[SCM] Samba Shared Repository - branch v4-8-stable updated

Karolin Seeger kseeger at samba.org
Thu Jun 28 06:59:32 UTC 2018


The branch, v4-8-stable has been updated
       via  a62c2f3 VERSION: Disable GIT_SNAPSHOT for the 4.8.3 release.
       via  519bc4d WHATSNEW: Add release notes for Samba 4.8.3.
       via  e25631d ldb: version 1.3.4
       via  fb522c1 .gitlab-ci.yml: Adapt to current GitLab CI setup
       via  7ccd1eb Fix several mem leaks in ldb_index ldb_search ldb_tdb
       via  2a3f91e check return value before using key_values
       via  7a1906d ldb: check return values
       via  9b5f368 ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory on duplicated add.
       via  1fb7246 ldb: Fix memory leak on module context
       via  b4331a3 ldb: Add tests for when we should expect a full scan
       via  b8df3cd ldb: One-level search was incorrectly falling back to full DB scan
       via  703ca1a ldb: Explain why an entry can vanish from the index
       via  d1b59c2 ldb: Indicate that the ltdb_dn_list_sort() in list_union is a bit subtle.
       via  5c1d9b0 ldb: Save a copy of the index result before calling the callbacks.
       via  8b32d29 samdb: Fix build error with gcc8
       via  ee6bd86 s3:winbind: Fix regression introduced with bso #12851
       via  941b566 s3:smbget: Fix buffer truncation issues with gcc8
       via  5f2859e s3:registry: Fix buffer truncation issues issues with gcc8
       via  be00b89 heimdal: lib/krb5: do not fail set_config_files due to parse error
       via  0196569 krb5_plugin: Add winbind localauth plugin for MIT Kerberos
       via  228e5d4 krb5_wrap: fix keep_old_entries logic for older kerberos libraries
       via  df16008 bla
       via  7f32430 python: Fix talloc frame use in make_simple_acl().
       via  6121a6f s3: smbd: printing: Re-implement delete-on-close semantics for print files missing since 3.5.x.
       via  e5ffffd s3: torture: Add DELETE-PRINT test.
       via  0e3d52f lib: Fix array size in audit_logging
       via  fd83672 s4:ntvfs: Fix string copy of share_name
       via  15c13f7 lib:util: Fix size types in debug.c
       via  05dab79 lib:util: Fix parameter aliasing in tfork test
       via  ca1aced s3:winbind: Fix uninitialzed variable warning
       via  aa833e8 s3:passdb: Fix size of ascii_p16
       via  aff1261 s3:lib: Use memcpy() in escape_ldap_string()
       via  3ef6d6a s4:torture: Use strlcpy() in gen_name()
       via  c16e479 lib:util: Fix string check in mkdir_p()
       via  3e42a24 s3-utils: fix format-truncation in smbpasswd
       via  23f19c8 s4-torture: fix format-truncation warning in smb2 session tests.
       via  1b420a2 s3-printing: fix format-truncation in print_queue_update()
       via  35de20b s3-winbindd: remove unused fill_domain_username()
       via  c70a0d5 s3-winbindd: use fill_domain_username_talloc() in winbind.
       via  c5f3606 s4-heimdal: Fix the format-truncation errors.
       via  2839bf2 s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories.
       via  ce89931 s3: smbd: Fix SMB2-FLUSH against directories.
       via  a7a51bd smbd: Flush dfree memcache on service reload
       via  f7e53f8 smbd: Cache dfree information based on query path
       via  3fd685e memcache: Add new cache type for dfree information
       via  88d19df selftest: Add test for 'dfree cache'
       via  2e5bc85 selftest: Add dfq_cache share with 'dfree cache time' set
       via  68999b8 lib/util: Call log_stack_trace() in smb_panic_default()
       via  5733e90 lib/util: Move log_stack_trace() to common code
       via  d14cd61 lib/util: Log PANIC before calling pacic action just like s3
       via  8f01d94 s3-lib: Remove support for libexc for IRIX backtraces
       via  9c794a2 s3:utils: Do not segfault on error in DoDNSUpdate()
       via  9cb6459 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
       via  7faa201 s4:selftest: run test_ldb_simple.sh with more auth options
       via  e153636 auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
       via  2fb77a2 libgpo: Fix the build --without-ads
       via  bcee547 s3:smbd: fix interaction between chown and SD flags
       via  6ea5d16 s4:torture/smb2: new test for interaction between chown and SD flags
       via  682a2e2 winbind: Fix UPN handling in canonicalize_username()
       via  124f0e4 winbind: Fix UPN handling in parse_domain_user()
       via  b5ba5da winbind: Remove unused function parse_domain_user_talloc()
       via  f1dfb9f winbind: Pass upn unmodified to lookup names
       via  a52b067 nsswitch:tests: Add test for wbinfo --user-info
       via  5c946eb selftest: Add a user with a different userPrincipalName
       via  40a1341 nsswitch: Lookup the domain in tests with the wb seperator
       via  a28d7c4 nsswitch: Add a test looking up domain sid
       via  ee22c6f nsswitch: Add a test looking up the user using the upn
       via  4bbc5a8 selftest: Make sure we have correct group mappings
       via  cc678c4 VERSION: Bump version up to 4.8.3...
      from  e64d0d0 VERSION: Disable GIT_SNAPSHOT for the 4.8.2 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci.yml => .gitlab-ci-private.yml           |  14 +-
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 106 +++++++-
 auth/auth_log.c                                    |   2 +-
 auth/ntlmssp/gensec_ntlmssp_server.c               |  19 --
 auth/ntlmssp/ntlmssp_client.c                      |  24 +-
 auth/ntlmssp/ntlmssp_server.c                      |   8 +
 lib/krb5_wrap/krb5_samba.c                         |   2 +-
 lib/ldb/ABI/{ldb-1.3.3.sigs => ldb-1.3.4.sigs}     |   0
 ...b-util.py3-1.3.3.sigs => pyldb-util-1.3.4.sigs} |   0
 ...il.py3-1.3.3.sigs => pyldb-util.py3-1.3.4.sigs} |   0
 lib/ldb/ldb_tdb/ldb_index.c                        | 134 +++++++---
 lib/ldb/ldb_tdb/ldb_search.c                       |  23 +-
 lib/ldb/ldb_tdb/ldb_tdb.c                          |  20 +-
 lib/ldb/ldb_tdb/ldb_tdb.h                          |   6 +
 lib/ldb/tests/ldb_mod_op_test.c                    | 275 ++++++++++++++++++++
 lib/ldb/tests/python/api.py                        | 104 +++++++-
 lib/ldb/wscript                                    |   2 +-
 lib/util/debug.c                                   |  14 +-
 lib/util/fault.c                                   | 107 +++++++-
 lib/util/fault.h                                   |   1 +
 lib/util/memcache.h                                |   3 +-
 lib/util/mkdir_p.c                                 |   4 +-
 lib/util/tests/tfork.c                             |   7 +-
 lib/util/wscript_configure                         |   1 +
 libgpo/pygpo.c                                     |   5 +
 nsswitch/krb5_plugin/winbind_krb5_localauth.c      | 267 ++++++++++++++++++++
 nsswitch/tests/test_idmap_ad.sh                    |   2 +-
 nsswitch/tests/test_idmap_nss.sh                   |   4 +-
 nsswitch/tests/test_idmap_rid.sh                   |   2 +-
 nsswitch/tests/test_wbinfo_name_lookup.sh          |  13 +-
 nsswitch/tests/test_wbinfo_user_info.sh            |  83 ++++++
 nsswitch/wscript_build                             |   6 +
 selftest/knownfail                                 |   1 +
 selftest/knownfail.d/upn_handling                  |   8 +
 selftest/target/Samba3.pm                          |  15 ++
 selftest/target/Samba4.pm                          |  19 +-
 source3/include/local.h                            |   3 -
 source3/include/proto.h                            |   1 -
 source3/lib/ldap_escape.c                          |   2 +-
 source3/lib/util.c                                 | 139 -----------
 source3/modules/vfs_acl_common.c                   |   7 +-
 source3/passdb/pdb_smbpasswd.c                     |   2 +-
 source3/printing/printing.c                        |   2 +-
 source3/printing/printspoolss.c                    |  17 ++
 source3/registry/reg_perfcount.c                   |  12 +-
 source3/script/tests/test_dfree_quota.sh           |  35 +++
 source3/script/tests/test_smbspool.sh              |  63 +++++
 source3/selftest/tests.py                          |  18 +-
 source3/smbd/dfree.c                               | 104 ++++++--
 source3/smbd/proto.h                               |   1 +
 source3/smbd/pysmbd.c                              |  49 ++--
 source3/smbd/server_reload.c                       |   1 +
 source3/smbd/smb2_flush.c                          |  26 +-
 source3/torture/proto.h                            |   1 +
 source3/torture/test_smb2.c                        | 270 ++++++++++++++++++++
 source3/torture/torture.c                          |  74 ++++++
 source3/utils/net_dns.c                            |   1 +
 source3/utils/smbget.c                             |   2 +-
 source3/utils/smbpasswd.c                          |  49 ++--
 source3/winbindd/wb_getpwsid.c                     |  23 +-
 source3/winbindd/wb_lookupname.c                   |   8 +-
 source3/winbindd/wb_query_user_list.c              |   9 +-
 source3/winbindd/wb_xids2sids.c                    |   1 +
 source3/winbindd/winbindd_cache.c                  |   5 +-
 source3/winbindd/winbindd_ccache_access.c          |  43 +++-
 source3/winbindd/winbindd_creds.c                  |   3 +-
 source3/winbindd/winbindd_getgrnam.c               |  18 +-
 source3/winbindd/winbindd_getgroups.c              |  13 +-
 source3/winbindd/winbindd_getpwnam.c               |  13 +-
 source3/winbindd/winbindd_group.c                  |  12 +-
 source3/winbindd/winbindd_irpc.c                   |   7 +-
 source3/winbindd/winbindd_list_groups.c            |  14 +-
 source3/winbindd/winbindd_lookupname.c             |  17 +-
 source3/winbindd/winbindd_pam.c                    |  96 +++++--
 source3/winbindd/winbindd_pam_auth.c               |  11 +-
 source3/winbindd/winbindd_pam_chauthtok.c          |  12 +-
 source3/winbindd/winbindd_pam_logoff.c             |  12 +-
 source3/winbindd/winbindd_proto.h                  |  20 +-
 source3/winbindd/winbindd_util.c                   |  83 +++---
 source3/wscript                                    |   2 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |   2 +-
 source4/heimdal/lib/com_err/compile_et.c           |   6 +-
 source4/heimdal/lib/krb5/config_file.c             |   4 +-
 source4/heimdal/lib/krb5/context.c                 |   3 +-
 source4/ntvfs/ipc/rap_server.c                     |   9 +-
 source4/selftest/tests.py                          |   7 +
 source4/torture/basic/mangle_test.c                |   2 +-
 source4/torture/smb2/acls.c                        | 278 +++++++++++++++++++++
 source4/torture/smb2/session.c                     |   2 +-
 wscript_configure_system_mitkrb5                   |   1 +
 91 files changed, 2436 insertions(+), 482 deletions(-)
 rename .gitlab-ci.yml => .gitlab-ci-private.yml (92%)
 copy lib/ldb/ABI/{ldb-1.3.3.sigs => ldb-1.3.4.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.3.3.sigs => pyldb-util-1.3.4.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.3.3.sigs => pyldb-util.py3-1.3.4.sigs} (100%)
 create mode 100644 nsswitch/krb5_plugin/winbind_krb5_localauth.c
 create mode 100755 nsswitch/tests/test_wbinfo_user_info.sh
 create mode 100644 selftest/knownfail.d/upn_handling


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci-private.yml
similarity index 92%
rename from .gitlab-ci.yml
rename to .gitlab-ci-private.yml
index 2ae9eb4..584b853 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci-private.yml
@@ -1,12 +1,15 @@
 # see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
 
+image: registry.gitlab.com/samba-team/samba:latest
+
 before_script:
   - echo "Build starting ..."
 
 build_samba:
   stage: build
   tags:
-    - autobuild
+    - docker
+    - private
   script:
     # this one takes about 4 hours to finish
     - python script/autobuild.py samba            --verbose --tail --testbase /tmp/samba-testbase
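Review bot: the added image line at the top of the file pulls registry.gitlab.com/samba-team/samba:latest, a mutable tag, so the jobs retagged to docker and private build on whatever image was last pushed under that name. Pin the image to a fixed tag or digest so that a stable branch builds reproducibly and a change of build image shows up as a reviewed commit.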
@@ -14,7 +17,8 @@ build_samba:
 build_samba_others:
   stage: build
   tags:
-    - autobuild
+    - docker
+    - private
   script:
     - python script/autobuild.py samba-nopython   --verbose --tail --testbase /tmp/samba-testbase
     - python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase
@@ -26,7 +30,8 @@ build_samba_others:
 build_ctdb:
   stage: build
   tags:
-    - autobuild
+    - docker
+    - private
   script:
     - python script/autobuild.py samba-ctdb       --verbose --tail --testbase /tmp/samba-testbase
     - python script/autobuild.py ctdb             --verbose --tail --testbase /tmp/samba-testbase
@@ -34,7 +39,8 @@ build_ctdb:
 build_others:
   stage: build
   tags:
-    - autobuild
+    - docker
+    - private
   script:
     - python script/autobuild.py ldb              --verbose --tail --testbase /tmp/samba-testbase
     - python script/autobuild.py pidl             --verbose --tail --testbase /tmp/samba-testbase
diff --git a/VERSION b/VERSION
index 9dfbef0..f9e02e8 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=8
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6aa0f91..5c2d922 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,93 @@
                    =============================
+                   Release Notes for Samba 4.8.3
+                            June 26, 2018
+                   =============================
+
+
+This is the latest stable release of the Samba 4.8 release series.
+
+
+Changes since 4.8.2:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13428: s3: smbd: Fix SMB2-FLUSH against directories.
+   * BUG 13457: s3: smbd: printing: Re-implement delete-on-close semantics for
+     print files missing since 3.5.x.
+   * BUG 13474: python: Fix talloc frame use in make_simple_acl().
+
+o  Jeffrey Altman <jaltman at secure-endpoints.com>
+   * BUG 11573: heimdal: lib/krb5: Do not fail set_config_files due to parse
+     error.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * ldb: version 1.3.4
+   * BUG 13448: ldb: One-level search was incorrectly falling back to full DB
+     scan.
+   * BUG 13452: ldb: Save a copy of the index result before calling the
+     callbacks.
+   * BUG 13454: No Backtrace given by Samba's AD DC by default.
+   * BUG 13471: ldb_tdb: Use mem_ctx and so avoid leak onto long-term memory
+     on duplicated add.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 13432: s3:smbd: Fix interaction between chown and SD flags.
+
+o  G√ľnther Deschner <gd at samba.org>
+   * BUG 13437: Fix building Samba with gcc 8.1.
+
+o  Andrej Gessel <Andrej.Gessel at janztec.com>
+   * BUG 13475: Fix several mem leaks in ldb_index ldb_search ldb_tdb.
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 13331: libgpo: Fix the build --without-ads.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13369: Looking up the user using the UPN results in user name with the
+     REALM instead of the DOMAIN.
+   * BUG 13427: Fix broken server side GENSEC_FEATURE_LDAP_STYLE handling
+     (NTLMSSP NTLM2 packet check failed due to invalid signature!).
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 13446: smbd: Flush dfree memcache on service reload.
+   * BUG 13478: krb5_wrap: Fix keep_old_entries logic for older Kerberos
+     libraries.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 13369: Looking up the user using the UPN results in user name with the
+     REALM instead of the DOMAIN.
+   * BUG 13437: Fix building Samba with gcc 8.1.
+   * BUG 13440: s3:utils: Do not segfault on error in DoDNSUpdate().
+   * BUG 13480: krb5_plugin: Add winbind localauth plugin for MIT Kerberos.
+
+o  Lukas Slebodnik <lslebodn at fedoraproject.org>
+   * BUG 13459: ldb: Fix memory leak on module context.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.8.2
                             May 16, 2018
                    =============================
@@ -86,8 +175,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.8.1
@@ -450,6 +539,19 @@ This new module integrates with Sophos, F-Secure and ClamAV anti-virus
 software to provide scanning and filtering of files on a Samba share.
 
 
+Local authorization plugin for MIT Kerberos
+-------------------------------------------
+
+This plugin controls the relationship between Kerberos principals and AD
+accounts through winbind. The module receives the Kerberos principal and the
+local account name as inputs and can then check if they match. This can resolve
+issues with canonicalized names returned by Kerberos within AD. If the user
+tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
+Kerberos would return ALICE as the username. Kerberos would not be able to map
+'alice' to 'ALICE' in this case and auth would fail.  With this plugin account
+names can be correctly mapped. This only applies to GSSAPI authentication,
+not for the geting the initial ticket granting ticket.
+
 REMOVED FEATURES
 ================
 
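Review bot: the last sentence of the new "Local authorization plugin for MIT Kerberos" section reads "not for the geting the initial ticket granting ticket"; it should read something like "not to getting the initial ticket granting ticket". The section also describes what the plugin does without saying how an administrator enables it, which is worth a line here or a pointer to the relevant manpage.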
diff --git a/auth/auth_log.c b/auth/auth_log.c
index d4c6c44..72d8f81 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -350,7 +350,7 @@ static void add_version(struct json_context *context, int major, int minor)
 static void add_timestamp(struct json_context *context)
 {
 	char buffer[40];	/* formatted time less usec and timezone */
-	char timestamp[50];	/* the formatted ISO 8601 time stamp	 */
+	char timestamp[65];	/* the formatted ISO 8601 time stamp	 */
 	char tz[10];		/* formatted time zone			 */
 	struct tm* tm_info;	/* current local time			 */
 	struct timeval tv;	/* current system time			 */
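Review bot: the new size 65 for timestamp in add_timestamp() is a bare constant with no stated derivation. Going by the comments on the three arrays, timestamp has to hold the 40-byte buffer, the microseconds and the 10-byte tz, so writing the size in terms of sizeof(buffer) and sizeof(tz) plus a named allowance for the usec field would keep it correct if either of the other two is resized later.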
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index c0e6cff..ab92f4d 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 
-	if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
-		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
-			/*
-			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
-			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
-			 * is requested.
-			 */
-			ntlmssp_state->force_wrap_seal = true;
-		}
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-	}
 
 	if (role == ROLE_STANDALONE) {
 		ntlmssp_state->server.is_standalone = true;
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index db2003f..54fda41 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 			 * is requested.
 			 */
 			ntlmssp_state->force_wrap_seal = true;
-			/*
-			 * We want also work against old Samba servers
-			 * which didn't had GENSEC_FEATURE_LDAP_STYLE
-			 * we negotiate SEAL too. We may remove this
-			 * in a few years. As all servers should have
-			 * GENSEC_FEATURE_LDAP_STYLE by then.
-			 */
+		}
+	}
+	if (ntlmssp_state->force_wrap_seal) {
+		bool ret;
+
+		/*
+		 * We want also work against old Samba servers
+		 * which didn't had GENSEC_FEATURE_LDAP_STYLE
+		 * we negotiate SEAL too. We may remove this
+		 * in a few years. As all servers should have
+		 * GENSEC_FEATURE_LDAP_STYLE by then.
+		 */
+		ret = gensec_setting_bool(gensec_security->settings,
+					  "ntlmssp_client",
+					  "ldap_style_send_seal",
+					  true);
+		if (ret) {
 			ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 		}
 	}
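Review bot: the new ntlmssp_client:ldap_style_send_seal lookup is not mentioned in the comment that sits directly above it, and its result is stored in a variable named ret, which reads like a status code rather than a setting. Rename it to something like send_seal and extend the comment to say that setting the option to false stops the client from adding NTLMSSP_NEGOTIATE_SEAL to required_flags while force_wrap_seal stays set, so that the effect of turning it off is clear from the code.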
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 37ed2bc..140e89d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 	data_blob_free(&ntlmssp_state->challenge_blob);
 
 	if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+			/*
+			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+			 * is requested.
+			 */
+			ntlmssp_state->force_wrap_seal = true;
+		}
 		nt_status = ntlmssp_sign_init(ntlmssp_state);
 	}
 
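Review bot: the added block in ntlmssp_server_postauth() tests gensec_security->want_features for GENSEC_FEATURE_LDAP_STYLE inside a branch selected by gensec_ntlmssp_have_feature(), and the comment, copied as it stood, does not say why force_wrap_seal now has to be set here, after negotiation and before ntlmssp_sign_init(), rather than at server start. One sentence on that ordering would stop the assignment from being moved back in a later cleanup.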
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 7c461e5..0ba8aae 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1549,7 +1549,7 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
 		}
 
 		if (!flush &&
-		    (kt_entry.vno == kvno) &&
+		    ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
 		    (kt_entry_enctype != enctype))
 		{
 			DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
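Review bot: the 0xff mask applied to both sides of the kvno comparison has no comment, and it changes what counts as the same key version: two keytab entries whose kvno differ by a multiple of 256 now compare equal. Add a comment stating which library behaviour requires comparing only the low 8 bits, and check that the DEBUG line that follows still prints the value that was actually compared.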
diff --git a/lib/ldb/ABI/ldb-1.3.3.sigs b/lib/ldb/ABI/ldb-1.3.4.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.3.sigs
copy to lib/ldb/ABI/ldb-1.3.4.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs b/lib/ldb/ABI/pyldb-util-1.3.4.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.4.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.3.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index ee20273..40baeea 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -403,6 +403,7 @@ normal_index:
 				      "expected %d for %s",
 				      version, LTDB_INDEXING_VERSION,
 				      ldb_dn_get_linearized(dn));
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
@@ -420,19 +421,26 @@ normal_index:
 				      "expected %d for %s",
 				      version, LTDB_GUID_INDEXING_VERSION,
 				      ldb_dn_get_linearized(dn));
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
 		if (el->num_values != 1) {
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
 		if ((el->values[0].length % LTDB_GUID_SIZE) != 0) {
+			talloc_free(msg);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
 		list->count = el->values[0].length / LTDB_GUID_SIZE;
 		list->dn = talloc_array(list, struct ldb_val, list->count);
+		if (list->dn == NULL) {
+			talloc_free(msg);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
 
 		/*
 		 * The actual data is on msg, due to
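Review bot: this hunk adds the same talloc_free(msg) in front of four separate returns in the GUID branch, on top of the one added in the previous hunk, so the next error path written here can reintroduce the leak without anyone noticing. A single failure label that frees msg and returns LDB_ERR_OPERATIONS_ERROR, reached by goto from each check, would keep the cleanup in one place.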
@@ -523,9 +531,9 @@ static int ltdb_dn_list_store_full(struct ldb_module *module,
 	if (list->count == 0) {
 		ret = ltdb_delete_noindex(module, msg);
 		if (ret == LDB_ERR_NO_SUCH_OBJECT) {
-			talloc_free(msg);
-			return LDB_SUCCESS;
+			ret = LDB_SUCCESS;
 		}
+		talloc_free(msg);
 		return ret;
 	}
 
@@ -621,6 +629,9 @@ static int ltdb_dn_list_store(struct ldb_module *module, struct ldb_dn *dn,
 	}
 
 	key.dptr = discard_const_p(unsigned char, ldb_dn_get_linearized(dn));
+	if (key.dptr == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
 	key.dsize = strlen((char *)key.dptr);
 
 	rec = tdb_fetch(ltdb->idxptr->itdb, key);
@@ -1120,6 +1131,9 @@ static bool list_union(struct ldb_context *ldb,
 	/*
 	 * Sort the lists (if not in GUID DN mode) so we can do
 	 * the de-duplication during the merge
+	 *
+	 * NOTE: This can sort the in-memory index values, as list or
+	 * list2 might not be a copy!
 	 */
 	ltdb_dn_list_sort(ltdb, list);
 	ltdb_dn_list_sort(ltdb, list2);
@@ -1522,27 +1536,64 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
 			     struct ltdb_context *ac,
 			     uint32_t *match_count)
 {
-	struct ldb_context *ldb;
+	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct ldb_message *msg;
 	struct ldb_message *filtered_msg;
 	unsigned int i;
+	unsigned int num_keys = 0;
 	uint8_t previous_guid_key[LTDB_GUID_KEY_SIZE] = {};
+	TDB_DATA *keys = NULL;
+
+	/*
+	 * We have to allocate the key list (rather than just walk the
+	 * caller supplied list) as the callback could change the list
+	 * (by modifying an indexed attribute hosted in the in-memory
+	 * index cache!)
+	 */
+	keys = talloc_array(ac, TDB_DATA, dn_list->count);
+	if (keys == NULL) {
+		return ldb_module_oom(ac->module);
+	}
+
+	if (ltdb->cache->GUID_index_attribute != NULL) {
+		/*
+		 * We speculate that the keys will be GUID based and so
+		 * pre-fill in enough space for a GUID (avoiding a pile of
+		 * small allocations)
+		 */
+		struct guid_tdb_key {
+			uint8_t guid_key[LTDB_GUID_KEY_SIZE];
+		} *key_values = NULL;
+
+		key_values = talloc_array(keys,
+					  struct guid_tdb_key,
+					  dn_list->count);
 
-	ldb = ldb_module_get_ctx(ac->module);
+		if (key_values == NULL) {
+			talloc_free(keys);
+			return ldb_module_oom(ac->module);
+		}
+		for (i = 0; i < dn_list->count; i++) {
+			keys[i].dptr = key_values[i].guid_key;
+			keys[i].dsize = sizeof(key_values[i].guid_key);
+		}
+	} else {
+		for (i = 0; i < dn_list->count; i++) {
+			keys[i].dptr = NULL;
+			keys[i].dsize = 0;
+		}
+	}
 
 	for (i = 0; i < dn_list->count; i++) {
-		uint8_t guid_key[LTDB_GUID_KEY_SIZE];
-		TDB_DATA tdb_key = {
-			.dptr = guid_key,
-			.dsize = sizeof(guid_key)
-		};
 		int ret;
-		bool matched;
 
-		ret = ltdb_idx_to_key(ac->module, ltdb,
-				      ac, &dn_list->dn[i],
-				      &tdb_key);
+		ret = ltdb_idx_to_key(ac->module,
+				      ltdb,
+				      keys,
+				      &dn_list->dn[i],
+				      &keys[num_keys]);
 		if (ret != LDB_SUCCESS) {
+			talloc_free(keys);
 			return ret;
 		}
 
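Review bot: the else branch after the GUID pre-fill only sets keys[i].dptr to NULL and keys[i].dsize to 0 for every entry; allocating keys with talloc_zero_array(ac, TDB_DATA, dn_list->count) would make that loop unnecessary. It would also help to note in the comment that in this case ltdb_idx_to_key() allocates each key on keys, which is why the single talloc_free(keys) on the error paths is enough.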
@@ -1558,36 +1609,50 @@ static int ltdb_index_filter(struct ltdb_private *ltdb,
 			 * LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK
 			 */
 
-			if (memcmp(previous_guid_key, tdb_key.dptr,
+			if (memcmp(previous_guid_key,
+				   keys[num_keys].dptr,
 				   sizeof(previous_guid_key)) == 0) {
 				continue;
 			}
 
-			memcpy(previous_guid_key, tdb_key.dptr,
+			memcpy(previous_guid_key,
+			       keys[num_keys].dptr,
 			       sizeof(previous_guid_key));
 		}
+		num_keys++;
+	}
 
+
+	/*
+	 * Now that the list is a safe copy, send the callbacks
+	 */
+	for (i = 0; i < num_keys; i++) {
+		int ret;
+		bool matched;
 		msg = ldb_msg_new(ac);
 		if (!msg) {
+			talloc_free(keys);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-
 		ret = ltdb_search_key(ac->module, ltdb,
-				      tdb_key, msg,
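Review bot: in the new callback loop the ldb_msg_new() failure path frees keys and then returns a bare LDB_ERR_OPERATIONS_ERROR, while the keys and key_values allocation failures earlier in the same function return ldb_module_oom(ac->module). Use ldb_module_oom() here too so that running out of memory is reported the same way throughout the function. The two consecutive blank added lines before the "Now that the list is a safe copy" comment can be reduced to one.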


-- 
Samba Shared Repository


