[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Thu Aug 26 09:20:38 UTC 2021
The branch, v4-15-stable has been updated
via 16a28116179 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc3 release.
via c8627e00de3 WHATSNEW: Add release notes for Samba 4.15.0rc3.
via 545c0fc8e80 WHATSNEW: add matrix.org and libera
via 0524e0c6548 WHATSNEW: Add various DNS changes
via f8c7428abcf WHATSNEW: reformat for style (mostly Bind9 DLZ allow/deny)
via 4745b8e8a1b s3:winbindd: Pass the right variable to the debug message
via 12f76f4292a s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.
via 185f191bd43 s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.
via 6b5f770790c s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.
via 20ec0ea95e9 s4: torture: CHECK ret value and fail if false
via 34d2bc28460 s3: smbd: Ensure all returns from OpenDir() correctly set errno.
via ccd0b865574 s3: VFS: ceph. Fix enumerating directories. dirfsp->fh->fd != AT_FDCWD in this case.
via 9a23ff2ca2b s3: smbd: For FSCTL calls that go async, add the outstanding tevent_reqs to the aio list on the file handle.
via 654430f6f6f s4: torture: Add test for smb2.ioctl.bug14769.
via 24b661c01ef s3: smbd: Call smbd_fsctl_torture_async_sleep() when we get FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
via 68ceb6c8f05 s3: smbd: Add smbd_fsctl_torture_async_sleep() server-side code.
via 69c5ab71106 s3: libcli: Add FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP.
via 04af36c4916 s3: smbd: Split out smb2_ioctl_smbtorture() into a separate file.
via 7c8ba49b2e9 libreplace: remove now unused USE_COPY_FILE_RANGE define
via 681675b68c5 vfs_default: detect EOPNOTSUPP and ENOSYS errors from copy_file_range()
via c5fbec5db03 s3:libsmb: close the temporary IPC$ connection in cli_full_connection()
via 9d152be356d s3:libsmb: start encryption as soon as possible after the session setup
via eb8518e4fb8 wscript: fix installing pre-commit with 'git worktree'
via f9ed3a8cb95 script/bisect-test.py: add support git worktree
via 24c95d2523f wafsamba: add support git worktree to vcs_dir_contents()
via f834da87269 VERSION: Bump version up to Samba 4.15.0rc3...
from 16fb5c685a5 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 152 +++++++++++++++++++++--
buildtools/wafsamba/samba_dist.py | 2 +-
lib/replace/wscript | 2 -
libcli/smb/smb_constants.h | 2 +
script/bisect-test.py | 2 +-
selftest/knownfail | 1 +
selftest/target/Samba3.pm | 10 ++
source3/libsmb/cliconnect.c | 39 +++++-
source3/libsmb/clidfs.c | 56 ++++++---
source3/modules/vfs_ceph.c | 14 ++-
source3/modules/vfs_default.c | 12 +-
source3/modules/vfs_streams_depot.c | 73 ++++++++---
source3/selftest/tests.py | 5 +
source3/smbd/dir.c | 2 +
source3/smbd/smb2_ioctl.c | 83 +++----------
source3/smbd/smb2_ioctl_private.h | 5 +
source3/smbd/smb2_ioctl_smbtorture.c | 230 +++++++++++++++++++++++++++++++++++
source3/winbindd/winbindd.c | 2 +-
source3/wscript_build | 1 +
source4/torture/smb2/ioctl.c | 80 ++++++++++++
source4/torture/smb2/streams.c | 6 +-
wscript | 20 ++-
23 files changed, 672 insertions(+), 129 deletions(-)
create mode 100644 source3/smbd/smb2_ioctl_smbtorture.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index ba0f12ea840..c529cb04f23 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=2
+SAMBA_VERSION_RC_RELEASE=3
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 074767e3251..0e6aeea6530 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the second release candidate of Samba 4.15. This is *not*
+This is the third release candidate of Samba 4.15. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -55,15 +55,17 @@ See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
NEW FEATURES/CHANGES
====================
-- bind DLZ: Added the ability to set allow/deny lists for zone
- transfer clients.
- Up to now, any client could use a DNS zone transfer request
- to the bind server, and get an answer from Samba.
- Now the default behaviour will be to deny those request.
- Two new options have been added to manage the list of
- authorized/denied clients for zone transfer requests.
- In order to be accepted, the request must be issued by a client
- that is in the allow list and NOT in the deny list.
+
+Bind DLZ: add the ability to set allow/deny lists for zone transfer clients
+---------------------------------------------------------------------------
+
+Up to now, any client could use a DNS zone transfer request to the
+bind server, and get an answer from Samba. Now the default behaviour
+will be to deny those request. Two new options have been added to
+manage the list of authorized/denied clients for zone transfer
+requests. In order to be accepted, the request must be issued by a
+client that is in the allow list and NOT in the deny list.
+
"server multi channel support" no longer experimental
-----------------------------------------------------
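Review bot: in the rewritten Bind DLZ paragraph, "will be to deny those request" should read "those requests", and the paragraph still does not name the two new options it announces. Because the default changes from answering any client to denying zone transfers, naming the allow and deny options here would tell an administrator who depends on zone transfers what to set before upgrading.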
@@ -81,6 +83,7 @@ have been disabled. The samba-tool domain options, for example, are limited
when no ad-dc is present. Samba must still be built with ads in order to enable
samba-tool.
+
Improved command line user experience
-------------------------------------
@@ -143,6 +146,7 @@ smbd:
winbindd:
--log-stdout -> --debug-stdout
+
Scanning of trusted domains and enterprise principals
-----------------------------------------------------
@@ -167,6 +171,107 @@ utility. The existing options for the provisioning and joining steps
are documented in the net(8) manpage.
+samba-tool dns zoneoptions for aging control
+--------------------------------------------
+
+The samba-tool dns zoneoptions command can be used to turn aging on
+and off, alter the refresh and no-refresh periods, and manipulate the
+timestamps of existing records.
+
+To turn aging on for a zone, you can use something like this:
+
+ samba-tool dns zoneoptions --aging=1 --refreshinterval=306600
+
+which turns on aging and ensures no records less than five years old
+are aged out and scavenged. After aging has been on for sufficient
+time for records to be renewed, the command
+
+ samba-tool dns zoneoptions --refreshinterval=168
+
+will set the refresh period to the standard seven days. Using this two
+step process will help prevent the temporary loss of dynamic records
+if scavenging happens before their first renewal.
+
+
+Marking old records as static or dynamic with samba-tool
+--------------------------------------------------------
+
+A bug in Samba versions prior to 4.9 meant records that were meant to
+be static were marked as dynamic and vice versa. To fix the timestamps
+in these domains, it is possible to use the following options,
+preferably before turning aging on.
+
+ --mark-old-records-static
+ --mark-records-dynamic-regex
+ --mark-records-static-regex
+
+The --mark-old-records-static option will make records older than the
+specified date static (that is, with a zero timestamp). For example,
+if you upgraded to Samba 4.9 in November 2018, you could use ensure no
+old records will be mistakenly interpreted as dynamic using the
+following option:
+
+ samba-tool dns zoneoptions --mark-old-records-static=2018-11-30
+
+Then, if you know that that will have marked some records as static
+that should be dynamic, and you know which those are due to your
+naming scheme, you can use commands like:
+
+ samba-tool dns zoneoptions --mark-records-dynamic-regex='\w+-desktop'
+
+where '\w+-desktop' is a perl-compatible regular expression that will
+match 'bob-desktop', 'alice-desktop', and so on.
+
+These options are deliberately long and cumbersome to type, so people
+have a chance to think before they get to the end. You can make a
+mess if you get it wrong.
+
+All samba-tool dns zoneoptions modes can be given a --dry-run/-n
+argument that allows you to inspect the likely results before going
+ahead.
+
+NOTE: for aging to work, you need to have "dns zone scavenging = yes"
+set in the smb.conf of at least one server.
+
+
+DNS tombstones are now deleted as appropriate
+---------------------------------------------
+
+When all the records for a DNS name have been deleted, the node is put
+in a tombstoned state (separate from general AD object tombstoning,
+which deleted nodes also go through). These tombstones should be
+cleaned up periodically. Due to a conflation of scavenging and
+tombstoning, we have only been deleting tombstones when aging is
+enabled.
+
+If you have a lot of tombstoned DNS nodes (that is, DNS names for
+which you have removed all the records), cleaning up these DNS
+tombstones may take a noticeable time.
+
+
+DNS tombstones use a consistent timestamp format
+------------------------------------------------
+
+DNS records use an hours-since-1601 timestamp format except for in the
+case of tombstone records where a 100-nanosecond-intervals-since-1601
+format is used (this latter format being the most common in Windows).
+We had mixed that up, which might have had strange effects in zones
+where aging was enabled (and hence tombstone timestamps were used).
+
+
+samba-tool dns update and RPC changes
+-------------------------------------
+
+The dnsserver DCERPC pipe can be used by samba-tool and Windows tools
+to manipulate dns records on the remote server. A bug in Samba meant
+it was not possible to update an existing DNS record to change the
+TTL. The general behaviour of RPC updates is now closer to that of
+Windows.
+
+samba-tool dns update is now a bit more careful in rejecting and
+warning you about malformed IPv4 and IPv6 addresses.
+
+
REMOVED FEATURES
================
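Review bot: the first aging example does not match its description. `--refreshinterval=306600` is said to protect records "less than five years old", but the second example treats 168 as "the standard seven days", so the unit is hours and 306600 hours is 35 years (35 x 8760), not five (43800). Either the value or the text should change. In the --mark-old-records-static paragraph, "you could use ensure no old records" has a stray "use". Since the text itself warns that these options can make a mess, the examples could also show `--dry-run` on the first invocation.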
@@ -208,6 +313,30 @@ smb.conf changes
winbind scan trusted domains Changed No
+CHANGES SINCE 4.15.0rc2
+=======================
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+ * BUG 14766: vfs_ceph openat() doesn't cope with dirfsp != AT_FDCW.
+ * BUG 14769: smbd panic on force-close share during offload write.
+ * BUG 14805: OpenDir() loses the correct errno return.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14795: copy_file_range() may fail with EOPNOTSUPP.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14793: Start the SMB encryption as soon as possible.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14779: Winbind should not start if the socket path is too long.
+
+o Noel Power <noel.power at suse.com>
+ * BUG 14760: vfs_streams_depot directory creation permissions and store
+ location problems.
+
+
CHANGES SINCE 4.15.0rc1
=======================
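Review bot: the BUG 14766 entry ends in "dirfsp != AT_FDCW", which drops the final D; the commit subject in this push spells the constant AT_FDCWD, and the release notes should match so that a search for the constant finds the entry.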
@@ -240,7 +369,8 @@ Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
-joining the #samba-technical IRC channel on irc.freenode.net.
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
"""
repo = path
while repo != "/":
- if os.path.isdir(os.path.join(repo, ".git")):
+ if os.path.exists(os.path.join(repo, ".git")):
ls_files_cmd = [ 'git', 'ls-files', '--full-name',
os.path.relpath(path, repo) ]
cwd = None
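Review bot: the switch from `os.path.isdir` to `os.path.exists` on the `.git` test in vcs_dir_contents() carries no comment explaining why a non-directory `.git` is now accepted. In a `git worktree` checkout `.git` is a regular file pointing at the real git directory, and a one-line comment saying so would stop a later cleanup from reverting this to isdir. The same applies to the identical change in script/bisect-test.py.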
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 12f995f3198..782ac5bd550 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -462,8 +462,6 @@ syscall(SYS_copy_file_range,0,NULL,0,NULL,0,0);
''',
'HAVE_SYSCALL_COPY_FILE_RANGE',
msg='Checking whether we have copy_file_range system call')
- if conf.CONFIG_SET('HAVE_COPY_FILE_RANGE') or conf.CONFIG_SET('HAVE_SYSCALL_COPY_FILE_RANGE'):
- conf.DEFINE('USE_COPY_FILE_RANGE', 1)
conf.SET_TARGET_TYPE('attr', 'EMPTY')
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index a12086e602b..a043cbc883e 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -599,6 +599,8 @@ enum csc_policy {
(FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0010 | FSCTL_METHOD_NEITHER)
#define FSCTL_SMBTORTURE_GLOBAL_READ_RESPONSE_BODY_PADDING8 \
(FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0020 | FSCTL_METHOD_NEITHER)
+#define FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP \
+ (FSCTL_SMBTORTURE | FSCTL_ACCESS_WRITE | 0x0040 | FSCTL_METHOD_NEITHER)
/*
* A few values from [MS-FSCC] 2.1.2.1 Reparse Tags
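Review bot: FSCTL_SMBTORTURE_FSP_ASYNC_SLEEP is defined with no comment on what the control does or what input buffer it expects. The neighbouring defines are equally bare, but this one drives a new server-side handler that the truncated changeset does not show, so a short comment here describing the expected input would let a reader check the torture test against the handler without opening both files.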
diff --git a/script/bisect-test.py b/script/bisect-test.py
index b87df54ac09..7c5cd635f58 100755
--- a/script/bisect-test.py
+++ b/script/bisect-test.py
@@ -48,7 +48,7 @@ def find_git_root():
'''get to the top of the git repo'''
p = os.getcwd()
while p != '/':
- if os.path.isdir(os.path.join(p, ".git")):
+ if os.path.exists(os.path.join(p, ".git")):
return p
p = os.path.abspath(os.path.join(p, '..'))
return None
diff --git a/selftest/knownfail b/selftest/knownfail
index b2c09e73393..9f362c02b47 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -198,6 +198,7 @@
^samba4.smb2.ioctl.req_two_resume_keys\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
^samba4.smb2.ioctl.copy_chunk_\w*\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
^samba4.smb2.ioctl.copy-chunk streams\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl.bug14769\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
^samba3.smb2.dir.one
^samba3.smb2.dir.modify
^samba3.smb2.oplock.batch20
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index d0ef659da99..3fe6c194ed8 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1458,6 +1458,11 @@ sub setup_simpleserver
print "PROVISIONING simple server...";
my $prefix_abs = abs_path($path);
+ mkdir($prefix_abs, 0777);
+
+ my $external_streams_depot="$prefix_abs/external_streams_depot";
+ remove_tree($external_streams_depot);
+ mkdir($external_streams_depot, 0777);
my $simpleserver_options = "
lanman auth = yes
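Review bot: neither `mkdir($prefix_abs, 0777)` nor `mkdir($external_streams_depot, 0777)` has its return value checked, so a failed creation would only show up later as an unrelated-looking failure in the streams_depot test. Suggest `or die` (or a warning when the directory already exists) on both calls, and the same for `remove_tree`, which silently continues if it cannot clear a stale depot from a previous run.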
@@ -1531,6 +1536,11 @@ sub setup_simpleserver
[hidenewfiles]
path = $prefix_abs/share
hide new files timeout = 5
+
+[external_streams_depot]
+ path = $prefix_abs/share
+ read only = no
+ streams_depot:directory = $external_streams_depot
";
my $vars = $self->provision(
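Review bot: the new [external_streams_depot] section sets `streams_depot:directory` but has no `vfs objects` line of its own. If streams_depot is not already loaded for this server through the global section, which this hunk does not show, the share would run without the module and the new test would pass without exercising the external directory path. Listing the module explicitly in the section would make the test self-contained.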
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index e5274e05c40..63c505f8ed5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -3369,6 +3369,8 @@ static void cli_full_connection_creds_enc_start(struct tevent_req *req);
static void cli_full_connection_creds_enc_tcon(struct tevent_req *subreq);
static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq);
static void cli_full_connection_creds_enc_done(struct tevent_req *subreq);
+static void cli_full_connection_creds_enc_tdis(struct tevent_req *req);
+static void cli_full_connection_creds_enc_finished(struct tevent_req *subreq);
static void cli_full_connection_creds_tcon_start(struct tevent_req *req);
static void cli_full_connection_creds_tcon_done(struct tevent_req *subreq);
@@ -3596,7 +3598,8 @@ static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq)
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) {
if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
- cli_full_connection_creds_tcon_start(req);
+ /* disconnect ipc$ followed by the real tree connect */
+ cli_full_connection_creds_enc_tdis(req);
return;
}
DEBUG(10, ("%s: cli_unix_extensions_version "
@@ -3607,7 +3610,8 @@ static void cli_full_connection_creds_enc_ver(struct tevent_req *subreq)
if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
if (encryption_state < SMB_ENCRYPTION_REQUIRED) {
- cli_full_connection_creds_tcon_start(req);
+ /* disconnect ipc$ followed by the real tree connect */
+ cli_full_connection_creds_enc_tdis(req);
return;
}
DEBUG(10, ("%s: CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP "
@@ -3639,6 +3643,37 @@ static void cli_full_connection_creds_enc_done(struct tevent_req *subreq)
return;
}
+ /* disconnect ipc$ followed by the real tree connect */
+ cli_full_connection_creds_enc_tdis(req);
+}
+
+static void cli_full_connection_creds_enc_tdis(struct tevent_req *req)
+{
+ struct cli_full_connection_creds_state *state = tevent_req_data(
+ req, struct cli_full_connection_creds_state);
+ struct tevent_req *subreq = NULL;
+
+ subreq = cli_tdis_send(state, state->ev, state->cli);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq,
+ cli_full_connection_creds_enc_finished,
+ req);
+}
+
+static void cli_full_connection_creds_enc_finished(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ NTSTATUS status;
+
+ status = cli_tdis_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
cli_full_connection_creds_tcon_start(req);
}
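Review bot: in cli_full_connection_creds_enc_finished() a failed tree disconnect is fatal, because `tevent_req_nterror(req, status)` fails the whole connection request. This path is now also taken when encryption is only desired and the server lacks the UNIX extensions, so a server that mishandles the IPC$ disconnect would break connections that previously succeeded. The synchronous counterpart in clidfs.c ignores the result of `cli_tdis(c)`; the two should agree, and if the failure is meant to be fatal here a comment should say why.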
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 040b957e6f8..5b64858ca33 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -50,6 +50,7 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
uint16_t major, minor;
uint32_t caplow, caphigh;
NTSTATUS status;
+ bool temp_ipc = false;
if (smbXcli_conn_protocol(c->conn) >= PROTOCOL_SMB2_02) {
status = smb2cli_session_encryption_on(c->smb2.session);
@@ -72,12 +73,26 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
return NT_STATUS_NOT_SUPPORTED;
}
+ if (c->smb1.tcon == NULL) {
+ status = cli_tree_connect_creds(c, "IPC$", "IPC", creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("Encryption required and "
+ "can't connect to IPC$ to check "
+ "UNIX CIFS extensions.\n");
+ return NT_STATUS_UNKNOWN_REVISION;
+ }
+ temp_ipc = true;
+ }
+
status = cli_unix_extensions_version(c, &major, &minor, &caplow,
&caphigh);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Encryption required and "
"can't get UNIX CIFS extensions "
"version from server.\n");
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_UNKNOWN_REVISION;
}
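Review bot: when `cli_tree_connect_creds(c, "IPC$", "IPC", creds)` fails, the real status is discarded and NT_STATUS_UNKNOWN_REVISION is returned, and the d_printf does not include `nt_errstr(status)`. An access-denied or network error on the temporary IPC$ connect is then indistinguishable from a server without UNIX extensions. Suggest printing the status in the message, as the setup-failed branch further down already does, and returning it unchanged.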
@@ -85,6 +100,9 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"share %s doesn't support "
"encryption.\n", sharename);
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_UNSUPPORTED_COMPRESSION;
}
@@ -93,9 +111,15 @@ static NTSTATUS cli_cm_force_encryption_creds(struct cli_state *c,
d_printf("Encryption required and "
"setup failed with error %s.\n",
nt_errstr(status));
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return status;
}
+ if (temp_ipc) {
+ cli_tdis(c);
+ }
return NT_STATUS_OK;
}
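Review bot: the `if (temp_ipc) { cli_tdis(c); }` cleanup is now repeated on four exits of cli_cm_force_encryption_creds(), and a future early return can easily miss it and leave the temporary IPC$ tree connected. A single `out:` label that does the disconnect and returns `status` would keep the invariant in one place. The return value of `cli_tdis(c)` is also dropped on every path; a debug message on failure would help.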
@@ -217,6 +241,22 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
DEBUG(4,(" session setup ok\n"));
+ if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
+ status = cli_cm_force_encryption_creds(c,
+ creds,
+ sharename);
+ if (!NT_STATUS_IS_OK(status)) {
+ switch (encryption_state) {
+ case SMB_ENCRYPTION_DESIRED:
+ break;
+ case SMB_ENCRYPTION_REQUIRED:
+ default:
+ cli_shutdown(c);
+ return status;
+ }
+ }
+ }
+
/* here's the fun part....to support 'msdfs proxy' shares
(on Samba or windows) we have to issues a TRANS_GET_DFS_REFERRAL
here before trying to connect to the original share.
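Review bot: the relocated encryption block in do_connect() has no comment saying why it must run before the DFS referral and tree connect, which is the whole point of the move; one line stating that encryption is started right after session setup so the following requests are protected would guard against it being reordered again. The SMB_ENCRYPTION_DESIRED case also still does a bare `break`, so a failed encryption setup continues unencrypted with no message from this function; a DEBUG line there would make the downgrade visible in client logs.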
@@ -241,22 +281,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
return status;
}
- if (encryption_state >= SMB_ENCRYPTION_DESIRED) {
- status = cli_cm_force_encryption_creds(c,
- creds,
- sharename);
- if (!NT_STATUS_IS_OK(status)) {
- switch (encryption_state) {
- case SMB_ENCRYPTION_DESIRED:
- break;
- case SMB_ENCRYPTION_REQUIRED:
- default:
- cli_shutdown(c);
- return status;
- }
- }
- }
-
DEBUG(4,(" tconx ok\n"));
*pcli = c;
return NT_STATUS_OK;
diff --git a/source3/modules/vfs_ceph.c b/source3/modules/vfs_ceph.c
index 594ebce4b9a..3f55d724143 100644
--- a/source3/modules/vfs_ceph.c
+++ b/source3/modules/vfs_ceph.c
@@ -403,14 +403,23 @@ static int cephwrap_openat(struct vfs_handle_struct *handle,
int flags,
mode_t mode)
{
--
Samba Shared Repository