[SCM] Samba Shared Repository - branch v4-9-test updated

Stefan Metzmacher metze at samba.org
Tue Aug 14 18:50:02 UTC 2018


The branch, v4-9-test has been updated
       via  bf3bb82 libsmb: Fix CID 1438243 Unchecked return value
       via  601eb6b libsmb: Fix CID 1438244 Unsigned compared against 0
       via  33c7d3c smbd: Fix CID 1438245 Dereference before null check
       via  0eaef7e smbd: Fix CID 1438246 Unchecked return value
       via  e30cf1a smbd: Align integer types
       via  2d5c574 ctdb: add expiry test for ctdb_mutex_ceph_rados_helper
       via  37b4e0b ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals
       via  2849d57 ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev
       via  5f3548b ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup
       via  eae828b ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler
       via  609109d ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common
       via  b09fdd0 s3: tests: smbclient. Regression test to ensure we get NT_STATUS_DIRECTORY_NOT_EMPTY on rmdir.
       via  921a5bb s4/torture: Add new test for DELETE_ON_CLOSE on non-empty directories
       via  81b0d5c s3/libsmb: Explicitly set delete_on_close token for rmdir
       via  7ed470b cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
       via  4a2880b libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
       via  61e34a2 libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
       via  4897bf3 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
       via  52b5ed8 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
       via  a5cd47d CVE-2018-10919 acl_read: Flip the logic in the dirsync check
       via  4c201d0 CVE-2018-10919 acl_read: Small refactor to aclread_callback()
       via  0395055 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
       via  605a7f3 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
       via  9c9f50b CVE-2018-10919 tests: test ldap searches for non-existent attributes.
       via  e2574d0 CVE-2018-10919 tests: Add test case for object visibility with limited rights
       via  10a2c8d CVE-2018-10919 tests: Add tests for guessing confidential attributes
       via  17b7206 CVE-2018-10919 security: Add more comments to the object-specific access checks
       via  5bcbf5a CVE-2018-10919 security: Move object-specific access checks into separate function
       via  164766b CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
       via  e2d6ad5 Release LDB 1.4.2 for CVE-2018-1140
       via  bf988ac CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
       via  dc2898f CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
       via  8fed2cc CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
       via  504cff7 CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
       via  31a001f CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
       via  3e89172 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
       via  e2b2c00 CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
       via  48f5dbd CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
       via  d171f8d CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
       via  3579ac4 CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
      from  7751937 s3/smbd: Ensure quota code is only called when quota support detected

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit bf3bb82d8a7e31950f01a3508787a8e6951ea9a4
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Aug 8 10:14:26 2018 +0200

    libsmb: Fix CID 1438243 Unchecked return value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed Aug  8 23:10:22 CEST 2018 on sn-devel-144
    
    Autobuild-User(v4-9-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-9-test): Tue Aug 14 20:49:09 CEST 2018 on sn-devel-144

commit 601eb6bc3fa5b44841bdbc31f31c42f21feb0982
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Aug 8 10:08:38 2018 +0200

    libsmb: Fix CID 1438244 Unsigned compared against 0
    
    ndr_size_dom_sid returns a size_t, so that can't be <0. Also, the only
    case that ndr_size_dom_sid returns 0 is a NULL sid
    pointer. ndr_size_dom_sid can reasonably be assumed to not overflow, the
    number of sub-auths is a uint8. That times 4 plus 8 always fits into a
    size_t.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 33c7d3ceff929a55a27b28d0ce5a31e7ef8b89e7
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 7 22:50:52 2018 +0200

    smbd: Fix CID 1438245 Dereference before null check
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0eaef7eeb0f7eef67ce80955deafc9da23bf153e
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 7 22:49:16 2018 +0200

    smbd: Fix CID 1438246 Unchecked return value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit e30cf1a253ddde90d3d305799f544312872ae03f
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Aug 7 22:48:58 2018 +0200

    smbd: Align integer types
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13553
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2d5c574f459769ea11d1f26b2b2c5f45ce5f6bd7
Author: David Disseldorp <ddiss at samba.org>
Date:   Fri Jul 20 17:20:08 2018 +0200

    ctdb: add expiry test for ctdb_mutex_ceph_rados_helper
    
    Kill the ctdb_mutex_ceph_rados_helper with SIGKILL and then confirm
    that the lock is automatically released following expiry.
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at suse.de>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    
    Autobuild-User(master): David Disseldorp <ddiss at samba.org>
    Autobuild-Date(master): Thu Aug  9 16:26:36 CEST 2018 on sn-devel-144
    
    (cherry picked from commit 4abf348ec4cbb78d3216d5e8c5f3020d4499f10a)

commit 37b4e0bcebfa9741b2862f09d20e363eaad611db
Author: David Disseldorp <ddiss at samba.org>
Date:   Thu Jul 19 11:55:23 2018 +0200

    ctdb_mutex_ceph_rados_helper: fix deadlock via lock renewals
    
    RADOS locks without expiry persist indefinitely. This results in CTDB
    deadlock during failover if the recovery master dies unexpectedly, as
    subsequently elected recovery master nodes can't obtain the recovery
    lock.
    Avoid deadlock by using a lock expiration time (10s by default), and
    renewing it periodically.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13540
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at suse.de>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit ce289e89e5c469cf2c5626dc7f2666b945dba3bd)

commit 2849d5778561b70bb01c03f1978c5f4e8ba419d6
Author: David Disseldorp <ddiss at samba.org>
Date:   Tue Jul 17 23:36:36 2018 +0200

    ctdb_mutex_ceph_rados_helper: rename timer_ev to ppid_timer_ev
    
    In preparation for adding a lock refresh timer.
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at suse.de>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit 91a89c146453ca203a83dc2ba555bb93276c4d7f)

commit 5f3548bc33f5044b91217b1bcdc674029d2e3ecb
Author: David Disseldorp <ddiss at samba.org>
Date:   Thu Jul 19 18:46:27 2018 +0200

    ctdb_mutex_ceph_rados_helper: use talloc destructor for cleanup
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Samuel Cabrero <scabrero at suse.de>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit 8d30fd591600ac17c742cd78c7bc4056bba6b877)

commit eae828b3dd75c8fb699a0da4cc3c15808775afdd
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Fri Jun 15 18:15:53 2018 +0200

    ctdb_mutex_ceph_rados_helper: Set SIGINT signal handler
    
    Set a handler for SIGINT to release the lock.
    
    Signed-off-by: Samuel Cabrero <scabrero at suse.de>
    Reviewed-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit 85706bd27535eaa4ec653f99b1910fbd8f2aab88)

commit 609109ddfbea8cccd058f7bfed525ae7ea4cb155
Author: David Disseldorp <ddiss at samba.org>
Date:   Mon Jul 9 14:53:00 2018 +0200

    ctdb/build: link ctdb_mutex_ceph_rados_helper against ceph-common
    
    ceph-common linkage is needed with new versions of Ceph.
    Also respect the --libcephfs_dir=<path> parameter when provided.
    
    Signed-off-by: David Disseldorp <ddiss at samba.org>
    Reviewed-by: Amitay Isaacs <amitay at gmail.com>
    (cherry picked from commit bd64af6b8861f892e6ae2840a493f037d1e0a06c)

commit b09fdd039b6608c9c8de877e6ce1300b8cae55f3
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Aug 9 10:02:26 2018 -0700

    s3: tests: smbclient. Regression test to ensure we get NT_STATUS_DIRECTORY_NOT_EMPTY on rmdir.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Fri Aug 10 21:08:14 CEST 2018 on sn-devel-144
    
    (cherry picked from commit bca400847f2fcc3dd1398e166c1964cb88822071)

commit 921a5bbd3c70ab16ad47fda94f054e113f49bc7c
Author: Anoop C S <anoopcs at redhat.com>
Date:   Thu Aug 9 20:02:05 2018 +0530

    s4/torture: Add new test for DELETE_ON_CLOSE on non-empty directories
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
    
    Signed-off-by: Anoop C S <anoopcs at redhat.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 6a7f11746c9cc3cdc5307e540bdd1f3f10fed05b)

commit 81b0d5cda82eb5ef284bd9083fa4f9e83e188e5a
Author: Anoop C S <anoopcs at redhat.com>
Date:   Thu Aug 9 12:28:41 2018 +0530

    s3/libsmb: Explicitly set delete_on_close token for rmdir
    
    The current implementation of `rmdir` hopes to get the directory deleted
    on closing last open handle when FILE_DELETE_ON_CLOSE is set on it. But
    for non-empty directories Windows doesn't error out during an open call.
    Following that we internally refuse to set initial delete_on_close while
    opening a non-empty directory. This prevents us from trying to delete
    the directory when last open handle is closed.
    
    Instead of relying on FILE_DELETE_ON_CLOSE during an open we explicitly
    set delete_on_close token on directory handle once it is available. This
    ensures that NT_STATUS_DIRECTORY_NOT_EMPTY is returned for `rmdir` on
    non-empty directories while closing open directory handle.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13204
    
    Signed-off-by: Anoop C S <anoopcs at redhat.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 6b68e3eca631c04d6d57c489daf60f64732fc86d)

commit 7ed470b1ad90174166ab561ab95751ffc6e240d9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jul 30 14:00:18 2018 +1200

    cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
    
    This regression was introduced in Samba 4.7 by bug 12842 and in
    master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 4a2880b670b261ca9fbc70b4665aa86ee2a2c07a
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jun 15 15:08:17 2018 -0700

    libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
    
    CVE-2018-10858: Insufficient input validation on client directory
    		listing in libsmbclient.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 61e34a2002e069527011e254434e044d2e12cda4
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jun 15 15:07:17 2018 -0700

    libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
    
    CVE-2018-10858: Insufficient input validation on client directory
    		listing in libsmbclient.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 4897bf3de3a9ad467658f2af26a3b6eb489509fc
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Aug 1 13:51:42 2018 +1200

    CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
    
    The acl_read.c code contains a special case to allow dirsync to
    work-around having insufficient access rights. We had a concern that
    the dirsync module could leak sensitive information for deleted objects.
    This patch adds a test-case to prove whether or not this is happening.
    
    The new test case is similar to the existing dirsync test except:
    - We make the confidential attribute also preserve-on-delete, so it
      hangs around for deleted objects. Because the attributes now persist
      across test case runs, I've used a different attribute to normal.
      (Technically, the dirsync search expressions are now specific enough
      that the regular attribute could be used, but it would make things
      quite fragile if someone tried to add a new test case).
    - To handle searching for deleted objects, the search expressions are
      now more complicated. Currently dirsync adds an extra-filter to the
      '!' searches to exclude deleted objects, i.e. samaccountname matches
      the test-objects AND the object is not deleted. We now extend this to
      include deleted objects with lastKnownParent equal to the test OU.
      The search expression matches either case so that we can use the same
      expression throughout the test (regardless of whether the object is
      deleted yet or not).
    
    This test proves that the dirsync corner-case does not actually leak
    sensitive information on Samba. This is due to a bug in the dirsync
    code - when the buggy line is removed, this new test promptly fails.
    Test also passes against Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 52b5ed820c874eadadb88fd0db2103718cb8ebc0
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Jul 20 15:42:36 2018 +1200

    CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
    
    A user that doesn't have access to view an attribute can still guess the
    attribute's value via repeated LDAP searches. This affects confidential
    attributes, as well as ACLs applied to an object/attribute to deny
    access.
    
    Currently the code will hide objects if the attribute filter contains an
    attribute they are not authorized to see. However, the code still
    returns objects as results if a confidential attribute is in the search
    expression itself, but not in the attribute filter.
    
    To fix this problem we have to check the access rights on the attributes
    in the search-tree, as well as the attributes returned in the message.
    
    Points of note:
    - I've preserved the existing dirsync logic (the dirsync module code
      suppresses the result as long as the replPropertyMetaData attribute is
      removed). However, there doesn't appear to be any test that highlights
      that this functionality is required for dirsync.
    - To avoid this fix breaking the acl.py tests, we need to still permit
      searches like 'objectClass=*', even though we don't have Read Property
      access rights for the objectClass attribute. The logic that Windows
      uses does not appear to be clearly documented, so I've made a best
      guess that seems to mirror Windows behaviour.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
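
The check described in the commit message above, as an added sketch in C (not Samba's acl_read.c code): a search is evaluated once with only the requested attribute list checked, and once with the attributes in the search expression checked too. All type and function names, the `secretCode` attribute and the sample object are constructed for illustration; the `objectClass=*` exemption follows the commit's note and is an assumption about its exact form.

```c
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>

/* Simplified model; type and function names are hypothetical, not Samba's. */
enum op { OP_AND, OP_OR, OP_NOT, OP_EQUALITY, OP_PRESENT };
struct tree {
    enum op op;
    const char *attr;             /* leaf operations only */
    const char *value;            /* OP_EQUALITY only */
    const struct tree *child[2];  /* AND/OR use both, NOT uses child[0] */
};
struct element { const char *attr, *value; };
struct object { const struct element *el; size_t n; };

/* Constructed policy: the searching user has no Read Property on these. */
static const char *const denied[] = { "secretCode", "objectClass", NULL };

static bool can_read(const char *attr)
{
    for (size_t i = 0; denied[i] != NULL; i++)
        if (strcasecmp(attr, denied[i]) == 0) return false;
    return true;
}

static const char *get(const struct object *o, const char *attr)
{
    for (size_t i = 0; i < o->n; i++)
        if (strcasecmp(o->el[i].attr, attr) == 0) return o->el[i].value;
    return NULL;
}

/* Plain filter evaluation with no access control. */
static bool matches(const struct tree *t, const struct object *o)
{
    const char *v = t->attr ? get(o, t->attr) : NULL;
    switch (t->op) {
    case OP_AND: return matches(t->child[0], o) && matches(t->child[1], o);
    case OP_OR: return matches(t->child[0], o) || matches(t->child[1], o);
    case OP_NOT: return !matches(t->child[0], o);
    case OP_PRESENT: return v != NULL;
    case OP_EQUALITY: return v != NULL && strcasecmp(v, t->value) == 0;
    }
    return false;
}

/* The added check: every attribute named in the search tree must be readable. */
static bool tree_readable(const struct tree *t)
{
    switch (t->op) {
    case OP_AND: case OP_OR:
        return tree_readable(t->child[0]) && tree_readable(t->child[1]);
    case OP_NOT: return tree_readable(t->child[0]);
    case OP_PRESENT:
        /* Assumption of this sketch: objectClass=* stays permitted. */
        return strcasecmp(t->attr, "objectClass") == 0 || can_read(t->attr);
    case OP_EQUALITY: return can_read(t->attr);
    }
    return false;
}

static bool attrs_readable(const char *const *attrs)
{
    for (size_t i = 0; attrs[i] != NULL; i++)
        if (!can_read(attrs[i])) return false;
    return true;
}

/* Before: only the requested attribute list is checked. */
bool returned_before(const struct tree *t, const struct object *o, const char *const *attrs)
{
    return matches(t, o) && attrs_readable(attrs);
}
/* After: the attributes in the search expression are checked as well. */
bool returned_after(const struct tree *t, const struct object *o, const char *const *attrs)
{
    return returned_before(t, o, attrs) && tree_readable(t);
}

/* Constructed sample object and searches. */
static const struct element alice_el[] = {
    { "objectClass", "user" }, { "cn", "alice" }, { "secretCode", "1234" },
};
static const struct object alice = { alice_el, 3 };
static const char *const want_cn[] = { "cn", NULL };
static const char *const want_secret[] = { "secretCode", NULL };
static const struct tree f_cn = { OP_EQUALITY, "cn", "alice", { NULL, NULL } };
static const struct tree f_secret = { OP_EQUALITY, "secretCode", "1234", { NULL, NULL } };
static const struct tree f_and = { OP_AND, NULL, NULL, { &f_cn, &f_secret } };
static const struct tree f_oc = { OP_PRESENT, "objectClass", NULL, { NULL, NULL } };

int main(void)
{
    printf("secret in filter: before=%d after=%d; secret requested: %d; objectClass=*: %d\n",
           returned_before(&f_and, &alice, want_cn),
           returned_after(&f_and, &alice, want_cn),
           returned_after(&f_cn, &alice, want_secret),
           returned_after(&f_oc, &alice, want_cn));
    return 0;
}
```

In this model an object is suppressed whenever the expression names an unreadable attribute, whether or not the value matches, so the presence or absence of a result no longer depends on the confidential value.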

commit a5cd47d85c77a095ec99412dd6538929b7c39248
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 30 16:00:15 2018 +1200

    CVE-2018-10919 acl_read: Flip the logic in the dirsync check
    
    This better reflects the special case we're making for dirsync, and gets
    rid of an 'if-else' clause.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 4c201d0a09a082f47ddfdcb021ac4d82a9a3dc77
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jul 26 12:20:49 2018 +1200

    CVE-2018-10919 acl_read: Small refactor to aclread_callback()
    
    Flip the dirsync check (to avoid a double negative), and use a helper
    boolean variable.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 03950558a4566c4044e374d37f2b8f5a80005bf6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Jul 20 13:52:24 2018 +1200

    CVE-2018-10919 acl_read: Split access_mask logic out into helper function
    
    So we can re-use the same logic later for checking the search-ops.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 605a7f3b3c03e2f1efb49f5dea400a38a03339f9
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Jul 20 13:01:00 2018 +1200

    CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
    
    An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
    rights to a specific attribute would not actually grant access.
    
    What was happening was the remaining_access mask for the object_tree
    nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
    to the schemaIDGUID for a given attribute, which would end up being a
    child node in the tree. So the CR bit was cleared for a child node, but
    not the rest of the tree. We would then check the user had the RP access
    right, which it did. However, the RP right was cleared for another node
    in the tree, which still had the CR bit set in its remaining_access
    bitmap, so Samba would not grant access.
    
    Generally, the remaining_access only ever has one bit set, which means
    this isn't a problem normally. However, in the Control Access case there
    are 2 separate bits being checked, i.e. RP + CR.
    
    One option to fix this problem would be to clear the remaining_access
    for the tree instead of just the node. However, the Windows spec is
    actually pretty clear on this: if the ACE has a CR right present, then
    you can stop any further access checks.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 9c9f50b362f28869e374378baa8362218de11a48
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Fri Aug 3 15:51:28 2018 +1200

    CVE-2018-10919 tests: test ldap searches for non-existent attributes.
    
    It is perfectly legal to search LDAP for an attribute that is not part
    of the schema.  That part of the query should simply not match.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e2574d092dc91ee1ba7ee04938c63b3ee811c5af
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Wed Jul 25 10:08:34 2018 +1200

    CVE-2018-10919 tests: Add test case for object visibility with limited rights
    
    Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
    attribute=*) searches compared to Windows.
    
    All the acl.py tests are based on objectClass=* searches, where Windows
    will happily tell a user about objects they have List Contents rights,
    but not Read Property rights for. However, if you change the attribute
    being searched for, suddenly the objects are no longer visible on
    Windows (whereas they are on Samba).
    
    This is a problem, because Samba can tell you about which objects have
    confidential attributes, which in itself could be disclosive.
    
    This patch adds an acl.py test-case that highlights this behaviour. The
    test passes against Windows but fails against Samba.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 10a2c8da54adc85a9d567e8b805a2cce16893d9e
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 9 15:57:59 2018 +1200

    CVE-2018-10919 tests: Add tests for guessing confidential attributes
    
    Adds tests that assert that a confidential attribute cannot be guessed
    by an unprivileged user through wildcard DB searches.
    
    The tests basically consist of a set of DB searches/assertions that
    get run for:
    - basic searches against a confidential attribute
    - confidential attributes that get overridden by giving access to the
      user via an ACE (run against a variety of ACEs)
    - protecting a non-confidential attribute via an ACL that denies read-
      access (run against a variety of ACEs)
    - querying confidential attributes via the dirsync controls
    
    These tests all pass when run against a Windows DC and all fail against
    a Samba DC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 17b7206a6d1399185a3b1d90aba5f2e26a9e7236
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Fri Jul 20 13:13:50 2018 +1200

    CVE-2018-10919 security: Add more comments to the object-specific access checks
    
    Reading the spec and then reading the code makes sense, but we could
    comment the code more so it makes sense on its own.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 5bcbf5a308cb5e516b257bf1769728d22e9b6f36
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Thu Jul 19 16:03:36 2018 +1200

    CVE-2018-10919 security: Move object-specific access checks into separate function
    
    Object-specific access checks refer to a specific section of the
    MS-ADTS, and the code closely matches the spec. We need to extend this
    logic to properly handle the Control-Access Right (CR), so it makes
    sense to split the logic out into its own function.
    
    This patch just moves the code, and should not alter the logic (apart
    from adding in the boolean grant_access return variable).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 164766b8800c59a3f981aeb3ea1b3ab4e2e31a54
Author: Kai Blin <kai at samba.org>
Date:   Fri Jun 8 18:20:16 2018 +0200

    CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
    
    Signed-off-by: Kai Blin <kai at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit e2d6ad5147e0bf5869e94eb60c49c385e91eba5d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 14 13:59:45 2018 +1200

    Release LDB 1.4.2 for CVE-2018-1140
    
    * Security fix for CVE-2018-1140 (NULL pointer de-reference, bug 13374)
    * Fix memory leaks and missing error checks (bug 13459, 13471, 13475)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit bf988acd2e7e79fd6c53954bbcb9472db422c9cb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 21 15:25:58 2018 +1200

    CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

commit dc2898f114dbd7bdff7f29c758819500a6238136
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 21 15:23:53 2018 +1200

    CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
    
    This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
    would otherwise fail.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

commit 8fed2cc0a96a2ccde675a8f72bb5db31174189e2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 21 15:20:26 2018 +1200

    CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
    
    ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
    call to ldb_dn_get_casefold() can fail if the input is not valid.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

commit 504cff7aa875df67385fb4fcd4f7f1f461d377b4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon May 21 14:50:50 2018 +1200

    CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

commit 31a001f2e2f8eadd3e652984e30b7c0cccfe4f1c
Author: Andrej Gessel <Andrej.Gessel at janztec.com>
Date:   Fri Apr 6 18:18:33 2018 +0200

    CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
    
    Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

commit 3e89172fc75d5b2f5d5ec2b7b7efdf3be5c174eb
Author: Günther Deschner <gd at samba.org>
Date:   Tue Mar 13 16:56:20 2018 +0100

    CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
    
    This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
    
    Found by Vivek Das <vdas at redhat.com> (Red Hat QE).
    
    In order to demonstrate simply run:
    
    smbclient //server/share -U user%password -mNT1 -c quit \
    --option="client ntlmv2 auth"=no \
    --option="client use spnego"=no
    
    against a server that uses "ntlm auth = ntlmv2-only" (our default
    setting).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    
    CVE-2018-1139: Weak authentication protocol allowed.
    
    Guenther
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit e2b2c00626ff677c430d49c0454bc70be5f40d28
Author: Günther Deschner <gd at samba.org>
Date:   Fri Mar 16 17:25:12 2018 +0100

    CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
    
    Right now, this test will succeed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    
    CVE-2018-1139: Weak authentication protocol allowed.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 48f5dbd7dbc397c16056e1466998b31ed75b5bad
Author: Günther Deschner <gd at samba.org>
Date:   Wed Mar 14 15:35:01 2018 +0100

    CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    
    CVE-2018-1139: Weak authentication protocol allowed.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit d171f8d1938393982b6645afc095a06a30ef8420
Author: Günther Deschner <gd at samba.org>
Date:   Wed Mar 14 15:36:05 2018 +0100

    CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    
    CVE-2018-1139: Weak authentication protocol allowed.
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 3579ac445ab25c319dc520f01b516b103b140c07
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jul 27 08:44:24 2018 +1200

    CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c     |  200 +++-
 ctdb/utils/ceph/test_ceph_rados_reclock.sh         |   57 +-
 ctdb/wscript                                       |   14 +-
 lib/ldb/ABI/{ldb-1.4.1.sigs => ldb-1.4.2.sigs}     |    0
 ...b-util.py3-1.4.1.sigs => pyldb-util-1.4.2.sigs} |    0
 ...il.py3-1.4.1.sigs => pyldb-util.py3-1.4.2.sigs} |    0
 lib/ldb/ldb_sqlite3/ldb_sqlite3.c                  |    3 +
 lib/ldb/ldb_tdb/ldb_index.c                        |   18 +
 lib/ldb/ldb_tdb/ldb_search.c                       |   16 +
 lib/ldb/ldb_tdb/ldb_tdb.c                          |   27 +-
 lib/ldb/tests/python/api.py                        |  156 +++
 lib/ldb/wscript                                    |    2 +-
 libcli/auth/ntlm_check.c                           |   10 +-
 libcli/auth/tests/ntlm_check.c                     |  413 ++++++++
 libcli/auth/wscript_build                          |   13 +
 libcli/security/access_check.c                     |  110 ++-
 python/samba/tests/dns_invalid.py                  |   87 ++
 selftest/knownfail                                 |    3 +-
 selftest/tests.py                                  |    2 +
 source3/libsmb/cli_smb2_fnum.c                     |   13 +-
 source3/libsmb/cliquota.c                          |    9 +-
 source3/libsmb/libsmb_dir.c                        |   57 +-
 source3/libsmb/libsmb_path.c                       |    9 +-
 source3/script/tests/test_smbclient_s3.sh          |   42 +
 source3/selftest/tests.py                          |    2 +-
 source3/smbd/nttrans.c                             |   15 +-
 source3/utils/ntlm_auth.c                          |    6 +-
 source4/dsdb/samdb/cracknames.c                    |    8 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c          |  331 ++++++-
 source4/dsdb/tests/python/acl.py                   |   68 ++
 source4/dsdb/tests/python/confidential_attr.py     | 1016 ++++++++++++++++++++
 source4/dsdb/tests/python/ldap.py                  |    9 +
 source4/selftest/tests.py                          |    6 +
 source4/torture/basic/delete.c                     |   87 ++
 source4/torture/drs/python/cracknames.py           |   38 +
 35 files changed, 2703 insertions(+), 144 deletions(-)
 copy lib/ldb/ABI/{ldb-1.4.1.sigs => ldb-1.4.2.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.1.sigs => pyldb-util-1.4.2.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.4.1.sigs => pyldb-util.py3-1.4.2.sigs} (100%)
 create mode 100644 libcli/auth/tests/ntlm_check.c
 create mode 100644 python/samba/tests/dns_invalid.py
 create mode 100755 source4/dsdb/tests/python/confidential_attr.py


Changeset truncated at 500 lines:

diff --git a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
index 326a0b0..7ef76c2 100644
--- a/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
+++ b/ctdb/utils/ceph/ctdb_mutex_ceph_rados_helper.c
@@ -1,7 +1,7 @@
 /*
    CTDB mutex helper using Ceph librados locks
 
-   Copyright (C) David Disseldorp 2016
+   Copyright (C) David Disseldorp 2016-2018
 
    Based on ctdb_mutex_fcntl_helper.c, which is:
    Copyright (C) Martin Schwenke 2015
@@ -29,6 +29,11 @@
 #define CTDB_MUTEX_CEPH_LOCK_NAME	"ctdb_reclock_mutex"
 #define CTDB_MUTEX_CEPH_LOCK_COOKIE	CTDB_MUTEX_CEPH_LOCK_NAME
 #define CTDB_MUTEX_CEPH_LOCK_DESC	"CTDB recovery lock"
+/*
+ * During failover it may take up to <lock duration> seconds before the
+ * newly elected recovery master can obtain the lock.
+ */
+#define CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT	10
 
 #define CTDB_MUTEX_STATUS_HOLDING "0"
 #define CTDB_MUTEX_STATUS_CONTENDED "1"
@@ -88,24 +93,20 @@ static int ctdb_mutex_rados_ctx_create(const char *ceph_cluster_name,
 	return 0;
 }
 
-static void ctdb_mutex_rados_ctx_destroy(rados_t ceph_cluster,
-					 rados_ioctx_t ioctx)
-{
-	rados_ioctx_destroy(ioctx);
-	rados_shutdown(ceph_cluster);
-}
-
 static int ctdb_mutex_rados_lock(rados_ioctx_t *ioctx,
-				 const char *oid)
+				 const char *oid,
+				 uint64_t lock_duration_s,
+				 uint8_t flags)
 {
 	int ret;
+	struct timeval tv = { lock_duration_s, 0 };
 
 	ret = rados_lock_exclusive(ioctx, oid,
-                                   CTDB_MUTEX_CEPH_LOCK_NAME,
+				   CTDB_MUTEX_CEPH_LOCK_NAME,
 				   CTDB_MUTEX_CEPH_LOCK_COOKIE,
 				   CTDB_MUTEX_CEPH_LOCK_DESC,
-                                   NULL, /* infinite duration */
-                                   0);
+				   lock_duration_s == 0 ? NULL : &tv,
+				   flags);
 	if ((ret == -EEXIST) || (ret == -EBUSY)) {
 		/* lock contention */
 		return ret;
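Review bot: In ctdb_mutex_rados_lock(), `struct timeval tv = { lock_duration_s, 0 };` implicitly converts a uint64_t to tv_sec, which is a signed time_t, so a very large duration becomes a negative or truncated timeout before it reaches rados_lock_exclusive(). Nothing in this function bounds the value; the only special case is `lock_duration_s == 0`. Reject durations above a sane maximum where the argument is parsed, or take a narrower type here, and document in a comment above the function that 0 means no expiry.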
@@ -145,10 +146,13 @@ struct ctdb_mutex_rados_state {
 	const char *ceph_auth_name;
 	const char *pool_name;
 	const char *object;
+	uint64_t lock_duration_s;
 	int ppid;
 	struct tevent_context *ev;
-	struct tevent_signal *sig_ev;
-	struct tevent_timer *timer_ev;
+	struct tevent_signal *sigterm_ev;
+	struct tevent_signal *sigint_ev;
+	struct tevent_timer *ppid_timer_ev;
+	struct tevent_timer *renew_timer_ev;
 	rados_t ceph_cluster;
 	rados_ioctx_t ioctx;
 };
@@ -161,29 +165,24 @@ static void ctdb_mutex_rados_sigterm_cb(struct tevent_context *ev,
 					void *private_data)
 {
 	struct ctdb_mutex_rados_state *cmr_state = private_data;
-	int ret;
+	int ret = 0;
 
 	if (!cmr_state->holding_mutex) {
 		fprintf(stderr, "Sigterm callback invoked without mutex!\n");
 		ret = -EINVAL;
-		goto err_ctx_cleanup;
 	}
 
-	ret = ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
-err_ctx_cleanup:
-	ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
-				     cmr_state->ioctx);
 	talloc_free(cmr_state);
 	exit(ret ? 1 : 0);
 }
 
-static void ctdb_mutex_rados_timer_cb(struct tevent_context *ev,
-				      struct tevent_timer *te,
-				      struct timeval current_time,
-				      void *private_data)
+static void ctdb_mutex_rados_ppid_timer_cb(struct tevent_context *ev,
+					   struct tevent_timer *te,
+					   struct timeval current_time,
+					   void *private_data)
 {
 	struct ctdb_mutex_rados_state *cmr_state = private_data;
-	int ret;
+	int ret = 0;
 
 	if (!cmr_state->holding_mutex) {
 		fprintf(stderr, "Timer callback invoked without mutex!\n");
@@ -193,26 +192,81 @@ static void ctdb_mutex_rados_timer_cb(struct tevent_context *ev,
 
 	if ((kill(cmr_state->ppid, 0) == 0) || (errno != ESRCH)) {
 		/* parent still around, keep waiting */
-		cmr_state->timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
+		cmr_state->ppid_timer_ev = tevent_add_timer(cmr_state->ev,
+							    cmr_state,
 					       tevent_timeval_current_ofs(5, 0),
-						      ctdb_mutex_rados_timer_cb,
-						       cmr_state);
-		if (cmr_state->timer_ev == NULL) {
+						ctdb_mutex_rados_ppid_timer_cb,
+							    cmr_state);
+		if (cmr_state->ppid_timer_ev == NULL) {
 			fprintf(stderr, "Failed to create timer event\n");
 			/* rely on signal cb */
 		}
 		return;
 	}
 
-	/* parent ended, drop lock and exit */
-	ret = ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
+	/* parent ended, drop lock (via destructor) and exit */
 err_ctx_cleanup:
-	ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
-				     cmr_state->ioctx);
 	talloc_free(cmr_state);
 	exit(ret ? 1 : 0);
 }
 
+#define USECS_IN_SEC 1000000
+
+static void ctdb_mutex_rados_lock_renew_timer_cb(struct tevent_context *ev,
+						 struct tevent_timer *te,
+						 struct timeval current_time,
+						 void *private_data)
+{
+	struct ctdb_mutex_rados_state *cmr_state = private_data;
+	struct timeval tv;
+	int ret;
+
+	ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object,
+				    cmr_state->lock_duration_s,
+				    LIBRADOS_LOCK_FLAG_RENEW);
+	if (ret == -EBUSY) {
+		/* should never get -EEXIST on renewal */
+		fprintf(stderr, "Lock contention during renew: %d\n", ret);
+		goto err_ctx_cleanup;
+	} else if (ret < 0) {
+		fprintf(stderr, "Lock renew failed\n");
+		goto err_ctx_cleanup;
+	}
+
+	tv = tevent_timeval_current_ofs(0,
+			    cmr_state->lock_duration_s * (USECS_IN_SEC / 2));
+	cmr_state->renew_timer_ev = tevent_add_timer(cmr_state->ev,
+						       cmr_state,
+						       tv,
+					ctdb_mutex_rados_lock_renew_timer_cb,
+						       cmr_state);
+	if (cmr_state->renew_timer_ev == NULL) {
+		fprintf(stderr, "Failed to create timer event\n");
+		goto err_ctx_cleanup;
+	}
+
+	return;
+
+err_ctx_cleanup:
+	/* drop lock (via destructor) and exit */
+	talloc_free(cmr_state);
+	exit(1);
+}
+
+static int ctdb_mutex_rados_state_destroy(struct ctdb_mutex_rados_state *cmr_state)
+{
+	if (cmr_state->holding_mutex) {
+		ctdb_mutex_rados_unlock(cmr_state->ioctx, cmr_state->object);
+	}
+	if (cmr_state->ioctx != NULL) {
+		rados_ioctx_destroy(cmr_state->ioctx);
+	}
+	if (cmr_state->ceph_cluster != NULL) {
+		rados_shutdown(cmr_state->ceph_cluster);
+	}
+	return 0;
+}
+
 int main(int argc, char *argv[])
 {
 	int ret;
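Review bot: ctdb_mutex_rados_state_destroy() discards the return value of ctdb_mutex_rados_unlock(), so the SIGTERM and parent-exit paths now exit 0 even when the unlock fails; before this change both callbacks assigned the unlock result to ret and exited 1 on failure. With a duration of 0 there is no expiry to fall back on, so a failed unlock leaves the lock in place with no trace. Log the failure to stderr in the destructor and clear holding_mutex once the unlock succeeds. Separately, in ctdb_mutex_rados_lock_renew_timer_cb() the comment `/* should never get -EEXIST on renewal */` sits inside the -EBUSY branch and reads as if it described that branch; move it above the if.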
@@ -220,9 +274,10 @@ int main(int argc, char *argv[])
 
 	progname = argv[0];
 
-	if (argc != 5) {
+	if ((argc != 5) && (argc != 6)) {
 		fprintf(stderr, "Usage: %s <Ceph Cluster> <Ceph user> "
-				"<RADOS pool> <RADOS object>\n",
+				"<RADOS pool> <RADOS object> "
+				"[lock duration secs]\n",
 			progname);
 		ret = -EINVAL;
 		goto err_out;
@@ -240,10 +295,24 @@ int main(int argc, char *argv[])
 		goto err_out;
 	}
 
+	talloc_set_destructor(cmr_state, ctdb_mutex_rados_state_destroy);
 	cmr_state->ceph_cluster_name = argv[1];
 	cmr_state->ceph_auth_name = argv[2];
 	cmr_state->pool_name = argv[3];
 	cmr_state->object = argv[4];
+	if (argc == 6) {
+		/* optional lock duration provided */
+		char *endptr = NULL;
+		cmr_state->lock_duration_s = strtoull(argv[5], &endptr, 0);
+		if ((endptr == argv[5]) || (*endptr != '\0')) {
+			fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+			ret = -EINVAL;
+			goto err_ctx_cleanup;
+		}
+	} else {
+		cmr_state->lock_duration_s
+			= CTDB_MUTEX_CEPH_LOCK_DURATION_SECS_DEFAULT;
+	}
 
 	cmr_state->ppid = getppid();
 	if (cmr_state->ppid == 1) {
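Review bot: The `strtoull(argv[5], &endptr, 0)` parse of the optional lock duration only checks for an empty string and trailing garbage. It does not reset and test errno for ERANGE, it accepts a leading minus sign (strtoull negates the value, so "-1" becomes ULLONG_MAX), and there is no upper bound. The result feeds both the tv_sec of the lock timeout and the renewal interval multiplication, so an out-of-range value should fail here with -EINVAL. Set errno = 0 before the call, reject ERANGE and a leading '-', and cap the value. This error path also prints only CTDB_MUTEX_STATUS_ERROR to stdout; a stderr message naming the bad argument would match the other failure paths in main().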
@@ -257,7 +326,7 @@ int main(int argc, char *argv[])
 		 */
 		fprintf(stderr, "%s: PPID == 1\n", progname);
 		ret = -EPIPE;
-		goto err_state_free;
+		goto err_ctx_cleanup;
 	}
 
 	cmr_state->ev = tevent_context_init(cmr_state);
@@ -265,30 +334,40 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "tevent_context_init failed\n");
 		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
 		ret = -ENOMEM;
-		goto err_state_free;
+		goto err_ctx_cleanup;
 	}
 
 	/* wait for sigterm */
-	cmr_state->sig_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGTERM, 0,
+	cmr_state->sigterm_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGTERM, 0,
 					      ctdb_mutex_rados_sigterm_cb,
 					      cmr_state);
-	if (cmr_state->sig_ev == NULL) {
-		fprintf(stderr, "Failed to create signal event\n");
+	if (cmr_state->sigterm_ev == NULL) {
+		fprintf(stderr, "Failed to create term signal event\n");
 		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
 		ret = -ENOMEM;
-		goto err_state_free;
+		goto err_ctx_cleanup;
+	}
+
+	cmr_state->sigint_ev = tevent_add_signal(cmr_state->ev, cmr_state, SIGINT, 0,
+					      ctdb_mutex_rados_sigterm_cb,
+					      cmr_state);
+	if (cmr_state->sigint_ev == NULL) {
+		fprintf(stderr, "Failed to create int signal event\n");
+		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+		ret = -ENOMEM;
+		goto err_ctx_cleanup;
 	}
 
 	/* periodically check parent */
-	cmr_state->timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
+	cmr_state->ppid_timer_ev = tevent_add_timer(cmr_state->ev, cmr_state,
 					       tevent_timeval_current_ofs(5, 0),
-					       ctdb_mutex_rados_timer_cb,
+					       ctdb_mutex_rados_ppid_timer_cb,
 					       cmr_state);
-	if (cmr_state->timer_ev == NULL) {
+	if (cmr_state->ppid_timer_ev == NULL) {
 		fprintf(stderr, "Failed to create timer event\n");
 		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
 		ret = -ENOMEM;
-		goto err_state_free;
+		goto err_ctx_cleanup;
 	}
 
 	ret = ctdb_mutex_rados_ctx_create(cmr_state->ceph_cluster_name,
@@ -298,10 +377,12 @@ int main(int argc, char *argv[])
 					  &cmr_state->ioctx);
 	if (ret < 0) {
 		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
-		goto err_state_free;
+		goto err_ctx_cleanup;
 	}
 
-	ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object);
+	ret = ctdb_mutex_rados_lock(cmr_state->ioctx, cmr_state->object,
+				    cmr_state->lock_duration_s,
+				    0);
 	if ((ret == -EEXIST) || (ret == -EBUSY)) {
 		fprintf(stdout, CTDB_MUTEX_STATUS_CONTENDED);
 		goto err_ctx_cleanup;
@@ -309,8 +390,28 @@ int main(int argc, char *argv[])
 		fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
 		goto err_ctx_cleanup;
 	}
-
 	cmr_state->holding_mutex = true;
+
+	if (cmr_state->lock_duration_s != 0) {
+		/*
+		 * renew (reobtain) the lock, using a period of half the lock
+		 * duration. Convert to usecs to avoid rounding.
+		 */
+		struct timeval tv = tevent_timeval_current_ofs(0,
+			       cmr_state->lock_duration_s * (USECS_IN_SEC / 2));
+		cmr_state->renew_timer_ev = tevent_add_timer(cmr_state->ev,
+							       cmr_state,
+							       tv,
+					ctdb_mutex_rados_lock_renew_timer_cb,
+							       cmr_state);
+		if (cmr_state->renew_timer_ev == NULL) {
+			fprintf(stderr, "Failed to create timer event\n");
+			fprintf(stdout, CTDB_MUTEX_STATUS_ERROR);
+			ret = -ENOMEM;
+			goto err_ctx_cleanup;
+		}
+	}
+
 	fprintf(stdout, CTDB_MUTEX_STATUS_HOLDING);
 
 	/* wait for the signal / timer events to do their work */
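Review bot: The renewal interval `cmr_state->lock_duration_s * (USECS_IN_SEC / 2)` is a 64-bit product passed as the usecs argument of tevent_timeval_current_ofs(), which takes a uint32_t, so durations of 8590 seconds or more truncate and the renew timer fires at an unrelated interval, possibly after the lock has already expired. Pass whole seconds and the half-second remainder separately, for example lock_duration_s / 2 as secs and (lock_duration_s % 2) * (USECS_IN_SEC / 2) as usecs, with the duration bounded at parse time. The same expression is repeated in ctdb_mutex_rados_lock_renew_timer_cb(); put it in one helper so the two call sites cannot drift apart.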
@@ -319,9 +420,6 @@ int main(int argc, char *argv[])
 		goto err_ctx_cleanup;
 	}
 err_ctx_cleanup:
-	ctdb_mutex_rados_ctx_destroy(cmr_state->ceph_cluster,
-				     cmr_state->ioctx);
-err_state_free:
 	talloc_free(cmr_state);
 err_out:
 	return ret ? 1 : 0;
diff --git a/ctdb/utils/ceph/test_ceph_rados_reclock.sh b/ctdb/utils/ceph/test_ceph_rados_reclock.sh
index 1adacf6..68b44ff 100755
--- a/ctdb/utils/ceph/test_ceph_rados_reclock.sh
+++ b/ctdb/utils/ceph/test_ceph_rados_reclock.sh
@@ -46,7 +46,9 @@ which ctdb_mutex_ceph_rados_helper || exit 1
 TMP_DIR="$(mktemp --directory)" || exit 1
 rados -p "$POOL" rm "$OBJECT"
 
-(ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" \
+# explicitly disable lock expiry (duration=0), to ensure that we don't get
+# intermittent failures (due to renewal) from the lock state diff further down
+(ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" 0 \
 							> ${TMP_DIR}/first) &
 locker_pid=$!
 
@@ -78,6 +80,9 @@ LOCKER_COOKIE="$(jq -r '.lockers[0].cookie' ${TMP_DIR}/lock_state_first)"
 LOCKER_DESC="$(jq -r '.lockers[0].description' ${TMP_DIR}/lock_state_first)"
 [ "$LOCKER_DESC" == "CTDB recovery lock" ] \
 	|| _fail "unexpected locker description: $LOCKER_DESC"
+LOCKER_EXP="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_first)"
+[ "$LOCKER_EXP" == "0.000000" ] \
+	|| _fail "unexpected locker expiration: $LOCKER_EXP"
 
 # second attempt while first is still holding the lock - expect failure
 ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" "$POOL" "$OBJECT" \
@@ -145,6 +150,56 @@ third_out=$(cat ${TMP_DIR}/third)
 [ "$third_out" == "0" ] \
 	|| _fail "expected lock acquisition (0), but got $third_out"
 
+# test renew / expire behaviour using a 1s expiry (update period = 500ms)
+exec >${TMP_DIR}/forth -- ctdb_mutex_ceph_rados_helper "$CLUSTER" "$USER" \
+							"$POOL" "$OBJECT" 1 &
+locker_pid=$!
+
+sleep 1
+
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+						> ${TMP_DIR}/lock_state_fifth_a
+#echo "with lock fifth: `cat ${TMP_DIR}/lock_state_fifth_a`"
+
+LOCK_NAME="$(jq -r '.name' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCK_NAME" == "ctdb_reclock_mutex" ] \
+	|| _fail "unexpected lock name: $LOCK_NAME"
+LOCK_TYPE="$(jq -r '.type' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCK_TYPE" == "exclusive" ] \
+	|| _fail "unexpected lock type: $LOCK_TYPE"
+LOCK_COUNT="$(jq -r '.lockers | length' ${TMP_DIR}/lock_state_fifth_a)"
+[ $LOCK_COUNT -eq 1 ] || _fail "expected 1 lock in rados state, got $LOCK_COUNT"
+LOCKER_EXP_A="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_fifth_a)"
+[ "$LOCKER_EXP_A" != "0.000000" ] \
+	|| _fail "unexpected locker expiration: $LOCKER_EXP_A"
+sleep 1 # sleep until renewal
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+						> ${TMP_DIR}/lock_state_fifth_b
+LOCKER_EXP_B="$(jq -r '.lockers[0].expiration' ${TMP_DIR}/lock_state_fifth_b)"
+[ "$LOCKER_EXP_B" != "0.000000" ] \
+	|| _fail "unexpected locker expiration: $LOCKER_EXP_B"
+#echo "lock expiration before renewal $LOCKER_EXP_A, after renewal $LOCKER_EXP_B"
+[ "$LOCKER_EXP_B" != "$LOCKER_EXP_A" ] \
+	|| _fail "locker expiration matches: $LOCKER_EXP_B"
+
+# no chance to drop the lock, rely on expiry
+kill -KILL $locker_pid || exit 1
+wait $locker_pid &> /dev/null
+sleep 1	# sleep until lock expiry
+
+rados -p "$POOL" lock info "$OBJECT" ctdb_reclock_mutex \
+						> ${TMP_DIR}/lock_state_sixth
+#echo "lock expiry sixth: `cat ${TMP_DIR}/lock_state_sixth`"
+
+LOCK_NAME="$(jq -r '.name' ${TMP_DIR}/lock_state_sixth)"
+[ "$LOCK_NAME" == "ctdb_reclock_mutex" ] \
+	|| _fail "unexpected lock name: $LOCK_NAME"
+LOCK_TYPE="$(jq -r '.type' ${TMP_DIR}/lock_state_sixth)"
+[ "$LOCK_TYPE" == "exclusive" ] \
+	|| _fail "unexpected lock type: $LOCK_TYPE"
+LOCK_COUNT="$(jq -r '.lockers | length' ${TMP_DIR}/lock_state_sixth)"
+[ $LOCK_COUNT -eq 0 ] || _fail "expected 0 locks in rados state, got $LOCK_COUNT"
+
 rm ${TMP_DIR}/*
 rmdir $TMP_DIR
 
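Review bot: The expiry check after `kill -KILL $locker_pid` is timing-sensitive. The helper renews every 500ms with a 1s lease, so the last renewal can land just before the kill and the lease then runs for up to a full second more, which is exactly the `sleep 1` the test waits before asserting 0 lockers. On a loaded host or a slow cluster this will fail intermittently. Sleep for at least twice the lease, or poll `rados lock info` with a timeout. The first `sleep 1` has the same kind of dependency on the helper having acquired the lock within one second. Minor: `$LOCK_COUNT` is unquoted in the `-eq` tests, and the output file is spelled "forth".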
diff --git a/ctdb/wscript b/ctdb/wscript
index 05044ce..addf8ec 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -85,6 +85,10 @@ def set_options(opt):
     opt.add_option('--enable-etcd-reclock',
                    help=("Enable etcd recovery lock helper (default=no)"),
                    action="store_true", dest='ctdb_etcd_reclock', default=False)
+
+    opt.add_option('--with-libcephfs',
+                   help=("Directory under which libcephfs is installed"),
+                   action="store", dest='libcephfs_dir', default=None)
     opt.add_option('--enable-ceph-reclock',
                    help=("Enable Ceph CTDB recovery lock helper (default=no)"),
                    action="store_true", dest='ctdb_ceph_reclock', default=False)
@@ -237,8 +241,16 @@ def configure(conf):
     conf.env.etcd_reclock = have_etcd_reclock
 
     if Options.options.ctdb_ceph_reclock:
+        # Use custom libcephfs library path if provided. XXX The top level build
+        # explicitly sets LIBPATH_CEPH-COMMON when libcephfs_dir isn't provided.
+        if Options.options.libcephfs_dir:
+            conf.env['CPPPATH_RADOS'] = Options.options.libcephfs_dir + '/include'
+            conf.env['LIBPATH_RADOS'] = Options.options.libcephfs_dir + '/lib'
+            conf.env['LIBPATH_CEPH-COMMON'] = conf.env['LIBPATH_RADOS'] + '/ceph'
+
         if (conf.CHECK_HEADERS('rados/librados.h', False, False, 'rados') and
 					conf.CHECK_LIB('rados', shlib=True)):
+            conf.CHECK_LIB('ceph-common', shlib=True)
             Logs.info('Building with Ceph librados recovery lock support')
             conf.define('HAVE_LIBRADOS', 1)
         else:
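Review bot: The result of `conf.CHECK_LIB('ceph-common', shlib=True)` is ignored, so configure still defines HAVE_LIBRADOS when ceph-common is missing, and the failure only surfaces at link time because the build rule now lists ceph-common in deps. Fold the check into the condition alongside the rados header and library checks, or fail configure with a clear message. The custom path handling also hard-codes '/lib' and '/lib/ceph' under libcephfs_dir, which will not match installs that use lib64; the XXX comment should say what happens in that case.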
@@ -665,7 +677,7 @@ def build(bld):
     if bld.env.HAVE_LIBRADOS:
         bld.SAMBA_BINARY('ctdb_mutex_ceph_rados_helper',
                          source='utils/ceph/ctdb_mutex_ceph_rados_helper.c',
-			 deps='talloc tevent rados',
+			 deps='talloc tevent rados ceph-common',
 			 includes='include',
 			 install_path='${CTDB_HELPER_BINDIR}')
 
diff --git a/lib/ldb/ABI/ldb-1.4.1.sigs b/lib/ldb/ABI/ldb-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.4.1.sigs
copy to lib/ldb/ABI/ldb-1.4.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs b/lib/ldb/ABI/pyldb-util-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
copy to lib/ldb/ABI/pyldb-util-1.4.2.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs b/lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.4.1.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.4.2.sigs
diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc99..0f5abf8 100644
--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
 		 	const char *cdn = ldb_dn_get_casefold(
 						ldb_dn_new(mem_ctx, ldb,
 							      (const char *)value.data));
+			if (cdn == NULL) {
+				return NULL;
+			}
 
 			return lsqlite3_tprintf(mem_ctx,
 						"SELECT eid FROM ldb_entry "
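Review bot: The new `cdn == NULL` check covers the casefold result, but the ldb_dn_new() return value is still passed straight into ldb_dn_get_casefold() without its own NULL check, and the temporary DN stays allocated on mem_ctx when the function returns early. Hold the DN in a local variable, check it before calling ldb_dn_get_casefold(), and free it on the error path. It is also worth confirming that every caller of parsetree_to_sql() handles a NULL return from this branch, since the visible lines only show the producer side.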


-- 
Samba Shared Repository


