[SCM] Samba Shared Repository - branch v4-14-stable updated

Jule Anger janger at samba.org
Tue Oct 5 13:19:00 UTC 2021


The branch, v4-14-stable has been updated
       via  d1c9330fa69 VERSION: Disable GIT_SNAPSHOT for the 4.14.8 release.
       via  83bf8c9c2c5 WHATSNEW: Add release notes for Samba 4.14.8.
       via  b66b172bb57 samldb: Address birthday paradox adding an RODC
       via  5a90b3e832c pyldb: Avoid use-after-free in msg_diff()
       via  9d61f2f2f3e ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
       via  9f79d4256f8 pytest:segfault: Add test for ldb.msg_diff()
       via  f53c532c229 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
       via  53b48cbe9a8 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
       via  a21afdbcd7b kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
       via  7b4c9eea253 tests/krb5: Allow expected_error_mode to be a container type
       via  63e5d195a5a tests/krb5: Allow specifying parameters specific to the inner FAST request body
       via  112e3625253 tests/krb5: Add tests for omitting sname in request
       via  f18cff2b0e1 tests/krb5: Check PADATA-PW-SALT element in e-data
       via  12c9c5b7d29 tests/krb5: Check e-data element for TGS-REP errors without FAST
       via  474ddf8fdda tests/krb5: Remove harmful and a-typical return in as_req testcase
       via  2444c94cb3a CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
       via  5c4de75af50 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
       via  c64f0cb102a tests/krb5: Make cname checking less strict
       via  7a938531dd0 tests/krb5: Make e-data checking less strict
       via  6b0ac964d78 selftest: Remove knownfail for no_etypes FAST tests
       via  54afeaec083 tests/krb5: Add FAST tests
       via  8eafefbce03 initial FAST tests
       via  6f483eb7c35 tests/krb5: Check PADATA-FX-ERROR in reply
       via  977d1e068e9 tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  a4e7e1bd671 tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  7dc15c34d9e tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  531ed864922 tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  2940dfb59c0 tests/krb5: Check PADATA-FX-COOKIE in reply
       via  1df74663b1e tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  d8aaacc66d9 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  7cb152b6ba6 tests/krb5: Check reply FAST padata if request included FAST
       via  e1f72aaaa44 tests/krb5: Check sname is krbtgt for FAST generic error
       via  1e02aaf49c6 tests/krb5: Add get_krbtgt_sname() method
       via  e2e7f2ec556 tests/krb5: Remove unused variables
       via  4fd7b629abd tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  9380f54b200 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  ff1d3928e04 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  0f2acee95d2 tests/krb5: Include authdata in kdc_exchange_dict
       via  14207a42625 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  ebd51dc4db4 tests/krb5: Check encrypted-pa-data
       via  b77aed56836 tests/krb5: Add methods to determine whether elements were included in the request
       via  afae6b431b8 tests/krb5: Add functions to get dicts of request padata
       via  1cecb538d78 tests/krb5: Check FAST response
       via  d2b4a1883a3 tests/krb5: Add method to verify ticket checksum for FAST
       via  7f8f1202964 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  9064e5eb053 tests/krb5: Allow specifying parameters specific to the outer request body
       via  dec428538ca tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  d51b727590f tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  c4be77e9606 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  b2aee7dc371 tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  020d1c73af3 tests/krb5: Add methods to calculate keys for FAST
       via  1b85d721a48 tests/krb5: Add method to generate FAST encrypted challenge padata
       via  83f8c3f1e18 tests/krb5: Add more methods to create ASN1 objects for FAST
       via  46f356d0b62 tests/krb5: Add more ASN1 definitions for FAST
       via  ce130f1bdf7 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  4cca060c4dd tests/krb5: Ensure generated padata is not None
       via  c511763c119 tests/krb5: Add generate_ap_req() method
       via  383ccffa5eb tests/krb5: Check nonce in EncKDCRepPart
       via  972111f501f tests/krb5: Make checking less strict
       via  f5c4993213a tests/krb5: Check version number of obtained ticket
       via  6fea68a9828 tests/krb5: Assert that more variables are not None
       via  fde5967c8dd tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  3795f815003 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  5e41e264ebe tests/krb5: Include kdc_options in kdc_exchange_dict
       via  8bef7b0c98a tests/krb5: Always specify expected error code
       via  46e019d5088 tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  be5047564fc tests/krb5: Add method to calculate account salt
       via  49a987dc57e tests/krb5: Add more methods for obtaining machine and service credentials
       via  989b352023b tests/krb5: Allow specifying additional details when creating an account
       via  79ab000c197 tests/krb5: Use encryption with admin credentials
       via  300ac82e720 tests/krb5: Add get_EpochFromKerberosTime()
       via  29aa10b93ae tests/krb5: Make _test_as_exchange() return value more consistent
       via  53c49a8c2a0 tests/krb5: Add method to return dict containing padata elements
       via  885f56f4c91 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  16d7c193bb4 tests/krb5: Refactor get_pa_data()
       via  210b2368eea tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  27ce461ad8f tests/krb5: Use credentials kvno when creating password key
       via  b695f407b9a tests/krb5: Check Kerberos protocol version number
       via  c562c5cbeeb tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  1676812b858 tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  4cc5bbdb71b tests/krb5: Fix callback_dict parameter
       via  2261df73ce4 tests/krb5: Fix including enc-authorization-data
       via  b7e71204189 tests/krb5: Remove magic constants
       via  27499d3583f tests/krb5: Simplify Python syntax
       via  10578ae11f9 tests/krb5: Use more compact dict lookup
       via  6955f08227b tests/krb5: Remove unneeded statements
       via  0e276e08fb5 tests/krb5: formatting
       via  27e3155358f tests/krb5: Fix method name typo
       via  b74fca8dd01 tests/krb5: Fix comment typo
       via  82586e8bee9 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  3df9870e6d3 pygensec: Don't modify Python bytes objects
       via  8b281a05539 pygensec: Fix memory leaks
       via  6cf0b28459d selftest: Add support for setting ENV variables in plantestsuite()
       via  b884b4ef585 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
       via  e04e2925be1 selftest: Re-format long lines in selftesthelpers.py
       via  30142140927 selftest: add space after --list in output of selftesthelpers.py
       via  6a3b7eb5b81 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
       via  b4022ea0b4a tests/krb5: Use admin creds for SamDB rather than user creds
       via  477f765f1ab tests/krb5/as_canonicalization_tests.py: Refactor account creation
       via  0e86cc3d59d tests/krb5: Deduplicate 'host' attribute initialisation
       via  de8c2bf0cc9 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
       via  8565cc4ec48 tests/krb5/as_req_tests.py: Check the client kvno
       via  8154d2cc3d2 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
       via  6bc79db7b39 tests/krb5/as_req_tests.py: Automatically obtain credentials
       via  7f33d712596 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
       via  13667701cda tests/krb5/raw_testcase.py: Simplify conditionals
       via  b423bb95afc tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
       via  47b6072624c tests/krb5/raw_testcase.py: Cache obtained credentials
       via  4d72aa9e098 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
       via  9521952380b tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
       via  d85f359789b tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
       via  b91a08ce89e tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
       via  d6f5da02368 tests/krb5/kdc_base_test.py: Create loadparm only when needed
       via  5ffa305eb2e tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
       via  9ce0d56ed48 tests/krb5/kdc_base_test.py: Create database connection only when needed
       via  c12cc693710 tests/krb5/raw_testcase.py: Add get_admin_creds()
       via  461131ed517 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
       via  af9e564cacc selftest: run new as_req_tests against fl2008r2dc and fl2003dc
       via  acf7c56f209 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
       via  e24e1b1a536 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
       via  a03042d103b tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
       via  150be099ae0 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
       via  b833bf902f7 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
       via  ea7399d54e8 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
       via  6d21cb27cb3 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
       via  6257fd9b3c1 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
       via  1a2d9b500e4 tests/krb5/raw_testcase.py: add assertElement*()
       via  e089c45d44d tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
       via  d48196e12f4 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
       via  e63908db368 tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
       via  e9a2916b5f3 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
       via  8958105aa80 auth/credentials: allow credentials.Credentials to act as base class
       via  72606c02824 python: Make credentials cache test run against Windows
       via  29d8bacc8a4 python: Fix ticket timestamp conversion when local timezone is not UTC
       via  0b937a91422 python: Fix erroneous increments of reference counts
       via  de40f47cfac python: Ensure reference counts are properly incremented
       via  795e2b4d487 python: Add SMB credentials cache test
       via  7439b5a91db pylibsmb: Add posix_whoami()
       via  e2b0cdcb507 libsmb: Ensure that whoami parses all the data provided to it
       via  728d13309df libsmb: Check to see that whoami is not receiving more data than it requested
       via  72a11b5eb38 libsmb: Avoid undefined behaviour when parsing whoami state
       via  9dea3dd8b8e libsmb: Remove overflow check
       via  76047162bb0 Revert "libsmb: Use sid_parse()"
       via  f8c0dff5b08 python: Add RPC credentials cache test
       via  8667e6bcdd3 python: Add LDAP credentials cache test
       via  876fe2503fe python: Add credentials cache test
       via  43e20ad3ea2 krb5: Add Python functions to create a credentials cache containing a service ticket
       via  e7ec9b0779a librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
       via  0d08a120e77 krb5ccache.idl: Add definition for a Kerberos credentials cache
       via  c7525b69fe1 Revert "s4-test: fixed ndrdump test for top level build"
       via  b1ed4f5ff37 pygensec: Fix method documentation
       via  6d7dbe77a9e auth:creds: Fix parameter in creds.set_named_ccache()
       via  c222cf2cd4f auth:creds: Remove unused variable
       via  b5d279057f6 tests python krb5: MS-KILE client principal look-up
       via  b30947fc856 librpc: Add py_descriptor_richcmp() equality function
       via  551a39d890a ctdb-daemon: Don't mark a node as unhealthy when connecting to it
       via  2d6cf082db5 ctdb-daemon: Ignore flag changes for disconnected nodes
       via  814844538aa ctdb-daemon: Simplify ctdb_control_modflags()
       via  a7ea1ab3e6a ctdb-recoverd: Mark CTDB_SRVID_SET_NODE_FLAGS obsolete
       via  eab3ee12fe0 ctdb-daemon: Don't bother sending CTDB_SRVID_SET_NODE_FLAGS
       via  e3eeffafff8 ctdb-daemon: Modernise remaining debug macro in this function
       via  cfbac3b5ab9 ctdb-daemon: Update logging for flag changes
       via  c906c9a0b39 ctdb-daemon: Correct the condition for logging unchanged flags
       via  00c1757d92e ctdb-tools: Use disable and enable controls in tool
       via  c8d130f139a ctdb-client: Add client code for disable/enable controls
       via  cb64c64ddb3 ctdb_daemon: Implement controls DISABLE_NODE/ENABLE_NODE
       via  e158aa6d9bd ctdb-daemon: Start as disabled means PERMANENTLY_DISABLED
       via  116db8d54f8 ctdb-daemon: Factor out a function to get node structure from PNN
       via  50596cf0029 ctdb-daemon: Add a helper variable
       via  79961f5a33a ctdb-protocol: Add marshalling for controls DISABLE_NODE/ENABLE_NODE
       via  88660d4e2f8 ctdb-protocol: Add new controls to disable and enable nodes
       via  c61fe558427 ctdb-recoverd: Push flags for a node if any remote node disagrees
       via  c1e217c0e2e ctdb-recoverd: Update the local node map before pushing out flags
       via  69f744e539f ctdb-recoverd: Add a helper variable
       via  e9cbf386be7 vfs_btrfs: fix btrfs_fget_compression()
       via  78f183faa6d selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
       via  207f232abac s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
       via  105014ed48b selftest: Add a test for LookupSids3 and LookupNames4 in python
       via  59f6d56f4ef dsdb: Be careful to avoid use of the expensive talloc_is_parent()
       via  7b66c0cec9f selftest: Only run samba_tool_drs_showrepl test once
       via  e6555e25414 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
       via  b5cbbf0542c s3: smbd: Fix openat_pathref_fsp() to cope with FIFO's in the filesystem.
       via  1bb8ed2b619 s3: smbd: Add fifo test for the DISABLE_OPATH case.
       via  97dc8c0dccc s3: smbd: In create_conn_struct_cwd(), don't TALLOC_FREE() an unallocated pointer on error.
       via  b00fed3b698 s3: mdssvc: Correctly disconnect the VFS connection inside the mds_ctx destructor.
       via  446f89510f2 winbind: ensure wb_parent_idmap_setup_send() gets called in winbindd_allocate_uid_send()
       via  7d1dd87a653 winbindd: call wb_parent_idmap_setup_send() in wb_queryuser_send()
       via  274236ff3db vfs_gpfs: add sys_proc_fd_path() fallback to vfs_gpfs_fset_dos_attributes()
       via  08f18b66716 vfs_gpfs: remove ENOSYS fallback from vfs_gpfs_fset_dos_attributes()
       via  4312b6c17da vfs_gpfs: add path based fallback for gpfswrap_fstat_x() on pathref handles
       via  d98e8e0e3f8 vfs_gpfs: check for O_PATH support in gpfswrap_fstat_x()
       via  4a17f42d00b vfs_gpfs: make vfs_gpfs_connect() a no-op on IPC shares
       via  994c64d3098 vfs_gpfs: don't check for struct gpfs_config_data in vfs_gpfs_[l]stat()
       via  a4a57724b92 vfs_gpfs: call SMB_VFS_NEXT_CONNECT() before running some module initialization code
       via  34c20fe3a16 registry: check for running as root in clustering mode
       via  0e85755f383 s3/lib/dbwrap: check if global_messaging_context() succeeded
       via  a7d66e00fa8 s3: smbd: Fix smbd crash on dangling symlink with posix connection calling several non-posix info levels.
       via  07b062c489f s3/rpc_server: track the number of policy handles with a talloc destructor
       via  5500f3ab7fe selftest: add a test for the "deadtime" parameter
       via  4fbd8a22c3d s3: smbd: Ensure all returns from OpenDir() correctly set errno.
       via  e8807cc57e7 VERSION: Bump version up to 4.14.8...
      from  625e30ad0b9 VERSION: Disable GIT_SNAPSHOT for the 4.14.7 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   96 +-
 auth/credentials/pycredentials.c                   |    8 +-
 ctdb/client/client_control_sync.c                  |   68 +
 ctdb/client/client_sync.h                          |   12 +
 ctdb/include/ctdb_private.h                        |    2 +
 ctdb/protocol/protocol.h                           |    4 +-
 ctdb/protocol/protocol_api.h                       |    6 +
 ctdb/protocol/protocol_client.c                    |   36 +
 ctdb/protocol/protocol_control.c                   |   12 +
 ctdb/protocol/protocol_debug.c                     |    2 +
 ctdb/server/ctdb_control.c                         |   42 +
 ctdb/server/ctdb_daemon.c                          |   35 +-
 ctdb/server/ctdb_monitor.c                         |   67 +-
 ctdb/server/ctdb_recoverd.c                        |  120 +-
 ctdb/server/ctdb_server.c                          |    1 -
 ctdb/tests/UNIT/cunit/protocol_test_101.sh         |    2 +-
 ctdb/tests/src/fake_ctdbd.c                        |   54 +
 ctdb/tests/src/protocol_common_ctdb.c              |   24 +
 ctdb/tests/src/protocol_ctdb_test.c                |    2 +-
 ctdb/tools/ctdb.c                                  |   57 +-
 lib/ldb/common/ldb_msg.c                           |    6 +-
 lib/ldb/pyldb.c                                    |   18 +-
 lib/talloc/pytalloc.c                              |    4 +-
 libgpo/pygpo.c                                     |    2 +-
 librpc/idl/krb5ccache.idl                          |  115 +
 librpc/idl/wscript_build                           |    1 +
 librpc/wscript_build                               |    8 +-
 python/samba/tests/blackbox/ndrdump.py             |   45 +-
 python/samba/tests/dcerpc/lsa.py                   |  333 +++
 python/samba/tests/dsdb_schema_attributes.py       |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |  140 +-
 python/samba/tests/krb5/as_req_tests.py            |  218 ++
 python/samba/tests/krb5/compatability_tests.py     |    4 -
 python/samba/tests/krb5/fast_tests.py              | 1691 +++++++++++++++
 python/samba/tests/krb5/kcrypto.py                 |   12 +-
 python/samba/tests/krb5/kdc_base_test.py           |  663 +++++-
 python/samba/tests/krb5/kdc_tests.py               |   27 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   35 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  829 ++++++++
 .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}   |    0
 python/samba/tests/krb5/raw_testcase.py            | 2206 ++++++++++++++++++--
 python/samba/tests/krb5/rfc4120.asn1               |  176 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   56 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  232 +-
 python/samba/tests/krb5/s4u_tests.py               |    4 -
 python/samba/tests/krb5/simple_tests.py            |   10 +-
 python/samba/tests/krb5/test_ccache.py             |  135 ++
 python/samba/tests/krb5/test_ldap.py               |   96 +
 python/samba/tests/krb5/test_rpc.py                |   79 +
 python/samba/tests/krb5/test_smb.py                |  110 +
 python/samba/tests/krb5/xrealm_tests.py            |    4 -
 python/samba/tests/segfault.py                     |   11 +
 python/samba/tests/usage.py                        |    7 +
 script/autobuild.py                                |    9 +-
 selftest/knownfail                                 |    6 +-
 selftest/knownfail_heimdal_kdc                     |  119 ++
 selftest/knownfail_mit_kdc                         |   45 +
 selftest/selftesthelpers.py                        |   42 +-
 selftest/target/Samba4.pm                          |    2 +-
 source3/lib/dbwrap/dbwrap_open.c                   |    4 +
 source3/libsmb/clifsinfo.c                         |   44 +-
 source3/libsmb/pylibsmb.c                          |  139 +-
 source3/modules/vfs_btrfs.c                        |    7 +-
 source3/modules/vfs_gpfs.c                         |  177 +-
 source3/passdb/py_passdb.c                         |    4 -
 source3/registry/reg_backend_db.c                  |    9 +
 source3/rpc_server/mdssvc/mdssvc.c                 |    5 +
 source3/rpc_server/rpc_handles.c                   |   20 +-
 source3/script/tests/test_deadtime.sh              |   67 +
 source3/script/tests/test_fifo.sh                  |   83 +
 source3/selftest/ktest-krb5_ccache-2.txt           | 1574 ++++++++++++++
 source3/selftest/ktest-krb5_ccache-3.txt           |  832 ++++++++
 source3/selftest/tests.py                          |    7 +
 source3/smbd/dir.c                                 |    2 +
 source3/smbd/files.c                               |    4 +
 source3/smbd/msdfs.c                               |    7 +-
 source3/smbd/trans2.c                              |   14 +-
 source3/winbindd/wb_queryuser.c                    |   30 +-
 source3/winbindd/winbindd_allocate_uid.c           |   44 +-
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/gensec/pygensec.c                     |   71 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |    4 +-
 source4/dsdb/schema/schema_set.c                   |   41 +-
 source4/heimdal/kdc/kerberos5.c                    |    4 +-
 source4/heimdal/kdc/krb5tgs.c                      |    4 +
 source4/librpc/ndr/py_security.c                   |   37 +
 source4/librpc/wscript_build                       |    7 +
 source4/ntvfs/posix/python/pyposix_eadb.c          |    2 +-
 source4/ntvfs/posix/python/pyxattr_native.c        |    4 +-
 source4/ntvfs/posix/python/pyxattr_tdb.c           |    2 +-
 source4/rpc_server/lsa/lsa_lookup.c                |  131 +-
 source4/selftest/tests.py                          |   89 +-
 source4/torture/krb5/kdc-heimdal.c                 |  104 +-
 94 files changed, 10969 insertions(+), 766 deletions(-)
 create mode 100644 librpc/idl/krb5ccache.idl
 create mode 100644 python/samba/tests/dcerpc/lsa.py
 create mode 100755 python/samba/tests/krb5/as_req_tests.py
 create mode 100755 python/samba/tests/krb5/fast_tests.py
 create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
 create mode 100755 python/samba/tests/krb5/test_ccache.py
 create mode 100755 python/samba/tests/krb5/test_ldap.py
 create mode 100755 python/samba/tests/krb5/test_rpc.py
 create mode 100755 python/samba/tests/krb5/test_smb.py
 create mode 100755 source3/script/tests/test_deadtime.sh
 create mode 100755 source3/script/tests/test_fifo.sh
 create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
 create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 82268e491d0..4ef0829ae24 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=14
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ed154ee97c6..cdea32de764 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,96 @@
+                   ==============================
+                   Release Notes for Samba 4.14.8
+                          October 05, 2021
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.14 release series.
+
+
+Changes since 4.14.7
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14742: Python ldb.msg_diff() memory handling failure.
+   * BUG 14805: OpenDir() loses the correct errno return.
+   * BUG 14809: Shares with variable substitutions cause core dump upon
+     connection from MacOS Big Sur 11.5.2.
+   * BUG 14816: Fix pathref open of a filesystem fifo in the DISABLE_OPATH
+     build.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 14806: Address a signifcant performance regression in database access
+     in the AD DC since Samba 4.12.
+   * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+     Samba 4.9 by using an explicit database handle cache.
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+   * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+   * BUG 14819: Address flapping dsdb_schema_attributes test.
+   * BUG 14841: Samba CI runs can now continue past the first error if
+     AUTOBUILD_FAIL_IMMEDIATELY=0 is set.
+   * BUG 14854: samldb_krbtgtnumber_available() looks for incorrect string.
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+   * BUG 14783: smbd "deadtime" parameter doesn't work anymore.
+   * BUG 14787: net conf list crashes when run as normal user.
+   * BUG 14790: vfs_btrfs compression support broken.
+   * BUG 14804: winbindd can crash because idmap child state is not fully
+     initialized.
+
+o  Luke Howard <lukeh at padl.com>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14771: Some VFS operations on pathref (O_PATH) handles fail on GPFS.
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Andreas Schneider <asn at samba.org>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+
+o  Martin Schwenke <martin at meltin.net>
+   * BUG 14784: Fix CTDB flag/status update race conditions.
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+     server name in a TGS-REQ.
+   * BUG 14836: Python ldb.msg_diff() memory handling failure.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.14.7
                           August 24, 2021
@@ -52,8 +145,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
 
                    ==============================
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 95dde276ef7..5a168e6dd7f 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -604,8 +604,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
 static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 {
 	char *newval;
-	enum credentials_obtained obt = CRED_SPECIFIED;
-	int _obt = obt;
 	struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
 	if (creds == NULL) {
 		PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -615,7 +613,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 	if (!PyArg_ParseTuple(args, "s", &newval)) {
 		return NULL;
 	}
-	obt = _obt;
 
 	cli_credentials_set_forced_sasl_mech(creds, newval);
 	Py_RETURN_NONE;
@@ -803,6 +800,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
 		return NULL;
+	obt = _obt;
 
 	mem_ctx = talloc_new(NULL);
 	if (mem_ctx == NULL) {
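Review bot: The added `obt = _obt;` copies a caller-supplied integer into `enum credentials_obtained` with no range check, and the next hunk passes that value to `cli_credentials_set_ccache()` in place of the fixed `CRED_SPECIFIED`. Because the format string is `"s|iO"`, the integer is optional, so `_obt` must already hold a sane default when the argument is omitted; its declaration is outside this hunk, so confirm it is initialised to `CRED_SPECIFIED`. I would reject out-of-range values before the assignment, e.g. `if (_obt < CRED_UNINITIALISED || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "invalid obtained level"); return NULL; }`, assuming `CRED_SPECIFIED` is the highest enumerator. The body of py_creds_set_named_ccache starts and ends outside the hunk.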
@@ -818,7 +816,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	ret = cli_credentials_set_ccache(creds,
 					 lp_ctx,
-					 newval, CRED_SPECIFIED,
+					 newval, obt,
 					 &error_string);
 
 	if (ret != 0) {
@@ -1433,7 +1431,7 @@ static struct PyModuleDef moduledef = {
 PyTypeObject PyCredentials = {
 	.tp_name = "credentials.Credentials",
 	.tp_new = py_creds_new,
-	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
 	.tp_methods = py_creds_methods,
 };
 
diff --git a/ctdb/client/client_control_sync.c b/ctdb/client/client_control_sync.c
index b9a25ce2b2c..e9f97dd0f30 100644
--- a/ctdb/client/client_control_sync.c
+++ b/ctdb/client/client_control_sync.c
@@ -2660,3 +2660,71 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 
 	return 0;
 }
+
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+			   struct tevent_context *ev,
+			   struct ctdb_client_context *client,
+			   int destnode,
+			   struct timeval timeout)
+{
+	struct ctdb_req_control request;
+	struct ctdb_reply_control *reply;
+	int ret;
+
+	ctdb_req_control_disable_node(&request);
+	ret = ctdb_client_control(mem_ctx,
+				  ev,
+				  client,
+				  destnode,
+				  timeout,
+				  &request,
+				  &reply);
+	if (ret != 0) {
+		D_ERR("Control DISABLE_NODE failed to node %u, ret=%d\n",
+		      destnode,
+		      ret);
+		return ret;
+	}
+
+	ret = ctdb_reply_control_disable_node(reply);
+	if (ret != 0) {
+		D_ERR("Control DISABLE_NODE failed, ret=%d\n", ret);
+		return ret;
+	}
+
+	return 0;
+}
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+			  struct tevent_context *ev,
+			  struct ctdb_client_context *client,
+			  int destnode,
+			  struct timeval timeout)
+{
+	struct ctdb_req_control request;
+	struct ctdb_reply_control *reply;
+	int ret;
+
+	ctdb_req_control_enable_node(&request);
+	ret = ctdb_client_control(mem_ctx,
+				  ev,
+				  client,
+				  destnode,
+				  timeout,
+				  &request,
+				  &reply);
+	if (ret != 0) {
+		D_ERR("Control ENABLE_NODE failed to node %u, ret=%d\n",
+		      destnode,
+		      ret);
+		return ret;
+	}
+
+	ret = ctdb_reply_control_enable_node(reply);
+	if (ret != 0) {
+		D_ERR("Control ENABLE_NODE failed, ret=%d\n", ret);
+		return ret;
+	}
+
+	return 0;
+}
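Review bot: Both `D_ERR("Control ... failed to node %u, ret=%d\n", destnode, ret)` calls print `destnode` with `%u` although the parameter is declared `int`, a signedness mismatch that `-Wformat-signedness` reports. Either cast at the call site, `(unsigned int)destnode`, or change the conversion to `%d`; this applies to ctdb_ctrl_disable_node and ctdb_ctrl_enable_node alike. Separately, `reply` is not released in the visible code after `ctdb_reply_control_disable_node(reply)` / `ctdb_reply_control_enable_node(reply)`. Presumably it is parented to `mem_ctx`, but a one-line comment such as `/* reply is owned by mem_ctx */` would make the ownership explicit.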
diff --git a/ctdb/client/client_sync.h b/ctdb/client/client_sync.h
index dc8b67395e3..b8f5d905857 100644
--- a/ctdb/client/client_sync.h
+++ b/ctdb/client/client_sync.h
@@ -482,6 +482,18 @@ int ctdb_ctrl_tunnel_deregister(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
 				int destnode, struct timeval timeout,
 				uint64_t tunnel_id);
 
+int ctdb_ctrl_disable_node(TALLOC_CTX *mem_ctx,
+			   struct tevent_context *ev,
+			   struct ctdb_client_context *client,
+			   int destnode,
+			   struct timeval timeout);
+
+int ctdb_ctrl_enable_node(TALLOC_CTX *mem_ctx,
+			  struct tevent_context *ev,
+			  struct ctdb_client_context *client,
+			  int destnode,
+			  struct timeval timeout);
+
 /* from client/client_message_sync.c */
 
 int ctdb_message_recd_update_ip(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
diff --git a/ctdb/include/ctdb_private.h b/ctdb/include/ctdb_private.h
index 8eb6686f953..f5e647f08a5 100644
--- a/ctdb/include/ctdb_private.h
+++ b/ctdb/include/ctdb_private.h
@@ -565,6 +565,8 @@ int daemon_deregister_message_handler(struct ctdb_context *ctdb,
 void daemon_tunnel_handler(uint64_t tunnel_id, TDB_DATA data,
 			   void *private_data);
 
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn);
+
 int ctdb_start_daemon(struct ctdb_context *ctdb,
 		      bool interactive,
 		      bool test_mode_enabled);
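Review bot: The newly exported prototype `ctdb_find_node()` has no comment describing its contract, and callers need to know that it can return NULL. Going by the definition added in ctdb/server/ctdb_daemon.c, I would put `/* Look up a node by PNN; CTDB_CURRENT_NODE means this node. Returns NULL if no node matches. */` above the declaration. That definition also keeps the old comment `Always found: PNN correctly set just before this is called`, which no longer holds for an arbitrary `pnn` argument and should be reworded or dropped.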
diff --git a/ctdb/protocol/protocol.h b/ctdb/protocol/protocol.h
index e4b76c6b986..5f788f6f2a8 100644
--- a/ctdb/protocol/protocol.h
+++ b/ctdb/protocol/protocol.h
@@ -137,7 +137,7 @@ struct ctdb_call {
 /* SRVID to inform clients that an IP address has been taken over */
 #define CTDB_SRVID_TAKE_IP 0xF301000000000000LL
 
-/* SRVID to inform recovery daemon of the node flags */
+/* SRVID to inform recovery daemon of the node flags - OBSOLETE */
 #define CTDB_SRVID_SET_NODE_FLAGS 0xF400000000000000LL
 
 /* SRVID to inform recovery daemon to update public ip assignment */
@@ -376,6 +376,8 @@ enum ctdb_controls {CTDB_CONTROL_PROCESS_EXISTS          = 0,
 		    CTDB_CONTROL_VACUUM_FETCH            = 154,
 		    CTDB_CONTROL_DB_VACUUM               = 155,
 		    CTDB_CONTROL_ECHO_DATA               = 156,
+		    CTDB_CONTROL_DISABLE_NODE            = 157,
+		    CTDB_CONTROL_ENABLE_NODE             = 158,
 };
 
 #define MAX_COUNT_BUCKETS 16
diff --git a/ctdb/protocol/protocol_api.h b/ctdb/protocol/protocol_api.h
index 7bbe33b22fe..499d9329c54 100644
--- a/ctdb/protocol/protocol_api.h
+++ b/ctdb/protocol/protocol_api.h
@@ -605,6 +605,12 @@ void ctdb_req_control_echo_data(struct ctdb_req_control *request,
 				struct ctdb_echo_data *echo_data);
 int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply);
 
+void ctdb_req_control_disable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply);
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request);
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply);
+
 /* From protocol/protocol_debug.c */
 
 void ctdb_packet_print(uint8_t *buf, size_t buflen, FILE *fp);
diff --git a/ctdb/protocol/protocol_client.c b/ctdb/protocol/protocol_client.c
index 6d850be86df..dcce83f02a1 100644
--- a/ctdb/protocol/protocol_client.c
+++ b/ctdb/protocol/protocol_client.c
@@ -2360,3 +2360,39 @@ int ctdb_reply_control_echo_data(struct ctdb_reply_control *reply)
 
 	return reply->status;
 }
+
+/* CTDB_CONTROL_DISABLE_NODE */
+
+void ctdb_req_control_disable_node(struct ctdb_req_control *request)
+{
+	request->opcode = CTDB_CONTROL_DISABLE_NODE;
+	request->pad = 0;
+	request->srvid = 0;
+	request->client_id = 0;
+	request->flags = 0;
+
+	request->rdata.opcode = CTDB_CONTROL_DISABLE_NODE;
+}
+
+int ctdb_reply_control_disable_node(struct ctdb_reply_control *reply)
+{
+	return ctdb_reply_control_generic(reply, CTDB_CONTROL_DISABLE_NODE);
+}
+
+/* CTDB_CONTROL_ENABLE_NODE */
+
+void ctdb_req_control_enable_node(struct ctdb_req_control *request)
+{
+	request->opcode = CTDB_CONTROL_ENABLE_NODE;
+	request->pad = 0;
+	request->srvid = 0;
+	request->client_id = 0;
+	request->flags = 0;
+
+	request->rdata.opcode = CTDB_CONTROL_ENABLE_NODE;
+}
+
+int ctdb_reply_control_enable_node(struct ctdb_reply_control *reply)
+{
+	return ctdb_reply_control_generic(reply, CTDB_CONTROL_ENABLE_NODE);
+}
diff --git a/ctdb/protocol/protocol_control.c b/ctdb/protocol/protocol_control.c
index fb6b0219ef7..f64a1a90e10 100644
--- a/ctdb/protocol/protocol_control.c
+++ b/ctdb/protocol/protocol_control.c
@@ -411,6 +411,12 @@ static size_t ctdb_req_control_data_len(struct ctdb_req_control_data *cd)
 	case CTDB_CONTROL_ECHO_DATA:
 		len = ctdb_echo_data_len(cd->data.echo_data);
 		break;
+
+	case CTDB_CONTROL_DISABLE_NODE:
+		break;
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		break;
 	}
 
 	return len;
@@ -1385,6 +1391,12 @@ static size_t ctdb_reply_control_data_len(struct ctdb_reply_control_data *cd)
 	case CTDB_CONTROL_ECHO_DATA:
 		len = ctdb_echo_data_len(cd->data.echo_data);
 		break;
+
+	case CTDB_CONTROL_DISABLE_NODE:
+		break;
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		break;
 	}
 
 	return len;
diff --git a/ctdb/protocol/protocol_debug.c b/ctdb/protocol/protocol_debug.c
index 694285515e1..d94cb548d68 100644
--- a/ctdb/protocol/protocol_debug.c
+++ b/ctdb/protocol/protocol_debug.c
@@ -243,6 +243,8 @@ static void ctdb_opcode_print(uint32_t opcode, FILE *fp)
 		{ CTDB_CONTROL_VACUUM_FETCH, "VACUUM_FETCH" },
 		{ CTDB_CONTROL_DB_VACUUM, "DB_VACUUM" },
 		{ CTDB_CONTROL_ECHO_DATA, "ECHO_DATA" },
+		{ CTDB_CONTROL_DISABLE_NODE, "DISABLE_NODE" },
+		{ CTDB_CONTROL_ENABLE_NODE, "ENABLE_NODE" },
 		{ MAP_END, "" },
 	};
 
diff --git a/ctdb/server/ctdb_control.c b/ctdb/server/ctdb_control.c
index 206ea149693..131ebd43afc 100644
--- a/ctdb/server/ctdb_control.c
+++ b/ctdb/server/ctdb_control.c
@@ -173,6 +173,40 @@ done:
 	TALLOC_FREE(state);
 }
 
+static int ctdb_control_disable_node(struct ctdb_context *ctdb)
+{
+	struct ctdb_node *node;
+
+	node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+	if (node == NULL) {
+		/* Can't happen */
+		DBG_ERR("Unable to find current node\n");
+		return -1;
+	}
+
+	D_ERR("Disable node\n");
+	node->flags |= NODE_FLAGS_PERMANENTLY_DISABLED;
+
+	return 0;
+}
+
+static int ctdb_control_enable_node(struct ctdb_context *ctdb)
+{
+	struct ctdb_node *node;
+
+	node = ctdb_find_node(ctdb, CTDB_CURRENT_NODE);
+	if (node == NULL) {
+		/* Can't happen */
+		DBG_ERR("Unable to find current node\n");
+		return -1;
+	}
+
+	D_ERR("Enable node\n");
+	node->flags &= ~NODE_FLAGS_PERMANENTLY_DISABLED;
+
+	return 0;
+}
+
 /*
   process a control request
  */
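Review bot: The state change in ctdb_control_disable_node() and ctdb_control_enable_node() is logged with `D_ERR("Disable node\n")` and `D_ERR("Enable node\n")`, at error level and without naming the node. These look like expected administrative actions rather than errors. Unless error level was chosen deliberately so the message always appears, a notice-level message carrying the PNN, e.g. `D_NOTICE("Disable node %u\n", node->pnn);`, would keep error logs clean and still leave a usable record of when a node was taken out of or returned to service. The two functions differ only in the flag operation and the message, so a shared static helper taking a `bool` would remove the duplication.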
@@ -827,6 +861,14 @@ static int32_t ctdb_control_dispatch(struct ctdb_context *ctdb,
 		return ctdb_control_echo_data(ctdb, c, indata, async_reply);
 	}
 
+	case CTDB_CONTROL_DISABLE_NODE:
+		CHECK_CONTROL_DATA_SIZE(0);
+		return ctdb_control_disable_node(ctdb);
+
+	case CTDB_CONTROL_ENABLE_NODE:
+		CHECK_CONTROL_DATA_SIZE(0);
+		return ctdb_control_enable_node(ctdb);
+
 	default:
 		DEBUG(DEBUG_CRIT,(__location__ " Unknown CTDB control opcode %u\n", opcode));
 		return -1;
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 9035f5b4748..6a76b2ea998 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -1235,28 +1235,51 @@ failed:
 	return -1;
 }
 
-static void initialise_node_flags (struct ctdb_context *ctdb)
+struct ctdb_node *ctdb_find_node(struct ctdb_context *ctdb, uint32_t pnn)
 {
+	struct ctdb_node *node = NULL;
 	unsigned int i;
 
+	if (pnn == CTDB_CURRENT_NODE) {
+		pnn = ctdb->pnn;
+	}
+
 	/* Always found: PNN correctly set just before this is called */
 	for (i = 0; i < ctdb->num_nodes; i++) {
-		if (ctdb->pnn == ctdb->nodes[i]->pnn) {
-			break;
+		node = ctdb->nodes[i];
+		if (pnn == node->pnn) {
+			return node;
 		}
 	}
 
-	ctdb->nodes[i]->flags &= ~NODE_FLAGS_DISCONNECTED;
+	return NULL;
+}


-- 
Samba Shared Repository


