[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Jul 5 00:06:02 UTC 2019


The branch, master has been updated
       via  eb8f74f26d5 WHATSNEW: entries for gnutls and samba-tool
       via  b3a2508f2ad s4/libnet: Fix joining a Windows pre-2008R2 DC
      from  4a9d46dafb3 s3: smbd: SMB1 add range checks to reply_fclose().

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit eb8f74f26d5d8facaaa13419e852aac727ba41a8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jul 5 07:19:53 2019 +1200

    WHATSNEW: entries for gnutls and samba-tool
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jul  5 00:05:15 UTC 2019 on sn-devel-184

commit b3a2508f2ad79e2f1007464da7dbe918933038a0
Author: Tim Beale <timbeale at catalyst.net.nz>
Date:   Mon Jul 1 17:06:31 2019 +1200

    s4/libnet: Fix joining a Windows pre-2008R2 DC
    
    From v4.8 onwards, Samba may not be able to join a DC older than 2008R2
    because the Windows DC doesn't support GET_TGT.
    
    If the dsdb repl_md code can't resolve a link target it returns an
    error, and the calling code (e.g. drs_util.py) should retry with
    GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
    so if you try to join an earlier Windows DC, the join will throw an
    error that you can't work around.
    
    We can avoid this problem by setting the same DSDB flag that GET_TGT
    sets to indicate that the link targets are as up-to-date as possible,
    and so there's no point retrying. Missing targets are still logged, so
    this at least allows the admin to fix up any problems after the join
    completed.
    
    I've only done this for the join case (problems during periodic
    replication are probably still worth escalating to an error).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
    RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
    DC may not have worked. When this problem occurred, the following
    message would be displayed:
     'Failed to commit objects: DOS code 0x000021bf'
    This particular issue has now been resolved. Note that there may still
    be other potential problems that occur when joining an older Windows DC.
    
    Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                    | 30 ++++++++++++++++++++++++++++++
 source4/libnet/libnet_vampire.c |  9 +++++++++
 2 files changed, 39 insertions(+)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cf65bd04ebb..286798cc289 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -87,6 +87,36 @@ Samba's replication code has also been improved to handle replication
 with the 2012 schema (the core of this replication fix has also been
 backported to 4.9.11 and will be in a 4.10.x release).
 
+GnuTLS 3.2 required
+-------------------
+
+Samba is making efforts to remove in-tree cryptographic functionality,
+and to instead rely on externally maintained libraries.  To this end,
+Samba has chosen GnuTLS as our standard cryptographic provider.
+
+Samba now requires GnuTLS 3.2 to be installed (including development
+headers at build time) for all configurations, not just the Samba AD
+DC.
+
+NOTE WELL: The use of GnuTLS means that Samba will honour the
+system-wide 'FIPS mode' (a reference to the US FIPS-140 cryptographic
+standard) and so will not operate in many still common situations if
+this system-wide parameter is in effect, as many of our protocols rely
+on outdated cryptography.
+
+A future Samba version will mitigate this to some extent where good
+cryptography effectively wraps bad cryptography, but for now that above
+applies.
+
+samba-tool improvements
+-----------------------
+
+A new "samba-tool contact" command has been added to allow the
+command-line manipulation of contacts, as used for address book
+lookups in LDAP.
+
+The "samba-tool [user|group|computer|group|contact] edit" command has been
+improved to operate more pleasantly on international character sets.
 
 100,000 USER and LARGER Samba AD DOMAINS
 ========================================
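Review bot: the new "samba-tool improvements" entry lists "group" twice in "samba-tool [user|group|computer|group|contact] edit"; drop the duplicate so the bracketed list matches the actual subcommands. In the preceding GnuTLS section, "but for now that above applies" should read "but for now the above applies". Since the NOTE WELL paragraph is the only place an administrator will learn that enabling the system-wide FIPS mode can stop Samba operating, consider stating the consequence more directly (for example, that Samba will refuse or fail certain operations rather than silently degrade) so it is not read as a general caveat.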
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index 0a2f62d703b..a0de1b7d3e0 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -665,6 +665,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data,
 		return WERR_INVALID_PARAMETER;
 	}
 
+	/*
+	 * If the peer DC doesn't support GET_TGT (req v10), then the link
+	 * targets are as up-to-date as they're ever gonna be. (Without this,
+	 * cases where we'd normally retry with GET_TGT cause the join to fail)
+	 */
+	if (c->req_level < 10) {
+		dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE;
+	}
+
 	if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) {
 		/*
 		 * If we only replicate the critical objects, or this
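Review bot: `if (c->req_level < 10)` hard-codes the GetNCChanges request level at which GET_TGT becomes available, with the explanation only in the comment's "(req v10)"; a named constant or a comment naming the DRSUAPI request version (and that GET_TGT is a v10 feature) would make the threshold reviewable. The comment should also state the trade-off the commit message spells out: setting DSDB_REPL_FLAG_TARGETS_UPTODATE disables the GET_TGT retry, so unresolved link targets are no longer an error and the log entries become the only record the administrator has to fix them after the join. Suggest replacing the informal "as they're ever gonna be" with that concrete statement, e.g.

	 * The peer cannot satisfy a GET_TGT retry, so treat link targets as
	 * up-to-date and rely on the logged warnings for any missing targets.

Finally, this branch sits in libnet_vampire_cb_store_chunk and so applies to every chunk of the join; the commit message says the relaxation is deliberately limited to the join and not to periodic replication, and a short comment here saying so would stop a later reader from copying the pattern into the replication path.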


-- 
Samba Shared Repository


