[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jan 12 18:24:03 UTC 2017


The branch, master has been updated
       via  d35ff9e lib: talloc: Make it clear that talloc_get_size(NULL) returns 0.
       via  99ffef3 auth/gensec: convert external.c to provide update_send/recv
       via  ac6083e auth/gensec: convert ncalrpc.c to provide update_send/recv
       via  b8abd4a auth/gensec: convert schannel.c to provide update_send/recv
       via  c9f5a89 auth/gensec: remove unused prototype headers
       via  278c921 script/autobuild.py: try to make TMPDIR handling more verbose
       via  96277a9 script/autobuild.py: add a do_print() wrapper function that flushes after each message
       via  5a8d7a5 script/autobuild.py: export PYTHONUNBUFFERED=1
       via  f9e1887 script/autobuild.py: cleanup the task subdirs when they're done.
       via  b919994 s3-spoolss: globally set print server environment/architecture.
       via  92fc6a6 s3-spoolss: make us appear as a 64bit print server.
       via  0e7302d spoolss: Fix PROCESSOR_AMD_X8664 value in IDL
       via  d6a9377 s3-spoolss: Use a more accurate DefaultSpoolDirectory
       via  03a4741 spoolss: allow truncated driver version in spoolss_driver_version_to_qword()
       via  34218e0 s3-spoolss: Fix architecture handling in spoolss_DeletePrinterDriverEx call
       via  06e4d1c s4-torture: cleanup after printing tests that had to add a driver
       via  39489a8 s4-torture: cleanup architecture handling in spoolss driver tests.
       via  14d65fb script/autobuild.py: use --enable-developer and --picky-developer for the ctdb build
       via  f981e2c credentials: Create a smb_gss_krb5_copy_ccache() function
       via  72fe43f mit-kdb: Remove unneeded memset()
       via  adcb8a9 mit-kdb: Use calloc() to allocate memory
       via  e467eef gensec: Cast data for MIT Kerberos correctly
       via  9b263c5 gensec: Fix picky developer with MIT Kerberos
       via  ecec8bb docs: Bump version up to 4.7.
       via  5d9eb27 WHATSNEW: Start release notes for Samba 4.7.0pre1.
      from  7870c64 script/release.sh: fix off by 1 error in announce.${tagname}.mail.txt creation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d35ff9e9bdae79e5f5b2c9b5bf8cfe05199da804
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 11 11:48:25 2017 -0800

    lib: talloc: Make it clear that talloc_get_size(NULL) returns 0.
    
    This *isn't* a behavior change, as the previous code could potentially
    return the size of null_context, which (currently) is defined as
    a named talloc region of ZERO size, but this makes it very clear
    what the ABI behavior should be.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jan 12 19:23:25 CET 2017 on sn-devel-144

commit 99ffef3de297395a62bab3279519f2fab990b42b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 30 01:53:27 2016 +0100

    auth/gensec: convert external.c to provide update_send/recv
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit ac6083eb72e96b5880859caa08ccd95694d38412
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 30 01:35:18 2016 +0100

    auth/gensec: convert ncalrpc.c to provide update_send/recv
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit b8abd4a8a23b465c7fc6a585d198ec1fcf8ce13b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 30 01:30:13 2016 +0100

    auth/gensec: convert schannel.c to provide update_send/recv
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit c9f5a89809c65770ba4c333db80cd58dcbb493b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 23 09:13:33 2013 +0100

    auth/gensec: remove unused prototype headers
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 278c921263550c1473df8944260bbb4e62a0e0e6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 11 14:13:00 2017 +0100

    script/autobuild.py: try to make TMPDIR handling more verbose
    
    This hopefully gives some hints regarding flakey tests where
    the tmpdir is not available.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 96277a9f82379c7fedf36ca13644eb3493dcd1e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 11 15:02:17 2017 +0100

    script/autobuild.py: add a do_print() wrapper function that flushes after each message
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 5a8d7a5446c23985a7dd3a9cb4856481b94931db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 11 14:48:45 2017 +0100

    script/autobuild.py: export PYTHONUNBUFFERED=1
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f9e188747753225e77f254fe41aad95ff11fec53
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 11 14:42:08 2017 +0100

    script/autobuild.py: cleanup the task subdirs when they're done.
    
    This hopefully reduces the used space on the memdisk.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b9199945e7c28f8e5603727896c2af295376dc5b
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 21 12:46:02 2016 +0100

    s3-spoolss: globally set print server environment/architecture.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 92fc6a6c254703b771dec0b56b598c2684b4278a
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 21 11:29:56 2016 +0100

    s3-spoolss: make us appear as a 64bit print server.
    
    This makes us behave like all recent windows systems.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0e7302dd1078d0743d90ff719184d832ebe486cb
Author: Günther Deschner <gd at samba.org>
Date:   Wed Jan 4 16:08:59 2017 +0100

    spoolss: Fix PROCESSOR_AMD_X8664 value in IDL
    
    Microsoft got their docs wrong in MS-RPRN Section 2.2.1.10.1 (footnote
    65): PROCESSOR_AMD_X8664 must be 0x000021D8 and not 0x000022A0.
    
    This is what recent windows versions report back from a spoolss
    getprinter level 0 RPC call.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d6a9377b6d96ee0b6c75f15fe4ab81a3cb5e864f
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 18 18:21:39 2016 +0100

    s3-spoolss: Use a more accurate DefaultSpoolDirectory
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 03a4741bc768351334c92c8c7ddb0a4e84260c19
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 11 16:35:03 2016 +0100

    spoolss: allow truncated driver version in spoolss_driver_version_to_qword()
    
    This has been seen in real life Konica driver definitions.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 34218e0448bca3fda9661c67f18bbd0b9886d079
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 10 18:25:22 2017 +0100

    s3-spoolss: Fix architecture handling in spoolss_DeletePrinterDriverEx call
    
    Pair-Programmed-With: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>

commit 06e4d1c174b27f001ece0d57abed3e472674b2e4
Author: Günther Deschner <gd at samba.org>
Date:   Tue Jan 10 18:23:14 2017 +0100

    s4-torture: cleanup after printing tests that had to add a driver
    
    We were only removing drivers from the upload area but did not delete
    them via spoolss.
    
    Guenther
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit 39489a8ca958ad6ffc9d299486e7bff36c296adf
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jan 10 18:20:18 2017 +0100

    s4-torture: cleanup architecture handling in spoolss driver tests.
    
    Make sure the architecture field of the driver8 definition is always set
    to the local environment (the one of the driver to be uploaded and
    tested)
    
    Pair-Programmed-With: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>

commit 14d65fbc77cd504237fe924f4c7e63bd47fa3e9f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 11 08:14:49 2017 +0100

    script/autobuild.py: use --enable-developer and --picky-developer for the ctdb build
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Martin Schwenke <martin at meltin.net>

commit f981e2c9801cab2fbbf8017cd72a9c4987195f10
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Dec 22 13:50:05 2016 +0100

    credentials: Create a smb_gss_krb5_copy_ccache() function
    
    This sets the default principal on the copied ccache if it hasn't been
    set yet.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 72fe43f218f712c6807126b62550472500cd37b4
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Dec 15 17:51:24 2016 +0100

    mit-kdb: Remove unneeded memset()
    
    The memory has been allocated with calloc() already.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit adcb8a91971f12b4a97bca2e5cd88ee23aa15355
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Dec 15 17:50:53 2016 +0100

    mit-kdb: Use calloc() to allocate memory
    
    This avoids a memset().
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e467eefb10a1ce80128e3b111a474306a71d696b
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 14 17:26:11 2016 +0100

    gensec: Cast data for MIT Kerberos correctly
    
    In Heimdal the data pointer is a void pointer so casting to 'char *' is
    not an issue.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9b263c5778438a18e9277c0dd8c655bc4b3f036f
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 14 17:22:28 2016 +0100

    gensec: Fix picky developer with MIT Kerberos
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ecec8bb8d575d9ca5df604621033ec3d285f8ece
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jan 12 09:01:54 2017 +0100

    docs: Bump version up to 4.7.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5d9eb27c8f995da380bae7c8a11580aadae96b7f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jan 12 08:59:06 2017 +0100

    WHATSNEW: Start release notes for Samba 4.7.0pre1.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                  | 167 +-------------------------
 auth/credentials/credentials_krb5.c           | 133 +++++++++++++++++++-
 auth/gensec/external.c                        |  54 ++++++++-
 auth/gensec/ncalrpc.c                         |  79 +++++++++++-
 auth/gensec/schannel.c                        |  73 ++++++++++-
 auth/gensec/wscript_build                     |   5 +-
 docs-xml/manpages/cifsdd.8.xml                |   2 +-
 docs-xml/manpages/dbwrap_tool.1.xml           |   2 +-
 docs-xml/manpages/eventlogadm.8.xml           |   2 +-
 docs-xml/manpages/findsmb.1.xml               |   2 +-
 docs-xml/manpages/idmap_ad.8.xml              |   2 +-
 docs-xml/manpages/idmap_autorid.8.xml         |   2 +-
 docs-xml/manpages/idmap_hash.8.xml            |   2 +-
 docs-xml/manpages/idmap_ldap.8.xml            |   2 +-
 docs-xml/manpages/idmap_nss.8.xml             |   2 +-
 docs-xml/manpages/idmap_rfc2307.8.xml         |   2 +-
 docs-xml/manpages/idmap_rid.8.xml             |   2 +-
 docs-xml/manpages/idmap_script.8.xml          |   2 +-
 docs-xml/manpages/idmap_tdb.8.xml             |   2 +-
 docs-xml/manpages/idmap_tdb2.8.xml            |   2 +-
 docs-xml/manpages/libsmbclient.7.xml          |   2 +-
 docs-xml/manpages/lmhosts.5.xml               |   2 +-
 docs-xml/manpages/log2pcap.1.xml              |   2 +-
 docs-xml/manpages/net.8.xml                   |   2 +-
 docs-xml/manpages/nmbd.8.xml                  |   2 +-
 docs-xml/manpages/nmblookup.1.xml             |   2 +-
 docs-xml/manpages/ntlm_auth.1.xml             |   2 +-
 docs-xml/manpages/pam_winbind.8.xml           |   2 +-
 docs-xml/manpages/pam_winbind.conf.5.xml      |   2 +-
 docs-xml/manpages/pdbedit.8.xml               |   2 +-
 docs-xml/manpages/profiles.1.xml              |   2 +-
 docs-xml/manpages/rpcclient.1.xml             |   2 +-
 docs-xml/manpages/samba-regedit.8.xml         |   2 +-
 docs-xml/manpages/samba-tool.8.xml            |   2 +-
 docs-xml/manpages/samba.7.xml                 |   2 +-
 docs-xml/manpages/samba.8.xml                 |   2 +-
 docs-xml/manpages/sharesec.1.xml              |   2 +-
 docs-xml/manpages/smb.conf.5.xml              |   2 +-
 docs-xml/manpages/smbcacls.1.xml              |   2 +-
 docs-xml/manpages/smbclient.1.xml             |   2 +-
 docs-xml/manpages/smbcontrol.1.xml            |   2 +-
 docs-xml/manpages/smbcquotas.1.xml            |   2 +-
 docs-xml/manpages/smbd.8.xml                  |   2 +-
 docs-xml/manpages/smbget.1.xml                |   2 +-
 docs-xml/manpages/smbgetrc.5.xml              |   2 +-
 docs-xml/manpages/smbpasswd.5.xml             |   2 +-
 docs-xml/manpages/smbpasswd.8.xml             |   2 +-
 docs-xml/manpages/smbspool.8.xml              |   2 +-
 docs-xml/manpages/smbspool_krb5_wrapper.8.xml |   2 +-
 docs-xml/manpages/smbstatus.1.xml             |   2 +-
 docs-xml/manpages/smbtar.1.xml                |   2 +-
 docs-xml/manpages/smbtree.1.xml               |   2 +-
 docs-xml/manpages/testparm.1.xml              |   2 +-
 docs-xml/manpages/vfs_acl_tdb.8.xml           |   2 +-
 docs-xml/manpages/vfs_acl_xattr.8.xml         |   2 +-
 docs-xml/manpages/vfs_aio_fork.8.xml          |   2 +-
 docs-xml/manpages/vfs_aio_linux.8.xml         |   2 +-
 docs-xml/manpages/vfs_aio_pthread.8.xml       |   2 +-
 docs-xml/manpages/vfs_audit.8.xml             |   2 +-
 docs-xml/manpages/vfs_btrfs.8.xml             |   2 +-
 docs-xml/manpages/vfs_cacheprime.8.xml        |   2 +-
 docs-xml/manpages/vfs_cap.8.xml               |   2 +-
 docs-xml/manpages/vfs_catia.8.xml             |   2 +-
 docs-xml/manpages/vfs_ceph.8.xml              |   2 +-
 docs-xml/manpages/vfs_commit.8.xml            |   2 +-
 docs-xml/manpages/vfs_crossrename.8.xml       |   2 +-
 docs-xml/manpages/vfs_default_quota.8.xml     |   2 +-
 docs-xml/manpages/vfs_dirsort.8.xml           |   2 +-
 docs-xml/manpages/vfs_extd_audit.8.xml        |   2 +-
 docs-xml/manpages/vfs_fake_perms.8.xml        |   2 +-
 docs-xml/manpages/vfs_fileid.8.xml            |   2 +-
 docs-xml/manpages/vfs_fruit.8.xml             |   2 +-
 docs-xml/manpages/vfs_full_audit.8.xml        |   2 +-
 docs-xml/manpages/vfs_glusterfs.8.xml         |   2 +-
 docs-xml/manpages/vfs_gpfs.8.xml              |   2 +-
 docs-xml/manpages/vfs_linux_xfs_sgid.8.xml    |   2 +-
 docs-xml/manpages/vfs_media_harmony.8.xml     |   2 +-
 docs-xml/manpages/vfs_netatalk.8.xml          |   2 +-
 docs-xml/manpages/vfs_offline.8.xml           |   2 +-
 docs-xml/manpages/vfs_prealloc.8.xml          |   2 +-
 docs-xml/manpages/vfs_preopen.8.xml           |   2 +-
 docs-xml/manpages/vfs_readahead.8.xml         |   2 +-
 docs-xml/manpages/vfs_readonly.8.xml          |   2 +-
 docs-xml/manpages/vfs_recycle.8.xml           |   2 +-
 docs-xml/manpages/vfs_shadow_copy.8.xml       |   2 +-
 docs-xml/manpages/vfs_shadow_copy2.8.xml      |   2 +-
 docs-xml/manpages/vfs_shell_snap.8.xml        |   2 +-
 docs-xml/manpages/vfs_snapper.8.xml           |   2 +-
 docs-xml/manpages/vfs_streams_depot.8.xml     |   2 +-
 docs-xml/manpages/vfs_streams_xattr.8.xml     |   2 +-
 docs-xml/manpages/vfs_syncops.8.xml           |   2 +-
 docs-xml/manpages/vfs_time_audit.8.xml        |   2 +-
 docs-xml/manpages/vfs_tsmsm.8.xml             |   2 +-
 docs-xml/manpages/vfs_unityed_media.8.xml     |   2 +-
 docs-xml/manpages/vfs_worm.8.xml              |   2 +-
 docs-xml/manpages/vfs_xattr_tdb.8.xml         |   2 +-
 docs-xml/manpages/vfs_zfsacl.8.xml            |   2 +-
 docs-xml/manpages/vfstest.1.xml               |   2 +-
 docs-xml/manpages/wbinfo.1.xml                |   2 +-
 docs-xml/manpages/winbind_krb5_locator.7.xml  |   2 +-
 docs-xml/manpages/winbindd.8.xml              |   2 +-
 lib/talloc/talloc.c                           |   3 -
 librpc/idl/spoolss.idl                        |  10 +-
 script/autobuild.py                           |  59 +++++----
 source3/printing/nt_printing.c                |  41 ++++---
 source3/rpc_client/init_spoolss.c             |   6 +-
 source3/rpc_server/spoolss/srv_spoolss_nt.c   |  28 ++++-
 source4/auth/gensec/gensec_krb5.c             |  14 +--
 source4/kdc/mit-kdb/kdb_samba_principals.c    |   6 +-
 source4/torture/rpc/spoolss.c                 | 116 +++++++++++-------
 110 files changed, 590 insertions(+), 394 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a521813..761f73f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,190 +1,27 @@
 Release Announcements
 =====================
 
-This is the first preview release of Samba 4.6.  This is *not*
+This is the first preview release of Samba 4.7.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
 
-Samba 4.6 will be the next version of the Samba suite.
+Samba 4.7 will be the next version of the Samba suite.
 
 
 UPGRADING
 =========
 
-vfs_fruit option "fruit:resource" spelling correction
------------------------------------------------------
-
-Due to a spelling error in the vfs_fruit option parsing for the "fruit:resource"
-option, users who have set this option in their smb.conf were still using the
-default setting "fruit:resource = file" as the parser was looking for the string
-"fruit:ressource" (two "s").
-
-After upgrading to this Samba version 4.6, you MUST either remove the option
-from your smb.conf or set it to the default "fruit:resource = file", otherwise
-your macOS clients will not be able to access the resource fork data.
-
-This version Samba 4.6 accepts both the correct and incorrect spelling, but the
-next Samba version 4.7 will not accept the wrong spelling.
-
-Users who were using the wrong spelling "ressource" with two "s" can keep the
-setting, but are advised to switch to the correct spelling.
-
-ID Mapping
-----------
-We discovered that the majority of users have an invalid or incorrect
-ID mapping configuration. We implemented checks in the 'testparm' tool to
-validate the ID mapping configuration. You should run it and check if it prints
-any warnings or errors after upgrading! If it does you should fix them. See the
-'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
-There are some ID mapping backends which are not allowed to be used for the
-default backend. Winbind will no longer start if an invalid backend is
-configured as the default backend.
-
-To avoid problems in future we advise all users to run 'testparm' after
-changing the smb.conf file!
-
 
 NEW FEATURES/CHANGES
 ====================
 
-Kerberos client encryption types
---------------------------------
-Some parts of Samba (most notably winbindd) perform Kerberos client
-operations based on a Samba-generated krb5.conf file. A new
-parameter, "kerberos encryption types" allows configuring the
-encryption types set in this file, thereby allowing the user to
-enforce strong or legacy encryption in Kerberos exchanges.
-
-The default value of "all" is compatible with previous behavior, allowing
-all encryption algorithms to be negotiated. Setting the parameter to "strong"
-only allows AES-based algorithms to be negotiated. Setting the parameter to
-"legacy" allows only RC4-HMAC-MD5 - the legacy algorithm for Active Directory.
-This can solves some corner cases of mixed environments with Server 2003R2 and
-newer DCs.
-
-Printing
---------
-Support for uploading printer drivers from newer Windows clients (Windows 10)
-has been added until our implementation of [MS-PAR] protocol is ready.
-Several issues with uploading different printing drivers have been addressed.
-
-The OS Version for the printing server has been increased to announce
-Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
-check the smb.conf manpage for details.
-
-new option for owner inheritance
---------------------------------
-The "inherit owner" smb.conf parameter instructs smbd to set the
-owner of files to be the same as the parent directory's owner.
-Up until now, this parameter could be set to "yes" or "no".
-A new option, "unix only", enables this feature only for the UNIX owner
-of the file, not affecting the SID owner in the Windows NT ACL of the
-file. This can be used to emulate something very similar to folder quotas.
-
-Multi-process Netlogon support
-------------------------------
-
-The Netlogon server in the Samba AD DC can now run as multiple
-processes.  The Netlogon server is a part of the AD DC that handles
-NTLM authentication on behalf of domain members, including file
-servers, NTLM-authenticated web servers and 802.1x gateways.  The
-previous restriction to running as a single process has been removed,
-and it will now run in the same process model as the rest of the
-'samba' binary.
-
-As part of this change, the NETLOGON service will now run on a distinct
-TCP port, rather than being shared with all other RPC services (LSA,
-SAMR, DRSUAPI etc).
-
-new options for controlling TCP ports used for RPC services
------------------------------------------------------------
-
-The new 'rpc server port' option controls the default port used for
-RPC services other than Netlogon.  The Netlogon server honors instead
-the 'rpc server port:netlogon' option.  The default value for both
-these options is the first available port including or after 1024.
-
-Improve AD performance and replication improvements
----------------------------------------------------
-
-Samba's LDB and replication code continues to improve, particularly in
-respect to the handling of large numbers of linked attributes.  We now
-respect an 'uptodateness vector' which will dramatically reduce the
-over-replication of links from new DCs.  We have also made the parsing
-of on-disk linked attributes much more efficient.
-
-DNS improvements
-----------------
-
-The samba-tool dns subcommand is now much more robust and can delete
-records in a number of situations where it was not possible to do so
-in the past.
-
-On the server side, DNS names are now more strictly validated.
-
-CTDB changes
-------------
-
-* "ctdb event" is a new top-level command for interacting with event scripts
-
-  "ctdb event status" replaces "ctdb scriptstatus" - the latter is
-  maintained for backward compatibility but the output format has been
-  cleaned up
-
-  "ctdb event run" replaces "ctdb eventscript"
-
-  "ctdb event script enable" replaces "ctdb enablescript"
-
-  "ctdb event script disable" replaces "ctdb disablescript"
-
-  The new command "ctdb event script list" lists event scripts.
-
-* CTDB's back-end for running event scripts has been replaced by a
-  separate, long-running daemon ctdbd_eventd.
-
-* Running ctdb interactively will log to stderr
-
-* CTDB logs now include process id for each process
-
-* CTDB tags log messages differently.  Changes include:
-
-  ctdb-recoverd: Messages from CTDB's recovery daemon
-  ctdb-recovery: Messages from CTDB database recovery
-  ctdb-eventd: Messages from CTDB's event daemon
-  ctdb-takeover: Messgaes from CTDB's public IP takeover subsystem
-
-* The mapping between symbolic and numeric debug levels has changed
-
-  Configurations containing numeric debug levels should be updated.
-  Symbolic debug levels are recommended.  See the DEBUG LEVEL section
-  of ctdb(7) for details.
-
-*  Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
-
-   See ctdb-tunables(7) for details
-
-* CTDB's configuration tunables should be consistently set across a cluster
-
-  This has always been the cases for most tunables but this fact is
-  now documented.
-
-* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
-
-  To build/install these, use the --enable-etcd-reclock and
-  --enable-ceph-reclock configure options.
-
 
 smb.conf changes
 ================
 
   Parameter Name                Description             Default
   --------------                -----------             -------
-  kerberos encryption types     New                     all
-  inherit owner                 New option
-  fruit:resource                Spelling correction
-  lsa over netlogon             New (deprecated)        no
-  rpc server port               New                     0
 
 
 KNOWN ISSUES
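Review bot: The removed "fruit:resource" upgrade text states that Samba 4.7 "will not accept the wrong spelling", yet the UPGRADING section that now describes 4.7 is left empty. If that removal is still planned for 4.7, carry a short notice forward into UPGRADING in this same change, so users who kept "fruit:ressource" (two "s") learn that the setting will stop being honoured. The emptied "smb.conf changes" table is the other place where it should be listed.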
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index a0346a2..3663e1d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -63,6 +63,130 @@ static int free_dccache(struct ccache_container *ccc)
 	return 0;
 }
 
+static uint32_t smb_gss_krb5_copy_ccache(uint32_t *min_stat,
+					 gss_cred_id_t cred,
+					 struct ccache_container *ccc)
+{
+#ifndef SAMBA4_USES_HEIMDAL /* MIT 1.10 */
+	krb5_context context = ccc->smb_krb5_context->krb5_context;
+	krb5_ccache dummy_ccache = NULL;
+	krb5_creds creds = {0};
+	krb5_cc_cursor cursor = NULL;
+	krb5_principal princ = NULL;
+	krb5_error_code code;
+	char *dummy_name;
+	uint32_t maj_stat = GSS_S_FAILURE;
+
+	dummy_name = talloc_asprintf(ccc,
+				     "MEMORY:gss_krb5_copy_ccache-%p",
+				     &ccc->ccache);
+	if (dummy_name == NULL) {
+		*min_stat = ENOMEM;
+		return GSS_S_FAILURE;
+	}
+
+	/*
+	 * Create a dummy ccache, so we can iterate over the credentials
+	 * and find the default principal for the ccache we want to
+	 * copy. The new ccache needs to be initialized with this
+	 * principal.
+	 */
+	code = krb5_cc_resolve(context, dummy_name, &dummy_ccache);
+	TALLOC_FREE(dummy_name);
+	if (code != 0) {
+		*min_stat = code;
+		return GSS_S_FAILURE;
+	}
+
+	/*
+	 * We do not need set a default principal on the temporary dummy
+	 * ccache, as we do consume it at all in this function.
+	 */
+	maj_stat = gss_krb5_copy_ccache(min_stat, cred, dummy_ccache);
+	if (maj_stat != 0) {
+		krb5_cc_close(context, dummy_ccache);
+		return maj_stat;
+	}
+
+	code = krb5_cc_start_seq_get(context, dummy_ccache, &cursor);
+	if (code != 0) {
+		krb5_cc_close(context, dummy_ccache);
+		*min_stat = EINVAL;
+		return GSS_S_FAILURE;
+	}
+
+	code = krb5_cc_next_cred(context,
+				 dummy_ccache,
+				 &cursor,
+				 &creds);
+	if (code != 0) {
+		krb5_cc_close(context, dummy_ccache);
+		*min_stat = EINVAL;
+		return GSS_S_FAILURE;
+	}
+
+	do {
+		if (creds.ticket_flags & TKT_FLG_PRE_AUTH) {
+			krb5_data *tgs;
+
+			tgs = krb5_princ_component(context,
+						   creds.server,
+						   0);
+			if (tgs != NULL && tgs->length >= 1) {
+				int cmp;
+
+				cmp = memcmp(tgs->data,
+					     KRB5_TGS_NAME,
+					     tgs->length);
+				if (cmp == 0 && creds.client != NULL) {
+					princ = creds.client;
+					code = KRB5_CC_END;
+					break;
+				}
+			}
+		}
+
+		krb5_free_cred_contents(context, &creds);
+
+		code = krb5_cc_next_cred(context,
+					 dummy_ccache,
+					 &cursor,
+					 &creds);
+	} while (code == 0);
+
+	if (code == KRB5_CC_END) {
+		krb5_cc_end_seq_get(context, dummy_ccache, &cursor);
+		code = 0;
+	}
+	krb5_cc_close(context, dummy_ccache);
+
+	if (code != 0 || princ == NULL) {
+		krb5_free_cred_contents(context, &creds);
+		*min_stat = EINVAL;
+		return GSS_S_FAILURE;
+	}
+
+	/*
+	 * Set the default principal for the cache we copy
+	 * into. This is needed to be able that other calls
+	 * can read it with e.g. gss_acquire_cred() or
+	 * krb5_cc_get_principal().
+	 */
+	code = krb5_cc_initialize(context, ccc->ccache, princ);
+	if (code != 0) {
+		krb5_free_cred_contents(context, &creds);
+		*min_stat = EINVAL;
+		return GSS_S_FAILURE;
+	}
+	krb5_free_cred_contents(context, &creds);
+
+#endif /* SAMBA4_USES_HEIMDAL */
+
+	return gss_krb5_copy_ccache(min_stat,
+				    cred,
+				    ccc->ccache);
+}
+
 _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, 
 				     struct loadparm_context *lp_ctx,
 				     struct smb_krb5_context **smb_krb5_context) 
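Review bot: In the credential loop of smb_gss_krb5_copy_ccache(), `memcmp(tgs->data, KRB5_TGS_NAME, tgs->length)` compares only as many bytes as the first principal component holds, and the only guard is `tgs->length >= 1`. A component that is a prefix of the TGS name (a single "k", for instance) therefore matches, and a component longer than the constant makes memcmp() read past the end of the string literal. Require tgs->length to equal strlen(KRB5_TGS_NAME) before comparing. Separately, the failure return after the first krb5_cc_next_cred() and a loop exit on any error other than KRB5_CC_END both close dummy_ccache without calling krb5_cc_end_seq_get(), and each krb5 failure after krb5_cc_resolve() is reported as EINVAL in *min_stat, which drops the real error code. The comment "as we do consume it at all" presumably means "do not consume".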
@@ -712,8 +836,8 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 {
 	int ret;
 	OM_uint32 maj_stat, min_stat;
-	struct ccache_container *ccc;
-	struct gssapi_creds_container *gcc;
+	struct ccache_container *ccc = NULL;
+	struct gssapi_creds_container *gcc = NULL;
 	if (cred->client_gss_creds_obtained > obtained) {
 		return 0;
 	}
@@ -729,8 +853,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ret;
 	}
 
-	maj_stat = gss_krb5_copy_ccache(&min_stat, 
-					gssapi_cred, ccc->ccache);
+	maj_stat = smb_gss_krb5_copy_ccache(&min_stat,
+					    gssapi_cred,
+					    ccc);
 	if (maj_stat) {
 		if (min_stat) {
 			ret = min_stat;
diff --git a/auth/gensec/external.c b/auth/gensec/external.c
index a26e435..9c17888 100644
--- a/auth/gensec/external.c
+++ b/auth/gensec/external.c
@@ -20,6 +20,8 @@
 */
 
 #include "includes.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
@@ -42,12 +44,51 @@ static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
-				   TALLOC_CTX *out_mem_ctx,
-				   struct tevent_context *ev,
-				   const DATA_BLOB in, DATA_BLOB *out)
+struct gensec_external_update_state {
+	DATA_BLOB out;
+};
+
+static struct tevent_req *gensec_external_update_send(TALLOC_CTX *mem_ctx,
+					struct tevent_context *ev,
+					struct gensec_security *gensec_security,
+					const DATA_BLOB in)
+{
+	struct tevent_req *req;
+	struct gensec_external_update_state *state = NULL;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct gensec_external_update_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->out = data_blob_talloc(state, "", 0);
+	if (tevent_req_nomem(state->out.data, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_done(req);
+	return tevent_req_post(req, ev);
+}
+
+static NTSTATUS gensec_external_update_recv(struct tevent_req *req,
+					    TALLOC_CTX *out_mem_ctx,
+					    DATA_BLOB *out)
 {
-	*out = data_blob_talloc(out_mem_ctx, "", 0);
+	struct gensec_external_update_state *state =
+		tevent_req_data(req,
+		struct gensec_external_update_state);
+	NTSTATUS status;
+
+	*out = data_blob_null;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		tevent_req_received(req);
+		return status;
+	}
+
+	*out = state->out;
+	tevent_req_received(req);
 	return NT_STATUS_OK;
 }
 
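Review bot: gensec_external_update_recv() never uses out_mem_ctx. update_send allocates the blob on the request state with `data_blob_talloc(state, "", 0)`, and recv returns it with `*out = state->out;` immediately before tevent_req_received(req), which frees that state. The caller is left with a blob whose data pointer refers to freed memory. Move the allocation to the caller's context with talloc_steal(out_mem_ctx, state->out.data) before calling tevent_req_received().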
@@ -62,7 +103,8 @@ static const struct gensec_security_ops gensec_external_ops = {
 	.name             = "sasl-EXTERNAL",
 	.sasl_name        = "EXTERNAL",
 	.client_start     = gensec_external_start,
-	.update 	  = gensec_external_update,
+	.update_send      = gensec_external_update_send,
+	.update_recv      = gensec_external_update_recv,
 	.have_feature     = gensec_external_have_feature,
 	.enabled          = true,
 	.priority         = GENSEC_EXTERNAL
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
index d5537a4..e6f33f3 100644
--- a/auth/gensec/ncalrpc.c
+++ b/auth/gensec/ncalrpc.c
@@ -21,6 +21,8 @@
 */
 
 #include "includes.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
@@ -71,11 +73,52 @@ static NTSTATUS gensec_ncalrpc_server_start(struct gensec_security *gensec_secur
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS gensec_ncalrpc_update(struct gensec_security *gensec_security,
-				      TALLOC_CTX *mem_ctx,
-				      struct tevent_context *ev,
-				      const DATA_BLOB in,
-				      DATA_BLOB *out)
+struct gensec_ncalrpc_update_state {
+	NTSTATUS status;
+	DATA_BLOB out;
+};
+
+static NTSTATUS gensec_ncalrpc_update_internal(
+				struct gensec_security *gensec_security,
+				TALLOC_CTX *mem_ctx,
+				const DATA_BLOB in,
+				DATA_BLOB *out);
+
+static struct tevent_req *gensec_ncalrpc_update_send(TALLOC_CTX *mem_ctx,
+					struct tevent_context *ev,
+					struct gensec_security *gensec_security,
+					const DATA_BLOB in)
+{
+	struct tevent_req *req;
+	struct gensec_ncalrpc_update_state *state = NULL;
+	NTSTATUS status;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct gensec_ncalrpc_update_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	status = gensec_ncalrpc_update_internal(gensec_security,
+						state, in,
+						&state->out);
+	state->status = status;
+	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		status = NT_STATUS_OK;
+	}
+	if (tevent_req_nterror(req, status)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_done(req);
+	return tevent_req_post(req, ev);
+}
+
+static NTSTATUS gensec_ncalrpc_update_internal(
+				struct gensec_security *gensec_security,


-- 
Samba Shared Repository


