[SCM] Samba Shared Repository - branch v4-9-stable updated
Karolin Seeger
kseeger at samba.org
Thu Sep 6 08:03:06 UTC 2018
The branch, v4-9-stable has been updated
via 71aa4d1 VERSION: Disable GIT_SNAPSHOT for the 4.9.0rc5 release.
via 85edcc5 WHATSNEW: Add release notes for Samba 4.9.0rc5.
via c53bf98 krb5-samba: interdomain trust uses different salt principal
via 3dba82d testprogs/blackbox: let test_trust_user_account.sh check the correct kerberos salt
via a8be75b testprogs/blackbox: add testit[_expect_failure]_grep() to subunit.sh
via 58b3c86 samba-tool: add virtualKerberosSalt attribute to 'user getpassword/syncpasswords'
via ab0e26a s4:selftest: test kinit with the interdomain trust user account
via bcba25d vfs_fruit: Don't unlink the main file
via 5dad448 torture: Make sure that fruit_ftruncate only unlinks streams
via 5265716 s3:smbd: add a comment stating that file_close_user() is redundant for SMB2
via 71b7745 s3:smbd: let session logoff close files and tcons before deleting the session
via b5d7834 s3:smbd: reorder tcon global record deletion and closing files of a tcon
via c77edea selftest: add a durable handle test with delayed disconnect
via 99ef099 s4:selftest: reformat smb2_s3only list
via 7c5883a vfs_delay_inject: adding delay to VFS calls
via 7a3dbad s4:rpc_server/netlogon: don't treet trusted domains as primary in LogonGetDomainInfo()
via c6cfdf0 s4:rpc_server/netlogon: make use of talloc_zero_array() for the netr_OneDomainInfo array
via 3982347 s4:rpc_server/netlogon: use samdb_domain_guid()/dsdb_trust_local_tdo_info() to build our netr_OneDomainInfo values
via c7ca858 s4:dsdb/common: add samdb_domain_guid() helper function
via 7aab1f1 dsdb:util_trusts: add dsdb_trust_local_tdo_info() helper function
via 53f225c dsdb/util_trusts: domain_dn is an input parameter of dsdb_trust_crossref_tdo_info()
via 5556a67 s4:torture/rpc/netlogon: verify the trusted domains output of LogonGetDomainInfo()
via 0a1df2a s4:torture/rpc/netlogon: assert that cli_credentials_get_{workstation,password} don't return NULL
via 176c9c3 smbd: Fix a memleak in async search ask sharemode
via 02f01fa ctdb-daemon: Log complete eventd startup command
via 9987cc3 ctdb-daemon: Do not retry connection to eventd
via 46de8d2 ctdb-daemon: Wait for eventd to be ready before connecting
via 0155635 ctdb-daemon: Open eventd pipe earlier
via abb6337 ctdb-daemon: Improve error handling consistency
via 1a171bc ctdb-event: Add support to eventd for the startup notification FD
via 35242cf ctdb-common: Add support for sock daemon to notify of successful startup
via a242e10 ctdb-common: Process the whole config file even if an error occurs
via 7db0f18 ctdb-common: Avoid ENOENT for unknown conf options
via 40dff2c ctdb-common: Avoid ENOENT for unknown conf type tags
via 372b79c ctdb-common: Log a message when an invalid conf value is encountered
via 42b2c12f ctdb-common: Log a message for unknown conf option
via 8b711e8 ctdb-common: Fix log message for conf option with unknown section
via 0070d21 ctdb-daemon: Drop incorrect log message
via 8d9c661 s3: util: Do not take over stderr when there is no log file
via 4c2dfd7 s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only returns absolute pathnames.
via 4629746 s3: VFS: vfs_full_audit: Add $cwd arg to smb_fname_str_do_log().
via 3b31cae VERSION: Bump version up to 4.9.0rc5...
from 8fd169a VERSION: Disable GIT_SNAPSHOT for the 4.9.0rc4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 82 ++++++--
auth/credentials/credentials_krb5.c | 16 +-
ctdb/common/conf.c | 47 +++--
ctdb/common/sock_daemon.c | 26 +++
ctdb/common/sock_daemon.h | 10 +
ctdb/event/event_daemon.c | 8 +
ctdb/server/ctdbd.c | 2 +-
ctdb/server/eventscript.c | 147 +++++++++++--
ctdb/tests/cunit/conf_test_001.sh | 4 +-
ctdb/tests/cunit/config_test_001.sh | 5 +-
ctdb/tests/cunit/config_test_005.sh | 6 +
lib/krb5_wrap/krb5_samba.c | 61 ++++--
lib/krb5_wrap/krb5_samba.h | 2 +-
lib/util/debug.c | 7 +-
python/samba/netcmd/user.py | 24 +++
selftest/target/Samba3.pm | 8 +
source3/locking/share_mode_lock.c | 13 +-
source3/modules/vfs_delay_inject.c | 58 +++++
source3/modules/vfs_fruit.c | 6 +-
source3/modules/vfs_full_audit.c | 62 ++++--
source3/modules/wscript_build | 7 +
source3/passdb/machine_account_secrets.c | 3 +-
.../script/tests/test_durable_handle_reconnect.sh | 21 ++
source3/selftest/tests.py | 5 +-
source3/smbd/smbXsrv_session.c | 52 +++--
source3/smbd/smbXsrv_tcon.c | 38 ++--
source3/wscript | 1 +
source4/dsdb/common/util.c | 55 +++++
source4/dsdb/common/util_trusts.c | 22 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 6 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 234 +++++++++++++++------
source4/selftest/tests.py | 9 +-
source4/torture/rpc/netlogon.c | 146 ++++++++++++-
source4/torture/smb2/durable_v2_open.c | 95 +++++++++
source4/torture/smb2/smb2.c | 2 +
source4/torture/vfs/fruit.c | 45 ++++
testprogs/blackbox/subunit.sh | 50 +++++
testprogs/blackbox/test_trust_user_account.sh | 58 +++++
39 files changed, 1209 insertions(+), 236 deletions(-)
create mode 100644 source3/modules/vfs_delay_inject.c
create mode 100755 source3/script/tests/test_durable_handle_reconnect.sh
create mode 100755 testprogs/blackbox/test_trust_user_account.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 1860df5..89ac63f 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=4
+SAMBA_VERSION_RC_RELEASE=5
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e6194aa..07cd9f2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the fourth release candidate of Samba 4.9. This is *not*
+This is the fifth release candidate of Samba 4.9. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -17,8 +17,8 @@ NEW FEATURES/CHANGES
====================
-net ads setspn
----------------
+'net ads setspn'
+----------------
There is a new 'net ads setspn' sub command for managing Windows SPN(s)
on the AD. This command aims to give the basic functionality that is
@@ -39,8 +39,9 @@ The format of a Windows SPN is
serviceclass/host is generally sufficient to specify a host based service.
-net ads keytab changes
-----------------------
+'net ads keytab' changes
+------------------------
+
net ads keytab add no longer attempts to convert the passed serviceclass
(e.g. nfs, html etc.) into a Windows SPN which is added to the Windows AD
computer object. By default just the keytab file is modified.
@@ -62,14 +63,14 @@ local account name as inputs and can then check if they match. This can resolve
issues with canonicalized names returned by Kerberos within AD. If the user
tries to log in as 'alice', but the samAccountName is set to ALICE (uppercase),
Kerberos would return ALICE as the username. Kerberos would not be able to map
-'alice' to 'ALICE' in this case and auth would fail. With this plugin account
+'alice' to 'ALICE' in this case and auth would fail. With this plugin, account
names can be correctly mapped. This only applies to GSSAPI authentication,
-not for the getting the initial ticket granting ticket.
+not for getting the initial ticket granting ticket.
VFS audit modules
-----------------
-The vfs_full_audit module has changed it's default set of monitored successful
+The vfs_full_audit module has changed its default set of monitored successful
and failed operations from "all" to "none". That helps to prevent potential
denial of service caused by simple addition of the module to the VFS objects.
@@ -111,27 +112,28 @@ entries.
JSON library Jansson required for the AD DC
-------------------------------------------
-By default the Jansson JSON library is required for Samba to build.
+By default, the Jansson JSON library is required for Samba to build.
It is strictly required for the Samba AD DC, and is optional for
-builds --without-ad-dc by specifying --without-json-audit at configure
+builds "--without-ad-dc" by specifying "--without-json-audit" at configure
time.
-New Experimental LMDB LDB backend
+New experimental LMDB LDB backend
---------------------------------
A new experimental LDB backend using LMDB is now available. This allows
databases larger than 4Gb (Currently the limit is set to 6Gb, but this will be
increased in a future release). To enable lmdb, provision or join a domain using
-the --backend-store=mdb option.
+the "--backend-store=mdb" option.
This requires that a version of lmdb greater than 0.9.16 is installed and that
-samba has not been built with the --without-ldb-lmdb option.
+samba has not been built with the "--without-ldb-lmdb" option.
Please note this is an experimental feature and is not recommended for
production deployments.
Password Settings Objects
-------------------------
+
Support has been added for Password Settings Objects (PSOs). This AD feature is
also known as Fine-Grained Password Policies (FGPP).
@@ -147,9 +149,10 @@ passwordsettings pso' set of commands.
Domain backup and restore
-------------------------
-A new samba-tool command has been added that allows administrators to create a
-backup-file of their domain DB. In the event of a catastrophic failure of the
-domain, this backup-file can be used to restore Samba services.
+
+A new 'samba-tool' subcommand has been added that allows administrators to
+create a backup-file of their domain DB. In the event of a catastrophic failure
+of the domain, this backup-file can be used to restore Samba services.
The new 'samba-tool domain backup online' command takes a snapshot of the
domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
@@ -161,6 +164,7 @@ network.
Domain rename tool
------------------
+
Basic support has been added for renaming a Samba domain. The rename feature is
designed for the following cases:
1). Running a temporary alternate domain, in the event of a catastrophic
@@ -203,8 +207,8 @@ This, combined with efforts to correctly identify the client side in
the GetDCName Netlogon call will improve service to sites without a
local DC.
-Improved samba-tool computer command
-------------------------------------
+Improved 'samba-tool computer' command
+--------------------------------------
The 'samba-tool computer' command allow manipulation of computer
accounts including creating a new computer and resetting the password.
@@ -214,7 +218,7 @@ Samba AD domain.
Samba performance tool now operates against Microsoft Windows AD
----------------------------------------------------------------
-The Samba AD performance testing tool traffic_reply can now operate
+The Samba AD performance testing tool 'traffic_reply' can now operate
against a Windows based AD domain. Previously it only operated
correctly against Samba.
@@ -222,10 +226,10 @@ DNS entries are now cleaned up during DC demote
-----------------------------------------------
DNS records are now cleaned up as part of the 'samba-tool domain
-demote' including both the default and --remove-other-dead-server
+demote' including both the default and '--remove-other-dead-server'
modes.
-Additionally DNS records can be automatically cleaned up for a given
+Additionally, DNS records can be automatically cleaned up for a given
name with the 'samba-tool dns cleanup' command, which aids in cleaning
up partially removed DCs.
@@ -434,8 +438,8 @@ There are many changes to CTDB in this release.
GPO Improvements
----------------
-The samba_gpoupdate command (used in applying Group Policies to the
-samba machine itself) has been renamed to samba_gpupdate and had the
+The 'samba_gpoupdate' command (used in applying Group Policies to the
+Samba machine itself) has been renamed to "samba_gpupdate" and had the
syntax changed to better match the same tool on Windows.
@@ -476,6 +480,38 @@ Any external VFS modules will need to be updated to match these
changes in order to work with 4.9.x.
+CHANGES SINCE 4.9.0rc4
+======================
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13565: s3: VFS: vfs_full_audit: Ensure smb_fname_str_do_log() only
+ returns absolute pathnames.
+
+o Paulo Alcantara <paulo at paulo.ac>
+ * BUG 13578: s3: util: Do not take over stderr when there is no log file.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 13549: Durable Reconnect fails because cookie.allow_reconnect is not
+ set.
+
+o Alexander Bokovoy <ab at samba.org>
+ * BUG 13539: krb5-samba: Interdomain trust uses different salt principal.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 13441: vfs_fruit: Don't unlink the main file.
+ * BUG 13602: smbd: Fix a memleak in async search ask sharemode.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 11517: Fix Samba GPO issue when Trust is enabled.
+ * BUG 13539: samba-tool: Add "virtualKerberosSalt" attribute to
+ 'user getpassword/syncpasswords'.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 13589: Fix CTDB configuration issues.
+ * BUG 13592: ctdbd logs an error until it can successfully connect to
+ eventd.
+
+
CHANGES SINCE 4.9.0rc3
======================
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 9da1aa0..d36797b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -34,6 +34,7 @@
#include "auth/kerberos/kerberos_util.h"
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"
+#include "../libds/common/flags.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -974,7 +975,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
char *salt_principal = NULL;
- bool is_computer = false;
+ uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
@@ -999,9 +1000,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
switch (cred->secure_channel_type) {
case SEC_CHAN_WKSTA:
- case SEC_CHAN_BDC:
case SEC_CHAN_RODC:
- is_computer = true;
+ uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_BDC:
+ uac_flags = UF_SERVER_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_DNS_DOMAIN:
+ uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
break;
default:
upn = cli_credentials_get_principal(cred, mem_ctx);
@@ -1009,13 +1016,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
TALLOC_FREE(mem_ctx);
return ENOMEM;
}
+ uac_flags = UF_NORMAL_ACCOUNT;
break;
}
ret = smb_krb5_salt_principal(realm,
username, /* sAMAccountName */
upn, /* userPrincipalName */
- is_computer,
+ uac_flags,
mem_ctx,
&salt_principal);
if (ret) {
diff --git a/ctdb/common/conf.c b/ctdb/common/conf.c
index 669ac23..3d668de 100644
--- a/ctdb/common/conf.c
+++ b/ctdb/common/conf.c
@@ -155,7 +155,7 @@ static int conf_value_from_string(TALLOC_CTX *mem_ctx,
break;
default:
- return ENOENT;
+ return EINVAL;
}
return ret;
@@ -232,7 +232,7 @@ static int conf_value_copy(TALLOC_CTX *mem_ctx,
break;
default:
- return ENOENT;
+ return EINVAL;
}
return 0;
@@ -1048,6 +1048,10 @@ static int conf_load_internal(struct conf_context *conf)
}
}
+ if (state.err != 0) {
+ goto fail;
+ }
+
conf_all_update(conf);
return 0;
@@ -1066,7 +1070,7 @@ static bool conf_load_section(const char *section, void *private_data)
ok = conf_section_validate(state->conf, state->s, state->mode);
if (!ok) {
state->err = EINVAL;
- return false;
+ return true;
}
}
@@ -1078,7 +1082,7 @@ static bool conf_load_section(const char *section, void *private_data)
} else {
D_ERR("conf: unknown section [%s]\n", section);
state->err = EINVAL;
- return false;
+ return true;
}
}
@@ -1099,23 +1103,30 @@ static bool conf_load_option(const char *name,
if (state->s == NULL) {
if (state->conf->ignore_unknown) {
- D_DEBUG("conf: ignoring unknown option \"%s\"\n",
+ D_DEBUG("conf: unknown section for option \"%s\"\n",
name);
return true;
} else {
- D_ERR("conf: unknown option \"%s\"\n", name);
+ D_ERR("conf: unknown section for option \"%s\"\n",
+ name);
state->err = EINVAL;
- return false;
+ return true;
}
}
opt = conf_option_find(state->s, name);
if (opt == NULL) {
if (state->conf->ignore_unknown) {
+ D_DEBUG("conf: unknown option [%s] -> \"%s\"\n",
+ state->s->name,
+ name);
return true;
} else {
- state->err = ENOENT;
- return false;
+ D_ERR("conf: unknown option [%s] -> \"%s\"\n",
+ state->s->name,
+ name);
+ state->err = EINVAL;
+ return true;
}
}
@@ -1128,9 +1139,13 @@ static bool conf_load_option(const char *name,
value.type = opt->type;
ret = conf_value_from_string(tmp_ctx, value_str, &value);
if (ret != 0) {
+ D_ERR("conf: invalid value [%s] -> \"%s\" = \"%s\"\n",
+ state->s->name,
+ name,
+ value_str);
talloc_free(tmp_ctx);
state->err = ret;
- return false;
+ return true;
}
ok = conf_option_same_value(opt, &value);
@@ -1142,7 +1157,7 @@ static bool conf_load_option(const char *name,
if (ret != 0) {
talloc_free(tmp_ctx);
state->err = ret;
- return false;
+ return true;
}
done:
@@ -1196,16 +1211,16 @@ static int conf_set(struct conf_context *conf,
s = conf_section_find(conf, section);
if (s == NULL) {
- return ENOENT;
+ return EINVAL;
}
opt = conf_option_find(s, key);
if (opt == NULL) {
- return ENOENT;
+ return EINVAL;
}
if (opt->type != value->type) {
- return ENOENT;
+ return EINVAL;
}
ok = conf_option_same_value(opt, value);
@@ -1280,12 +1295,12 @@ static int conf_get(struct conf_context *conf,
s = conf_section_find(conf, section);
if (s == NULL) {
- return ENOENT;
+ return EINVAL;
}
opt = conf_option_find(s, key);
if (opt == NULL) {
- return ENOENT;
+ return EINVAL;
}
if (opt->type != type) {
diff --git a/ctdb/common/sock_daemon.c b/ctdb/common/sock_daemon.c
index 3c17519..90f6bce 100644
--- a/ctdb/common/sock_daemon.c
+++ b/ctdb/common/sock_daemon.c
@@ -31,6 +31,7 @@
#include "lib/util/dlinklist.h"
#include "lib/util/tevent_unix.h"
#include "lib/util/become_daemon.h"
+#include "lib/util/sys_rw.h"
#include "common/logging.h"
#include "common/reqid.h"
@@ -72,6 +73,7 @@ struct sock_daemon_context {
struct pidfile_context *pid_ctx;
struct sock_socket *socket_list;
+ int startup_fd;
};
/*
@@ -489,6 +491,7 @@ int sock_daemon_setup(TALLOC_CTX *mem_ctx, const char *daemon_name,
sockd->funcs = funcs;
sockd->private_data = private_data;
+ sockd->startup_fd = -1;
ret = logging_init(sockd, logging, debug_level, daemon_name);
if (ret != 0) {
@@ -520,6 +523,11 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd,
return 0;
}
+void sock_daemon_set_startup_fd(struct sock_daemon_context *sockd, int fd)
+{
+ sockd->startup_fd = fd;
+}
+
/*
* Run socket daemon
*/
@@ -549,6 +557,7 @@ static void sock_daemon_run_socket_fail(struct tevent_req *subreq);
static void sock_daemon_run_watch_pid(struct tevent_req *subreq);
static void sock_daemon_run_wait(struct tevent_req *req);
static void sock_daemon_run_wait_done(struct tevent_req *subreq);
+static void sock_daemon_startup_notify(struct sock_daemon_context *sockd);
struct tevent_req *sock_daemon_run_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -675,6 +684,8 @@ static void sock_daemon_run_started(struct tevent_req *subreq)
return;
}
sock_daemon_run_wait(req);
+
+ sock_daemon_startup_notify(sockd);
}
static void sock_daemon_run_startup_done(struct tevent_req *subreq)
@@ -702,6 +713,8 @@ static void sock_daemon_run_startup_done(struct tevent_req *subreq)
return;
}
sock_daemon_run_wait(req);
+
+ sock_daemon_startup_notify(sockd);
}
static void sock_daemon_run_signal_handler(struct tevent_context *ev,
@@ -967,6 +980,19 @@ static void sock_daemon_run_wait_done(struct tevent_req *subreq)
sock_daemon_run_shutdown(req);
}
+static void sock_daemon_startup_notify(struct sock_daemon_context *sockd)
+{
+ if (sockd->startup_fd != -1) {
+ unsigned int zero = 0;
+ ssize_t num;
+
+ num = sys_write(sockd->startup_fd, &zero, sizeof(zero));
+ if (num != sizeof(zero)) {
+ D_WARNING("Failed to write zero to pipe FD\n");
+ }
+ }
+}
+
bool sock_daemon_run_recv(struct tevent_req *req, int *perr)
{
int ret;
diff --git a/ctdb/common/sock_daemon.h b/ctdb/common/sock_daemon.h
index 705c4fa..972245a 100644
--- a/ctdb/common/sock_daemon.h
+++ b/ctdb/common/sock_daemon.h
@@ -210,6 +210,16 @@ int sock_daemon_add_unix(struct sock_daemon_context *sockd,
void *private_data);
--
Samba Shared Repository
More information about the samba-cvs
mailing list