[SCM] Samba Shared Repository - branch v4-14-stable updated
Jule Anger
janger at samba.org
Tue Oct 5 13:19:00 UTC 2021
The branch, v4-14-stable has been updated
via d1c9330fa69 VERSION: Disable GIT_SNAPSHOT for the 4.14.8 release.
via 83bf8c9c2c5 WHATSNEW: Add release notes for Samba 4.14.8.
via b66b172bb57 samldb: Address birthday paradox adding an RODC
via 5a90b3e832c pyldb: Avoid use-after-free in msg_diff()
via 9d61f2f2f3e ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
via 9f79d4256f8 pytest:segfault: Add test for ldb.msg_diff()
via f53c532c229 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
via 53b48cbe9a8 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via a21afdbcd7b kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via 7b4c9eea253 tests/krb5: Allow expected_error_mode to be a container type
via 63e5d195a5a tests/krb5: Allow specifying parameters specific to the inner FAST request body
via 112e3625253 tests/krb5: Add tests for omitting sname in request
via f18cff2b0e1 tests/krb5: Check PADATA-PW-SALT element in e-data
via 12c9c5b7d29 tests/krb5: Check e-data element for TGS-REP errors without FAST
via 474ddf8fdda tests/krb5: Remove harmful and a-typical return in as_req testcase
via 2444c94cb3a CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via 5c4de75af50 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via c64f0cb102a tests/krb5: Make cname checking less strict
via 7a938531dd0 tests/krb5: Make e-data checking less strict
via 6b0ac964d78 selftest: Remove knownfail for no_etypes FAST tests
via 54afeaec083 tests/krb5: Add FAST tests
via 8eafefbce03 initial FAST tests
via 6f483eb7c35 tests/krb5: Check PADATA-FX-ERROR in reply
via 977d1e068e9 tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
via a4e7e1bd671 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 7dc15c34d9e tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
via 531ed864922 tests/krb5: Make check_rep_padata() also work for checking TGS replies
via 2940dfb59c0 tests/krb5: Check PADATA-FX-COOKIE in reply
via 1df74663b1e tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via d8aaacc66d9 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
via 7cb152b6ba6 tests/krb5: Check reply FAST padata if request included FAST
via e1f72aaaa44 tests/krb5: Check sname is krbtgt for FAST generic error
via 1e02aaf49c6 tests/krb5: Add get_krbtgt_sname() method
via e2e7f2ec556 tests/krb5: Remove unused variables
via 4fd7b629abd tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
via 9380f54b200 tests/krb5: Add check_rep_padata() method to check padata in reply
via ff1d3928e04 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
via 0f2acee95d2 tests/krb5: Include authdata in kdc_exchange_dict
via 14207a42625 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
via ebd51dc4db4 tests/krb5: Check encrypted-pa-data
via b77aed56836 tests/krb5: Add methods to determine whether elements were included in the request
via afae6b431b8 tests/krb5: Add functions to get dicts of request padata
via 1cecb538d78 tests/krb5: Check FAST response
via d2b4a1883a3 tests/krb5: Add method to verify ticket checksum for FAST
via 7f8f1202964 tests/krb5: Add method to check PA-FX-FAST-REPLY
via 9064e5eb053 tests/krb5: Allow specifying parameters specific to the outer request body
via dec428538ca tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
via d51b727590f tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
via c4be77e9606 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
via b2aee7dc371 tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
via 020d1c73af3 tests/krb5: Add methods to calculate keys for FAST
via 1b85d721a48 tests/krb5: Add method to generate FAST encrypted challenge padata
via 83f8c3f1e18 tests/krb5: Add more methods to create ASN1 objects for FAST
via 46f356d0b62 tests/krb5: Add more ASN1 definitions for FAST
via ce130f1bdf7 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
via 4cca060c4dd tests/krb5: Ensure generated padata is not None
via c511763c119 tests/krb5: Add generate_ap_req() method
via 383ccffa5eb tests/krb5: Check nonce in EncKDCRepPart
via 972111f501f tests/krb5: Make checking less strict
via f5c4993213a tests/krb5: Check version number of obtained ticket
via 6fea68a9828 tests/krb5: Assert that more variables are not None
via fde5967c8dd tests/krb5: Ensure in assertElementPresent() that container elements are not empty
via 3795f815003 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
via 5e41e264ebe tests/krb5: Include kdc_options in kdc_exchange_dict
via 8bef7b0c98a tests/krb5: Always specify expected error code
via 46e019d5088 tests/krb5: Add check_reply() method to check for AS or TGS reply
via be5047564fc tests/krb5: Add method to calculate account salt
via 49a987dc57e tests/krb5: Add more methods for obtaining machine and service credentials
via 989b352023b tests/krb5: Allow specifying additional details when creating an account
via 79ab000c197 tests/krb5: Use encryption with admin credentials
via 300ac82e720 tests/krb5: Add get_EpochFromKerberosTime()
via 29aa10b93ae tests/krb5: Make _test_as_exchange() return value more consistent
via 53c49a8c2a0 tests/krb5: Add method to return dict containing padata elements
via 885f56f4c91 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
via 16d7c193bb4 tests/krb5: Refactor get_pa_data()
via 210b2368eea tests/krb5: Allow cf2 to automatically use the enctype of the first key
via 27ce461ad8f tests/krb5: Use credentials kvno when creating password key
via b695f407b9a tests/krb5: Check Kerberos protocol version number
via c562c5cbeeb tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
via 1676812b858 tests/krb5: Fix encpart_decryption_key with MIT KDC
via 4cc5bbdb71b tests/krb5: Fix callback_dict parameter
via 2261df73ce4 tests/krb5: Fix including enc-authorization-data
via b7e71204189 tests/krb5: Remove magic constants
via 27499d3583f tests/krb5: Simplify Python syntax
via 10578ae11f9 tests/krb5: Use more compact dict lookup
via 6955f08227b tests/krb5: Remove unneeded statements
via 0e276e08fb5 tests/krb5: formatting
via 27e3155358f tests/krb5: Fix method name typo
via b74fca8dd01 tests/krb5: Fix comment typo
via 82586e8bee9 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
via 3df9870e6d3 pygensec: Don't modify Python bytes objects
via 8b281a05539 pygensec: Fix memory leaks
via 6cf0b28459d selftest: Add support for setting ENV variables in plantestsuite()
via b884b4ef585 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
via e04e2925be1 selftest: Re-format long lines in selftesthelpers.py
via 30142140927 selftest: add space after --list in output of selftesthelpers.py
via 6a3b7eb5b81 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
via b4022ea0b4a tests/krb5: Use admin creds for SamDB rather than user creds
via 477f765f1ab tests/krb5/as_canonicalization_tests.py: Refactor account creation
via 0e86cc3d59d tests/krb5: Deduplicate 'host' attribute initialisation
via de8c2bf0cc9 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
via 8565cc4ec48 tests/krb5/as_req_tests.py: Check the client kvno
via 8154d2cc3d2 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
via 6bc79db7b39 tests/krb5/as_req_tests.py: Automatically obtain credentials
via 7f33d712596 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
via 13667701cda tests/krb5/raw_testcase.py: Simplify conditionals
via b423bb95afc tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
via 47b6072624c tests/krb5/raw_testcase.py: Cache obtained credentials
via 4d72aa9e098 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
via 9521952380b tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
via d85f359789b tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
via b91a08ce89e tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
via d6f5da02368 tests/krb5/kdc_base_test.py: Create loadparm only when needed
via 5ffa305eb2e tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
via 9ce0d56ed48 tests/krb5/kdc_base_test.py: Create database connection only when needed
via c12cc693710 tests/krb5/raw_testcase.py: Add get_admin_creds()
via 461131ed517 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
via af9e564cacc selftest: run new as_req_tests against fl2008r2dc and fl2003dc
via acf7c56f209 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
via e24e1b1a536 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
via a03042d103b tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
via 150be099ae0 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
via b833bf902f7 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
via ea7399d54e8 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
via 6d21cb27cb3 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
via 6257fd9b3c1 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
via 1a2d9b500e4 tests/krb5/raw_testcase.py: add assertElement*()
via e089c45d44d tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
via d48196e12f4 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
via e63908db368 tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
via e9a2916b5f3 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
via 8958105aa80 auth/credentials: allow credentials.Credentials to act as base class
via 72606c02824 python: Make credentials cache test run against Windows
via 29d8bacc8a4 python: Fix ticket timestamp conversion when local timezone is not UTC
via 0b937a91422 python: Fix erroneous increments of reference counts
via de40f47cfac python: Ensure reference counts are properly incremented
via 795e2b4d487 python: Add SMB credentials cache test
via 7439b5a91db pylibsmb: Add posix_whoami()
via e2b0cdcb507 libsmb: Ensure that whoami parses all the data provided to it
via 728d13309df libsmb: Check to see that whoami is not receiving more data than it requested
via 72a11b5eb38 libsmb: Avoid undefined behaviour when parsing whoami state
via 9dea3dd8b8e libsmb: Remove overflow check
via 76047162bb0 Revert "libsmb: Use sid_parse()"
via f8c0dff5b08 python: Add RPC credentials cache test
via 8667e6bcdd3 python: Add LDAP credentials cache test
via 876fe2503fe python: Add credentials cache test
via 43e20ad3ea2 krb5: Add Python functions to create a credentials cache containing a service ticket
via e7ec9b0779a librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
via 0d08a120e77 krb5ccache.idl: Add definition for a Kerberos credentials cache
via c7525b69fe1 Revert "s4-test: fixed ndrdump test for top level build"
via b1ed4f5ff37 pygensec: Fix method documentation
via 6d7dbe77a9e auth:creds: Fix parameter in creds.set_named_ccache()
via c222cf2cd4f auth:creds: Remove unused variable
via b5d279057f6 tests python krb5: MS-KILE client principal look-up
via b30947fc856 librpc: Add py_descriptor_richcmp() equality function
via 551a39d890a ctdb-daemon: Don't mark a node as unhealthy when connecting to it
via 2d6cf082db5 ctdb-daemon: Ignore flag changes for disconnected nodes
via 814844538aa ctdb-daemon: Simplify ctdb_control_modflags()
via a7ea1ab3e6a ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
via eab3ee12fe0 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
via e3eeffafff8 ctdb-daemon: Modernise remaining debug macro in this function
via cfbac3b5ab9 ctdb-daemon: Update logging for flag changes
via c906c9a0b39 ctdb-daemon: Correct the condition for logging unchanged flags
via 00c1757d92e ctdb-tools: Use disable and enable controls in tool
via c8d130f139a ctdb-client: Add client code for disable/enable controls
via cb64c64ddb3 ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
via e158aa6d9bd ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
via 116db8d54f8 ctdb-daemon: Factor out a function to get node structure from PNN
via 50596cf0029 ctdb-daemon: Add a helper variable
via 79961f5a33a ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
via 88660d4e2f8 ctdb-protocol: Add new controls to disable and enable nodes
via c61fe558427 ctdb-recoverd: Push flags for a node if any remote node disagrees
via c1e217c0e2e ctdb-recoverd: Update the local node map before pushing out flags
via 69f744e539f ctdb-recoverd: Add a helper variable
via e9cbf386be7 vfs_btrfs: fix btrfs_fget_compression()
via 78f183faa6d selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
via 207f232abac s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
via 105014ed48b selftest: Add a test for LookupSids3 and LookupNames4 in python
via 59f6d56f4ef dsdb: Be careful to avoid use of the expensive talloc_is_parent()
via 7b66c0cec9f selftest: Only run samba_tool_drs_showrepl test once
via e6555e25414 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
via b5cbbf0542c s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
via 1bb8ed2b619 s3: smbd: Add fifo test for the DISABLE_OPATH case.
via 97dc8c0dccc s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
via b00fed3b698 s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
via 446f89510f2 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
via 7d1dd87a653 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
via 274236ff3db vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
via 08f18b66716 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
via 4312b6c17da vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
via d98e8e0e3f8 vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
via 4a17f42d00b vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
via 994c64d3098 vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
via a4a57724b92 vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
via 34c20fe3a16 registry: check for running as root in clustering mode
via 0e85755f383 s3/lib/dbwrap: check if global_messaging_context() succeeded
via a7d66e00fa8 s3: smbd: Fix smbd crash on dangling symlink with posix connection calling several non-posix info levels.
via 07b062c489f s3/rpc_server: track the number of policy handles with a talloc destructor
via 5500f3ab7fe selftest: add a test for the "deadtime" parameter
via 4fbd8a22c3d s3: smbd: Ensure all returns from OpenDir() correctly set errno.
via e8807cc57e7 VERSION: Bump version up to 4.14.8...
from 625e30ad0b9 VERSION: Disable GIT_SNAPSHOT for the 4.14.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 96 +-
auth/credentials/pycredentials.c | 8 +-
ctdb/client/client_control_sync.c | 68 +
ctdb/client/client_sync.h | 12 +
ctdb/include/ctdb_private.h | 2 +
ctdb/protocol/protocol.h | 4 +-
ctdb/protocol/protocol_api.h | 6 +
ctdb/protocol/protocol_client.c | 36 +
ctdb/protocol/protocol_control.c | 12 +
ctdb/protocol/protocol_debug.c | 2 +
ctdb/server/ctdb_control.c | 42 +
ctdb/server/ctdb_daemon.c | 35 +-
ctdb/server/ctdb_monitor.c | 67 +-
ctdb/server/ctdb_recoverd.c | 120 +-
ctdb/server/ctdb_server.c | 1 -
ctdb/tests/UNIT/cunit/protocol_test_101.sh | 2 +-
ctdb/tests/src/fake_ctdbd.c | 54 +
ctdb/tests/src/protocol_common_ctdb.c | 24 +
ctdb/tests/src/protocol_ctdb_test.c | 2 +-
ctdb/tools/ctdb.c | 57 +-
lib/ldb/common/ldb_msg.c | 6 +-
lib/ldb/pyldb.c | 18 +-
lib/talloc/pytalloc.c | 4 +-
libgpo/pygpo.c | 2 +-
librpc/idl/krb5ccache.idl | 115 +
librpc/idl/wscript_build | 1 +
librpc/wscript_build | 8 +-
python/samba/tests/blackbox/ndrdump.py | 45 +-
python/samba/tests/dcerpc/lsa.py | 333 +++
python/samba/tests/dsdb_schema_attributes.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 140 +-
python/samba/tests/krb5/as_req_tests.py | 218 ++
python/samba/tests/krb5/compatability_tests.py | 4 -
python/samba/tests/krb5/fast_tests.py | 1691 +++++++++++++++
python/samba/tests/krb5/kcrypto.py | 12 +-
python/samba/tests/krb5/kdc_base_test.py | 663 +++++-
python/samba/tests/krb5/kdc_tests.py | 27 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 35 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 829 ++++++++
.../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0
python/samba/tests/krb5/raw_testcase.py | 2206 ++++++++++++++++++--
python/samba/tests/krb5/rfc4120.asn1 | 176 +-
python/samba/tests/krb5/rfc4120_constants.py | 56 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 232 +-
python/samba/tests/krb5/s4u_tests.py | 4 -
python/samba/tests/krb5/simple_tests.py | 10 +-
python/samba/tests/krb5/test_ccache.py | 135 ++
python/samba/tests/krb5/test_ldap.py | 96 +
python/samba/tests/krb5/test_rpc.py | 79 +
python/samba/tests/krb5/test_smb.py | 110 +
python/samba/tests/krb5/xrealm_tests.py | 4 -
python/samba/tests/segfault.py | 11 +
python/samba/tests/usage.py | 7 +
script/autobuild.py | 9 +-
selftest/knownfail | 6 +-
selftest/knownfail_heimdal_kdc | 119 ++
selftest/knownfail_mit_kdc | 45 +
selftest/selftesthelpers.py | 42 +-
selftest/target/Samba4.pm | 2 +-
source3/lib/dbwrap/dbwrap_open.c | 4 +
source3/libsmb/clifsinfo.c | 44 +-
source3/libsmb/pylibsmb.c | 139 +-
source3/modules/vfs_btrfs.c | 7 +-
source3/modules/vfs_gpfs.c | 177 +-
source3/passdb/py_passdb.c | 4 -
source3/registry/reg_backend_db.c | 9 +
source3/rpc_server/mdssvc/mdssvc.c | 5 +
source3/rpc_server/rpc_handles.c | 20 +-
source3/script/tests/test_deadtime.sh | 67 +
source3/script/tests/test_fifo.sh | 83 +
source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++++
source3/selftest/ktest-krb5_ccache-3.txt | 832 ++++++++
source3/selftest/tests.py | 7 +
source3/smbd/dir.c | 2 +
source3/smbd/files.c | 4 +
source3/smbd/msdfs.c | 7 +-
source3/smbd/trans2.c | 14 +-
source3/winbindd/wb_queryuser.c | 30 +-
source3/winbindd/winbindd_allocate_uid.c | 44 +-
source4/auth/gensec/gensec_gssapi.c | 4 +
source4/auth/gensec/pygensec.c | 71 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 4 +-
source4/dsdb/schema/schema_set.c | 41 +-
source4/heimdal/kdc/kerberos5.c | 4 +-
source4/heimdal/kdc/krb5tgs.c | 4 +
source4/librpc/ndr/py_security.c | 37 +
source4/librpc/wscript_build | 7 +
source4/ntvfs/posix/python/pyposix_eadb.c | 2 +-
source4/ntvfs/posix/python/pyxattr_native.c | 4 +-
source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +-
source4/rpc_server/lsa/lsa_lookup.c | 131 +-
source4/selftest/tests.py | 89 +-
source4/torture/krb5/kdc-heimdal.c | 104 +-
94 files changed, 10969 insertions(+), 766 deletions(-)
create mode 100644 librpc/idl/krb5ccache.idl
create mode 100644 python/samba/tests/dcerpc/lsa.py
create mode 100755 python/samba/tests/krb5/as_req_tests.py
create mode 100755 python/samba/tests/krb5/fast_tests.py
create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
create mode 100755 python/samba/tests/krb5/test_ccache.py
create mode 100755 python/samba/tests/krb5/test_ldap.py
create mode 100755 python/samba/tests/krb5/test_rpc.py
create mode 100755 python/samba/tests/krb5/test_smb.py
create mode 100755 source3/script/tests/test_deadtime.sh
create mode 100755 source3/script/tests/test_fifo.sh
create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 82268e491d0..4ef0829ae24 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ed154ee97c6..cdea32de764 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,96 @@
+ ==============================
+ Release Notes for Samba 4.14.8
+ October 05, 2021
+ ==============================
+
+
+This is the latest stable release of the Samba 4.14 release series.
+
+
+Changes since 4.14.7
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 14742: Python ldb.msg_diff() memory handling failure.
+ * BUG 14805: OpenDir() loses the correct errno return.
+ * BUG 14809: Shares with variable substitutions cause core dump upon
+ connection from MacOS Big Sur 11.5.2.
+ * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
+ build.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+ * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+ Samba 4.9 by using an explicit database handle cache.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+ * BUG 14819: Address flapping dsdb_schema_attributes test.
+ * BUG 14841: Samba CI runs can now continue past the first error if
+ AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
+ * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+ * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
+ * BUG 14787: net conf list crashes when run as normal user.
+ * BUG 14790: vfs_btrfs compression support broken.
+ * BUG 14804: winbindd can crash because idmap child state is not fully
+ initialized.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Martin Schwenke <martin at meltin.net>
+ * BUG 14784: Fix CTDB flag/status update race conditions.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14836: Python ldb.msg_diff() memory handling failure.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.14.7
August 24, 2021
@@ -52,8 +145,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 95dde276ef7..5a168e6dd7f 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -604,8 +604,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
{
char *newval;
- enum credentials_obtained obt = CRED_SPECIFIED;
- int _obt = obt;
struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
if (creds == NULL) {
PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -615,7 +613,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s", &newval)) {
return NULL;
}
- obt = _obt;
cli_credentials_set_forced_sasl_mech(creds, newval);
Py_RETURN_NONE;
@@ -803,6 +800,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
return NULL;
+ obt = _obt;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
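Review bot: `_obt` is filled from the Python caller by `PyArg_ParseTuple(args, "s|iO", ...)` and copied into `obt` with no range check. The next hunk of py_creds_set_named_ccache() then passes that value to `cli_credentials_set_ccache()` where `CRED_SPECIFIED` used to be hard-coded, so an integer outside `enum credentials_obtained` reaches that call unvalidated. I would reject it before the assignment, for example `if (_obt < 0 || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "invalid obtained level"); return NULL; }`, assuming `CRED_SPECIFIED` is the highest member, which the hunk does not show. The function starts and ends outside this hunk, so the declaration and default value of `_obt` should be confirmed too.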
@@ -818,7 +816,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
ret = cli_credentials_set_ccache(creds,
lp_ctx,
- newval, CRED_SPECIFIED,
+ newval, obt,
&error_string);
if (ret != 0) {
@@ -1433,7 +1431,7 @@ static struct PyModuleDef moduledef = {
PyTypeObject PyCredentials = {
.tp_name = "credentials.Credentials",
.tp_new = py_creds_new,
- .tp_flags = Py_TPFLAGS_DEFAULT,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
.tp_methods = py_creds_methods,
};
diff --git a/ctdb/client/client_control_sync.c b/ctdb/client/client_control_sync.c
index b9a25ce2b2c..e9f97dd0f30 100644
--- a/ctdb/client/client_control_sync.c
+++ b/ctdb/client/client_control_sync.c
@@ -2660,3 +2660,71 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
return 0;
}
+
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout)
+{
+ struct ctdb_req_control request;
+ struct ctdb_reply_control *reply;
+ int ret;
+
+ ctdb_req_control_disable_node(&request);
+ ret = ctdb_client_control(mem_ctx,
+ ev,
+ client,
+ destnode,
+ timeout,
+ &request,
+ &reply);
+ if (ret != 0) {
+ D_ERR("Control DISABLE_NODE failed to node %u, ret=%d\n",
+ destnode,
+ ret);
+ return ret;
+ }
+
+ ret = ctdb_reply_control_disable_node(reply);
+ if (ret != 0) {
+ D_ERR("Control DISABLE_NODE failed, ret=%d\n", ret);
+ return ret;
+ }
+
+ return 0;
+}
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout)
+{
+ struct ctdb_req_control request;
+ struct ctdb_reply_control *reply;
+ int ret;
+
+ ctdb_req_control_enable_node(&request);
+ ret = ctdb_client_control(mem_ctx,
+ ev,
+ client,
+ destnode,
+ timeout,
+ &request,
+ &reply);
+ if (ret != 0) {
+ D_ERR("Control ENABLE_NODE failed to node %u, ret=%d\n",
+ destnode,
+ ret);
+ return ret;
+ }
+
+ ret = ctdb_reply_control_enable_node(reply);
+ if (ret != 0) {
+ D_ERR("Control ENABLE_NODE failed, ret=%d\n", ret);
+ return ret;
+ }
+
+ return 0;
+}
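Review bot: `destnode` is declared `int` in both ctdb_ctrl_disable_node() and ctdb_ctrl_enable_node(), yet the failure messages format it with `%u` (`"Control DISABLE_NODE failed to node %u, ret=%d\n"` and the ENABLE_NODE twin), so the conversion specifier does not match the argument type. If the unsigned rendering is intended, make it explicit with `(unsigned int)destnode`; otherwise use `%d`. Neither function releases `reply`, which appears to be allocated on `mem_ctx` by `ctdb_client_control()`, so a short header comment stating that the caller's `mem_ctx` owns the reply would document the lifetime. The two bodies differ only in the request/reply helper and the control name, which a shared static helper could express once.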
diff --git a/ctdb/client/client_sync.h b/ctdb/client/client_sync.h
index dc8b67395e3..b8f5d905857 100644
--- a/ctdb/client/client_sync.h
+++ b/ctdb/client/client_sync.h
@@ -482,6 +482,18 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
int destnode, struct timeval timeout,
uint64_t tunnel_id);
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout);
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ctdb_client_context *client,
+ int destnode,
+ struct timeval timeout);
+
/* from client/client_message_sync.c */
int ctdb_message_recd_update_ip(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h
index 8eb6686f953..f5e647f08a5 100644
--- a/ctdb/include/ctdb_private.h
+++ b/ctdb/include/ctdb_private.h
@@ -565,6 +565,8 @@ int daemon_deregister_message_handler(struct ctdb_context *ctdb,
void daemon_tunnel_handler(uint64_t tunnel_id, TDB_DATA data,
void *private_data);
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn);
+
int ctdb_start_daemon(struct ctdb_context *ctdb,
bool interactive,
bool test_mode_enabled);
diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h
index e4b76c6b986..5f788f6f2a8 100644
--- a/ctdb/protocol/protocol.h
+++ b/ctdb/protocol/protocol.h
@@ -137,7 +137,7 @@ struct ctdb_call {
/* SRVID to inform clients that an IP address has been taken over */
#define CTDB_SRVID_TAKE_IP 0xF301000000000000LL
-/* SRVID to inform recovery daemon of the node flags */
+/* SRVID to inform recovery daemon of the node flags - OBSOLETE */
#define CTDB_SRVID_SET_NODE_FLAGS 0xF400000000000000LL
/* SRVID to inform recovery daemon to update public ip assignment */
@@ -376,6 +376,8 @@ enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS = 0,
CTDB_CONTROL_VACUUM_FETCH = 154,
CTDB_CONTROL_DB_VACUUM = 155,
CTDB_CONTROL_ECHO_DATA = 156,
+ CTDB_CONTROL_DISABLE_NODE = 157,
+ CTDB_CONTROL_ENABLE_NODE = 158,
};
#define MAX_COUNT_BUCKETS 16
diff --git a/ctdb/protocol/protocol_api.h b/ctdb/protocol/protocol_api.h
index 7bbe33b22fe..499d9329c54 100644
--- a/ctdb/protocol/protocol_api.h
+++ b/ctdb/protocol/protocol_api.h
@@ -605,6 +605,12 @@ void ctdb_req_control_echo_data(struct ctdb_req_control *request,
struct ctdb_echo_data *echo_data);
int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply);
+void ctdb_req_control_disable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply);
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply);
+
/* From protocol/protocol_debug.c */
void ctdb_packet_print(uint8_t *buf, size_t buflen, FILE *fp);
diff --git a/ctdb/protocol/protocol_client.c b/ctdb/protocol/protocol_client.c
index 6d850be86df..dcce83f02a1 100644
--- a/ctdb/protocol/protocol_client.c
+++ b/ctdb/protocol/protocol_client.c
@@ -2360,3 +2360,39 @@ int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply)
return reply->status;
}
+
+/* CTDB_CONTROL_DISABLE_NODE */
+
+void ctdb_req_control_disable_node(struct ctdb_req_control *request)
+{
+ request->opcode = CTDB_CONTROL_DISABLE_NODE;
+ request->pad = 0;
+ request->srvid = 0;
+ request->client_id = 0;
+ request->flags = 0;
+
+ request->rdata.opcode = CTDB_CONTROL_DISABLE_NODE;
+}
+
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply)
+{
+ return ctdb_reply_control_generic(reply, CTDB_CONTROL_DISABLE_NODE);
+}
+
+/* CTDB_CONTROL_ENABLE_NODE */
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request)
+{
+ request->opcode = CTDB_CONTROL_ENABLE_NODE;
+ request->pad = 0;
+ request->srvid = 0;
+ request->client_id = 0;
+ request->flags = 0;
+
+ request->rdata.opcode = CTDB_CONTROL_ENABLE_NODE;
+}
+
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply)
+{
+ return ctdb_reply_control_generic(reply, CTDB_CONTROL_ENABLE_NODE);
+}
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index fb6b0219ef7..f64a1a90e10 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -411,6 +411,12 @@ static size_t ctdb_req_control_data_len(struct ctdb_req_control_data *cd)
case CTDB_CONTROL_ECHO_DATA:
len = ctdb_echo_data_len(cd->data.echo_data);
break;
+
+ case CTDB_CONTROL_DISABLE_NODE:
+ break;
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ break;
}
return len;
@@ -1385,6 +1391,12 @@ static size_t ctdb_reply_control_data_len(struct ctdb_reply_control_data *cd)
case CTDB_CONTROL_ECHO_DATA:
len = ctdb_echo_data_len(cd->data.echo_data);
break;
+
+ case CTDB_CONTROL_DISABLE_NODE:
+ break;
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ break;
}
return len;
diff --git a/ctdb/protocol/protocol_debug.c b/ctdb/protocol/protocol_debug.c
index 694285515e1..d94cb548d68 100644
--- a/ctdb/protocol/protocol_debug.c
+++ b/ctdb/protocol/protocol_debug.c
@@ -243,6 +243,8 @@ static void ctdb_opcode_print(uint32_t opcode, FILE *fp)
{ CTDB_CONTROL_VACUUM_FETCH, "VACUUM_FETCH" },
{ CTDB_CONTROL_DB_VACUUM, "DB_VACUUM" },
{ CTDB_CONTROL_ECHO_DATA, "ECHO_DATA" },
+ { CTDB_CONTROL_DISABLE_NODE, "DISABLE_NODE" },
+ { CTDB_CONTROL_ENABLE_NODE, "ENABLE_NODE" },
{ MAP_END, "" },
};
diff --git a/ctdb/server/ctdb_control.c b/ctdb/server/ctdb_control.c
index 206ea149693..131ebd43afc 100644
--- a/ctdb/server/ctdb_control.c
+++ b/ctdb/server/ctdb_control.c
@@ -173,6 +173,40 @@ done:
TALLOC_FREE(state);
}
+static int ctdb_control_disable_node(struct ctdb_context *ctdb)
+{
+ struct ctdb_node *node;
+
+ node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+ if (node == NULL) {
+ /* Can't happen */
+ DBG_ERR("Unable to find current node\n");
+ return -1;
+ }
+
+ D_ERR("Disable node\n");
+ node->flags |= NODE_FLAGS_PERMANENTLY_DISABLED;
+
+ return 0;
+}
+
+static int ctdb_control_enable_node(struct ctdb_context *ctdb)
+{
+ struct ctdb_node *node;
+
+ node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+ if (node == NULL) {
+ /* Can't happen */
+ DBG_ERR("Unable to find current node\n");
+ return -1;
+ }
+
+ D_ERR("Enable node\n");
+ node->flags &= ~NODE_FLAGS_PERMANENTLY_DISABLED;
+
+ return 0;
+}
+
/*
process a control request
*/
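Review bot: The new handlers log only `"Disable node\n"` and `"Enable node\n"`, so the log does not show which client or node requested a change to `NODE_FLAGS_PERMANENTLY_DISABLED`. ctdb_control_disable_node() and ctdb_control_enable_node() receive only `ctdb`, although the dispatcher in the next hunk has the request `c` in hand, as the `ctdb_control_echo_data(ctdb, c, indata, async_reply)` call shows. Passing the request through and including its origin in the message would make this state change auditable. Both messages use `D_ERR` on the success path; if that level is deliberate so the change shows at default verbosity, a one-line comment such as `/* logged at ERR so flag changes are always visible */` would say so, otherwise `D_NOTICE` seems the better fit.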
@@ -827,6 +861,14 @@ static int32_t ctdb_control_dispatch(struct ctdb_context *ctdb,
return ctdb_control_echo_data(ctdb, c, indata, async_reply);
}
+ case CTDB_CONTROL_DISABLE_NODE:
+ CHECK_CONTROL_DATA_SIZE(0);
+ return ctdb_control_disable_node(ctdb);
+
+ case CTDB_CONTROL_ENABLE_NODE:
+ CHECK_CONTROL_DATA_SIZE(0);
+ return ctdb_control_enable_node(ctdb);
+
default:
DEBUG(DEBUG_CRIT,(__location__ " Unknown CTDB control opcode %u\n", opcode));
return -1;
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 9035f5b4748..6a76b2ea998 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1235,28 +1235,51 @@ failed:
return -1;
}
-static void initialise_node_flags (struct ctdb_context *ctdb)
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn)
{
+ struct ctdb_node *node = NULL;
unsigned int i;
+ if (pnn == CTDB_CURRENT_NODE) {
+ pnn = ctdb->pnn;
+ }
+
/* Always found: PNN correctly set just before this is called */
for (i = 0; i < ctdb->num_nodes; i++) {
- if (ctdb->pnn == ctdb->nodes[i]->pnn) {
- break;
+ node = ctdb->nodes[i];
+ if (pnn == node->pnn) {
+ return node;
}
}
- ctdb->nodes[i]->flags &= ~NODE_FLAGS_DISCONNECTED;
+ return NULL;
+}
--
Samba Shared Repository