[SCM] Samba Shared Repository - branch v4-9-stable updated

Karolin Seeger kseeger at samba.org
Tue Sep 3 07:20:12 UTC 2019


The branch, v4-9-stable has been updated
       via  1acf30ac5c1 VERSION: Disable GIT_SNAPSHOT for the 4.9.13 release.
       via  514743b29cd WHATSNEW: Add release notes for Samba 4.9.13.
       via  8e2c37bdde1 CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
       via  c98528753fc CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
       via  1305693dba3 CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
       via  104557f2ad5 CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
       via  5604883d06d CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
       via  4772adbe1ce CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
       via  674ef36921f VERSION: Bump version up to 4.9.13...
       via  53d19bf5359 VERSION: Diable GIT_SNAPSHOT for the 4.9.12 release.
       via  1205c5cb588 WHATSNEW: Add release notes for Samba 4.9.12.
       via  dcff563d0ff vfs_glusterfs: Enable profiling for file system operations
       via  0cb08a2309c vfs_gpfs: Implement special case for denying owner access to ACL
       via  fe990205ac8 vfs_gpfs: Move mapping from generic NFSv ACL to GPFS ACL to separate function
       via  bba26e385b3 docs: Remove gpfs:merge_writeappend from vfs_gpfs manpage
       via  b3560baaf99 vfs_gpfs: Remove merge_writeappend parameter
       via  548cc5183e4 nfs4_acls: Use correct owner information for ACL after owner change
       via  c5d4691183f nfs4_acls: Add test for merging duplicates when mapping from NFS4 ACL to DACL
       via  1f10af9fb98 nfs4_acls: Remove duplicate entries when mapping from NFS4 ACL to DACL
       via  b4b61724550 nfs4_acls: Rename smbacl4_fill_ace4 function
       via  657f79f8594 nfs4_acls: Add additional owner entry when mapping to NFS4 ACL with IDMAP_TYPE_BOTH
       via  d297f347dd1 nfs4_acls: Remove redundant pointer variable
       via  596a4e4d0a1 nfs4_acls: Remove redundant logging from smbacl4_fill_ace4
       via  7555f121757 nfs4_acls: Move adding of NFS4 ACE to ACL to smbacl4_fill_ace4
       via  02a5fbd007a nfs4_acls: Move smbacl4_MergeIgnoreReject function
       via  8c8f09c32f8 nfs4_acls: Remove i argument from smbacl4_MergeIgnoreReject
       via  966916dafec nfs4_acls: Add missing braces in smbacl4_win2nfs4
       via  ff1cee15494 nfs4_acls: Add helper function for checking INHERIT flags.
       via  1026680518d nfs4_acls: Use correct type when checking ownerGID
       via  2493a9f81b9 nfs4_acls: Use switch/case for checking idmap type
       via  d50b5fc5fc5 nfs4_acls: Use sids_to_unixids to lookup uid or gid
       via  9ba27632b29 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with IDMAP_TYPE_BOTH
       via  8ad87b9ab42 test_nfs4_acls: Add test for mapping from NFS4 ACL to DACL with IDMAP_TYPE_BOTH
       via  c5da1d665a9 test_nfs4_acls: Add test for mapping from NFS4 to DACL in config mode special
       via  f64276397e2 test_nfs4_acls: Add test for mapping from DACL to NFS4 ACL with config special
       via  92d2e243c30 test_nfs4_acls: Add test for matching DACL entries for acedup
       via  5b130cc4d10 test_nfs4_acls: Add test for acedup settings
       via  b21c3f38871 test_nfs4_acls: Add test for 'map full control' option
       via  79f9a5013a6 test_nfs4_acls: Add test for mapping from NFS4 to DACL CREATOR entries
       via  e8f8c4c8257 test_nfs4_acls: Add test for mapping CREATOR entries to NFS4 ACL entries
       via  f0581b94b24 test_nfs4_acls: Add test for mapping from DACL to special NFS4 ACL entries
       via  f900a6e1252 test_nfs4_acls: Add test for mapping of special NFS4 ACL entries to DACL entries
       via  c9650274538 test_nfs4_acls: Add test for mapping permissions from DACL to NFS4 ACL
       via  f431a1b7de7 test_nfs4_acls: Add test for mapping permissions from NFS4 ACL to DACL
       via  0aadba938c9 test_nfs4_acls: Add test for flags mapping from DACL to NFS4 ACL
       via  d142e46acdf test_nfs4_acls: Add test for flags mapping from NFS4 ACL to DACL
       via  7f1c567af71 test_nfs4_acls: Add tests for mapping of ACL types
       via  ee47f743a9b test_nfs4_acls: Add tests for mapping of empty ACLs
       via  c84bdb31826 selftest: Start implementing unit test for nfs4_acls
       via  1db5a29088b nfs4_acls: Remove fsp from smbacl4_win2nfs4
       via  0af50d85f6d Revert "nfs4acl: Fix owner mapping with ID_TYPE_BOTH"
       via  d2b711ae9bf vfs: Use dom_sid_str_buf
       via  1784a664892 Add PrimaryGroupId to group array in DC response
       via  c20f77fe0fb selftest: check for PrimaryGroupId in DC returned group array
       via  1c43f6b1afb selftest: remote_pac: s/s2u4self/s4u2self/g
       via  3aa131b5558 vfs:glusterfs_fuse: build only if we have setmntent()
       via  c7e98332192 vfs:glusterfs_fuse: ensure fileids are constant across nodes
       via  bf5ac945151 smbtorture: extend rpc.lsa to lookup machine over forest-wide LookupNames
       via  d89fc30dab1 lookup_name: allow own domain lookup when flags == 0
       via  4fd7914eed9 torture/rpc/lsa: allow testing different lookup levels
       via  2627724e1b2 Revert "s3:messages: protect against usage of wrapper tevent_context objects for messaging"
       via  5a3fa18389b Revert "s3:messages: allow messaging_{dgm,ctdb}_register_tevent_context() to use wrapper tevent_context"
       via  a4ad9d6e7cf Revert "s3:messages: allow messaging_dgm_ref() to use wrapper tevent_context"
       via  116c4a79456 Revert "s3:messages: allow messaging_filtered_read_send() to use wrapper tevent_context"
       via  9daacf18383 Revert "s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper"
       via  de909ff8860 ctdb-config: depend on /etc/ctdb/nodes file
       via  97727eefe49 vfs_catia: pass stat info to synthetic_smb_fname()
       via  db44860c93d samba-tool: add 'import samba.drs_utils' to fsmo.py
       via  f1eeb8e63af samba-tool: use only one LDAP modify for dns partition fsmo role transfer
       via  8fb77c2d1c8 s4:torture:fsmo.py: remove unused 'net_cmd' variable
       via  6b9d7481fe8 samba-tool: fix replication after dns partition fsmo role transfer
       via  cf5002e0345 s4:torture:fsmo.py: test role transfers of dns partitions
       via  043675f3a0c dnsp.idl: fix payload for DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME
       via  8ce25bdb054 dnsp.idl: fix the dnsp_dns_addr_array definition
       via  b59569126d9 dnsp.idl: fix dnsp_ip4_array definition
       via  d9b747c0ca0 s4:torture: add local.ndr.dnsp tests
       via  4fd604b1657 dbcheck: fallback to the default tombstoneLifetime of 180 days
       via  9af7a1ccb33 lib/util: remove unused prototypes in debug.h
       via  bdc11a6b825 lib/util: fix call to dbghdrclass() for DEBUGC()
       via  f7a5adf0256 s4/libnet: Fix joining a Windows pre-2008R2 DC
       via  ea481544d2f vfs:glusterfs_fuse: treat ENOATTR as ENOENT
       via  e126fdaa0c4 vfs:glusterfs: treat ENOATTR as ENOENT
       via  00dbe9ff5a5 dsdb: Handle DB corner-case where PSO container doesn't exist
       via  948b60d21ef s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
       via  a47fd552e12 s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
       via  3bcaef67d29 s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
       via  88a60f59c13 WHATSNEW: Fix typo.
       via  63547807f51 VERSION: Bump version up to 4.9.12...
      from  f9055cbf92c VERSION: Disable GIT_SNAPSHOT for the 4.9.11 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable


- Log -----------------------------------------------------------------
commit 1acf30ac5c1c1ffc6f92ff9786b1be897c3b5092
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Aug 28 09:45:38 2019 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.9.13 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 514743b29cd107fb26dfbe69d0ad520b42fce21f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Aug 28 09:44:22 2019 +0200

    WHATSNEW: Add release notes for Samba 4.9.13.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    CVE-2019-10197 [SECURITY][EMBARGOED] permissions check deny can allow user to
    escape from the share.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 8e2c37bdde18440299f7e5d4a0393e0cc465ac31
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 11 17:02:15 2019 +0200

    CVE-2019-10197: smbd: split change_to_user_impersonate() out of change_to_user_internal()
    
    This makes sure we always call chdir_current_service() even
    when we still impersonated the user. Which is important
    in order to run the SMB* request within the correct working directory
    and only if the user has permissions to enter that directory.
    
    It makes sure we always update conn->lastused_count
    in chdir_current_service() for each request.
    
    Note that vfs_ChDir() (called from chdir_current_service())
    maintains its own cache and avoids calling SMB_VFS_CHDIR()
    if possible.
    
    It means we still avoid syscalls if we get multiple requests
    for the same session/tcon tuple.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c98528753fc4754c0a34a449f9cc682c8c83e318
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 16 15:40:38 2019 +0200

    CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 1305693dba384c328651af569d46b535bb26ee0f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jul 30 17:16:59 2019 +0200

    CVE-2019-10197: selftest: make fsrvp_share its own independent subdirectory
    
    The next patch will otherwise break the fsrvp related tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 104557f2ad5c67fab257927d9aa0931a74113ce2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 18 14:04:08 2019 +0200

    CVE-2019-10197: smbd: make sure we reset current_user.{need,done}_chdir in become_root()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 5604883d06d99a2ed3c1122408e266793de40942
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 11 17:01:29 2019 +0200

    CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir
    
    We should not leave current_user.done_chdir as true if we didn't call
    chdir_current_service() with success.
    
    This caused problems when calling vfs_ChDir() in pop_conn_ctx() after
    chdir_current_service() worked once on one share but later failed on another
    share.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 4772adbe1ce1693c64e9b3673c8d9359bfa910b4
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Jul 12 12:10:35 2019 -0700

    CVE-2019-10197: smbd: separate out impersonation debug info into a new function.
    
    Will be called elsewhere on successful impersonation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 674ef36921fe8355854593b4b7cded78a6b76d2c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Aug 27 10:13:25 2019 +0200

    VERSION: Bump version up to 4.9.13...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  142 +-
 auth/auth_sam_reply.c                              |    8 +-
 ctdb/config/ctdb.service                           |    1 +
 docs-xml/manpages/vfs_glusterfs_fuse.8.xml         |    8 +
 docs-xml/manpages/vfs_gpfs.8.xml                   |   20 -
 lib/util/debug.h                                   |    4 +-
 librpc/idl/dnsp.idl                                |    9 +-
 python/samba/dbchecker.py                          |    5 +-
 python/samba/netcmd/fsmo.py                        |   27 +-
 selftest/target/Samba3.pm                          |   19 +-
 source3/lib/messages.c                             |   37 +-
 source3/lib/messages_ctdb.c                        |   30 +-
 source3/lib/messages_ctdb_ref.c                    |   12 -
 source3/lib/messages_dgm.c                         |   36 +-
 source3/lib/messages_dgm_ref.c                     |   12 -
 source3/modules/nfs4_acls.c                        |  365 ++--
 source3/modules/nfs4_acls.h                        |    2 +
 source3/modules/test_nfs4_acls.c                   | 1898 ++++++++++++++++++++
 source3/modules/vfs_afsacl.c                       |    6 +-
 source3/modules/vfs_catia.c                        |   42 +-
 source3/modules/vfs_default.c                      |    6 +-
 source3/modules/vfs_glusterfs.c                    |  346 +++-
 source3/modules/vfs_glusterfs_fuse.c               |  195 +-
 source3/modules/vfs_gpfs.c                         |  121 +-
 source3/modules/wscript_build                      |    5 +
 source3/passdb/lookup_sid.c                        |    2 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c        |   52 +-
 source3/script/tests/test_smbclient_s3.sh          |   30 +
 source3/selftest/tests.py                          |    4 +
 source3/smbd/uid.c                                 |   62 +-
 source3/wscript                                    |    4 +-
 source4/dns_server/dnsserver_common.c              |    2 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |   12 +
 source4/lib/messaging/messaging.c                  |   28 +-
 source4/libnet/libnet_vampire.c                    |    9 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |   15 -
 .../tests/rpc_dns_server_dnsutils_test.c           |   44 +-
 source4/torture/drs/python/fsmo.py                 |   12 +-
 source4/torture/ndr/dnsp.c                         |  367 ++++
 source4/torture/ndr/ndr.c                          |    1 +
 source4/torture/ndr/ndr.h                          |    9 +
 source4/torture/rpc/lsa.c                          |  128 +-
 source4/torture/rpc/remote_pac.c                   |  114 +-
 source4/torture/rpc/schannel.c                     |    2 +-
 source4/torture/wscript_build                      |    1 +
 46 files changed, 3593 insertions(+), 663 deletions(-)
 create mode 100644 source3/modules/test_nfs4_acls.c
 create mode 100644 source4/torture/ndr/dnsp.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 75b6a9a9768..d2721c27c8e 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=13
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4c28ae2b424..fe8086b436a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,139 @@
+                   ==============================
+                   Release Notes for Samba 4.9.13
+                         September 03, 2019
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2019-10197: Combination of parameters and permissions can allow user
+                   to escape from the share path definition.
+
+=======
+Details
+=======
+
+o  CVE-2019-10197:
+   Under certain parameter configurations, when an SMB client accesses a network
+   share and the user does not have permission to access the share root
+   directory, it is possible for the user to escape from the share to see the
+   complete '/' filesystem. Unix permission checks in the kernel are still
+   enforced.
+
+
+Changes since 4.9.12:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+     from the share.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14035: CVE-2019-10197: Permissions check deny can allow user to escape
+     from the share.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
+                   Release Notes for Samba 4.9.12
+                           August 27, 2019
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.9 release series.
+
+
+Changes since 4.9.11:
+---------------------
+
+o  Michael Adam <obnox at samba.org>
+   * BUG 13972: vfs:glusterfs_fuse: Different Device Id for GlusterFS FUSE mount
+     is causing data loss in CTDB cluster.
+   * BUG 14010: vfs:glusterfs_fuse: Unable to create or rename file/directory
+     inside shares configured with vfs_glusterfs_fuse module.
+
+o  Björn Baumbach <bb at sernet.de>
+   * BUG 13973: samba-tool: Add 'import samba.drs_utils' to fsmo.py.
+
+o  Tim Beale <timbeale at catalyst.net.nz>
+   * BUG 14008: dsdb: Handle DB corner-case where PSO container doesn't exist.
+   * BUG 14021: s4/libnet: Fix joining a Windows pre-2008R2 DC.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 14015: vfs_catia: Pass stat info to synthetic_smb_fname().
+   * BUG 14033: Samba 4.9 doesn't build with libtevent 0.9.39.
+
+o  Alexander Bokovoy <ab at samba.org>
+   * BUG 14091: lookup_name: Allow own domain lookup when flags == 0.
+
+o  Isaac Boukris <iboukris at gmail.com>
+   * BUG 11362: Add PrimaryGroupId to group array in DC response.
+
+o  Anoop C S <anoopcs at redhat.com>
+   * BUG 14035: vfs_glusterfs: Enable profiling for file system operations.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 13915: DEBUGC and DEBUGADDC doesn't print into a class specific log
+     file. 
+   * BUG 13949: Request to keep deprecated option "server schannel", VMWare
+     Quickprep requires "auto".
+   * BUG 13967: dbcheck: Fallback to the default tombstoneLifetime of 180 days.
+   * BUG 13969: dnsProperty fails to decode values from older Windows versions.
+   * BUG 13973: samba-tool: fsmo transfer is not reliable for the dns related
+     partitions role transfer.
+
+o  Christof Schmitt <cs at samba.org>
+   * BUG 14032: vfs_gpfs: Fix NFSv4 ACL for owner with IDMAP_TYPE_BOTH.
+
+o  Rafael David Tinoco <rafaeldtinoco at ubuntu.com>
+   * BUG 14017: ctdb-config: Depend on /etc/ctdb/nodes file.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
                    ==============================
                    Release Notes for Samba 4.9.11
                             July 03, 2019
@@ -11,7 +147,7 @@ db_module.h in order to fix bug #12478. Unfortunately, the ldb version was not
 raised. Samba >= 4.9.10 is no longer able to build with ldb 1.4.6. This version
 includes the new ldb version. Please note that there are just the version bumps
 in ldb and Samba, no code change. If you don't build Samba with an external ldb
-library, you can ignore this release and keep using 4.9.11.
+library, you can ignore this release and keep using 4.9.10.
 
 
 Changes since 4.9.10:
@@ -41,8 +177,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.9.10
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index bd695151dc0..b5b6362dc93 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -89,7 +89,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 	sam->groups.count = 0;
 	sam->groups.rids = NULL;
 
-	if (user_info_dc->num_sids > 2) {
+	if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
 		size_t i;
 		sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
 						user_info_dc->num_sids);
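Review bot: Replacing the literal 2 with PRIMARY_GROUP_SID_INDEX in this guard, and in the loop start in the next hunk, changes which SIDs reach sam->groups.rids, but nothing in the code says the wider range is intended. The loop now also walks the primary group SID, which matches the commit title "Add PrimaryGroupId to group array in DC response". A short comment above the `if`, such as `/* Start at the primary group on purpose: it is reported in the group array as well */`, would keep a later reader from restoring the old start index. The definition of PRIMARY_GROUP_SID_INDEX is outside the hunk, so this assumes its value is lower than 2; the function body also continues past both hunks.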
@@ -97,7 +97,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 		if (sam->groups.rids == NULL)
 			return NT_STATUS_NO_MEMORY;
 
-		for (i=2; i<user_info_dc->num_sids; i++) {
+		for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
 			struct dom_sid *group_sid = &user_info_dc->sids[i];
 			if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
 				/* We handle this elsewhere */
@@ -451,6 +451,10 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 	}
 
 	for (i = 0; i < base->groups.count; i++) {
+		/* Skip primary group, already added above */
+		if (base->groups.rids[i].rid == base->primary_gid) {
+			continue;
+		}
 		user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
 		if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
 			return NT_STATUS_INVALID_PARAMETER;
diff --git a/ctdb/config/ctdb.service b/ctdb/config/ctdb.service
index 675b3147417..fd81c38e26d 100644
--- a/ctdb/config/ctdb.service
+++ b/ctdb/config/ctdb.service
@@ -2,6 +2,7 @@
 Description=CTDB
 Documentation=man:ctdbd(1) man:ctdb(7)
 After=network-online.target time-sync.target
+ConditionFileNotEmpty=/etc/ctdb/nodes
 
 [Service]
 Type=forking
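Review bot: `ConditionFileNotEmpty=/etc/ctdb/nodes` makes systemd skip the unit rather than fail it, so a node whose nodes file is missing or empty stays inactive without showing up as a failed service. If that is the intent (for instance so a freshly installed but unconfigured package does not report a failure), a comment line above the directive would record it, e.g. `# Skip (do not fail) startup until the nodes file has been configured`. If a visible failure is preferred, `AssertFileNotEmpty=` is the variant that fails the start job.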
diff --git a/docs-xml/manpages/vfs_glusterfs_fuse.8.xml b/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
index b9f7f42c6f2..f2aa624353e 100644
--- a/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
+++ b/docs-xml/manpages/vfs_glusterfs_fuse.8.xml
@@ -48,6 +48,14 @@
 		case of an exisiting filename.
 	</para>
 
+	<para>
+		Furthermore, this module implements a substitute file-id
+		mechanism. The default file-id mechanism is not working
+		correctly for gluster fuse mount re-exports, so in order to
+		avoid data loss, users exporting gluster fuse mounts with
+		Samba should enable this module.
+	</para>
+
 	<para>
 		This module can be combined with other modules, but it
 		should be the last module in the <command>vfs objects</command>
diff --git a/docs-xml/manpages/vfs_gpfs.8.xml b/docs-xml/manpages/vfs_gpfs.8.xml
index 428f48a6bf0..f854d8900b2 100644
--- a/docs-xml/manpages/vfs_gpfs.8.xml
+++ b/docs-xml/manpages/vfs_gpfs.8.xml
@@ -204,26 +204,6 @@
 		</varlistentry>
 		<varlistentry>
 
-		<term>gpfs:merge_writeappend = [ yes | no ]</term>
-		<listitem>
-		<para>
-		GPFS ACLs doesn't know about the 'APPEND' right.
-		This option lets Samba map the 'APPEND' right to 'WRITE'.
-		</para>
-
-		<itemizedlist>
-		<listitem><para>
-		<command>yes(default)</command> - map 'APPEND' to 'WRITE'.
-		</para></listitem>
-		<listitem><para>
-		<command>no</command> - do not map 'APPEND' to 'WRITE'.
-		</para></listitem>
-		</itemizedlist>
-		</listitem>
-
-		</varlistentry>
-		<varlistentry>
-
 		<term>gpfs:acl = [ yes | no ]</term>
 		<listitem>
 		<para>
diff --git a/lib/util/debug.h b/lib/util/debug.h
index 2895d157887..188e6b647d3 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -45,7 +45,6 @@
 bool dbgtext_va(const char *, va_list ap) PRINTF_ATTRIBUTE(1,0);
 bool dbgtext( const char *, ... ) PRINTF_ATTRIBUTE(1,2);
 bool dbghdrclass( int level, int cls, const char *location, const char *func);
-bool dbghdr( int level, const char *location, const char *func);
 
 /*
  * Redefine DEBUGLEVEL because so we don't have to change every source file
@@ -201,7 +200,7 @@ extern int  *DEBUGLEVEL_CLASS;
 #define DEBUGC( dbgc_class, level, body ) \
   (void)( ((level) <= MAX_DEBUG_LEVEL) && \
 	  unlikely(DEBUGLEVEL_CLASS[ dbgc_class ] >= (level))		\
-       && (dbghdrclass( level, DBGC_CLASS, __location__, __FUNCTION__ )) \
+       && (dbghdrclass( level, dbgc_class, __location__, __FUNCTION__ )) \
        && (dbgtext body) )
 
 #define DEBUGADD( level, body ) \
@@ -318,7 +317,6 @@ void force_check_log_size( void );
 bool need_to_check_log_size( void );
 void check_log_size( void );
 void dbgflush( void );
-bool dbghdrclass(int level, int cls, const char *location, const char *func);
 bool debug_get_output_is_stderr(void);
 bool debug_get_output_is_stdout(void);
 void debug_schedule_reopen_logs(void);
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index d705cfcbfa3..e09a3dcf43d 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -169,13 +169,13 @@ interface dnsp
 
 	typedef struct {
 		uint32  addrCount;
-		[size_is(addrCount)] uint32 *addr;
+		uint32 addrArray[addrCount];
 	} dnsp_ip4_array;
 
 	typedef struct {
 		uint16 	family;
-		uint16	port;
-		ipv4address ipv4;
+		[flag(NDR_BIG_ENDIAN)] uint16	port;
+		[flag(NDR_BIG_ENDIAN)] ipv4address ipv4;
 		ipv6address ipv6;
 		uint8	pad[8];
 		uint32	unused[8];
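Review bot: `addrCount` now sizes the inline array `addrArray[addrCount]` directly, and nothing in the IDL bounds this value, which is read from the encoded property blob. Unless the generated pull code or the callers already cap it (not visible here), a `range()` attribute on the count would reject absurd values before any array is allocated, e.g. `[range(0,MAX_ADDRS)] uint32 addrCount;`, where MAX_ADDRS is a placeholder for whatever limit the project considers sane. The rename from `addr` to `addrArray` also changes the generated C member name, so users of dnsp_ip4_array outside this file have to follow; they are not part of this hunk.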
@@ -187,6 +187,7 @@ interface dnsp
 		uint32	Tag;
 		uint16	Family;
 		uint16	Reserved0;
+		uint32	Flags;
 		uint32	MatchFlag;
 		uint32	Reserved1;
 		uint32	Reserved2;
@@ -238,7 +239,7 @@ interface dnsp
 		[case(DSPROPERTY_ZONE_AGING_STATE)]             uint32 aging_enabled;
 		[case(DSPROPERTY_ZONE_SCAVENGING_SERVERS)]      dnsp_ip4_array servers;
 		[case(DSPROPERTY_ZONE_AGING_ENABLED_TIME)]      uint32 next_scavenging_cycle_hours;
-		[case(DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME)]   utf8string deleted_by_hostname;
+		[case(DSPROPERTY_ZONE_DELETED_FROM_HOSTNAME)]   nstring deleted_by_hostname;
 		[case(DSPROPERTY_ZONE_MASTER_SERVERS)]          dnsp_ip4_array master_servers;
 		[case(DSPROPERTY_ZONE_AUTO_NS_SERVERS)]         dnsp_ip4_array ns_servers;
 		[case(DSPROPERTY_ZONE_DCPROMO_CONVERT)]         dns_dcpromo_flag dcpromo_flag;
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index bd43667b99f..d9939a92933 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -199,7 +199,10 @@ class dbcheck(object):
                            scope=ldb.SCOPE_BASE,
                            expression="(objectClass=nTDSService)",
                            attrs=["tombstoneLifetime"])
-        self.tombstoneLifetime = int(res[0]["tombstoneLifetime"][0])
+        if "tombstoneLifetime" in res[0]:
+            self.tombstoneLifetime = int(res[0]["tombstoneLifetime"][0])
+        else:
+            self.tombstoneLifetime = 180
 
         self.compatibleFeatures = []
         self.requiredFeatures = []
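Review bot: The fallback value `180` in the new else branch is a bare literal with no unit or origin stated. Suggest a comment on that branch, `# attribute unset: fall back to the directory default of 180 days`, or a named module-level constant. Separately, `res[0]` is still indexed without checking that the search returned an entry; the search call starts outside the hunk, so whether an empty result is possible cannot be judged from here.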
diff --git a/python/samba/netcmd/fsmo.py b/python/samba/netcmd/fsmo.py
index 91de5dad563..c5ed04be1bb 100644
--- a/python/samba/netcmd/fsmo.py
+++ b/python/samba/netcmd/fsmo.py
@@ -23,6 +23,7 @@ import ldb
 from ldb import LdbError
 from samba.dcerpc import drsuapi, misc
 from samba.auth import system_session
+import samba.drs_utils
 from samba.netcmd import (
     Command,
     CommandError,
@@ -64,6 +65,8 @@ def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
         forest_dn = samba.dn_from_dns_name(samdb.forest_dns_name())
         role_object = "CN=Infrastructure,DC=ForestDnsZones," + forest_dn
 
+    new_host_dns_name = samdb.host_dns_name()
+
     res = samdb.search(role_object,
                        attrs=["fSMORoleOwner"],
                        scope=ldb.SCOPE_BASE,
@@ -105,22 +108,12 @@ def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
 
         m = ldb.Message()
         m.dn = ldb.Dn(samdb, role_object)
-        m["fSMORoleOwner"] = ldb.MessageElement(master_owner,
-                                                ldb.FLAG_MOD_DELETE,
-                                                "fSMORoleOwner")
-
-        try:
-            samdb.modify(m)
-        except LdbError as e4:
-            (num, msg) = e4.args
-            raise CommandError("Failed to delete role '%s': %s" %
-                               (role, msg))
-
-        m = ldb.Message()
-        m.dn = ldb.Dn(samdb, role_object)
-        m["fSMORoleOwner"]= ldb.MessageElement(new_owner,
-                                               ldb.FLAG_MOD_ADD,
-                                               "fSMORoleOwner")
+        m["fSMORoleOwner_Del"] = ldb.MessageElement(master_owner,
+                                                    ldb.FLAG_MOD_DELETE,
+                                                    "fSMORoleOwner")
+        m["fSMORoleOwner_Add"] = ldb.MessageElement(new_owner,
+                                                    ldb.FLAG_MOD_ADD,
+                                                    "fSMORoleOwner")
         try:
             samdb.modify(m)
         except LdbError as e5:
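Review bot: With the delete and the add folded into one `samdb.modify(m)`, the message raised by this handler (`"Failed to add role '%s': %s"`, visible as context at the top of the next hunk) no longer describes what can fail, since the delete of the old owner is now part of the same operation. Suggest `raise CommandError("Failed to transfer role '%s': %s" % (role, msg))`. The keys `fSMORoleOwner_Del` and `fSMORoleOwner_Add` appear to be labels only, with the real attribute name carried by the third MessageElement argument; a one-line comment such as `# keys only need to be distinct; the attribute name is the third MessageElement argument` would spare the next reader from looking for attributes with those names.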
@@ -128,7 +121,7 @@ def transfer_dns_role(outf, sambaopts, credopts, role, samdb):
             raise CommandError("Failed to add role '%s': %s" % (role, msg))
 
         try:
-            connection = samba.drs_utils.drsuapi_connect(samdb.host_dns_name(),
+            connection = samba.drs_utils.drsuapi_connect(new_host_dns_name,
                                                          lp, creds)
         except samba.drs_utils.drsException as e:
             raise CommandError("Drsuapi Connect failed", e)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 14252344175..22e5035b079 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1450,6 +1450,9 @@ sub provision($$$$$$$$$)
 	my $ro_shrdir="$shrdir/root-tmp";
 	push(@dirs,$ro_shrdir);
 
+	my $noperm_shrdir="$shrdir/noperm-tmp";
+	push(@dirs,$noperm_shrdir);
+
 	my $msdfs_shrdir="$shrdir/msdfsshare";
 	push(@dirs,$msdfs_shrdir);
 
@@ -1474,6 +1477,9 @@ sub provision($$$$$$$$$)
 	my $widelinks_linkdir="$shrdir/widelinks_foo";
 	push(@dirs,$widelinks_linkdir);
 
+	my $fsrvp_shrdir="$shrdir/fsrvp";
+	push(@dirs,$fsrvp_shrdir);
+
 	my $shadow_tstdir="$shrdir/shadow";
 	push(@dirs,$shadow_tstdir);
 	my $shadow_mntdir="$shadow_tstdir/mount";
@@ -1517,6 +1523,11 @@ sub provision($$$$$$$$$)
 	chmod 0755, $piddir;
 
 
+	##
+	## Create a directory without permissions to enter
+	##
+	chmod 0000, $noperm_shrdir;
+
 	##
 	## create ro and msdfs share layout
 	##
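Review bot: The return value of `chmod 0000, $noperm_shrdir;` is ignored, so a failed chmod leaves the share root enterable and the CVE-2019-10197 regression test would no longer exercise the "no permission on share root" case it was written for. Suggest `chmod(0000, $noperm_shrdir) or die("chmod 0000 $noperm_shrdir failed: $!");`, or whatever error path provision() normally uses. The neighbouring `chmod 0755, $piddir;` is unchecked too, but a failure there does not weaken a security test. provision() starts and ends outside this hunk.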
@@ -1825,6 +1836,10 @@ sub provision($$$$$$$$$)
 [ro-tmp]
 	path = $ro_shrdir
 	guest ok = yes
+[noperm]
+	path = $noperm_shrdir
+	wide links = yes
+	guest ok = yes
 [write-list-tmp]
 	path = $shrdir
         read only = yes
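Review bot: The new `[noperm]` section has no comment explaining why it pairs `wide links = yes` and `guest ok = yes` with a share root that nobody may enter, so it reads like an accidental configuration. The same generated config already uses `#` lines in the `[fsrvp_share]` section, so a comment would fit here too, e.g. `# regression fixture for CVE-2019-10197: the share root is chmod 0000 on purpose`. The heredoc that holds this smb.conf text starts and ends outside the hunk.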
@@ -2009,14 +2024,14 @@ sub provision($$$$$$$$$)
 	guest ok = yes
 
 [fsrvp_share]
-	path = $shrdir
+	path = $fsrvp_shrdir
 	comment = fake shapshots using rsync
 	vfs objects = shell_snap shadow_copy2
 	shell_snap:check path command = $fake_snap_pl --check
 	shell_snap:create command = $fake_snap_pl --create
 	shell_snap:delete command = $fake_snap_pl --delete
 	# a relative path here fails, the snapshot dir is no longer found
-	shadow:snapdir = $shrdir/.snapshots
+	shadow:snapdir = $fsrvp_shrdir/.snapshots
 
 [shadow1]
 	path = $shadow_shrdir
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
index 90fffa2c872..df7af2e50f1 100644
--- a/source3/lib/messages.c
+++ b/source3/lib/messages.c
@@ -206,7 +206,7 @@ static bool messaging_register_event_context(struct messaging_context *ctx,
 			continue;
 		}
 
-		if (tevent_context_same_loop(reg->ev, ev)) {
+		if (reg->ev == ev) {
 			reg->refcount += 1;
 			return true;
 		}
@@ -255,7 +255,7 @@ static bool messaging_deregister_event_context(struct messaging_context *ctx,
 			continue;
 		}
 
-		if (tevent_context_same_loop(reg->ev, ev)) {
+		if (reg->ev == ev) {
 			reg->refcount -= 1;
 
 			if (reg->refcount == 0) {


-- 
Samba Shared Repository


