[SCM] Samba Shared Repository - branch v4-6-stable updated
Karolin Seeger
kseeger at samba.org
Wed Aug 9 06:53:53 UTC 2017
The branch, v4-6-stable has been updated
via a42a92b VERSION: Disable GIT_SNAPSHOTS for the 4.6.7 release.
via 7f7e329 WHATSNEW: Add release notes for Samba 4.6.7.
via f2a0600 s4-cldap/netlogon: Match Windows 2012R2 and return NETLOGON_NT_VERSION_5 when version unspecified
via 0ee93fe s4-dsdb/netlogon: allow missing ntver in cldap ping
via 38d8f3c s4:torture/ldap: Test netlogon without NtVer
via 3a5cf43 s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
via fd96410 vfs_ceph: fix cephwrap_chdir()
via a81b8f2 s3: smbd: Fix a read after free if a chained SMB1 call goes async.
via 6155eba s3: libsmb: Fix use-after-free when accessing pointer *p.
via 378886b smbd: Fix a connection run-down race condition
via c1e5a22 s3/notifyd: ensure notifyd doesn't return from smbd_notifyd_init
via 8c0f377 ctdb-common: Set close-on-exec when creating PID file
via 791b217 vfs_fruit: don't use MS NFS ACEs with Windows clients
via 6af5fcc s3:client: The smbspool krb5 wrapper needs negotiate for authentication
via 1714d0c vfs_fruit: add fruit:model = <modelname> parametric option
via 1ec8c4a idmap_ad: Retry query_user exactly once if we get TLDAP_SERVER_DOWN
via 73550d1 selftest: Do not force run of kcc at start of selftest
via 9251372 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
via dd573c0 s3:secrets: remove unused secrets_store_[prev_]machine_password()
via d71aa30 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
via 15a7a36 net: make use of secrets_*_password_change() for "net changesecretpw"
via 13a2325 s3:trusts_util: make use the workstation password change more robust
via de1faa7 s3:libnet: make use of secrets_store_JoinCtx()
via 56403c7 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
via 835cc12 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
via cc67ccb secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
via d80ef0b netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
via 59e23da netlogon.idl: make netr_TrustFlags [public]
via b7e7ac3 lsa.idl: make lsa_DnsDomainInfo [public]
via fc98574 s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
via f7c05a3 libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
via 5d56612 libcli/auth: add const to set_pw_in_buffer()
via 29fa179 libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
via d41f361 s3:trusts_util: pass dcname to trust_pw_change()
via 324af75 s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
via 7481722 s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
via 36ae6bc s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
via fc8506d s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
via bce615d s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
via c54cf09 s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
via dd0f49a s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
via 4e649f7 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
via 45ed7f3 s3:secrets: rename secrets_delete() to secrets_delete_entry()
via e67bc70 s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
via f8dc7f3 s3:secrets: add some const to secrets_store_domain_guid()
via f297455 s3:secrets: split out a domain_guid_keystr() function
via 3341df2 s3:secrets: rework des_salt_key() to take the realm as argument
via cfba2c4 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
via f68f8f6 s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
via 0ce8cd8 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
via bf90563 s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
via 14add2c s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
via 6e1f7e2 s3:libads: provide a simpler kerberos_fetch_salt_princ() function
via bfccba4 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
via beb5f2b s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
via 4e5c9b5 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
via cb36b61 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
via 1b648aa s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
via b098b48 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
via e709972 s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
via 15cefb9 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
via d353c40 s3:libnet_join: remember the domain_guid for AD domains
via 0c9f0d5 s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
via 43cce73 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
via b76556f s3:libnet_join: remove dead code from libnet_join_connect_ads()
via 691d69f krb5_wrap: add smb_krb5_salt_principal2data()
via ea40c72 krb5_wrap: add smb_krb5_salt_principal()
via cf5d62e s3:libads: remove unused kerberos_secrets_store_salting_principal()
via 5687cb0 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
via 6297a35 idl_types.h: add NDR_SECRET shortcut
via 48a9a30 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
via e73f37d librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
via 4e323ae pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
via ce91c2e s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
via 8ac00af selftest: add a test for accessing previous version of directories with snapdirseverywhere
via 7916e1a s3/smbd: let non_widelink_open() chdir() to directories directly
via 80aeac8 dnsserver: Stop dns_name_equal doing OOB read
via 04676d6 selftest: Do not enable inbound replication during replica_sync
via 7b04fb4 VERSION: Bump version up to 4.6.7...
via b528634 Merge branch 'v4-6-stable' into v4-6-test
via 05782d5 s3:tests: Do *NOT* flush the complete gencache!
via 24a5c45 selftest: Do *NOT* flush the complete gencache!
via cb6771c ldb: protect Samba < 4.7 against incompatible ldb versions and require ldb < 1.2.0
via 85dbd4d wafsamba: add maxversion and version_blacklist to CHECK_BUNDLED_SYSTEM[_PKG]()
via a971f23 s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
via eb587fb selftest: Also wait for winbindd to start
via 9bf2391 s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
via d2bf63c auth/spnego: fix gensec_update_ev() argument order for the SPNEGO_FALLBACK case
via 545b0c4 s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
via 18f3dbb samba-tool: fix log message of 'samba-tool user syncpasswords'
via 15ed7a9 s3:tests: Do not delete the contents of LOCAL_PATH with tarmode test
via f625a63 auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
via 8aea504 s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
via 79afb2e s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
via c850f47 docs-xml: Sort input file list
via fad0c0d s3: libsmb: Correctly save and restore connection tcon in smbclient, smbcacls and smbtorture3.
via d2a309b s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon.
via de0fbbe s3: libsmb: Fix cli_state_has_tcon() to cope with SMB2 connections.
via 8edc00e s3: libsmb: Widen cli_state_get_tid() / cli_state_set_tid() to 32-bits.
via c519326 s3: smbtorture: Show correct use of cli_state_save_tcon() / cli_state_restore_tcon().
via b17ab94 s3: libsmb: Add cli_state_save_tcon() / cli_state_restore_tcon().
via d261f6d libcli: smb: Add smb2cli_tcon_set_id().
via 0ea8e0b libcli: smb: Add smbXcli_tcon_copy().
via 9d053cf s3: smbd: When deleting an fsp pointer ensure we don't keep any references to it around.
via f10ce74 ctdb-recovery: Do not run local ip verification when in recovery
via 9f25dff ctdb-recovery: Get recmode unconditionally in the main_loop
via 59ac9bf ctdb-recovery: Finish processing for recovery mode ACTIVE first
via 7ee7e65 ctdb-recovery: Simplify logging of recovery mode setting
via 89ee737 ctdb-recovery: Setting up of recmode should be idempotent
via a227893 ctdb-recovery: Assign banning credits if database fails to freeze
via 6e11262 ctdb-scripts: Don't send empty argument string to logger
via 9670a0d Bug 15852. There are valid paths where conn->lsa_pipe_tcp->transport is NULL. Protect against this.
via 8a7d05e s3:tests: Add test for smbclient -UDOMAIN+username
via 282560e s3:popt_common: Reparse the username in popt_common_credentials_post()
via 8dc2be5 s3:smb2_sesssetup: allow a compound request after a SessionSetup
via 6e6fb56d s3:smb2_tcon: allow a compound request after a TreeConnect
via 29c2411 s3:libsmb: add cli_state_update_after_sesssetup() helper function
via ada73fa libcli/smb: Fix alignment problems of smb_bytes_pull_str()
via 5a4f2e0 libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO
via b4e1d73 ctdb-tests: Add more NFS eventscript tests for call-out failures
via 6d5c1f6 ctdb-scripts: NFS call-out failures should cause event failure
via c08e056 messaging: fix net command failure due to unhandled return code
via ad1f953 shadow_copy_get_shadow_copy_data: fix GCC snprintf warning
via e550c8a ndr tests: silence a harmless warning
via 123bfe0 s4:torture: Fix comparison between pointer and zero character constant
via fdcfdcd waf: Do not throw a format-truncation error for test/snprintf.c
via 3afa33b replace: Use the same size as d_name member of struct dirent
from 55d7150 VERSION: Release Samba 4.6.6 for CVE-2017-11103
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 90 +-
auth/gensec/spnego.c | 6 +-
auth/ntlmssp/ntlmssp_util.c | 21 +
buildtools/wafsamba/samba_bundled.py | 21 +-
ctdb/common/pidfile.c | 8 +
ctdb/config/events.d/60.nfs | 8 +-
ctdb/config/functions | 2 +-
ctdb/server/ctdb_recover.c | 28 +-
ctdb/server/ctdb_recoverd.c | 19 +-
ctdb/server/ctdb_recovery_helper.c | 1 +
....nfs.monitor.107.sh => 06.nfs.releaseip.001.sh} | 0
ctdb/tests/eventscripts/06.nfs.releaseip.002.sh | 12 +
...{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} | 0
ctdb/tests/eventscripts/06.nfs.takeip.002.sh | 12 +
ctdb/tests/eventscripts/60.nfs.monitor.109.sh | 12 +
....nfs.monitor.107.sh => 60.nfs.releaseip.001.sh} | 0
ctdb/tests/eventscripts/60.nfs.releaseip.002.sh | 12 +
...0.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} | 0
ctdb/tests/eventscripts/60.nfs.shutdown.002.sh | 12 +
...60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} | 0
ctdb/tests/eventscripts/60.nfs.startup.002.sh | 12 +
...{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} | 0
ctdb/tests/eventscripts/60.nfs.takeip.002.sh | 12 +
docs-xml/Makefile | 2 +-
docs-xml/manpages/vfs_fruit.8.xml | 9 +
lib/krb5_wrap/krb5_samba.c | 187 +++
lib/krb5_wrap/krb5_samba.h | 10 +
lib/ldb/wscript | 19 +-
lib/replace/test/os2_delete.c | 2 +-
lib/replace/wscript | 3 +-
libcli/auth/netlogon_creds_cli.c | 78 +-
libcli/auth/netlogon_creds_cli.h | 16 +-
libcli/auth/proto.h | 2 +-
libcli/auth/smbencrypt.c | 2 +-
libcli/smb/smb1cli_session.c | 28 +-
libcli/smb/smbXcli_base.c | 52 +
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_util.h | 3 +-
libcli/smb/util.c | 47 +-
librpc/idl/idl_types.h | 6 +
librpc/idl/lsa.idl | 2 +-
librpc/idl/netlogon.idl | 6 +-
librpc/ndr/libndr.h | 24 +-
librpc/ndr/ndr.c | 23 +
librpc/ndr/ndr_basic.c | 44 +
pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 4 +
python/samba/netcmd/user.py | 2 +-
selftest/target/Samba3.pm | 22 +-
selftest/target/Samba4.pm | 75 +-
source3/client/client.c | 5 +-
source3/client/smbspool_krb5_wrapper.c | 29 +-
source3/include/ntioctl.h | 2 +-
source3/include/proto.h | 1 +
source3/include/secrets.h | 38 +-
source3/lib/messages.c | 6 +-
source3/lib/popt_common.c | 15 +
source3/lib/util_sd.c | 24 +-
source3/libads/kerberos.c | 200 ---
source3/libads/kerberos_keytab.c | 14 +-
source3/libads/kerberos_proto.h | 8 -
source3/libads/util.c | 106 +-
source3/libnet/libnet_join.c | 127 +-
source3/libnet/libnet_keytab.c | 5 +-
source3/librpc/crypto/gse_krb5.c | 48 +-
source3/librpc/idl/libnet_join.idl | 4 +-
source3/librpc/idl/secrets.idl | 92 +-
source3/librpc/wscript_build | 2 +-
source3/libsmb/cliconnect.c | 97 +-
source3/libsmb/clidfs.c | 18 +-
source3/libsmb/clientgen.c | 67 +-
source3/libsmb/libsmb_dir.c | 6 +-
source3/libsmb/proto.h | 7 +-
source3/libsmb/trusts_util.c | 276 +++-
source3/modules/vfs_ceph.c | 7 -
source3/modules/vfs_default.c | 33 +-
source3/modules/vfs_fruit.c | 12 +-
source3/modules/vfs_shadow_copy.c | 11 +-
source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++--
source3/passdb/secrets.c | 25 +-
source3/passdb/secrets_lsa.c | 2 +-
source3/rpc_client/cli_netlogon.c | 15 +-
source3/rpcclient/cmd_netlogon.c | 2 +
source3/script/tests/test_shadow_copy.sh | 23 +
source3/script/tests/test_smbclient_basic.sh | 62 +
source3/script/tests/test_smbclient_s3.sh | 55 +
source3/script/tests/test_smbclient_tarmode.sh | 10 +-
source3/script/tests/test_wbinfo_sids2xids_int.py | 25 +-
source3/selftest/tests.py | 5 +-
source3/smbd/files.c | 4 +-
source3/smbd/lanman.c | 20 +-
source3/smbd/open.c | 54 +-
source3/smbd/process.c | 2 +-
source3/smbd/reply.c | 2 +-
source3/smbd/server.c | 8 +-
source3/smbd/smb2_create.c | 43 +-
source3/smbd/smb2_ioctl_network_fs.c | 17 +
source3/smbd/smb2_sesssetup.c | 1 +
source3/smbd/smb2_tcon.c | 2 +
source3/torture/test_smb2.c | 8 +-
source3/torture/torture.c | 24 +-
source3/utils/net.c | 142 +-
source3/utils/net_rpc.c | 20 +-
source3/utils/smbcacls.c | 26 +-
source3/winbindd/idmap_ad.c | 19 +-
source3/winbindd/winbindd_cm.c | 8 +-
source3/winbindd/winbindd_dual.c | 1 +
source3/winbindd/winbindd_dual_srv.c | 2 +
source4/dsdb/samdb/ldb_modules/netlogon.c | 6 +-
source4/rpc_server/dnsserver/dnsdata.c | 4 +-
source4/torture/drs/python/replica_sync.py | 51 -
source4/torture/ldap/netlogon.c | 48 +
source4/torture/masktest.c | 2 +-
source4/torture/ndr/string.c | 20 +-
source4/torture/vfs/fruit.c | 8 +-
115 files changed, 3783 insertions(+), 865 deletions(-)
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 06.nfs.releaseip.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 06.nfs.takeip.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/06.nfs.takeip.002.sh
create mode 100755 ctdb/tests/eventscripts/60.nfs.monitor.109.sh
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.releaseip.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.shutdown.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.startup.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/60.nfs.startup.002.sh
copy ctdb/tests/eventscripts/{60.nfs.monitor.107.sh => 60.nfs.takeip.001.sh} (100%)
create mode 100755 ctdb/tests/eventscripts/60.nfs.takeip.002.sh
create mode 100755 source3/script/tests/test_smbclient_basic.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 8fc1d16..113a562 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 75d90b7..87c4579 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,90 @@
=============================
+ Release Notes for Samba 4.6.7
+ August 9, 2017
+ =============================
+
+
+This is the latest stable release of the Samba 4.6 release series.
+
+
+Changes since 4.6.6:
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes async.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 11392: s4-cldap/netlogon: Match Windows 2012R2 and return
+ NETLOGON_NT_VERSION_5 when version unspecified.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories directly.
+ * BUG 12910: s3/notifyd: Ensure notifyd doesn't return from
+ smbd_notifyd_init.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 12840: vfs_fruit: Add fruit:model = <modelname> parametric option.
+
+o David Disseldorp <ddiss at samba.org>
+ * BUG 12911: vfs_ceph: Fix cephwrap_chdir().
+
+o Dustin L. Howett
+ * BUG 12720: idmap_ad: Retry query_user exactly once if we get
+ TLDAP_SERVER_DOWN.
+
+o Thomas Jarosch <thomas.jarosch at intra2net.com>
+ * BUG 12927: s3: libsmb: Fix use-after-free when accessing pointer *p.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12925: smbd: Fix a connection run-down race condition.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12782: winbindd changes the local password and gets
+ NT_STATUS_WRONG_PASSWORD for the remote change.
+ * BUG 12890: s3:smbd: consistently use talloc_tos() memory for
+ rpc_pipe_open_interface().
+
+o Noel Power <noel.power at suse.com>
+ * BUG 12937: smbcacls: Don't fail against a directory on Windows using SMB2.
+
+o Arvid Requate <requate at univention.de>
+ * BUG 11392: s4-dsdb/netlogon: Allow missing ntver in cldap ping.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUG 12813: dnsserver: Stop dns_name_equal doing OOB read.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 12886: s3:client: The smbspool krb5 wrapper needs negotiate for
+ authentication.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 12898: ctdb-common: Set close-on-exec when creating PID file.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.6.6
July 12, 2017
=============================
@@ -48,8 +134,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.6.5
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f063f7b..21c6cfb 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -366,7 +366,7 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
return nt_status;
}
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- ev, out_mem_ctx, in, out);
+ out_mem_ctx, ev, in, out);
return nt_status;
}
DEBUG(1, ("Failed to parse SPNEGO request\n"));
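Review bot: The swapped `ev` and `out_mem_ctx` arguments in the gensec_update_ev() call in gensec_spnego_server_try_fallback() compiled without complaint, so nothing at the type level stops the same mistake from recurring: TALLOC_CTX is a void typedef, and a tevent context pointer converts to and from `void *` implicitly. The same correction is made for the SPNEGO_FALLBACK case of gensec_spnego_update() in the next hunk. Consider adding a regression test that exercises the fallback path alongside this fix, since that path evidently had no coverage.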
@@ -804,8 +804,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
- return gensec_update_ev(spnego_state->sub_sec_security, ev,
- out_mem_ctx, in, out);
+ return gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev, in, out);
case SPNEGO_SERVER_START:
{
NTSTATUS nt_status;
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 4ae6101..9c7325a 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
{
uint32_t missing_flags = ntlmssp_state->required_flags;
+ if (ntlmssp_state->use_ntlmv2) {
+ /*
+ * Using NTLMv2 as a client implies
+ * using NTLMSSP_NEGOTIATE_NTLM2
+ * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ *
+ * Note that 'use_ntlmv2' is only set
+ * true in the client case.
+ *
+ * Even if the server has a bug and does not announce
+ * it, we need to assume it's present.
+ *
+ * Note that we also have the flag
+ * in ntlmssp_state->required_flags,
+ * see gensec_ntlmssp_client_start().
+ *
+ * See bug #12862.
+ */
+ flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
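Review bot: The unconditional `flags |= NTLMSSP_NEGOTIATE_NTLM2;` at the top of ntlmssp_handle_neg_flags() makes a server's omission of the flag invisible, because (per the comment) the bit is also in required_flags and the check against missing_flags can then never fail for it. Consider logging at debug level when use_ntlmv2 is set and the incoming flags lack NTLMSSP_NEGOTIATE_NTLM2, before OR-ing it in, so an administrator can tell a server that announced the flag from one that did not.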
diff --git a/buildtools/wafsamba/samba_bundled.py b/buildtools/wafsamba/samba_bundled.py
index ea88807..aa6199e 100644
--- a/buildtools/wafsamba/samba_bundled.py
+++ b/buildtools/wafsamba/samba_bundled.py
@@ -110,6 +110,7 @@ def LIB_MUST_BE_PRIVATE(conf, libname):
@conf
def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, minversion='0.0.0',
+ maxversion=None, version_blacklist=[],
onlyif=None, implied_deps=None, pkg=None):
'''check if a library is available as a system library.
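Review bot: `version_blacklist=[]` in the CHECK_BUNDLED_SYSTEM_PKG() signature (and again in CHECK_BUNDLED_SYSTEM() in the next hunk) is a mutable default argument that is shared across calls. The visible code only iterates over it, so it is harmless today, but `version_blacklist=None` with an `or []` fallback, or an empty tuple, avoids a surprise if someone later appends to it. The docstring should also describe the two new parameters.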
@@ -117,12 +118,15 @@ def CHECK_BUNDLED_SYSTEM_PKG(conf, libname, minversion='0.0.0',
'''
return conf.CHECK_BUNDLED_SYSTEM(libname,
minversion=minversion,
+ maxversion=maxversion,
+ version_blacklist=version_blacklist,
onlyif=onlyif,
implied_deps=implied_deps,
pkg=pkg)
@conf
def CHECK_BUNDLED_SYSTEM(conf, libname, minversion='0.0.0',
+ maxversion=None, version_blacklist=[],
checkfunctions=None, headers=None, checkcode=None,
onlyif=None, implied_deps=None,
require_headers=True, pkg=None, set_target=True):
@@ -181,16 +185,29 @@ def CHECK_BUNDLED_SYSTEM(conf, libname, minversion='0.0.0',
minversion = minimum_library_version(conf, libname, minversion)
msg = 'Checking for system %s' % libname
+ msg_ver = []
if minversion != '0.0.0':
- msg += ' >= %s' % minversion
+ msg_ver.append('>=%s' % minversion)
+ if maxversion is not None:
+ msg_ver.append('<=%s' % maxversion)
+ for v in version_blacklist:
+ msg_ver.append('!=%s' % v)
+ if msg_ver != []:
+ msg += " (%s)" % (" ".join(msg_ver))
uselib_store=libname.upper()
if pkg is None:
pkg = libname
+ version_checks = '%s >= %s' % (pkg, minversion)
+ if maxversion is not None:
+ version_checks += ' %s <= %s' % (pkg, maxversion)
+ for v in version_blacklist:
+ version_checks += ' %s != %s' % (pkg, v)
+
# try pkgconfig first
if (conf.CHECK_CFG(package=pkg,
- args='"%s >= %s" --cflags --libs' % (pkg, minversion),
+ args='"%s" --cflags --libs' % (version_checks),
msg=msg, uselib_store=uselib_store) and
check_functions_headers_code()):
if set_target:
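Review bot: maxversion is applied as an inclusive bound (`'%s <= %s'`), which is easy to misread as exclusive at a call site that wants to exclude a whole release series; state the inclusive semantics in the docstring. Also, msg and version_checks are now built by two separate blocks that must stay in step: with minversion '0.0.0' the message omits the lower bound while version_checks still passes `>= 0.0.0` to pkg-config. Building both from one list of (operator, version) pairs would keep them from drifting.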
diff --git a/ctdb/common/pidfile.c b/ctdb/common/pidfile.c
index b3f29e3..51c0c25 100644
--- a/ctdb/common/pidfile.c
+++ b/ctdb/common/pidfile.c
@@ -22,6 +22,8 @@
#include <talloc.h>
+#include "lib/util/blocking.h"
+
#include "common/pidfile.h"
struct pidfile_context {
@@ -61,6 +63,12 @@ int pidfile_create(TALLOC_CTX *mem_ctx, const char *pidfile,
goto fail;
}
+ if (! set_close_on_exec(fd)) {
+ close(fd);
+ ret = EIO;
+ goto fail;
+ }
+
pid_ctx->fd = fd;
lck = (struct flock) {
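Review bot: set_close_on_exec(fd) runs as a separate step after the descriptor already exists, so a fork and exec on another thread between the two calls can still inherit it; where the platform supports it, passing O_CLOEXEC when the file is opened closes that window, with this call kept as the fallback. In the failure branch, `ret = EIO` discards whatever error the underlying call reported; returning that error instead would make the failure easier to diagnose.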
diff --git a/ctdb/config/events.d/60.nfs b/ctdb/config/events.d/60.nfs
index 02d6e2b..98a18c3 100755
--- a/ctdb/config/events.d/60.nfs
+++ b/ctdb/config/events.d/60.nfs
@@ -256,20 +256,20 @@ is_ctdb_managed_service || exit 0
case "$1" in
startup)
- nfs_callout "$@"
+ nfs_callout "$@" || exit $?
;;
shutdown)
- nfs_callout "$@"
+ nfs_callout "$@" || exit $?
;;
takeip)
- nfs_callout "$@"
+ nfs_callout "$@" || exit $?
ctdb_service_set_reconfigure
;;
releaseip)
- nfs_callout "$@"
+ nfs_callout "$@" || exit $?
ctdb_service_set_reconfigure
;;
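Review bot: In the takeip and releaseip arms, `nfs_callout "$@" || exit $?` now exits before ctdb_service_set_reconfigure runs, so a failed call-out no longer schedules a reconfigure. If that is intended, a one-line comment saying so would help; if a reconfigure should still be requested after a failed call-out, capture the status, call ctdb_service_set_reconfigure, then exit with it. The startup and shutdown arms are now identical and could share a single `startup|shutdown)` pattern.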
diff --git a/ctdb/config/functions b/ctdb/config/functions
index 7e37bbb..3826324 100755
--- a/ctdb/config/functions
+++ b/ctdb/config/functions
@@ -150,7 +150,7 @@ script_log ()
*)
# Handle all syslog:* variants here too. There's no tool to do
# the lossy things, so just use logger.
- logger -t "ctdbd: ${_tag}" "$*"
+ logger -t "ctdbd: ${_tag}" "$@"
;;
esac
}
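Review bot: With `"$@"` in place of `"$*"`, a script_log call with no arguments passes logger no message at all, and logger then takes the message from standard input. That matches the stated intent of not sending an empty argument, but a caller that passes nothing and has no piped input will now wait on stdin. The comment above the logger line should say that the no-argument form relies on input being piped in.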
diff --git a/ctdb/server/ctdb_recover.c b/ctdb/server/ctdb_recover.c
index 6bed61c..813a1ad 100644
--- a/ctdb/server/ctdb_recover.c
+++ b/ctdb/server/ctdb_recover.c
@@ -856,26 +856,24 @@ int32_t ctdb_control_set_recmode(struct ctdb_context *ctdb,
struct set_recmode_state *state;
struct ctdb_cluster_mutex_handle *h;
+ if (recmode == ctdb->recovery_mode) {
+ D_INFO("Recovery mode already set to %s\n",
+ recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE");
+ return 0;
+ }
+
+ D_NOTICE("Recovery mode set to %s\n",
+ recmode == CTDB_RECOVERY_NORMAL ? "NORMAL" : "ACTIVE");
+
/* if we enter recovery but stay in recovery for too long
we will eventually drop all our ip addresses
*/
- if (recmode == CTDB_RECOVERY_NORMAL) {
- talloc_free(ctdb->release_ips_ctx);
- ctdb->release_ips_ctx = NULL;
- } else {
+ if (recmode == CTDB_RECOVERY_ACTIVE) {
if (ctdb_deferred_drop_all_ips(ctdb) != 0) {
- DEBUG(DEBUG_ERR,("Failed to set up deferred drop all ips\n"));
+ D_ERR("Failed to set up deferred drop all ips\n");
}
- }
- if (recmode != ctdb->recovery_mode) {
- DEBUG(DEBUG_NOTICE,(__location__ " Recovery mode set to %s\n",
- recmode==CTDB_RECOVERY_NORMAL?"NORMAL":"ACTIVE"));
- }
-
- if (recmode != CTDB_RECOVERY_NORMAL ||
- ctdb->recovery_mode != CTDB_RECOVERY_ACTIVE) {
- ctdb->recovery_mode = recmode;
+ ctdb->recovery_mode = CTDB_RECOVERY_ACTIVE;
return 0;
}
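Review bot: The new early return for `recmode == ctdb->recovery_mode` removes two side effects that the old code performed even when the mode was unchanged: a repeated ACTIVE request no longer calls ctdb_deferred_drop_all_ips(), and a repeated NORMAL request no longer frees ctdb->release_ips_ctx. Please confirm that no caller relied on either, and say so in the commit message. Separately, when ctdb_deferred_drop_all_ips() fails the function still sets CTDB_RECOVERY_ACTIVE and returns 0, so the caller cannot tell that the deferred drop was not set up.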
@@ -884,6 +882,8 @@ int32_t ctdb_control_set_recmode(struct ctdb_context *ctdb,
* Therefore, what follows is special handling when setting
* recovery mode back to normal */
+ TALLOC_FREE(ctdb->release_ips_ctx);
+
for (ctdb_db = ctdb->db_list; ctdb_db != NULL; ctdb_db = ctdb_db->next) {
if (ctdb_db->generation != ctdb->vnn_map->generation) {
DEBUG(DEBUG_ERR,
diff --git a/ctdb/server/ctdb_recoverd.c b/ctdb/server/ctdb_recoverd.c
index 9ea0f61..d9cc4a2 100644
--- a/ctdb/server/ctdb_recoverd.c
+++ b/ctdb/server/ctdb_recoverd.c
@@ -2608,6 +2608,13 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec,
return;
}
+ ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(),
+ CTDB_CURRENT_NODE, &ctdb->recovery_mode);
+ if (ret != 0) {
+ D_ERR("Failed to read recmode from local node\n");
+ return;
+ }
+
/* if the local daemon is STOPPED or BANNED, we verify that the databases are
also frozen and that the recmode is set to active.
*/
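Review bot: The new D_ERR for a failed ctdb_ctrl_getrecmode() drops the return code; include `ret` in the message, since this failure now aborts the whole main_loop iteration instead of being logged and ignored as in the code removed further down. A short comment noting that the checks below (including the new CTDB_RECOVERY_NORMAL guard around verify_local_ip_allocation()) depend on ctdb->recovery_mode having just been refreshed would explain why returning here is the right choice.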
@@ -2620,10 +2627,6 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec,
*/
rec->priority_time = timeval_current();
- ret = ctdb_ctrl_getrecmode(ctdb, mem_ctx, CONTROL_TIMEOUT(), CTDB_CURRENT_NODE, &ctdb->recovery_mode);
- if (ret != 0) {
- DEBUG(DEBUG_ERR,(__location__ " Failed to read recmode from local node\n"));
- }
if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) {
DEBUG(DEBUG_ERR,("Node is stopped or banned but recovery mode is not active. Activate recovery mode and lock databases\n"));
@@ -2667,9 +2670,11 @@ static void main_loop(struct ctdb_context *ctdb, struct ctdb_recoverd *rec,
return;
}
- /* Check if an IP takeover run is needed and trigger one if
- * necessary */
- verify_local_ip_allocation(ctdb, rec, pnn, nodemap);
+ if (ctdb->recovery_mode == CTDB_RECOVERY_NORMAL) {
+ /* Check if an IP takeover run is needed and trigger one if
+ * necessary */
+ verify_local_ip_allocation(ctdb, rec, pnn, nodemap);
+ }
/* if we are not the recmaster then we do not need to check
if recovery is needed
diff --git a/ctdb/server/ctdb_recovery_helper.c b/ctdb/server/ctdb_recovery_helper.c
index 0222aa0..474b900 100644
--- a/ctdb/server/ctdb_recovery_helper.c
+++ b/ctdb/server/ctdb_recovery_helper.c
@@ -1627,6 +1627,7 @@ static void recover_db_freeze_done(struct tevent_req *subreq)
if (ret2 != 0) {
LOG("control FREEZE_DB failed for db %s on node %u,"
" ret=%d\n", state->db_name, pnn, ret2);
+ state->ban_credits[pnn] += 1;
} else {
LOG("control FREEZE_DB failed for db %s, ret=%d\n",
state->db_name, ret);
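Review bot: `state->ban_credits[pnn] += 1;` is added only in the branch where the failing node is known; the else branch logs a FREEZE_DB failure with no node and assigns no credits, so a failure of that kind can never contribute to a ban. If that is deliberate, a comment in the else branch would make it clear. Please also confirm that ban_credits is sized for every pnn this callback can report, as the index is used here without a visible bounds check.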
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
diff --git a/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
new file mode 100755
index 0000000..c0b8939
--- /dev/null
+++ b/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes releaseip-pre to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo releaseip-pre ; false"
+
+required_result 1 "releaseip-pre"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/06.nfs.takeip.001.sh
diff --git a/ctdb/tests/eventscripts/06.nfs.takeip.002.sh b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
new file mode 100755
index 0000000..1baf351
--- /dev/null
+++ b/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes takeip-pre to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo takeip-pre ; false"
+
+required_result 1 "takeip-pre"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.109.sh b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
new file mode 100755
index 0000000..a86f6d9
--- /dev/null
+++ b/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes monitor-post to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo monitor-post ; false"
+
+required_result 1 "monitor-post"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
diff --git a/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
new file mode 100755
index 0000000..68f636f
--- /dev/null
+++ b/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+. "${TEST_SCRIPTS_DIR}/unit.sh"
+
+define_test "callout is 'false', causes releaseip to fail"
+
+setup_nfs
+
+export CTDB_NFS_CALLOUT="echo releaseip ; false"
+
+required_result 1 "releaseip"
+simple_test
diff --git a/ctdb/tests/eventscripts/60.nfs.monitor.107.sh b/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
similarity index 100%
copy from ctdb/tests/eventscripts/60.nfs.monitor.107.sh
copy to ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
diff --git a/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh b/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
--
Samba Shared Repository