[SCM] Samba Shared Repository - branch v4-8-stable updated
Stefan Metzmacher
metze at samba.org
Mon Jan 15 09:25:17 UTC 2018
The branch, v4-8-stable has been updated
via e5f4aff VERSION: Bump version up to 4.8.0rc1...
via 59a07e3 WHATSNEW: Add release notes for Samba 4.8.0rc1.
via 0580a23 s4:torture: Improve error message in whoami test
via 8d90f2a s3:test: Always validate the join after changing the secret
via e131ce4 waf: Remove build system info (uname -a)
via c69938e systemd: Fix kill path
via a653b62 systemd: Add documentation to Unit files
via df68af9 systemd: syslog.target is obsolete
via 0abe16a torture: Add test for channel sequence number handling
via cd288a0 smbXcli: Add "force_channel_sequence"
via 0b57434 smbd: Fix channel sequence number checks for long-running requests
via 03f65a7 smbd: Remove a "!" from an if-condition for easier readability
via 71cee27 torture4: Fix typos
via e8636e7 smbd: Fix a typo
via 9b423fe winbindd: set routing_domain when enumerating trusts
via 0eec2b6 docs: Remove reference to environment variables for now
via 2ca73cb gpo: Add the winbind call to gpupdate
via fb5241a Revert "gpo: Create the gpo update service"
via 88152ad gpo: Continue parsing GPOs even if one fails
via ef49d0b gpo: Fix crashes in gpo unapply
via 08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc
via a00312d samba_kcc: simplify NCReplica.set_instantiated_flags()
via 81484f3 samba_kcc: simplify NCReplica constructor
via 315f445 samba_kcc: clarify readonly logging, removing now unused function
via d3f4429 samba_kcc: remove unused functions
via d3c5420 samba_kcc: fix dot_file_dir documentation
via a090d7e samba_kcc: remove an unused function
via c6294c3 samba-tool visualize for understanding AD DC behaviour
via ba2306f samba_kcc: use new graph module for writing dot files
via cebad22 python/graph: module for generating ASCII and graphviz visualisations
via b4a90a6 samba_kcc: respect kcc.read_only flag on RODC
via e579d5b samba_kcc: kcc.debug module defers to samba.colour
via a46c4a3 python: module containing ANSI colour sequences
via f2762d0 python tests: assert string equality, with diff
via 3f2762d samba_kcc: documentation fix
via 6678f33 s4:torture/samba_tool_drs: demote the test dc at the end of test_samba_tool_replicate_local()
via 4b17d36 WHATSNEW: document some more new options
via b4e1e30 winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
via 9fb3637 winbindd: add more trust types to get_trust_type_string
via 95e3307 libwbclient: add more trust types
via 05558dd wbinfo: support for local, workstation and routed trust types
via ec85579 libwbclient: add trust routing and more trust-types
via f12a43f winbindd: fix trust_is_oubound()
via 09021f9 winbindd: fix trust_is_inbound()
via a39cf19 winbindd: transitive trust logic in trust_is_transitive()
via 939592c winbindd: use add_trusted_domain_from_auth
via f4d27f2 winbindd: add add_trusted_domain_from_auth
via b2ea360 winbindd: add set_routing_domain()
via 2e644af winbindd: add find_default_route_domain()
via 40c9115 winbindd: avoid automatic enumerating trusts on DCs
via 29e6d55 winbindd: load the trusted domains on a DC already in init_domain_list()
via fa3b81b pdb_samba_dsdb: set PDB_CAP_TRUSTED_DOMAINS_EX
via f8bcd37 pdb_samba_dsdb: implement pdb_samba_dsdb_del_trusted_domain
via a556437 pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusted_domain
via 3091ea3 pdb_samba_dsdb: implement PDB_CAP_TRUSTED_DOMAINS_EX related functions
via 6f9232e pdb_samba_dsdb: implement pdb_samba_dsdb_enum_trusteddoms()
via f362387 s4:dsdb: add dsdb_trust_search_tdo_by_sid() helper function
via 8fde1c6 s3/torture/pdbtest: delete trusted domain at test end
via f1bd7c8 s3/torture/pdbtest: creating a trusted domain requires a valid SID
via 4b0641b winbindd: use find_trust_from_name_noinit when we require a direct trust
via 2385e71 winbindd: add find_trust_from_{name,sid}_noinit()
via b724e01 winbindd: remember the secure_channel_type in winbindd_domain
via 5bf2979 winbindd: rework add_trusted_domain(), replacing add_trusted_domain_from_tdc()
via 8587445 winbindd: initialize some stack pointers to NULL
via 126d6ce winbindd: rename alternative_name to dns_name
via 5ffade7 winbindd: only use NetBIOS name when searching domain list in add_trusted_domain_from_tdc()
via c7c06fd winbindd: enforce valid SID in add_trusted_domain_from_tdc()
via e43ee33 winbindd: set info6 data in append_info3_as_txt
via c8f76bf nsswitch: fill out wbcAuthUserInfo user_principal and dns_domain_name from info6
via 59cb1f6 nsswitch: add "validation_level" and "info6" to winbindd_response
via 7290b5c winbindd: pass validation in append_info3_as_txt
via 194a9e4 winbindd: pass down validation to append_auth_data()
via 7b30f69 winbindd: simplify an if condition in winbindd_dual_pam_auth
via f153c95 winbindd: let winbind_dual_SamLogon return validation
via 1337104 winbindd: remove a space in winbind_dual_SamLogon
via 13d0d52 winbindd: let winbindd_dual_pam_auth_samlogon() return validation info
via cc3ee55 winbindd: let winbind_samlogon_retry_loop return validation info
via aae75d1 winbindd: remove a redundant check from winbindd_dual_pam_auth_samlogon
via 489e942 s3/rpc_client: return validation from rpccli_netlogon functions
via 7082ebb s3/rpc_client: add map_info3_to_validation()
via 7eed166 s3/rpc_client: make map_validation_to_info3() public and move to util_netlogon
via a001f4b s3/rpc_client: in map_validation_to_info3() make a deep copy
via 158c890 s3/rpc_client: move copy_netr_SamInfo3() to util_netlogon
via a1a9feb winbindd: prevent long lines in a later commit
via e9a9a94 winbindd: simplify if condition in find_domain_from_name_noinit()
via 751fa04 winbindd: remove an else branch
via ca4d5ea winbindd: remove a space
via 5812c7c winbindd: fix overly long lines
via ef27942 s3/rpc_client: fix overly long lines
via dcb45d5 s3/torture: fix an error message
via 561a3b7 s3:vfs: remove unused smb_vfs_call_{is,set}_offline() prototypes
via 98ba88a params: mark "ldap ssl ads" as deprecated
via a79df4e7 params: mark "unicode" parameter as deprecated
via f1befc5 s3/smbd: Fix error code for unsupported SET_INFO requests
via ce884ee s3/smbd: Add new file information classes
via 4b25c9f vfs_default: use VFS statvfs macro in fs_capabilities
via 2724e0c vfs_ceph: add fs_capabilities hook to avoid local statvfs
via 3297f4c Mark wbinfo test flapping
via 6b09ab2 Mark whoami test flapping
via 23ec73e Mark rfc2307 test flapping
via bf19b6c ldb: version 1.3.1
via 6dd0a8c tevent: version 0.9.35
via efe317c talloc: version 2.1.11
via 0623097 talloc: Do not disclose the random talloc magic in free()'ed memory
via e2497b2 talloc: Add tests to require use-after-free to give the correct talloc_abort() string
via 00ee9da talloc: Remove talloc_abort_magic()
from 4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 6 +-
WHATSNEW.txt | 96 ++-
buildtools/wafsamba/wscript | 4 -
ctdb/config/ctdb.service | 1 +
docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 10 +-
docs-xml/smbdotconf/ldap/ldapsslads.xml | 1 +
docs-xml/smbdotconf/protocol/unicode.xml | 1 +
docs-xml/smbdotconf/winbind/applygrouppolicies.xml | 19 +
.../winbind/winbindscantrusteddomains.xml | 29 +
lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} | 0
...yldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} | 0
...-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} | 0
lib/ldb/wscript | 2 +-
lib/param/loadparm.c | 2 +
...-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} | 0
...3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} | 0
.../ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} | 0
lib/talloc/talloc.c | 128 ++-
lib/talloc/testsuite.c | 68 ++
lib/talloc/wscript | 2 +-
.../ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} | 0
lib/tevent/wscript | 2 +-
libcli/smb/smbXcli_base.c | 15 +-
libcli/smb/smbXcli_base.h | 4 +
nsswitch/libwbclient/wbc_pam.c | 14 +-
nsswitch/libwbclient/wbc_util.c | 16 +-
nsswitch/libwbclient/wbclient.h | 7 +
nsswitch/wbinfo.c | 21 +-
nsswitch/winbind_struct_protocol.h | 10 +-
packaging/systemd/nmb.service.in | 5 +-
packaging/systemd/samba.service.in | 5 +-
packaging/systemd/smb.service.in | 5 +-
packaging/systemd/winbind.service.in | 5 +-
python/samba/colour.py | 50 ++
python/samba/gpclass.py | 24 +-
python/samba/graph.py | 621 +++++++++++++++
python/samba/kcc/__init__.py | 21 +-
python/samba/kcc/debug.py | 24 +-
python/samba/kcc/graph_utils.py | 37 +-
python/samba/kcc/kcc_utils.py | 39 +-
python/samba/netcmd/main.py | 1 +
python/samba/netcmd/visualize.py | 574 ++++++++++++++
python/samba/tests/__init__.py | 23 +
python/samba/tests/graph.py | 152 ++++
python/samba/tests/samba_tool/visualize.py | 466 +++++++++++
python/samba/tests/samba_tool/visualize_drs.py | 110 +++
selftest/flapping.d/rfc2307 | 1 +
selftest/flapping.d/wbinfo | 1 +
selftest/flapping.d/whoami | 1 +
selftest/target/Samba4.pm | 2 +-
selftest/tests.py | 1 +
source3/auth/auth_util.c | 1 +
source3/auth/proto.h | 2 -
source3/auth/server_info.c | 42 -
source3/include/trans2.h | 12 +-
source3/include/vfs.h | 5 -
source3/librpc/idl/smbXsrv.idl | 3 +-
source3/modules/vfs_ceph.c | 15 +
source3/modules/vfs_default.c | 14 +-
source3/param/loadparm.c | 3 +
source3/passdb/pdb_samba_dsdb.c | 877 ++++++++++++++++++++-
source3/rpc_client/cli_netlogon.c | 74 +-
source3/rpc_client/cli_netlogon.h | 54 +-
source3/rpc_client/util_netlogon.c | 141 ++++
source3/rpc_client/util_netlogon.h | 10 +
source3/rpcclient/cmd_netlogon.c | 14 +-
source3/script/tests/test_net_cred_change.sh | 7 +-
source3/smbd/globals.h | 1 +
source3/smbd/smb2_server.c | 27 +-
source3/smbd/trans2.c | 5 +
source3/torture/pdbtest.c | 15 +-
source3/winbindd/winbindd.c | 17 +-
source3/winbindd/winbindd.h | 2 +
source3/winbindd/winbindd_dual_srv.c | 20 +-
source3/winbindd/winbindd_gpupdate.c | 116 +++
source3/winbindd/winbindd_irpc.c | 2 +-
source3/winbindd/winbindd_misc.c | 211 ++++-
source3/winbindd/winbindd_pam.c | 407 +++++++---
source3/winbindd/winbindd_pam_auth.c | 15 +
source3/winbindd/winbindd_pam_auth_crap.c | 47 +-
source3/winbindd/winbindd_ping_dc.c | 2 +-
source3/winbindd/winbindd_proto.h | 17 +-
source3/winbindd/winbindd_util.c | 747 ++++++++++++++----
source3/winbindd/wscript_build | 3 +-
source4/dsdb/common/util_trusts.c | 65 ++
source4/dsdb/gpo/gpo_update.c | 193 -----
source4/dsdb/wscript_build | 9 -
source4/scripting/bin/samba_gpoupdate | 35 +-
source4/scripting/bin/wscript_build | 2 +-
source4/scripting/wscript_build | 7 +-
source4/selftest/tests.py | 6 +-
source4/smbd/server.c | 3 -
source4/torture/drs/python/samba_tool_drs.py | 3 +
source4/torture/smb2/replay.c | 117 ++-
source4/torture/unix/whoami.c | 9 +-
95 files changed, 5114 insertions(+), 889 deletions(-)
create mode 100644 docs-xml/smbdotconf/winbind/applygrouppolicies.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{pytalloc-util.py3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} (100%)
copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} (100%)
copy lib/tevent/ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} (100%)
create mode 100644 python/samba/colour.py
create mode 100644 python/samba/graph.py
create mode 100644 python/samba/netcmd/visualize.py
create mode 100644 python/samba/tests/graph.py
create mode 100644 python/samba/tests/samba_tool/visualize.py
create mode 100644 python/samba/tests/samba_tool/visualize_drs.py
create mode 100644 selftest/flapping.d/rfc2307
create mode 100644 selftest/flapping.d/wbinfo
create mode 100644 selftest/flapping.d/whoami
create mode 100644 source3/winbindd/winbindd_gpupdate.c
delete mode 100644 source4/dsdb/gpo/gpo_update.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index b60d783..ce50a73 100644
--- a/VERSION
+++ b/VERSION
@@ -77,7 +77,7 @@ SAMBA_VERSION_BETA_RELEASE=
# e.g. SAMBA_VERSION_PRE_RELEASE=1 #
# -> "2.2.9pre1" #
########################################################
-SAMBA_VERSION_PRE_RELEASE=1
+SAMBA_VERSION_PRE_RELEASE=
########################################################
# For 'rc' releases the version will be #
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=1
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=
+SAMBA_VERSION_RC_RELEASE=1
########################################################
# To mark SVN snapshots this should be set to 'yes' #
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
########################################################
# This is for specifying a release nickname #
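Review bot: the comment block above SAMBA_VERSION_IS_GIT_SNAPSHOT still says "To mark SVN snapshots" and gives "3.0.0-SVN-build-199" as the example, while the variable being flipped to "no" here is about git snapshots; since this hunk touches that block, update the comment to say GIT so the meaning of the flag is documented correctly.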
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 94278b3..f2da373 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the first preview release of Samba 4.8. This is *not*
+This is the first release candidate of Samba 4.8. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -19,7 +19,7 @@ NEW FEATURES/CHANGES
KDC GPO application
-------------------
-Adds Group Policy support for the samba kdc. Applies password policies
+Adds Group Policy support for the Samba kdc. Applies password policies
(minimum/maximum password age, minimum password length, and password
complexity) and kerberos policies (user/service ticket lifetime and
renew lifetime).
@@ -30,7 +30,8 @@ policy. Can be applied automatically by setting
'server services = +gpoupdate'.
Time Machine Support with vfs_fruit
-===================================
+-----------------------------------
+
Samba can be configured as a Time Machine target for Apple Mac devices
through the vfs_fruit module. When enabling a share for Time Machine
support the relevant Avahi records to support discovery will be published
@@ -41,7 +42,8 @@ Shares can be designated as a Time Machine share with the following setting:
'fruit:time machine = yes'
Support for lower casing the MDNS Name
-======================================
+--------------------------------------
+
Allows the server name that is advertised through MDNS to be set to the
hostname rather than the Samba NETBIOS name. This allows an administrator
to make Samba registered MDNS records match the case of the hostname
@@ -52,7 +54,8 @@ This can be set with the following settings:
'mdns name = mdns'
Encrypted secrets
-=================
+-----------------
+
Attributes deemed to be sensitive are now encrypted on disk. The sensitive
values are currently:
pekList
@@ -72,43 +75,21 @@ values are currently:
This encryption is enabled by default on a new provision or join, it
can be disabled at provision or join time with the new option
---plaintext-secrets.
+'--plaintext-secrets'.
However, an in-place upgrade will not encrypt the database.
Once encrypted, it is not possible to do an in-place downgrade (eg to
4.7) of the database. To obtain an unencrypted copy of the database a
-new DC join should be performed, specifying the --plaintext-secrets
+new DC join should be performed, specifying the '--plaintext-secrets'
option.
The key file "encrypted_secrets.key" is created in the same directory
as the database and should NEVER be disclosed. It is included by the
samba_backup script.
-smb.conf changes
-================
-
- Parameter Name Description Default
- -------------- ----------- -------
- auth methods Removed
- binddns dir New
- client schannel Default changed/ yes
- Deprecated
- gpo update command New
- map untrusted to domain Removed
- oplock contention limit Removed
- prefork children New 1
- mdns name Added netbios
- fruit:time machine Added false
- profile acls Removed
- use spnego Removed
- server schannel Default changed/ yes
- Deprecated
- winbind trusted domains only Removed
-
-
NT4-style replication based net commands removed
-================================================
+------------------------------------------------
The following commands and sub-commands have been removed from the
"net" utility:
@@ -131,7 +112,7 @@ commands have been removed from rpcclient.
supported.
vfs_aio_linux module removed
-============================
+----------------------------
The current Linux kernel aio does not match what Samba would
do. Shipping code that uses it leads people to false
@@ -140,7 +121,7 @@ there is no special module required to see benefits of read and write
request being sent do the disk in parallel.
smbclient reparse point symlink parameters reversed
-===================================================
+---------------------------------------------------
A bug in smbclient caused the 'symlink' command to reverse the
meaning of the new name and link target parameters when creating a
@@ -150,23 +131,66 @@ reversed to match the parameter ordering of the UNIX extensions
'symlink' command. The usage message for this command has also
been improved to remove confusion.
+Winbind changes
+---------------
+
+The dependency to global list of trusted domains within
+the winbindd processes has been reduced a lot.
+
+The construction of that global list is not reliable and often
+incomplete in complex trust setups. In most situations the list is not needed
+any more for winbindd to operate correctly. E.g. for plain file serving via SMB
+using a simple idmap setup with autorid, tdb or ad. However some more complex
+setups require the list, e.g. if you specify idmap backends for specific
+domains. Some pam_winbind setups may also require the global list.
+
+If you have a setup that doesn't require the global list, you should set
+"winbind scan trusted domains = no".
+
+
REMOVED FEATURES
================
-The two commands "net serverid list" and "net serverid wipe" have been
+The two commands 'net serverid list' and 'net serverid wipe' have been
removed, because the file serverid.tdb is not used anymore.
-"net serverid list" can be replaced by listing all files in the
+'net serverid list' can be replaced by listing all files in the
subdirectory "msg.lock" of Samba's "lock directory". The unique id
-listed by "net serverid list" is stored in every process' lockfile in
+listed by 'net serverid list' is stored in every process' lockfile in
"msg.lock".
-"net serverid wipe" is not necessary anymore. It was meant primarily
+'net serverid wipe' is not necessary anymore. It was meant primarily
for clustered environments, where the serverid.tdb file was not
properly cleaned up after single node crashes. Nowadays smbd and
winbind take care of cleaning up the msg.lock and msg.sock directories
automatically.
+
+smb.conf changes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ auth methods Removed
+ binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
+ gpo update command New
+ ldap ssl ads Deprecated
+ map untrusted to domain Removed
+ oplock contention limit Removed
+ prefork children New 1
+ mdns name Added netbios
+ fruit:time machine Added false
+ profile acls Removed
+ use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
+ unicode Deprecated
+ winbind scan trusted domains New yes
+ winbind trusted domains only Removed
+
+
KNOWN ISSUES
============
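Review bot: the relocated smb.conf changes table is missing a row for "apply group policies", which this same push adds (new docs-xml/smbdotconf/winbind/applygrouppolicies.xml, default "False" in lib/param/loadparm.c); add "apply group policies   New   no" next to "gpo update command" so the winbind-triggered GPO application is visible in the release notes. In the Winbind changes section, "The dependency to global list of trusted domains" should read "The dependency on the global list of trusted domains", and the advice to set "winbind scan trusted domains = no" should say that the option only takes effect with security = domain or security = ads, as the parameter's own documentation in this changeset states.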
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 430d164..3b36b57 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -313,10 +313,6 @@ def configure(conf):
conf.env.GIT_LOCAL_CHANGES = Options.options.GIT_LOCAL_CHANGES
- conf.CHECK_COMMAND(['uname', '-a'],
- msg='Checking build system',
- define='BUILD_SYSTEM',
- on_target=False)
conf.CHECK_UNAME()
# see if we can compile and run a simple C program
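Review bot: dropping the CHECK_COMMAND also drops the BUILD_SYSTEM define, and the summary lists buildtools/wafsamba/wscript as the only file touched for this change; please confirm with a grep that no source file or build script still references BUILD_SYSTEM, otherwise it is now an undefined macro. The motivation, that `uname -a` output embeds the build host's hostname and kernel version into shipped binaries, should be stated explicitly rather than left implicit in the title "waf: Remove build system info (uname -a)".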
diff --git a/ctdb/config/ctdb.service b/ctdb/config/ctdb.service
index 63cdfa9..189f2f4 100644
--- a/ctdb/config/ctdb.service
+++ b/ctdb/config/ctdb.service
@@ -1,5 +1,6 @@
[Unit]
Description=CTDB
+Documentation=man:ctdbd(1) man:ctdb(7)
After=network-online.target time-sync.target
[Service]
diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
index 22a4216..147751b 100644
--- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
+++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
@@ -5,10 +5,12 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option sets the command that is called to apply GPO policies.
- The samba_gpoupdate script applies System Access and Kerberos Policies.
- System Access policies set minPwdAge, maxPwdAge, minPwdLength, and
- pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime,
- kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf.
+ The samba_gpoupdate script applies System Access and Kerberos Policies
+ to the KDC, or Environment Variable policies to client machines. System
+ Access policies set minPwdAge, maxPwdAge, minPwdLength, and
+ pwdProperties in the samdb. Kerberos Policies set kdc:service ticket
+ lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in
+ smb.conf.
</para>
</description>
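Review bot: this push also carries 0eec2b6 "docs: Remove reference to environment variables for now", yet the net change to this description adds "or Environment Variable policies to client machines"; either that commit should have removed this sentence too or its title is misleading, so please reconcile before the rc. While here, the description should cross-reference the new "apply group policies" parameter, which is what actually causes winbind to run this command.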
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 4fdf4dc..98c3965 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -1,6 +1,7 @@
<samba:parameter name="ldap ssl ads"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option is used to define whether or not Samba should
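Review bot: deprecated="1" is added but the description text is left unchanged, so the generated man page will mark the parameter deprecated without saying why or what replaces it; add a sentence to the description stating the deprecation and the recommended replacement setting, since the parameter's name indicates it controls SSL for ADS LDAP connections and administrators need to know what to migrate to before it is removed.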
diff --git a/docs-xml/smbdotconf/protocol/unicode.xml b/docs-xml/smbdotconf/protocol/unicode.xml
index 86fb06c..25810cd 100644
--- a/docs-xml/smbdotconf/protocol/unicode.xml
+++ b/docs-xml/smbdotconf/protocol/unicode.xml
@@ -1,6 +1,7 @@
<samba:parameter name="unicode"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>Specifies whether the server and client should support unicode.</para>
diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
new file mode 100644
index 0000000..67baa0d
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="apply group policies"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This option controls whether winbind will execute the gpupdate
+ command defined in <smbconfoption name="gpo update command"/> on the
+ Group Policy update interval. The Group Policy update interval is
+ defined as every 90 minutes, plus a random offset between 0 and 30
+ minutes. This applies Group Policy Machine polices to the client or
+ KDC and machine policies to a server.
+ </para>
+
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
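Review bot: the last sentence of the description is garbled: "Machine polices" is a typo for "Machine policies", and "applies Group Policy Machine polices to the client or KDC and machine policies to a server" says the same thing twice; rewrite it as one statement of what is applied where. The description should also spell out the consequence it implies: with this set to yes, winbindd periodically executes whatever "gpo update command" points at, so that path must be trusted and not writable by unprivileged users.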
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
new file mode 100644
index 0000000..31afdc9
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="winbind scan trusted domains"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
+ <constant>domain</constant> or <constant>ads</constant>.
+ If it is set to yes (the default), winbindd periodically tries to scan for new
+ trusted domains and adds them to a global list inside of winbindd.
+ The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>.
+ This matches the behaviour of Samba 4.7 and older.</para>
+
+ <para>The construction of that global list is not reliable and often
+ incomplete in complex trust setups. In most situations the list is
+ not needed any more for winbindd to operate correctly.
+ E.g. for plain file serving via SMB using a simple idmap setup
+ with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>.
+ However some more complex setups require the list, e.g.
+ if you specify idmap backends for specific domains.
+ Some pam_winbind setups may also require the global list.</para>
+
+ <para>If you have a setup that doesn't require the global list, you should set
+ <smbconfoption name="winbind scan trusted domains">no</smbconfoption>.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
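Review bot: the first paragraph says the option only takes effect with security = domain or ads, but lib/param/loadparm.c in this same changeset also sets its default for the AD DC configuration, and commits 40c9115 and 29e6d55 change how trusts are enumerated on DCs; the description should say what the option does (or that it is ignored) on an AD DC. It would also help to state that with the option set to no, "wbinfo --trusted-domains --verbose" no longer lists the periodically discovered domains, so administrators are not surprised by the shorter output.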
diff --git a/lib/ldb/ABI/ldb-1.3.0.sigs b/lib/ldb/ABI/ldb-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.0.sigs
copy to lib/ldb/ABI/ldb-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0b8ba26..8ae5be3 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '1.3.0'
+VERSION = '1.3.1'
blddir = 'bin'
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a18407d..7854f57 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,10 +2729,12 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+ lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR);
+ lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False");
lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command",
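Review bot: "apply group policies" is set with lpcfg_do_global_parameter_var() but passes no format arguments, unlike the command lines around it that expand %s; use lpcfg_do_global_parameter(lp_ctx, "apply group policies", "False") as the "winbind scan trusted domains" line above does, which also keeps a literal value out of a printf-style formatter. The "False" default matches the "no" default in applygrouppolicies.xml.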
diff --git a/lib/talloc/ABI/pytalloc-util-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.11.sigs
diff --git a/lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs b/lib/talloc/ABI/talloc-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.10.sigs
copy to lib/talloc/ABI/talloc-2.1.11.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7721fa4..cd159ef 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -75,12 +75,13 @@
#define TALLOC_MAGIC_REFERENCE ((const char *)1)
#define TALLOC_MAGIC_BASE 0xe814ec70
-static unsigned int talloc_magic = (
- ~TALLOC_FLAG_MASK & (
- TALLOC_MAGIC_BASE +
- (TALLOC_BUILD_VERSION_MAJOR << 24) +
- (TALLOC_BUILD_VERSION_MINOR << 16) +
- (TALLOC_BUILD_VERSION_RELEASE << 8)));
+#define TALLOC_MAGIC_NON_RANDOM ( \
+ ~TALLOC_FLAG_MASK & ( \
+ TALLOC_MAGIC_BASE + \
+ (TALLOC_BUILD_VERSION_MAJOR << 24) + \
+ (TALLOC_BUILD_VERSION_MINOR << 16) + \
+ (TALLOC_BUILD_VERSION_RELEASE << 8)))
+static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM;
/* by default we abort when given a bad pointer (such as when talloc_free() is called
on a pointer that came from malloc() */
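Review bot: TALLOC_MAGIC_NON_RANDOM is the value that gets written into freed chunks, so its definition should carry a comment saying so and that it is derived only from the build version (hence not secret), while the live talloc_magic is the randomised value the commit title refers to; without that, a later reader may assume the two are interchangeable and use the constant where the random value is required. The static initialiser of talloc_magic from the macro is otherwise equivalent to the removed expression.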
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void)
return talloc_magic;
}
+static inline void _talloc_chunk_set_free(struct talloc_chunk *tc,
+ const char *location)
+{
+ /*
+ * Mark this memory as free, and also over-stamp the talloc
+ * magic with the old-style magic.
+ *
+ * Why? This tries to avoid a memory read use-after-free from
+ * disclosing our talloc magic, which would then allow an
+ * attacker to prepare a valid header and so run a destructor.
+ *
+ */
+ tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE
+ | (tc->flags & TALLOC_FLAG_MASK);
+
+ /* we mark the freed memory with where we called the free
+ * from. This means on a double free error we can report where
+ * the first free came from
+ */
+ if (location) {
+ tc->name = location;
+ }
+}
+
+static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc)
+{
+ /*
+ * Mark this memory as not free.
+ *
+ * Why? This is memory either in a pool (and so available for
+ * talloc's re-use or after the realloc(). We need to mark
+ * the memory as free() before any realloc() call as we can't
+ * write to the memory after that.
+ *
+ * We put back the normal magic instead of the 'not random'
+ * magic.
+ */
+
+ tc->flags = talloc_magic |
+ ((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE);
+}
+
static void (*talloc_log_fn)(const char *message);
_PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message))
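Review bot: the comment in _talloc_chunk_set_not_free() is garbled: "This is memory either in a pool (and so available for talloc's re-use or after the realloc()." has an unclosed parenthesis and no second alternative, and "We need to mark the memory as free() before any realloc() call" reads as if free() is called, where what is meant is that TALLOC_FLAG_FREE must be set before realloc() may move the block; please rewrite it. The over-stamping in _talloc_chunk_set_free() only achieves its stated goal if every path that releases a chunk (plain free, pool chunk release, the realloc shrink and grow paths) goes through it; those call sites are outside the visible part of this diff, so please list them in the commit message.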
@@ -429,11 +472,6 @@ static void talloc_abort(const char *reason)
talloc_abort_fn(reason);
}
-static void talloc_abort_magic(unsigned magic)
-{
- talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
-}
-
static void talloc_abort_access_after_free(void)
{
talloc_abort("Bad talloc magic value - access after free");
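Review bot: removing talloc_abort_magic() is a correctness fix, not only a cleanup: in the old talloc_chunk_from_ptr() below, the branch `if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic)` can only be reached when the magic matches and TALLOC_FLAG_FREE is set, i.e. an access after free, yet it reported "wrong talloc version used/mixed", which is the misleading string the new tests in e2497b2 guard against. This leaves no dedicated diagnostic for genuinely mixed talloc versions, only the generic bad-magic abort, which is acceptable but worth a line in the commit message.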
@@ -450,19 +488,15 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
const char *pp = (const char *)ptr;
struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
- if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) {
- talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK));
- return NULL;
- }
-
- if (tc->flags & TALLOC_FLAG_FREE) {
+ if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
--
Samba Shared Repository