DEBUG(DEBUG_ERR, (__location__ " out of memory\n"));
+ talloc_free(state);
+ return -1;
+ }
+
+ state->ctdb = ctdb;
+ state->callback = callback;
+ state->private_data = private_data;
+ state->status = status;
+ state->im = im;
+
+ tevent_schedule_immediate(im, ctdb->ev,
+ schedule_callback_handler, state);
+ return 0;
+}
+
/*
run the event script in the background, calling the callback when
finished
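Review bot: schedule_callback_immediate() stores the raw `private_data` pointer in a state object parented to `ctdb`, and the callback now runs from the event loop after the caller has returned, so nothing here keeps `private_data` alive or cancels the immediate event if it is freed first. Please either document above the function that `private_data` must outlive the scheduled callback, or tie the lifetime of `state` to it. Smaller points: `state->im` is assigned but never read in this hunk (the immediate is already a talloc child of `state`), and the function has no comment explaining why the callback is deferred instead of being called directly.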
@@ -815,28 +871,33 @@ static int ctdb_event_script_callback_v(struct ctdb_context *ctdb,
state->current = 0;
state->child = 0;
- if (call == CTDB_EVENT_MONITOR) {
- ctdb->current_monitor = state;
- }
-
- talloc_set_destructor(state, event_script_destructor);
-
- ctdb->active_events++;
-
/* Nothing to do? */
if (state->scripts->num_scripts == 0) {
- callback(ctdb, 0, private_data);
+ int ret = schedule_callback_immediate(ctdb, callback,
+ private_data, 0);
talloc_free(state);
+ if (ret != 0) {
+ DEBUG(DEBUG_ERR,
+ ("Unable to schedule callback for 0 scripts\n"));
+ return 1;
+ }
return 0;
}
state->scripts->scripts[0].status = fork_child_for_script(ctdb, state);
if (state->scripts->scripts[0].status != 0) {
- /* Callback is called from destructor, with fail result. */
talloc_free(state);
- return 0;
+ return -1;
}
+ if (call == CTDB_EVENT_MONITOR) {
+ ctdb->current_monitor = state;
+ }
+
+ ctdb->active_events++;
+
+ talloc_set_destructor(state, event_script_destructor);
+
if (!timeval_is_zero(&state->timeout)) {
tevent_add_timer(ctdb->ev, state,
timeval_current_ofs(state->timeout.tv_sec,
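Review bot: the two new error paths in ctdb_event_script_callback_v() return different values, `return 1` when schedule_callback_immediate() fails and `return -1` when fork_child_for_script() fails; unless callers distinguish them, use -1 for both. The fork failure path also changes behaviour: the removed comment said the callback was called from the destructor with a failure result, whereas the destructor is now installed only after a successful fork, so the callback is not invoked at all and the caller must act on the -1. That contract change deserves a comment at the `return -1;`.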
@@ -1015,7 +1076,7 @@ int32_t ctdb_run_eventscripts(struct ctdb_context *ctdb,
state = talloc(ctdb->event_script_ctx, struct eventscript_callback_state);
CTDB_NO_MEMORY(ctdb, state);
- state->c = talloc_steal(state, c);
+ state->c = NULL;
DEBUG(DEBUG_NOTICE,("Running eventscripts with arguments %s\n", indata.dptr));
@@ -1031,7 +1092,7 @@ int32_t ctdb_run_eventscripts(struct ctdb_context *ctdb,
/* tell ctdb_control.c that we will be replying asynchronously */
*async_reply = true;
-
+ state->c = talloc_steal(state, c);
return 0;
}
diff --git a/ctdb/tests/simple/28_zero_eventscripts.sh b/ctdb/tests/simple/28_zero_eventscripts.sh
new file mode 100755
index 0000000..7c03ae4
--- /dev/null
+++ b/ctdb/tests/simple/28_zero_eventscripts.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+test_info()
+{
+ cat <<EOF
+Check that CTDB operated correctly if there are 0 event scripts
+
+This test only does anything with local daemons. On a real cluster it
+has no way of updating configuration.
+EOF
+}
+
+. "${TEST_SCRIPTS_DIR}/integration.bash"
+
+ctdb_test_init "$@"
+
+set -e
+
+cluster_is_healthy
+
+if [ -z "$TEST_LOCAL_DAEMONS" ] ; then
+ echo "SKIPPING this test - only runs against local daemons"
+ exit 0
+fi
+
+# Reset configuration
+ctdb_restart_when_done
+
+daemons_stop
+
+echo "Starting CTDB with an empty eventscript directory..."
+empty_dir=$(mktemp -d --tmpdir="$TEST_VAR_DIR")
+ctdb_test_exit_hook_add "rmdir $empty_dir"
+CTDB_EVENT_SCRIPT_DIR="$empty_dir" daemons_start
+
+wait_until_ready
+
+# If this fails to find processes then the tests fails, so look at
+# full command-line so this will work with valgrind. Note that the
+# output could be generated with pgrep's -a option but it doesn't
+# exist in older versions.
+ps -p $(pgrep -f '\<ctdbd\>' | xargs | sed -e 's| |,|g') -o args ww
+
+echo
+echo "Good, that seems to work!"
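Review bot: the only check in this test is the `ps -p $(pgrep -f '\<ctdbd\>' | ...)` line, which fails under `set -e` by passing an empty process list to `ps` when no ctdbd is running. An explicit test of the pgrep result with a clear failure message would make a failing run easier to read. The exit hook is built as `"rmdir $empty_dir"`, so the path is re-split when the hook runs; quote it inside the hook string. Two typos: "Check that CTDB operated correctly" should read "operates", and "then the tests fails" should read "then the test fails".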
diff --git a/ctdb/tests/simple/scripts/local_daemons.bash b/ctdb/tests/simple/scripts/local_daemons.bash
index ecb64f9..fb1e7e1 100644
--- a/ctdb/tests/simple/scripts/local_daemons.bash
+++ b/ctdb/tests/simple/scripts/local_daemons.bash
@@ -22,6 +22,15 @@ export CTDB_NODES="${TEST_VAR_DIR}/nodes.txt"
#######################################
+config_from_environment ()
+{
+ # Override from the environment. This would be easier if env was
+ # guaranteed to quote its output so it could be reused.
+ env |
+ grep '^CTDB_' |
+ sed -e 's@=\([^"]\)@="\1@' -e 's@[^"]$@&"@' -e 's@="$@&"@'
+}
+
setup_ctdb ()
{
mkdir -p "${TEST_VAR_DIR}/test.db/persistent"
@@ -99,11 +108,9 @@ CTDB_SOCKET="${TEST_VAR_DIR}/sock.$pnn"
CTDB_NOSETSCHED=yes
EOF
- # Override from the environment. This would be easier if env was
- # guaranteed to quote its output so it could be reused.
- env |
- grep '^CTDB_' |
- sed -e 's@=\([^"]\)@="\1@' -e 's@[^"]$@&"@' -e 's@="$@&"@' >>"$conf"
+ # Append any configuration variables set in environment to
+ # configuration file so they affect CTDB after each restart.
+ config_from_environment >>"$conf"
done
}
@@ -116,9 +123,25 @@ daemons_start ()
local pidfile="${TEST_VAR_DIR}/ctdbd.${pnn}.pid"
local conf="${TEST_VAR_DIR}/ctdbd.${pnn}.conf"
+ # If there is any CTDB configuration in the environment then
+ # append it to the regular configuration in a temporary
+ # configuration file and use it just this once.
+ local tmp_conf=""
+ local env_conf=$(config_from_environment)
+ if [ -n "$env_conf" ] ; then
+ tmp_conf=$(mktemp --tmpdir="$TEST_VAR_DIR")
+ cat "$conf" >"$tmp_conf"
+ echo "$env_conf" >>"$tmp_conf"
+ conf="$tmp_conf"
+ fi
+
CTDBD="${VALGRIND} ctdbd --sloppy-start --nopublicipcheck" \
CTDBD_CONF="$conf" \
ctdbd_wrapper "$pidfile" start
+
+ if [ -n "$tmp_conf" ] ; then
+ rm -f "$tmp_conf"
+ fi
done
}
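Review bot: in daemons_start() the result of `mktemp --tmpdir="$TEST_VAR_DIR"` is not checked. If it fails, `tmp_conf` is empty, the `cat "$conf" >"$tmp_conf"` redirection fails, and `conf` is then overwritten with the empty string, so ctdbd_wrapper is started with `CTDBD_CONF=""` instead of the regular configuration. Please bail out, or fall back to the original `$conf`, when mktemp fails. `local env_conf=$(config_from_environment)` also hides the exit status of the command substitution; declare the variable first and assign on a separate line.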
diff --git a/docs-xml/manpages/vfs_acl_tdb.8.xml b/docs-xml/manpages/vfs_acl_tdb.8.xml
index 724776d..5ac6510 100644
--- a/docs-xml/manpages/vfs_acl_tdb.8.xml
+++ b/docs-xml/manpages/vfs_acl_tdb.8.xml
@@ -40,6 +40,15 @@
<filename>$LOCKDIR/file_ntacls.tdb</filename>.
</para>
--
Samba Shared Repository