[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Thu Sep 9 06:38:12 UTC 2021
The branch, v4-15-stable has been updated
via 30c5a0e60e8 VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc6 release.
via 718da33d4e6 WHATSNEW: Add release notes for Samba 4.15.0rc6.
via 45b5c9074e7 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
via 1252f2c170c s4-lsa: Cache sam.ldb handle in lsa_LookupSids3/LookupNames4
via bb825a909e9 selftest: Add a test for LookupSids3 and LookupNames4 in python
via 86d3397f852 dsdb: Be careful to avoid use of the expensive talloc_is_parent()
via d18232cdcfc selftest: Only run samba_tool_drs_showrepl test once
via 8c246869e14 selftest: Split up targets for samba_tool_drs from samba_tool_drs_showrepl
via 5cec6963b69 WHATSNEW: Update with samba-tool domain backup offline fix
via 0cc8a4708f0 WHATSNEW: Update for KDC crash fixes
via 7ca641892b3 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via 0fd150e4844 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via dcbec3eab52 tests/krb5: Allow expected_error_mode to be a container type
via 8d17a87523b tests/krb5: Add tests for omitting sname in inner request
via c837f43a9cd tests/krb5: Allow specifying parameters specific to the inner FAST request body
via b628cda6604 tests/krb5: Add tests for omitting sname in request
via 83ba64c9106 tests/krb5: Check PADATA-PW-SALT element in e-data
via 13cb2664266 tests/krb5: Check e-data element for TGS-REP errors without FAST
via 2762a9dcee4 tests/krb5: Remove harmful and a-typical return in as_req testcase
via f50f9618efa CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via d9de103cc58 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 1ae386bf725 tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
via b6496bd5990 tests/krb5: Make cname checking less strict
via c9b594a1a21 tests/krb5: Make e-data checking less strict
via ef69ac460bc Update common on currently supported Fedora versions
via d0f26d12a9b bootstrap: SAMBA_CI_CONTAINER_TAG is now in .gitlab-ci-main.yml
via 04cbe284f4e bootstrap: Update to get newer krb5 on Fedora 34
via 2c7d7307ae3 mit-kdc: Remove build time support for KDB_API < 10
via 0cf8c13b940 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
via e30483eb251 autobuild.py: Do not build MIT builds by default (eg sn-devel)
via 1dd8ded8c57 gitlab-ci: Move MIT builds to current Fedora so we can test against a current MIT KDC
via 961bdab6647 gitlab-ci/autobuild: Add new build confirming behaviour on older MIT Kerberos
via e850967129d autobuild.py: Explain why each job is removed from the default set
via 521adb2fd3e samba-tool domain backup: Use tdbbackup on metadata.tdb
via 2f8295604ce samba-tool: Rework transations/locks to hold a lock during mdb backup
via 21e1a6b48d6 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
via 535bd82604e mit-samba: Only set the function opening bracket once
via 13dff7227f4 mit-samba: Use talloc_get_type_abort() instead of casting
via 9698e453ae9 mit-samba: Send the logging to the kdc log facility
via 4bf41b6ccf5 mit-samba: Define debug class for kdb module
via 07cfa4d6f95 tests/krb5: Add FAST tests
via 003307b7d34 initial FAST tests
via 18c2ff9a3c6 tests/krb5: Check PADATA-FX-ERROR in reply
via 54f1f269f0a tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
via d6acfe270d0 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 1e9a7cd0a81 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
via 464a7efe1b2 tests/krb5: Make check_rep_padata() also work for checking TGS replies
via 220f76a98eb tests/krb5: Check PADATA-FX-COOKIE in reply
via 18b587ad53b tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 904df7418b8 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
via 19aaacb5b2b tests/krb5: Check reply FAST padata if request included FAST
via 5fc7588d3cc tests/krb5: Check sname is krbtgt for FAST generic error
via fc2ec4b9e01 tests/krb5: Add get_krbtgt_sname() method
via 6ed03543ea0 tests/krb5: Remove unused variables
via 2e9c0a7ff2f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
via 4d8b3dcd2f7 tests/krb5: Add check_rep_padata() method to check padata in reply
via 7628f04aa64 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
via 5893e9dc6d6 tests/krb5: Include authdata in kdc_exchange_dict
via d544371bd15 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
via 6457ecee2a9 tests/krb5: Check encrypted-pa-data
via 79972f42603 tests/krb5: Add methods to determine whether elements were included in the request
via 361d9e73d15 tests/krb5: Add functions to get dicts of request padata
via 038921df85e tests/krb5: Check FAST response
via afd32084e3b tests/krb5: Add method to verify ticket checksum for FAST
via 846c0132b52 tests/krb5: Add method to check PA-FX-FAST-REPLY
via 9cc2d4a659c tests/krb5: Allow specifying parameters specific to the outer request body
via 889593908e6 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
via dbf3f3bab68 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
via 5f35f5ce1dc tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
via dc778a5f4ca tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
via 943a58fc29f tests/krb5: Add methods to calculate keys for FAST
via 539981fc13b tests/krb5: Add method to generate FAST encrypted challenge padata
via cb609e47d76 tests/krb5: Add more methods to create ASN1 objects for FAST
via db22b645c05 tests/krb5: Add more ASN1 definitions for FAST
via 98f242cf97f tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
via 9d8973d3775 tests/krb5: Ensure generated padata is not None
via 2898841517e tests/krb5: Add generate_ap_req() method
via 8bc2d847585 tests/krb5: Check nonce in EncKDCRepPart
via 9c80f3188c5 tests/krb5: Make checking less strict
via cd4d26b7342 tests/krb5: Check version number of obtained ticket
via 7b859c2ce3a tests/krb5: Assert that more variables are not None
via 17fb5d3534a tests/krb5: Ensure in assertElementPresent() that container elements are not empty
via 88a3de1f8cd tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
via c8f98ef1bf7 tests/krb5: Include kdc_options in kdc_exchange_dict
via 2804451db04 tests/krb5: Always specify expected error code
via 9668d0a12af tests/krb5: Add check_reply() method to check for AS or TGS reply
via 5d4f3948652 tests/krb5: Add method to calculate account salt
via 2f26125a45b tests/krb5: Add more methods for obtaining machine and service credentials
via 8926866e50f tests/krb5: Allow specifying additional details when creating an account
via 80904c2493a tests/krb5: Use encryption with admin credentials
via 8ebde4958f6 tests/krb5: Add get_EpochFromKerberosTime()
via ad37b892482 tests/krb5: Make _test_as_exchange() return value more consistent
via 4f9621dc01d tests/krb5: Add method to return dict containing padata elements
via 790c07f6262 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
via 0ad81b04468 tests/krb5: Refactor get_pa_data()
via 8a465e73ba3 tests/krb5: Allow cf2 to automatically use the enctype of the first key
via d003d7a3edc tests/krb5: Use credentials kvno when creating password key
via bd1a33d8b09 tests/krb5: Check Kerberos protocol version number
via 5bed0606922 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
via 34b85fc9f02 tests/krb5: Fix encpart_decryption_key with MIT KDC
via f5bb7f975c2 tests/krb5: Fix callback_dict parameter
via 3ace86e524c tests/krb5: Fix including enc-authorization-data
via f191934f14d tests/krb5: Remove magic constants
via 82158d38ad6 tests/krb5: Simplify Python syntax
via 122ed8d3f3e tests/krb5: Use more compact dict lookup
via 68fc4851772 tests/krb5: Remove unneeded statements
via 5df6c6850f4 tests/krb5: formatting
via 3d751f9cc6f tests/krb5: Fix method name typo
via 204f2dbcefe tests/krb5: Fix comment typo
via 424b945426a tests/krb5: Fix ms_kile_client_principal_lookup_test errors
via 25b51c3a287 pygensec: Don't modify Python bytes objects
via a90933e820c pygensec: Fix memory leaks
via 36a99feeafb selftest: Add support for setting ENV variables in plantestsuite()
via daab1eba30a selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
via 2dfe335bbe2 selftest: Re-format long lines in selftesthelpers.py
via a116dec4bb6 bootstrap: Install python3-dateutil instead of python3-iso8601 on RPM distros
via 9ded25beb7e python:waf: Correctly check for python-dateutil
via 8586802eaca bootstrap: Install krb5-workstation on Fedora based distros
via a0a96f6ebab VERSION: Bump version up to Samba 4.15.0rc6...
from cbfc80e7b7d VERSION: Disable GIT_SNAPSHOT for the 4.15.0rc5 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 15 +-
VERSION | 2 +-
WHATSNEW.txt | 57 +-
bootstrap/README.md | 4 +-
bootstrap/config.py | 8 +-
bootstrap/generated-dists/centos7/bootstrap.sh | 1 +
bootstrap/generated-dists/centos7/packages.yml | 1 +
bootstrap/generated-dists/centos8/bootstrap.sh | 1 +
bootstrap/generated-dists/centos8/packages.yml | 1 +
bootstrap/generated-dists/fedora33/bootstrap.sh | 3 +-
bootstrap/generated-dists/fedora33/packages.yml | 3 +-
bootstrap/generated-dists/fedora34/bootstrap.sh | 3 +-
bootstrap/generated-dists/fedora34/packages.yml | 3 +-
bootstrap/generated-dists/opensuse151/bootstrap.sh | 1 +
bootstrap/generated-dists/opensuse151/packages.yml | 1 +
bootstrap/generated-dists/opensuse152/bootstrap.sh | 3 +-
bootstrap/generated-dists/opensuse152/packages.yml | 3 +-
bootstrap/sha1sum.txt | 2 +-
python/samba/netcmd/domain_backup.py | 54 +-
python/samba/tests/dcerpc/lsa.py | 333 ++++
python/samba/tests/dsdb_schema_attributes.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 4 -
python/samba/tests/krb5/as_req_tests.py | 117 +-
python/samba/tests/krb5/compatability_tests.py | 4 -
python/samba/tests/krb5/fast_tests.py | 1734 ++++++++++++++++++++
python/samba/tests/krb5/kcrypto.py | 12 +-
python/samba/tests/krb5/kdc_base_test.py | 193 ++-
python/samba/tests/krb5/kdc_tests.py | 27 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 18 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 71 +-
python/samba/tests/krb5/raw_testcase.py | 1561 ++++++++++++++----
python/samba/tests/krb5/rfc4120.asn1 | 106 +-
python/samba/tests/krb5/rfc4120_constants.py | 44 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 100 +-
python/samba/tests/krb5/s4u_tests.py | 4 -
python/samba/tests/krb5/simple_tests.py | 4 -
python/samba/tests/krb5/xrealm_tests.py | 4 -
python/samba/tests/usage.py | 1 +
python/wscript | 23 +-
script/autobuild.py | 47 +-
selftest/knownfail_heimdal_kdc | 56 +
selftest/knownfail_mit_kdc | 393 +----
selftest/knownfail_mit_krb5_pre_1_18 | 1 -
selftest/selftesthelpers.py | 42 +-
selftest/wscript | 3 -
source4/auth/gensec/gensec_gssapi.c | 4 +
source4/auth/gensec/pygensec.c | 59 +-
source4/dsdb/schema/schema_set.c | 41 +-
source4/heimdal/kdc/kerberos5.c | 4 +-
source4/heimdal/kdc/krb5tgs.c | 4 +
source4/kdc/mit-kdb/kdb_samba.h | 32 -
source4/kdc/mit-kdb/kdb_samba_change_pwd.c | 3 +
source4/kdc/mit-kdb/kdb_samba_common.c | 3 +
source4/kdc/mit-kdb/kdb_samba_masterkey.c | 3 +
source4/kdc/mit-kdb/kdb_samba_pac.c | 3 +
source4/kdc/mit-kdb/kdb_samba_policies.c | 42 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 10 +-
source4/kdc/mit_samba.c | 37 +-
source4/rpc_server/lsa/lsa_lookup.c | 131 +-
source4/selftest/tests.py | 42 +-
wscript_configure_system_mitkrb5 | 4 +-
61 files changed, 4370 insertions(+), 1126 deletions(-)
create mode 100644 python/samba/tests/dcerpc/lsa.py
create mode 100755 python/samba/tests/krb5/fast_tests.py
delete mode 100644 selftest/knownfail_mit_krb5_pre_1_18
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 0979c007dc6..4b2f17938c8 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: fa3eeb92fb5447524a057a4c377e6960dff626ce
+ SAMBA_CI_CONTAINER_TAG: 733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
#
# We use the ubuntu1804 image as default as
# it matches what we have on sn-devel-184.
@@ -234,10 +234,14 @@ samba-def-build:
samba-mit-build:
extends: .shared_template_build_only
+ variables:
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
stage: build_first
.needs_samba-mit-build:
extends: .shared_template_test_only
+ variables:
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
needs:
- job: samba-mit-build
artifacts: true
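Review bot: The override `SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}` is written out twice in this hunk, under `samba-mit-build` and `.needs_samba-mit-build`, and a third time under `samba-mitkrb5` in the next hunk. The build job and the test jobs that consume its artifacts have to run on the same image, so defining the variable once in a hidden job that all three extend would keep them from drifting apart at the next Fedora bump.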
@@ -274,6 +278,8 @@ samba:
samba-mitkrb5:
extends: .shared_template
+ variables:
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora34}
samba-minimal-smbd:
extends: .shared_template
@@ -383,6 +389,13 @@ samba-fips:
samba-fileserver:
extends: .needs_samba-h5l-build-private
+# This is a full build without the AD DC so we test the build with MIT
+# Kerberos from the default system (Ubuntu 18.04 at this stage).
+# Runtime behaviour checked via the ktest (static ccache and keytab)
+# environment
+samba-ktest-mit:
+ extends: .shared_template
+
samba-ad-dc-1:
extends: .needs_samba-def-build-private
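Review bot: The new `samba-ktest-mit` job pins no image; it only has `extends: .shared_template`, so the "Ubuntu 18.04 at this stage" in its comment holds only for as long as the default image stays the same. Since the point of the job is to build against the older system MIT Kerberos, setting `SAMBA_CI_JOB_IMAGE` explicitly here would stop that coverage from disappearing silently when the default moves on.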
diff --git a/VERSION b/VERSION
index 9dc372ed3ca..31a0c312220 100644
--- a/VERSION
+++ b/VERSION
@@ -87,7 +87,7 @@ SAMBA_VERSION_PRE_RELEASE=
# e.g. SAMBA_VERSION_RC_RELEASE=1 #
# -> "3.0.0rc1" #
########################################################
-SAMBA_VERSION_RC_RELEASE=5
+SAMBA_VERSION_RC_RELEASE=6
########################################################
# To mark SVN snapshots this should be set to 'yes' #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d2c25df89ff..739a0b319ca 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,7 +1,7 @@
Release Announcements
=====================
-This is the fifth release candidate of Samba 4.15. This is *not*
+This is the sixth release candidate of Samba 4.15. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.
@@ -52,6 +52,14 @@ Starting from Jan 21th 2021, all Samba releases will be signed with the new key.
See also GPG_AA99442FB680B620_replaces_6F33915B6568B7EA.txt
+New minimum version for the experimental MIT KDC
+------------------------------------------------
+
+The build of the AD DC using the system MIT Kerberos, an
+experimental feature, now requires MIT Kerberos 1.19. An up-to-date
+Fedora 34 has this version and has backported fixes for the KDC crash
+bugs CVE-2021-37750 and CVE-2021-36222
+
NEW FEATURES/CHANGES
====================
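Review bot: The last added sentence, ending "CVE-2021-37750 and CVE-2021-36222", has no full stop. It would also help to say in this paragraph that the two CVEs are MIT KDC issues, so readers do not confuse them with the Heimdal KDC crash described further down in the same file.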
@@ -274,6 +282,23 @@ Windows.
'samba-tool dns update' is now a bit more careful in rejecting and
warning you about malformed IPv4 and IPv6 addresses.
+CVE-2021-3671: Crash in Heimdal KDC and updated security release policy
+-----------------------------------------------------------------------
+
+An unuthenticated user can crash the AD DC KDC by omitting the server
+name in a TGS-REQ. Per Samba's updated security process a specific
+security release was not made for this issue as it is a recoverable
+Denial Of Service.
+
+See https://wiki.samba.org/index.php/Samba_Security_Proces
+
+samba-tool domain backup offline with the LMDB backend
+------------------------------------------------------
+
+samba-tool domain backup offline, when operating with the LMDB backend
+now correctly takes out locks against concurrent modification of the
+database during the backup. If you use this tool on a Samba AD DC
+using LMDB, you should upgrade to this release for safer backups.
REMOVED FEATURES
================
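Review bot: In the CVE-2021-3671 paragraph, "unuthenticated" should be "unauthenticated", and the link on the "See" line ends in `Samba_Security_Proces`, which looks cut short given that the heading and text spell "process"; please check that it resolves. In the backup paragraph a comma is missing after "when operating with the LMDB backend", and the blank line before the `REMOVED FEATURES` heading appears to have been lost.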
@@ -316,6 +341,36 @@ smb.conf changes
winbind scan trusted domains Changed No
+CHANGES SINCE 4.15.0rc5
+=======================
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14806: Address a signifcant performance regression in database access
+ in the AD DC since Samba 4.12.
+ * BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
+ Samba 4.9 by using an explicit database handle cache.
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+ * BUG 14818: Address flapping samba_tool_drs_showrepl test.
+ * BUG 14819: Address flapping dsdb_schema_attributes test.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Gary Lockyer <gary at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14817: An unuthenticated user can crash the AD DC KDC by omitting the
+ server name in a TGS-REQ.
+
+
CHANGES SINCE 4.15.0rc4
=======================
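Review bot: Two misspellings in the added changelog entries: "signifcant" in the BUG 14806 line, and "unuthenticated" in every copy of the BUG 14817 line (five authors). Since the 14817 text is pasted per author, fixing it once and re-copying avoids leaving a stray variant behind.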
diff --git a/bootstrap/README.md b/bootstrap/README.md
index 47ef1c67836..44a354de545 100644
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -13,7 +13,7 @@ A pure python3 module with CLI to bootstrap Samba envs for multiple distribution
## Supported Distributions
deb: Debian 10, Ubuntu 1604|1804|2004
-rpm: CentOS 7|8, Fedora 32|33, openSUSE Leap 15.1|15.2
+rpm: CentOS 7|8, Fedora 33|34, openSUSE Leap 15.1|15.2
Easy to add more.
@@ -32,7 +32,7 @@ Just calculate the sha1sum for consistency checks:
bootstrap/template.py --sha1sum
The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in
-the toplevel .gitlab-ci.yml file.
+the toplevel .gitlab-ci-main.yml file.
## User Stories
diff --git a/bootstrap/config.py b/bootstrap/config.py
index b5d04d4e371..ba4304bb9f8 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -20,6 +20,9 @@ Manage dependencies and bootstrap environments for Samba.
Config file for packages and templates.
+Update the lists in this file to require new packages in the
+container images used in GitLab CI
+
Author: Joe Guo <joeg at catalyst.net.nz>
"""
import os
@@ -116,7 +119,7 @@ PKGS = [
('bind9utils', 'bind-utils'),
('dnsutils', ''),
('xsltproc', 'libxslt'),
- ('krb5-user', ''),
+ ('krb5-user', 'krb5-workstation'),
('krb5-config', ''),
('krb5-kdc', 'krb5-server'),
('apt-utils', 'yum-utils'),
@@ -485,6 +488,7 @@ RPM_DISTS = {
'lsb-release': 'redhat-lsb',
'libsemanage-python': 'python3-libsemanage',
'policycoreutils-python': 'python3-policycoreutils',
+ 'python3-iso8601': 'python3-dateutil',
}
},
'fedora34': {
@@ -496,6 +500,7 @@ RPM_DISTS = {
'libsemanage-python': 'python3-libsemanage',
'policycoreutils-python': 'python3-policycoreutils',
'perl-FindBin': '',
+ 'python3-iso8601': 'python3-dateutil',
'libtracker-sparql-2.0-dev': '', # only tracker 3.x is available
}
},
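Review bot: The new `'python3-iso8601': 'python3-dateutil'` entry has no comment explaining why one package stands in for another, unlike the `libtracker-sparql-2.0-dev` line just below it, which says why it is blanked. A reader of this map sees iso8601 requested and dateutil installed with no reason given; a short trailing comment here, and on the matching fedora33 and openSUSE entries, would record the intent.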
@@ -552,6 +557,7 @@ RPM_DISTS = {
'perl-interpreter': '',
'perl-FindBin': '',
'procps-ng': 'procps',
+ 'python3-iso8601': 'python3-python-dateutil',
'python3-dns': 'python3-dnspython',
'python3-markdown': 'python3-Markdown',
'quota-devel': '',
diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh
index 00dd22b891f..36913f40b44 100755
--- a/bootstrap/generated-dists/centos7/bootstrap.sh
+++ b/bootstrap/generated-dists/centos7/bootstrap.sh
@@ -45,6 +45,7 @@ yum install -y \
keyutils-libs-devel \
krb5-devel \
krb5-server \
+ krb5-workstation \
lcov \
libacl-devel \
libarchive-devel \
diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml
index 3f5e8331b40..4da3d61441f 100644
--- a/bootstrap/generated-dists/centos7/packages.yml
+++ b/bootstrap/generated-dists/centos7/packages.yml
@@ -31,6 +31,7 @@ packages:
- keyutils-libs-devel
- krb5-devel
- krb5-server
+ - krb5-workstation
- lcov
- libacl-devel
- libarchive-devel
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh
index a3079982dda..60cf3937cf7 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8/bootstrap.sh
@@ -54,6 +54,7 @@ yum install -y \
keyutils-libs-devel \
krb5-devel \
krb5-server \
+ krb5-workstation \
libacl-devel \
libarchive-devel \
libattr-devel \
diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml
index 2994e81640a..f5d0ac5ffe6 100644
--- a/bootstrap/generated-dists/centos8/packages.yml
+++ b/bootstrap/generated-dists/centos8/packages.yml
@@ -34,6 +34,7 @@ packages:
- keyutils-libs-devel
- krb5-devel
- krb5-server
+ - krb5-workstation
- libacl-devel
- libarchive-devel
- libattr-devel
diff --git a/bootstrap/generated-dists/fedora33/bootstrap.sh b/bootstrap/generated-dists/fedora33/bootstrap.sh
index 106bd09ede8..52e199f6b88 100755
--- a/bootstrap/generated-dists/fedora33/bootstrap.sh
+++ b/bootstrap/generated-dists/fedora33/bootstrap.sh
@@ -45,6 +45,7 @@ dnf install -y \
keyutils-libs-devel \
krb5-devel \
krb5-server \
+ krb5-workstation \
lcov \
libacl-devel \
libarchive-devel \
@@ -86,10 +87,10 @@ dnf install -y \
psmisc \
python3 \
python3-cryptography \
+ python3-dateutil \
python3-devel \
python3-dns \
python3-gpg \
- python3-iso8601 \
python3-libsemanage \
python3-markdown \
python3-policycoreutils \
diff --git a/bootstrap/generated-dists/fedora33/packages.yml b/bootstrap/generated-dists/fedora33/packages.yml
index 9fa48ad4502..d9cbfbd80db 100644
--- a/bootstrap/generated-dists/fedora33/packages.yml
+++ b/bootstrap/generated-dists/fedora33/packages.yml
@@ -34,6 +34,7 @@ packages:
- keyutils-libs-devel
- krb5-devel
- krb5-server
+ - krb5-workstation
- lcov
- libacl-devel
- libarchive-devel
@@ -75,10 +76,10 @@ packages:
- psmisc
- python3
- python3-cryptography
+ - python3-dateutil
- python3-devel
- python3-dns
- python3-gpg
- - python3-iso8601
- python3-libsemanage
- python3-markdown
- python3-policycoreutils
diff --git a/bootstrap/generated-dists/fedora34/bootstrap.sh b/bootstrap/generated-dists/fedora34/bootstrap.sh
index 6686ab19250..de5a9670601 100755
--- a/bootstrap/generated-dists/fedora34/bootstrap.sh
+++ b/bootstrap/generated-dists/fedora34/bootstrap.sh
@@ -45,6 +45,7 @@ dnf install -y \
keyutils-libs-devel \
krb5-devel \
krb5-server \
+ krb5-workstation \
lcov \
libacl-devel \
libarchive-devel \
@@ -85,10 +86,10 @@ dnf install -y \
psmisc \
python3 \
python3-cryptography \
+ python3-dateutil \
python3-devel \
python3-dns \
python3-gpg \
- python3-iso8601 \
python3-libsemanage \
python3-markdown \
python3-policycoreutils \
diff --git a/bootstrap/generated-dists/fedora34/packages.yml b/bootstrap/generated-dists/fedora34/packages.yml
index 1e488823dda..749f30dfc0e 100644
--- a/bootstrap/generated-dists/fedora34/packages.yml
+++ b/bootstrap/generated-dists/fedora34/packages.yml
@@ -34,6 +34,7 @@ packages:
- keyutils-libs-devel
- krb5-devel
- krb5-server
+ - krb5-workstation
- lcov
- libacl-devel
- libarchive-devel
@@ -74,10 +75,10 @@ packages:
- psmisc
- python3
- python3-cryptography
+ - python3-dateutil
- python3-devel
- python3-dns
- python3-gpg
- - python3-iso8601
- python3-libsemanage
- python3-markdown
- python3-policycoreutils
diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh
index 2271e2ea8b2..e4771284f4d 100755
--- a/bootstrap/generated-dists/opensuse151/bootstrap.sh
+++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh
@@ -40,6 +40,7 @@ zypper --non-interactive install \
hostname \
htop \
keyutils-devel \
+ krb5-client \
krb5-devel \
krb5-server \
lcov \
diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml
index 5710c60bd8b..d465252e26b 100644
--- a/bootstrap/generated-dists/opensuse151/packages.yml
+++ b/bootstrap/generated-dists/opensuse151/packages.yml
@@ -28,6 +28,7 @@ packages:
- hostname
- htop
- keyutils-devel
+ - krb5-client
- krb5-devel
- krb5-server
- lcov
diff --git a/bootstrap/generated-dists/opensuse152/bootstrap.sh b/bootstrap/generated-dists/opensuse152/bootstrap.sh
index ae766095a4d..534ff66896f 100755
--- a/bootstrap/generated-dists/opensuse152/bootstrap.sh
+++ b/bootstrap/generated-dists/opensuse152/bootstrap.sh
@@ -40,6 +40,7 @@ zypper --non-interactive install \
hostname \
htop \
keyutils-devel \
+ krb5-client \
krb5-devel \
krb5-server \
lcov \
@@ -87,8 +88,8 @@ zypper --non-interactive install \
python3-devel \
python3-dnspython \
python3-gpg \
- python3-iso8601 \
python3-pyasn1 \
+ python3-python-dateutil \
python3-setproctitle \
readline-devel \
rng-tools \
diff --git a/bootstrap/generated-dists/opensuse152/packages.yml b/bootstrap/generated-dists/opensuse152/packages.yml
index 6bc1a137ca7..05b3779a2fd 100644
--- a/bootstrap/generated-dists/opensuse152/packages.yml
+++ b/bootstrap/generated-dists/opensuse152/packages.yml
@@ -28,6 +28,7 @@ packages:
- hostname
- htop
- keyutils-devel
+ - krb5-client
- krb5-devel
- krb5-server
- lcov
@@ -75,8 +76,8 @@ packages:
- python3-devel
- python3-dnspython
- python3-gpg
- - python3-iso8601
- python3-pyasn1
+ - python3-python-dateutil
- python3-setproctitle
- readline-devel
- rng-tools
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index e198e6b80ae..e433f698b68 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-fa3eeb92fb5447524a057a4c377e6960dff626ce
+733f8fa83c921e5a7ec8f5470b2ca7d52548f4b0
diff --git a/python/samba/netcmd/domain_backup.py b/python/samba/netcmd/domain_backup.py
index 5cccccd40ec..81738196385 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -1004,7 +1004,12 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
# sam.ldb must have a transaction started on it before backing up
# everything in sam.ldb.d with the appropriate backup function.
+ #
+ # Obtains the sidForRestore (SID for the new DC) and returns it
+ # from under the transaction
def backup_smb_dbs(self, private_dir, samdb, lp, logger):
+ sam_ldb_path = os.path.join(private_dir, 'sam.ldb')
+
# First, determine if DB backend is MDB. Assume not unless there is a
# 'backendStore' attribute on @PARTITION containing the text 'mdb'
store_label = "backendStore"
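Review bot: The added comment above `def backup_smb_dbs` describes a return value (the sidForRestore) that the signature does not hint at. That belongs in a docstring inside the function so it shows up for callers, and it would be worth stating there that the value is read while the lock or transaction is still held, since that is the reason for returning it from here.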
@@ -1012,16 +1017,28 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
attrs=[store_label])
mdb_backend = store_label in res[0] and str(res[0][store_label][0]) == 'mdb'
- sam_ldb_path = os.path.join(private_dir, 'sam.ldb')
+ # This is needed to keep this variable in scope until the end
+ # of the transaction.
+ res_iterator = None
+
copy_function = None
if mdb_backend:
logger.info('MDB backend detected. Using mdb backup function.')
copy_function = self.offline_mdb_copy
+
+ # We can't backup with a write transaction open, so get a
+ # read lock with a search_iterator().
+ #
+ # We have tests in lib/ldb/tests/python/api.py that the
+ # search iterator takes a read lock effective against a
+ # transaction. This in turn will ensure there are no
+ # transactions on either the main or sub-database, even if
+ # the read locks were not enforced globally (they are).
+ res_iterator = samdb.search_iterator()
else:
logger.info('Starting transaction on ' + sam_ldb_path)
copy_function = self.offline_tdb_copy
- sam_obj = Ldb(sam_ldb_path, lp=lp, flags=ldb.FLG_DONT_CREATE_DB)
- sam_obj.transaction_start()
+ samdb.transaction_start()
logger.info(' backing up ' + sam_ldb_path)
self.offline_tdb_copy(sam_ldb_path)
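Review bot: On the MDB path the read lock now lives only as long as `res_iterator` stays referenced, and nothing in these lines releases it explicitly or guards it with try/finally; the same goes for `samdb.transaction_start()` in the else branch, which now acts on the caller's handle rather than a local `sam_obj`. If a copy raises, the caller is left with an open transaction or a held lock, so wrap the copy section in try/finally and end the transaction or drop the iterator there. With the `Ldb(sam_ldb_path, lp=lp, ...)` call removed, `lp` also has no remaining use in the lines shown; if that holds for the rest of the function, drop the parameter.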
@@ -1031,12 +1048,22 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
if sam_file.endswith('.ldb'):
logger.info(' backing up locked/related file ' + sam_file)
copy_function(sam_file)
+ elif sam_file.endswith('.tdb'):
+ logger.info(' tdbbackup of locked/related file ' + sam_file)
+ self.offline_tdb_copy(sam_file)
else:
logger.info(' copying locked/related file ' + sam_file)
shutil.copyfile(sam_file, sam_file + self.backup_ext)
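Review bot: The new `elif sam_file.endswith('.tdb')` branch always calls `self.offline_tdb_copy`, while the `.ldb` branch above goes through `copy_function`, which may be the MDB copy. A one-line comment saying that `.tdb` files in this directory are TDB regardless of the backend (the commit subject names metadata.tdb) would make clear that bypassing `copy_function` is deliberate.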
--
Samba Shared Repository